Tag Archives: ransomware

Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still, this does point out the risk of granting someone else a proxy to your data – in this case, 21 million users were compromised because of a breach at a third party.  The data here was not particularly sensitive (unless your Facebook posts are), but that is luck, not design.

One bit of bad news in all of this (beyond all the bad news above for the people whose data was stolen): this attack began in December 2017.  The attacker logged in again in March and April 2018, next on June 22, and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB Restricted Mode to the current release of iOS.  Restricted Mode locks down the Lightning port of an iPhone or iPad after the device has been locked for an hour, so that the port can be used only for charging, not for data access.  It defaults to enabled, although you can manually turn the feature off.  This is designed to make it harder to extract data from a locked iPhone or iPad with forensic tools.

This will make it harder for law enforcement to get into phones, but some researchers say they have already figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO, put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying so, is likely the result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from backups.  Other hospitals that chose not to pay the ransom took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling maintenance manuals for the MQ-9 Reaper, a roughly $17 million military drone, for less than $200 on the dark web.  He got them by getting into an Air Force airman’s home Internet router, which had not been patched for a known vulnerability.  It is likely that the airman was not involved, but it is not clear whether he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.


Ransomware, The Gift That Keeps On Giving

Just a few years ago most people had not even heard of ransomware.  Today, if you have not been hit by a ransomware attack, you certainly have heard about attack after attack.  Ranging from massive attacks that affected companies like FedEx and Merck pharmaceuticals, to hospitals, to little mom and pop stores, ransomware is the scourge of our technical world.

There really is one major reason for ransomware attacks: money.  If you pay the ransom, even one you perceive to be small, it funds the attacker and encourages more attacks.

Although no one really knows the statistics, people do make educated guesses.  According to security firm Kaspersky, in Q1 2016 an individual was attacked every 20 seconds and a business every 2 minutes (I assume that most of these attacks were NOT successful).  By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.

In Q1 2017, 60% of all malware payloads were ransomware, according to Malwarebytes.

And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in.  That includes a billion dollars for WannaCry alone.

People are paying millions in ransom as well.

See this article for more stats.

So why are we seeing the increase in ransomware?

#1 – as credit card companies improve their security, it is becoming harder to cash in on stolen credit cards.  Hackers are turning to other ways to make money.

#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their games when it comes to cybersecurity.

#3 – The emergence of Bitcoin and other crypto-currencies has made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.

So here are some thoughts about dealing with ransomware.

In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly.  In these cases several thousand devices were compromised in an hour.  That doesn’t give you much time to detect the attack, never mind respond to it.

In the first organization, they did not have robust detection software and so the attack ended when all of the vulnerable machines were compromised.  The other organization did detect it and were able to take some machines offline and save them, but still many machines were compromised.
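The difference between those two organizations was whether anyone noticed the encryption while it was still in progress.  Here is an added example, not code from the original post or from either organization, of the kind of detection logic that catches a burst like this: it reads a file-server audit log and alerts when one user session renames many files to an extension nobody has seen before within a short window, or touches a decoy folder that no legitimate process should ever write to.  The log format, the threshold, the allow-list of extensions, the `/shares/_canary/` decoy path and the sample lines are all constructed for the example.

```python
"""Toy detector for ransomware-style mass renames in a file-server audit log.

Added example: constructed audit lines and thresholds, not from any real incident.
Format of each line (assumed): <ISO time> <host> <user> <action> <path> [<new_path>]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)     # sliding window per (host, user)
RENAME_THRESHOLD = 5               # suspicious renames in WINDOW before alerting
# Extensions normally seen on this share (assumed allow-list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "bak"}
# Hypothetical decoy folder: no legitimate process ever writes or renames here.
CANARY_PREFIX = "/shares/_canary/"

# Constructed sample log: alice works normally, carol makes a harmless .bak copy,
# bob's session renames files to a never-before-seen extension within seconds.
SAMPLE_LOG = """\
2018-03-05T02:00:01 FS01 alice WRITE /shares/finance/q1.xlsx
2018-03-05T02:00:02 FS01 carol RENAME /shares/eng/spec.docx /shares/eng/spec.docx.bak
2018-03-05T02:00:04 FS01 bob RENAME /shares/hr/onboarding.docx /shares/hr/onboarding.docx.locked
2018-03-05T02:00:05 FS01 bob RENAME /shares/hr/payroll.xlsx /shares/hr/payroll.xlsx.locked
2018-03-05T02:00:07 FS01 bob RENAME /shares/hr/policy.pdf /shares/hr/policy.pdf.locked
2018-03-05T02:00:09 FS01 alice WRITE /shares/finance/q1.xlsx
2018-03-05T02:00:10 FS01 bob RENAME /shares/hr/org.pptx /shares/hr/org.pptx.locked
2018-03-05T02:00:11 FS01 bob RENAME /shares/_canary/do_not_touch.docx /shares/_canary/do_not_touch.docx.locked
2018-03-05T02:00:12 FS01 bob RENAME /shares/hr/benefits.csv /shares/hr/benefits.csv.locked
2018-03-05T02:00:30 FS01 carol RENAME /shares/eng/spec.docx.bak /shares/eng/spec_old.docx
"""


def parse_line(line):
    """Split one audit line into (time, host, user, action, path, new_path_or_None)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    host, user, action, path = parts[1:5]
    new_path = parts[5] if len(parts) > 5 else None
    return ts, host, user, action, path, new_path


def extension(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious_rename(action, path, new_path):
    """A rename whose new extension is both unknown and different from the old one."""
    if action != "RENAME" or new_path is None:
        return False
    new_ext = extension(new_path)
    return new_ext not in KNOWN_EXTENSIONS and new_ext != extension(path)


def detect(log_text):
    """Return alerts as (time, host, user, kind, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)        # (host, user) -> times of suspicious renames
    already_alerted = set()
    for line in log_text.strip().splitlines():
        ts, host, user, action, path, new_path = parse_line(line)
        key = (host, user)
        # Any touch of the decoy folder is an alert on its own.
        if path.startswith(CANARY_PREFIX) or (new_path or "").startswith(CANARY_PREFIX):
            alerts.append((ts, host, user, "canary-touched", path))
        if is_suspicious_rename(action, path, new_path):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:    # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append((ts, host, user, "mass-rename",
                               f"{len(q)} renames to unknown extensions in {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for ts, host, user, kind, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host} {user} {kind}: {detail}")
```

On the sample log, bob trips both alerts within seven seconds of his first rename; carol's `.bak` copy and alice's normal saves produce nothing.  The rename counter on its own will fire on an administrator doing a bulk rename, so in practice the decoy folder is the higher-fidelity signal, and the alert is only useful if it drives an automated response (disable the account, cut the host off the network) rather than waiting for a human to read it.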

Here in Colorado, the Colorado Department of Transportation was hit by a ransomware attack twice in a period of a week or two.  Weeks later, many of their computers are still only useful as doorstops.

Let’s assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than the decades-old antivirus software you are using).  Then there are two options.

First, you don’t pay the ransom.  Assuming you have good backups and depending on the size of the organization, it could take weeks to months to recover all of your systems.

If you do pay the ransom, you have only roughly 50/50 odds of getting a key that will successfully decrypt your devices.

But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread?  PROBABLY NOT!

Training your users is one of the best techniques for preventing successful ransomware attacks: clicking on links and opening attachments are likely the two most common ways to get infected.  (Exposed remote-access services such as RDP are another common way in, so closing those off belongs on the same list.)

There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.

The next thing that you have to have is a very robust incident response program.

When I speak at seminars I talk about the Sony attack disaster.  A few months before that, there was a similar attack that you likely never heard of – because they have a great incident response program and empowered individuals to take actions.  The organization was the Sands Hotel and casino and IT security made the decision to start literally unplugging computers from the network.  They had people running through the casinos pulling cables.  The result was a greatly diminished attack.

On the other hand, a local municipality in the Denver area was hit by a denial of service attack and, once they got approval to disconnect from the Internet, it took them hours to figure out exactly how to do that.  A lot of damage can be done in hours.  You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.

Two different organizations, two different outcomes.

Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack.  How devastating that attack is will be based on how prepared you are.

How prepared are you?

Information for this post came from SecurityInfoWatch.


Davidson County, NC Hit By Ransomware – Reverts to Paper

While yet another local government being shut down by a ransomware attack is old news these days, it still can point to a few valuable things.

This time it is Davidson County, NC, whose county seat is Lexington, southwest of Greensboro.

At 2:00 in the morning the county’s CIO was woken up – there was something strange going on with the 911 system.

What they figured out was that ransomware had compromised 70 servers and an unknown number of desktops and laptops.

Oh, yeah, and the phones weren’t working, which is sort of a problem for the 911 dispatchers.

The county manager said it could take weeks or months to fully resolve.  He also said that this kind of attack is common in Europe.  It is, but it is equally common in the U.S.  Just recently, nearby Mecklenburg County had the same problem.

One bit of good news is that they have cyber insurance.  That likely will help them pay for some of the costs.  At the time of the first article, they had not decided if they were going to pay the ransom.

By Monday the county said that 911 was working as was the tax collector.  You can see why both of these are important to the county.

They continue to work on the restoration, but did not give a time when things would be back to normal – just soon.

So what are the takeaways here?

  • Have a disaster recovery plan – it sounds like they did have one of these.
  • Have a business continuity plan – how do we keep the doors open or keep answering the phone?  And, if you are a web-based business and your web site is down, now what?
  • Having cyber insurance will help pay for all this.
  • Make sure you have backups.  Make sure it covers ALL of your data and systems.
  • Figure out how long it will take to restore those backups.  For nearby Mecklenburg, it was a couple of months.  Is that OK?  If not, what is plan B?
  • How are you going to communicate about it?
  • MUTUAL AID – this one is easier for non-profits and the public sector, but it is still worth considering.  Davidson County received offers of assistance from the nearby City of Lexington and from Rowan County, as well as from the North Carolina Association of County Commissioners.  And they are talking with Mecklenburg County, which went through the same ordeal recently.  When I was in college in upstate New York (this was in the dark ages before the Internet), the volunteer fire departments up and down the Finger Lakes would invoke mutual aid using fog horns that carried across the lakes for miles.  A particular burst meant that this fire department or that one needed help.  It was a life saver, literally.  For a business, the aid might come from a customer, a business partner or an investor.  You may not need the aid, but having it available could make a huge difference.

Ultimately, having a plan and testing that plan is hugely important.  Don’t hope it won’t happen to you.  That might be the case, but then again, it might not be the case.  Will you be ready if it happens to you?

Information for this post came from the Dispatch and Greensboro.com


Ransomware. Backups. MTTR. Disaster Recovery. Business Continuity.

Ransomware and hospitals.  Not a great combination.

The Register is reporting that Hancock Hospital paid ransom attackers $60,000 to get control of their system back.

[Photo: Hancock Health, 801 N. State St. in Greenfield. (Tom Russo | Daily Reporter)]

Hancock Health in Indiana was hit with a ransomware attack last week.  As soon as the hospital detected “something wrong”, they decided to shut down all hospital systems, all wellness center systems, all physician office systems and, in fact, the entire Hancock Health network.

The attack put the hospital and its affiliates back into the medical stone age.  No electronic medical records.  No email.  All paper.

Like many other attacks, this one apparently started with a publicly exposed Remote Desktop Protocol (RDP) port, and the rest, as they say, was history.  Internet-facing RDP is one of the most common ransomware entry points; it does not belong on the Internet at all, and remote access should go through a VPN or gateway with multi-factor authentication.

When the hospital figured out that it was being attacked they contacted the FBI and an outside IT specialist.  However, the Lone Ranger used all of the silver bullets up – there are  none left.

This is where the title of this blog post comes in.

If you get hit with a ransomware attack, the experts say that you are okay if you have good backups.  Well, maybe.

But there is more to it.

Business continuity – can you continue to operate while you sort things out?  In this case, the hospital reverted to paper.  But paper is slow and cumbersome and introduces errors.

Disaster recovery – do you have a plan for how you are going to recover from the disaster?

MTTR – MTTR stands for Mean Time To Repair.  That goes along with RTO, or Recovery Time Objective (how long an outage you can tolerate), and RPO, or Recovery Point Objective (how far back your last good copy is allowed to be).  All of these boil down to HOW LONG WILL IT TAKE TO GET BACK IN OPERATION?  And, HOW MUCH DATA ARE YOU WILLING TO LOSE?
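Those two questions can be answered with arithmetic before an incident, not after.  Here is an added example, not from the original post or from Hancock Health, that takes a small constructed backup inventory and computes, for each system, the RPO actually achieved (time since the last good backup) and an estimated RTO (when its restore would finish if restores run tier by tier over a fixed number of streams), then flags every system that misses its objective.  The systems, sizes, backup times, the 400 GB/hour restore rate, the 45-minute rebuild overhead and the two parallel streams are all assumptions for the example.

```python
"""Back-of-envelope RPO / RTO check for a backup inventory.

Added example with constructed systems and assumed restore figures; not from
Hancock Health or any other organization on this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RESTORE_GB_PER_HOUR = 400.0                   # assumed throughput of one restore stream
PER_SYSTEM_OVERHEAD = timedelta(minutes=45)   # assumed rebuild + validation time per system
PARALLEL_STREAMS = 2                          # assumed number of restores run at once


@dataclass
class System:
    name: str
    tier: int                   # 1 = restore first
    size_gb: float
    last_good_backup: datetime
    rpo: timedelta              # Recovery Point Objective: acceptable data loss
    rto: timedelta              # Recovery Time Objective: acceptable outage


INCIDENT = datetime(2018, 1, 12, 2, 0)        # constructed: ransomware detected at 02:00

INVENTORY = [
    System("EHR_DB", 1, 1600, datetime(2018, 1, 11, 23, 0), timedelta(hours=4), timedelta(hours=4)),
    System("AD", 1, 80, datetime(2018, 1, 12, 0, 0), timedelta(hours=24), timedelta(hours=4)),
    System("EMAIL", 2, 2400, datetime(2018, 1, 11, 20, 0), timedelta(hours=24), timedelta(hours=24)),
    # Weekly full only: the last good copy is more than a day old.
    System("FILESHARE", 2, 6000, datetime(2018, 1, 10, 22, 0), timedelta(hours=24), timedelta(hours=48)),
    System("INTRANET", 3, 200, datetime(2018, 1, 11, 23, 0), timedelta(hours=24), timedelta(hours=72)),
]


def restore_time(system):
    """Wall-clock time to restore one system on a single stream."""
    return timedelta(hours=system.size_gb / RESTORE_GB_PER_HOUR) + PER_SYSTEM_OVERHEAD


def required_throughput_gb_per_hour(system):
    """Throughput needed to meet this system's RTO if its restore starts immediately."""
    copy_budget = system.rto - PER_SYSTEM_OVERHEAD
    return system.size_gb / (copy_budget.total_seconds() / 3600)


def plan(systems, incident_time):
    """Greedy schedule: lower tier first, biggest first within a tier, onto the earliest free stream."""
    stream_free_at = [timedelta(0)] * PARALLEL_STREAMS
    report = []
    for s in sorted(systems, key=lambda s: (s.tier, -s.size_gb)):
        i = min(range(PARALLEL_STREAMS), key=lambda k: stream_free_at[k])
        finish = stream_free_at[i] + restore_time(s)
        stream_free_at[i] = finish
        achieved_rpo = incident_time - s.last_good_backup
        report.append({
            "name": s.name, "tier": s.tier,
            "achieved_rpo": achieved_rpo, "rpo_met": achieved_rpo <= s.rpo,
            "estimated_rto": finish, "rto_met": finish <= s.rto,
        })
    return report


def summarize(report):
    """Return (time until the last system is back, names that miss RPO or RTO)."""
    full_recovery = max(r["estimated_rto"] for r in report)
    missed = [r["name"] for r in report if not (r["rpo_met"] and r["rto_met"])]
    return full_recovery, missed


if __name__ == "__main__":
    rep = plan(INVENTORY, INCIDENT)
    for r in rep:
        print(f"{r['name']:10} tier {r['tier']}  RPO {r['achieved_rpo']} ({'ok' if r['rpo_met'] else 'MISSED'})"
              f"  RTO {r['estimated_rto']} ({'ok' if r['rto_met'] else 'MISSED'})")
    total, missed = summarize(rep)
    print(f"full recovery in {total}; objectives missed: {missed}")
```

With these numbers the whole inventory is back in 16 hours 42 minutes, but two objectives are missed: the file share's only good copy is 28 hours old (weekly fulls cannot deliver a 24-hour RPO), and the EHR database needs about 492 GB/hour to finish inside its 4-hour RTO when the restore path delivers 400.  Those are exactly the gaps to find in a tabletop exercise rather than at 2 a.m. with the ransom note on the screen; the remedy is more frequent backups, a faster restore path, less data on the critical system, or an honest revision of the objective.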

That is what tripped up Hancock.  They decided to pay the $60k and get working again.

Mecklenburg County, NC, the county Charlotte is in, decided not to pay the ransom and is still recovering, months later.

In late 2016,  Madison County, Indiana, decided to pay their ransom to get access to their data – it cost them $200,000.

According to the FBI, there are thousands of these attacks every day.  According to some reports, ransomware is a $9 billion industry.

So as you think about how to deal with a possible ransomware attack; think about this:

  • Backups
  • Mean Time To Repair
  • Business Continuity
  • Disaster Recovery

Put those all together and you will be in pretty good shape.

 

Information for this post came from The Register and The Greenfield Reporter.


A New Form of Ransomware

The British shipping services firm Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe, they had backups that they could restore – and thumb their nose at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, for it to work at all, the hacker had to steal the data.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don’t even play a lawyer on the Internet, but I think you are going to be hard pressed to convince regulators that your data was not compromised.

This concept is not far fetched;  in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is what are the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge release), and Clarksons has been very tight lipped about what was taken and how much was taken.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is to keep the bad guys out in the first place.

One other thought.  Data that doesn’t exist can’t be hacked so it is useful to consider the trade-off between keeping data that might, some day, be useful to someone, maybe and data that can be hacked.  This is not always an easy decision, but one that needs to be made.

A corollary to this is that we may need this data for legal or archival reasons, but does it need to be available, online, to all employees.  An example of this might be a mortgage company.  They may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on a disk?  In a bank vault?  It could be difficult to hack.  Just saying.

Information for this post came from The Register.


Montgomery County Hit With Ransomware – Pays $40-$50,000 To Get Files Back

Montgomery County, Alabama joined the ranks of probably millions of others and paid a ransom to get their data back after hackers threatened to erase their data if the ransom was not paid within 7 days.

While details are sketchy, reports are that the attack began Monday around 5 PM (at the end of the day) and probably spent all night encrypting data.  By Tuesday morning, systems such as vehicle tags, car registrations and marriage and business licenses were down.  Reports said that 70 terabytes of data were encrypted without anyone noticing.

The Chairman of the County Commissioners, interviewed in the Montgomery Advertiser article linked below, said it was an “unfortunate situation” and “you don’t think about these situations until they happen”, but now he says it is “kind of an emergency situation”.

While we can laugh at his response because it wasn’t our systems that are down, the reality is that all of his comments are pretty accurate.  Most businesses don’t have a disaster recovery program, an incident response program, tested backups or trained emergency resources already identified and contracted for.  In fairness, some businesses are prepared, but they are the minority.

The County CIO, Lou Ialacci said that they tried to restore from backups but were unable to for some reason not related to the attack.  Perhaps, the backups weren’t working or didn’t exist.

The Chairman of the County Commissioners NOW says that they are going to do whatever it takes to prevent this from recurring.

That comment is also not unusual – after the horse is out of the barn, down the road and the barn is on fire, it gets pretty real for people.

The county also said not to worry – no data has been compromised.  Are they sure?  It wouldn’t be very hard to encrypt the data and also copy it to the cloud somewhere.  Since the hacker has the key, he or she can then decrypt it at their leisure.  I don’t know in this case, but it definitely happens sometimes.

In Montgomery County’s case, they had to pay the hackers 9 Bitcoin or about $40,000 to $50,000 in taxpayer dollars based on the then current Bitcoin price.

My guess is that Montgomery County was not specifically targeted by Vladimir Putin, so I think we can safely say this was an attack of opportunity.

The county is being pretty quiet as to what happened, but likely someone clicked on a link or opened an attachment and it was all over at that point.

The message here is that businesses especially, and individuals too, need to be prepared.  Anyone can get targeted.  The bad guys might send out 10 million emails and hope a few people click.  At $40-$50 thousand a pop, you don’t need very many people clicking to earn a very nice living.  Ten people click and you might make a cool half million – tax free, I might add.

Are you prepared?

Are you sure?

Have you tested it?

You don’t want to be the next Montgomery County.

Information for this post came from the Montgomery Advertiser and TechTalk.
