Previously we discussed National Data Center Hit by Ransomware, Perpetrators Demand Ransom. However, there is one more interesting thing for us to discuss, guys: BSSN appears to have discovered an attempt to deactivate the Windows Defender security feature, starting on June 17, 2024 at 23.15 WIB, which allowed malicious activity to take place.

As quoted by Tempo magazine, Ariandi explained that the ransomware works by disabling Windows Defender (the security system) so that malicious files can be installed on the system. The ransomware started to enter on June 17, and suspicious activity began to be detected on June 20, 2024 at 00.54.

The suspicious activity includes allowing malicious files to be installed on the system, deleting important files, and turning off running services. Files related to storage, such as VSS, Hyper-V Volume, VirtualDisk and Veeam vPower NFS, started to be disabled and could not run. Not long after, Windows Defender “was successfully disabled on June 20 2024 at 00.55 so it could no longer operate,” said Ariandi.
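The sequence described above (a Defender change attempt, then backup and storage services stopping, then Defender going off) can be triaged from Windows event logs. The Python below is an added example, not code from Tempo, BSSN or this article; the sample events are constructed, and the mapping of the reported activity to Defender event IDs 5001/5010/5012/5013 and Service Control Manager event 7036, along with the service display names, is an assumption.

```python
from datetime import datetime, timedelta

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
# Defender event IDs: 5001 real-time protection disabled, 5010/5012 scanning
# disabled, 5013 tamper protection blocked a settings change.
PROTECTION_OFF = {5001, 5010, 5012}
CHANGE_BLOCKED = {5013}
# Assumed display-name fragments for the services the article names.
WATCHED = ("Volume Shadow Copy", "Virtual Disk", "Veeam vPower NFS")

# Constructed events (time, channel, event ID, message), not real PDN logs.
SAMPLE = [
    ("2024-06-17 23:15", DEFENDER, 5013, "Tamper protection blocked a change."),
    ("2024-06-19 09:00", "System", 7036, "The Print Spooler service entered the stopped state."),
    ("2024-06-20 00:54", "System", 7036, "The Volume Shadow Copy service entered the stopped state."),
    ("2024-06-20 00:54", "System", 7036, "The Virtual Disk service entered the stopped state."),
    ("2024-06-20 00:54", "System", 7036, "The Veeam vPower NFS Service service entered the stopped state."),
    ("2024-06-20 00:55", DEFENDER, 5001, "Real-time protection is disabled."),
]


def triage(events, window=timedelta(minutes=30)):
    """Return (severity, time, reason) findings, oldest first."""
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), ch, eid, msg)
                    for t, ch, eid, msg in events)
    # Service Control Manager 7036: a watched backup/storage service stopped.
    stops = [t for t, ch, eid, msg in parsed
             if ch == "System" and eid == 7036 and "stopped state" in msg
             and any(name in msg for name in WATCHED)]
    findings = []
    for t, ch, eid, _ in parsed:
        if ch != DEFENDER:
            continue
        if eid in CHANGE_BLOCKED:
            findings.append(("medium", t, "Defender settings change was blocked"))
        elif eid in PROTECTION_OFF:
            near = sum(1 for s in stops if abs(t - s) <= window)
            # Protection loss next to backup/storage stops is the pattern to page on.
            severity = "critical" if near else "high"
            findings.append((severity, t, f"Defender protection off, {near} watched service stops within window"))
    return findings


if __name__ == "__main__":
    for severity, when, reason in triage(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M} [{severity}] {reason}")
```

In this constructed timeline the blocked change on June 17 is the earliest signal, days before protection is lost, which is why it is reported on its own rather than only as part of the correlated alert.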

PDN Uses Windows!

One of the interesting facts revealed is that the National Data Center that was successfully hacked appears to use Windows, possibly Windows Server. This is because LockBit 3.0, the ransomware that succeeded in infecting the system, is ransomware that works in the Windows ecosystem.

According to information from cisa.gov, LockBit 3.0 is able to bypass User Account Control (UAC) to execute code with elevated privileges via the elevated Component Object Model (COM) interface. Apart from that, according to cyber.gov.au, LockBit 3.0 ransomware is often delivered to victims' machines using PsExec, Windows Management Instrumentation (WMI), and RDP. Even more interesting, the perpetrators behind LockBit 3.0 used remote administration software such as AnyDesk, Splashtop, and Atera RMM to establish persistent access on the victim's network.

Windows Defender as Protection!

Winpoint has often discussed that Windows Defender is indeed suitable for system security; we can even activate its Ransomware Protections feature, which unfortunately is not active by default.


However, my question as an Indonesian citizen is, why do you need Windows Defender to secure important state data? There are many better anti-malware products out there, namely Kaspersky, Norton, BitDefender and many others, which have been tested and used at various levels of government in foreign countries.

And although Windows Defender is actually sufficient for the personal domain, for the country domain with super important data in it, it is worth spending extra money for additional protection.

Regarding this news, as reported by Tempo, Ariandi said that BSSN had succeeded in finding the source of the ransomware attack, named Brain Cipher Ransomware, which is a development of the LockBit 3.0 ransomware. Next, the ransomware samples will be subjected to further analysis involving other cyber security institutions.

According to Ariandi, BSSN will use this incident as an important lesson and work on mitigation so that similar incidents do not happen again in the future.

Well, let's hope that this incident can be an important lesson for both the government and us as citizens, because ransomware is indeed one of the most dangerous types of malware.

What do you think, gaesss? Comment below.

Via: Tempo


