A new strain of ransomware, dubbed Qilin, is targeting VPN networks with stolen or harvested credentials. These VPN networks lack basic multi-factor authentication requirements! With Qilin, this leads to quick and easy compromise of VPN networks, deletion of backups, and ransomware deployment. But don’t worry—we now turn to steps you can take to protect yourself and your organization from this threat.
What Makes Qilin Ransomware Different?
Qilin ransomware isn’t just another piece of malware; it’s a highly refined attack designed to bypass traditional security defenses. Once past VPN services, Sophos researchers state Qilin finds your domain controller and deploys a credential harvesting script. This script specifically targets Google Chrome’s stored passwords from authenticating users. Within a day or two, enough credentials are harvested to delete backups, exfiltrate data, and cause additional harm. Once backups are deleted Qilin encrypts critical files and demands a ransom for their release.
The cleverness of Qilin lies in how it enters, lands, and expands. Sophos security researchers did not detail whether there is an exploit being used on domain controllers to breach them. It’s possibly another credential replay attack on the DCs to install the GPO script. Either way, collecting credentials through a GPO script is a new tactic for ransomware malware, making this very dangerous. It also makes recover more expensive as all credentials need to be reset in addition to many other recovery measures.
The truth is, every VPN should require MFA. It is really a terrible tragedy when IT does not put MFA on a VPN or removes it for certain special people. Let’s look at ways to protect yourself from Qilin now.
How to Protect Yourself from Qilin and Other Ransomware Attacks
While the threat of ransomware is alarming, you can take proactive steps to safeguard your company from Qilin and similar threats. Prevention starts with the VPN measures below, but extends to adopting password managers, segmenting backup networks, and more. Let’s look at the best practices that will serve you well next.
Strengthen Your VPN Security:
- First, and foremost, use Multi-Factor Authentication (MFA): Implement MFA for VPN access always and everywhere. Make NO exceptions on ANY account for anyone (not even the CEO or CFO). This adds an extra layer of security by requiring users to verify their identity through multiple channels.
- Regularly Update and Patch: Ensure that your virtual private network (VPN) software and all connected devices are up-to-date with the latest security patches. Cybercriminals often exploit vulnerabilities in outdated software.
- Limit Access: Only allow necessary personnel to access your VPN. Regularly review and adjust access permissions to minimize potential entry points for attackers.
Use a Password Manager:
- Disable Chrome Browsers ability to manage and store passwords. There is a GPO method for doing this – Chrome ADMX Templates – check Google for help with Chrome and Microsoft for help with the GPO commands.
- Generate Strong, Unique Passwords: Password managers can create and store complex passwords for each of your accounts, reducing the risk of unauthorized access through weak or reused passwords.
- Auto-Fill Credentials: With a password manager, you can securely auto-fill your login details, avoiding phishing attempts that trick you into entering credentials on fake websites.
- Manage Access Securely: A password manager allows you to easily update and revoke access as needed, ensuring that only authorized personnel can access sensitive systems.
Enhance Your Network Security:
- Segregate Networks: Divide your network into segments, so that if one area is compromised, the attacker’s access to the rest of the network is limited. This is especially helpful for Backup servers. Segregate them off the normal production network whenever possible.
- Monitor for Unusual Activity: Use advanced monitoring tools to detect unusual behavior within your network, such as unexpected data transfers or access from unfamiliar IP addresses.
- Deploy Endpoint Protection: Ensure that all devices connected to your network have robust antivirus and anti-malware software installed.
Backup Your Data Regularly:
- Use Multiple Backup Methods: Employ both on-site and cloud backups to ensure your data is safe even if one method fails. Better yet, follow the 3-2-1 Backup methodology.
- Test Your Backups: Regularly test your backups to make sure they can be restored quickly and efficiently. A backup that can’t be restored is as good as no backup at all.
- Keep Backups Offline: Store at least one copy of your backups offline to protect against ransomware that targets backup systems.
Educate Your Team:
- Cybersecurity Awareness Training: Regularly train your employees on the dangers of ransomware and the importance of cybersecurity best practices.
- Phishing Simulations: Conduct positive and educational phishing simulations to help employees easily recognize and avoid phishing emails. Here’s a 1 minute overview video of a better way to Phish from CyberHoot’s.
Develop an Incident Response Plan:
- Have a Plan in Place: Develop and regularly update an incident response plan that outlines the steps your organization will take in the event of a ransomware attack.
- Conduct Drills: Regularly practice your incident response plan with drills to ensure everyone knows their role and can act quickly under pressure.
Prevention is Key
The best defense against ransomware is a strong, multi-layered approach that combines technology, education, and preparedness. By taking these steps, you can significantly reduce the likelihood of falling victim to the Qilin ransomware or any other similar threat.
Remember, cybercriminals are always looking for new ways to infiltrate networks and steal data. Staying informed and proactive is your best bet to keep your data safe and your organization secure.
In the face of evolving threats like Qilin, it’s not just about reacting to an attack—it’s about preventing it from happening in the first place. Stay alert, stay informed, and stay secure.