Tuesday, 27 June 2023

Another week… another cyber breach: how to deal with the latest ransomware attacks

Workers at some of the UK’s largest companies are being warned that their personal data has been compromised. What can we learn from this data breach?

As we continue to track the impact of the data breaches at UK outsourcing firm Capita, workers at some of the UK’s largest companies are being warned that their personal data has been compromised.

What can we learn from this latest data breach?


On Monday 5 June, several British companies announced that they had been affected by a cyberattack by Russian-based hackers. 

The attack was a result of a vulnerability in a third-party supplier to the companies’ payroll provider Zellis. Zellis uses a file transfer system called MOVEit, also used widely in the public sector, and this was the source of the vulnerability. 


Personal data exfiltrated in the attack 

It is understood that eight companies in the UK and Ireland which use Zellis for payroll have been impacted. British Airways, Boots and the BBC are amongst those affected. Reports suggest that compromised data includes staff personal data – including names, employee numbers, dates of birth, email addresses, home addresses and national insurance numbers.

Microsoft’s threat intelligence team has attributed the attacks on MOVEit to a group called Lace Tempest. It reported that the group was known for conducting ransomware operations. It runs an extortion site which carries data extracted during the attacks, favouring the Clop ransomware.

Security experts have suggested they are affiliated with the group that developed the Clop ransomware, which has links to Russia. Experts expect the stolen personal data to end up published on the Clop website. 


The international scope of ransomware activity

The attack on MOVEit was attributed to the Russian-based Clop group. Security researchers have warned that the Russian group has changed its tactics lately, favouring a pure extortion approach.

Earlier this year, the US Cybersecurity and Infrastructure Security Agency published an advisory about another ransomware developer, deployer, and data extortion cybercriminal group called , BianLian. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. 

BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data. However, around January 2023, they shifted to primarily exfiltration-based extortion.

Another ransomware strain that has been targeted at accounting, investment and construction sectors, especially in Spanish-speaking users in the Americas, has been used the steal sensitive information and compromise email accounts to launch phishing attacks. Because of the scope of the Horobot attacks, security researchers believe the group managing it is based in Brazil.


How to mitigate the effects of a ransomware attack

The UK’s National Cyber Security Centre (NCSC) recommends that the best way to protect your organisation from ransomware attacks is to make regular backups. Keep your backups in a separate location so that they cannot be included within the scope of the attack. Always scan your backups for malware before you restore files.

The NCSC also makes a number of other suggestions:

•    Block websites that are known to be suspicious,

•    Configure network services to prevent malware being delivered, e.g. by inspecting content, intercepting proxies, deploy internet security gateways, etc.

•    Use mail filtering,

•    Disable remote desktop protocol if it’s not needed,

•    Use multi-factor authentication with a system of least privilege

•    Manage devices centrally to prevent malware running on them, 

•    Keep anti-malware and antivirus products (and the software definition files) up to date,

•    Invest in awareness training for your people, so they recognise how to spot phishing attempts and malware,

•    Install security updates as soon as they become available, enabling automatic updates where possible, 

•    Prepare for an incident, including by keeping incident management playbooks, supporting resources and communication strategies available offline.


What next?

If you think you might be subject to the MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362), you can find more information here, including the appropriate patch. 

If you’d like specific help about responding to the incident, protecting your organisation from malware or malicious cyberattacks, or would like help developing an incident response plan, our team can assist. 

Get in touch:

Call us on 0808 164 4142.

Or message us at https://www.grantmcgregor.co.uk/contact-us.

Further reading

You can find additional information about cyber security topics on our blog:

•    What can we learn from the Capita data breaches?

•    Is your organisation doing enough on supply chain security?

•    What are the risks of ChatGPT and large language models (LLMs)? And what should you do about them?

•    AI’s new role in cyber security

•    Is your business data at risk? Don’t take chances with old tech