Kaspersky has issued recommendations for individuals and companies on what to do if their data is exposed after a high-profile ransomware attack on a national government agency.
“As always, leaked information in the hands of cyber criminals allows them to impersonate or deploy social engineering scams. With exposed data, hackers can get to you whether online or offline — they can send you messages, they know where you live, they can steal your identity and make unlawful financial transactions pretending to be you, or hold on to your data to sell it for further financial gain,” says Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.
The state insurer, which was recently targeted, has over 104 million members, including overseas workers. This means that the agency may have access to and process personally identifiable information (PII) that can be used to identify, contact, or locate a specific individual. In addition, the agency maintains medical information submitted by its members for claims verification and payment purposes.
While the incident is still under investigation, Kaspersky strongly recommends that concerned Filipinos take the following eight (8) steps immediately:
- As soon as you realize your data may be compromised, inform the people in your life of what happened so they can avoid possible scams using your identity and help you report to the authorities.
- Check whether your email account has been exposed at https://haveibeenpwned.com or https://monitor.firefox.com/: type in the email address associated with you and you will find out whether that address appears in any of the leaked databases these services know about.
- Change the passwords on all your accounts. If there are security questions and answers or PIN codes attached to your account, change these too. And use strong passwords. One of our experts shares how to create one here.
- Secure your computer and other devices with antivirus and anti-malware software. If Kaspersky Premium is installed on your device, you can use its Data Leak Checker feature, which monitors the internet and the dark web to let you know if your personal data is compromised.
- To protect financial data, store all related data in safe, encrypted storage. Modern security solutions like Kaspersky Premium offer such storage as Secret Vault, which converts users’ sensitive data into an unreadable format and protects it with a password. Don’t respond directly to requests from a company to give them personal data after a data breach; it could be a social engineering attack. Take the time to read the news, check the company’s website or even phone their customer service line to verify that the request is legitimate.
- Sign up for two-factor authentication (2FA) wherever it is available. It is an extra level of security for your online accounts that requires you to enter an additional piece of identity information.
- Monitor your accounts for signs of any new activity. If you see transactions that you don’t recognize, address them immediately.
For organizations whose information has been encrypted for ransom, quick and decisive action is vital. Your response will help determine whether the incident becomes a deadly headache for the company or a feather in your cap.
We can summarize the recovery process in four (4) steps:
- Step 1: Locate and isolate. Determine the extent of the intrusion. Start by looking for infected computers and network segments and immediately isolate them from the rest of the network to limit contamination. If your company doesn’t have many computers, start with antivirus, endpoint detection and response (EDR), and firewall logs. For very small environments, physically walk from machine to machine and check them. If there are many computers, analyze the events and logs in the security information and event management (SIEM) system. After isolating infected machines from the network, create disk images of them and leave the machines alone until the investigation is over.
- Step 2: Analyze and act. First, see to the security of the rest of the network. Then start the threat-hunting process: analyze the ransomware, figure out how it got in and which groups usually use it. Ransomware doesn’t simply appear; a dropper, Remote Access Trojan (RAT), Trojan loader, or something of that nature installed it.
  For any cybersecurity breach or attack, you need to perform an incident investigation and response to determine the root cause of the incident and ensure a similar incident will not happen again. If your internal team does not have the skills and experience, engage a qualified third party such as Kaspersky Incident Response Services to provide a comprehensive digital forensics and incident response service.
- Step 3: Clean up and restore. Turn your attention to the computers that are out of commission. For those that are no longer needed for the investigation, format the drives and restore data from the most recent clean backup. If you have no backup copy, decrypt whatever’s on the drives. Start at Kaspersky’s No Ransom website, where a decryptor may already exist for the ransomware you encountered. If it doesn’t, contact your cybersecurity provider for help. In any event, don’t delete the encrypted files. New decryptors appear from time to time and there might be one tomorrow.
  Regardless of the particulars, don’t pay up. You’d be sponsoring criminal activity, and the chances of getting your data decrypted are not high. Sooner or later, you will have to talk about the incident with employees, shareholders, government agencies and quite possibly journalists. Openness and honesty are important and will be appreciated.
- Step 4: Take preventive measures. A major cyber incident always means big trouble, and prevention is the best cure. Prepare in advance for what can go wrong:
  - Install reliable protection on all network endpoints (including smartphones)
  - Segment the network and furnish it with well-configured firewalls. Better still, use a next-gen firewall (NGFW) or a similar product that automatically receives data about new threats
  - Look beyond antivirus to powerful threat-hunting tools
  - Deploy a SIEM system for immediate alerts if you’re a large company
  - Train employees in cybersecurity awareness with regular interactive sessions
  - Deploy a Managed Detection and Response service to proactively monitor for and detect cyber-threats or cyber-attacks that automated prevention and detection tools may have missed
  - Deploy Threat Intelligence to understand the adversaries or cyber-criminals who are targeting your organization, business reputation and assets, which enables better cyber-threat mitigation measures
  - Use Digital Footprint Intelligence services to help security analysts explore an adversary’s view of their company resources and promptly discover the potential attack vectors available to them. This also raises awareness of existing threats from cybercriminals so that you can adjust your defenses accordingly or take counter and elimination measures in a timely manner.
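As an added example, not part of Kaspersky's release, the log-triage part of Step 1 in code: a Python script that scans constructed EDR/SIEM-style file-write audit lines for the mass-rename burst ransomware leaves behind and returns the hosts to isolate, together with the affected file paths that Step 3 says to preserve rather than delete. The hosts, paths and the ".lockd" extension are invented for this example.

```python
import re
from collections import defaultdict, deque

# Constructed file-write audit lines "<host> <epoch-seconds> <path>", as an EDR or
# SIEM export might give them; hosts, paths and ".lockd" are invented for this example.
SAMPLE_LOG = """\
ws-hr-03 1700000000 C:\\Users\\mia\\Documents\\budget.xlsx
ws-fin-07 1700000100 C:\\Users\\raj\\Documents\\q1.xlsx.lockd
ws-fin-07 1700000101 C:\\Users\\raj\\Documents\\q2.xlsx.lockd
ws-fin-07 1700000102 C:\\Users\\raj\\Pictures\\team.jpg.lockd
ws-fin-07 1700000103 C:\\Users\\raj\\Documents\\contract.pdf.lockd
ws-fin-07 1700000104 C:\\Users\\raj\\Documents\\HOW_TO_RECOVER.txt
ws-fin-07 1700000105 C:\\Users\\raj\\Desktop\\todo.txt.lockd
ws-fin-07 1700000106 C:\\Users\\raj\\Desktop\\plan.docx.lockd
ws-dev-12 1700000200 D:\\build\\out\\app.exe
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")

def parse_events(text):
    """Return (host, timestamp, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), int(m.group(2)), m.group(3)))
    return events

def extension(path):
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_encryption_bursts(text, window=60, threshold=5):
    """Flag hosts writing >= threshold distinct files with one extension inside `window`
    seconds (the ransomware mass-rename pattern); tune threshold and exclude build/temp
    directories in production to limit false positives. Returns {host: {extension, files}}."""
    per_key = defaultdict(list)
    for host, ts, path in parse_events(text):
        per_key[(host, extension(path))].append((ts, path))
    flagged = {}
    for (host, ext), items in per_key.items():
        items.sort()
        recent = deque()  # events inside the sliding time window
        for ts, path in items:
            recent.append((ts, path))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({p for _, p in recent}) >= threshold:
                flagged[host] = {"extension": ext, "files": sorted(p for _, p in items)}
                break
    return flagged
```

Running find_encryption_bursts(SAMPLE_LOG) flags only ws-fin-07 with six ".lockd" files; the single ransom-note write and the developer's build output stay below the threshold.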