Attackers access an organisation's network through their remote access software, such as remote desktop protocol (RDP) and virtual private networks (VPN). They gain access through weak passwords, a lack of two-factor authentication, or software that’s not up-to-date.
What this means
Once the attacker gains access, they move across different parts of your network and search for valuable information.
They use tools to create their own access to your organisation’s network. This means that even if you change passwords to your remote access the attackers will still be able to get inside the network. They then identify and extract sensitive information from your network without your knowledge. They may threaten to sell the information if you don’t pay their ransom, or use the information to affect the reputation of the business.
What to look for
How to tell if you're at risk
Any business that uses remote access but isn’t using two-factor authentication and using strong passwords is at risk. The software also needs to be up-to-date to fix any security vulnerabilities that have been found.
How to tell if you're affected
You’ll know you’re affected when you get the ransom note. This may appear as the background image on your desktop, or as a text file which could be called something like NEFILIM-DECRYPT.txt or DECRYPT-FILES.txt
What to do
Ensure that all remote access systems:
- have the most up-to-date software
- strictly enforce two-factor authentication
- use a strong, long password that isn't used anywhere else.
Make sure you have a recent secure backup of your critical data. This backup must be kept offline, and on a different network. However, due to the level of access gained before deploying ransomware, simply restoring data from backup won’t resolve the issue.
Fixing the issue will require an in-depth technical investigation of your systems to make sure the attacker can’t gain access your network, and to identify any security improvements to prevent another attack.
We have some actions we recommend you discuss with your IT company to implement for your business. Most of these actions will help prevent an attacker from gaining access to your systems or will limit the actions they can do once they have access.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.