InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
When IT and security professionals plan how to respond, they must not underestimate the degree to which many of the transformative changes to our working patterns enacted due to COVID-19 have already changed our risk of ransomware attacks.
After the first “shelter in place” orders were issued, many organizations swung into action to accommodate work-from-anywhere policies. The ability of these teams to accommodate their businesses and the flexibility in modifying working practices which, in some cases, had been set in stone for years, was remarkable.
Now, many organizations are assuming a more distributed and hybrid workforce as their new normal in order to provide resilience, agility and a far broader reach in the battle for talent. However, this change has led to an uptick in focused ransomware campaigns by targeting the “human attack surface” of such organizations in a more subtle, insidious manner.
It’s three weeks since the word HAFNIUM hit the news.
The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.
The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.
The Exchange bugs didn’t include a remote code execution (RCE) hole to give the crooks direct and immediate access to a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.
Greatly simplified, the attack goes like this:
Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
Trigger the booby-trapped web page hosting the webshell to run a PowerShell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.
A new report has emerged stating that average ransomware payments jumped by more than 171% in 2020, suggesting that cybercriminals have benefitted from an extremely lucrative period throughout the pandemic.
The numbers come from Palo Alto Networks, who noted a 171% increase in ransomware payments from organisations and individuals that had been hit by the malicious software.
In essence, malicious software like ransomware takes control of a user’s computer, and encrypts the data. This encryption leaves the data on that device locked up, and can only be made accessible again once a password – or decryption tool – is offered by the hacker in question.
Hackers are happy to make these tools available to their victims, so long as they pay a price.
According to the report in question, that price has been skyrocketing as cybercriminals look to exploit victims who often have sensitive private and corporate information stored on their devices.
That report was published recently after analysing more than 19,000 network sessions and data from more than 250 ransomware leak websites, along with information provided by 337 organisations that had been hit by a ransomware attack.
The Ransomware Threat Report 2021 states that the average ransom paid by victims to hackers increased from USD $115,123 to more than USD $312,000 in 2020.
Authors of the report say that they noted the largest ransomware payment paid to hackers had also doubled, from $5 million to more than $10 million.
Group-IB has published a report titled “Ransomware Uncovered 2020-2021” that analyzes the ransomware landscape in 2020 and the TTPs of major threat actors.
Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has presented its new report “Ransomware Uncovered 2020-2021”. The research dives deep into the global ransomware outbreak in 2020 and analyzes major players’ TTPs (tactics, techniques, and procedures).
By the end of 2020, the ransomware market, fuelled by the pandemic turbulence, had turned into the biggest cybercrime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, with many restless players having joined the Big Game Hunting last year.
In 2020, ransomware attacks on average caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold. Ransomware operations turned into robust competitive business structures going after large enterprises, with the Maze, Conti, and Egregor gangs having been at the forefront last year. North America, Europe, Latin America, and the Asia-Pacific were the most commonly attacked regions, in that order.
To keep cybersecurity professionals up to date with how ransomware gangs operate and help defense teams thwart their attacks, Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®. If you are a cybersecurity executive, make sure your technical team receives a copy of this report for comprehensive threat hunting and detection tips.
The growing threat of ransomware has put it in the spotlight of law enforcement. Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were impacted by the police efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020. Despite these events, the ransomware business continues prospering, with the Ransomware-as-a-Service model being one of the driving forces behind this phenomenal growth.
A new ransomware called Vovalex is being distributed through fake pirated software that impersonates popular Windows utilities, such as CCleaner.
When it comes down to it, all ransomware infections boil down to the same function – encrypt a device’s files and then drop a ransom note demanding payment in some form.
While Vovalex is no different, what stands out to Advanced Intel’s Vitali Kremez and MalwareHunterTeam, who found the ransomware, is that it may be the first ransomware written in D.
A joint operation of U.S. and EU law enforcement authorities allowed the seizure of the leak sites used by NetWalker ransomware operators.
Law enforcement authorities in the U.S. and Europe have seized the dark web sites used by NetWalker ransomware operators. The authorities also charged a Canadian national involved in the NetWalker ransomware operations.
“The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ.
“NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.”
The group has been active since 2019, and the NetWalker ransomware has been offered under the Ransomware-as-a-Service (RaaS) model.
Healthcare leaders will need to shift to a proactive security approach in 2021 if they hope to defend against the onslaught of ransomware and phishing threats.
The ransomware surge during the last few months has already continued into 2021. And though the malware will remain a key trend this year, healthcare industry stakeholders will need to adopt a proactive security approach and secure key entry points, including phishing threats and vulnerable endpoints.
Xtelligent Healthcare Media Editors recently compiled predictions for the healthcare sector in the year ahead on a Healthcare Strategies podcast episode. In the healthcare security space, leaders can expect continued email-based attacks and other schemes that prey on COVID-19 fears.
2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments, and everyone else, it’s going to get worse before it gets better.
At the end of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. “It is a life-or-death situation,” the technician said at the time.
The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.
Ransomware has been around for decades, and it’s a fairly straightforward attack: Hackers distribute malware that mass-encrypts data or otherwise blocks access to a target’s systems, and then demand payment to release the digital hostages. It’s a well-known threat, but one that’s difficult to eradicate—something as simple as clicking a link or downloading a malicious attachment could give attackers the foothold they need. And even without that type of human error, large corporations and other institutions like municipal governments still struggle to devote the resources and expertise necessary to lay down basic defenses. After watching these attacks in 2020, though, incident responders say that the problem has escalated and that the ransomware forecast for next year looks pretty dire.
Ransomware-as-a-service (RaaS) crews are actively looking for affiliates to split profits obtained in outsourced ransomware attacks targeting high profile public and private organizations. The more well-known ransomware gangs run private affiliate programs where affiliates can submit applications and resumes to apply for membership.
For affiliates that are accepted into the program, the ransomware developers receive a 20-30% cut, and an affiliate gets 70-80% of the ransom payments they generate.
Understanding malware as a service
https://www.youtube.com/watch?v=VoOJaKZvZ-o&ab_channel=BitdefenderOEM
MaaS Chaos. Is Malware-as-a-Service Growing?
In the legitimate business world, there’s something known as Software-as-a-Service, or SaaS. Here’s a definition: A software licensing-and-delivery model in which centrally located and controlled software is made available and licensed/rented on a subscription basis by users. SaaS clients are generally businesses.
Now, organized online crooks have moved into that space and business model too. It didn’t take long for that large-scale approach to not only hit the Internet, but to create a lucrative malware business for criminals who are selling viruses and more to anyone who wants it and is willing to pay for it. It’s “MBA-like” thinking for the purpose of making money by committing technologically based crimes.
One of the reasons that cybercrime has grown so rapidly is that the criminals at the top of the “food chain” have built scalable business models for their crimes. This allows experienced hacking groups to collaborate, and new criminals to leverage the resources of veteran hackers. “Crime-as-a-service” is nothing new, but the tools change rapidly as crimeware developers work to exploit the latest vulnerabilities and stay ahead of security. The Emotet banking trojan has emerged as a leader in providing malware delivery services to other hacking groups, and you will want to make sure you understand and defend against this threat.
The Springfield Public Schools district in Massachusetts has become the victim of a ransomware attack that has caused the closure of schools while they investigate the cyberattack.
No patients were affected, but the incident was another reminder of the risks in the increasingly common assaults on healthcare computer networks.
A Philadelphia company that sells software used in hundreds of clinical trials, including the crash effort to develop tests, treatments and a vaccine for the coronavirus, was hit by a ransomware attack that has slowed some of those trials over the past two weeks.
The attack on eResearch Technology, which has not previously been reported, began two weeks ago when employees discovered that they were locked out of their data by ransomware, an attack that holds victims’ data hostage until they pay to unlock it. ERT said clinical trial patients were never at risk, but customers said the attack forced trial researchers to track their patients with pen and paper.
Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook…
Earlier today, the normal content on tylertech.com was replaced with a notice saying the site was offline. In a statement provided to KrebsOnSecurity after the markets closed central time, Tyler Tech said early this morning the company became aware that an unauthorized intruder had gained access to its phone and information technology systems.
“Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem,” Tyler’s Chief Information Officer Matt Bieri said. “We have since engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We are implementing enhanced monitoring systems, and we have notified law enforcement.”
“At this time and based on the evidence available to us to-date, all indications are that the impact of this incident is limited to our internal network and phone systems,” their statement continues. “We currently have no reason to believe that any client data, client servers, or hosted systems were affected.”
The infoseccers strongly advised against paying the criminals:
Paying a ransom does not guarantee decryption of data. Open source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organisation will be retargeted increases with every successful ransom payment.
It is generally much easier and safer to restore data from a backup than attempting to decrypt ransomware affected data.
“Many of these [attacks] could have been avoided or substantially mitigated by good cyber security practices,” sighed the ACSC in the report (PDF, 18 pages), which covered the months July 2019-June 2020.
How to recover your system from a Ransomware attack
https://www.youtube.com/watch?v=kJuibb9QaWk&ab_channel=CSO
Why are small and medium-sized businesses a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion?
According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities, while the second greatest problem revolves around limited budgets. The third biggest challenge is that the firms may lack an understanding of how to protect against cyberattacks.
According to Datto’s report, ransomware is at the top of the list of the malware threats that SMBs face, with one in five reporting that they had fallen victim to a ransomware attack. The average ransom requested by threat actors is about US$5,900. However, that is not the final price tag; the cost of downtime is 23 times greater than the ransom requested in 2019, coming in at US$141,000 and representing an increase of over 200% from 2018 to 2019.
“Funding cybercriminals also funds larger cyberattacks, so it must be reiterated that paying won’t always make the issue go away,” says ESET cybersecurity specialist Jake Moore.
The key, then, is prevention, and it includes these basic measures:
All employees should undergo regular training so as to be up-to-date on cybersecurity best practices. This can go a long way in lowering the chances of them clicking on potentially hazardous links in their emails that could be laced with ransomware or plugging in unknown USB devices that could be loaded with malware.
You should always keep your operating systems and other software updated to the newest version available and, whenever a patch is released, apply it.
Always plan for the worst and hope for the best, so have a business continuity plan at the ready in case disaster strikes. It should include a data backup and maybe even a backup infrastructure you can use while you try to restore your locked systems.
Backups are essential for everyone, be it individuals or huge enterprises. Back up your business-critical data regularly and test those backups frequently to see if they are functioning correctly, so that they don’t leave you in a bind if you’re hit. At least the most valuable data should also be stored off-line.
Reduce the attack surface by disabling or uninstalling any unnecessary software or services. Notably, as remote access services are often the primary vector for many ransomware attacks, you would be well advised to disable internet-facing RDP entirely or at least limit the number of people allowed remote access to the firm’s servers over the internet.
Never underestimate the value of a reputable, multilayered security solution. Besides your employees, it is your first line of defense that you should have up and running to protect you against all manner of threats, not ‘just’ ransomware attacks. Also, make sure the product is patched and up-to-date.
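Two of the points on this page come down to the same defensive check: knowing whether a set of files still matches a known-good state. The HAFNIUM chain described earlier leaves behind a webshell, that is, a web file that was not in the post-deployment baseline of the server’s web root; and the advice above to test backups frequently means confirming that what you restore is byte-for-byte what you backed up. The following Python script is an added example written for this page (it is not code from any of the vendors or reports quoted here). It builds a SHA-256 manifest of a directory, compares a later manifest against it, and runs both scenarios on constructed temporary directories; the file names such as owa/logon.aspx and ledger.db are made up for the demonstration, not real Exchange or backup paths.

```python
"""File-integrity manifest with two defensive uses (added example).

1. Web-root baselining: a webshell dropped by an exploit chain shows up as a
   file that was not present in the post-deployment baseline.
2. Backup verification: a restore that does not match the manifest taken at
   backup time is corrupt or incomplete, which you want to learn during a
   routine test rather than during a ransomware incident.

All directories, file names and contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified relative to the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def save_manifest(manifest: dict, dest) -> None:
    # Keep the baseline somewhere the web server or backup host cannot rewrite
    # it; a hash stored where the attacker can edit it proves nothing.
    Path(dest).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Run both scenarios on constructed directories and return the two diffs."""
    with tempfile.TemporaryDirectory() as tmp:
        # Scenario 1: baseline a web root, then an unexpected .aspx file appears.
        webroot = Path(tmp, "webroot")
        (webroot / "owa").mkdir(parents=True)
        (webroot / "owa" / "logon.aspx").write_text("<%@ Page %> constructed legit page")
        baseline = build_manifest(webroot)
        (webroot / "owa" / "unexpected.aspx").write_text("<%@ Page %> constructed new file")
        web_diff = diff_manifest(baseline, build_manifest(webroot))

        # Scenario 2: manifest a backup set, then verify a restore that is damaged.
        backup = Path(tmp, "backup")
        backup.mkdir()
        (backup / "ledger.db").write_bytes(b"\x00" * 64)
        (backup / "notes.txt").write_text("quarterly close")
        manifest_file = Path(tmp, "backup.manifest.json")
        save_manifest(build_manifest(backup), manifest_file)

        restore = Path(tmp, "restore")
        restore.mkdir()
        (restore / "ledger.db").write_bytes(b"\x00" * 63 + b"\x01")  # one flipped byte
        # notes.txt deliberately not restored, to simulate an incomplete restore
        restore_diff = diff_manifest(load_manifest(manifest_file), build_manifest(restore))

    return {"web": web_diff, "restore": restore_diff}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would take the web-root baseline immediately after patching and deployment, store it off-host, and re-run the comparison on a schedule so that any added or changed script file is investigated; for backups, the manifest is written at backup time and checked against a test restore, which is the “test those backups frequently” step made concrete.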