In a recent interview with Deepen Desai, Global CISO and Head of Security Research at Zscaler, we discussed the evolving threat landscape and the company’s innovative approach to combating the ever-growing threat of ransomware.

Traditional ransomware attacks primarily focused on encrypting the victim’s files and demanding a ransom for the decryption key to unlock the encrypted business data. This approach has undergone several transformations over the years, with attackers increasingly adding the component of stealing data and even weaponizing payloads to propagate laterally within the IT environment.

Deepen noted the latest shift, encryptionless attacks, explaining: “Some of the large and more successful ransomware families have also started what they’re calling encryptionless attacks. This is where they will not encrypt a file; instead they will expel large volumes of data, often over 10 terabytes. The gangs go to the full sequence of attack using weaponized payloads, using a vulnerability exploit to move laterally, establish environment wide persistence and then just steal data. But they don’t encrypt the data, don’t cause any business disruption.”

Why the Shift to Encryptionless Attacks?

The shift towards encryptionless attacks can be attributed to several factors, including an increased focus from law enforcement and regional agencies, potential fines, and public scrutiny. By avoiding encryption and the ensuing disruption of businesses, the ransomware gangs stay out of the news, the targeted business remains unexposed, and both parties potentially avoid legal attention.

Deepen added, “It’s a win-win situation for them. In fact, some of these groups have started calling these attacks a post exploitation penetration testing exercise. It’s basically a ransomware attack, but they’re calling it pen testing.”

Interestingly, Deepen also highlighted how some ransomware gangs are adopting a form of “customer service” in an attempt to enhance their reputation. They provide victims with reports that detail the vulnerabilities exploited and suggestions for security improvements after the ransom is paid.

The Implications for Cybersecurity

The emergence of encryptionless attacks represents an alarming advancement in the cybercriminal’s arsenal. The ability to extract large volumes of data without encryption or immediate business disruption makes these attacks more covert, insidious, and potentially more damaging.

Encryptionless attacks present a new challenge in the ongoing battle against cybercrime. The shift from encryption to stealthier methods illustrates the rapid adaptability and innovation of cybercriminals.

A fascinating aspect of the conversation was the potential role of generative AI and machine learning in cyber threats. Deepen expressed, “It’s only a matter of time when these guys will start using dark web versions of ChatGPT variants to create very effective phishing attacks.”

Advice for Cybersecurity Professionals

Deepen provided a few pieces of advice for organizations in their battle against such attacks, emphasizing the importance of Zero Trust Architecture, which is centered around a fundamental shift away from the traditional trust within a network. The core principles include “Never trust, Always verify,” ensuring that no internal or external access is taken for granted; “Least privileged access,” granting only the necessary permissions required for a specific task; and “Assumed breach scenario,” operating with the mindset that a breach has occurred and taking measures accordingly. Together, these principles emphasize continuous validation, restriction, and awareness, aiming to reduce the attack surface and enhance overall security.

For effective implementation of these principles, Deepen advocated for a staged approach, beginning with “focus on your crown jewel application, implement user to app segmentation first and then go towards more complicated micro-segmentation strategies.” Additionally, he called for the elimination of VPN, characterizing it as a “juicy attack surface for the bad guys.”

Zscaler’s Security Approach

Zscaler’s approach to cybersecurity embodies the principles of zero trust, emphasizing a cloud-first strategy that effectively minimizes the external attack surface through a “never trust, always verify” philosophy. By hiding internal applications and employing a no-VPN approach, Zscaler ensures consistent security with full TLS inspection, regardless of user location. This zero trust model includes proper segmentation and containment strategies to limit the impact of potential breaches and prevent lateral movement within the environment.

Additionally, Zscaler’s inline Data Loss Prevention (DLP) acts to prevent data exfiltration, thereby offering a robust defense aligned with the fundamental principles of zero trust, including assuming breach scenarios, applying least privileged access, and reducing the blast radius if a breach were to occur.
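One concrete check behind the exfiltration concern above is volume-based: flag a host whose egress to external addresses on the latest day far exceeds its own history, since an encryptionless attack moves large volumes of data without otherwise disrupting the business. This is an added illustration, not Zscaler’s product logic or code from the interview; the flow records, the RFC 1918 internal ranges, and the thresholds are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records (not from any real network):
# date,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
2023-08-01,10.0.1.20,203.0.113.10,443,180000000
2023-08-02,10.0.1.20,203.0.113.10,443,210000000
2023-08-03,10.0.1.20,198.51.100.7,443,190000000
2023-08-04,10.0.1.20,198.51.100.42,443,7000000000
2023-08-04,10.0.1.20,198.51.100.42,443,5500000000
2023-08-01,10.0.1.21,203.0.113.10,443,150000000
2023-08-02,10.0.1.21,203.0.113.10,443,160000000
2023-08-03,10.0.1.21,203.0.113.10,443,140000000
2023-08-04,10.0.1.21,10.0.5.5,445,8000000000
2023-08-04,10.0.1.21,203.0.113.10,443,155000000
"""

# Assumption: the internal estate lives in the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GIB = 1024 ** 3


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flows(text):
    """Parse the constructed CSV-like flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, src, dst, port, nbytes = line.split(",")
        flows.append({"date": date, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def external_egress_per_host_day(flows):
    """Sum bytes per (internal host, day) for flows that leave the estate.
    Note: an internal-to-internal transfer (e.g. staging to a file server)
    is not egress and is deliberately excluded here."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]][f["date"]] += f["bytes"]
    return totals


def flag_exfiltration(flows, ratio=10.0, min_bytes=5 * GIB):
    """Flag hosts whose latest-day external egress is both above an absolute
    floor (min_bytes) and at least `ratio` times their historical median.
    The floor keeps low-traffic hosts from alerting on a small blip."""
    totals = external_egress_per_host_day(flows)
    alerts = {}
    for host, by_day in totals.items():
        days = sorted(by_day)          # ISO dates sort chronologically
        if len(days) < 2:
            continue                   # no history to compare against
        latest = days[-1]
        baseline = statistics.median(by_day[d] for d in days[:-1])
        today = by_day[latest]
        if today >= min_bytes and today >= ratio * baseline:
            alerts[host] = {"date": latest, "bytes": today,
                            "baseline": baseline,
                            "ratio": round(today / baseline, 1) if baseline else float("inf")}
    return alerts


if __name__ == "__main__":
    for host, info in flag_exfiltration(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {info['bytes'] / GIB:.1f} GiB egress on {info['date']}, "
              f"{info['ratio']}x the median of prior days")
```

In the sample, host 10.0.1.20 is flagged for its 12.5 GB external burst, while 10.0.1.21’s 8 GB copy to an internal server is not, which is exactly the staging case that a volume monitor alone misses and inline content inspection is meant to cover.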

The interview with Deepen Desai provided a fascinating window into the nuanced and multifaceted world of ransomware defense. As the landscape continues to evolve, understanding these new tactics, and responding with equally advanced defenses, will be essential in safeguarding against this next generation of threats.

The post Encryptionless Ransomware Attacks and Defense Strategies: An Interview with Zscaler’s Deepen Desai appeared first on Cybersecurity Insiders.

by Avishai Avivi, CISO, SafeBreach 

From small attacks to mass hacks, ransomware groups continue to wreak havoc in 2023, attacking organizations of all types, disrupting operations, and exacting high payouts. In March, not only did the White House declare ransomware a national security threat, but a record was also set for the highest number of ransomware attacks in one month, totalling 459. The infamous Ransomware group Clop has also already waged two high-profile mass hacks against western organizations, impacting hundreds of organizations and millions of consumers. Public, private, government, schools, healthcare…none are safe from these emerging threats. What should businesses do to protect themselves?  

A good place to start is by understanding the most popular patterns and types of attacks used by ransomware groups. Armed with this data, organizations can more effectively implement their security controls and continuously validate them to proactively identify gaps and take action before malicious actors do. Here are the top four ransomware trends observed by the team at SafeBreach in 2023.

New Focus on Healthcare, Schools, and Government 

The unfortunate truth about ransomware is that most threat actors carrying out these types of attacks are financially motivated. They don’t care who they attack, as long as they can make a profit. This means they will typically go after the most vulnerable victims who have the most urgent need—and monetary means—to stop an attack. 

In 2023, we saw a significant rise in ransomware attacks on healthcare entities. Due to their highly sensitive and valuable patient data, as well as the critical life-saving services they offer, healthcare organizations face heavy pressure to meet ransomware attackers’ demands. Over 1 million patients had their data exposed in March and April in a breach of NextGen Healthcare, the electronic health record software. Harvard Pilgrim Health Care (HPHC) suffered a ransomware attack in April that resulted in sensitive data of 3.5 million people being exposed. And 11 million patients had data exposed in a July attack on HCA Healthcare. And these are only a few examples. 

Governments have increasingly come under attack as well. In late July Maximus, a U.S. government contractor, confirmed that it was a victim of the MOVEit ransomware campaign. Official numbers aren’t out yet, but it is suspected that eight to eleven million individuals were impacted by this campaign. Universities, which can’t afford to let students sit idle, have also become common targets for ransomware groups. In the MOVEit campaign alone, Colorado and Washington State Universities were both confirmed as victims.

Exploiting Vulnerabilities in the Supply Chain  

In the 2023 mass attacks based on MOVEit and GoAnywhere, Clop exploited vulnerabilities in two popular managed file transfer (MFT) systems used by thousands of companies. By taking advantage of a flaw in software that was presumed secure, Clop was able to successfully attack many different companies across every level of the supply chain. This is likely because many of the organizations using MOVEit and/or GoAnywhere software had not adopted a zero-trust architecture to compartmentalize their computing environments against supply-chain-type risks. Given how many vendors are used across industries, it does not take much for a company to have at least one vulnerable vendor in its supply chain.

What these two Clop campaigns emphasize is that it’s incredibly important for companies to use caution when transferring data through third-party vendors. Even if the vendor says they are secure, companies should apply robust security practices. For example, applying critical secure-by-design and privacy-by-design principles would prevent sensitive data from being allowed to linger in a location meant to be a temporary transfer system. Additionally, it’s necessary for organizations to adopt a zero-trust architecture and begin to assume that every supply-chain vendor used is already insecure and leaking data.

Utilizing Spray and Pray Versus Big Game Hunting Methods

Another interesting phenomenon in 2023 is the split between the use of “spray and pray” and “big game hunting” methods by ransomware groups. In “spray and pray” attacks, ransomware groups indiscriminately send out as many attacks as they can, hoping for smaller payouts from as many victims as possible. This is effective because smaller organizations are less likely to have mature security programs to prevent these attacks and/or deal with the fallout. 

The other method is “big game hunting,” where ransomware groups target a smaller selection of large organizations to maximize profit in one shot. The target organizations are often desperate to avoid a breach and are more likely to pay a ransom, thus rewarding the ransomware group with a large payout.  

Though the split between these two methods has been even in the past, we predict that larger organizations will begin to understand the necessity of investing in proactive security measures, making “big game hunting” less feasible for threat actors overall. Unfortunately, this means “spray and pray” attacks will likely be on the rise to make up for the loss of “big game hunting” revenue. 

Motivated By Politics

Increasingly, we see that profit is not the only motivator for threat actors. In recent years, the presence of nation-state actors in the cyber arena has been on the rise. These threat actors—most commonly from China, Iran, Russia, and North Korea—are not motivated just by money, but rather by causing damage to western organizations and governments. These groups are much less predictable and, because of that, are highly dangerous and often more difficult to detect. 

How to Utilize This Information 

Understanding recent ransomware trends is the first step to defending your organization. The next step is fortifying your security practices. At a minimum, we strongly recommend that public, private, and government enterprises deploy multi-factor authentication (MFA), use least privileged access to protect sensitive data from unauthorized access, and remain up to date on all software patches. 

Further, it’s important to proactively identify any gaps within your organization’s security controls in order to minimize your exposure duration and prevent exploitation. As discussed above, adversaries will use proven techniques to accomplish their goals, and they will continue to seek weaknesses in order to achieve maximum profitability. Continuous validation of security controls with tools such as breach and attack simulation (BAS) lets organizations use known information about attacker techniques to test their defenses, gaining greater visibility into business risk, maximizing security ROI, and strengthening their resilience against attackers, both today and in the future.

The post 2023 Ransomware Trends appeared first on Cybersecurity Insiders.

As the frequency of ransomware attacks targeting Indian defense digital infrastructure continues to rise, the administration under the leadership of Prime Minister Shri Narendra Modi has taken a decisive step. The government has chosen to replace all Microsoft systems with a domestically developed operating system known as Maya OS.

With this significant stride, India becomes the second country globally, after Russia, to undertake the replacement of operating systems across all devices. The rationale behind this move is to counteract the escalating malware and DDoS attacks that aim not only to disrupt operations but also to pilfer critical information from the compromised systems.

Maya OS, conceptualized and crafted by the Union Ministry of Defense in early 2022, is geared toward safeguarding computing devices against a spectrum of cyber threats. At its core, Maya OS is built upon an open-source Ubuntu (Linux) foundation, fortified with robust security features. Remarkably akin to the functionality of Windows, Maya OS ensures a seamless transition for all users.

A standout feature of Maya OS is its integration with an advanced edge security software called Chakravuh. This software operates as a vigilant monitoring solution, effectively countering malware and providing a protective shield against espionage attempts.

Informed sources reveal that Maya OS boasts compatibility with popular applications such as MS Office, Adobe Photoshop, and AutoCAD. This inherent flexibility allows it to seamlessly integrate with existing applications, meeting the demands of the current ecosystem.

A defense contractor based in New Delhi, the capital city of India, divulged that the plan entails replacing Microsoft systems with Maya OS by the conclusion of the current year. Subsequently, the government aims to pivot its focus over the next three years to encompass all centrally managed systems at the government level.

Given that India stands as the most populous country globally, where smartphones and laptops have become indispensable facets of daily life, the undertaking of transitioning millions of Microsoft-operated devices poses a formidable challenge. However, this monumental task is envisioned to be realized over the next decade with strategic execution.

As for the implications for the company led by Satya Nadella, it is important to note that the aforementioned developments remain in their infancy and are anticipated to undergo a protracted transition period.

It’s worth noting that Russia and China have already taken strides in a similar direction. Both nations have enacted bans on the use of Apple iPhones and Microsoft-powered devices within their borders. These countries are progressively advancing toward a 2026 deadline, by which a majority of the computers within their jurisdictions will operate on domestically developed software and applications.

The post India to replace all its defense related Microsoft systems with Maya OS due to Ransomware appeared first on Cybersecurity Insiders.

After observing a series of ransomware attacks targeting K-12 schools, the United States government convened its inaugural cybersecurity summit on August 8th, 2023, in a concerted effort to mitigate these attacks. The attacks have resulted in the compromise of sensitive information such as student medical records, psychiatric assessments, academic performance data, and reports of incidents such as sexual assault on students.

Jill Biden, the First Lady, addressed the issue, emphasizing that safeguarding the future of children hinges on effectively securing their personal data from unauthorized access.

Based on research conducted by security firm Emsisoft, a staggering 48 school districts fell victim to severe ransomware incidents in 2022. In these attacks, malicious groups employing file-encrypting malware exfiltrated data belonging to both students and staff members, including sensitive information like social security numbers and salary account details. The attackers followed a pattern of stealing a subset of data and then issuing threats to publish it online if their demand for cryptocurrency ransom was not met.

A separate report issued by the Government Accountability Office in October 2022 revealed that ransomware hackers had a substantial impact on over 1.2 million students during 2020. This period coincided with increased reliance on online educational programs due to the global lockdowns resulting from the Covid-19 pandemic.

According to findings from the Center for Internet Security, a non-profit organization, by the conclusion of 2021, one out of every three U.S. districts had experienced breaches.

During the Cybersecurity summit attended by Ms. Biden, it was underscored that the ransomware groups had demanded ransom amounts ranging from $50,000 to $1 million from each victim, with approximately 21% of the affected parties complying and making the payment.

With the new school year mere weeks away, the White House, under the leadership of the First Lady and congressional members, engaged in discussions addressing concerns such as mitigating cyber attacks on educational institutions and advocating for stringent punitive measures against perpetrators to instill a deterrent among potential wrongdoers.

The post US holds first ever cybersecurity summit on ransomware attacks on K12 Schools appeared first on Cybersecurity Insiders.

Clop Ransomware, a notorious cybercriminal gang based in the United States, has recently changed its tactics to evade law enforcement surveillance. Instead of using traditional websites to sell stolen data, the gang has adopted a new strategy of leaking data related to the victims of the MOVEit cyber-attack through torrents.

This group made headlines after infiltrating the MOVEit software database on May 27th, 2023, compromising sensitive information from nearly 600 organizations worldwide. Subsequently, they demanded a ransom from the victims and then began leaking the victims’ details starting in June 2023. Initially, the leaked data was distributed through Clearweb websites accessible only via the Tor browser. However, the FBI and CIA took action against these sites, forcing Clop to find an alternative approach.

To circumvent law enforcement, Clop decided to use torrents for distributing the stolen information from the MOVEit attack. They began publishing magnet links to the remaining 20-27 victims, which not only helps them avoid detection but also addresses the issue of slow transfer speeds.

Cybersecurity firm Coveware estimates that Clop could earn extortion payments of $60-$90 million with this latest move of using torrent downloads.

Clop has a history of engaging in double extortion attacks, pressuring victims by disclosing breach details to the victimized company’s partners and customers. To exacerbate the situation, the gang often launches DDoS attacks on the victims’ networks, causing significant revenue losses and tarnishing the affected companies’ reputation.

This new tactic showcases the adaptability and sophistication of Clop Ransomware, making them a formidable threat to organizations’ cybersecurity and emphasizing the need for enhanced measures to counter such attacks.

The post CLOP Ransomware avoids takedowns by using torrents appeared first on Cybersecurity Insiders.

In recent times, the rising threat of ransomware attacks has caused significant financial losses and severe disruptions to businesses. As companies struggle to recover from ransom payments, data recovery, and reputational damage, the need for effective solutions has become more pressing than ever. In response to this challenge, Cisco has unveiled an innovative automated ransomware recovery feature exclusively for its Extended Detection and Response (XDR) system customers.

According to a recent press release from Cisco, this new feature integration is made possible through a collaboration with Cohesity’s DataHawk and DataProtect plans, which are specifically designed to safeguard virtual machines and enterprise workloads from infections.

Security analysts believe that the Cohesity ransomware feature, available within the XDR platform, empowers Security Operations Center (SOC) teams to rapidly detect, snapshot, and recover critical business data at the very first sign of a ransomware infection. This capability enables enterprises to protect their high-value IT environments from the increasingly prevalent double and triple extortion cyber threats.

For those unfamiliar with XDR services, Cisco’s platform seamlessly combines its own robust security features with a wide array of third-party security products. These include tools for incident analysis, threat remediation, response automation, and network access control, all accessible through user-friendly cloud-based interfaces. The XDR system leverages data from six key telemetry sources, namely endpoints, network, firewall, email, identity, and DNS, to provide comprehensive and proactive cybersecurity.

In addition to its XDR offerings, Cisco has made strides in integrating with other leading infrastructure networks and enterprise data backup and recovery plans. By doing so, the company enhances in-house business continuity solutions with automated ransomware recovery capabilities.

With Cisco’s cutting-edge automated ransomware recovery solution, businesses can fortify their cybersecurity defenses and mitigate the damaging consequences of ransomware attacks. By acting swiftly and decisively in the face of cyber threats, companies can safeguard their financial assets and protect their hard-earned reputation in the market.

The post Cisco Introduces Automated Ransomware Recovery Solution for Enhanced Cybersecurity appeared first on Cybersecurity Insiders.

As we approach August, it’s time to take stock of the ransomware attacks that have plagued numerous organizations, leaving CTOs and CIOs grappling with the aftermath. The year 2023 has witnessed several high-profile incidents, exposing sensitive data and causing disruptions across various industries.

1.) Harvard Pilgrim Health Care (HPHC) faced a significant breach in April. Hackers targeted HPHC, compromising the personal information of approximately 2,550,922 patients. Social engineering tactics allowed the perpetrators to steal full names, contact details, physical addresses, insurance information, medical histories, dates of birth, and social security numbers. Alarming as it is, no ransomware gang has claimed responsibility for the data theft so far.

2.) Reddit, a prominent tech-based discussion forum, became another victim of a security breach. Unauthorized access to corporate documents, software codes, and metadata occurred, with the BlackCat Ransomware gang, also known as Alphv, claiming responsibility. The hackers demanded a hefty ransom of $4.5 million for the decryption key, after gaining access to and stealing around 80GB of sensitive data.

3.) Barts Health NHS Trust, responsible for serving 2.5 million people across the UK, experienced a leak of internal documents on the dark web. The ALPHV Ransomware gang was behind the incident, exposing 5 terabytes of data out of the total 9TB in storage. This leak poses a significant risk, particularly with identity theft on the rise.

4.) Dish Network fell victim to the BlackBasta ransomware gang between February and March, causing disruptions to services like Dish Anywhere. The company took swift action, identifying and isolating the affected systems by the end of March. Details regarding the attackers and the financial impact of the attack remain undisclosed.

5.) The Royal Mail suffered at the hands of the LockBit Ransomware gang, causing delays in international deliveries. A critical infrastructure within the organization was targeted, and recovery efforts continued until November 2023.

6.) San Francisco’s BART (Bay Area Rapid Transit) encountered a ransomware incident early in the year, leading to the exposure of sensitive files. Vice Society, the perpetrator, claimed to have stolen police reports, employee information, and other confidential documents from BART servers.

7.) Dole Food Company, a prominent online retail giant in the fruits and vegetables sector, faced a file-encrypting malware attack that disrupted its operations for days. The company managed to recover from the incident with the assistance of third-party experts, refusing to pay any ransom to the criminal gang.

8.) Yum! Brands, the owner of Taco Bell, KFC, and Pizza Hut, experienced a malware attack in January that temporarily shut down operations in almost 300 UK restaurants. In response, Yum! Brands implemented threat monitoring solutions to prevent future risks.

9.) The UK Marshals Service encountered a data leak in February, with sensitive information related to US Marshals Service being exposed online. The cybercriminals behind the attack attempted to tarnish the organization’s image after their ransom demands went unheeded.

10.) In Florida, Tallahassee Memorial Hospital faced a ransomware attack that disrupted IT services for a week. As a result, administrative staff and doctors temporarily relied on paper documents, leading to the postponement of some surgeries. However, thanks to their efficient data continuity plan, the healthcare provider handled the downtime with maturity and resilience, without paying any ransom.

These incidents serve as a stern reminder of the persistent threat posed by ransomware attacks, highlighting the importance of robust cybersecurity measures and proactive planning for organizations across the globe.

The post Top 10 Ransomware Attacks in 2023 so far appeared first on Cybersecurity Insiders.

Over the past two years, security analysts have been discussing the impact of cyber insurance on ransomware attacks. There have been claims that companies covered by cyber insurance end up paying higher amounts to hackers who launch such attacks. Tech platforms like Quora and Reddit have even allowed discussions on which cyber insurance covers attract the most criminals, adding fuel to the debate.

To address these concerns and put an end to speculative discussions, the National Cyber Security Centre (NCSC) partnered with the Research Institute for Sociotechnical Cyber Security to conduct a comprehensive study. The aim was to investigate whether having insurance coverage influences cyber criminals to demand more from their victims and whether insurance companies secretly pay commissions to these criminals for demanding higher ransoms.

After meticulous research and analysis, the joint report from NCSC and the Research Institute revealed that there is no “compelling evidence” suggesting that ransomware attack victims with cyber insurance end up paying more than those without any insurance coverage. The findings indicated that being covered by a cyber insurance policy did not significantly impact the ransom amounts paid by the victims.

Furthermore, the evidence collected during the study did not indicate any suspicious collaboration between insurance companies and ransomware spreading criminals. There were no indications that these companies incentivize or encourage hackers to demand higher ransoms from insured victims to maximize their own benefits.

In response to the growing concern over ransomware threats, British officials from Whitehall have initiated discussions on a Counter Ransomware initiative. They recognize that various government departments face acute digital threats and are actively seeking measures to combat cybercrime. The British Parliament, in collaboration with the NCSC and other government partners, is working to implement effective strategies to counter this rising cyber threat, which poses significant challenges to businesses and organizations operating in the country.

While concrete actions are being taken to address the issue, it remains crucial to safeguard IT assets from file encrypting malware threats. Additionally, efforts must be made to ensure that insurance firms do not engage in any collusion with criminals, ensuring a more secure and resilient cybersecurity landscape for businesses and individuals alike.

The post Report says no evidence that cyber insurance coverage makes victim pay more appeared first on Cybersecurity Insiders.