CISA Alerts in Ongoing Ransomware Exploiting Vulnerabilities in RDP and VPNs

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert regarding an on going Nefilim ransomware campaign, after the New Zealand Computer Emergency Response Team (CERT NZ) issuing an alert as well.

CISA Alerts Ransomware

Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks.

Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.

The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want they attempt to sell or publicly release the information.

Ransomware Mitigations to Help You Defend Today and Secure Tomorrow

The below recommendations are provided by the “CISA INSIGHTS Report”.  The three sets of straightforward steps any organization can take to manage their risk. 


Actions for Today – Make Sure You’re Not Tomorrow’s Headline:

1. Backup your data, system images, and configurations and keep the backups offline
2. Update and patch systems
3. Make sure your security solutions are up to date
4. Review and exercise your incident response plan
5. Pay attention to ransomware events and apply lessons learned

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:

1. Ask for help! Contact CISA, the FBI, or the Secret Service
2. Work with an experienced advisor to help recover from a cyber attack
3. Isolate the infected systems and phase your return to operations
4. Review the connections of any business relationships (customers, partners, vendors) that touch your network
5. Apply business impact assessment findings to prioritize recovery

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:

1. Practice good cyber hygiene; backup, update, whitelist apps, limit privilege, and use multifactor authentication
2. Segment your networks; make it hard for the bad guy to move around and infect multiple systems
3. Develop containment strategies; if bad guys get in, make it hard for them to get stuff out
4. Know your system’s baseline for recovery
5. Review disaster recovery procedures and validate goals with executives

Leave a Reply