Source: Ministry of education information & communication security contingency platform
Publication Number: TACERT-ANA-2025021103022727
Publication Time: 2025/02/11 15:30
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/02/11 15:30
Impact Level: Medium
[Subject] 【Attack Alert】Recent Increase in Ransomware Attacks – Strengthen Preventive Measures
[Content]
Recent incidents show an increase in ransomware attacks against schools and hospitals. Attackers first compromise system administrators' computers, use them for lateral movement, and then deploy ransomware to internal hosts, resulting in service disruptions and encrypted data on multiple machines. One case involved a hospital hit by the Crazy Hunter ransomware. The following malicious executables were identified in that incident:
• bb.exe
• crazyhunter.exe
• crazyhunter.sys
• zam64.sys
• go3.exe
• go.exe

Prevention is key to mitigating ransomware attacks. All organizations are advised to strengthen their data backup strategy, including offline backups. Regular security assessments of all internal servers, timely operating system updates, and automated backup solutions are also essential. Account and password security should be reinforced through regular password changes and increased password complexity, and administrators should not reuse the same credentials to manage multiple servers.

Information Sharing Level: WHITE (information content can be publicly disclosed)
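As an added example (not part of the TACERT advisory), the following script triages file names against the six Crazy Hunter executable names listed above and also flags the deceptive extensions the advisory warns about in its recommended actions. It assumes that the "reverse order" extensions (exe.pdf, rcs, moc) come from the Unicode right-to-left override character embedded in a file name, which makes a name such as `invoice<RTLO>fdp.exe` display as `invoiceexe.pdf`; the helper and sample paths are constructed for illustration.

```python
"""Added example (not part of the TACERT advisory): triage file names
against the Crazy Hunter executable names listed in the advisory and
flag deceptive extensions. Sample paths at the bottom are constructed."""
import re

# Executable names listed in the advisory; matched case-insensitively.
CRAZY_HUNTER_IOCS = frozenset({
    "bb.exe", "crazyhunter.exe", "crazyhunter.sys", "zam64.sys", "go3.exe", "go.exe",
})

# Extensions Windows treats as executable no matter how the name is displayed.
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "lnk", "sys", "bat", "cmd"})
# Document-style extensions typically used as the visible decoy.
DOCUMENT_EXTS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip"})

# Right-to-left override: text after it is drawn reversed, so the real
# extension appears in "reverse order" (assumption: this is the trick
# behind the advisory's exe.pdf / rcs / moc examples).
RTLO = "\u202e"


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def displayed_name(name: str) -> str:
    """How a file manager renders a name containing RTLO:
    'invoice\\u202efdp.exe' is shown as 'invoiceexe.pdf'."""
    head, override, tail = name.partition(RTLO)
    return head + tail[::-1] if override else name


def real_extension(name: str) -> str:
    """The extension the OS actually uses, ignoring any override character."""
    clean = basename(name).replace(RTLO, "").lower()
    return clean.rsplit(".", 1)[-1] if "." in clean else ""


def triage_filename(path: str) -> list:
    """Return the reasons a file name is suspicious; an empty list means none."""
    base = basename(path)
    clean = base.replace(RTLO, "").lower()
    reasons = []

    if clean in CRAZY_HUNTER_IOCS:
        reasons.append("matches advisory IoC name")

    if RTLO in base:
        reasons.append(
            f"right-to-left override: real extension .{real_extension(base)}, "
            f"displayed as {displayed_name(base)!r}"
        )

    parts = clean.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")

    return reasons


def scan(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    return {p: triage_filename(p) for p in paths if triage_filename(p)}


# Constructed sample: a mix of clean and suspicious names.
SAMPLE_PATHS = [
    r"C:\Users\admin\Documents\budget_2025.xlsx",
    r"C:\Windows\Temp\CrazyHunter.exe",
    r"C:\Windows\System32\drivers\zam64.sys",
    "invoice\u202efdp.exe",
    r"C:\Users\staff\Downloads\report.pdf.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

A name match on its own is a weak indicator (the attacker can rename the binaries), so in practice the list is a quick first pass over file-server and endpoint inventories that should be followed by hash or EDR telemetry checks; the RTLO and double-extension checks, by contrast, are independent of this particular campaign and are worth running on every mail attachment.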
[Affected Platform] All
[Recommended Actions]
1. Perform regular security updates for both operating systems and antivirus software. If an update cannot be applied, deploy appropriate compensating protections.
2. Beware of suspicious emails and verify the sender before opening attachments. Scan emails and attachments for malware. Example: before opening a file, scan the attachment with antivirus software, verify the file type, and be cautious of anomalies (e.g., exe.pdf, exe.doc, pdf.zip, lnk, rcs, exe, moc) that may indicate an executable extension written in reverse order.
3. Implement network segmentation and isolation to reduce the number of hosts exposed to an intrusion.
4. Enhance monitoring of high-privilege accounts, including:
   • Disabling accounts with excessive failed login attempts
   • Logging login activities
   • Detecting suspicious behavior
5. Adopt multi-factor authentication (MFA).
6. Regularly back up files following the 3-2-1 backup rule:
   • 3 copies of the data
   • 2 different storage media
   • 1 copy stored offsite
7. Deploy Endpoint Detection and Response (EDR) on critical systems to detect and investigate suspicious activity on hosts and endpoints before ransomware can be deployed.
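Recommended action 4 asks for failed-login monitoring of privileged accounts. As an added example that is not part of the advisory, the script below counts failed logons per account inside a sliding time window and reports the accounts that cross a threshold, together with the source addresses involved and whether a successful logon followed the burst (the pattern seen when a compromised administrator workstation is used for lateral movement). The log line format, the threshold and the sample lines are all constructed for illustration; adapt the regular expression to your own authentication logs.

```python
"""Added example (not part of the TACERT advisory): flag accounts with
excessive failed logons inside a sliding window. The log format and the
sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape: ISO timestamp, event name, account, source address.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON_FAILURE|LOGON_SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2025-02-11T14:00:05 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:00:31 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:01:02 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:01:40 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:02:15 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:02:50 LOGON_FAILURE user=admin src=10.10.5.23
2025-02-11T14:03:20 LOGON_SUCCESS user=admin src=10.10.5.23
2025-02-11T14:05:00 LOGON_FAILURE user=jdoe src=10.10.7.8
2025-02-11T14:06:00 LOGON_SUCCESS user=jdoe src=10.10.7.8
2025-02-11T13:00:00 LOGON_FAILURE user=svc_backup src=10.10.9.1
2025-02-11T13:15:00 LOGON_FAILURE user=svc_backup src=10.10.9.1
2025-02-11T13:30:00 LOGON_FAILURE user=svc_backup src=10.10.9.1
2025-02-11T13:45:00 LOGON_FAILURE user=svc_backup src=10.10.9.1
2025-02-11T14:00:00 LOGON_FAILURE user=svc_backup src=10.10.9.1
2025-02-11T14:07:00 SERVICE_START name=backup
"""


def parse_events(lines):
    """Parse log lines into (timestamp, event, user, src); skip lines that do not match."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]))
    return events


def accounts_to_lock(lines, threshold=5, window_minutes=10):
    """Accounts with at least `threshold` failures inside any window, with context."""
    window = timedelta(minutes=window_minutes)
    failures, successes, sources = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, event, user, src in parse_events(lines):
        if event == "LOGON_FAILURE":
            failures[user].append(ts)
            sources[user].add(src)
        else:
            successes[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()  # log lines are not guaranteed to arrive in order
        best, span, start = 0, None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (times[start], t)
        if best >= threshold:
            flagged[user] = {
                "failures": best,
                "from": span[0],
                "to": span[1],
                "sources": sources[user],
                # a success right after a burst of failures is the strongest signal
                "success_after": any(s >= span[1] for s in successes[user]),
            }
    return flagged


if __name__ == "__main__":
    for user, info in accounts_to_lock(SAMPLE_LOG.splitlines()).items():
        print(f"DISABLE {user}: {info['failures']} failures "
              f"{info['from']:%H:%M}-{info['to']:%H:%M} from {sorted(info['sources'])}, "
              f"success afterwards: {info['success_after']}")
```

With the defaults, only `admin` is reported (six failures in under three minutes, then a success from the same host); `svc_backup` fails once every fifteen minutes and never fills a ten-minute window, which is why the threshold and window should be tuned per account class rather than set globally. The returned dictionary is meant to feed the disable step in action 4, for example an AD or LDAP account-disable call, and the logging step is satisfied by keeping the raw lines that `parse_events` reads.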
[Reference]