1. Home
  2. IT specialists
  3. Advisories
  4. Active ransomware campaign leveraging remote access technologies

Advisories

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

9:55am, 16 June 2020

TLP Rating: Clear

Active ransomware campaign leveraging remote access technologies

We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.

The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup.

What's happening

Systems affected

Attackers access an organisation's network though vulnerable remote access technologies. This could be by:

  • unpatched software,
  • weak authentication, or
  • lack of multi-factor authentication (MFA).

From there, any system on the network may be affected. Citrix remote access technologies have been reported as a common way for attackers to gain access.

What this means

Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.

The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want they attempt to sell or publicly release the information.

Due to the level of access gained before deploying ransomware, simply restoring data from backup won’t resolve the issue. Remediation will require in-depth investigation of all compromised or potentially compromised systems to fully eradicate the attacker, and to identify the security improvements necessary to prevent another attack.

What to look for

How to tell if you're at risk

Any network that has does not have appropriately secure remote access is at risk. 

How to tell if you're affected

Check your remote access systems for any sign of unauthorised access. If any unauthorised access is detected, further investigation will be required to determine any lateral movement across the network.

If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):

  • files with a .NEFILIM extension
  • a file called NEFILIM-DECRYPT.txt may be placed on affected systems
  • batch files created in C:\Windows\Temp

The following public reporting includes IOCs specific to Nefilim ransomware:

What to do

Prevention

Ensure that all remote access systems are:

  • up-to-date with security patches
  • strictly enforcing strong authentication (strong passwords and MFA).

Mitigation

CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack, by making it harder for an attacker to move around your network. Well-configured backups are essential to recovery from any ransomware attack.

Network segmentation

Enable application control

More information

Advisory: exploitation of Citrix remote access systems

CERT NZ critical controls

If you require more information or further support, submit a report on our website.

Report an incident to CERT NZ External Link

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.