The cyber security incidents just keep coming. And, if allegations are true, Acer has fallen victim to a cyberattack resulting in a $50 million ransomware demand by the threat group known as REvil. Early reports are that it is possible REvil exploited the Microsoft Exchange vulnerabilities to launch the cyber offensive. If confirmed, it will mark the first time a threat group used this particular method to initiate a ransomware attack.
For Acer, Travelex, Garmin, Hyundai, Kia and other companies allegedly impacted by recent ransomware attacks, simply recovering doesn't solve everything, explains Cybereason Chief Security Officer Sam Curry.
“Getting operational as quickly as possible is the main goal, yes, but it isn’t the only one. Organizations must also be careful to destroy as little forensic evidence as possible to know what really happened and to avoid re-infection,” says Curry in a statement. “A record of what happened during downtime and recovery to ensure breach avoidance and limit liability to what really happened is critical. The bad guys are learning how recovery is done and are developing more insidious operations targeting backups, failover and redundancy plans -- these must also be protected.”
“The attack on Acer with a $50M ransom is very concerning, and we believe it may lead to a cycle of attacks that target more companies with even larger ransoms. Ransomware remains a security Achilles’ heel,” says Ralph Pisani, president of Exabeam, in a statement. “Understanding ‘normal’ versus ‘abnormal’ behavior sheds light on the presence of ransomware, yet far too few organizations are able to see the canary in the coal mine.”
Road ahead
Acer, like many companies, is caught between a rock and a hard place when it comes to security, explains Matt Glenn, vice president of product management at Illumio. “They likely invested a lot of money in detection, but detection technologies will ultimately fail. An attacker only has to get it right once, while a defender has to get it right every single time – and that is almost impossible,” he says. “The pattern is the same as EternalBlue, but organizations need to evolve their defenses from detection to protection.”
According to Pisani, organizations that do reconnaissance, taking the time to understand normal behavior, will uncover the ransomware as abnormal before it strikes. “If organizations want to detect ransomware before it’s too late, user and entity behavior analytics (UEBA) is the only technology that can detect behavioral deviation and spot malicious activity at far earlier stages of an attack,” he says. “Since ransomware strikes fast, the window of opportunity for killing and cutting it out is small. Traditional correlation rules do not work because they require too many rules and generate far too many false positives. Organizations without advanced analytics in SecOps are extremely vulnerable to being preyed upon by ransomware.”
To defend against today’s ransomware attacks, Curry adds, “defenders must engage in mature security programs that include ransomware protection, backup and recovery, contingency planning, and employee education -- and routine testing of these programs. It would be wise for any organization seeing today’s headlines to take the time to plan now what they would do if they were caught in the crosshairs next.”