On August 3, 2018, an ordinary Friday evening, T Company, a global semiconductor leader long regarded as a cybersecurity model, was installing a new server at a wafer fab in Hsinchu, scheduled to go online over the weekend. However, the virus scan prescribed by the original SOP was not performed before the server was connected to the network. Once the server was started, the hidden WannaCry variant automatically scanned every host within the same network, targeting port 445 to exploit the EternalBlue vulnerability and spread the infection.
Within a few hours, because all of T Company’s factories were connected on the same production network, the WannaCry variant spread rapidly to the Hsinchu, Central, and Southern Science Park factory areas. The main infected computers were running Windows 7, and production lines across Taiwan suffered a major shutdown. The revenue loss amounted to a shocking NT$5.2 billion, the highest financial loss from a cybersecurity incident in Taiwan’s history. The incident alarmed global media and analysts, delayed the shipment schedule of the new iPhone, and provided a significant cybersecurity lesson worldwide.
The Threat of Targeted Ransomware Is Far More Terrifying Than You Can Imagine
Ransomware has long been a leading threat to corporate cybersecurity, with the average ransom demand increasing from hundreds to tens of thousands of dollars over the past decade, and in some cases, even reaching hundreds of thousands of dollars. According to research, the manufacturing industry, government entities, and educational institutions are the top three victims of targeted ransomware attacks.
In 2023, regardless of whether a ransom is paid, the estimated average loss per incident exceeds 5 million US dollars, with total losses exceeding 30 billion US dollars. The analysis report also indicates that Taiwan experienced a rapid increase in malicious threats in the first half of 2023, nearly 80% more than in the same period of the previous year: on average nearly 15,000 attacks per second, the highest in Asia-Pacific. Enterprises therefore constantly face the risk of production line interruptions and sensitive data leaks.
When the perimeter defense is breached, or when a new unit (such as T Company’s new machine, or an accidentally inserted USB flash drive carrying a virus) is activated inside the network and becomes infected, the first compromised host appears. Without adequate internal network defense, the ransomware quietly lurks in the network for an extended period. It often uses unattended user-end devices as a springboard, moving laterally across the internal network to spread and gradually infect every device. By the time the enterprise detects the malicious software, the real attack has already been launched and every device on the internal network is fully compromised, resulting in irreparable losses.
Small and Medium-Sized Enterprises with Insufficient Resources Often Become the Main Targets of Attacks
Small and medium-sized enterprises (SMEs) make up over 98% of all businesses in Taiwan, and many operate between 10 and 250 computers. Inadequate cybersecurity measures, including limited resources and budget, understaffing, numerous outdated devices with unpatched vulnerabilities, difficulty recruiting professionals for malware detection and investigation, and an inability to absorb the cost of business downtime, make SMEs primary targets. Physical storage devices such as NAS and servers, and services within the local area network, are frequently easy targets for attackers.
Analyzing and inspecting network traffic is the most basic requirement in information security. In traditional SME network architectures, cybersecurity devices are deployed in front of the core switch, between the edge of the local network and the core switch, so they cannot detect malicious software activity deeper inside the local network, where traffic between hosts never passes through them. Common remedies are installing antivirus software on PCs and servers, or connecting NAS and other servers directly behind the cybersecurity device. The former reduces computer performance and requires periodic virus-definition updates and scheduled scans, which costs IT staff productivity; the latter is unsuitable for NAS and other servers that require extremely high transfer performance, because traditional cybersecurity devices scan all traffic and easily slow the network down.
Not Only IT, But Also OT
Besides IT, T Company’s incident also exposed security issues in the OT (Operational Technology) domain, that is, the security of factory production and manufacturing systems. The most important principle in planning OT networks is to ensure the stable operation of manufacturing equipment and allow managers to control the manufacturing process in real time to maximize production efficiency. Cybersecurity has therefore never been a major consideration for OT: installing protection software on manufacturing equipment often has a larger negative impact on production efficiency than the perceived risk of an attack on the system.
In addition, many OT devices run old operating systems (such as Windows XP) without the necessary security patches and are thus highly vulnerable. OT devices frequently use a large number of non-standard components, and even when the operating system vendor releases patches, the personnel responsible for OT often cannot install them independently and must rely on the original equipment manufacturer for updates, making it difficult to respond quickly to rapidly evolving threats. Only by adding an extra layer of protection can the production line be effectively prevented from being forced to shut down by a virus attack.
ADRA NDR Software Actively Guards Against Blind Spots in Traditional Cybersecurity Solutions
As a professional network storage manufacturer, QNAP is well aware of the risks of targeted ransomware attacks and has deployed a new defense line called ADRA NDR (Network Detection & Response) at the access switch. It can be flexibly installed on both QGD-1600P and QGD-1602P PoE switches, positioned in front of QNAP and other brands’ NAS, other servers, and client devices. It uses efficient Threat Watch for selective fast screening of a portion of network traffic without slowing it down, and Threat Trap to simulate common network services as decoys for early detection of lateral movement by targeted ransomware and other malicious software within the network. Coupled with in-depth threat analysis and threat correlation analysis, as well as precise, small-scale automatic blocking of infected devices, it prevents targeted ransomware and other malicious software from spreading within the network and ensures the security of enterprise information.
The ability to respond quickly is even more crucial in defending against targeted ransomware. The QGD series switches are equipped with network management functions and PoE (Power over Ethernet) power supply and allow administrators to easily connect to or replace existing access switches. With minimal, quick adjustments to the network structure, ADRA NDR can be introduced through QGD switches to immediately protect critical servers. It also allows timely detection of hidden potential threats and concealed internal network spread among the many networked devices that cannot install security software. The QGD-1602P goes a step further by providing 10GbE and 2.5GbE high-speed network ports, which can be used for uplinking to aggregation switches or connecting to QNAP 10GbE NAS and other high-speed devices to enhance both cybersecurity and overall network performance.
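To make the two detection ideas in the preceding paragraphs concrete, here is a small added example (not QNAP’s code; ADRA NDR’s internals are not described on this page) that screens access-layer flow records for the lateral-movement pattern described in the T Company incident: one host fanning out to many internal hosts on port 445 within a short window, and any host touching a decoy address that offers no legitimate service. The flow log, the decoy address and the thresholds are all constructed for illustration.

```python
"""Flag east-west SMB fan-out and decoy contact in access-layer flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (timestamp, source, destination, dst port);
# not a real capture. 10.0.1.50 behaves like a freshly infected server.
SAMPLE_LOG = """\
2018-08-03T19:00:01 10.0.1.50 10.0.1.51 445
2018-08-03T19:00:01 10.0.1.50 10.0.1.52 445
2018-08-03T19:00:02 10.0.1.50 10.0.1.53 445
2018-08-03T19:00:02 10.0.1.50 10.0.1.54 445
2018-08-03T19:00:03 10.0.1.50 10.0.1.55 445
2018-08-03T19:00:03 10.0.1.50 10.0.1.77 445
2018-08-03T19:00:04 10.0.1.50 10.0.1.200 445
2018-08-03T19:05:00 10.0.1.20 10.0.1.10 445
2018-08-03T19:06:00 10.0.1.21 10.0.1.10 445
2018-08-03T19:10:00 10.0.1.22 10.0.1.10 443
"""

# Hypothetical decoy address: nothing legitimate lives here, so any contact
# with it is suspicious (the "Threat Trap" idea, simplified).
DECOYS = {"10.0.1.200"}
FANOUT_THRESHOLD = 5            # distinct internal hosts reached on port 445...
WINDOW = timedelta(seconds=60)  # ...within this sliding time window


def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect(flows, threshold=FANOUT_THRESHOLD, window=WINDOW, decoys=DECOYS):
    """Return {source_ip: set(reasons)} for hosts showing lateral-movement signs."""
    alerts = defaultdict(set)
    smb_history = defaultdict(list)  # src -> [(time, dst)] for port-445 flows
    for ts, src, dst, port in sorted(flows):
        if dst in decoys:
            alerts[src].add("decoy-contact")
        if port != 445:
            continue
        hist = smb_history[src]
        hist.append((ts, dst))
        while hist and ts - hist[0][0] > window:  # expire old events
            hist.pop(0)
        if len({d for _, d in hist}) >= threshold:
            alerts[src].add("smb-fanout")
    return dict(alerts)


if __name__ == "__main__":
    print(detect(parse_flows(SAMPLE_LOG)))  # only 10.0.1.50 is flagged
```

The normal clients (10.0.1.20 to .22) each talk to a single file server and are not flagged, which is the property a selective screen needs to avoid blocking legitimate NAS traffic.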
When Computer Equipment Is Confirmed to Be Infected, Use QNAP NAS to Quickly Restore Computers and Servers
As the saying goes, ‘It’s never too late to mend’. When ADRA NDR detects high-risk internal network spread, isolate the infected device and perform a thorough scan of the computer. Administrators can then use QNAP NAS’s comprehensive backup solutions, NetBak PC Agent, Hyper Data Protector (HDP), and Snapshot, with manual or automated NAS backups, to quickly restore employees’ workstations and the services needed for company operations to a previous clean point in time. This significantly reduces the cost in time and manpower.
The ADRA NDR solution is QNAP’s targeted strategy against ransomware. It introduces a new layer of defense beyond traditional security measures. Initially it aims to protect QNAP NAS from malicious software threats, but it is also compatible with other brands’ NAS and servers, and offers protection that is not limited to small and medium-sized enterprises, whether IT or OT. It helps businesses of all industries and scales defend collectively against threats such as ransomware that encrypts sensitive data and data leakage. For as low as $399 per year, you can immediately upgrade a QGD switch to an ADRA NDR cybersecurity device. Quickly detect threats and strengthen defenses: the time is now!
Learn more about ADRA NDR: https://www.qnap.com/go/product/series/adra-ndr