Tag Archives: ransomware

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year – both in terms of cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening to throw people in jail if they pay ransoms to terrorists. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Ransomware Operators Up The Ante

Israeli insurance company Shirbit was hit by a ransomware attack last week. The hackers demanded 50 Bitcoin within 24 hours. 50 Bitcoin is about a million dollars.

When they didn’t do that, the hackers started leaking the company’s data and doubled the ransomware demand to 100 Bitcoin or about two million dollars.

They said that if Shirbit still didn’t comply, they would raise the demand to 200 Bitcoin or about $3.8 million in the following 24 hours.

AND then they would start leaking more data every 24 hours as well as selling some of the data.

One thing of interest here is the timeline. Evey 24 hours the rules change. That means that you, as a business, need to be completely prepared because you do not have time to figure it out on the fly.

In the US, you also have to figure out whether paying the ransom is even legal and if not, what your alternatives are.

The insurance company says that they looked and the data that was stolen won’t hurt their customers. That may depend on your definition of hurt. I think that remains to be seen. You may remember that Travelex said their ransomware attack would not have a material effect on their business. Then declared bankruptcy a couple of months later.

Credit: The Jerusalem Post

How Long Does it Take to Recover from Ransomware?

First the wise guy answers: Too Long and It Depends.

Unfortunately, both are true.

For a lot of companies, 30 to 60 days seems to be the average.

Company size doesn’t seem to be a factor. We recently worked with a smallish company (less than 150 people) and it was 30 days before they were mostly back to semi-normal.

Travelex, the huge foreign currency exchange company was closed for 30 days and they wound up having to file for the equivalent of bankruptcy.

Today’s story is about the University of Vermont Medical Center.

The attack started during the week of October 25th. The system, which includes hospitals, home health and hospice care and which employs a thousand doctors plus 2,000 other medical staff, caused the system to have to cancel procedures such as chemotherapy.

The governor even brought in the National Guard’s cyber team to help recover (don’t you wish you could get that treatment if you had a cyber attack)?

A month later, they are still picking up the pieces.

Just last week they got their electronic medical record system back online and restored their online patient portal. At least medical staff doesn’t have to deal with paper charts any more. Of course, now they have to enter a month’s worth of backlogged patient chart data.

There are still other systems to be restored.

While the online patient portal is working again, new patients still cannot sign up. Also billing and payments are still a problem area, not great for cash flow during a pandemic.

Due to the outages, up to 300 employees have either been transferred or furloughed.

Now translate this to your company.

How long would it take you to recover from a complete cyber meltdown?

Do you have the funds to tide you over?

Do you have a plan to be able to continue to perform your key business functions during this time?

Can your IT team deal with the challenges?

If you don’t plan now, it will take longer to recover in the event that the worst does happen. Some companies have just shut down after a ransomware attack. They do not have the resources to recover.

Many companies hope that it won’t happen. Many companies have been wrong about that. Credit: Threatpost

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Is Paying to Delete Stolen Data Bonkers?

I sort of stole Brian Krebs’ blog post title and then changed it completely for the counterpoint.

Brian’s actual title (nothing against Brian; I have spoken with him multiple times; he is a good guy) is WHY Paying to Delete Stolen Data is Bonkers .

In concept, I don’t argue with it.

Brian’s claim is that crooks are not honorable, which is kind of a sad state of affairs. If you can’t trust your local extortionist, who can you trust?

First part of the conversation: Brian says that currently, about half of the ransomware attacks are also data extortion attacks meaning that in addition to making your data unavailable to you, the hacker also steals your data and threatens to do something bad if you don’t pay the ransom.

Brian quotes data from Coveware who says that often, even after the victim pays the ransom, at least some of the data published anyway.

They have also seen many cases where some of the data published before companies even have a chance to pay.

Finally Brian correctly points out that unlike getting a decryption key and decrypting the data, paying a ransom for a crook to destroy your data could lead to multiple extortion efforts over time since you have no way know if they really will destroy any or all copies of the data.

That is the end of Brian’s thoughts.

But he allows comments. The commenters are likely all techies and seem to have a “the world is black or white view”.

The writers suggest that paying ransom should be illegal and that insurance companies should not be allowed to pay a ransom (apparently these folks are not aware of the recent DoJ announcement).

One asked what if paying the ransom was the only way to restore your business and your livelihood? What if you are a doctor and your patient records are all encrypted. One person who clearly does not understand medicine said that you can always recreate the records by talking to the patient and/or redoing some tests. Really. Glad he is not MY doctor. Other writers said that if person goes out of business, tough. Not his problem. After all, good security is easy and cannot be compromised, right? Just ask any company that has been hacked whether protecting their data is easy.

All that being said, ransomware is a multi-billion dollar business.

Mostly, that is because businesses seem to figure that it is not going to happen to them. As a result businesses choose not to spend enough money on cybersecurity. IF something happens, which they figure it won’t, it is a legitimate business expense and they deduct it from their profits – for the part that is not covered by insurance. That doesn’t make it free, but it does make it less painful.

What might be interesting is to change the law to say you can do what you want, but proactive cybersecurity costs are deductible, while incident response costs are not deductible. If paying for a breach comes out of the shareholders/owners pockets directly, that might change some attitudes.

We have seen some fines, but even for the big breaches, the fines are small, so they are not much of a disincentive. An example is the recent Marriott breach. The “proposed” fine was 100 million British Pounds. The “negotiated” fine is 18 million Pounds.

That is about five cents for every record exposed.

What if the law says that the penalty is, say, $1 per record exposed and the regulator cannot negotiate that down like you do with a speeding ticket.

In that case, Marriott’s fine would have been about $400 million. Much more of an incentive than five cents per record.

I don’t have a great answer.

When all we were worried about was getting your systems back online, then good backups and a well thought through recovery plan solves the problem.

Now the problem is more complex.

This is a business risk problem and an especially big problem those in regulated industries. That means that risk owners (like the CEO, COO and CFO) need to be involved in the conversation.

The federal government is at the beginning of a five year project to require companies that do business with them (initially the DoD) to be certified periodically. If they do not get certified, they CANNOT be awarded new contracts. That is one case where security is binary.

There is no simple answer but business owners play a key role. They have to step up to the plate and understand that cybersecurity can mean the difference between staying in business or closing down. Then have conversations with their managers and with IT to figure out what each business should do.

Credit: Brian Krebs

Security News for the Week Ending October 30, 2020

Louisiana National Guard Called in to Help Local Election Officials

According to tips, the state of Louisiana had to call out the National Guard after some number of small government offices across the state were hit by ransomware. Experts say the tools have the hallmarks of the North Koreans, so all of the major attackers – Russia, China, Iran and now North Korea – are all trying to compromise our elections. This problem is not going away. Credit: Business Insider

Attacks on Cryptocurrency Continue

A hacker stole $24 million of cryptocurrency service Harvest Finance, a company that allows users to arbitrage cryptocurrencies. The company was hit by a $570 million “bank run” after the attack. They claim they know who the attacker is. One more time, software has bugs and can be exploited. Who would have thunk? Credit: Coindesk

Ransomware Disables GA. County Election Database

This is both good news and bad news. Hall County, GA was hit by a ransomware attack earlier this month. The attack, disabled the voter database, along with other systems like phones. The county claims that they will still be able to run the election because they can manually verify signatures from voter registration cards. They are also using a state database that was not affected. This points out that attacking some small county in a state is probably not the best way to change the outcome of an election. Credit: Gainesville Times

Trump Website Briefly Defaced

One of the campaign’s websites was briefly defaced Tuesday night and the site was replaced by a message similar in style to the messages put on a website that the government seizes. The message looked like this:

Image

Of course the site had not been seized and it was returned to its normal state after a little while. To be honest, I am surprised not more has occurred given the other events going on in the country. This seems pretty childish, but we don’t know if the warning on the site is true; stay tuned.

Regarding the hack, CISA Director Chris Krebs said on Twitter, “Like I said yesterday, website defacements are noise. Don’t fall for these attempts designed to distract, sensationalize, and confuse. Ultimately they’re trying to undermine your confidence in our voting process.” Credit: Variety

Wisconsin Repubs Say Hackers Duped Them Out of $2 Million+

The Wisconsin Republican Party says that hackers scammed them out of more than $2 million of donors’ money using very traditional business email compromise attacks creating fake invoices from real vendors and paid to the hackers’ bank accounts. The Wisconsin Dems say that they have been targeted by over 800 attacks, but so far, none (that they know of) have been successful. Credit: AP