author photo
By Bruce Sussman
Fri | Feb 21, 2020 | 6:43 AM PST

We don't typically report on cybersecurity issues happening in Switzerland, but this information is worth sharing.

The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) just issued an urgent security alert following a surge in ransomware attacks against Swiss-based companies.

The most significant part of this alert for IT and security teams? The Centre for Information Assurance found the same types of cybersecurity gaps at each of the companies recently hit by ransomware.

In other words, these are the vulnerabilities hackers will be looking for as a way to successfully attack your organization.

The companies studied in this case range from Small to Medium Enterprise (in the EU, this means fewer than 250 employees) to large companies. 

The 7 cybersecurity gaps found in companies hit by ransomware

Here are the types of shortfalls that appeared within a dozen Swiss organizations recently hit with ransomware:

1. Antivirus problems

"Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers). In a small number of cases, some servers did not even have any antivirus software installed. This can contribute significantly to the spread of malware within corporate networks."

2. Remote access problems

"Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter). This meant that the systems were very easily accessible and the attackers could easily penetrate unnoticed into company networks and install malware."

3. Discounting or ignoring outside warnings:

"Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies. Infections were therefore eliminated only partially or not at all, which in many cases led to complete encryption of the company network."

4. Backup problems

"Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted. In many cases, a company's activities could only be recovered with considerable effort, if at all."

5. Patch management problems

"Companies often do not have a clean patch and life cycle management. As a result, operating systems or software were in use that were either outdated or no longer supported. Attackers exploited the security vulnerabilities and thus gained access to the company network and other internal systems.

If an attacker has gained access to the network, inadequate patch and life cycle management also facilitates the further spread of malware within the network."

6. Network segmentation problems

"The networks were not divided (segmented), e.g. an infection on a computer in the HR department allowed the attacker a direct attack path to the production department."

7. Access Management problems

"Users were often given excessive rights, e.g. a backup user who has domain admin rights or a system administrator who has the same rights when browsing the internet as when managing the systems."

These types of problems remind us of a story we reported on a while ago, called Nightmare on Cybersecurity Street.

Swiss cybersecurity advice: stop paying the ransom...but...

The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) also urged the country's organizations to stop paying the ransom.

"As long as there are still companies that make ransom payments, attackers will never stop blackmailing."

But, if you do pay a hackers ransom, remember this:

"If a ransom payment is nevertheless being considered, it should be noted that although systems and data might be decrypted, the underlying infection from malware such as "Emotet" or "TrickBot" will remain active. As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware or steal sensitive data from it.

MELANI is aware of cases in Switzerland and abroad where the same companies have been victims of ransomware several times within a very short period of time."

And SecureWorld recently wrote about this: 10% of organizations who pay the hackers ransom report that hackers then demand a second ransom before sending decryption keys. See When Organizations Pay Ransom, What Do They Get In Return?

We've covered some common security problems in this article.

So what are cybersecurity best practices in Switzerland?

Well, they look a lot like best practices in the rest of the western world.

Check this out: Swiss Guide to Cybersecurity for SMEs