The announcement issued by CloudNordic, a Danish enterprise hosting provider, has drawn considerable attention. The statement acknowledges that a ransomware group compromised the company's systems and that all customer data was lost. The attack also reached the backup systems, leaving the provider with nothing to restore from.

What makes the situation so serious is that both the primary data and the backups have been rendered irretrievable. This raises two questions for affected customers: how they can recover, and whether they are entitled to any form of financial compensation.

The path to recovery is complex and depends largely on the contracts agreed between CloudNordic and each client when the service was taken on. Cloud Service Providers (CSPs) commonly implement layered data protection strategies, typically keeping redundant copies of data both onsite and offsite; where compliance requirements or best practices demand it, CSPs maintain three distinct backup copies across separate geographic locations.

It is therefore conceivable that CloudNordic may still salvage some data through its business continuity plans or its most recent archive. Redundant copies only help, however, if at least one of them is isolated from the production environment (offline, or on immutable storage); copies reachable with the same administrative credentials as production are routinely encrypted or wiped alongside it, which is exactly what happens when a ransomware group reaches the backup servers. Where recovery proves impossible, the legal provisions and obligations in the existing agreements come into play, and the company may be required to compensate affected customers.

This is a substantial setback, particularly for enterprises that have entrusted critical data to a Cloud Service Provider, and most of all for those whose operational continuity depends on that data. Both the CSP and the customers who relied on its services will need to work through the contractual position together and find a resolution that addresses the concerns of both sides.

The post What will a service provider do when ransomware attack wipes off all its data appeared first on Cybersecurity Insiders.

CloudNordic, a Denmark-based cloud service provider, has issued a public statement confirming a ransomware attack that resulted in the loss of customer data stored on its servers. The data was encrypted on August 18, 2023, and despite its efforts the company was unable to recover it.

The company is working to restore the lost data from backups. The prospects of successful recovery appear extremely slim, however, because the attackers also reached the primary and secondary backup servers. Another Danish firm, AzeroCloud, was hit by the same ransomware group in the same attack, though the extent of the damage to AzeroCloud has not yet been disclosed.

In a separate incident, the University of Minnesota disclosed that unauthorized access to its servers took place on July 21, 2023. Reports indicate that the intruders obtained sensitive data, including over 7 million social security numbers, from records amassed since the 1980s.

In another development, the Akira ransomware group, which drew notice in March 2023 for encrypting VMware ESXi virtual machines, has begun a new campaign in which Cisco VPN products serve as the entry point into the organizations it then encrypts. Once inside, the group plants backdoors in the corporate network. The full extent of the impact remains under investigation and is expected to be disclosed shortly.

Singing River Health System has also fallen prey to what appears to be a ransomware attack. Official confirmation is still pending, but the healthcare provider has reported suspicious external access to its computer network, consistent with a ransomware intrusion. The incident is being investigated by the hospital's IT staff, who say more details will be disclosed in the coming week.

St Helens Council, a metropolitan borough in Merseyside, England, has also been hit by a suspected ransomware attack. Preliminary assessments indicate that the impact was limited to certain internal systems, with the council's website continuing to operate normally.

In response, the council has set up a dedicated page on its website to educate residents about phishing and other scams, at www.sthelens.gov.uk/watchoutforscams.

The post Headlines about ransomware making waves on Google’s trending news appeared first on Cybersecurity Insiders.

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
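As an added example (not code from Krebs, Cisco or Thinkst), here is a minimal tripwire of the kind the quote describes, run over constructed process-creation events of the sort Sysmon Event ID 1 or auditd produce. The host name codesign-01, the user names and the events are assumptions for illustration. It raises one alert on a burst of orientation commands by a single user on a host, and another on any such command on a host designated sensitive:

```python
"""Added example: a 'network tourist' tripwire over process-creation events.

Constructed sample events stand in for Sysmon Event ID 1 / auditd EXECVE
records. Two rules:
  * recon-burst: N distinct orientation commands by one (host, user) inside
    a sliding time window;
  * recon-on-sensitive-host: any orientation command on a host where no
    regular user should ever need one (the code-signing server in the text).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import shlex

# Commands attackers run to learn who and where they are; regular users on
# most hosts almost never run them interactively.
RECON_COMMANDS = {
    "whoami", "hostname", "systeminfo", "ipconfig", "arp", "route", "nltest",
    "quser", "qwinsta", "tasklist", "netstat", "nslookup", "dsquery", "net",
}
# Assumed inventory name for the code-signing server: one recon command
# here is alert-worthy on its own.
SENSITIVE_HOSTS = {"codesign-01"}


def recon_tool(cmdline: str):
    """Return the recon tool name if the command line starts with one, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)   # non-POSIX: keeps Windows backslashes
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return exe if exe in RECON_COMMANDS else None


def detect(events, window=timedelta(minutes=5), threshold=3):
    """events: iterable of (iso_timestamp, host, user, command_line).
    Returns a list of alert dicts; at most one burst alert per (host, user)."""
    recent = defaultdict(deque)       # (host, user) -> deque[(ts, tool)]
    burst_alerted = set()
    alerts = []
    for ts_s, host, user, cmdline in sorted(events):
        tool = recon_tool(cmdline)
        if tool is None:
            continue
        ts = datetime.fromisoformat(ts_s)
        if host in SENSITIVE_HOSTS:
            alerts.append({"rule": "recon-on-sensitive-host", "host": host,
                           "user": user, "tool": tool, "ts": ts_s})
        q = recent[(host, user)]
        q.append((ts, tool))
        while ts - q[0][0] > window:      # drop entries that fell out of the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and (host, user) not in burst_alerted:
            burst_alerted.add((host, user))
            alerts.append({"rule": "recon-burst", "host": host, "user": user,
                           "tools": sorted(distinct), "ts": ts_s})
    return alerts


# Constructed sample events (not real telemetry): (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2023-08-21T09:00:01", "ws-042", "CORP\\jdoe", r"C:\Windows\System32\whoami.exe /all"),
    ("2023-08-21T09:00:09", "ws-042", "CORP\\jdoe", "net user /domain"),
    ("2023-08-21T09:00:40", "ws-042", "CORP\\jdoe", "nltest /dclist:corp"),
    ("2023-08-21T09:01:15", "ws-042", "CORP\\jdoe", "ipconfig /all"),
    ("2023-08-21T09:02:00", "ws-010", "CORP\\asmith", "ipconfig /release"),    # lone command, benign
    ("2023-08-21T09:03:00", "ws-010", "CORP\\asmith", r"C:\Windows\notepad.exe notes.txt"),
    ("2023-08-21T09:05:00", "codesign-01", "CORP\\svc-build", "whoami"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic runs in the SIEM over endpoint telemetry; the router equivalents Cisco lists (show config, show interface, show cdp neighbor) arrive via TACACS+ accounting or device syslog and can be matched the same way. Tune RECON_COMMANDS per host role: ipconfig on a helpdesk workstation is normal, whoami on a code-signing server is not.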

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever tread. Importantly, the canary tokens themselves are useless to an attacker. For example, an AWS canary token looks like the digital keys to your cloud, but the token itself grants no access. It is just a lure, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is resolved;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run;
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is opened.
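To show the mechanism behind the URL and DNS tokens, here is an added example of a token registry with hit matching. It is not Thinkst's code and does not talk to canarytokens.org; CANARY_DOMAIN, the memo texts and the log lines are constructed, and the log formats assumed are Apache common log format and a BIND-style query log. The important property is visible in mint(): the artifact planted is only a random identifier, so it grants nothing, while the memo recorded alongside it tells you exactly which decoy was touched when a hit arrives:

```python
"""Added example: mint URL and DNS canary tokens and match log hits back to
the place each token was planted.  Not Thinkst's implementation.
CANARY_DOMAIN is an assumed name for a zone whose web server and
authoritative DNS logs you control."""
import re
import secrets
from dataclasses import dataclass, field

CANARY_DOMAIN = "canary.example.internal"   # assumption: you own this zone


@dataclass
class Token:
    token_id: str
    kind: str          # "url" or "dns"
    memo: str          # where it was planted, so an alert says what was touched
    hits: list = field(default_factory=list)


class CanaryRegistry:
    def __init__(self):
        self._tokens = {}
        # Hits arrive in whatever your web / DNS servers log; these patterns
        # match the constructed common-log and BIND-style lines used in demo().
        self._http_re = re.compile(
            r'^(?P<src>\S+) .*"GET /t/(?P<id>[0-9a-f]{16})/[^" ]* HTTP')
        self._dns_re = re.compile(
            r'client (?P<src>[0-9.]+)#\d+: query: (?P<id>[0-9a-f]{16})\.'
            + re.escape(CANARY_DOMAIN) + r' IN ')

    def mint(self, kind: str, memo: str):
        """Create a token; return (token_id, artifact to plant).
        The artifact carries no secret and no access: it is a random id that
        means nothing unless somebody fetches or resolves it."""
        tid = secrets.token_hex(8)
        if kind == "url":
            artifact = f"http://{CANARY_DOMAIN}/t/{tid}/pixel.gif"
        elif kind == "dns":
            artifact = f"{tid}.{CANARY_DOMAIN}"
        else:
            raise ValueError(f"unsupported token kind: {kind}")
        self._tokens[tid] = Token(tid, kind, memo)
        return tid, artifact

    def ingest(self, line: str):
        """Match one log line; return an alert dict for a known token, else None."""
        m = self._http_re.search(line) or self._dns_re.search(line)
        if not m:
            return None
        tok = self._tokens.get(m.group("id"))
        if tok is None:
            return None        # unknown id: scanner noise, not a planted token
        alert = {"token_id": tok.token_id, "kind": tok.kind,
                 "memo": tok.memo, "src": m.group("src")}
        tok.hits.append(alert)
        return alert


def demo():
    """Mint two tokens, feed constructed log lines, return the alerts raised."""
    reg = CanaryRegistry()
    tid, _url = reg.mint("url", "link inside decoy /srv/finance/Q3-passwords.docx")
    _did, host = reg.mint("dns", "backup host name in decoy ~/.ssh/config")
    # Constructed log lines: two hits on planted tokens, one unrelated request.
    lines = [
        f'10.20.30.40 - - [21/Aug/2023:09:14:02 +0000] "GET /t/{tid}/pixel.gif HTTP/1.1" 200 43',
        f'21-Aug-2023 09:14:05.123 client 10.20.30.40#53211: query: {host} IN A +',
        '10.20.30.41 - - [21/Aug/2023:09:20:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    ]
    return [a for a in (reg.ingest(ln) for ln in lines) if a]


if __name__ == "__main__":
    for alert in demo():
        print(f"CANARY {alert['kind']} from {alert['src']}: {alert['memo']}")
```

Because the alert carries the memo, the on-call engineer learns not just that something fired but which decoy was opened and from where, which is the context needed to decide whether the source is a red team, a curious admin or an intruder orienting themselves.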

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Thinkst Canary (canary.tools), a paid product built around small hardware or virtual devices that are installed on the local network as decoy hosts and also act as a canary token server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens

Ransomware-as-a-Service cheat sheet

Ransomware-as-a-Service, or RaaS, has taken the threat landscape by storm — so much so that in 2023, the White House re-classified ransomware as a national security threat. How has RaaS taken the impact of ransomware attacks to this next level of federal concern? By allowing potential cybercriminals to launch a ransomware attack regardless of their experience with programming or technical sophistication.

According to Cybersecurity Ventures, ransomware might cost companies nearly $265 billion annually by the end of 2031. Meanwhile, bad actors get a lot of bang for their buck with Ransomware-as-a-Service. RaaS kit subscriptions can be as little as $40 per month.

That said, security professionals shouldn’t roll over or wave the white flag. Implementing a few key strategies can minimize the effect and decrease the likelihood of falling victim to a RaaS attack.

What is RaaS?

Organizations should clearly understand what RaaS is to make their security strategies specific to the needs of ransomware defense.

So, what is Ransomware-as-a-Service? It’s a business model designed by larger, more sophisticated ransomware groups. These groups utilize their technical expertise to create portable ransomware packages — or kits — that they then sell to buyers aiming to launch their own ransomware attacks.

Basically, ransomware operators turn their processes into a program or software usable by other threat actors. RaaS packages are often advertised on forums on the dark web, and they can also come with downloadable features, bundled offers, and 24/7 support staff. Well-known examples of groups that produce RaaS kits include:

RaaS kits aren’t developed out of the goodness of ransomware groups’ hearts. As noted above, these kits operate similarly to SaaS business models in that users follow some type of payment plan with the original ransomware operators.

These plans might look like:

  • A one-time licensing fee
  • A monthly subscription fee
  • An affiliate program fee, under which the ransomware group takes a percentage of each ransom its affiliates collect
  • Pure profit sharing, with no upfront fee

Defending against RaaS attacks

When it comes to Ransomware-as-a-Service, the best method of defense follows a pretty consistent cybersecurity theme: Prevention is protection. Ransomware attacks are extremely costly and time-consuming for security teams to retroactively address. So, implementing security strategies aimed at stopping RaaS users in their tracks should be considered essential.

However, RaaS attacks are evolving faster than ever, so it can be tough for security teams to know where to start. Here’s a cheat sheet of three easy ways to defend your organization from RaaS attacks — well before they even strike.

1. Patch, patch, and patch again

Patching is a critical part of cybersecurity maintenance. Ransomware operators look for new vulnerabilities to exploit around the clock; it is their full-time job. Organizations therefore need to strengthen their vulnerability management and stay on top of the growing list of CVEs (Common Vulnerabilities and Exposures entries) that attackers actually exploit to breach sensitive systems and assets. A rigorous patching program goes a long way toward keeping the latest RaaS kits at bay.

RaaS Hack: Keep tabs on which of your vulnerabilities are being actively exploited by checking CISA's Known Exploited Vulnerabilities (KEV) Catalog. This federal resource includes a bulletin that security teams can subscribe to, as well as downloadable versions in CSV and JSON formats.
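As an added example (not a CISA tool), here is how a team can turn the JSON download into a prioritised worklist by matching entries against an asset inventory. The entries and the inventory are constructed, the CVE ids are placeholders rather than real identifiers, and the field names follow the KEV JSON schema (cveID, vendorProject, product, dateAdded, dueDate, and knownRansomwareCampaignUse, a field present in the current schema). The ordering puts overdue items linked to ransomware campaigns first:

```python
"""Added example: build a prioritised patch worklist from a KEV-shaped JSON
feed.  Not a CISA tool; the entries, the inventory and the CVE ids are
placeholders so the example runs offline."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (placeholder ids).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Transfer Gateway", "vulnerabilityName": "placeholder",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "VPN Appliance", "vulnerabilityName": "placeholder",
         "dateAdded": "2023-08-01", "dueDate": "2023-08-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Mail Server", "vulnerabilityName": "placeholder",
         "dateAdded": "2023-07-10", "dueDate": "2023-07-31",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory, normalised to lower-case (vendor, product).
INVENTORY = {("examplevendor", "transfer gateway"), ("examplevendor", "vpn appliance")}


def load_kev(text: str):
    """Return the entry list from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def prioritise(entries, inventory, today: str):
    """Keep entries whose (vendorProject, product) is in the inventory and
    order them: ransomware-linked first, then most overdue first."""
    today_d = date.fromisoformat(today)
    hits = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cve": e["cveID"],
            "product": e["product"],
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_overdue": (today_d - due).days,   # negative: still inside the due window
        })
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"]))
    return hits


if __name__ == "__main__":
    for h in prioritise(load_kev(SAMPLE_KEV_JSON), INVENTORY, "2023-08-25"):
        print(h)
```

Exact-string matching on vendorProject and product is enough for the example; a real inventory needs a mapping table, because the names in the catalog rarely match the names in a CMDB.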

2. Segment networks to prevent widespread environment proliferation

One of the biggest problems with RaaS attacks is that they move fast. Once RaaS affiliates find a way in, they move laterally into connected systems, and an organization can end up with ransomware across its whole environment.

To prevent this ripple effect, organizations should segment their networks. Network segmentation divides one large network into sub-networks, each with its own security controls, so that a compromise in one segment cannot freely reach the others. Segments make network security more manageable and, more importantly, limit what an attacker can reach from a single exploited host.
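Segmentation is only as good as the rules that enforce it, so as an added example (not from the original post) here is a policy check that audits flow records against an allow-list of permitted segment-to-segment flows. The segments, the allow-list and the flows are constructed; the same check can be run over NetFlow, VPC flow logs or firewall logs to find both misconfigurations and the workstation-to-workstation SMB traffic that lateral movement produces:

```python
"""Added example: audit east-west flows against a segmentation policy.
All segments, rules and flow records below are constructed for illustration."""
import ipaddress

# Segments as address ranges. The jump host lives inside the server range,
# so lookups must prefer the most specific match.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.30.0.0/16"),
    "jump":         ipaddress.ip_network("10.30.0.10/32"),
    "backup":       ipaddress.ip_network("10.40.0.0/24"),
}

# Permitted (source segment, destination segment, destination port).
# Anything not listed, including traffic between two workstations, is a
# violation: there is no legitimate reason for one desktop to reach another
# over SMB or RDP.
ALLOWED = {
    ("workstations", "jump", 3389),      # admins go through the jump host
    ("jump", "servers", 3389),
    ("jump", "servers", 22),
    ("workstations", "servers", 443),    # internal web applications
    ("servers", "backup", 443),          # backup agent to backup target
}

_ORDERED = sorted(SEGMENTS.items(), key=lambda kv: kv[1].prefixlen, reverse=True)


def segment_of(ip: str) -> str:
    """Name of the most specific segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in _ORDERED:
        if addr in net:
            return name
    return "unknown"


def audit(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the flows the
    policy does not permit, annotated with the segments involved."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if (s, d, port) not in ALLOWED:
            violations.append({"src": src, "dst": dst, "port": port,
                               "from": s, "to": d})
    return violations


# Constructed flow records (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.30.0.10", 3389),   # workstation -> jump host: fine
    ("10.30.0.10", "10.30.1.5", 22),      # jump host -> server: fine
    ("10.10.4.21", "10.10.4.22", 445),    # workstation -> workstation SMB: lateral movement
    ("10.10.4.21", "10.40.0.7", 445),     # workstation -> backup over SMB: must never happen
    ("10.30.1.5", "10.40.0.7", 443),      # server -> backup: fine
    ("10.10.4.21", "10.30.1.5", 443),     # workstation -> web app: fine
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"DENY {v['from']} -> {v['to']} tcp/{v['port']} ({v['src']} -> {v['dst']})")
```

The allow-list is the policy; the firewall or VLAN ACLs should implement exactly these tuples, and running the audit over observed flows tells you where reality and policy disagree before an affiliate finds the gap.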

3. Build and maintain a culture of security

An organization is only as strong as its weakest link, and more often than not humans are that link. IBM's 2023 X-Force Threat Intelligence Index found phishing to be the initial infection vector in 41% of the incidents it analyzed. A critical remedy for RaaS attacks is therefore organization-wide education on phishing, business email compromise, and other attack methods that rely on human error.

RaaS Hack: If your organization has limited cybersecurity resources, managed services can act as “training wheels.” Managed services vendors can help educate your security team, and through it the whole organization, on best practices for defending against RaaS attacks.

Next steps for RaaS defense

RaaS attacks are growing more frequent and more sophisticated, and it can be tough to keep pace with attackers when you are inundated with a laundry list of other daily tasks.

That’s why we built Managed Threat Complete, an always-on MDR with vulnerability management in a single subscription that helps take the load off your security teams so they have space to innovate and strategize. Leverage the skill of our world-class cybersecurity experts and learn how to implement robust RaaS defense in your organization today.

The British government has launched an ‘Early Warning’ program designed to alert organizations that appear to be targets of impending ransomware attacks before the situation escalates. The program, run by the UK’s National Cyber Security Centre (NCSC), has faced skepticism over its hit rate: only around 2% of the alerts sent have been confirmed as genuine, with the remainder dismissed as false alarms.

The NCSC, the part of GCHQ responsible for cybersecurity, argues that the program's effectiveness would improve significantly if more organizations, public and private, signed up for the free alert service.

The Early Warning system relies on AI-driven analysis of intelligence data from a range of sources. Its purpose is to give potential targets advance notice that a substantial ransomware attack may be imminent.

To receive alerts, an organization needs a fixed IP address or a domain name and must be prepared to act on the warnings. The NCSC provides the technical guidance needed to mitigate the reported threats at no cost.

By the end of 2022 only 7,860 organizations had enrolled in the Early Warning service, despite the private sector comprising 5.5 million registered businesses. Similarly, of the 160,000 registered charities, more than 32,000 schools and around 700 healthcare organizations, only about 3% had registered by February 2023.

Efforts are under way to attract more organizations to the platform by the end of the year, through awareness campaigns, employee education about current cyber threats, and communication of the tangible benefits of the Early Warning service.

The post Britain starts issuing ‘Early Warning’ to Ransomware Victims appeared first on Cybersecurity Insiders.

ALPHV, also known as the BlackCat ransomware group, has directed a cyber attack at Seiko, the Japanese watch manufacturer. The attack disrupted some of Seiko's production operations and compromised a portion of its data.

Seiko has confirmed the incident. The breach is believed to have occurred in the last week of July, but it was only on August 2, 2023 that the company's IT staff identified and contained it.

With more than 12,000 employees and annual revenue of $1.3 billion, Seiko has launched a thorough investigation. The company has stated unequivocally that it will not entertain ransom demands from the group that encrypted its files.

To pressure its target, BlackCat has released sample data that includes confidential Seiko watch designs and technical information about semiconductors. Such information could be valuable to competitors and to producers of counterfeit goods, which are commonly traded on black markets in Singapore and Malaysia, particularly between September and December each year.

Seiko Group Corporation is one of the world's oldest watchmakers and introduced the first quartz wristwatch to the market in 1969. The company has a strong presence in New Jersey, USA, and sponsors various sports events across the United States.

Seiko has been supporting Ukraine in its conflict with Russia, which has led to speculation that the attack is connected to that stance: the attackers are thought to be Russian-speaking and affiliated with ALPHV, also tracked as Noberus. The group is notorious for triple extortion campaigns, denial of service attacks against victims, and profiting from the sale of stolen data.

The post BlackCat Ransomware Group targets Seiko Watch Japan appeared first on Cybersecurity Insiders.

The ransomware landscape has been shifting as threat actors alter their strategies. The familiar practice of encrypting databases and demanding a ransom is giving way to a more nuanced approach, as cybercriminals adopt “encryption-less” extortion attacks.

Previously, adversaries used double extortion: they stole a portion of data from a database and then encrypted the entire repository, demanding payment for the decryption keys and threatening to leak the stolen data on the dark web if the ransom was not paid promptly.

A notable shift has emerged in how some ransomware operators work. Instead of causing extensive disruption, they now try to minimize the impact on their victims, going as far as offering a 24×7 “customer service” channel through which victims can negotiate with the attackers' support representatives and arrange decryption of their compromised systems.

This model resembles a software-as-a-service arrangement, with hackers interacting with victims through support staff. Beneath the surface the strategy serves another purpose: by minimizing victims' downtime, the attackers ensure that fewer incidents are reported to the media, law enforcement and data protection authorities. That secrecy extends the criminals' window of operation and reduces the visible impact on victims.

According to CrowdStrike's 2023 Global Threat Report, data-theft extortion attacks that did not involve encrypting the victim's data rose by 20% in 2022.

A Cisco Talos report covering January to July 2023 found a further 25% rise in encryption-less extortion attacks.

In these cases the criminals threaten to expose the stolen data unless they are paid. The approach suits both sides in a perverse way: victims are asked for a comparatively smaller sum, and the criminals avoid the noisy encryption stage that modern endpoint detection and response tooling is tuned to catch. The move toward encryption-less tactics has let criminals keep monetizing their intrusions.

Whether this shift in ransomware tactics is a lasting transformation or a temporary phase can only be judged over time.

For now, it is evident that ransomware attackers have pivoted their methods. Encryption-less data extortion has featured in recent incidents, such as the MOVEit Transfer campaign carried out by the Clop ransomware gang. Given the dynamic nature of cyber threats, it is hard to predict whether the trend will endure or fade.

The post Ransomware spreading gangs start Customer Service appeared first on Cybersecurity Insiders.