Yesterday the FBI, together with the Department of Homeland Security (DHS)/Cybersecurity and Infrastructure Security Agency (CISA), issued a warning about Mamba ransomware. The summary states:
Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. Mamba ransomware weaponizes DiskCryptor, an open source full disk encryption software, to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized. Once encrypted, the system displays a ransom note including the actor's email address, ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor's email address to pay the ransom in exchange for the decryption key.
The FBI recommends the following mitigations:
- Regularly back up data, utilize air gap network security measures, and password protect backup copies offline. Ensure that copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Require administrator credentials to install software.
- If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
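One way to implement the execution blocklist recommended above for organizations that do not use DiskCryptor, as an added example that is not part of the FBI/CISA warning or this post: build an AppLocker policy that denies the DiskCryptor components for every user and merge it into the host's existing policy. The component names used here (dcrypt.exe, dccon.exe, dcinst.exe, dcapi.dll) are an assumption taken from what the open-source DiskCryptor project ships, not from the text above; check them against the artifact list in the advisory itself before deploying.

```powershell
# Added example, not code from the advisory or this post.
# Assumption: these are the file names the open-source DiskCryptor project ships
# (dcrypt.exe GUI, dccon.exe console, dcinst.exe driver installer, dcapi.dll library).
# Confirm against the advisory's artifact list before rolling this out.
# Requires an elevated PowerShell session on a Windows edition with AppLocker
# and the Application Identity service (AppIDSvc) running.

$exeArtifacts = @('dcrypt.exe', 'dccon.exe', 'dcinst.exe')
$dllArtifacts = @('dcapi.dll')

function New-DenyPathRule {
    param([string]$FileName)
    # A path rule with a leading "*\" matches the file name in any directory.
    # S-1-1-0 is the well-known SID for Everyone.
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="Deny DiskCryptor: $FileName" Description="Blocks weaponized DiskCryptor (Mamba ransomware)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="*\$FileName" />
      </Conditions>
    </FilePathRule>
"@
}

$exeRules = ($exeArtifacts | ForEach-Object { New-DenyPathRule $_ }) -join "`n"
$dllRules = ($dllArtifacts | ForEach-Object { New-DenyPathRule $_ }) -join "`n"

# EnforcementMode="NotConfigured" keeps whatever enforcement the host already has
# for each collection. Do NOT set "Enabled" here on a host that has no allow rules:
# an enforced AppLocker collection blocks everything it does not explicitly allow,
# so a Dll collection containing only deny rules would block every DLL on the box.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$exeRules
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured">
$dllRules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'diskcryptor-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# -Merge adds these rules to the current local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm the deny rules are present in the effective policy (expect True).
(Get-AppLockerPolicy -Effective -Xml) -match 'Deny DiskCryptor'
```

Three caveats a practitioner should keep in mind. First, AppLocker only evaluates user-mode executables, DLLs, scripts and installers; the DiskCryptor kernel driver (dcrypt.sys) is loaded by the operating system and is not covered, so blocking its installer and requiring administrator credentials for software installation (as the list above recommends) is what keeps the driver off the machine, or use Windows Defender Application Control if you need driver-level control. Second, path rules match on file name and are defeated by renaming the binary; if the advisory or your own sandbox gives you hashes of the exact DiskCryptor build in use, prefer FileHashRule or FilePublisherRule entries over these path rules. Third, run the policy in AuditOnly mode first and review the AppLocker event log (Applications and Services Logs > Microsoft > Windows > AppLocker) before switching a collection to Enabled.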