Honda suffered a ransomware attack earlier this month that temporarily disrupted its global operations and factory operations. As a result, employees were unable to access email and internal servers. It also disrupted their associated financial corporation preventing them from being able to answer calls, fund contracts, provide payoff quotes or service customer accounts.
Small businesses can learn from how Honda was targeted to better protect themselves from ransomware attacks.
Honda was hit with Snake ransomware
Snake Ransomware has been developed with the ability to obfuscate all forms of anti-malware solutions that any other previous forms of ransomware could have done till date. Snake will first target a system and remove shadow volume copies, then will kill all processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software and more. The malware will encrypt files and then drop a ransom note with the title “Fix-Your-Files.Txt” with an email address and a ransom demand.
Details of the executed attack
Kaspersky indicated that the malware was launched using a file called nmon.bat. Calling a malicious file with the .bat extension means that alert tools would see that a scriptable or batch file was used in the network. In many environments this would be an allowed file.
The attackers used a file named KB3020369.exe in the attack. This is interesting since the Microsoft Knowledge base number 3020369 is for a Windows 7 servicing stack patch. However, the file name of the actual patch is not KB3020369.exe, but Windows6.1-KB3020369-x64.msu. The attackers named malicious files in a pattern to “hide in plain sight” from the technology professionals.
It is speculated that Remote Desktop Protocol (RDP) may have been the attack point for the incident. Honda had machines with RDP access publicly exposed. RDP has been called out as some of the lowest hanging fruit preferred by attackers, especially in small businesses.
Protecting against ransomware attacks
Ransomware is the most common malware threat to small businesses. Unfortunately, traditional cybersecurity solutions like antivirus and email/spam filters are no match to sophisticated malware attacks. The best way to defend against ransomware is with layered defenses including the following:
- Employee Awareness Training (Prevent)
It is important to adapt your network defenses as your work environment changes. For example, if your work force is now remote, your awareness training should be increased to adapt to new threats that come with teleworking. One of the greatest risks to your network being breached is through your employees compromising a password, losing a device with critical information on it, or falling victim to a phishing attack. As such, employee awareness training will ensure that end users know how to be vigilant against cyber attacks.
- Advanced Email Protection (Detect)
One of the most common threats to your organization today comes from spear phishing and email hijacking of high value targets (such as your CFO or accounts payable person). Advanced email protection will allow experts to watch for unusual activity in email accounts such as email forwarding rules, logins at unusual times or from unusual places, and other behavior that is uncharacteristic of your email users. When this happens, the activity can be stopped it in its tracks before compromise.
- Advanced Threat Protection (Respond)
With the myriad of components in a network that can be compromised by threat actors such as switches, firewalls, endpoints and wireless access points, it is critical to monitor activity on and between all of these devices. Attackers will work to find any way they can achieve entry into your network and then attempt to remain stealth so they are not detected by traditional network tools. If they can stay “under the radar” long enough, they WILL find a way to access valuable data and protected network resources. To combat this, a Security Operations Center (SOC) should watch your network 24/7/365 for indicators of compromise to detect and respond to any unusual or malicious activity.
- Data Security (Recover)
Data security provides the ultimate fail safe in a layered defense strategy. A successful backup solution will take snapshots of data and systems and store them in a secure location. If you do fall victim to ransomware, you can simply ‘turn back the clock’ to a snapshot before the attack happened.
Developing a plan to fight back
Do you know your current cyber risk rating? Your cyber risk rating can help establish a plan to defend against ransomware and other critical attacks to your organization. Our Cyber Risk Gap Analysis assessment will help you make the best informed decision on the security improvements or changes needed within your organization.