The forensic report on the attack on the Carinthian state government is available: A phishing email enabled the attack that led to the compromise of around 250 gigabytes of data at the end of May 2022 and paralysed the computer systems for several days. At the beginning of July, a large part of the systems has now been restored. 
The ransomware BlackCat, also known as ALPHV, is behind the cyber attack. BlackCat was the first widespread ransomware to be written in the programming language RUST, which is considered very secure and powerful. BlackCat is offered as “Ransomware as a Service”: The malware can be “rented” against payment or participation in the ransom, including the necessary infrastructure. Only access to the victim system needs to be contributed.
Entry Points for Ransomware BlackCat
The FBI reported at least 60 successful attacks with BlackCat worldwide by March of this year. It warns of known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs). 
Further attacks are to be expected.
Compromised user credentials are a typical attack scenario with BlackCat. In the case of the Carinthian state government, a successful phishing email was the starting point of the attack.
More scenarios are thinkable. Since anyone with enough criminal energy can use the malware, the entry points can be tailored to the actors’ possibilities and to the victims, for example by exploiting vulnerabilities in the target system.
Securing typical entry points against ransomware
- Secure E-Mail Gateways: Email security solutions can protect against phishing and ransomware by checking all attachments, the email itself and any links it contains. Sandboxes can detect unknown and potentially malicious content by running the content in a segregated environment.
- Secure user data: Secure passwords are sufficiently long, unique and have an expiry date: Passwords should have at least 12 digits and use at least three different types of characters (upper and lower case letters, numbers, special characters). Each accounts needs a different password. An expiry date helps to automatically remove passwords from circulation once they have been compromised. In addition, important services should be secured using two-factor authentication (2FA) or multi-factor authentication (MFA).
- Security Awareness: Regular training and information on threat scenarios raise awareness of suspicious emails, requests or incidents. Users are the greatest risk factor for cyber attacks. Since the technical implementation and the tricks of the criminals are becoming more and more sophisticated, it is worth investing in awareness, knowledge and the right reaction in case of suspicion.
- EDR-Agents: EDR functions consolidate all information about each security incident and provide relevant context. IT teams are able to act as quickly as possible and have all the tools at hand to initiate countermeasures and secure traces.
Further security measures against cyber attacks
- Network segmentation: Network segmentation divides the network into smaller, separate subnetworks. This enables security controls for each segment and the control of data traffic. On the one hand, this facilitates monitoring and, on the other hand, the sealing off (potentially) infected areas.
- Backup strategy: The most effective way to regain the ability to act after a ransomware attack is to have an up-to-date, functional backup. The backup routine must include a disconnection from the network. Otherwise, the ransomware will also encrypt the backup. In case of cloud backups, use multi-factor authentication. Since some ransomware attacks also target backups in order to emphasise the ransom demand, the backup infrastructure has to be sufficiently protected.
- Incident Response Plan: In the event of an attack or attempted attack, it is important to react quickly and correctly in order to contain the technical and financial consequences. An emergency plan for cyber security incidents, which regulates the measures and responsibilities, provides orientation. It must be drawn up before a security incident occurs. Incident Response Services provide a professional alternative: Experts are on call to carry out investigations and initial assessments, secure traces of attacks, identify vulnerabilities, clean up infections and restore systems.
- Managed Security Service Provider (MSSP): Managed security providers support the secure design or maintenance of IT systems if resources or know-how are lacking. Professional reviews of existing security concepts and optimisations in the network and infrastructure strengthen prevention and resilience against cyberattacks.
Guide to the right reaction to ransomware attacks
Our tip: The IKARUS guide “Ransomware attacks: Do‘s and Don’ts” shows which mistakes you should avoid at all costs, which measures and decisions have to be taken in an emergency and which questions and guidelines have to be clarified internally. Download now!
Security Services to protect against Ransomware
- IKARUS 24/4 incident.response (powered by Mandiant)
- IKARUS managed.defense (Security Services & Know-how)
- IKARUS mail.security mit ATP (Advanced Threat Protection)
- Cybereason Endpoint Security (mit EDR und MDR-Option)
- SECUTAIN Awareness-Kampagnen, Pakete, Beratung & Schulung
Do you have questions or are you looking for support?
Contact us at Tel. +43 1 58995-500 or firstname.lastname@example.org! We will be happy to advise and support you.