This article makes LockBit sound like a legitimate organization:

The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom.

LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it.

“I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum.

The gang also promised to share over torrent 300GB of data stolen from Entrust so “the whole world will know your secrets.”

LockBit’s spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.

They’re expanding: locking people out of their data, publishing it if the victim doesn’t pay, and DDoSing their network as an additional incentive.

InterContinental Hotels Group (IHG), the UK-based hotel chain, has announced that unauthorised parties accessed its IT systems, disrupting its booking channels and other applications.

Unconfirmed reports say the intrusion involved ransomware. An investigation to identify those behind it has been opened, and outside security specialists have been engaged to recover the encrypted data.

IHG has indicated it will not entertain the attackers' demands, as it has a working disaster recovery plan, so paying the criminals in cryptocurrency is not under consideration.

Hotel staff have continued taking bookings by falling back to pen and paper.

NOTE 1- Ransomware is malware that encrypts a victim's data and demands payment for the decryption key. In double-extortion attacks the operators also steal data before encrypting it and threaten to leak it if the ransom is not paid.

NOTE 2- Law enforcement agencies such as the FBI discourage ransomware victims from paying, as payment funds further crime and does not guarantee a working decryption key. A Sophos report found that between 2020 and 2021 the number of organisations hit a second time rose by 80%: threat actors return to victims that have paid before, since those networks are known to pay and the attackers already know how to get back in.


The post Ransomware attack on InterContinental Hotels appeared first on Cybersecurity Insiders.

GIGN, the French National Gendarmerie's elite intervention unit, has negotiated down the ransom demanded by the attackers who locked up data at a Paris-area hospital. The victim is the CHSF hospital centre in Corbeil-Essonnes, whose servers holding imaging and patient data were encrypted.

According to Le Parisien, the attackers demanded $10 million for the decryption key but lowered the figure to $1 million after negotiations with members of the Gendarmerie.

Interestingly, the hospital has stated it will not pay any ransom and will instead restore its data from backups.

Why, then, did the negotiators bother to lower the ransom?

Hospital authorities say the LockBit ransomware operation was behind the incident and that the negotiations were conducted to buy time to track down the criminals.

Over 500 patients, including 13 children, have reportedly been diverted to other hospitals because of the disruption.

Pharmacy data and test results are being written to disks for sharing, and staff are recording prescriptions and treatment details on paper.

NOTE- GIGN is a French tactical unit that handles counterterrorism, surveillance of national threats, hostage rescue, protection of government officials and property, and cybercrime. Established in 1974, it gained international attention when it rescued the passengers of a hijacked Air France flight at Marseille Marignane Airport in December 1994.


The post GIGN Elite Force helps lower ransom to a French Hospital appeared first on Cybersecurity Insiders.

Details are few, but Montenegro has suffered a cyberattack:

A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control.

[…]

But the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

EDITED TO ADD (9/12): The Montenegro government is hedging on that Russia attribution. It seems to be a regular criminal ransomware attack. The Cuba Ransomware gang has Russian members, but that’s not the same thing as the government.

Architecting for Extortion: Acting on the IST’s Blueprint for Ransomware Defense

Last month, the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) launched the Blueprint for Ransomware Defense, a mitigation, response, and recovery plan for small- and medium-sized enterprises. This action plan is a cross-industry document that targets business leaders and protectors to ensure that even resource-strapped organizations can defend against the continued threat of extortion attacks, including ransomware.

Crucially, the RTF understands that most teams are strapped for resources, including time. So while it can be incredibly insightful — and great fun — to sketch out taxonomies of ransomware actors and their TTPs, or do graph analysis on communications networks for cybercrime groups, the blueprint considers what they call “essential cyber hygiene,” the foundational capabilities needed to successfully combat ransomware and other extortion threats.

A note on terminology

The term “ransomware” refers to malware that encrypts files and demands payment for the key needed to decrypt them. Double extortion, a trend pioneered by the Maze group in late 2019, adds a second layer: the attackers also exfiltrate files and threaten to leak them if the ransom is not paid. We have also begun to see a broader trend of hack-and-leak extortion operations, typified by the now-defunct LAPSUS$ group, in which the attacker skips the ransomware step entirely and simply steals data and threatens to leak it.

While the Ransomware Task Force — as its name suggests — has prioritized ransomware, and the blueprint is called the Blueprint for Ransomware Defense, the overwhelming majority of the safeguards are useful against a variety of attacks. Thus, when we say “ransomware,” we specifically mean “an attack in which your files are encrypted and a ransom is demanded” and “extortion” for the broader class of operations.

How to use the blueprint

The blueprint outlines 40 safeguards: 14 foundational and 26 actionable. The foundational safeguards are the well-trod security advice that protectors are familiar with: Have an asset inventory, have a vulnerability management process, establish a security awareness program, etc.

Readers who wish to review these safeguards should consult the RTF blueprint directly and particularly consider printing out Appendix A, which nicely lists the category and type of each safeguard while also mapping it to the National Institute of Standards and Technology (NIST) cybersecurity framework function and the Center for Internet Security (CIS) safeguard number. There is also a helpful tools and resources spreadsheet linked in the PDF.

Safeguards to start implementing today

All of the safeguards chosen by the RTF are designed to be easy to implement and offer good “bang for your buck.” The controls that RTF has identified as important have also been identified by CIS as crucial for stopping ransomware attacks. However, some items, such as having a detailed asset inventory, are easier said than done. Of these, a handful are uniquely impactful or easy to implement, so they offer a good starting point.

1. Require MFA for externally exposed applications, remote network access, and administrative access

OK, technically this recommendation is three safeguards, but since they’re related, we’re lumping them into one. Lumping these together does not mean that implementation is a one-stop shop. Indeed, each one of these will require its own configuration to get working. However, as our incident response analysts and pentesters can both attest, the number one headache for attackers is multi-factor authentication (MFA).

MFA may not be a panacea, but it can serve as a roadblock for initial access or lateral movement, and it can provide an early warning that someone is in your environment who does not belong. If your organization is not pushing MFA everywhere, they should be, as most enterprise applications today support it natively or via single sign-on. A variety of free and paid authenticators exist and can be implemented in a straightforward manner.

2. Restrict administrator privileges to dedicated administrator accounts

Separation of duties is a longstanding core tenet of information security, but between remote work, the increased speed of communications and development, and the general expectation that things Get Done Right Now, we have systematically over-privileged user accounts. Even if global administrators remain rare, users are often local administrators on their machines, permitting the installation of unauthorized software that can be used by attackers and access brokers to establish persistence. This persistence can be leveraged into higher-level access through the use of tools like Mimikatz or techniques like Kerberoasting, and that higher-level access exposes the enterprise to significant risk.

By restricting administrator privileges to dedicated accounts, we develop some very clear indicators that something is wrong – no administrator account should ever be logged in multiple places at the same time, and there are some functions that simply should never be performed from a dedicated administrator account. This may add some friction to your IT management, but it’s good friction.

3. Use DNS filtering services

Unlike the two previous suggestions, this is something that not only could you start implementing today – you could probably finish implementing it today. Domain Name System (DNS) filtering services replace the default DNS configuration in your environment. Free options like Quad9 and OpenDNS offer security-friendly domain name lookups, which can defeat phishing attempts, malvertising, and malware command and control beaconing.

CIS also offers malicious domain blocking and reporting to members of some organizations. In general, this is a simple configuration update that can be pushed to all computers and will instantly improve your security posture.

Safeguards for tomorrow

While the three action items for today will offer the greatest return on investment for your time, all of the safeguards in the guide are important. Many are well-understood but can take time to implement. For some controls that aren’t “table stakes” in the way that deploying anti-malware software, establishing a security awareness program, and collecting audit logs are, we offer a bit of advice.

1. Manage default accounts on enterprise assets and software

As Rapid7’s own Curt Barnard demonstrated with Defaultinator this year at Black Hat, applications and hardware are still rife with default credentials that never get changed. Defaultinator is one tool that can help evaluate devices that may have default credentials in use. Finding these default accounts can be challenging, but once you have a good asset inventory, managing these default accounts is important to keeping attackers out and your data in.

2. Use unique passwords

Continuing with the notion of credentials, using unique passwords is incredibly important. Password reuse is a common way for attackers to move from a single, potentially unrelated account to your crown jewels. Today, there are myriad password management tools that will even generate unique passwords for users and many of them offer enterprise subscriptions. Of these, nearly all allow for the secure sharing of passwords – if for some reason that is necessary. (Hint: It's almost never actually necessary, but merely a bad habit.) Easily guessable (or easily shareable) passwords often fall victim to brute-force or password-spraying attacks, and with an enterprise password management tool, no user should need to use passwords that aren’t both strong and unique.
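Two of the indicators discussed above are cheap to turn into detections: a dedicated administrator account logged in from more than one place at the same time (safeguard 2 under "today"), and password spraying against many accounts from one source (this section). The block below is an added example, not code from the blueprint or from Rapid7. The log lines and their key=value layout are constructed for the demonstration; the `adm-` prefix for administrator accounts and the window sizes are assumptions you would replace with your own naming convention and thresholds.

```python
"""Two detections over constructed authentication events.

Added example. SAMPLE_LOG, the key=value format, the ADMIN_PREFIX convention
and the thresholds are all assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z user=adm-jdoe src=10.0.0.5 result=success
2022-09-01T10:02:13Z user=adm-jdoe src=10.0.7.22 result=success
2022-09-01T10:03:00Z user=msmith src=10.0.0.9 result=success
2022-09-01T10:05:40Z user=alice src=203.0.113.7 result=failure
2022-09-01T10:05:41Z user=bob src=203.0.113.7 result=failure
2022-09-01T10:05:42Z user=carol src=203.0.113.7 result=failure
2022-09-01T10:05:43Z user=dave src=203.0.113.7 result=failure
2022-09-01T10:05:44Z user=erin src=203.0.113.7 result=failure
2022-09-01T10:05:45Z user=frank src=203.0.113.7 result=failure
2022-09-01T10:40:00Z user=adm-rkim src=10.0.0.5 result=success
2022-09-01T11:30:00Z user=adm-rkim src=10.0.9.1 result=success
"""

ADMIN_PREFIX = "adm-"                    # assumed naming convention for dedicated admin accounts
SESSION_WINDOW = timedelta(minutes=15)   # how long two admin logins count as "at the same time"
SPRAY_WINDOW = timedelta(minutes=5)      # window for counting distinct accounts per source
SPRAY_MIN_ACCOUNTS = 5                   # distinct failed accounts from one source to alert


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def concurrent_admin_sessions(events: list) -> dict:
    """Return {admin_user: {sources}} for admin accounts with successful logins
    from more than one source inside SESSION_WINDOW of each other."""
    logins = defaultdict(list)  # user -> [(ts, src)] in time order
    for ev in events:
        if ev["result"] == "success" and ev["user"].startswith(ADMIN_PREFIX):
            logins[ev["user"]].append((ev["ts"], ev["src"]))
    hits = {}
    for user, seq in logins.items():
        for i, (ts, _) in enumerate(seq):
            recent = {src for (t, src) in seq[: i + 1] if ts - t <= SESSION_WINDOW}
            if len(recent) > 1:
                hits[user] = recent
    return hits


def password_spraying(events: list) -> dict:
    """Return {source: {users}} for sources whose failed logins touched at
    least SPRAY_MIN_ACCOUNTS distinct accounts inside SPRAY_WINDOW."""
    failures = defaultdict(list)  # src -> [(ts, user)] in time order
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    hits = {}
    for src, seq in failures.items():
        for i, (ts, _) in enumerate(seq):
            users = {u for (t, u) in seq[: i + 1] if ts - t <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                hits[src] = users
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("admin accounts active from multiple sources:", concurrent_admin_sessions(evs))
    print("possible password spraying sources:", password_spraying(evs))
```

In the sample, `adm-jdoe` is flagged because two sources log in within two minutes, while `adm-rkim` is not because the two logins are fifty minutes apart; `203.0.113.7` is flagged for six distinct accounts failing in six seconds. Note that spraying is deliberately keyed on distinct accounts per source rather than failures per account, which is exactly why per-account lockout thresholds miss it.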

3. Establish and maintain a data management process

While we all know the power, benefit, and value of backups – especially when it comes to ransomware – data management is a bit more nuanced. We know that attackers in double extortion or leak-and-extort operations choose the files they steal and leak carefully to put maximum pressure on victims. Thus, the data management process is of increased importance for this category of attack. Categorizing and classifying your data will help inform the particular restrictions that need to be put around that data. Since attackers are targeting and leaking different sorts of data across industries, it’s imperative to know what data is most important to you and most likely to be targeted by attackers, and to have a plan to protect it.

While extortion attacks are on the rise and ransomware remains an expensive threat to organizations, action plans like the RTF’s Blueprint for Ransomware Defense serve as great tools to help decision makers, technical leaders, and other protectors mitigate extortion attacks. The safeguards in the report and the details in this blog post can help prioritize and contextualize what needs to be done. After all, we're all targets, but we don’t all have to be victims.



Many companies, whatever their size or investment, believe ransomware attackers will not target them because they are not well known and lack the business stature that attracts attention. Below are some of the myths that keep CIOs and CTOs in the dark.

My organization is safe- A common belief among CTOs is that a small organisation that does not handle sensitive data will not attract attackers. This is false: SMBs are three times more likely to face ransomware attacks than large corporations, because budget constraints leave them without skilled staff and without basic cybersecurity measures.

Paying the ransom ends the problem- Completely false. Attackers who learn that a target will pay at any cost return to it again and again. Moreover, the cost of disruption, recovery and days of downtime can exceed a company's annual budget and cripple it to the point of going out of business.

Phishing is the only cause of ransomware- Phishing is one way ransomware gets onto a device, but weak passwords, configuration mistakes and unpatched vulnerabilities also open the door.

An anti-malware solution shields a network from ransomware- Completely false. There is no silver bullet that stops ransomware under all circumstances, and new ransomware families appear every month to disrupt companies and extract ransoms.

A single backup is enough- Security experts advise maintaining at least two online and one offline backup to recover from a ransomware attack. One copy is not workable in practice, and cloud-based backup services remove much of the pain of maintaining such a setup.


The post These are the general myths about Ransomware appeared first on Cybersecurity Insiders.

A few days ago the IT managed services provider Advanced suffered a ransomware attack that severely disrupted NHS services in the UK. To keep going, the affected healthcare providers fell back to pen and paper.

With the systems behind NHS 111 down, patient check-ins, medical notes and emergency services such as ambulance dispatch were badly affected, as many of these services had to be run on paper.

Staff are finding it difficult to manage services manually, and piles of paper records and patient files are accumulating.

The attack took place on August 4th of this year and is expected to leave Advanced's systems impaired for some months. If the situation continues, staff estimate administrators will need 5,000 to 10,000 square feet of space to store patient records securely, plus data entry staff to digitise the backlog.

NOTE 1- The NHS offers medical services to over 250,000 patients across 1,220 hospitals and has reported the incident to the NCSC and the ICO.

NOTE 2- Advanced is an IT services provider supporting about 42 acute healthcare providers. It is treating the incident seriously and has engaged forensic experts to investigate. The group behind the attack has not yet been identified, and it is unclear whether the threat actors stole data before encrypting the servers.


The post NHS Ransomware Attacks leading to accumulation of medical records appeared first on Cybersecurity Insiders.

Microsoft has released a report stating that cloud applications are becoming a catalyst for cyber attacks: it detected over 1.5 million attack attempts on cloud environments over a 60-month period.

In its Cyber Signals report the company says most attempts exploited configuration errors made by administrators in corporate environments, and that the countermeasures are to patch promptly, audit administrator configurations and deploy proactive security tooling.

Second, news related to NATO. For the past few days, blueprints said to belong to a missile-system developer have been circulating online. The hackers who released the data claim it belongs to the European missile maker MBDA, and about 80GB of it is offered for sale for 15 Bitcoins.

The incident is under investigation, and MBDA has yet to respond fully to claims that hackers accessed classified data. The company, a European consortium headquartered in France, has acknowledged that a compromised external hard drive may be the source of the leak but has given no further details while the probe continues.

Because NATO-aligned nations are supporting Ukraine in its war with Russia, the attack is suspected to have been carried out by Killnet, a hacker group believed to be Kremlin-backed.

Third, news on file-encrypting malware. According to a Barracuda Networks report, ransomware attacks identified between January and June 2022 averaged 1.2 million per month.

Researchers attribute part of the rise to attacks on service providers, whose impact was felt directly by their customers.

The Barracuda study also found that the most affected industries were education, municipalities, healthcare, IT and finance.

Last, news related to Montenegro, in Southeastern Europe. The Montenegrin government has accused Russia of launching cyber attacks on its servers on August 22nd, 2022.

The Agency for National Security (ANB) has also accused the Russian Federation of waging an open-ended hybrid war that is affecting innocent civilians.


The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.