BHI Energy has disclosed that its servers were hit by ransomware in June of this year in an attack it attributes to the Akira group. The intrusion was not detected until July. The attackers entered the company's network over a VPN connection, and the breach exposed sensitive information belonging to 896 Iowa residents.

The compromised data included Social Security numbers, health records, full names and dates of birth. BHI, a subsidiary of Westinghouse, said that no financial data was taken. In response, the energy services provider is offering affected individuals 24 months of Experian credit monitoring free of charge.

In a separate incident, Chilean telecommunications company Grupo GTD disclosed a cyber attack on its Infrastructure-as-a-Service (IaaS) platform that disrupted its services for an extended period. The company, which provides managed IT, data-center and telecommunications services, confirmed that the attack used Rorschach ransomware, which locked it out of data and applications critical to its operations.

Chile's Computer Security Incident Response Team (CSIRT) has opened an investigation together with other law-enforcement agencies, and forensic specialists have been brought in to assist. Earlier research by Check Point established Rorschach as one of the fastest-encrypting ransomware families yet analysed: in its testing, the malware encrypted 220,000 files in roughly four and a half minutes, helped by intermittent (partial-file) encryption.

Turning to the wider landscape, a Malwarebytes report finds that the United States is the primary target of file-encrypting malware: of roughly 1,900 attacks reported worldwide, 43% hit U.S. organisations. The report attributes the concentration to the strength of the U.S. economy and the dollar value that cryptocurrency ransoms fetch from American victims. Many of the attacks were the work of well-known groups such as Clop, REvil, DarkSide and Conti, whose playbook centres on stealing valuable data (emails, documents, photos and videos) to use as extortion leverage.

Finally, Akumin, a Florida-based radiology and imaging services provider, has filed for Chapter 11 bankruptcy protection under a debt load of roughly $470 million. The full picture is not yet clear; the company recently acquired another healthcare business and has cited the cost of servicing that debt at higher interest rates as a contributing factor.

Taken together, these incidents show how varied the fallout from ransomware can be. Most victims face disruption of some duration; Akumin's case stands out because the outcome was a bankruptcy filing, driven by financial strain.

The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.

A report by Comparitech puts the cost of ransomware to the U.S. healthcare sector at $78 billion over the period from 2016 to 2023. Most of that figure is attributed to the downtime healthcare organisations suffered after attacks.

Comparitech counted 539 publicly reported ransomware incidents in that period, affecting 9,860 hospitals and clinics and compromising records belonging to more than 52 million patients. The figures are based on data disclosed to law enforcement and forensic firms, which underscores the severity of the problem: incidents that were never reported are not counted.

Downtime ranged from a few days to several months. The average outage was about 14 days in 2016, rising to 16 days in 2022 and 19 days in 2023. Summed across all affected organisations, the estimated downtime comes to 6,350 days, or more than 17 years.

Ransomware tactics have also shifted in 2023, with double and triple extortion now routine, and attackers show little leniency toward victims who refuse to pay. Denmark-based hosting provider CloudNordic lost nearly all of its customers' data after declining to pay a demand of 6 Bitcoin (BTC); the attackers had encrypted its servers and its backups alike, leaving nothing to restore from.

Since August 2023 the criminals have gone a step further, using social engineering to persuade employees of targeted companies to hand over their login credentials, which gives the attackers a foothold from which to reach the rest of the network. The healthcare sector in particular needs stronger controls and greater vigilance against this growing threat.

The post American healthcare loses $78 billion to ransomware attacks appeared first on Cybersecurity Insiders.

As ransomware attacks grow in frequency and sophistication, organizations are looking for ways to prevent them. One common approach is to deploy Endpoint Detection and Response (EDR) and other preventive controls. These tools are effective in many cases, but they do not stop every ransomware attack. Here is why:

  1. Evolving Tactics and Techniques

Ransomware operators continually change their tactics to evade detection and bypass security controls: social engineering for initial access, exploitation of unpatched software, and malware built to blend in with legitimate activity or to tamper with the endpoint sensor itself. EDRs and other preventive controls only help if they recognise the technique in use, and that cannot be assumed.

  2. Insider Threats

A malicious insider already holds legitimate credentials and access, and can stage and deploy ransomware without tripping controls that are tuned to malware behaviour rather than to misuse of authorised access. EDR can record what the insider did, but it is not designed to decide whether an authorised action was ill-intentioned, which makes these attacks hard to prevent.

  3. Zero-Day Vulnerabilities

A zero-day is a vulnerability unknown to the vendor, with no patch and no signature. Signature- and indicator-based detection cannot catch the exploit itself; behavioural detection may catch the post-exploitation activity, but by then the attacker is already on the host, and containing the intrusion becomes a race.

  4. Human Error

People remain the weakest link in most security postures. Employees click malicious links, open infected attachments and fall for phishing. EDRs and other preventive controls cannot always undo that first mistake before the payload runs.

  5. Lack of Visibility

EDR depends on having a sensor on the endpoint. Ransomware can enter through devices that carry no sensor (unmanaged laptops, contractor machines, appliances and OT systems, cloud workloads) or through channels the endpoint never sees. Such tools stop many attacks, but not all of them. Organizations therefore need a multi-layered approach covering detection, prevention, response and recovery. Most have invested in detection and prevention, which is the right first step; given how often attackers now evade those layers, a further layer that contains an active attack (isolating affected hosts and cutting off lateral movement once encryption is under way) must be part of the strategy. Regular employee training, network segmentation and regularly tested backups of critical data complete the picture. A holistic approach of this kind gives organizations far better protection against the growing ransomware threat.
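The containment layer described above needs something to trigger on once the first defences have been evaded. As an added illustration (not code from the article or from any EDR vendor), the script below watches a stream of file-write events on a host and raises an alert when it sees a burst of high-entropy writes or renames to a ransomware-style extension, or any access to a decoy "canary" file. The event stream, the paths, the canary name, the thresholds and the extension list are all constructed or assumed for the demo.

```python
"""Behavioural 'containment layer' sketch: flag an in-progress encryption burst
from file-write events on a host. Added illustration, not from the article;
event stream, paths, thresholds and extension list are all constructed/assumed."""
import math
import random
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Optional

CANARY = "/srv/docs/~canary.docx"   # assumed decoy path no legitimate process should touch


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is usually well under 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class FileEvent:
    ts: float                         # seconds since monitoring started
    path: str
    content: bytes                    # bytes written by this event
    renamed_to: Optional[str] = None  # new name if the write was followed by a rename


class BurstDetector:
    """Sliding-window counter of suspicious writes (high entropy, or renamed to a
    ransomware-style extension), plus an immediate alert on canary access.
    Thresholds are assumed demo values, not any vendor's defaults."""
    SUSPECT_EXTS = (".locked", ".encrypted", ".crypt")

    def __init__(self, window_s: float = 10.0, burst_limit: int = 20,
                 entropy_min: float = 7.0, canaries: Iterable[str] = ()):
        self.window_s = window_s
        self.burst_limit = burst_limit
        self.entropy_min = entropy_min
        self.canaries = set(canaries)
        self.suspect_ts: Deque[float] = deque()
        self.burst_raised = False     # raise the burst alert once, not per event

    def observe(self, ev: FileEvent) -> List[str]:
        alerts: List[str] = []
        if ev.path in self.canaries:
            alerts.append(f"canary touched: {ev.path}")
        suspicious = shannon_entropy(ev.content) >= self.entropy_min
        if ev.renamed_to and ev.renamed_to.endswith(self.SUSPECT_EXTS):
            suspicious = True
        if suspicious:
            self.suspect_ts.append(ev.ts)
        # drop suspicious events that have fallen out of the window
        while self.suspect_ts and ev.ts - self.suspect_ts[0] > self.window_s:
            self.suspect_ts.popleft()
        if len(self.suspect_ts) >= self.burst_limit and not self.burst_raised:
            self.burst_raised = True
            alerts.append(f"encryption burst: {len(self.suspect_ts)} suspicious "
                          f"writes within {self.window_s:.0f}s")
        return alerts


def alerts_for(events: Iterable[FileEvent], **kw) -> List[str]:
    """Run a fresh detector over an event stream and collect every alert."""
    det = BurstDetector(**kw)
    out: List[str] = []
    for ev in events:
        out.extend(det.observe(ev))
    return out


def demo_events() -> List[FileEvent]:
    """Constructed stream: 30 ordinary text writes, then 25 encrypted rewrites
    with renames, then a touch of the canary file."""
    rng = random.Random(42)
    normal = [FileEvent(i * 0.5, f"/srv/docs/report{i}.txt",
                        (b"cargo manifest line %d\n" % i) * 40) for i in range(30)]
    burst = []
    for i in range(25):
        blob = bytes(rng.randrange(256) for _ in range(4096))   # stands in for ciphertext
        burst.append(FileEvent(15.0 + i * 0.1, f"/srv/docs/report{i}.txt", blob,
                               renamed_to=f"/srv/docs/report{i}.txt.locked"))
    burst.append(FileEvent(18.0, CANARY, b"\x00" * 16))
    return normal + burst


if __name__ == "__main__":
    for line in alerts_for(demo_events(), canaries={CANARY}):
        print(line)
```

The alerts are the hook for the containment action (host isolation, killing the writing process, revoking the session), which is deliberately left out here because it is environment-specific. Two caveats a practitioner should keep in mind: compressed and already-encrypted files (archives, media, disk images) are high-entropy by nature, so the entropy test should be paired with the rename or canary signals rather than used alone, and a detector that runs on the endpoint is exactly what sensor-tampering malware aims at, so the events should be shipped off-host as well.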

 

The post Why EDRs and other preventative measures cannot stop ransomware appeared first on Cybersecurity Insiders.

Ransomware has become a grave concern for industries worldwide, and maritime companies, with their heavy reliance on digital systems and their global operations, are no exception. Protecting against it matters for safeguarding sensitive information, keeping vessels and ports operating, and avoiding financial loss. This article sets out the key strategies and practices that maritime companies can adopt to shield themselves from ransomware.

Employee Training and Awareness: The first line of defense is a well-informed workforce, ashore and afloat. Run regular training on phishing emails, suspicious attachments and links, and make it easy for staff to report anything doubtful promptly.

Robust Cybersecurity Measures: Deploy firewalls, intrusion detection systems and anti-malware software, and keep all software and systems up to date so that known vulnerabilities cannot be exploited.

Data Backup and Recovery: Back up all critical data regularly to an offline or isolated system that a compromised network account cannot reach, and test restores periodically. Clean, verified backups are what allow a company to recover without paying a ransom.

Access Control and Least Privilege: Limit access to sensitive data and systems to the employees who need it for their duties, and give each account the minimum level of access its work requires. Least privilege limits how far a single stolen credential can take an attacker.

Network Segmentation: Divide the network into segments, each with its own controls, so that ransomware cannot spread laterally from one to the next. The separation between shore-side business networks and shipboard operational technology deserves particular attention.

Incident Response Plan: Develop and regularly update an incident response plan for a ransomware event, including a chain of command, communication protocols, and contact details for the relevant authorities and cybersecurity specialists.

Regular Security Audits: Conduct periodic cybersecurity audits and vulnerability assessments to find weaknesses in your systems, and act on the findings.

Collaboration with Cybersecurity Experts: Work with specialists who know the maritime and logistics sector; they can offer industry-specific insight and solutions.

Regular Updates and Patch Management: Apply software updates and patches as soon as they become available. Many ransomware attacks exploit known vulnerabilities for which a fix already exists.

Threat Intelligence Sharing: Join or establish threat-intelligence sharing networks within the maritime industry so you learn about emerging threats, and how others have defended against them, before they reach you.

Conclusion:

Ransomware remains a significant threat to maritime companies. A comprehensive strategy that combines employee education, sound technical controls and a rehearsed incident response plan is essential for protecting sensitive data and keeping operations running. With the right precautions and vigilance, maritime companies can substantially reduce their exposure to ransomware and carry on their essential work with confidence.

The post How Maritime companies can shield from Ransomware appeared first on Cybersecurity Insiders.

International Criminal Court suffers espionage related cyber attack

The International Criminal Court (ICC) has concluded that the cyberattack on its systems last month was an act of espionage aimed at its sensitive data. Based in The Hague, the ICC holds a wealth of confidential material, including war-crimes case files and details of suspects, which makes it a valuable target.

The ICC has said it is investigating the September attack and intends to pursue accountability for those responsible.

Dutch government officials have suggested that the sophisticated attack might have been orchestrated by actors in Russia in collaboration with North Korea and China. Preliminary evidence, however, traces the initial point of intrusion to internet-connected devices in Iran.

Israel hospitals asked to sever ties with internet

Amid the conflict between Israel and Hamas, Israel's Health Ministry has said that several hospital networks have been advised by the government to disconnect their IT systems from the internet. Hospitals have also been warned about attacks on their internal networks: cyber groups associated with Russia, operating through Iran, have reportedly been trying to use intranet connections to spread malware capable of knocking out network access for days, which would be most damaging during emergencies.

The directive to take health systems offline was issued jointly by the National Cyber Directorate and the Health Ministry. There is speculation that other essential services, including power, water, transit and defence facilities, may also be told to operate on isolated networks for a period to reduce the risk of cyber incidents from hostile states.

Europol seizes Ragnar Locker Ransomware website

Finally, Europol announced toward the end of last week that it had seized the website of the Ragnar Locker ransomware gang. Authorities took down the group's servers in the Netherlands, Germany and Sweden, disabling its operations, and seized cryptocurrency the gang had obtained through double extortion.

Ragnar Locker has been active since 2019, peaking in 2020, and is linked to attacks on 168 international companies. Early in the COVID-19 pandemic, in March 2020, the gang reportedly supplied decryption keys to healthcare organisations it had hit; since September 2021, however, it has demanded substantial ransoms from victims across the board.

The post Top 3 Google trending news headlines related to Cyber Attacks appeared first on Cybersecurity Insiders.

In double extortion, the criminals first exfiltrate sensitive data from the victim's servers and then encrypt the data in place. They demand a ransom both for the decryption key and for a promise not to publish the stolen data, which puts the victim under pressure on two fronts. Paying buys no guarantee: the criminals may keep the data, sell it, or come back for more.

One striking point in the CyberOwl study is the connection it draws between the rise in ransomware and Russia. The researchers and analysts behind the survey suggest that the surge in activity and revenue may be linked to Russia's invasion of Ukraine, with the hypothesis that ransom payments to criminal groups could indirectly fund the war effort.

In line with these findings, U.S.-based ransomware specialist Coveware reported that 34% of ransomware victims paid in the second quarter of 2023, which shows that the willingness to pay is a global issue spanning many industries, not a maritime peculiarity.

To reduce the risk from file-encrypting malware, companies in the maritime sector, like those in other industries, should take a proactive approach.

Here are some essential measures to consider:

1.) Regular Data Backups: Maintain a consistent backup strategy, with copies kept out of reach of the production network, and verify that data can actually be restored after a ransomware attack.

2.) Automated Threat Monitoring: Deploy automated systems that detect and respond to security threats in real time, so that an intrusion is caught before encryption completes.

3.) Retention Policies: Establish data retention and deletion policies so that the volume of valuable data an intruder can steal, and later threaten to leak, is kept to a minimum.

4.) Incident Response Teams: Build and train incident response teams that can act quickly to contain an incident and limit the damage.
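Both the maritime checklist earlier on this page (backups kept offline or isolated) and the measures just listed (regular backups that can actually be restored) turn on one question: when the restore is needed, how do you know the copy is complete and untouched? As an added illustration (not code from either article), the script below builds a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key that is assumed to live off the backup host, and checks a restored copy against it, reporting files that are missing, altered (for example, encrypted in place) or unexpected. The sample files, directory layout and key are constructed for the demo.

```python
"""Backup integrity check: hash every file in a backup set into a manifest,
authenticate the manifest with an HMAC key kept off the backup host, and
verify a restore against it. Added illustration, not from the article; the
sample files, paths and key are constructed for the demo."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(p: Path) -> str:
    """Streamed SHA-256 so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(files: Dict[str, str]) -> bytes:
    # Fixed key order and separators so the HMAC covers one unambiguous encoding.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: Dict[str, str], key: bytes) -> str:
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag})


def load_manifest(blob: str, key: bytes) -> Dict[str, str]:
    """Reject a manifest whose HMAC does not verify: an attacker who can rewrite
    backup files but lacks the key cannot also rewrite the expected hashes."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: tampered manifest or wrong key")
    return doc["files"]


def verify_restore(restored: Path, files: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(files) - set(actual)),
        "modified": sorted(k for k in files.keys() & actual.keys() if files[k] != actual[k]),
        "extra": sorted(set(actual) - set(files)),
    }


def demo() -> Dict[str, object]:
    key = b"demo-key: in practice, held in a secret store off the backup host"
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "restore")
        for d in (src, dst):   # constructed backup set and its restored copy
            (d / "ops").mkdir(parents=True)
            (d / "ops" / "voyages.csv").write_bytes(b"voyage,eta\nV123,2023-11-01\n")
            (d / "ops" / "crew.txt").write_bytes(b"crew roster\n")
            (d / "config.yaml").write_bytes(b"mode: prod\n")
        blob = sign_manifest(build_manifest(src), key)   # taken at backup time

        # Simulate ransomware reaching the restore copy: one file encrypted in
        # place, one deleted, a ransom note dropped.
        (dst / "ops" / "crew.txt").write_bytes(bytes(range(256)))
        (dst / "config.yaml").unlink()
        (dst / "README_TO_RESTORE.txt").write_bytes(b"pay us\n")
        report = verify_restore(dst, load_manifest(blob, key))

        # An attacker who also edits the manifest to match is caught by the HMAC.
        doc = json.loads(blob)
        doc["files"]["ops/crew.txt"] = file_digest(dst / "ops" / "crew.txt")
        try:
            load_manifest(json.dumps(doc), key)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
    return {**report, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC key is the point of the design: if the manifest and the key sit on the same host as the backups, an intruder who encrypts the backups can simply regenerate the manifest, and the check proves nothing. Keep the signed manifest and the key with whoever owns the restore decision, not with the data, and run this check as part of every restore drill rather than only after an incident.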

As the ransomware threat keeps evolving, companies must stay vigilant and prepared to protect their data, finances and reputation. Paying a ransom may look like a short-term fix, but it funds the next attack and keeps the cycle going, which is why investment in sound security practices and risk mitigation is the better course.

The post Maritime Companies Increasingly Paying Ransoms Amidst Ransomware Surge appeared first on Cybersecurity Insiders.

“Ukraine Cyber Alliance Takes Down Trigona Ransomware Gang, Wipes Their Data Clean”

Headlines about ransomware groups wrecking corporate networks are routine; this time the tables were turned. The 'Ukrainian Cyber Alliance', a group of hacktivists, broke into the infrastructure of the Trigona ransomware gang and wiped it. Before doing so they exfiltrated sensitive material, including source code and decryption keys, along with some of the cryptocurrency the gang had earned during September of this year.

A technical analysis shared with the media indicates that the Alliance got in through a known vulnerability, CVE-2023-22515, in the gang's Atlassian Confluence server; the flaw allows an unauthenticated attacker to create administrator accounts on vulnerable Confluence Data Center and Server instances, and from there the gang's data was within reach. As our analysis team continues to investigate, we will provide updates as soon as further details are confirmed.

“Data Deletion Hack Targets Facebook Users”

In an unusual case, a hacker or hacking group took over the Facebook account of a photographer and systematically deleted images and customer orders that had accumulated there over seven years. The account holder, Doug Bazley of Queensland, said he was devastated by the loss and reported the incident to Meta, which has opened an inquiry.

The takeover appears to have followed Bazley clicking a phishing link that arrived in his inbox disguised as a communication from Meta. The attacker changed the profile photo and the account name, then erased the stored data. Bazley has also criticised the account-security measures Facebook provides. The matter is still under investigation, so it may be some time before the full facts emerge; notably, deleted content often remains in the platform's archives for a period, which may leave room for recovery.

“Criminal Gang RansomedVC Compromises District of Columbia Board of Elections”

The District of Columbia Board of Elections (DCBOE) has been hit by RansomedVC, a criminal gang known for data extortion and hefty demands for decryption keys. The attackers took an indirect route, first compromising the hosting provider DataNet and from there reaching the online platform that held the election authority's data.

To back up its claims, the gang leaked approximately 60,000 lines of Washington DC voter data and put the full set up for sale on the dark web. The exposed fields include Social Security numbers, driver's license details, dates of birth, phone numbers and email addresses. The FBI and DHS are aware of the breach and are investigating the claims.

The same gang, RansomedVC, was behind the recent intrusion at Sony, where it claimed to have stolen more than 260GB of files.

The post Interesting cyber attack headlines trending on Google for this day appeared first on Cybersecurity Insiders.

How hunting for an aubergine could be all it takes for you to hand your credit card details over to a scammer, and just how good is a podcast entirely built by AI? All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Warning: This podcast may contain nuts, adult themes, and rude language.