Increased Threats of Pro-Russian ransomware groups

Good afternoon all,

I’m writing to you today to inform you of credible threats of increased malware and ransomware campaigns aimed at businesses around the world in response to the global financial sanctions against Russia. We strongly suspect state-sponsored Russian hackers and their supporters will significantly ramp up ransomware attacks in the coming months in order to raise money to offset sanctions that were enacted in the last week. Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable, and there is no reason to suspect that won’t carry over to American businesses.

What We Are Doing

We are constantly monitoring CISA and other international intelligence community bulletins, as well as dark web chatter/traffic to stay up to date on the latest threats:

  • On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.

  • On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine, and we have seen evidence of it being used in the US.

  • We have seen firsthand a ramp-up in the Emotet malware in the last month. We have blocked and/or remediated 10 times more Emotet footholds on systems this week than we did in the entirety of 2021.

  • Conti, one of the largest ransomware groups in the world, has issued a statement officially announcing its full support for the government of Putin, vowing to attack enemies of the Kremlin if they respond to the invasion of Ukraine.

In addition to the above, we have also received increased alerts of phishing emails to Microsoft Office users. Moscow-led business email compromise (BEC) scams have started to make the rounds looking to lift credentials and other personal details. The scam is a fake email from Microsoft alerting the user that a login attempt was made to their account from Moscow/Russia. These phishing emails provide a button to “report the user,” and an unsubscribe option. Clicking the button creates a new message with the subject line of “Report the user.” The recipient’s email address is auto-filled and references Microsoft Account Protection. Using the email to respond could open up various risks. People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page which will harvest credentials.

If you receive a similar email and are not subscribed to our enhanced email protection, the best thing to do is not to reply but to forward the email to support@netwurxgroup.com, and we will take the appropriate action.
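The lure described above, as an added triage example that is not part of the original email or of any Netwurx tooling: it scores a message on the three traits the email names (a sender posing as Microsoft from a non-Microsoft domain, the "login attempt from Moscow/Russia" text, and a "report" button that is really a mailto: link with a prefilled subject). The sample messages, the `.example` sender domains and the Microsoft domain list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a genuine Microsoft account notice would be sent from.
MICROSOFT_DOMAINS = ("microsoft.com",)
# A mailto: link with a query string (used to prefill the "Report the user" subject).
MAILTO = re.compile(r"mailto:([^?\s\"']+)\?([^\s\"']*)", re.I)


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    # 1. Display name claims Microsoft but the address is not on a Microsoft domain.
    if "microsoft" in display.lower() and not any(
        domain == d or domain.endswith("." + d) for d in MICROSOFT_DOMAINS
    ):
        findings.append("brand-impersonation")
    # 2. The lure text: a sign-in supposedly made from Moscow/Russia.
    if "login attempt" in text and ("moscow" in text or "russia" in text):
        findings.append("moscow-login-lure")
    # 3. A "report" button that is really a mailto: with a prefilled subject, so the
    #    recipient opens a conversation with the scammer instead of reporting anything.
    for to, query in MAILTO.findall(body):
        if "report%20the%20user" in query.lower() or "report+the+user" in query.lower():
            findings.append("mailto-report-button:" + to)
    return {"suspicious": len(findings) >= 2, "findings": findings}


# Constructed sample of the lure described above (not a real captured message).
SAMPLE_PHISH = """\
From: "Microsoft Account Protection" <alerts@secure-login-notice.example>
Subject: Unusual sign-in activity
Content-Type: text/html

<p>A login attempt was made to your account from Moscow, Russia.</p>
<a href="mailto:report@secure-login-notice.example?subject=Report%20the%20user">Report the user</a>
<a href="mailto:unsub@secure-login-notice.example?subject=Unsubscribe">Unsubscribe</a>
"""

# Constructed benign notice for contrast: Microsoft domain, no lure, no mailto button.
SAMPLE_BENIGN = """\
From: "Microsoft account team" <noreply@accountprotection.microsoft.com>
Subject: Security info was added

Security info was added to your account. If this was you, no action is needed.
"""
```

A single indicator on its own (a real Microsoft notice mentions sign-ins too) is not enough to flag a message; the verdict requires at least two, and the returned findings list is what you would attach to a ticket when forwarding the message.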

What We Recommend

Because of the severity of recent bulletins and the specific targeting of small and medium-sized businesses, we strongly recommend taking advantage of the following services we provide, at a minimum, in order to protect your company data and your employees from becoming victims of ransomware or malware:

  • Conducting regular off-site (cloud) and local backups (full-image and file/folder) of workstations and servers

  • Enhanced e-mail protection (MS365 & GSuite)

  • Installing Ransomware Early-warning systems and/or Enhanced Threat Detection and Response (ETDR) software

  • Utilizing non-consumer grade anti-virus/anti-malware

  • Using strong passwords in combination with Multi-Factor Authentication

Some longer-term actions we also recommend:

  • Crafting a Data Security Policy & Incident Response Plan

  • Leveraging quarterly Security Awareness Training for staff

The measures noted above are good general recommendations to employ no matter the systems you run and are not specific to any of the solutions you receive from Netwurx. That being said, we take seriously the trust you have put in us, and we will continue to take every measure available to us to ensure the integrity and safety of your data and your customers’ data. Again, Netwurx invests heavily in delivering the highly secure products, services, and 24/7 system monitoring that you’ve come to expect, and this investment extends to communications such as this email and to software deployment, which are meant to serve as another layer of defense against cybercrime. We do not take this matter lightly.

If you have any questions about any of the mentioned services, or are unsure of the specific services and protection you are receiving from us, I strongly recommend you reach out to us as soon as possible.

Thank you again for your continued support and business, and I look forward to talking to all of you soon.

Stay vigilant,

Ryan S. McKee | LinkedIn

Director of Operations
