By Clare O’Gara
Mon | Jun 22, 2020 | 5:30 AM PDT

We've seen it before: cybercriminals will always exploit a bad situation.

And COVID-19 created a perfect storm of "bad situations" for cybersecurity. A sharp increase in technological reliance, be it through eCommerce or remote work, heightens the risk of cyber threats.

Just ask Claire's, who recently experienced a malware attack linked to store closures.

According to Netherlands-based security company Sansec, one day after Claire's closed its 3,000 worldwide stores, hackers registered a malicious site to facilitate a Magecart cyber attack.

Now, the Cybersecurity and Infrastructure Security Agency (CISA) has a new warning about ransomware threat actors. And it has everything to do with remote work.

Ransomware campaign targets remote access

CISA can thank another acronym, CERT NZ, the New Zealand Computer Emergency Response Team, for this alert.

CERT NZ recently uncovered a ransomware campaign aimed directly toward remote work. These hackers access networks through remote access tools, such as Remote Desktop Protocol and virtual private networks (VPN). From there, they can exploit vulnerabilities and poor authentication practices.

And according to CISA's report on the advisory, this campaign has some serious movement:

"After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup."

While any network without secure remote access is at risk, CERT NZ does provide a few suggestions to help determine if your network was impacted:

"Check your remote access systems for any sign of unauthorised access. If any unauthorised access is detected, further investigation will be required to determine any lateral movement across the network.

If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):

• files with a .NEFILIM extension

• a file called NEFILIM-DECRYPT.txt may be placed on affected systems

• batch files created in C:\Windows\Temp"

All the more reason to stay on alert while many end-users continue to do jobs remotely.
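
The three Nefilim indicators in the CERT NZ quote above can be checked on a live host or a mounted disk image with a short sweep. The Python below is an added example, not code from CERT NZ, CISA or this article; the function name `sweep`, the hit labels, and the decision to count `.cmd` alongside `.bat` as a batch file are assumptions.

```python
import os
from datetime import datetime, timezone

RANSOM_NOTE = "nefilim-decrypt.txt"   # compared case-insensitively
ENCRYPTED_EXT = ".nefilim"
BATCH_EXTS = (".bat", ".cmd")         # assumption: .cmd counts as a batch file


def sweep(root, temp_dir):
    """Walk `root` and return (indicator, path, mtime_utc) tuples.

    `temp_dir` is the directory treated as C:\\Windows\\Temp; it is a
    parameter so the sweep also works on a mounted disk image.
    """
    temp_norm = os.path.normcase(os.path.abspath(temp_dir))
    hits = []

    def denied(err):
        # Record unreadable directories instead of silently skipping them.
        hits.append(("unreadable-directory", err.filename, None))

    for dirpath, _dirs, files in os.walk(root, onerror=denied):
        # Batch files only count when they sit directly in the Temp directory.
        in_temp = os.path.normcase(os.path.abspath(dirpath)) == temp_norm
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                kind = "ransom-note"
            elif lower.endswith(ENCRYPTED_EXT):
                kind = "encrypted-file"
            elif in_temp and lower.endswith(BATCH_EXTS):
                kind = "temp-batch-file"
            else:
                continue
            path = os.path.join(dirpath, name)
            try:
                ts = os.path.getmtime(path)
                mtime = datetime.fromtimestamp(ts, timezone.utc)
            except OSError:
                mtime = None  # file vanished or is unreadable; keep the hit
            hits.append((kind, path, mtime))
    return hits


if __name__ == "__main__":
    for kind, path, mtime in sweep("C:\\", r"C:\Windows\Temp"):
        when = mtime.isoformat() if mtime else "-"
        print(f"{kind:22} {when:26} {path}")
```

The `temp-batch-file` hits are the weakest of the three signals, since legitimate installers also write batch files to that directory; the timestamps are there so hits can be lined up against remote access logs.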

Ransomware alert mitigation practices

CERT NZ provided mitigation practices, which CISA shared in the United States.

In terms of prevention, CERT NZ says maintaining a network with secure remote access is the most critical step. It lists two other recommendations for mitigation:

"CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack, by making it harder for an attacker to move around your network. Well-configured backups are essential to recovery from any ransomware attack."