IT staff who work in a hybrid arrangement, or who are frequently on the move, lose devices fairly often. The problem gets worse when the ICO then fines the company because an employee lost a laptop, whether through negligence or plain misfortune.

Taking lost laptops alone, the Information Commissioner's Office has reportedly imposed penalties totalling £26m since 2020 on companies whose employees lost laptops, yet fined a single company just £90,000 for exposing itself to a ransomware attack.

According to research by Cisco, the ICO has received over 3,000 complaints in the past two years about employees losing devices that held sensitive information, most of them simply misplaced. The one sizeable ransomware-related penalty in the same period went to a law firm that was fined for exposing its IT infrastructure to a file-encrypting malware attack.

Some months earlier, cyber criminals had infiltrated the law firm's network and stolen thousands of files, which were later dumped online for sale and made available to anyone interested in mining them for information.

The ICO launched a serious investigation, since the breach leaked personal information about several celebrities who were clients of the firm, and on confirming the facts it fined the firm a stipulated sum to be paid within a set period.

Martin Lee, a security expert at Cisco, has asked why staff losing devices attract heavy penalties while organisations that expose their networks to cyber attacks escape comparably harsh fines.

Some clarity is needed here. Losing a device is a lapse caused by human carelessness.

Being hit by file-encrypting malware, on the other hand, can be a misfortune even when the victim has taken every proactive security measure. What is a target to do when the attack is sophisticated and complex?


The post Laptop loss costs more than ransomware attacks appeared first on Cybersecurity Insiders.

Ransomware attacks are hitting organisations every day and infrastructure & operations (I&O) leaders are aggressively bolstering protection, detection and response capabilities against attacks.

However, questions remain as to whether existing disaster recovery (DR) and business continuity plans are sufficient for ransomware recovery.

To address this, I&O leaders must consider five areas in which the two recovery approaches differ, to establish whether existing plans can withstand a ransomware attack.

  1. Similarities and Differences

Traditional DR and ransomware recovery have many similarities, including the need to coordinate with business continuity management, prioritise via recovery tiers and understand dependencies. Both also require procedures to assess the impact, declare and activate recovery plans, execute plans, and obtain clarity around access and maintenance.

However, ransomware recovery involves far greater complexity and unpredictability, so it is important to consider the business demands of the differing recovery steps, which will naturally involve different stakeholders. The differences include the recovery approach, recovery location, data loss, recovery time and the speed of the return to business as usual.

  2. Disaster Recovery Protects Against ‘Predictable’ Disasters

Traditional DR planning assumes that an entire location or application has failed, requiring failover to a DR location. These events can vary in scope, from regional power outages to IT equipment failure, and even natural disasters such as earthquakes, tornadoes and flooding, which destroy all infrastructure.

Planning for these events requires active or hot standby application infrastructure across data centres, which enables the failover to happen within a reasonable time, and with minimal or no data loss.

  3. Disaster Recovery Not Always Suitable for Ransomware Attacks

Today's ransomware attacks are mostly well planned; the intrusion can start weeks or months before the final ransomware assault. Typically, the ransomware itself is activated only as the last step of this well-prepared cyberattack, with the attackers still holding access while it runs.

Traditional DR usually relies on replicating and synchronising applications, data and foundational network services between the primary site and the DR location. So everything the attackers do to compromise the production site is replicated to the DR site as well: replication faithfully copies whatever state exists, backdoors and encrypted data included. Once the DR site is contaminated in this way, standard recovery procedures cannot be used after a cyberattack.

Accept that in a worst case you may have to rebuild from scratch, which requires planning for recovery from alternative infrastructure such as isolated recovery environments, cloud infrastructure, relocation sites and services.

  4. Disaster Recovery and Ransomware Recovery Follow Different Processes

Traditional DR activation follows a straightforward process: after the disaster event is detected, an assessment decides whether failover is required. Failover is then executed and validated, and business continues. A well-planned failback (where applicable) is executed once the primary environment is recovered.

Recovery from ransomware, on the other hand, requires multiple and more complex stages. In the first phase the focus is on stopping the attack from executing and propagating. In the second, forensic analysis establishes what happened, which ransomware was executed, which security weaknesses were exploited and how the attackers got in. In the third, analysis identifies which network artefacts, applications, data and backups are affected.

Phase four focuses on recovering foundational infrastructure, by restoring or rebuilding all network artefacts as well as storage and compute infrastructure, followed by a rebuild or recovery of network services such as DNS and Active Directory. In phase five, a dedicated isolated recovery environment (IRE) is used to scan, repair and validate operating systems, applications and data before they return to the primary environment. Finally, in phase six, systems are migrated out of the IRE back into production.

This impact on the entire infrastructure is what makes ransomware recovery so complex and unpredictable: every impacted element of the infrastructure must be recovered and resecured before systems, applications and their data can be restored on top of it. Examine the complexities of these different processes and the demands they may place on your organisation.
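The phase-five validation step is the one most teams under-specify. As an added example (not code from the Gartner piece or its author), the Python below shows one concrete gate an IRE can run before phase six: hash every file in a restored system, compare it with a manifest taken from a trusted golden image, and refuse migration if any known file was modified or is missing, or if an executable the manifest does not know has appeared. The golden image, the restored tree, the file names and the set of "executable" suffixes are all constructed assumptions for the demo.

```python
"""Validate a system restored inside an isolated recovery environment (IRE)
against a manifest taken from a trusted golden image before it is migrated
back to production. Added example; the golden image, restored tree and the
suffix list are constructed assumptions, not taken from the article."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: suffixes that count as executable content. A restored tree must
# not contain any of these unless the golden manifest already lists them.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree with the trusted manifest.

    modified:   known files whose content differs from the golden image
    missing:    files the manifest expects but the restore lacks
    unexpected: files present in the restore that the manifest does not know
    unexpected_executables: the subset of unexpected files with an executable suffix
    """
    actual = build_manifest(restored)
    modified = sorted(p for p, d in manifest.items() if p in actual and actual[p] != d)
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    unexpected_exec = [p for p in unexpected if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "unexpected_executables": unexpected_exec,
    }


def safe_to_migrate(report: dict[str, list[str]]) -> bool:
    """Gate for phase six: any tampered or missing known file, or any unknown
    executable, blocks the move back to production. Unknown non-executable
    files (logs, scratch data) are reported but do not block on their own."""
    return not (report["modified"] or report["missing"] or report["unexpected_executables"])


def _write(base: Path, rel: str, data: bytes) -> None:
    target = base / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed sample: a golden image and a restore that drifted from it."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, restored = Path(tmp) / "golden", Path(tmp) / "restored"
        files = {
            "app/server.dll": b"legitimate binary v1",
            "app/config.ini": b"db=prod\n",
            "data/customers.db": b"SQLite format 3\x00 sample rows",
        }
        for rel, data in files.items():
            _write(golden, rel, data)
            _write(restored, rel, data)
        # Drift the check must catch (constructed):
        _write(restored, "app/config.ini", b"db=prod\nbackdoor=1\n")  # tampered config
        _write(restored, "app/persist.exe", b"MZ unknown dropper")    # unknown executable
        (restored / "data" / "customers.db").unlink()                  # never restored
        return verify_restore(restored, build_manifest(golden))


if __name__ == "__main__":
    result = demo()
    for key, paths in result.items():
        print(f"{key:24s} {paths}")
    print("safe to migrate:", safe_to_migrate(result))
```

The manifest must come from an image that predates the intrusion window established in phase two, not from the DR replica, since the replica carries the attacker's changes as faithfully as production does. Unknown non-executable files are reported rather than blocking so that the gate stays usable on systems that legitimately accumulate logs and scratch data.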

  5. Ransomware Recovery is a ‘Team Effort’

DR is usually led by the DR team, made up of the server, network, storage and backup teams, all reporting to a DR manager who in turn reports to the CIO. DR sits within the wider business continuity management process and is responsible for recovering IT systems in a disaster.

Ransomware recovery, on the other hand, is initially led by the cybersecurity incident response team, which reports to the chief information security officer and is supported by the other infrastructure and operations teams, including the DR team. Recovery from a ransomware attack is therefore far more of an enterprise-wide effort; consider whether you have the resources to approach it appropriately.

Gartner analysts will further explore and compare disaster recovery and ransomware recovery at next year’s Gartner Security & Risk Management Summit 2023, taking place 26-28 September, in London, UK.

Jerry Rozeman is a Senior Director Analyst at Gartner

The post Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks appeared first on IT Security Guru.

Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

Nothing leading to an attribution.

News article.

Slashdot thread.
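Kaspersky's description of what the wiper skips and what it goes after is enough to write a crude behavioural detection. As an added example, not code from Kaspersky's report or the news article, the Python below runs over constructed file-audit lines (a made-up `timestamp,pid,process,op,path` format, not any real product's log) and flags a process that writes to many database, archive or document files within a short window, while ignoring the extensions the wiper leaves alone. Assumptions: the whole `C:\Windows` tree is treated as out of scope because the report does not list the specific folders, and the suffix lists for each category, the window and the threshold are my own choices.

```python
"""Behavioural detection for the wiper profile Kaspersky describes: many
writes to databases, archives or user documents by one process in a short
window, with the extensions and system folders the malware skips filtered out.
Added example over a constructed audit-log format; not Kaspersky's code."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the report says the wiper leaves untouched.
IGNORED_SUFFIXES = {".exe", ".dll", ".lnk", ".sys", ".msi"}
# Assumption: the report says "several system folders in C:\Windows" without
# naming them, so the whole tree is treated as out of scope here.
SYSTEM_PREFIX = "c:\\windows\\"
# Assumption: which suffixes count as database, archive and document.
CATEGORIES = {
    "database": {".db", ".sqlite", ".mdf", ".ldf", ".accdb"},
    "archive": {".zip", ".rar", ".7z", ".tar", ".gz"},
    "document": {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".odt"},
}

# Constructed sample audit lines: timestamp,pid,process,op,path (made-up format).
SAMPLE_LOG = r"""
1700000000,4120,svchost.exe,WRITE,C:\Windows\System32\winevt\Logs\Application.evtx
1700000002,2200,WINWORD.EXE,WRITE,C:\Users\anna\Documents\report.docx
1700000010,7788,update.exe,WRITE,C:\Users\ivan\Documents\contract.docx
1700000011,7788,update.exe,WRITE,C:\Users\ivan\Documents\budget.xlsx
1700000012,7788,update.exe,WRITE,C:\Data\accounts.db
1700000013,7788,update.exe,WRITE,C:\Data\backup-2022.zip
1700000014,7788,update.exe,WRITE,C:\Windows\Temp\stage.txt
1700000015,7788,update.exe,WRITE,C:\Program Files\App\app.dll
1700000016,7788,update.exe,WRITE,C:\Users\ivan\Desktop\notes.txt
1700000017,7788,update.exe,WRITE,C:\Users\ivan\Documents\archive.7z
1700000700,2200,WINWORD.EXE,WRITE,C:\Users\anna\Documents\report.docx
"""


def classify(path: str):
    """Return the target category of a path, or None if the wiper would skip it
    (ignored extension, system tree, or a type the report does not mention)."""
    p = PureWindowsPath(path)
    suffix = p.suffix.lower()
    if suffix in IGNORED_SUFFIXES or str(p).lower().startswith(SYSTEM_PREFIX):
        return None
    for category, suffixes in CATEGORIES.items():
        if suffix in suffixes:
            return category
    return None


def detect(log_text: str, window: int = 60, threshold: int = 5) -> list[dict]:
    """Flag any pid with at least `threshold` in-scope writes inside `window` seconds."""
    events = defaultdict(list)  # pid -> [(ts, process, category)]
    for line in log_text.strip().splitlines():
        ts, pid, process, op, path = line.split(",", 4)
        if op != "WRITE":
            continue
        category = classify(path)
        if category is not None:
            events[int(pid)].append((int(ts), process, category))

    alerts = []
    for pid, evs in events.items():
        evs.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            alerts.append({
                "pid": pid,
                "process": evs[e][1],
                "writes": count,
                "categories": sorted({ev[2] for ev in evs[s:e + 1]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only `update.exe` (pid 7788) trips the rule, with six in-scope writes across all three categories; its writes to `app.dll` and under `C:\Windows` are dropped before counting, exactly as the wiper itself would skip them. A word processor touching one document twice, ten minutes apart, stays well below the threshold. In production the same rule needs tuning against backup agents and indexers, which also write to many documents in bursts.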

The FBI and CISA have issued a joint advisory stating that the Cuba ransomware gang has compromised over 100 victims worldwide and collected more than $60 million in ransom payments as of August 2022.

The advisory follows a similar one issued at the same time last year and warns that organisations operating US critical infrastructure should be especially vigilant about the ongoing threat.

Ransomware is malware that encrypts a victim's files, often after stealing a copy of the data, and withholds the decryption key until a ransom is paid. Criminal groups and some state-backed actors are increasingly drawn to the business because the returns are near certain.

In the past two months, the FBI has received intelligence that the Cuba gang is targeting organisations in public health, manufacturing, financial services, government services and information technology. In total the gang has demanded more than $145 million in ransoms, of which the $60 million above was actually paid.

The FBI urges companies not to pay: paying encourages further crime and does not guarantee a working decryption key in return.

Moreover, attackers who learn that a victim pays may strike the same organisation a second or third time.

NOTE: The Australian government is planning to impose a ban on cryptocurrency, which would help curb ransomware crime. A formal law would first have to be drafted and passed, and that is no easy task for politicians, since curbing the use of digital currency is virtually impossible.


The post CUBA Ransomware gained $60 million ransom from 100 victims appeared first on Cybersecurity Insiders.

First is news from Southampton County, Virginia, where the personal information of many county residents was stolen in a ransomware attack in September 2022.

Cyber criminals gained access to a county server and siphoned residents' names, Social Security numbers, driving licence details and addresses.

The FBI's cyber crimes division has taken note of the incident and is investigating who was behind the attack.

Second is a study by the security firm Cybereason. According to its recent report, ‘Ransomware Attacks Don't Take Holidays’, attacks are likely to surge by around 50% during the holiday season compared with what was observed over the rest of the year so far.

Threat actors, unlike staff who are off on weekends and over Christmas, do not take holidays, so companies need to be extra vigilant on those days and have adequate support in place to mitigate the risk.

Companies therefore need either to hire security professionals on a contract basis or to have existing staff keep watch over their networks during the fast-approaching weekends and the Christmas and New Year period.

Third is a warning from the US Department of Health and Human Services that businesses in the healthcare sector should be cautious about the Lorenz ransomware gang, which demands around $700,000 to release encrypted data.

Lorenz focused mostly on public sector organisations from February 2021 to October 2022 but has now shifted to healthcare, as patient and medical history data has become far more valuable to buyers.

Fourth is a new ransomware variant dubbed Trigona. MalwareHunterTeam reportedly discovered the new file-encrypting malware, which appears to be a rebranded version of an older ransomware. One peculiarity of the group is that it accepts ransom payments only in Monero. Trigona is also the name of a village in Germany and of a well-known online game hosted on Chinese servers that operated under that name until September 2020.


The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.

AIIMS Delhi, one of the world's renowned hospitals, lost access to its digital infrastructure in a ransomware attack in the early hours of Wednesday this week, and doctors reportedly lost access to medical records, causing severe disruption to patient treatment. The incident came to light today when the Indian daily Times of India made details of the attack public.

AIIMS, the All India Institute of Medical Sciences, has reported the details to the Indian Government and CERT-In, whose probe found that the compromised server belonged to the National Informatics Centre.

Ransomware is malware that encrypts a victim's data, often after stealing a copy of it, until a ransom is paid. If the victim refuses to pay, the threat actors sell the stolen data on the dark web.

Smart lab services, digital billing, report generation, appointment systems, access to medical reports and other IT systems of the New Delhi hospital were affected, and restoration is under way.

Unconfirmed sources say AIIMS does not intend to pay the ransom and is instead recovering data under a data continuity plan that was already in place. It has directed all staff to record data manually on paper for now and is awaiting further guidance from the Union Ministry of Electronics and Information Technology.

NOTE: In October this year the hospital announced that all its services would go paperless from 1 January 2023.


The post Ransomware attack on Indian AIIMS Hospital appeared first on Cybersecurity Insiders.

Daixin, the ransomware group that hacked into AirAsia's servers, now seems to regret its deed: it has released a statement saying that the victim's IT infrastructure, staff and security are so poorly organised that the group does not want to attack the same victim twice.

What the statement means is that the gang is so frustrated with the way Malaysia's largest air carrier responded to its negotiation attempts that it no longer wants to touch the airline's infrastructure, is vexed at how the staff handled the situation and has given up hope of receiving a ransom for a decryption key.

This may be the first time hackers have effectively given up because a victim failed to respond to their demands, apparently through miscommunication and office politics among the targeted organisation's staff.

One of the group's recent posts complains of humiliation at the hands of AirAsia staff who, despite a data breach affecting about 5 million passengers and all employees, still show apathy about taking control of the situation.

This is probably the first time the Daixin Team ransomware gang has shown such frustration, and the anguish is plain in its latest statement.

Is this how we need to deal with ransomware attacks, then?

To a certain extent this may serve as an example, or even as guidance, for many small organisations that cannot afford a dedicated team of cybersecurity experts.

But who loses out?

The victim: the company has lost valuable data that the threat actors can misuse at any time, and the hackers can still profit by putting the stolen information up for sale on the dark web.


The post Ransomware gang repents for spreading ransomware to AirAsia appeared first on Cybersecurity Insiders.