Whilst we do not yet know if this attack by BlackCat on the Austrian federal state of Carinthia was targeted or random, we do know that government services store mission-critical data and typically do not have security budgets as large as those of the private sector. Moreover, since they are not a ‘business’ in the strict sense, attackers might assume they will be more willing to pay a demanded ransom, making them an enduring target for cyber criminals.
The main reason attacks like this one succeed, however, is the lack of real-time protection against the propagation stage, in which the attacker uses compromised credentials to spread to other systems in the environment and plant the ransomware payload on them as well.
Consequently, attacks like this must lead security teams to start asking themselves the tough (but productive) questions – am I protected against a compromised credentials attack? Do I have MFA policies for all my users and resources? Can I monitor and protect my privileged users, including service accounts?
In turn, the answers will enable them to act accordingly, investing in both proactive reduction of the attack surface and continuous monitoring of their users’ passwords and authentications, as well as in real-time response to live threats in the form of MFA and access blocking.