By Doron Pinhas | CTO at Continuity, Co-author of NIST Special Publication Security Guidelines for Storage Infrastructure

Ransomware attacks have been in the public eye for quite a while now. Growth is propelled not only by the surge in the number of cybercrime groups specializing in ransomware but, to a large extent, also by the continual increase in attack sophistication.

Ransomware has evolved into a fully-fledged industry, with competing groups that continually introduce new capabilities and techniques.

Some of the new trends in data crime, such as data leaks, threats of data exposure and shaming techniques, have caught the media's attention, while others, potentially even more devastating, are still not widely discussed. We'll attempt to correct that here.

Breaking The Myths: Storage, Backup, And Data Recoverability

A few years ago, very few CISOs thought that storage & backups were important. That’s no longer the case today.

In a security research study published by Continuity, more than two-thirds of respondents believed an attack on their storage environment would have ‘significant’ or ‘catastrophic’ impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.

Ransomware has pushed backup and recovery back onto the agenda.

Cybercriminal groups like Conti, Hive and REvil have been actively targeting storage and backup systems to prevent recovery.

Regulators are starting to pay attention to backup systems and data recovery. Industry awareness is also steadily growing. NIST released Special Publication 800-209, titled Security Guidelines for Storage Infrastructure, that places significant emphasis on securing and protecting data against attacks.

This has driven CISOs to look again at potential holes in their safety nets, by reviewing their storage, backup and recovery strategies.

“In my experience CISOs have not given the storage layer enough attention in the past in protecting their businesses (including myself).” — John Meakin, Former CISO at GlaxoSmithKline

Storage and backup systems may seem relatively minor in the IT stack, but size isn’t the best measure of the criticality of storage.

Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. Likewise, storage houses critical high-risk data that feeds your applications and devices.

Just as shooters aim for the heart, so hackers target data where it lives, in your storage systems. If you let cybercriminals leak data from storage and backup systems, they can sell it or give it away.

Unlike an attack on individual endpoints or servers, which can be highly inconvenient to a large enterprise, one that targets central storage or backup can be truly devastating. This is because a compromise of a single storage fabric can bring down thousands of servers.

Furthermore, while recovery of an individual server is relatively straightforward, recovery of a storage fabric is a complete unknown to many CISOs.

In other words, neglecting storage and backup security will take its toll. CISOs must learn the ropes and stop pushing it off as someone else’s responsibility.

“It is good to see more and more CISOs acknowledging the risks, and beginning to properly secure their storage & backup systems.” — Joel Fulton, Former CISO at Symantec and Splunk

The Current Threat Landscape for Storage, Backup And Data Recovery

NIST SP 800-209 provides a detailed overview of storage & backup system threats, risks, attack surfaces and security recommendations.

By successfully infiltrating these new targets, ransomware gangs can:

  • Prevent recovery efforts by destroying or tampering with backups (including offsite cloud-based copies and immutable storage)
  • Steal or encrypt petabytes of data easily stored on a single storage or backup system
  • Evade detection by existing Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), and most modern threat intelligence solutions. Some hackers actually take advantage of cloud-based offsite backup solutions which, if not secured properly, can provide access to copies of huge datasets without introducing any visible load on production systems

“You need to have governance and an active program to secure your storage layer.” — Marc Ashworth, CISO at First Bank

Recommendations

Data is a major part of the role of any CISO. And in today’s digitized, data-everywhere world, an organization must make significant investments in data protection, and storage and backup hardening.

CISOs have the skill to do it; many simply lack a clear view of the problem. The problem needs to be reframed in the minds of security experts, and fast. Analyzing data storage and backup security posture is a new skill that security teams must adopt in order to deal with emerging cyber-security threats.

I’m expecting to see much stricter national guidance to organizations to tighten their data protection solutions and to avoid negotiating with criminals.

I highly recommend evaluating your internal security processes to determine whether they cover storage and backup infrastructure to a sufficient degree. Some questions that can help clarify your level of maturity are:

  • Are you evaluating the resiliency of your storage and backup systems on an ongoing basis?
  • Do you have detailed plans and procedures for recovery from a successful ransomware attack on a storage or backup system?
  • How confident are you that you can recover from a successful ransomware attack?

Storage vulnerability management would significantly help security teams get a full view of the security risks in their storage and backup systems. It does this by continuously scanning those systems to automatically detect security misconfigurations and vulnerabilities, and then prioritizing the risks in order of urgency.

Finally, I encourage you to learn more about ransomware resiliency for storage and backups. A good start could be the NIST Guide for Storage Security – a report I co-authored along with NIST.

This guide provides CISOs with an overview of the evolution of the storage and backup technology landscape, current security threats, and a set of practical recommendations.


About Doron Pinhas (Chief Technology Officer, Continuity)

Doron is an avid storage and backup security advocate and one of the two authors of the recently published NIST Special Publication titled “Security Guidelines for Storage Infrastructure”. Alongside continuous research into storage security, the threat landscape and market maturity, he is also engaged in writing, public speaking and information exchange with leading organizations.

Doron has over 20 years of experience in data and storage management, mission critical computing, operating system design and development, cloud computing, and networking architecture.

The post Ransomware Resiliency for Storage & Backup: Trends, Threats & Tips appeared first on Cybersecurity Insiders.

Cyberattacks are commonplace in the United States and around the world. Thousands of data breaches happen annually and affect millions of people. One of the most ruthless cyberattacks is a ransomware attack. These cyber invasions affect all industries worldwide, and companies question whether their computer systems can withstand such an invasion.

What Is a Ransomware Attack?

Ransomware is a cyberattack that uses malware – software created to infiltrate a computer system and damage or disrupt it. A ransomware attack occurs when somebody hacks a person’s or company’s computer system and demands a ransom payment in return. If the victim does not pay the ransom, they could see their data damaged or erased permanently.

Ransomware attacks are about as old as the internet itself. One of the first known instances took place in 1989. An AIDS researcher named Joseph Popp put malware on floppy disks and handed them out to over 20,000 people at a conference. These people came from over 90 countries worldwide. The malware demanded over $500 from each person who inserted the floppy disk.

What Companies Have Suffered These Attacks?

Ransomware attacks have become commonplace in today’s digital age and cost a lot of money. In 2019, this type of cyberattack cost companies about $7.5 billion. Some infamous examples of ransomware attacks over the years include:

  • WannaCry: This ransomware attack occurred in May 2017 and had devastating effects worldwide. Hackers took advantage of people using the Microsoft Windows operating system. Some people did not update their computers when a security patch was released a couple of months prior, making themselves more vulnerable. The United Kingdom’s National Health Service, Renault, FedEx, and the Bank of China were just some of those affected. The hackers demanded $600 in Bitcoin as payment.
  • CryptoLocker: Another cryptocurrency attack took place in 2013 at the hands of a piece of ransomware called CryptoLocker. These attacks affected people in the United States and the United Kingdom. Most attacks took place through email and instructed users to click on a zipped file. The attachment contained malware in the form of software called Gameover Zeus. This program locked the user’s computer and demanded a ransom to retrieve the files. CryptoLocker affected over 200,000 people in three months. The FBI had stopped CryptoLocker by the summer of 2014.
  • Phoenix Locker: In March 2021, CNA Financial – a Chicago-based corporation – suffered a ransomware attack by a group called Phoenix using malware called Phoenix Locker. The hackers breached over 75,000 people’s personal identification details, including their Social Security numbers. CNA Financial relented and gave the hackers about $40 million to regain control of its computer systems.

How Can a Company Protect Itself?

Cyberattacks happen every day to many companies. Conservative estimates show ransomware attacks occur about once every 11 seconds. Most of them are unsuccessful, but the ones that slip through can cost a business thousands or millions of dollars. Here are some of the ways companies can protect themselves from ransomware attacks:

  • Update software: One of the best defenses against ransomware is regularly updating software, especially the antivirus software installed on the computer. One of the root causes of the WannaCry attacks was computers without up-to-date Windows security patches.
  • Educate employees: Computer security starts with the employees. Companies can teach their workers best practices for cybersecurity, such as not clicking suspicious links in emails. Avoiding phishing scams can be the best way to prevent a ransomware attack.
  • Restrict administrator privileges: Some ransomware attacks require users to install software on their computers. From there, the malware locks the computer and demands payment. One way to safeguard computers is to allow only administrators to install new software. An IT administrator can help an office determine what is safe.

Ransomware Attacks in the Modern Day

Ransomware attacks have been around for decades. Since the first one happened in 1989, they’ve only gotten worse and more sophisticated.

Ransomware attacks have been an unfortunate consequence of the pandemic, too. Since 2020, cyberattacks have increased by 50%.

Companies can try to protect themselves by enhancing security, regularly updating systems, and educating their employees. As technology advances, ransomware becomes more sophisticated and more challenging to stop.

The post Could Your Company Survive a Ransomware Attack? appeared first on Cybersecurity Insiders.

The Quantum ransomware gang has this time struck a government agency in the Dominican Republic and is demanding $600,000 to decrypt the data. According to a spokesperson for the agency, the Instituto Agrario Dominicano, the attack locked down 4 physical servers and 8 virtual servers.

Preliminary investigations revealed that the attack was linked to IP addresses operating in United and Russia. But law enforcement agencies state that the attack could have been routed through proxies and might be the work of North Korean hackers.

The Quantum hackers claim the hack led to the theft of about 1 TB of data, and the threat actors are threatening to release or sell that data via the dark web if the ransom is not paid on time.

The National Cybersecurity Centre (CNCS) estimates that all of the agency’s applications, email servers and databases were affected by the incident, and has assured that it will recover from the malware attack in no time, thanks to an efficient business continuity plan that is already in place.

NOTE 1: Until September 2020, a ransomware strain named MountLocker was operating in the wild. Quantum is apparently the same ransomware as MountLocker and was previously known under names such as AstroLocker and XingLocker.

NOTE 2: Most file-encrypting malware gangs nowadays engage in double extortion tactics. First, they steal data from the victim’s servers and then lock the data until a ransom is paid. If the victim cannot or will not pay the ransom, the threat actors sell the data to interested parties such as marketing firms, individual hackers or, in rare cases, state-funded hacking groups.


The post Dominican Republic’s Institute Agrario Dominicano suffers Quantum Ransomware Attack appeared first on Cybersecurity Insiders.

North Korea’s Lazarus Group has reportedly designed new ransomware targeting Macs running M1 processors as well as Intel systems. Security researchers from ESET discovered that the malware was uploaded to VirusTotal from Brazil and is being used in a social engineering attack.

ESET claims the Lazarus campaign specifically targeted Macs, as most journalists, high-profile dignitaries and politicians use them to stay connected to the world.

Evidence gathered so far shows that the attack is propagated through fake job offers and business deals, and that most of the samples carry code-signing certificates.

Second is news about ransomware named HavanaCrypt, which researchers from Cybereason say is delivered to victims disguised as a fake Google software update. Studies have revealed that the newly developed file-encrypting malware uses an open-source password management library for encryption, and that it is capable of remaining anonymous, exfiltrating data and handing control to remote servers.

Third is something astonishing to read: Acronis, a firm that offers cybersecurity protection for IT infrastructure, has published a study concluding that ransomware attacks will cause $30 billion in damage to governments across the world by 2023, and the estimate might double by 2026.

Interestingly, from 2012 to 2021 the losses are estimated at $60 billion in cryptocurrency, and the past 16 months alone accounted for a combined loss of $44 billion… which might well be true!

Fourth is a news piece about the digital transformation firm Orion Innovation, which has been hit by the LockBit ransomware group. The company says the gang struck its servers on Tuesday and is demanding a ransom running into millions, to be paid by the first week of September.

The gang also stated in its ransom note that there is no chance of negotiating the demanded sum and that, if ignored, the stolen data will be released on the dark web.

Fifth is news about a new ransomware variant named BianLian, which cyber criminals are swarming to buy and deploy on their targets. BianLian is written in the open-source programming language created by Google and was discovered in the wild by a security firm named Cyble Research Labs.

The researchers say the ransomware operators have been active for two months and have so far targeted about 14 firms, mainly in manufacturing, education, and media and entertainment.

Because BianLian splits the encrypted content into 10-byte chunks, it easily evaded detection by antivirus products.

Sixth is news about a billing company that provides services to the healthcare sector. A ransomware attack on the servers of Practice and Resources has reportedly compromised the data of over 942,138 patients. The New York-based vendor has notified all affected patients about the data breach and the steps they should take to protect their identities from future threats. The now-defunct Conti ransomware gang is suspected to be behind the attack, though official confirmation is still pending.


The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.

The Ragnar Locker ransomware gang has officially claimed responsibility for disrupting the servers of the Greece-based gas operator DESFA, and reports say the gang is demanding $12 million to decrypt the data.

DESFA released a press statement saying that it fell victim to a ransomware attack on Saturday last week, and expressed confidence that its business continuity plan will get it out of the present situation without paying a penny.

Natural Gas supply hasn’t been hit by the malware, however, some systems on the administration side were reportedly disrupted.

The FBI issued a statement in May this year that Ragnar Locker was responsible for the disruption of systems across 53 organizations in the past two years, including 35 in the critical infrastructure sector of the United States.

Interestingly, the law enforcement agency has determined that the Ragnar Locker group avoids making ransom demands of victims in Azerbaijan, Armenia, Belarus, Russia, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Uzbekistan, Ukraine and Georgia, and instead terminates its infection on those systems or networks; the reason for this is yet to be probed.

NOTE: Donuts Leaks, a new data extortion group, is also linked to Ragnar Locker. It targeted Sheppard Robson, the UK-based architectural company, and construction giant Sando, and it was the group that announced the digital attack on DESFA to the world.

It is worth noting that the cyber attack comes at a time when gas suppliers in Europe are facing fuel supply shortages because of the cut-off of trade ties with Russia over fuel, as Europe supports Ukraine in the war with Putin. Come winter, the public is expected to be plagued by power cuts, soaring fuel prices, rationing and, of course, load-shedding blackouts.

Meanwhile, technology giant Microsoft stated yesterday, in its latest Cyber Signals report, that 80% of ransomware attacks occur because of system configuration errors.

The Satya Nadella-led company has also reiterated that the proliferation of ransomware as a service could bring complications for companies that aren’t focusing much on cybersecurity.

Highlighting the achievements of Microsoft’s Digital Crimes Unit, which has been combating cybercrime since 2008, the Windows maker stated that its security teams removed over 531,000 unique phishing URLs and about 5,400 phishing kits between July 2021 and June 2022.


The post Ragnar Locker Ransomware targets Greece Gas Company appeared first on Cybersecurity Insiders.

A noted ransomware gang has put a $10m demand before the management of a Paris hospital and will decrypt the data only once the demanded ransom is paid.

The victim in question is the CHSF Hospital Centre in Corbeil-Essonnes, Paris, and the computer attack is said to have taken place on Saturday night last week.

According to the French government’s Centre for Combating Digital Crime (C3N), the demand was made in dollars and is to be paid to the hackers in cryptocurrency.

To cope with the disruption caused by the incident, the 1,000-bed CHSF Hospital immediately triggered its “white plan” emergency operation on Sunday morning to keep health services running.

The ransomware attack has disrupted the hospital’s business software, data storage servers and patient information. The good news, however, is that the data is backed up, so the interruption can be considered temporary.

NOTE 1: Over the past few years, the healthcare sector has become a soft target for major ransomware attacks, such as the WannaCry malware attack that crippled the NHS’s servers in 2017.

NOTE 2: The identity of the ransomware group that targeted CHSF is being kept under wraps for now and will be revealed shortly.

NOTE 3: As the UK’s NCSC acts as an information-sharing hub for cyber attacks, the hospital authorities have shared the threat impact details with it. The National Authority for the Security and Defense of Information Systems (ANSSI) is also investigating the incident and suspects a Russian-funded ransomware group.


The post Ransomware spreading Criminals demanding $10m from Paris Hospital appeared first on Cybersecurity Insiders.

The Lockbit ransomware group has claimed that it breached Entrust’s computer network on July 18th this year and stole sensitive files from its internal systems. Entrust, which is in the data card and information protection business, said that it has notified its customers about the incident and has taken measures to block such attacks in the future.

In a press statement, Entrust did not confirm Lockbit’s public claims, instead remaining diplomatic and saying that it is still investigating the incident.

Vitali Kremez, the CEO of AdvIntel, told the online technology resource Bleeping Computer that Lockbit might have purchased access to the company network from resellers on the dark web.

The Lockbit ransomware gang habitually threatens its victims by releasing a portion of the data siphoned from their servers, so that the victim is forced back to the negotiating table. If the victim does not bow to the hackers’ demands, they release all the data on the dark web, either to tarnish the firm’s image or to strike a deal with interested parties who opt to buy the data.

NOTE: Entrust is a payment card protection service that offers related software and hardware to support financial cards, e-passports and user authentication, and to conduct money transactions in secure environments.


The post Lockbit takes claim for Entrust Ransomware Attack appeared first on Cybersecurity Insiders.

By Aaron Sandeen, CEO, Cyber Security Works

It should be no surprise that ransomware is currently one of the most common attack vectors wreaking havoc on businesses worldwide. Attackers and ransomware operators are constantly looking for more vulnerabilities to weaponize and increase their arsenal of tools, tactics, and techniques. In fact, the FBI’s Internet Crime Report for 2021 recorded 649 ransomware attacks on critical infrastructure establishments, with nearly $50 million reportedly lost as a result.

Ransomware operators have become relentless and are weaponizing vulnerabilities faster than ever to achieve their goals.

The numbers don’t lie: Ransomware is on the rise.

Since the year-end ransomware report was published, our analysis shows a substantial 7.6% increase in the number of vulnerabilities tied to ransomware in Q1 2022, with Conti dominating the list.

Critical industries such as food, automotive, healthcare, finance, and government organizations have taken a big hit this quarter, continuing the trend from 2021. In February 2022, cybersecurity agencies in the US, Australia and the UK issued a joint advisory alerting organizations to increased ransomware attacks on critical infrastructure sectors. Before this, CISA released a mandate directing federal agencies and public sector organizations to patch a list of known exploited vulnerabilities (KEVs) within fixed timelines.

All organizations are at risk from this threat, and most of them are not equipped to deal with it. Lack of cyber hygiene, budget restrictions, limited human resources, absence of talent, insufficient cybersecurity intelligence at the right time, and a lack of visibility and awareness are some of the factors that enable ransomware operators to undertake bold and crippling attacks. The threat has grown exponentially within two years, from 57 to 310 ransomware-linked vulnerabilities. We have watched affected organizations brought to their knees as they lose their reputation, trust and brand value, resulting in the loss of business and customers.

How to use data to combat ransomware

Organizations must invest in determining and maintaining their attack surface to be aware of vulnerabilities. If security teams are going to prevent ransomware attacks, they need to link their patch and vulnerability responses to a centralized threat intelligence management workflow that provides complete visibility into the ever-changing ransomware attack vectors through multi-source intelligence ingestion, correlation, and security actions.

Tools like vulnerability scanners, application and event monitoring systems, and patch management systems, among others, can be used to manage your attack surface. However, new research shows that organizations should be wary: several crucial ransomware vulnerabilities are not being detected by some of the best-known scanners. Over 3.5 percent of ransomware vulnerabilities were missed in Q1 2022, putting businesses in serious danger. Fortunately, that represents an improvement over prior years, indicating that scanner vendors are addressing the issue. This emphasizes the value of having readily available ransomware statistics: to stay current with innovative solutions, cybersecurity experts must be aware of the always-shifting ransomware statistics.

Ransomware gangs today operate like businesses, and both have the same goal: to make money. Ransomware is rising because gangs like Conti are organized as successful businesses, which also means trying to stay one step ahead of their opponents, which in their case are legitimate enterprises.

Only a small number of enterprises currently have access to timely ransomware knowledge and data. Many are unaware of the severity of the hazards they are exposed to. On average, a vulnerability is weaponized eight days after it is published. Attackers take full advantage of such latencies because they present risky windows of opportunity.
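One way to build the correlation this section calls for, as an added example that is not code from the article or from Cyber Security Works: scanner output, a software inventory and a ransomware-focused intel feed with KEV-style deadlines are merged, each finding is scored (ransomware link, overdue or imminent KEV deadline, the eight-day weaponization lag quoted above, and scanner blind spots), and the share of ransomware-linked findings the scanner missed is reported. All hosts, products, dates and CVE identifiers (CVE-0000-000x) are constructed placeholders, and the scoring weights are assumptions.

```python
"""Rank vulnerabilities by correlating scanner output, a software inventory, a
ransomware-focused intel feed and KEV-style deadlines. Added example, not code
from the article or Cyber Security Works; all data below is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

WEAPONIZATION_WINDOW_DAYS = 8   # article: average publication-to-weaponization lag
KEV_SOON_DAYS = 7               # assumption: a KEV deadline within a week is urgent

@dataclass(frozen=True)
class IntelEntry:  # one CVE as described by the hypothetical multi-source intel feed
    cve: str
    published: date
    ransomware_linked: bool
    affected: frozenset             # (product, version) pairs known vulnerable
    kev_due: Optional[date] = None  # remediation deadline if in the KEV catalog

@dataclass
class Finding:
    host: str
    cve: str
    source: str                     # "scanner", or "inventory" if the scanner missed it
    score: int = 0
    reasons: list = field(default_factory=list)

def correlate(scanner, inventory, intel):
    """Merge scanner-reported CVEs (host -> set of ids) with CVEs inferred from the
    inventory (host -> set of (product, version)); an inventory-only match is a blind spot."""
    findings = []
    for host, installed in inventory.items():
        reported = scanner.get(host, set())
        for entry in intel.values():
            if entry.cve in reported:
                findings.append(Finding(host, entry.cve, "scanner"))
            elif installed & entry.affected:
                findings.append(Finding(host, entry.cve, "inventory"))
    return findings

def score_finding(f, intel, today):
    """Additive priority score; each reason explains one contribution (weights assumed)."""
    entry = intel[f.cve]
    f.score, f.reasons = 0, []
    if entry.ransomware_linked:
        f.score += 50
        f.reasons.append("tied to active ransomware campaigns")
    if entry.kev_due is not None and (entry.kev_due - today).days <= KEV_SOON_DAYS:
        f.score += 30
        f.reasons.append(f"KEV deadline {entry.kev_due} overdue or imminent")
    if (today - entry.published).days >= WEAPONIZATION_WINDOW_DAYS:
        f.score += 20
        f.reasons.append("public longer than the average weaponization lag")
    if f.source == "inventory":
        f.score += 10
        f.reasons.append("missed by the scanner (blind spot)")
    return f

def prioritize(scanner, inventory, intel, today):
    """Findings ranked highest risk first; ties broken by host and CVE."""
    findings = [score_finding(f, intel, today) for f in correlate(scanner, inventory, intel)]
    return sorted(findings, key=lambda f: (-f.score, f.host, f.cve))

def scanner_gap_rate(findings, intel):
    """Share of ransomware-linked findings the scanner did not report."""
    linked = [f for f in findings if intel[f.cve].ransomware_linked]
    return sum(f.source == "inventory" for f in linked) / len(linked) if linked else 0.0

# Constructed sample data: three hosts, three placeholder CVE ids, one scanner blind spot.
TODAY = date(2022, 4, 15)
INTEL = {e.cve: e for e in [
    IntelEntry("CVE-0000-0001", date(2022, 3, 1), True, frozenset({("vpn-gw", "8.1")}), date(2022, 4, 1)),
    IntelEntry("CVE-0000-0002", date(2022, 4, 12), True, frozenset({("mail-srv", "2.4")})),
    IntelEntry("CVE-0000-0003", date(2021, 11, 20), False, frozenset({("web-app", "5.0")}), date(2022, 5, 30)),
]}
SCANNER = {"edge-01": {"CVE-0000-0001"}, "mail-01": set(), "web-01": {"CVE-0000-0003"}}
INVENTORY = {"edge-01": {("vpn-gw", "8.1")}, "mail-01": {("mail-srv", "2.4")}, "web-01": {("web-app", "5.0")}}

if __name__ == "__main__":
    for f in prioritize(SCANNER, INVENTORY, INTEL, TODAY):
        print(f"{f.score:3d} {f.host} {f.cve} [{f.source}] " + "; ".join(f.reasons))
```

The mail host shows the case the article warns about: the scanner reports nothing, but the inventory matches a ransomware-linked CVE, so the finding still surfaces near the top of the list.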

The post Understanding ransomware trends to combat threats appeared first on Cybersecurity Insiders.