
Ransomware prevention guide

2022-06-24 04:58:00 Cloud computing

Ransomware has become one of the biggest threats to network security. Across the ocean, an American oil pipeline was paralyzed, a meat processor was thrown into disarray and state ferries were suspended; closer to home, Japan's Fujifilm group shut down some of its services. Ransomware incidents have occurred frequently in recent months, highlighting the seriousness of the threat and once again sounding the alarm for organizations.

So which organizations are most likely to be targeted by ransomware gangs? How are ransomware attacks carried out? And how should organizations defend themselves to avoid becoming the next victim?

Ransomware attack targets

The industrialization of ransomware is the general trend. Industrialization means pursuing commercial efficiency: low cost and high output. It inevitably produces a mix of actors. Some ransomware teams are large and highly skilled; others are smaller and of average technical ability (able to attack only ordinary industry users). Not all ransomware teams share the same principles, so their behavior differs accordingly. Some prefer to attack large enterprises and large organizations, some prefer ordinary enterprises; some, for the team's own gain, do not hesitate to attack non-profit public-welfare organizations such as hospitals, while other teams refuse to attack such targets. For example, the DarkSide gang, which recently attacked a U.S. refined-oil pipeline company, claimed that it does not attack non-profit public-welfare organizations.

Overall, ransomware gangs can be classified in two ways: by technical capability and by attack principles. Likewise, ransomware targets fall into two categories: by enterprise/organization size and by industry type. The correspondence between attacker and target is as follows:

(Figure: correspondence between attacker type and ransomware target)

According to statistics from the Sangfor Security Cloud Brain, in the first half of 2021 ransomware attacks were spread across industries, with the education sector infected most seriously (the statistics are skewed by WannaCry: campus networks with large numbers of vulnerable devices were weak points and suffered heavy WannaCry infection). Enterprises, manufacturing, and the medical and health industries, because of the importance of their data and their better ability to pay, are usually the targets of active ransomware attacks.

Ransomware attack chain analysis

Know the enemy and know yourself, and you will win a hundred battles. To protect against ransomware well, you first need to understand the whole ransomware attack process.

Generally speaking, the ransomware attack chain is divided into four steps: breaking through the border, virus delivery, encryption and extortion, and lateral movement.

(Figure: ransomware attack chain)

1.  Breaking through the border

Attackers generally get from the external network into the internal network through RDP brute forcing, phishing email, web vulnerability exploitation, watering-hole sites and similar means. Among these, RDP brute forcing is the method attackers use most, because it is cheap and directly yields host privileges. In a phishing attack the attacker casts a wide net, spreading large volumes of spam and phishing mail; once a recipient opens the attachment or clicks the link in the email, the ransomware is installed in the background in a form invisible to the user, and the extortion follows. Web vulnerability exploitation generally means the attacker uses malicious advertisements on a page to probe whether the user's browser has an exploitable vulnerability; if it does, the attacker exploits it to download the ransomware to the user's host when the user visits the page normally.

Breaking through the border is the first step of a ransomware attack and also a key step for protection: defenders should identify intranet risks in advance and eliminate hidden dangers ahead of time.

2.  Virus delivery

After successfully intruding into the intranet, the attacker begins to deliver privilege-escalation programs, ransomware encryption keys and so on to the target host, installs the malicious program and establishes C&C communication. At this stage defenders need to strengthen their day-to-day threat analysis so that the threat can be detected early, during the delivery stage.

3.  Encryption and extortion

The attacker executes the encryption program to encrypt the target host's data and displays a ransom pop-up and similar prompts. The newer steal-then-encrypt extortion model uploads data to the attacker's server before encrypting it and uses the risk of data leakage to pressure victims, raising the success rate of extortion.

4.  Lateral movement

To widen their results, attackers often exploit intranet system vulnerabilities, the RDP port and the like to spread laterally inside and outside the network, extorting more hosts. This may be done before or after the extortion.

Effective prevention of ransomware attacks: continuous monitoring is the key

Step one: asset management

Security construction must be based on security visibility; no one can secure what they do not know about. Without a complete, detailed asset inventory, security operations staff cannot guarantee the organization's security. Asset management is therefore the basic work of security operations and a key element for the smooth implementation of the subsequent steps.

Asset inventory generally uses security tools to discover and identify user assets. The information collected includes the operating systems, databases, middleware and application systems that support the business, with their versions, types and IP addresses; the protocols and ports the applications expose; the application management mode; the importance of each asset; the network topology, and so on.

Step two: risk investigation

Regularly check the risk items in the organization's network, including:

System and web vulnerability investigation: scan operating systems, databases, common applications/protocols and web applications for common and conventional vulnerabilities.

Weak password check: apply weak-password guessing detection to the different information assets, such as SMB, MSSQL, MySQL, Oracle, SMTP, VNC, FTP, Telnet, SSH, Tomcat, etc.

Baseline configuration verification: check the baseline configuration of the host operating systems, databases and middleware that support the information services, and make sure they meet the corresponding security protection requirements. Check items include, but are not limited to, account and password management, authentication, authorization policy, networks and services, processes and startup, file system permissions, and access control.

Border defense assessment: check whether security defenses at the network boundary are complete, including reduction of the exposed surface, intrusion prevention capability, network virus detection, and so on.

Terminal antivirus check: check whether office terminals and key servers have enterprise antivirus software installed, whether the virus database is networked and when it was last updated, and whether it can detect and remove the latest virus variants.
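As an added illustration of the baseline configuration verification item above (not part of the original article), the following Python script checks a constructed sshd_config fragment against a few hypothetical authentication baseline rules, reporting the failures of a weak configuration and passing its hardened counterpart. The rules, the sample configurations and the function names are assumptions made for this example.

```python
"""Baseline configuration check over a constructed sshd_config (hypothetical rules)."""

# Hypothetical baseline rules for the "authentication" and "account management"
# check items: option name (lower case) -> (passes?, why it matters). Constructed here.
RULES = {
    "permitrootlogin": (lambda v: v == "no",
                        "direct root logon lets one weak password yield full host control"),
    "passwordauthentication": (lambda v: v == "no",
                               "password logon is exactly what brute-force attacks target"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4,
                     "cap guesses per connection to slow down brute forcing"),
}

def parse_config(text):
    """Parse 'Option value' lines; options are case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def check_baseline(text):
    """Return one finding per rule the configuration fails (empty list = compliant)."""
    settings = parse_config(text)
    findings = []
    for option, (passes, reason) in RULES.items():
        value = settings.get(option)
        if value is None:
            findings.append(f"{option}: not set explicitly, default applies: {reason}")
        elif not passes(value):
            findings.append(f"{option}={value}: {reason}")
    return findings

# Constructed sample: a weak configuration next to its hardened counterpart.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""
```

Running `check_baseline(WEAK_CONFIG)` yields three findings (root logon, password logon, and MaxAuthTries left at its default), while the hardened fragment yields none.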

Step three: security hardening

Based on the ransomware risk screening results, promptly fix and eliminate the high-risk items that intranet ransomware exploits: open high-risk ports, weak passwords on core systems, and so on.

Where network boundary defense is lacking, add border security defense equipment and, according to the risk screening results and the actual business being protected, configure targeted protection policies to maximize the protective effect of the equipment. This builds the first line of defense at the network boundary and does its best to block the virus from breaking through the border into the intranet.

Where terminal antivirus capability is the weak spot, install enterprise-grade antivirus software on office terminals and servers, enable networked automatic updates of the virus database, and enable monitoring and removal of mutant viruses, so that before the virus runs on the host and encrypts files it is identified and removed as far as possible, preventing substantial loss to the business.

Step four: continuous monitoring

To stop the attacker before the final damage to the business system is done, the intrusion, infection and communication behavior of ransomware against the business system must be monitored in real time, so that threats are detected promptly and responded to early.

In addition, statistics on hacker activity patterns show that hacker groups often launch attacks when defenders are more relaxed, such as in the small hours of the night or during holidays, so 7x24-hour continuous monitoring and response is the general trend.

Continuous monitoring can be combined with the asset inventory results to cover the range of high-value assets, and make full use of border defense equipment, terminal antivirus software, network threat monitoring platforms and other security tools. Professional security analysts perform in-depth analysis of abnormal traffic, attack logs and virus logs to detect the spread of an intranet infection at the first moment and quickly coordinate isolation to stop the loss.
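As an added example that is not part of the original article, this Python detection logic implements the kind of real-time monitoring described above for the RDP brute-forcing entry point: it runs over constructed Windows Security log lines (event IDs 4625/4624, logon type 10) and raises a higher-priority alert when a source that exceeded the failure threshold then logs on successfully. The sample IPs, user names, thresholds and function names are constructed for this example.

```python
"""Detect RDP brute forcing and a subsequent successful logon in Windows Security log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"   # Windows Security event IDs
RDP_LOGON_TYPE = "10"                             # RemoteInteractive = RDP session
THRESHOLD = 5                                     # failures per source before alerting
WINDOW = timedelta(minutes=2)                     # sliding window for counting failures

# Constructed sample log, simplified to "timestamp,event_id,logon_type,source_ip,user".
# 203.0.113.7 hammers the Administrator account and then gets in; 10.0.0.5 is a
# user who mistyped a password once; the last line is a non-RDP (network) logon.
SAMPLE_LOG = """\
2022-06-24 02:13:01,4625,10,203.0.113.7,administrator
2022-06-24 02:13:03,4625,10,203.0.113.7,admin
2022-06-24 02:13:05,4625,10,203.0.113.7,Administrator
2022-06-24 02:13:07,4625,10,203.0.113.7,test
2022-06-24 02:13:09,4625,10,203.0.113.7,Administrator
2022-06-24 02:13:30,4624,10,203.0.113.7,Administrator
2022-06-24 02:14:00,4625,10,10.0.0.5,jsmith
2022-06-24 02:14:20,4624,10,10.0.0.5,jsmith
2022-06-24 02:20:00,4625,3,198.51.100.9,svc_backup
"""

def parse_line(line):
    ts, event_id, logon_type, src_ip, user = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, logon_type, src_ip, user

def detect_rdp_brute_force(log_text):
    """Return (alert_kind, source_ip, timestamp, user) tuples, one per alert."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures inside WINDOW
    flagged = set()               # sources already alerted on
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, src_ip, user = parse_line(line)
        if logon_type != RDP_LOGON_TYPE:
            continue              # only RDP sessions are of interest here
        failures = recent[src_ip]
        if event_id == FAILED_LOGON:
            failures.append(ts)
            while failures and ts - failures[0] > WINDOW:
                failures.popleft()  # drop failures that fell out of the sliding window
            if len(failures) >= THRESHOLD and src_ip not in flagged:
                flagged.add(src_ip)
                alerts.append(("rdp_brute_force", src_ip, ts.isoformat(), user))
        elif event_id == SUCCESSFUL_LOGON and src_ip in flagged:
            # Success from a source that was brute forcing: the border is probably breached.
            alerts.append(("logon_after_brute_force", src_ip, ts.isoformat(), user))
    return alerts
```

On the sample log this produces two alerts for 203.0.113.7 (the brute-force burst, then the logon that followed it) and nothing for the legitimate user or the non-RDP event.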

Step five: backup management

The current threat is growing too fast; no tool can provide 100% protection. It is therefore recommended to prepare a backup and recovery plan in advance, choose a backup approach suited to the business type, and back up core data regularly and offline. If the worst happens, backup and recovery can minimize the loss.

(Figure: data backup modes)

Step six: strengthen employees' security awareness

People are the weakest link in the security chain, and many internal risks are caused by a lack of security awareness. Cultivating internal security awareness is therefore very important, including regular security awareness publicity, standard operating rules for employees and computers, security assessments, and incentives for employees to pay attention to network security.

Building ransomware immunity with human-machine intelligence: Sangfor's ransomware protection solution has been upgraded. On top of complete protection technology built around the ransomware attack chain, it adds dedicated ransomware prevention and response services: cloud security operations experts focus on users' core assets and, based on the supporting anti-ransomware security products, carry out 7x24-hour ransomware prevention and response, helping users fill gaps in ransomware prevention, monitoring and disposal capability.

Comprehensive investigation, effective defense: around the two dimensions of border defense and host detection and removal, security hardening is carried out in the early stage of a ransomware attack, and security service experts verify and tune defense effectiveness against a checklist accumulated from a large number of ransomware samples, helping users eliminate hidden ransomware dangers completely and greatly reducing the probability of being extorted.

Continuous monitoring, full protection: based on whole-network traffic monitoring and analysis, plus 7x24-hour managed security services, a "human-machine intelligence" ransomware monitoring and early-warning system is built for users, identifying and intercepting the whole process of network poisoning, infection, encryption and spread, ensuring business security throughout.

Rapid response, efficient disposal: once a new variant breaks out on the intranet, security service specialists respond within 5 minutes, isolate the virus source at the first moment through coordinated linkage of the equipment, curb the spread of the infection, and at the same time assist users online and offline to further eliminate the threat, restore business, and reduce business losses comprehensively and efficiently.

Copyright notice
This article was created by [Cloud computing]; when reposting, please include the original link. Thank you.
https://yzsam.com/2021/08/20210831000344683T.html