Tag Archives: ransomware

Security News for the Week Ending September 18, 2020

Is TikTok Going to Sell to Oracle? Maybe

Well, sale is not really the right word. They call it a “trusted tech partner” arrangement. This does not solve the national security problem, so it is not clear what problem it does solve. Nonetheless, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If TikTok shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like it won’t get any. Credit: The Verge

Updated information says that a new corporate entity will be set up in the U.S. to give the President some cover that he is really improving security, and that Oracle will have some sort of minority stake in that entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down, angering millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban goes into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat or TikTok, but existing users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat; the same applies to TikTok, but not until November 12 (coincidentally, after the election). I assume that means users who want to keep using those apps will have to VPN into another country first. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) reports that the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; among other things it can capture two-factor codes sent via text message (one reason why I say that text-message two-factor is the least secure method). This means that banks and people who use banks (which is pretty much all of us) need to be on high alert when it comes to financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

Denial of service attacks are a blunt instrument: they aim to hurt a business by stopping its customers from reaching its (typically) web site. If you are an online business and customers and potential customers cannot get to your site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabits of garbage per second thrown at your site) is up 200% over last year. Very large attacks (100 gigabits per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse. Hackers compromised Duesseldorf University Hospital; the hospital effectively put itself on life support, taking systems offline, and ambulances were diverted to other hospitals. While police were in contact with the hackers and telling them that they had hit a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and hand over the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever-increasing ransomware attacks, larger ransom demands, and ransom and extortion wrapped up together, we are not alone. Not that being not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered it, the hackers apparently aren’t quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time, across two attacks, after hackers hit it with a volumetric attack (I think that is a fancy word for big). Basically, they crushed the exchange’s servers with a flood of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that it went down three times and then halted trading says that (a) the attackers made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for it, the Russian upped the offer to a million dollars, telling him that the company would pay millions to keep its data off the web. The employee instead went to the FBI, and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the country’s migration to 5G. While those trying to sell 5G gear pretend that the country is ready for 5G, the reality is that 5G that lives up to the hype is years away except in small pockets.

The strategy document calls for 5G policy and standards that emphasize security and resilience, expanding awareness of 5G supply chain risk (code for beware of Huawei and China), encouraging other companies to get into the 5G game, and identifying risk based on potential 5G uses.

All of this is good, but unless it is more than a press release, it will not make any difference. Credit: SC Magazine

Planning for a Ransomware Attack

You know that if publications like Forbes are running pieces on preparing for ransomware attacks that things must be getting bad.

The Forbes piece, written by former Deputy Undersecretary for Cybersecurity at DHS Mark Weatherford is good, but it leaves out a few things (I am guessing that Forbes gave Mark a word limit).

We continue to see multi million dollar ransoms being paid. Garmin is reputed to have paid $10 million and the University of California at San Francisco paid $1.1 million. Those are just a couple of very recent, very public ransoms paid.

We seem to hear of a new attack every day: Opus Capital Markets (a Freddie Mac vendor), Honda, Fresenius, 41 health care providers. This is just a sample.

So what do you do – how do you prepare?

These are Mark’s recommendations. I will add some of my own.

  1. Have a business continuity plan. When Travelex got hit by ransomware earlier this year they were effectively out of business for a month. They can afford that – can you?
  2. Focus on the data. Mark says systems can be replaced; the data, not so easily. How much data are you willing to lose? A week? A day? An hour? Many times the backups are accessible online. Convenient. And easy for the hackers to destroy or encrypt, since they are reachable with the same credentials the hackers already stole. If that happens, you have nothing. Keep at least one copy offline or immutable, and test restoring from it.
  3. Regularly educate your users. That means, for example, phishing your users regularly with fake phishes that are very convincing. Regular means weekly. Different phishes for different people. This includes the executive team.

Okay, so that was end of Mark’s list. Here are a few of mine to add to the mix.

4. Make sure that everything is patched: computers, servers, cloud, phones. That may not stop hackers, but there is no sense making it easy for them.

5. Have a TESTED incident response plan. When Equifax announced its breach, it first gave out the wrong web site, and the right web site, when it finally got that out, was not even owned by Equifax: it had been set up after the breach by someone at its marketing vendor, who owned it personally. That doesn’t inspire confidence in customers who may have just had the worst day of their business life.

6. Have cyber insurance. This is your last resort. These days it is still pretty affordable. Norsk Hydro got $3.6 million from its insurance and spent $60 million to recover. Make sure that the policy covers all of the situations that might occur (they often don’t) and that you have enough.
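Item 2 above is where most ransomware recoveries fail: the backup set was reachable from the network and got encrypted along with everything else, and nobody found out until the restore. The script below is an added example (mine, not from Mark’s piece or from any product) of the check a restore drill should run before trusting a backup: it records a SHA-256 per file in a manifest, signs the manifest with an HMAC key that is assumed to live somewhere the backup host cannot reach, and then flags files that are missing, changed, unexpected, or that carry a known ransomware extension or look like ciphertext (high byte entropy). The sample backup, the attacker’s extension list and the HMAC key are all constructed for the demo.

```python
"""Backup-set verification before a restore: hash manifest + HMAC + ransomware heuristics.

Added example, not code from the original page. Assumptions: the HMAC key is stored
off the backup host (otherwise whoever rewrites the files can re-sign the manifest),
and the extension list below is a short illustrative sample, not a complete one.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
# Illustrative extensions appended by ransomware families (assumption: partial list).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".crypted"}
# Shannon entropy in bits per byte: text, SQL dumps and YAML sit well under 7;
# ciphertext and random data sit close to 8. Only applied to changed/new files,
# so legitimately compressed archives that match the manifest are not flagged.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root: Path):
    """Yield (relative posix path, Path) for every file except the manifest itself."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield p.relative_to(root).as_posix(), p


def write_manifest(root: Path, key: bytes) -> Path:
    """Record a SHA-256 per file and sign the sorted list with HMAC-SHA256."""
    entries = {rel: sha256_of(p) for rel, p in _files_under(root)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    out = root / MANIFEST_NAME
    out.write_text(json.dumps({"entries": entries, "hmac": tag}))
    return out


def verify_backup(root: Path, key: bytes) -> dict:
    """Compare the backup tree with its manifest; 'clean' is True only if everything checks out."""
    report = {"manifest_ok": False, "missing": [], "modified": [],
              "unexpected": [], "suspicious": [], "clean": False}
    mpath = root / MANIFEST_NAME
    if not mpath.exists():
        return report  # no manifest: nothing to trust
    doc = json.loads(mpath.read_text())
    entries = doc.get("entries", {})
    body = json.dumps(entries, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report["manifest_ok"] = hmac.compare_digest(expected, doc.get("hmac", ""))

    present = dict(_files_under(root))
    for rel, digest in entries.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(present[rel]) != digest:
            report["modified"].append(rel)
    for rel, p in present.items():
        if rel not in entries:
            report["unexpected"].append(rel)
        changed = rel in report["modified"] or rel in report["unexpected"]
        if Path(rel).suffix in RANSOM_EXTENSIONS:
            report["suspicious"].append(rel)          # known ransomware extension, always flag
        elif changed and shannon_entropy(p.read_bytes()[:1_048_576]) > ENTROPY_THRESHOLD:
            report["suspicious"].append(rel)          # new or changed file that looks like ciphertext
    for k in ("missing", "modified", "unexpected", "suspicious"):
        report[k].sort()
    report["clean"] = report["manifest_ok"] and not any(
        report[k] for k in ("missing", "modified", "unexpected", "suspicious"))
    return report


def demo(tamper_manifest: bool = False) -> dict:
    """Constructed scenario: sign a 3-file backup, then simulate a ransomware pass over it."""
    key = b"demo-key-that-would-live-off-the-backup-host"  # assumption: illustrative key only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'alice');\n" * 200)
        (root / "config.yaml").write_text("retention_days: 30\nreplicas: 3\n")
        (root / "notes.txt").write_text("quarterly backup set\n")
        write_manifest(root, key)
        # Simulated attacker with write access to the online backup share:
        # random bytes stand in for ciphertext, file renamed, one file deleted, note dropped.
        victim = root / "db" / "customers.sql"
        victim.write_bytes(os.urandom(victim.stat().st_size))
        victim.rename(root / "db" / "customers.sql.locked")
        (root / "notes.txt").unlink()
        (root / "READ_ME_TO_RESTORE.txt").write_text("your files are encrypted\n")
        if tamper_manifest:
            # Attacker re-signs the manifest with a guessed key; without the real key the HMAC fails.
            write_manifest(root, b"attacker-guess")
        return verify_backup(root, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(tamper_manifest=True), indent=2))
```

Run it and the first report shows the deleted and encrypted files as missing, the ransom note and the `.locked` file as unexpected, and the `.locked` file as suspicious; the second shows that even a manifest rewritten to match the damaged tree fails the HMAC check because the key was never on the backup host. Wire something like this into the restore drill, not into the backup job: a check that only runs when the backup is written tells you nothing about what happened to the copy afterwards.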

Finally, plan, test and plan some more. A few months before the Sony attack that was blamed on North Korea, there was a very similar attack on the Sands Hotel and Casino empire. Didn’t hear about the Sands attack? That is because they were prepared.

Are you? The rate of attack and the price of ransom are both escalating. Don’t wait; prepare now.

Ransomware Gone Berserk

As if ransomware wasn’t bad enough in the past.

As if ransomware 2.0 didn’t make you lose sleep.

If you thought that the pandemic was slowing down cyberattacks.

Sorry to be the bearer of bad news.

We are seeing new ransomware strains pop up at an alarming rate. In just the past couple of months we have seen:

  1. Avaddon – an email-based attack that tries to lure you in with a subject line like “Your New Photo?” or “Do You Like My Photo?”. The attackers sent out over a million emails in one week trying to compromise people’s computers, and they run an affiliate program that pays a very generous 65% of any ransom generated.
  2. AgeLocker – uses the open-source age file-encryption tool (written by a Google engineer, but not a Google product). They are demanding 7 Bitcoin (about $65,000) to unlock your files.
  3. Conti – probably a successor to Ryuk. New and improved: it encrypts 32 files in parallel so it finishes before anyone has time to notice. It attempts to maximize damage.
  4. ThiefQuest – a piece of Mac wizardry. Not only does it encrypt your files, it also installs a keylogger, a reverse shell and other niceties. It asks $50 to decrypt, but there is no way to contact the attackers. There is now a free decryptor, but if the real goal was to install the keylogger and back door, maybe they figure you won’t notice those once you get your files back.
  5. WastedLocker – from the Evil Corp group; it has been targeting U.S. Fortune 500 companies and demanding multi-million dollar ransoms.
  6. Try2Cry – spreads via infected links and compromised USB flash drives. This one, too, seems to be decryptable.
  7. FileCry – another amateur attempt. They ask for 0.035 Bitcoin, about $400 at today’s value.
  8. Aris Locker – threatens that if you snitch on the hacker, they will delete your data permanently. They ask $75 if paid quickly, $500 otherwise.

While some of these strains are not a serious threat, others are, and these are just the strains that this article identified in the last couple of months.

Suffice it to say, ransomware is alive and well and not taking a break during these crazy times.

This means that you had better be ready to deal with the situation if one of your employees accidentally opens an infected email and compromises your network. Credit: Cyware

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache: you outsourced your DNS to Cloudflare and they had a hiccup. The good news is that, because they are Cloudflare, they were able to diagnose and mitigate the problem in 25 minutes. While no one wants to be down, could you fix an internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk Hydro dealt with their ransomware attack. A couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And they weren’t dealing with ransomware 2.0 (encrypt, plus steal the data and threaten to leak it), which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box, which installs malware onto the locked phone. Then hand it back to the suspect under the guise of, say, letting them call their lawyer. The suspect unlocks the phone and the malware records the passcode. The cops then take the phone back and can unlock it without the suspect. Apple will likely figure out how they are doing this, but for now it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for the businesses it regulates, 23 NYCRR Part 500 (usually just called DFS 500). It dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data they store. First American is the first company DFS has brought an enforcement action against for messing up. There were 885 million records exposed and the fine can be up to $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Ransomware Groups Turn into Cartels

As the Maze ransomware group continues to hit new targets like banks and defense contractors, among many others, those companies in many cases decide to restore their systems from backups and not pay the ransom.

So Maze added a nuance to its crime: steal (exfiltrate) the data before encrypting it. That way, if the company doesn’t pay, they start leaking the data, like water torture, drip by drip.

In some cases even that is not working, so, in an effort to make money, they are auctioning the stolen data to the highest bidder.

As if this wasn’t incentive enough for businesses to increase their cybersecurity measures, the Maze group has now become a cartel.

In the tradition of the drug cartels, they are affiliating with competitors and sharing infrastructure for a fee.

Last week the ransomware group LockBit joined the Maze cartel.

This week, it appears that Ragnar Locker joined the cartel.

This means that those groups can likely use Maze’s leak and auction site to auction off data they have stolen. What other technology and facilities they share is unknown.

And these ransoms are getting more expensive.

Florence, Alabama (population 40,000) agreed to pay a NEGOTIATED ransom of ONLY $291,000 to get control of its systems back.

When a big company like Honda “pauses” production and shuts down its offices due to a ransomware attack, as it did this week, it will definitely feel the pain but can afford the millions it costs to pay the ransom, if needed, and recover control of its systems.

But most companies are not Honda. Even if it costs them a few tens of thousands of dollars, and many times it costs more, that hurts. A lot. And if they have to pay the ransom to stop their stolen data from being published or sold, that hurts more.

Not to mention the potential lawsuits and disgruntled customers leaving while expressing their displeasure on social media. What does that cost?

So, bottom line, even though no one likes to spend money, this is a case of spend it now or spend more – probably a lot more – later.

Are you confident that your systems are safe? Why do you think that? I am sure that Florence and Honda thought they were safe. Credit: SC Magazine