Evidence gathered by cybersecurity experts shows that even after a ransomware attack has been dealt with, the perpetrators continue their reconnaissance of the victim. In the recently concluded Maze ransomware attack on ST Engineering's VT San Antonio Aerospace (VT SAA), an internal incident report that had circulated within the company's network was leaked on the dark web, indicating that the attackers still had access to, and some control over, the network.
VT San Antonio Aerospace is a well-regarded aerospace company working on cargo and commercial aircraft. The Maze attackers gained entry through vulnerable remote desktop services and VPN software. Over weeks of planning and lurking in the network, they deployed tooling such as Trickbot, Mimikatz and PowerShell Empire, which monitored the company's operations and quietly exfiltrated the gathered intelligence to attacker-controlled servers. The company reported that the incident was isolated, that a rigorous investigation is under way, and that customers whose information may have been compromised are being kept informed.
However, the leaked memorandum from the attackers is a warning to every company, and to large enterprises in particular, that a ransomware incident can be followed by further or extended attacks. The cybersecurity community has suggested a few mitigation steps for this aftermath:
- Once ransomware is detected, isolate the network (a full shutdown if necessary) to stop the perpetrators from continuing to extract data from the compromised systems.
- Rigorously investigate and scrutinize every data store and device that may have been infected.
- Immediately audit credentials and change passwords, especially for accounts with elevated access, as these are the perpetrators' main targets for gaining full control of the network.
- Use a secure out-of-band communication channel for everyone involved in the clean-up, so that attackers still present in the network cannot learn the mitigation plan and devise countermeasures.
- Completely reload or reinstall systems from a known-good, uncompromised source to ensure that no remnants of the malware remain.
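As an added example, not code from the original article or from VT SAA's own response, the credential step above can be driven by a PowerShell script like the one below. It audits every user in the privileged Active Directory groups, flags those whose password predates the assumed intrusion window, and, only when run with -Rotate, resets those passwords and the krbtgt secret (the key Mimikatz golden tickets are forged from). It assumes the RSAT ActiveDirectory module and Domain Admin rights; the group list, the 45-day dwell-time assumption and the report path are placeholders to adjust.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the original article or from VT SAA.
  Audits privileged AD accounts and, with -Rotate, resets their passwords
  and the krbtgt secret after a suspected compromise.
  Assumptions: RSAT ActiveDirectory module, Domain Admin rights, and the
  placeholder group list, intrusion date and report path below.
#>
param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                    'Schema Admins', 'Administrators',
                                    'Account Operators', 'Backup Operators'),
    [datetime]$IntrusionStart = (Get-Date).AddDays(-45),   # assumed dwell time
    [string]$ReportPath = "$env:TEMP\privileged-accounts.csv",
    [switch]$Rotate                                        # dry run unless set
)

Import-Module ActiveDirectory

function New-RandomPassword([int]$Length = 24) {
    # 64-character alphabet so that (byte % 64) carries no modulo bias.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# 1. Enumerate every user holding elevated rights, including nested membership.
$privileged = @(foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName `
                -Properties PasswordLastSet, LastLogonDate, Enabled |
                Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
                              @{ Name = 'Group'; Expression = { $group } }
        }
})
$privileged | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} privileged memberships written to {1}" -f $privileged.Count, $ReportPath)

# 2. Any enabled account whose password predates the intrusion window is
#    treated as stolen (Mimikatz dumps whatever was cached on the hosts it ran on).
$stale = @($privileged |
    Where-Object { $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $IntrusionStart) } |
    Sort-Object SamAccountName -Unique)
Write-Host ("{0} accounts have passwords older than {1:yyyy-MM-dd}" -f $stale.Count, $IntrusionStart)

if (-not $Rotate) {
    Write-Host 'Dry run; re-run with -Rotate to reset these credentials.'
    return
}

# 3. Reset each account to a random password and force a change at next logon.
#    Exclude service accounts from $stale first if they cannot tolerate a reset.
foreach ($account in $stale) {
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $account.SamAccountName -Reset -NewPassword $secret
    Set-ADUser -Identity $account.SamAccountName -ChangePasswordAtLogon $true
    Write-Host "Reset $($account.SamAccountName)"
}

# 4. Reset krbtgt once now. A second reset is needed after the new key has
#    replicated and the maximum ticket lifetime (10 hours by default) has
#    elapsed; until then, previously forged Kerberos tickets stay valid.
$krbtgtSecret = ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $krbtgtSecret
Write-Host 'krbtgt reset once; schedule the second reset after replication.'
```

Run it first without -Rotate to review the CSV and the list of stale accounts; the dry run is the audit, and the reset is deliberately gated behind the switch so that an isolated, partly reimaged domain is not locked out by accident. Coordinate the second krbtgt reset over the out-of-band channel described above rather than over the compromised network.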
Every IT security officer must avoid complacency and remain vigilant for possible attacks and their aftermath.
Consistently maintain a continuity plan and invest in sophisticated security tooling, alongside diligent awareness training for every employee; this matters all the more now that attackers are collaborating to make their attacks more destructive and more successful. Random system checks and maintenance are also advised, since the malware is said to come equipped with countermeasures against routine scheduled tasks. The perpetrators are always thinking ahead, and security administrators must do the same or face the resulting loss and damage.