1.0 Introduction
Recently, the Cyber999 Incident Response Centre has received several reports of ransomware incidents targeting organisations in Malaysia, affecting sectors including business and education. As of 31 May 2025, 20 ransomware-related incidents have been reported to us this year, consistent with the broader global trend of increasing ransomware attacks and visible within our own constituency.
Notably, the ransomware variants reported to us this year are MedusaLocker, Akira, AnnoyRansomeware, Loki Locker, Bashe, HiddenTear and RALord.
The growing sophistication and frequency of ransomware attacks underscore the urgent need for organisations to strengthen their cybersecurity defences and incident response capabilities to mitigate these threats. CyberSecurity Malaysia urges all organisations to stay vigilant and proactively safeguard their systems against ransomware.
2.0 Impact
Ransomware can have the following impacts on an organisation, any of which can be devastating:
- Service interruption: customer-facing services may go offline, damaging trust and reputation.
- Compromised infrastructure: systems and network infrastructure are under attacker control, typically with privileged access obtained before encryption begins.
- Data encryption: files on infected systems are encrypted and the owner cannot access them unless a ransom (usually demanded in a cryptocurrency such as Bitcoin) is paid.
- System downtime: ransomware often encrypts critical data and systems, halting business operations.
- Data loss: business operations are disrupted by the temporary or permanent loss of sensitive or proprietary data belonging to the organisation.
- Data extortion: beyond financial gain from encryption, attackers steal sensitive data and use it as leverage. If the ransom is not paid within the deadline, the organisation's confidential data is exposed and trade secrets are compromised.
- Financial loss: some organisations may feel pressured to pay the ransom, which can be substantial, and restoring systems, conducting forensics and improving security are themselves very expensive.
- Reputational harm: a data breach affecting a government agency damages public trust in the government and in its digital transformation programmes.
3.0 Recommendations
3.1 Recommendations for System Administrators:
- Actively monitor for compromised credentials, particularly those leaked by infostealer infections, which frequently serve as the entry point for more serious attacks such as ransomware.
- Implement a credential revocation policy so that passwords known or suspected to be compromised are reset promptly, minimising the window in which a compromised account can be used.
- Promote the use of secure password managers and encourage employees to create strong, unique passphrases, avoid reusing passwords, and update them regularly.
- Enable multi-factor authentication (MFA) to provide an additional layer of security for access to critical systems and sensitive data.
- Enforce role-based access control and establish a formal authorisation policy that includes automatically disabling accounts after a period of inactivity and alerting IT personnel when an account records multiple failed login attempts.
- Regularly audit and review Active Directory (AD) to detect and remove backdoors, particularly compromised service accounts that hold elevated privileges.
- Additional recommendations for AD security:
  - Protect against compromised passwords: enforce strong password policies, ensure credentials are never stored reversibly, and rotate the passwords of privileged and service accounts so that a stolen or cracked password does not remain usable indefinitely.
  - Monitor and investigate: implement monitoring and logging to detect and investigate suspicious activity in Active Directory.
  - Review and update security settings: regularly review and update security settings, including Group Policy Objects (GPOs) and other security configurations.
  - Clean up Active Directory: regularly remove unused user accounts and computer objects to reduce the attack surface.
  - Encrypt data: encrypt sensitive data stored in Active Directory, such as attributes containing confidential information.
- Apply security patches and update antivirus software consistently to mitigate known vulnerabilities and reduce the attack surface.
- Perform daily data backups in multiple copies, verify their integrity through regular restore testing, and store backup copies securely at an offsite location.
- Conduct mandatory cybersecurity awareness training for all employees at least once a year to reinforce secure behaviours and response readiness.
- Educate staff to avoid downloading files or attachments from unknown or untrusted sources.
- Review and update the organisation's Disaster Recovery Plan (DRP) to ensure preparedness in the event of a security incident or system failure.
- Review and revise the Business Continuity Plan (BCP) as needed to maintain operational stability during and after a disruption.
- Disable RDP where it is not needed, as exposed RDP is one of the most commonly exploited initial-access vectors. Use Group Policy or the Windows Firewall to block inbound RDP (TCP port 3389).
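The following PowerShell script is an added example and is not part of the CyberSecurity Malaysia advisory. It turns four of the items above into something an administrator can run: it lists service accounts (user objects carrying a service principal name) that sit in privileged groups, lists enabled user and computer objects with no logon in the last 90 days, pulls recent account lockouts from the PDC emulator so they can be forwarded to IT, and blocks inbound RDP on the local host. It assumes a Domain Admin session on a domain-joined Windows host with the RSAT ActiveDirectory module and the built-in NetSecurity module; the group list, the 90-day threshold and the firewall rule name are choices made here, not values from the advisory.

```powershell
# Added example (not from the advisory): AD hygiene audit plus a per-host RDP lockdown.
# Assumptions: run as Domain Admin, RSAT ActiveDirectory module and NetSecurity module present;
# $PrivilegedGroups, $InactiveDays and the firewall rule name are chosen here.
Import-Module ActiveDirectory

$InactiveDays     = 90
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Service accounts (any user object with an SPN) that are members of a privileged group.
# An SPN makes the account Kerberoastable; privileged membership turns a cracked
# password into a domain-wide backdoor, so these are the first accounts to review and rotate.
function Get-PrivilegedServiceAccounts {
    $privilegedSids = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SID.Value }
    }
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate |
        Where-Object { $privilegedSids -contains $_.SID.Value } |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
                      @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

# Enabled user and computer objects with no logon in the last $InactiveDays days:
# candidates for disabling now and deleting once the owner confirms they are unused.
function Get-StaleAccounts {
    $span = New-TimeSpan -Days $InactiveDays
    [pscustomobject]@{
        Users     = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
                        Where-Object { $_.Enabled }
        Computers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
                        Where-Object { $_.Enabled }
    }
}

# Account lockouts (Security event ID 4740) in the last $Hours hours. Lockouts are always
# recorded on the PDC emulator, so that is the DC to query. Schedule this and mail the
# output to IT to satisfy the "alert after multiple failed login attempts" item.
function Get-RecentLockouts {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = $_.Properties[0].Value   # TargetUserName
                SourceHost = $_.Properties[1].Value   # TargetDomainName (caller computer)
            }
        }
}

# Per-host RDP lockdown: refuse Terminal Services connections and add an explicit inbound
# block for TCP 3389 so the listener stays unreachable even if someone re-enables it.
# For fleet-wide enforcement put the same firewall rule into a Group Policy Object.
function Block-InboundRdp {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    $ruleName = 'Block inbound RDP (ransomware hardening)'   # assumption: rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                            -LocalPort 3389 -Action Block -Profile Any | Out-Null
    }
    # Verification: the rule exists, is enabled and its action is Block.
    Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
}

'== Service accounts in privileged groups =='
Get-PrivilegedServiceAccounts | Format-Table -AutoSize
'== Enabled accounts inactive for more than {0} days ==' -f $InactiveDays
$stale = Get-StaleAccounts
$stale.Users     | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$stale.Computers | Select-Object Name, LastLogonDate           | Format-Table -AutoSize
'== Account lockouts in the last 24 hours =='
Get-RecentLockouts | Format-Table -AutoSize
'== RDP lockdown on this host =='
Block-InboundRdp | Format-Table -AutoSize
```

Run the audit part from any administrative workstation, but run Block-InboundRdp only from a console or out-of-band management session, never over the RDP connection it is about to cut. Review the privileged service account list before rotating anything: resetting a service account password without updating the service that uses it causes an outage of its own, and accounts with stale LastLogonDate values should be disabled first and deleted only after a grace period.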
3.2 Recommendations for Internet users:
- Use strong, complex, and unique passwords for each online account to minimise the risk of credential compromise.
- Ensure that Wi-Fi and network passwords are secure, updated regularly, and not shared with unauthorised individuals.
- Remain vigilant against phishing attacks by avoiding unsolicited links or attachments received via social media, messaging apps, or email.
- Practice safe browsing habits, and regularly back up important data to prevent data loss due to malware or accidental deletion.
- Only download software and applications from trusted and verified sources, such as official websites or app stores.
- Be cautious of applications circulated via social media platforms, especially those that appear suspicious or too good to be true.
- Install and maintain up-to-date antivirus or antimalware software to help detect and block potential threats.
- Regularly apply operating system and software updates to address known security vulnerabilities.
- Contact relevant authorities such as CyberSecurity Malaysia for guidance or to report suspected cyber threats and incidents.
- Report suspicious advertisements, links, or malicious content to the appropriate service provider or social media platform to help prevent further distribution.
In general, CyberSecurity Malaysia advises users to keep up to date with the latest security announcements from their vendors and to follow best-practice security policies when deciding which updates to apply.
For further enquiries, please contact us through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.cybersecurity.my
4.0 References