Category: ransomware

Welcome to the second installment in our series looking at the latest ransomware research from Rapid7. Two weeks ago, we launched "Pain Points: Ransomware Data Disclosure Trends", our first-of-its-kind look into the practice of double extortion, what kinds of data get disclosed, and how the ransomware "market" has shifted in the two years since double extortion became a particularly nasty evolution of the practice.
Today, we're going to talk a little more about the healthcare and pharmaceutical industry data and analysis from the report, highlighting how these two industries differ from some of the other hardest-hit industries and how they relate to each other (or don't, in some cases).
But first, let's recap what "Pain Points" is actually analyzing. Rapid7's threat intelligence platform (TIP) scans the clear, deep, and dark web for data on threats and operationalizes that data automatically with our Threat Command product. This means we have at our disposal large amounts of data pertaining to ransomware double extortion, which we were able to analyze to determine some interesting trends like never before. Check out the full paper for more detail, and view some well-redacted real-world examples of data breaches while you're at it.
For healthcare and pharma, the risks are heightened
When it comes to the healthcare and pharmaceutical industries, there are some notable similarities that set them apart from other verticals. For instance, internal finance and accounting files showed up in initial ransomware data disclosures more often for healthcare and pharma (71%) than for any other industry, including financial services (where you would think financial information would be the most common).
After that, customer and patient data showed up more than 58% of the time — still very high, indicating that ransomware attackers value these data from these industries in particular. This is likely due to the relative amount of damage (legal and regulatory) such disclosures can cause in a highly regulated field (particularly healthcare).

All eyes on IP and patient data
Where healthcare and pharmaceutical differed was in the prevalence of intellectual property (IP) disclosures. The healthcare industry focuses mostly on patients, so it makes sense that one of its biggest data disclosure areas would be personal information. But the pharma industry focuses much more on research and development than on the personal information of people. In pharma-related disclosures, IP made up 43% of all disclosures. Again, the predilection on the part of ransomware attackers to "hit 'em where it hurts the most" is on full display here.
Finally, different ransomware groups favor different types of data disclosures, as our data indicated. When it comes to the data most often disclosed from healthcare and pharma victims, REvil and Cl0p were the only groups that did so (10% and 20%, respectively). For customer and patient data, REvil took the top spot with 55% of disclosures, with Darkside behind them at 50%. Conti and Cl0p followed with 42% and 40%, respectively.
So there you have it: when it comes to the healthcare and pharmaceutical industries, financial data, customer data, and intellectual property are the data most frequently used to impose double extortion on ransomware victims.
Ready to dive further into the data? Check out the full report.
Additional reading:
- New Report Shows What Data Is Most at Risk to (and Prized by) Ransomware Attackers
- Complimentary GartnerⓇ Report "How to Respond to the 2022 Cyberthreat Landscape": Ransomware Edition
- 3 Takeaways From the 2022 Verizon Data Breach Investigations Report
- A Year on from the Ransomware Task Force Report
Unfortunately, a cyber attack, since revealed to be ransomware, has hit Apetito, which offers free meals to hospitals, child care facilities, social welfare homes, and charities.
Because of the digital intrusion, the IT infrastructure was disrupted, prompting the company to announce a delay in the distribution of free meals across England.
Apetito, which operates in both North America and the UK and also owns Wiltshire Farm Foods, said it had taken all precautionary measures to mitigate risks and assured customers that no card details were compromised in the incident.
Deliveries scheduled up to Thursday, i.e. June 30th, 2022, will be delayed by a couple of days, while those scheduled for the 1st of next month and later will operate on time.
Those who selected a menu for a free hot meal will still get a meal on time, but not the one they chose: the company will provide a substitute instead.
Everything is expected to be back to normal by this weekend, as a hardware and software overhaul is expected to be completed by Microsoft's UK division by month-end.
Cybersecurity Insiders has learned that the company was hit by a ransomware attack on June 26th and that the motive of the hackers was clear: to extract a hefty ransom.
Investigations launched by the Trowbridge-based company have affirmed that no Personally Identifiable Information was leaked or compromised in the attack.
However, we should get more clarity on the issue when the company submits a report to the Information Commissioner's Office (ICO) by next month-end.
The post Apetito hit by a ransomware attack and so announces a delay in deliveries appeared first on Cybersecurity Insiders.
1.) A sophisticated cyber attack has reportedly halted steel production across Iran and, if the situation doesn't improve, it could fuel a shortage of metal-based products across the world.
However, the Iranian government assured that the attack, a ransomware variant, was contained at the start of its spread and that a business continuity plan has been implemented to mitigate the associated risks.
Unconfirmed reports suggest that the digital disruption caused at the production facilities of the state-owned Khuzestan Steel and two other steel companies could be the work of the Israel-funded 'Gonjeshki Darande'.
2.) Second is the news related to a Miami-based company called Carnival Cruise Lines. After a lot of legal entanglements set up by the US Department of Justice, Carnival Cruise Lines has finally agreed to pay $6 million to end two separate lawsuits filed against it by representatives from approximately 46 states.
In 2019, a ransomware group claimed to have taken hostage personal information belonging to the cruise line's customers, including details such as social security numbers, names, addresses, driving license info, passport numbers, and health and payment card info belonging to the American populace.
The intrusion took place in March 2019, and the company's IT staff identified the incident only after May 2019. The company disclosed the incident 10 months later, i.e. in March 2020.
Prima facie, the intruders obtained the information after compromising the Microsoft Office 365 email accounts of about 146 employees, and thereby got hold of the PII of over 180,000 Carnival customers and employees.
After legal prosecution, the company has now agreed to pay $6 million by this year's end as compensation to end the two separate lawsuits filed against it in 46 states.
3.) Third is news about a ransomware incident at the Medical University of Innsbruck. The Vice Society ransomware gang has taken responsibility for the sophisticated attack, which led to data theft and service disruption, leaving 3,400 students and 2,200 employees without access to medical records and digital assets and blocked from medical care services, including surgeries.
The Austrian university is recovering the encrypted information with the help of a third party and the local law enforcement authorities.
Meanwhile, reports indicate that Vice Society ransomware is focused on targeting educational institutes operating in the UK and has become super-active since Russia waged war against Ukraine from the end of February this year.
The post Ransomware Attack news trending on Google appeared first on Cybersecurity Insiders.
Ransomware has matured significantly over the previous decade or so. Initially thought to be a relatively basic virus that could be contained on a floppy disk, it can now damage global business infrastructures, stop healthcare systems dead in their tracks, mess with fuel supply networks, and disrupt transportation infrastructure. Its simplicity is what makes it […]
The post Are Protection Payments the Future of Ransomware? How Businesses Can Protect Themselves appeared first on The State of Security.
1.) In a recent study, the cost of ransomware attacks on educational institutions in 2021 is estimated to have crossed $3.58 billion, accounting for the downtime and recovery expenses incurred through the attacks.
The file-encrypting malware attacks are said to have affected over 1.3 million students at different schools and colleges.
According to the document released by Comparitech, about 67 ransomware variants hit over 954 schools and colleges last year, affecting over 1.3 million students.
School districts became popular targets for cyber attacks, as many educational institutions were operating with obsolete hardware and software.
2.) The Conti ransomware gang, rumored to have shut down its operations in May this year, seems to have resumed operations. According to a report compiled by the security intelligence firm Group-IB, Conti targeted almost 40 organizations of enormous size between April and June.
Researchers at Group-IB have determined that Conti launched ransomware attacks under the ARMattack hacking campaign, which was primarily conducted from the first week of April this year.
As per the security firm's analysis, Conti gang members worked almost 14-15 hours a day, except on New Year's Eve, and took just 3 days to compromise a corporate network. The group also operated on a legitimate business model, with members dedicated to R&D, accounts, and customer support, and hired a group of 30-40 money laundering gang members to meet its financial needs.
The R&D gang members of Conti were assigned the duty of analyzing Windows updates, finding flaws in the patches, and discovering zero-day vulnerabilities that could be exploited later.
Precisely speaking, Conti occupies second place on the list of most-wanted cyber criminals compiled by the FBI, Interpol, Europol, and NCSC.
The only thing is, the more arrests law enforcement makes, the more the Conti gang seems to grow.
3.) According to a study conducted by Secureworks, two Chinese hacking groups are conducting espionage under the guise of ransomware attacks. That is, the two groups are using ransomware to obscure their tracks and block defenders from launching remediation measures, thus making attribution harder.
Bronze Riverside, aka APT41, and Bronze Starlight, aka APT10, are the two hacking groups using Cobalt Strike as a decoy to deploy ransomware strains such as AtomSilo, LockFile, Rook, Night Sky, and Pandora.
Currently, the targets are only companies operating in Japan and North America. But researchers predict that their focus could shift towards the UK, Canada, and Australia.
4.) Fourth is news about a Japanese firm called Nichirin Flex USA. A ransomware gang targeted the company, which manufactures hoses for car makers, on June 14th of this year.
Since then, the company has been experiencing delays in tracking and processing orders and distributing them to neighboring nations and overseas.
Nichirin wants employees and clients to be extra vigilant against phishing emails, as one or two such emails have reportedly compromised its email network. It has also assured that it will not bow to the hackers' ransom demands and will instead rely on a data recovery plan.
The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.
As ransomware attacks are ever-evolving, they are hard to detect with human intelligence alone. So, Microsoft issued a press statement on Tuesday confirming the use of Artificial Intelligence (AI) technology to tackle ransomware attacks.
In a tech post released on 'Patch Tuesday', the tech giant disclosed that it is harnessing the power of AI to explore the complex threat landscape of ransomware, and that it has achieved over 80% success in early detection of such attacks.
Machine learning protections examine large volumes of generated data to recognize the way attacks are launched on endpoints and corporate networks. Because the process is automated, analysts can establish which processes and the data they generate are genuine. As soon as anything out of the norm is detected, the system alerts the admin and predicts what is likely to happen next.
The Microsoft 365 Defender Research team working on this new ML model says the newly developed system can detect file-encrypting malware attacks at an early stage: when only 2% to 3% of systems are encrypted and the malware outbreak is in the early stages of infection.
The Redmond giant is confident in utilizing the power of AI to improve its capabilities in cyber defense, much as the technology is being integrated with facial recognition to identify criminals in and across China, all in the name of national security and citizen protection.
The post Microsoft uses AI to tackle Ransomware Attacks appeared first on Cybersecurity Insiders.
Cybersecurity researchers from Proofpoint have found that an Office 365 vulnerability is exposing files stored on Microsoft SharePoint and OneDrive to hackers launching ransomware attacks. The research found that files saved to the cloud through the auto-save feature are being intercepted by hackers.
The attack chain works simply: compromise the account credentials of MS Office 365 users, hijack their accounts to steal data, and then encrypt the data stored in SharePoint and OneDrive cloud environments.
Interestingly, the vulnerability also gives hackers an opportunity to reach all modified versions of a file and encrypt them as well.
American tech giant Microsoft (MS) responded to Proofpoint's report sensibly, stating that its versioning settings were working as designed and that the claims made by the security firm were hard to prove.
Microsoft has also issued a statement that it has fixed a flaw that hackers could exploit on Windows machines running on Arm chips. The Windows 11 giant said that it issued a fix on Tuesday that rectifies a problem that might prevent users from logging into Azure Active Directory (AAD).
So, all those apps that use AAD for sign-in, like Microsoft Teams, VPN connections, and Outlook, would be saved from hitting the news headlines for being hacked.
MS also admitted that after installing the update, some .NET Framework 3.5 apps may be blocked from opening files. The only remediation available to admins is to re-enable .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
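To make the attack chain above concrete from the defender's side, here is an added example (not Proofpoint's or Microsoft's code) that flags an account rewriting many cloud files in a short burst, the footprint a hijacked Office 365 account leaves when it encrypts OneDrive or SharePoint content. The audit-record field names and the sample events are constructed assumptions, loosely modelled on Microsoft 365 audit log records.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article), in a simplified shape
# loosely modelled on Microsoft 365 audit log records; the field names are
# assumptions. One normal user edits a few files over an hour; a hijacked
# account rewrites 25 files in under a minute.
def build_sample_events():
    base = datetime(2022, 6, 20, 9, 0, 0)
    events = []
    for i in range(3):  # alice: three edits, 20 minutes apart
        events.append({
            "CreationTime": (base + timedelta(minutes=20 * i)).isoformat(),
            "UserId": "alice@example.com",
            "Operation": "FileModified",
            "ObjectId": f"https://contoso.example/personal/alice/Documents/report{i}.docx",
        })
    for i in range(25):  # hijacked account: 25 files in 50 seconds
        events.append({
            "CreationTime": (base + timedelta(seconds=2 * i)).isoformat(),
            "UserId": "victim@example.com",
            "Operation": "FileModified",
            "ObjectId": f"https://contoso.example/sites/finance/Shared/file{i}.xlsx",
        })
    # A plain read by the same account must not count as a modification.
    events.append({
        "CreationTime": base.isoformat(),
        "UserId": "victim@example.com",
        "Operation": "FileAccessed",
        "ObjectId": "https://contoso.example/sites/finance/Shared/readme.txt",
    })
    return [json.dumps(e) for e in events]

# Operations that change file content; treated as the signal of an encryption sweep.
MODIFY_OPS = {"FileModified", "FileModifiedExtended", "FileRenamed"}

def find_mass_modifiers(json_lines, threshold=20, window_seconds=300):
    """Return {user: peak distinct files modified within any window} for users
    whose peak reaches `threshold`, i.e. a plausible bulk-encryption burst."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("Operation") not in MODIFY_OPS:
            continue
        per_user[ev["UserId"]].append(
            (datetime.fromisoformat(ev["CreationTime"]), ev["ObjectId"]))
    flagged = {}
    for user, mods in per_user.items():
        mods.sort()
        best, start = 0, 0
        for end in range(len(mods)):
            # Slide the window start forward until the span fits within `window`.
            while mods[end][0] - mods[start][0] > window:
                start += 1
            best = max(best, len({obj for _, obj in mods[start:end + 1]}))
        if best >= threshold:
            flagged[user] = best
    return flagged

if __name__ == "__main__":
    print(find_mass_modifiers(build_sample_events()))  # {'victim@example.com': 25}
```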
The post Office 365 vulnerability opens OneDrive files to ransomware attacks appeared first on Cybersecurity Insiders.
1.) The Indian Computer Emergency Response Team (CERT-In) has issued an update that all those using Adobe products and services should be cautious, as attackers can compromise their systems by exploiting multiple vulnerabilities in the software.
According to CERT-In, an attacker can gain admin privileges, execute arbitrary code, and write arbitrary files in InDesign, InCopy, Illustrator, Bridge, and Animate, which run on both Windows and macOS.
So, users are urged to keep their software up to date with the latest security updates to keep their systems protected from such attacks.
2.) Second is news about WordPress, the content management system provider offering services worldwide. WordPress forcibly pushed an update to millions of its sites after security researchers from Wordfence Threat Intelligence published an advisory about a code injection vulnerability.
After learning of the vulnerability, WordPress released an immediate update and automatically applied the following plugin versions: 3.0.34.2, 3.1.10, 3.2.38, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
3.) Third is news about QNAP storage devices. The company's devices are being made soft targets every month, and the latest news about the Taiwan-based network-attached storage maker is that two ransomware gangs recently targeted it.
First is the gang distributing DeadBolt ransomware, and second is the malware variant dubbed QNAPCrypt.
Cybersecurity researchers have found that QNAP devices running with weak passwords or outdated software are being targeted with the two file-encrypting malware variants.
To keep their systems protected, QNAP users are urged to use strong passwords for admin accounts, use IP access protection to keep brute-force attacks at bay, avoid using ports 443 and 8080, and keep their NAS systems updated with the latest QTS software versions.
4.) Fourth is news related to a Russian botnet containing millions of infected machines and devices. The RSocks botnet, believed to be funded by Kremlin intelligence, was shut down by law enforcement acting on a judgment pronounced by the DoJ.
RSocks was being used by cybercriminals to launch credential stuffing attacks, account hijacks, phishing emails, and fraudulent installation of mining software.
The botnet had been on the FBI's tracking radar since 2017 and had taken control of millions of devices, including industrial control systems, routers, CCTV systems, AV streaming devices, and IoT.
In 2019, RSocks was seen adding millions of Android devices and small computers to its list.
Now that law enforcement authorities have taken control of the devices based on inputs provided by Microsoft, the highly sophisticated Russian crime operation was brought to an end in May this year.
5.) On Tuesday last week, Microsoft added an update addressing its operating system's Wi-Fi access via the Hotspot feature. As the issue was affecting all Windows 10 and 11 operating systems, the tech giant issued a patch on June 14 of this year.
As per the details released by the Windows giant, the issue was caused by a bug in the update known as KB5014697, which was blocking users from using the Wi-Fi hotspot feature.
The company has already issued an update for the issue, which is expected to be rolled out to all users by month-end.
For the time being, tech analysts say that the update can be rolled back, but, as per our analysts, doing so is not recommended at all.
The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.