Ransomware victims: schools and businesses

Although Estonia once again avoided society-wide ransomware attacks last year, some businesses, schools and a dental clinic found their systems infiltrated and their data locked.

A ransomware attack is one of the most distressing forms of cyberattack as it can halt an organisation’s operations and jeopardise personal data. While the global number of ransomware attacks and the associated damages increased in 2024, the data available to us suggests a different trend in Estonia. CERT-EE registered around 10 ransomware incidents, fewer than in previous years. However, it is important to note that many victims do not report such incidents.

Two schools, two different outcomes

In 2024, two Estonian schools fell victim to ransomware attacks.

At the beginning of June, during the busy exam period, Tallinn Health Care College had to manage the aftermath of an attack. The attacker encrypted approximately 1.5 terabytes of data on the school’s server, including files belonging to more than 200 staff members and students.

Fortunately, the school had a recent backup, enabling them to restore the files and services by the next day.

Two weeks before the start of the new school year, on 16 August, staff at Järvamaa Vocational Training Centre discovered that all data on the school’s servers had been encrypted.

This attack caused more significant damage, as there was no backup of the data.

Attacks that halted business operations

At the end of July, a ransomware attack hit a small company in Tartu, and the attackers encrypted files on four computers. The attack disrupted the company’s regular operations.

About a week later, ransomware halted operations at a retail company in southern Estonia. Attackers gained access to the backup server, preventing the company from restoring its data.

On 1 November, a dental clinic fell victim to a ransomware attack that resulted in its data being encrypted. Since there was no functional backup, the clinic was unable to recover its files.

Illustration: a person in black clothing and a white mask hangs from the side of a grey server cabinet; there is a hole in the cabinet next to their foot.

Why do such attacks happen?

An analysis of ransomware attacks that occurred in 2024 highlights vulnerabilities related to Remote Desktop Protocol (RDP) applications and network devices.

In nearly one-third of cases, attackers gained access to systems through Remote Desktop applications that were protected by weak passwords and lacked additional security measures such as VPNs, two-factor authentication, IP-based restrictions, logging and monitoring.

In light of these incidents, we recommend RDP users review the threat assessment available on RIA’s website, which outlines the risks associated with the Remote Desktop Protocol and how to mitigate them:

Most ransomware attacks are carried out via the Remote Desktop Protocol (RDP) (Estonian title: "Enamik lunavararünnakuid sooritatakse kaugtöölaua protokolli (RDP) kaudu") | 68.66 KB | pdf

Several organisations also became victims of ransomware attacks in 2024 due to outdated network devices, unpatched software or insecurely configured management interfaces.

In one case, a network device’s management interface was publicly accessible on the internet, and the default administrator password was still used, while the server’s software was not up to date.

In another instance, a router with a long-known vulnerability was in use, despite the device manufacturer having stopped releasing security updates back in 2022. In such cases, purchasing a new device is essential.

Delays in replacing outdated equipment can lead to extremely costly consequences.

Unidentified infection methods

In several instances, the exact method by which ransomware entered the system remained unknown.

This uncertainty often stems from a lack of logging.

While attackers sometimes delete logs to cover their tracks, in many cases, they do not need to, as the systems simply do not have logs.

Without knowledge of how attackers accessed the system, organisations face a significant risk of intruders exploiting the same entry point again.

What to do if you have fallen victim to a ransomware attack

  • Disconnect the infected device from the network (don’t forget to disable wireless connections).
  • Notify CERT-EE ([email protected]) for guidance on resolving the incident and advice on preventing similar attacks in the future.
  • If infected, restore the operating system from a backup or reinstall it to avoid reinfection. Before restoring from a backup, ensure that it is free of malware.
  • Carefully consider the risks before contacting the attackers. Paying the ransom offers no guarantee that your files will be decrypted or that stolen data will not be published. Instead, paying will signal to the attackers that their actions were successful, which may make you a target for future attacks.

How to prevent ransomware attacks

  • Keep software updated and only use software that receives regular security updates.
  • Restrict user permissions and limit the number of devices that can access organisational systems.
  • Use strong passwords and enable two-factor authentication.
  • Limit the number of failed login attempts allowed.
  • Configure and monitor system logs.
  • Regularly create backups and keep at least one backup offline.
  • Enable logging in web and email gateways, and block or quarantine any documents in the gateway that contain executable files, container formats or other file types that could potentially include active content.
  • Train employees on cybersecurity threats.
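As an added example (not part of the RIA report), this is the kind of monitoring the RDP findings above and the "limit failed login attempts" and "configure and monitor system logs" items call for: a small Python detector that reads constructed Windows Security events, flags a source that is guessing passwords against RDP, and escalates when a successful logon follows the burst. The JSON-lines layout, field names, usernames and IP addresses are assumptions made for the example.

```python
"""Flag RDP password guessing in exported Windows Security events.

Added example, not taken from the RIA report. Input is assumed to be one
JSON object per line with the fields used below (real exports are more
verbose). Event 4625 = failed logon, 4624 = success, LogonType 10 = RDP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: a guessing burst from 203.0.113.7 ending in a success, plus one internal typo.
SAMPLE_LOG = """\
{"ts": "2024-07-29T02:14:01", "id": 4625, "type": 10, "user": "admin", "src": "203.0.113.7"}
{"ts": "2024-07-29T02:14:03", "id": 4625, "type": 10, "user": "administrator", "src": "203.0.113.7"}
{"ts": "2024-07-29T02:14:05", "id": 4625, "type": 10, "user": "scanner", "src": "203.0.113.7"}
{"ts": "2024-07-29T02:14:07", "id": 4625, "type": 10, "user": "it", "src": "203.0.113.7"}
{"ts": "2024-07-29T02:14:09", "id": 4625, "type": 10, "user": "backup", "src": "203.0.113.7"}
{"ts": "2024-07-29T02:14:40", "id": 4624, "type": 10, "user": "backup", "src": "203.0.113.7"}
{"ts": "2024-07-29T08:01:12", "id": 4625, "type": 10, "user": "mari", "src": "10.0.0.15"}
{"ts": "2024-07-29T08:01:30", "id": 4624, "type": 10, "user": "mari", "src": "10.0.0.15"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: alert}. A source is flagged after `threshold` failed RDP
    logons inside a sliding `window`; a later successful RDP logon from a
    flagged source escalates the alert, since a guessed password is then likely."""
    recent = defaultdict(list)      # src -> [(timestamp, username), ...]
    alerts = {}
    for e in events:
        if e["type"] != 10:         # only RDP (RemoteInteractive) logons
            continue
        src = e["src"]
        if e["id"] == 4625:
            # keep only failures inside the window ending at this event
            recent[src] = [(t, u) for t, u in recent[src] if e["ts"] - t <= window]
            recent[src].append((e["ts"], e["user"]))
            if len(recent[src]) >= threshold and src not in alerts:
                alerts[src] = {"level": "suspicious", "failures": len(recent[src]),
                               "users_tried": sorted({u for _, u in recent[src]})}
        elif e["id"] == 4624 and src in alerts:
            alerts[src]["level"] = "likely compromise"
            alerts[src]["logged_in_as"] = e["user"]
    return alerts
```

With the constructed sample, the external address is escalated to "likely compromise" after five failures and one success, while the single internal mistype produces no alert.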

Last updated: 17.02.2025
