Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang. Some documents claimed to be stolen from Sol Oriens were posted on the REvil website on the Darkweb, including some sensitive personal information about employees and payroll. A spokesperson for Sol Oriens stated that they became aware of a security incident in May 2021 and that they are aware that some documents were stolen.
Ransomware threat actors are becoming increasingly bold. The best practices for defending against this threat are to have employees well trained to spot and report phishing emails, use an enterprise email filtering solution, keep up to date with patches of security vulnerabilities in software, use EDR and implement behavioral detections that could detect the first stage of the attack before ransomware is deployed. To prepare for mitigation and recovery, it is important to maintain proper backups, keeping three copies of backup data with two on separate media devices and one off-site, and have a robust incident response plan to help get your organization back up and running quickly if a ransomware attack happens despite these measures. Also, as the article mentions, RDP exposed to the Internet is one of the most common methods of breaching a network, so if possible don’t expose this service to the Internet such that it could be brute-forced by a threat actor. It is better to protect RDP behind a VPN with two-factor authentication and client certificates required to connect to the VPN server.