Aug 25 2022

This company paid a ransom demand. Hackers leaked its data anyway

Category: Information Security, Ransomware | DISC @ 8:57 am

It’s always recommended that ransomware victims don’t give in to ransom demands – and this real-life case demonstrates why.


A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn’t hold up their end of the deal. 

The real-life incident, as detailed by cybersecurity researchers at Barracuda Networks, took place in August 2021, when hackers from the BlackMatter ransomware group used a phishing email to compromise the account of a single user at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. 

Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.  

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin. 

Cybersecurity agencies warn that, even when its network has been encrypted, a victim should not pay for a decryption key, because paying only demonstrates to the attackers that such attacks work.

Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down to half the original demand. But even though the company gave in to the extortion, the BlackMatter group still leaked the data a few weeks later, a lesson in why the promises of cyber criminals should never be trusted.

Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.

Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that the lack of MFA was what allowed the attackers to gain, and keep, access to accounts in the first place.

A few months after the incident, BlackMatter announced it was shutting down, with the recommendation that those using the ransomware-as-a-service scheme should switch to LockBit. 

According to Barracuda’s report, ransomware attacks are on the rise, with the number of attacks targeting key sectors, including healthcare, education and local government, more than doubling.

Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism. 

“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said. 

In addition to applying MFA, organisations can take other actions to help secure their networks against ransomware and other cyberattacks, including segmenting the network, disabling Office macros so that phishing attachments cannot use them to run code, and ensuring backups are stored offline where an intruder with network access cannot reach them.

It’s also recommended that organisations apply security updates as quickly as possible to stop attackers targeting known vulnerabilities to gain access to accounts and networks. 
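The macro recommendation above is one of the few that can be checked directly on a workstation. The PowerShell script below is an added example, not code from the article or from Barracuda, that audits the per-user Office macro settings for Word, Excel and PowerPoint and, with -Fix, writes the locked-down values. It assumes a current Office build that keeps its settings under the "16.0" registry branch (Office 2016/2019/365), and the script name is hypothetical.

```powershell
<#
  Audit-OfficeMacroPolicy.ps1 (hypothetical name; added example, not from the article)
  Reads the Office macro settings for the current user and reports whether
  macros are blocked. Run as the user being audited; -Fix writes hardened
  values into the Group Policy branch of HKCU.
#>
param(
    [switch]$Fix,
    # Assumption: Office 2016/2019/365, which uses the "16.0" version key.
    [string]$OfficeVersion = '16.0'
)

[string[]]$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as interpreted by Office:
#   1 = enable all macros (dangerous)
#   2 = disable with notification (Office default; the user can click "Enable Content")
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
$VbaDisableAll = 4

function Get-MacroPolicy {
    param([string]$App)
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    # A policy value overrides the user's own setting, so the Policies key is read first
    # and the user key only fills in values the policy does not set.
    $vba = $null
    $block = $null
    foreach ($path in $policyPath, $userPath) {
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            if ($null -eq $vba   -and $null -ne $props.VBAWarnings) { $vba = $props.VBAWarnings }
            if ($null -eq $block -and $null -ne $props.blockcontentexecutionfrominternet) {
                $block = $props.blockcontentexecutionfrominternet
            }
        }
    }

    $vbaText   = if ($null -eq $vba)   { 'not set (Office default 2: user can enable)' } else { $vba }
    $blockText = if ($null -eq $block) { 'not set' } else { $block }

    [pscustomobject]@{
        App                 = $App
        VBAWarnings         = $vbaText
        BlockInternetMacros = $blockText
        # Only value 4 stops a user from enabling a macro from a phishing attachment.
        MacrosBlocked       = ($vba -eq $VbaDisableAll)
        # Value 1 blocks macros in files carrying the Mark-of-the-Web (downloaded or mailed).
        InternetBlocked     = ($block -eq 1)
    }
}

function Set-MacroPolicy {
    param([string]$App)
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name VBAWarnings -PropertyType DWord `
        -Value $VbaDisableAll -Force | Out-Null
    New-ItemProperty -Path $policyPath -Name blockcontentexecutionfrominternet -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

$results = foreach ($app in $apps) {
    if ($Fix) { Set-MacroPolicy -App $app }
    Get-MacroPolicy -App $app
}

$results | Format-Table -AutoSize
```

Run without arguments to see the current state; any row with MacrosBlocked False means a user who opens a phishing attachment can still enable the macro with one click. Writing to the HKCU Policies branch is only a local stopgap: on a domain-joined machine a Group Policy refresh will overwrite it, so the same two values should be deployed through a GPO (or Intune) rather than by running the script on each host.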

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

The Ransomware Threat Landscape

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook, Ransomware Threat


Sep 01 2021

Feds Warn of Ransomware Attacks Ahead of Labor Day

Category: Information Security, Ransomware | DISC @ 11:12 am


Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t, which means organizations should remain particularly vigilant about the potential for ransomware attacks, the federal government has warned.

Citing historical precedent, the FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends, when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.

While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.

Indeed, attackers have recently taken advantage of the fact that many organizations extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.

“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.

Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.

That’s mainly because the absence of key personnel makes it less likely that targeted organizations can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.

History of Holiday Attacks

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: Labor Day, ransomware attacks, Ransomware Threat