Expert opinions, information and comment from the LTO Program

2023 looks set to be another record-breaking year for ransomware. In the first half of the year our data found that publicized attacks represented a 49% increase over the first six months of 2022. But it’s important to remember that not every ransomware attack is made public. A more disturbing figure is the number of undisclosed ransomware attacks of 2023, a massive 1,815 in the first six months of this year. By taking these figures into account can we paint a more realistic picture of the real ransomware landscape.This year has seen many notable attacks, and in this blog, we highlight some of the biggest publicly reported attacks of the year along with some of the biggest fallouts we’ve seen to date.Read on to see what attacks earned a spot on our top 10 list.1In January we saw Royal Mail fall victim to a ransomware attack at the hands of LockBit. The group hacked into the UK’s postal services’ software and blocked all international shipments by encrypting files. Negotiations took place between the two sides, but after two weeks, LockBit set a ransom demand of $80 million, 0.5% of the company’s revenue, in exchange for the decryption of the files. Royal Mail chose to not pay the ransom and take the risk of their data being leaked, which ultimately happened.2Months later, the US Marshals Service is still recovering from an attack which took place in February. The attack impacted a computer system which held sensitive law enforcement data belonging to the Technical Operations Group (TOG) who provide surveillance capabilities to track fugitives. “Most critical tools” were restored within 30 days, but the Marshal’s service is still to bring in a new version of the impacted system online with better security. Stolen data included employees’ personally identifiable information alongside returns from legal processes, administrative information and PII pertaining to subjects of USMS investigations and third parties.3Medusa hit the headlines when the group claimed an attack on Minneapolis Public Schools, exfiltrating a trove of data and demanding $1million to keep the information from being posted on the dark web. The reason behind the headlines was more sinister than the attack itself, it was the data they eventually leaked that caused a stir. Confidential information including complete sexual assault case folios were among the 300,000 files dumped by the ransomware group in March after the attack. Other leaked information included medical records, discrimination complaints, SSNs and contact information of district employees.4Another ransomware attack with sinister consequences was reported in March when ALPHV, aka BlackCat, infiltrated Lehigh Valley Health Network’s computer system. The incident involved systems used for “clinically appropriate patient images for radiation oncology treatment” and other sensitive information. The notorious ransomware group leaked naked images of breast cancer patients along with medical questionnaires, passports, and other sensitive patient data after the healthcare provider refused to pay the ransom demanded. LVHN have since faced lawsuits in relation to this ransomware attack.5British outsourcing company Capita was hit by a ransomware attack in March, since reporting that recovery from the incident is expected to cost up to $25million. Expenses have been attributed to “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.” The attack was “significantly restricted” by the company’s security team, but it was confirmed that customer, supplier, and employee data may have been stolen during the incident. BlackBasta claimed responsibility for the attack and has published data belonging to the organization. Not only has Capita incurred exceptional costs but the share price for the company dropped 12% after the attack.6Managed Care of North America (MCNA) Dental exposed a data breach which impacted almost 9 million patients. LockBit claimed the attack, threatening to publish 700GB of sensitive confidential information unless the $10million ransom was paid. Data including PII, health insurance information, care for teeth or braces documentation, and bills and insurance claims was later posted on the group’s dark web site. On the notice MCNA provided, there was also an extensive list of over one hundred healthcare providers that may have been indirectly impacted by the incident.7The fallout from a ransomware attack on City of Dallas in May this year is still making the news. The city was forced to shut down some of its IT systems, with a number of functional areas including the police and fire department experiencing disruption. It has recently come to light that over 26,000 people were affected by the attack orchestrated by Royal ransomware group. Information including names, addresses and medical information is among the data exfiltrated by the threat actors. Some city employees have already reported identity theft, with some of their children also having personal information stolen. In August, it was announced that the Dallas City Council approved $8.6 million in payments for services relating to the attack, including credit monitoring for potential identity theft victims.8In June it was announced that St Margaret’s Health (SMH) in Illinois would be closing after 120 years of serving the community, partially due to a 2021 ransomware attack. The attack crippled operations for months, catastrophically impacting the hospital’s ability to collect payments from insurers for services rendered and forced the shutdown of the hospital’s IT network, email systems, electronic medical records, and other web operations. Other factors leading to the closure included unprecedented expenses tied to COVID-19, low patient volumes and staff shortages.9At least four Australian banks were impacted when a major ransomware attack hit law firm HWL Ebsworth in June. BlackCat claimed the attack, successfully accessing HWL’s servers and exfiltrating 4TB of data. Westpac, NAB, the Commonwealth Bank and ANZ were among the many public and private sector entities who may have had data stolen during the incident. The ransom was reportedly $5million AUSD which the law firm refused to pay. 1.4TB of the exfiltrated data was publicly released which included financial information, customer documentation, and local and remote company credentials.10Ransom demands are not declining, which is made clear by the $70million ransom demanded by Bassterlord following an attack on TSMC. The threat actor, who is affiliated with LockBit, live tweeted the ransomware attack, sharing screenshots of information relating to the company. LockBit posted the attack on their site and stated should the ransom payment not be made the data would be leaked along with published points of entry into the network and password and company logins. TSMC has reported that it has not been breached but rather the systems of one of the IT hardware suppliers, Kinmax Technology, was hacked.11Barts Health NHS Trust, the largest health trust in the UK, was hit by a ransomware attack in June which was claimed by ALPHV, aka BlackCat. The gang stated that it had stolen 7TB of sensitive data in what is claimed to be the biggest breach of healthcare data in the United Kingdom. Samples of the stolen data included employee identification documents including passports and driver’s licenses and labelled internal documents. They also claim to have “citizens’ confidential documents.” The trust is still investigating the scope of the attack.12A class-action lawsuit has been filed against Tampa General Hospital following a cybersecurity incident reported in July. The incident resulted in the theft of protected personal health information (PHI) of up to 1.2 million patients. Although data was stolen, the hospital clarified that the hackers had failed in their attempt to launch a ransomware attack, with robust security systems preventing encryption of files and further damage. The class-action law suit filed against the hospital is for “failing to protect the personal data of its patients.” The hospital is also being accused of failing to notify impacted individuals on time, taking nearly two months to notify them.We will continue to update this blog as the year continues with other notable ransomware attacks that make the headlines.

Aug 15, 2023THNLinux / RansomwareThe threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors.Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore.The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors."Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said.A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul.Some of the crucial changes include the addition of a '--whitelist' parameter to instruct the locker to skip a list of virtual machines as well as the removal of command-line arguments --size, --log, and --vmlist.The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and solely rely on the file size for its encryption process.In other words, files larger than 1.048 MB but smaller than 4.19 MB will only have the first 100,000 (0xFFFFF) bytes of the file encrypted, while those exceeding 4.19 MB have a chunk of their content locked depending on the outcoming of a Shift Right operation.Files that have a size smaller than 1.048 MB will have all their contents encrypted."It's likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm," the researchers said."Furthermore, by altering the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

In today’s business environment, disaster recovery planning is essential to maintain uninterrupted operations. Unforeseen events like natural calamities, cyber intrusions, power failures, and human mistakes can lead to substantial damages in terms of data, efficiency, and profits. Hence, to counter such challenges, companies need to develop a robust disaster recovery strategy that specifies the actions to be taken during a crisis.For a long time, tape backups have been vital to disaster recovery planning due to their durability and reliability, making them ideal for such scenarios. So, this blog post explores the role of tape backups in disaster recovery planning, how they fit into the plan, their advantages, and the associated risks.Overview of Disaster Recovery PlanningDisaster recovery planning is developing a strategy to safeguard your company against the adverse consequences of unforeseen occurrences like power outages, cyber assaults, equipment breakdowns, and natural calamities. This plan itemizes the measures your business will take to guarantee the uninterrupted operation of crucial operations in case of a catastrophe.Importance of disaster recovery planningAll organisations need to have a disaster recovery plan since it can reduce downtime, safeguard business assets, and preserve customer confidence. In the event of a disaster, a well-executed disaster recovery plan can enable swift recovery and the resumption of business operations with minimal disruption. Furthermore, a disaster recovery plan can assist in fulfilling legal and regulatory requirements, particularly in industries that mandate disaster recovery plans. Moreover, having a disaster recovery plan can enhance an organisation’s reputation and credibility. Customers and partners are likelier to trust a company with a plan to secure their information and ensure business continuity.Key components of a disaster recovery planAn essential aspect of disaster recovery planning is to encompass the following significant components:The initial step is to conduct a risk assessment to identify potential hazards and threats to your business, such as natural calamities, cyber-attacks, power outages, and equipment failures. After identifying potential risks, the next step is to conduct a business impact analysis to evaluate the impact of these risks on your business. This involves identifying critical business functions, systems, and data and determining how long your business can operate without them.Based on the risk assessment and business impact analysis, it is necessary to develop recovery strategies to restore critical business functions and systems. These may include backup and recovery strategies, alternative communication channels, and alternative work locations. After devising recovery strategies, creating a comprehensive plan specifying your organisation’s actions to recuperate from a calamity is crucial. The plan should include a thorough guide for restoring vital systems and data, as well as procedures for communication and notification. Following the plan’s development, testing it, and ensuring it functions as intended is crucial. Consistent testing and training are essential in guaranteeing the organisation’s ability to recover from a disaster swiftly.Tape Backups in Disaster Recovery PlanningTape backups play a vital role in disaster recovery planning due to their reliability and security in backing up critical data and systems. They enable the creation of off-site backups stored in a safe location, separate from the primary business site. Should a disaster occur, these backups can be swiftly accessed and utilized to restore crucial systems and data. Moreover, tape backups are versatile and can back up various data and systems, such as servers, databases, and applications. This feature makes them an ideal backup solution for organisations of all sizes and industries.Advantages of using tape backups in disaster recoveryRegarding disaster recovery planning, using tape backups offers several benefits. Firstly, they are a dependable way to back up essential data and systems because they are less vulnerable to vulnerabilities than digital storage. Also, they can be stored for extended periods without losing quality, which makes them a reliable option for long-term archiving.Furthermore, tape backups are cost-effective as they require minimal hardware and are often less expensive than other methods. Meanwhile, tapes have a long lifespan and can last many years if stored correctly. Lastly, tape backups offer enhanced security as they can be kept securely away from the central business premises protecting against theft, fire, and other disasters.Best practices for using tape backups in disaster recoveryTo guarantee that your tape backups are adequate during disaster recovery, it’s crucial to adhere to the best practices for utilizing tape backups. Listed below are some best practices for tape backups in disaster recovery:Regular backups: Consistent backups are essential to guarantee the safety of your data and systems. It’s advisable to back up your vital data and systems at least once a week.Off-site storage: Storing your backups off-site is crucial to safeguarding them from calamities that may impact your primary business location. The recommendation is to store your backups securely far from your primary business location.Backup testing: Regularly testing your backups is vital in ensuring their efficiency. The widely advised etiquette is to test your backups at least once a quarter.Safe transportation: If you need to transport your backups to an off-site location, it’s necessary to ensure their safety during transportation. This involves using a secure transport service and keeping track of your backups during transit.Documentation and tracking: Keeping a record and tracking the location of backup tapes is crucial in quickly retrieving them in case of a disaster.Challenges and Risks of Using Tape Backup for Disaster RecoveryIn disaster recovery, using tape backups presents several difficulties organisations must face. Arguably, the most significant challenge is the time required to restore data from tape backups. Compared to alternatives like disk backups, tape solutions are notably slower. As a result, restoring large quantities of data from tape backups can be a time-consuming process. Another obstacle is the possibility of data loss due to tape degradation. When you store tapes in less-than-ideal conditions, degradation can occur over time. This may result in the loss or corruption of data, which can be a significant issue during disaster recovery.Using tape backups in disaster recovery also poses various risks. For instance, the physical damage to tapes represents a potential threat to data. Should tapes become damaged, organisations may be unable to recover data, which can be problematic. Similarly, the possibility of theft or loss of tapes carrying sensitive data presents another risk. Losing or having tapes stolen can result in data breaches and severe repercussions for the organisation.Mitigating the risksTo reduce the risks associated with data backup tapes, there are various measures that organisations can adopt. One of the primary measures is to ensure that you keep tapes in a secure and climate-controlled environment that safeguards them against damage from moisture, heat, or other environmental factors. Another critical step is establishing a secure chain of custody for the tapes, with well-defined processes governing their handling and transportation. Also, conducting regular tests and versification of the tape backups is essential to ensure that you restore the data accurately and promptly during a disaster.This involves testing backup and restore procedures to confirm they are properly functioning. Organisations can ensure their data remains secure and recoverable during an unforeseen catastrophe by adhering to these best practices and regularly testing and verifying the tape backups.Alternatives to Tape BackupsAlthough tape backups have been a favored backup solution for a long time, there are now a few other alternatives to consider. These include:Cloud storage: As a backup alternative, cloud storage has become more popular recently. This option provides an off-site backup choice that is easily accessible and rapidly recoverable.Disk-based backup: Hard or solid-state drives are examples of disk-based backup options offering quicker backup and recovery times than tape backups.Both disk-based backup and cloud backup offer distinct pros and cons. Disk-based backup boasts faster backup and restoration times and increased flexibility, yet it can prove pricier than tape backup. On the other hand, cloud backup presents a cost-effective and scalable option. Still, there may be better fits for some organisations.How to choose the right backup option for your organisationTo identify the most suitable backup option for your organisation, there are various elements you need to take into account, which include:Recovery Point Objective (RPO) refers to the maximum amount of data loss your organisation can bear should a disaster occur. If your RPO is low, you should opt for a backup solution that frequently creates backups with minimal data loss.Recovery Time Objective (RTO): This implies the longest acceptable downtime for your organisation in the event of a disaster. If your RTO is low, you need a fast restore time backup option.Cost: You must evaluate each backup option’s initial and ongoing expenses. While tape backups may have a lower initial price, they require more maintenance and have higher long-term costs.Compliance: If your organisation has strict compliance requirements, you must choose a backup solution that meets those requirements.Scalability: You must consider how effortlessly you can expand or reduce your backup solution as your organisation grows or changes.Security: It is crucial to ensure that your backup solution provides sufficient protection to safeguard your data from unauthorized access or theft.Considering these factors, you can select the backup option catering to your organisation’s requirements.Final ThoughtTape backups have been a common choice for disaster recovery planning for many years. Despite challenges and risks, they provide dependability, affordability, and durability benefits. While tape backups are essential for disaster recovery planning, exploring other backup solutions, such as cloud storage or disk-based backups, is crucial.To create an effective disaster recovery plan, it’s crucial to evaluate all backup options, including tape backups. By following proper procedures for tape backups and considering alternative backup solutions, organisations can guarantee that they will recover from a disaster and maintain normal operations.Learn more about Tape backup:

EditShare Assists PROGRESS With Archive Preservation, Monetization EditShare has a continuing relationship with PROGRESS.film, one of the biggest theatrical distributors in Europe and owner of vast archives of historical film. As well as supporting in-house production, the EditShare storage network is closely integrated with AI technology from Veritone to build a platform to monetize the archive.PROGRESS was founded in East Berlin in 1950 and, until the fall of the Wall, was the only film distributor in East Germany. Today it holds the complete film heritage of East Germany, along with exclusive collections from East and West Europe, Vietnam, Ukraine, the US and more. The archive runs to more than 26,000 films.Part of PROGRESS is a production company, LOOKS.film, specializing in historical documentaries. Original footage shot by LOOKS is also added to the archive, becoming a resource for film-makers of the future. LOOKS selected EditShare as the best platform to support its production activities, and parent company PROGRESS recognized that the flexibility, security and power of the EditShare solution was ideal as the foundation of its archive projects.The goal was to create workflows which would enable the team to bring online vast amounts of film at multiple locations across Europe, and link it with excellent metadata in part generated by AI software. By integrating the EditShare storage network with a highly automated commerce platform from Veritone using APIs to build a seamless solution, PROGRESS provides archive access to film-makers everywhere, with a cost-effective license and delivery workflow.“We acknowledge that our archive represents a unique library of unmatched historical and cultural significance,” says Gunnar Dedio, CEO at PROGRESS. “We wanted to make this as widely available as possible, by giving film-makers simple online access to search through our archive, select the footage they need, and to create a license and download their content.“After extensive technical trials, we identified the two best players in the field, EditShare, and Veritone,” he continued. “They worked together on the APIs which enabled us to create the powerful, seamless system we have today.”At the heart of this system is the three-tier storage network from EditShare. At the top layer is an EFS server with a total of 120TB of storage, providing fast and agile access for online users including eight editing suites. Supporting that is another EditShare disk structure providing 320TB of nearline storage, making all content in current use readily accessible, and providing a buffer layer to move content in and out of archive.The third tier is an EditShare ARK LTO8 tape library. Currently this has around a petabyte of storage but can continue to grow, and provides secure backup as well as highly resilient long-term archiving. EditShare FLOW asset management manages all levels of storage and generates proxies as required, and runs on its own servers.“This scope and significance of the archive project at PROGRESS is huge,” says Said Bacho, chief revenue officer at EditShare. “But it is achieved with standard building blocks from EditShare: server nodes, nearline storage and tape archives, brought together with FLOW software. We are very proud of this project, and it shows clearly what can be achieved with technology based on open standards and simple APIs.”

... at new ransomware payment and cyber incident reporting requirements. ... operations to actively disrupt players in the “ransomware ecosystem.

From ransomware and data breaches to insider risks, cyber events remain significant sources of financial loss and disruption for companies of all sizes.Reducing this risk requires understanding a company’s major business priorities, and how you would continue to deliver value to your customers, even during a serious cyber incident. Building this concept of cyber resilience for your own company is no easy task, as it requires a coordinated effort across an organisation’s risk, cybersecurity, and financial leadership.But in today’s world of sophisticated cyber adversaries, it is critical to ensure your organisation can take a digital hit, and survive.Against a dynamic risk such as cyber, a “set it and forget it” approach is not sustainable as cybercriminals continue to find new ways to exploit vulnerabilities.There are several best practices that we see proving effective, however, in narrowing cyber exposures and improving organisations’ resilience to cyber risk.Current best practices that cyber insurance underwriters like to see, and which cyber criminals don’t, include:Security awareness trainingIn cyber risk management, ironically humans are often considered the weakest link in the cybersecurity chain. KnowBe4 even puts phishing success benchmark rates as high as 33.2% in 2023.However, with appropriate security awareness training, employees can also become an organisation’s sentinels and identify threats early on.Training helps establish behavioural expectations and exposes staff to real-world scenarios, showing them what they should look out for, and what to avoid.“Building a security culture in any organisation is not possible without increasing staff awareness”Security awareness training is also a good way to discover where in an organisation’s systems users are susceptible to cyber threat vectors, and which behaviours make them more susceptible, allowing the organisation to put in place additional technical controls or training specific to the employee’s role to help minimise impact.Building a security culture in any organisation is not possible without increasing staff awareness. Training can inform and enable everyone in the organisation to take responsibility for increasing cybersecurity as security cannot be the sole responsibility of the security department.Identity and access management (IAM)Identity and access management has become the new perimeter in cyber security.One reason phishing is still a leading vector for harvesting credentials is criminals’ understanding that the right identity and access privilege is equivalent to holding the keys to the castle.A digital identity can belong to a human as well as a non-human – that is, software or another system that an organisation permits to access its network.A holistic IAM program is essential to managing all identities within an organisation.Three tactics have proven especially helpful in strengthening IAM. These are:Multi-factor authentication (MFA).  This tactic uses hardware tokens or additional means of verifying a user’s identity, such as an alphanumeric code sent to an authorised email or mobile phone. MFA has been demonstrated to stop an attacker who has phished account details or stolen access credentials.Privileged access management (PAM).  This form of access management can monitor, manage and automate privileged user accounts. PAM is a far better way of prioritising system access than simply assigning “local admin” access to multiple users. A zero-trust or least-privilege environment, which is becoming more common in larger networks, requires privileged access management.Lifecycle management.  The processes in place for managing identities are important as organisations may struggle with handling identities as users move within the organisation to different roles or leave. The current climate where layoffs are occurring has created some risk for organisations that have not been managing their identities well, as there may be users that are no longer with an organisation but still have access to resources. From a financial perspective, especially for organisations that heavily utilise Software-as-a-Service (SaaS) applications, having a good lifecycle management process in place is important so that when employees do leave or switch to a different role, their access to the SaaS application would get removed, reducing the number of users the organisation has to pay for.Vulnerability managementIn a physical location, doors and windows are considered vulnerabilities because they can provide a ready means of access.The “doors and windows” in a digital network take the form of open ports, such as the Remote Desktop Protocol, and vulnerabilities and weaknesses that may exist through connected devices or software.For an organisation reducing its external footprint, limiting the open and accessible doors and windows they have open, is essential.A comprehensive vulnerability management program includes vulnerability scanning, vulnerability assessments and penetration testing, end-of-life system identification and remediation, and patching or hardening systems.”There are thousands of vulnerabilities out there, so organisations need to ensure they have a process in place to identify the ones that pose the most risk”Segmenting critical and older systems within one’s network is vital as well.As organisations are dealing with vulnerabilities found from vulnerability scans, vulnerability assessments, and penetration tests, they need to think through the risk that the vulnerability poses to them and not rely on just the severity rating of the vulnerability to determine whether it should be fixed.There are thousands of vulnerabilities out there, so organisations need to ensure they have a process in place to identify the ones that pose the most risk otherwise they may spend time remediating vulnerabilities that don’t pose a big risk to them, while ignoring the ones that do.BackupsUninterrupted access to their data is critical for virtually all organisations. That is a reason ransomware remains a major threat vector in cyber.Good backups of data not only offer peace of mind but also strengthen an organisation’s position when it experiences a ransomware attack.Good backups that are readily accessed can make a difference in deciding whether to pay a ransom demand.Any backup strategy should be sound and tested.Recommended tactics for backups include multiple copies and locations, if managing one’s own data backup; regularly backing up critical systems; protecting backups by limiting access, encrypting, scanning for malware, and ensuring the files are immutable – cannot be altered or deleted.”There is no replacement for a strong security culture and that starts at the top.”Regularly testing backups to ensure they are ready when needed is also strongly advised.These best practices have proven helpful in reducing cyber risk and obtaining better cyber insurance coverage, but they are only a starting point.There is no replacement for a strong security culture and that starts at the top.Aligning senior executives and the entire organization around what threats are most critical to ensuring operations helps everyone stay alert for an attack and respond quickly so an incident doesn’t become a crisis.Alpha Diallo is senior manager of security at Resilience, a company with operations in Europe, the United Kingdom and the United States that helps financial, risk, and information security leaders continuously improve their organizations’ cyber resilience.