The Australian Cybersecurity Centre and the FBI's Joint Advisory #stopransomware

Who Are Play Ransomware?

Play is a group of hackers that are responsible for extortion and ransomware attacks on government institutions and companies. Emerging in 2022, play ransomware actors employ a double extortion model, encrypting systems after infiltrating data. They have been known to use a variety of tools to steal information and scan and disable anti-virus software.

Who Are They Targeting?

The play ransomware group has targeted organisations not only overseas but right here in Australia with incidents observed as recently as November 2023. Cyber.gov.au have released a joint cybersecurity advisory with the FBI and the Cybersecurity Infrastructure Security Agency CISA publishing the (TTPs) tactics, techniques, and procedures and the (IOC’s) indicators of compromise of the play ransomware group. These have been published in their most recent ransomware report #StopRansomware This report aims to provide detailed information about various ransomware attacks and provides guidance and recommendations on how to stay safe.

How Can You Keep You and Your Business Safe

To reduce the likelihood and impact of ransomware incidents, organisations are encouraged to implement mitigation recommendations provided by these government agencies. These mitigations align with the Cross-Sector Cybersecurity Performance Goals which are developed by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) NIST. These performance goals provide a minimum set of practices of protection recommended for organisations to implement to reduce the risk of compromise and to limit the impact of ransomware attacks.  

Cross-Sector Cybersecurity Goals to Consider Implementing Within Your Business

The Cross-Sector Cybersecurity Performance Goals are listed below and should be implemented at a minimum by organisations.

1. Identify – Organisations are encouraged to develop an understanding of how to manage cybersecurity risks to their systems, assets, and data capabilities.
2. Protect – Organisations are encouraged to put safeguards in place to ensure delivery of services.
3. Detect – Organisations are encouraged to develop and implement appropriate activities, so they can identify a Cybersecurity event.
4. Respond – Organisations are encouraged to develop and implement appropriate activities, so they can respond and act on an identified cybersecurity event.
5. Recover – Organisations are encouraged to develop and implement appropriate activities to restore any capabilities or services impaired during or after a cybersecurity event and to maintain plans for future resilience.

Mitigations You Can Employ to Reduce the Risk of an Attack Occurring

To further mitigate the risk of an attack occurring, there are several mitigations an organisation can employ alongside the above-mentioned performance goals.

1. Retain and maintain multiple copies of sensitive or proprietary data and servers. These should be stored in a secure location, physically separate and segmented. They can be stored on hard drives, storage devices and or cloud as an example.
2. Most systems these days require access via passwords. Below are a few simple tips to ensure passwords are managed and comply with the NSIT’s standards:
   • Ensure passwords are at least 8 or more characters in length and no longer than 64 characters. There should be a mixture between numbers/letters and symbols.
   • Avoid reusing passwords or using the same password across multiple devices.
   • Disable password “hints”.
   • Refrain from requiring password changes more than once per year. Favor longer passwords rather than more frequent resets.
   • Require administrator credentials when installing software.
   • Implement account lockouts for multiple failed login attempts.
   • Use industry-recognised password managers.
3. Multifactor authentication makes it more difficult for unauthorised individuals to access an account. Ensure this is in place and turned on, particularly on things such as webmail, virtual private networks etc.
4. Patching is one of the most efficient and cost-effective steps you can take to protect your environment from potential security breaches. Ensure all operating systems, software and firmware are managed and up to date on a regular basis.
5. Adding suspected phishing banners or notifications that emails are being received from outside your organisation will help bring attention to potential email threats. It is also beneficial to disable hyperlinks received in these emails.
6. Ensure you have industry recognised anti-virus software installed on all hosts computers. This must be regularly updated and enable real-time detection.
7. Regularly audit user accounts and adjust administrative privileges accordingly.
8. Segmenting networks can assist in preventing the spread of ransomware. Controlling traffic flow between and access to various subnetworks and restricting adversary lateral movement will help to prevent the spread.
9. Employ a network monitoring tool to identify, detect and investigate abnormal activity and potential traversal of the indicated ransomware.
10. For new and/or unrecognised accounts, review the domain controllers, servers, workstations, and active directories regularly.
11. Maintain offline backups of all data and ensure backup is encrypted and immutable. This should be done regularly to ensure data will not be severely interrupted and/or organisations will only have irretrievable data.
12. Disable any unused ports.

Conclusion

In addition to applying performance goals and mitigations it is recommended that organisations regularly exercise, test, and validate their security program. For further information on the recommendations to test against MITRE ATT&ACK’s, the advisory report provides tactics and techniques to test against. It also provides a list of leveraged tools and indicators of compromise that can assist you in identifying potential risks.

Ransomware attacks are on the rise and can be detrimental to any organisation both operationally and financially. This also extends to individuals who may innocently have their data compromised. Therefore, it is crucial to take proactive measures such as those mentioned above to prepare for such attacks. The better prepared you are, the better the outcome.

If you are interested in finding out more about how you can better protect yourself and your organisation from potential ransomware attacks, Get in Touch with one of our friendly staff who will be more than happy to assist you.