February 19, 2024FBI, British authorities seize infrastructure of LockBit ransomware group - CyberScoop
An international law enforcement operation on Monday seized servers and disrupted the infrastructure used by the LockBit ransomware syndicate, a government official confirmed to CyberScoop after websites used by the ransomware group displayed messages that they had been seized.An operation carried out by the Federal Bureau of Investigation and the UK’s National Crime Agency together with a range of international partners took control of a site used by LockBit to leak data belonging to its victims, the group’s file share service and communications server, various affiliate and support servers and a server for LockBit’s administrative panel, the government official said. The takedown is the latest in a string of FBI operations targeted at disrupting cybercrime and cyberespionage infrastructure around the world under Rule 41, a legal framework that enables the FBI to access computers across multiple jurisdictions and modify them. Last week, the agency announced the takedown of a Russian military intelligence-controlled botnet. In January, the FBI disrupted a Chinese botnet used to penetrate sensitive U.S. targets.LockBit first emerged in September 2019 and is believed to be the world’s most widely used ransomware variant.The takedown operation against LockBit raises questions about how lasting it will be. Previous operations against such groups have seen their operations temporarily disrupted only for the groups to return using new infrastructure. In December, the FBI seized some of ALPHV’s infrastructure, but the group “unseized it,” and a version of the site remains active.
February 15, 2024How To Optimize Your Data Center Against Ransomware Attacks
Many strategies for fighting ransomware, like taking regular backups, are the same no matter where you host data — in the public cloud, in a private data center, or on-prem.However, companies that operate data centers can deploy some special practices that may reduce their risk of falling victim to ransomware attacks. When you control all aspects of your infrastructure and hosting facility, you can do things to mitigate ransomware threats that wouldn't be possible elsewhere.Related: 'Cactus' Ransomware Strikes Schneider ElectricTo that end, keep reading for a look at actionable strategies for mitigating ransomware risks in your data center.Basic Ransomware Mitigation StrategiesBefore diving into anti-ransomware strategies that apply to data centers in particular, let's discuss generic tips for preventing ransomware in any type of environment. Standard best practices include:Back up data: If you take regular backups of your data, you can restore from a backup following a ransomware attack instead of paying the ransom.Monitor for threats: Continuous monitoring can help you detect the presence of malware that ransomware attackers use to encrypt data, making it possible in some cases to stop the attack before your information is held for ransom.Educate users: Educating employees, customers, contractors, and other stakeholders about ransomware and related risks reduces the chances that someone will fall for a scam that results in the deployment of ransomware inside your IT estate.Minimize exposure: Practices like closing unnecessary network ports, following the principle of least privilege, and turning off extraneous workloads make it harder for threat actors to carry out ransomware attacks.Related: A Guide to Cloud Resilience: Maximize Security, Minimize DowntimeAgain, you can do these things anywhere, not just in environments hosted in private data centers.Stopping Ransomware in the Data CenterHowever, when you operate your own data center (or use a colocation facility) to host workloads, you can take additional measures to protect against ransomware — measures that would be challenging or impossible to take in most other environments.Air-gappingFor one, you can air-gap data and workloads. Air-gapping means disconnecting resources from the internet completely, which will totally prevent any network-born attacks. This is especially valuable in the context of ransomware protection because it means you can virtually guarantee that data backups won't be accessed by attackers, who sometimes seek to compromise backups so their victims can't recover data without paying the ransom.Air-gapping is not typically possible in the public cloud because there is no way to disconnect cloud resources from the network; the best you can do is place them on private networks that are not directly exposed to the internet but may still be exposed to attackers who already have a presence inside your environment. With a private data center, however, you have total control over your infrastructure, and you can physically disconnect data from the network if you wish.Offsite backupsPrivate data centers also make it easier to maintain offsite backups, meaning backup data that is stored in a physical location separate from the one that hosts production workloads. Offsite backups provide another line of defense against ransomware by ensuring that you have a secure set of information you can recover, even if your entire data center facility is compromised in an attack.While it's possible to create offsite backups from the public cloud by downloading backup data to a location of your choosing, you have to rely on the network to move the data, which can take a long time if you have lots of data to move. With your own data center, you can copy your data directly to storage media, then move the media to a location of your choosing.Digital twinningIn the context of data centers, a digital twin is a complete replication of an IT environment. Digital twins help protect against ransomware risks by providing an environment that organizations can switch to in order to maintain continuity if their primary environment is compromised through a ransomware attack.You can maintain digital twins in the public cloud if you wish, but doing so tends to be more expensive and complicated because it essentially doubles the volume of the cloud resources you pay for. You also have to implement a plan for switching from one cloud environment to your backup environment, which can be complex due to the many variables (like network rules and IAM policies) that are involved.In a data center, you can maintain a digital twin more cost-effectively by, for example, using older hardware to host the twinned environment. You also don't need to worry about adjusting configurations such as IAM rules to redirect requests to your backup environment in the wake of a ransomware attack.Physical securityRansomware attacks carried out by malicious insiders (such as employees) are an increasing risk. Here, private data centers offer the advantage of giving organizations more control over physical security, helping them to manage in a granular way who can access infrastructure and data inside.Physical security controls are excellent in the public cloud, too, but the difference is that if you use the public cloud, you have to entrust physical security to a third party, which can't guarantee that no malicious insiders are present in its facilities. In your own data center, you have full ability to manage access to the facility, as well as to monitor activities as a means of detecting ransomware risks and other threats.ConclusionIt would be wrong to conclude that data centers are inherently less prone to ransomware attacks. Like any setting, data centers can be and often are hit with ransomware. However, data center operators can take precautions against ransomware that are not practical in other types of environments. By adopting those measures, companies that use data centers to host their workloads gain a leg up in the fight against ransomware.
February 15, 2024Ransomware disrupts utilities, infrastructure in January - TechTarget
Ransomware disrupted important U.S.-based utilities and services organizations in January, including a municipal water treatment organization, which is a sector that's become a growing target for attackers.The persistent ransomware threat continued last month following what many cybersecurity vendors and threat reports called a record year for ransomware in 2023. New victims emerged last month, but many of the targeted sectors and industries remained consistent from last year.Throughout January, ransomware impeded operations for victims in the government and critical infrastructure sectors, including water and wastewater treatment services. Last month, CISA published an incident response guide for water utilities warning that attacks "could cause cascading impacts across critical infrastructure." The guide also confirmed that the sector has already been hit by ransomware in recent years.On Jan. 19, Boston-based Veolia North America disclosed that ransomware had hit its municipal water division the previous week, affecting "some software applications and systems." In response to the attack, Veolia took its internal back-end systems offline, which disrupted customer access to the billing system. The water utilities company operates in 550 communities across North America.As of Jan. 19, Veolia said there was "no evidence" that the attack affected its water or wastewater treatment operations. However, the company said the personal information of a "limited number of individuals" was stolen. An investigation into the attack remains ongoing, and the incident forced Veolia to reexamine its cybersecurity posture."We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take to help prevent incidents of this kind in the future. We are putting our full resources behind these efforts," Veolia wrote in the statement.There were more public sector utilities and services disrupted last month. A ransomware attack on Jan. 21 against Bucks County in Pennsylvania temporarily disrupted the county's emergency communications database. The Akira ransomware group claimed responsibility for the attack, which rendered Bucks County's computer-aided dispatch (CAD) system inoperable for nine days. Law enforcement agencies, the fire department and ambulance services use the tool to record incident data, but the attack forced them to revert to pen and paper. Around 650,000 residents live in Bucks County and were able to make 911 calls despite the attack, but fallout was still substantial.On Feb. 7, the Bucks County Board of Commissioners approved contracts with cybersecurity forensic and legal firms and issued a Declaration of Disaster Emergency to help with restoration efforts. While CAD is now functional, the Board of Commissioners said the system requires additional rebuilding."The County did not engage in negotiations with those claiming responsibility for the attack, nor did it pay any ransom to restore functionality to its systems. Rather, the County's IT and Emergency Communications departments' meticulous cyber maintenance and backup practices were key to the system's quick restoration," Bucks County wrote in the statement.The Medusa ransomware group, which was highly active throughout 2023, claimed responsibility for an attack against the Kansas City Area Transportation Authority (KCATA) that occurred on Jan. 23. KCATA disclosed the attack on Jan. 24 and confirmed that it disrupted the regional RideKC call centers and landline service. However, transportation services remained operational. Customers looking to schedule a trip were redirected to new phone numbers while KCATA worked "around the clock" to restore systems. KCATA engaged the FBI and security professionals following the ransomware attack.Medusa's public data leak site also listed Denver-based nonprofit Water for People, which provides drinking water and sanitation services to communities in nine countries around the world. A Water for People spokesperson told cybersecurity news outlet The Record that the affected data predated 2021, and more importantly, the attack did not disrupt business operations.U.S. government agencies have issued multiple advisories of increasing threats against critical infrastructure organizations. Earlier this month, CISA, the National Security Agency and the FBI warned that a Chinese nation-state threat actor known as Volt Typhoon had compromised organizations in the communications, energy, transportation systems, and water and wastewater sectors. U.S. agencies also confirmed that the threat actor has been hiding in some victims' IT environments for at least five years to maintain access in preparation for any major conflict that could arise with the U.S.Education, financial services also hitRansomware did not spare the education sector last month. One particularly damaging attack occurred against Clackamas Community College in Oregon, which has an enrollment of more than 18,000 students. The Clackamas Print reported that authorities traced the attack to a Russian IP address.In a Facebook post on Jan. 21, Clackamas revealed that the incident began on Jan. 19 and shuttered online services, including its website, internal systems and ability to disburse financial aid. Because online services were affected, Clackamas canceled two days of classes, and teachers were instructed to push back assignment due dates for at least five days. The attack also coincided with the last day to drop winter classes, so that deadline was delayed.As of Feb. 12, some websites were restored. In response to the attack, students were asked to reset their passwords. The infamous LockBit ransomware group claimed responsibility for the attack on its public data leak site.One of the biggest attacks in January hit an enterprise in the financial sector. California-based mortgage lender LoanDepot disclosed an attack on Jan. 8 in a Securities and Exchange Commission filing, in which the company said the attack "included access to certain Company systems and the encryption of data."In a press release on Jan. 22, LoanDepot said it forced systems offline to contain the incident, but doing so disrupted and delayed many customer portals used for services and payments. LoanDepot also said it was still working to restore all services and that the attack affected a significant number of customers."Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems," LoanDepot wrote.Arielle Waldman is a Boston-based reporter covering enterprise security news.
February 15, 20242023 Ransomware Payments Hit $1.1B Record - InformationWeek
It seemed that the tide had turned in the ransomware landscape in 2022. Reports showed a declining numbers of attacks and more victims refusing to pay. But in 2023, ransomware activity surged. Ransomware gangs successful extorted a record $1.1 billion in cryptocurrency payments from victims, according to a report from blockchain analysis firm Chainanalysis.What factors drove the upswing in ransomware activity? And following a year of record payments, what can enterprise security leaders expect in the ransomware landscape of 2024?The Top Threat ActorsRansomware remains a lucrative business for cybercriminals, and the barrier to entry is relatively low. Threat actors can seek easily exploitable vulnerabilities or opt to pay for ransomware-as-a-service. While the volume of attacks is significant, several notorious groups take the lead as repeat offenders.“LockBit we see … almost 25% of all ransomware attacks are from that group,” Jonathan Braley, director of threat intelligence at the Information Technology-Information Sharing and Analysis Center (IT-ISAC), tells InformationWeek. “So, every week we’re seeing 10 to a dozen attacks coming just from LockBit.”Taiwan Semiconductor Manufacturing Company (TSMC) and IT products and services company CDW were among LockBit’s victims in 2023. The group demanded $70 million from TSMC and $80 million from CDW. In 2024, the group claimed responsibility for attacks on Saint Anthony Hospital and Lurie Children’s Hospital in Chicago.Related:China's Volt Typhoon Found Lurking in Critical Infrastructure for YearsThe Clop Ransomware Gang was also a big player last year. The group was linked to the MOVEit breach, which impacted thousands of organizations and millions of people, according to software company Emsisoft.ALPHV/Blackcat was another prominent player in 2023. The group made waves in the fall when it reported one of its breach victims to the US Securities and Exchange Commission (SEC) for not disclosing the breach. In December, the Justice Department announced that the FBI developed and offered a decryption tool to more than 500 ALPHV/Black Cat victims. The disruption campaign saved victims approximately $68 million in ransom demands.“You’re seeing some wins on the law enforcement side to help to degrade the ability of these groups to operate there effectively as they have been,” says Craig Hoffman, partner and cybersecurity team leader at law firm BakerHostetler.While law enforcement works to disrupt ransomware activity, threat actors continue to evolve.“Originally, when ransomware started it was quite disjointed, but I believe that the actors have become more streamlined. I think they’re working closer together,” Andrew Costis, chapter lead of the adversary research team at AttackIQ, a security optimization platform, shares.Related:Expect the Unexpected: How to Reduce Zero-Day RiskThreat actors are also increasingly leveraging data exfiltration as a means of extortion and profit: pushing companies to pay ransoms to prevent publication of sensitive data or selling that sensitive data.Richard Caralli, senior cybersecurity advisor at Axio, a cybersecurity performance management company, points out that major cyberattacks on companies like MGM and 23andMe in 2023 involved data exfiltration. “It’s far more lucrative for these groups on the dark web, selling it or using it for future attacks, than I think we’re giving them credit for,” he says.The Popular Attack VectorsRansomware groups do not necessarily need to pursue the most sophisticated techniques to gain access and exploit their victims. Social engineering and phishing tactics have proved effective. “We’re not giving enough attention to the basic fundamental practices and fundamental controls,” says Caralli.Threat actors are also exploiting zero-day vulnerabilities, like the one in the MOVEit file transfer tool, to execute ransomware attacks.Related:Sign Up for InformationWeek's New Cyber Resilience NewsletterWhile ransomware groups are more than happy to pick the low-hanging fruit, they are also finding new ways to execute their attacks.“They’re switching to different programming languages, so using things like Rust,” Braley explains. “They can go after macOS, they can go after Linux. They can go after potentially even some of these mobile operating systems as well.”Threat actors are also leveraging more advanced social engineering tactics, according to Costis. “So, for example, multifactor authentication [MFA] fatigue attacks or SMS phishing rather than traditional email phishing. Obviously, AI and generative AI are starting to play into this as well,” he says.The Worst-Hit Ransomware VictimsRansomware groups are financially motivated; their activity tends to be opportunistic.“If you’re connected to the internet and you use a VPN that bad guys know to be vulnerable, they will just scan the internet look for that VPN,” says Hoffman. “In a way, they don’t care who they find as long as they find someone they can attack that [becomes] someone who might pay them.”Ransomware attacks are reported in many different sectors, ranging across finance, health care, education, government, and more. IT-ISAC tracks ransomware activity across critical US sectors. “Critical manufacturing is typically number one, sitting around 15 percent,” says Braley.Critical infrastructure victims may be more likely to pay because they cannot afford downtime, and they offer threat actors the tantalizing possibility of valuable data. “I think we might start seeing more targeted ransomware attacks … in the future,” says Costis.In December 2023, a group affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) hacked a municipal water authority in Pennsylvania. The month prior, a water utility in Texas was hit with a ransomware attack.“To some degree, that is about disrupting operations and putting fear out there,” says Caralli.A Continuing TrendIn 2024 thus far, Comparitech has tracked more than 60 ransomware attacks across the business, education, government, and healthcare sectors. Braley shares that IT-ISAC has seen 185 attacks in January, up from 120 attacks last January. What could enterprise leaders expect to see as ransomware activity continues?Dual ransomware is a growing concern. “No sooner has a company paid out a ransom and then they’ll get infected by a different variant. So, we might see an uptick in that,” says Costis. Threat actors will likely continue to execute social engineering campaigns and look for zero-day vulnerabilities to exploit. The increasing use of AI could power more sophisticated attacks. Ransomware groups may also increasingly target hypervisors.“If groups start focusing more on virtual environments -- and those are sometimes less hardened than other parts of a company’s network -- you may see, at least temporarily until companies adapt, more impactful ransomware events,” says Hoffman.Public company compliance with the SEC’s cybersecurity incident reporting rule that went into effect in December 2023 may shed more light on ransomware activity. More visibility and continued threat actor activity could mean that we will see a new record amount of known victim payments. “I would not be shocked if we get another report by the end of the year or this time next year with a much higher … figure,” says Costis.Yet, there is hope for enterprises and the cybersecurity community. Basic cyber hygiene, patch management, and access control can go a long way toward mitigating the risk of ransomware. “We should see companies being more resilient and needing to pay less often,” says Hoffman.While 2023 was a record year for ransomware payments, Hoffman shares a positive trend seen in his work. “In 2022, in our ransomware matters, our clients paid about 40% of the time, and that was kind of split between our smaller clients paying for a decryptor and our larger clients paying to prevent publication,” Hoffman shares. “In 2023, we dropped; our clients paid about 25% of the time.”
February 09, 2024Rediscovering tape storage: The unconventional innovation for modern data challenges
Matt Ninesling, Senior Director of Tape Portfolio Management, Spectra Logic, highights the secure and sustainable nature of tape storage and why its steady resurgence shouldn’t be ignored amid data explosion requirements.Matt Ninesling, Senior Director of Tape Portfolio Management, Spectra LogicData is relentlessly expanding and is slated to reach a staggering 175+ zettabytes by 2025. The unprecedented storm of data generation in recent years has left many organisations seeking more scalable and cost-effective storage solutions. Amid this data deluge, traditional tape storage technology has always provided safe harbour, offering unparalleled advantages in scalability, security and sustainability. But through recent innovation and adaptability, modern tape storage solutions are helping organisations navigate the ocean of data to be protected and preserved in new ways.From humble beginnings as magnetic tape reels in the early days of computing, tape technology has undergone a transformation, evolving in formulations, read/write mechanisms and storage densities. Today, as a testament to its resilience and adaptability, tape remains a cornerstone in long-term data retention and security.Tape meets growing AI storage demandsOne of the key drivers behind the resurgence of tape technology is its inherent ability to accommodate vast volumes of information, making it an ideal storage solution for Artificial Intelligence (AI) initiatives. Multi-petabyte archives are becoming standard as AI increasingly drives every aspect of business, research and development. Modern Linear Tape-Open (LTO) technology, for instance, offers up to 19TB of data storage per cartridge in its latest generation. Moreover, offerings such as IBM’s TS1170 take it a step further, providing 50TB of native storage capacity and up to 150TB of compressed format capacity per cartridge.When compared to other storage methods such as disk and cloud, tape not only maintains its cost-competitive edge but is also the dominant leader in affordability due to new developments in tape density.While disk-based storage systems cater to the instantaneous demands of real-time operations, tape’s role as a secondary or tertiary storage tier meets the need to store AI training data and outputs for the long term. Preservation of training data is crucial given recent lawsuits over the use of copyrighted materials for AI models and defamation litigation in response to false information generated by AI chatbots. Moreover, these long-term archives must be accessible and searchable. The introduction of S3-compatible object-based tape makes today’s tape technology the ideal building block for such archives. Object-based tape is highly scalable, searchable and can even be tagged for future retrieval. In the case of catastrophic data loss or corruption, AI training data archived on tape provides for a reliable means of recovery. Tape can be stored offline, making it less susceptible to accidental deletions through true air-gapped protection. Archiving AI training data on tape also ensures data remains intact and can be successfully retrieved if, and when, it is needed.The role of tape in cybersecurityAnother significant factor propelling the resurgence of tape technology is the escalating importance of data security. Amid the increasing frequency and sophistication of ransomware attacks, tape’s offline nature provides a robust defence, making it an invaluable asset across diverse sectors.AI is expected to heighten the near-term impact of the global ransomware threat. Over the next two years, organisations can expect with an almost certain likelihood that AI will increase the volume and impact of cyberattacks, as reported by the UK’s National Security Centre. As threat actors are able to analyse exfiltrated data faster and more effectively, the assessment predicts they will use this data to train AI models to enhance existing tactics, techniques and procedures.Tape storage technology, with its air-gapped nature, provides the most resilient layer of protection against such threats, ensuring that the data remains secure and accessible in the event of an attack. Modern tape solutions that incorporate an object storage interface are particularly useful as a secondary storage target for S3-compatible applications. A mainspring of modern data protection, object-based tape allows organisations to maintain traditional methods of backup while simultaneously deploying S3-compatible applications in a single infrastructure. The technology is often seen in large backup environments leveraging cloud-based APIs, where tape serves as a cost-effective repository for storing cold data at scale.Tape as a pillar of complianceCompliance with long-term retention requirements is crucial for businesses today. The focus is on ensuring that records, whether related to architecture or performance, can withstand the test of time and iterations.Mandates for compliance are typically instated by top-level executives such as a compliance officer, CIO, or security manager. These mandates may involve the retention of critical records, especially for industries where changes to formulations or architectures need to be preserved for legal reasons. For example, companies like Coca-Cola will often implement long-term data retention mandates to preserve previous formulations offline and protected, ensuring records can be accessed into the future in the event of litigation but remain shielded from unauthorised access.The decision to retain data for an extended period is not arbitrary; it involves evaluating the value of the data to the company. The length of retention is directly proportional to the significance and utility of the data for the business.Tape’s longevity makes it the ideal technology for retaining data for extended periods. The advantages of tape storage include Write Once Read Many (WORM) functionality, air-gapped security and the ability to be taken offsite for added protection. Furthermore, to ensure minimal data degradation over time, modern tape offerings feature greater data integrity and reliability by incorporating error correction codes and automated data integrity verification checks.Sustainability in data storageThe energy consumption of data centres is a pressing global concern, with data centres consuming approximately 200 terawatt-hours of electricity annually. Tape storage’s minimal power consumption and reduced cooling requirements provide a more sustainable alternative to disk-based storage systems, delivering significant savings in electricity usage and contributing to a reduction in CO2 emissions.Tape technology’s durability and cost-effectiveness make it an attractive proposition for organisations seeking long-term data retention solutions that are not only reliable and secure but also environmentally friendly.The road aheadTape storage technology’s adaptability, resilience and enduring relevance make it a worthy contender in the data storage arena. Moreover, when it comes to storing large amounts of infrequently accessed data for the long term, tape is in fact the undeniable leader. Whether it’s managing the surge of Big Data, safeguarding against cybersecurity threats, ensuring regulatory compliance, or championing sustainability, tape storage continues to thrive, demonstrating its timeless value.The horizon promises even more sophisticated tape solutions, hinting at greater storage capacities, enhanced data transfer speeds and strengthened data integrity checks. Modern tape storage technology, with its ability to complement big data analytics, fortify cybersecurity defences, meet compliance mandates and contribute to a greener planet, underscores a compelling truth – sometimes, the tried-and-true ways prove to be the most successful.Click below to share this article
February 13, 2024WORM Functionality – Understanding its Importance in Data Storage - Tycoonstory Media
In our digital world, keeping data safe is crucial. WORM functionality (Write Once, Read Many) helps by ensuring that data, once written, cannot be changed. This article explains why WORM is important, how it’s used, its benefits, and challenges. Let’s explore why WORM matters in data security.Understanding WORM FunctionalityWORM functionality embodies the principle of immutability, whereby data can be written to a storage medium only once and subsequently accessed multiple times for reading purposes. Once it’s written, the data becomes impervious to alteration, deletion, or tampering. That ensures an effective creation of a digital seal of authenticity. This attribute is particularly invaluable in industries governed by strict regulatory frameworks, like finance, healthcare, legal, and archival sectors.The Implementation of WORM TechnologyImplementing WORM functionality encompasses a spectrum of storage technologies, each offering unique advantages and considerations. Historically, optical disks like CD-R and DVD-R served as the primary medium for WORM storage, owing to their innate write-once nature. However, with the evolution of sophisticated storage solutions, including tape drives, specialized disk arrays, and cloud-based platforms, WORM functionality has transcended traditional boundaries and embraced modern architectures.Contemporary WORM implementations often rely on software-based mechanisms integrated into storage arrays or cloud platforms, facilitating seamless integration with existing IT infrastructures. This software-driven approach enhances flexibility and scalability, and that’s not all! It also enables organizations to adapt to evolving regulatory requirements and technological advancements.Applications of WORM FunctionalityThe versatility of WORM functionality extends across diverse domains, where data integrity, compliance, and security are paramount considerations. Some notable applications include:Financial Transactions and Audit TrailsIn finance, WORM plays a key role in creating unchangeable audit trails and transaction logs. That helps organizations be more transparent, accountable, and compliant with regulations.Healthcare Records ManagementThe healthcare industry heavily relies on electronic health records (EHRs) to store patient information. WORM storage ensures the integrity and confidentiality of EHRs, helping healthcare providers comply with regulations like HIPAA.Data Archiving and Long-Term PreservationWORM storage is vital for archiving historical data and documents for extended periods. Whether it’s financial records, legal contracts, or scientific research data, WORM technology helps maintain the integrity and authenticity of archived information.Compliance and Regulatory Requirements:Industries like finance, healthcare, and law use WORM to meet strict data retention and security regulations; by making critical records unchangeable, organizations in these sectors can reduce compliance risks and avoid legal liabilities.Benefits of WORM Functionality:Adopting WORM functionality yields many benefits, ranging from enhanced data integrity to regulatory compliance even beyond. Some key advantages include:Data Integrity and AuthenticityWORM makes sure data stays the way it was first written. That keeps information true and reliable, and this helps build trust among the people who use it and the ones who make the rules.Compliance AssuranceIn businesses where there’re strict rules to follow, like finance or healthcare, WORM helps to stick to these rules. It helps store data safely and meet legal requirements without any worries.Protection Against Cyber ThreatsWORM keeps data safe from hackers and malicious online stuff. Even if there’s a cyberattack, data stays safe and unchanged, which lessens the harm caused.Cost-Effective Storage ManagementEven though setting up WORM systems may seem expensive, in the beginning, they save money in the long run. They do so by preventing data loss and legal troubles, which ultimately helps avoid costly fixes and fines.Legal AdmissibilityIn legal matters or fights, data protected by WORM stands strong as proof. Since it can’t be changed, it’s trusted and believed subsequently, making an organization’s position stronger.Challenges and ConsiderationsDespite its undeniable benefits, the implementation of WORM functionality presents several challenges and considerations that organizations must address:Initial InvestmentSetting up WORM-enabled storage systems requires a considerable upfront investment in specialized hardware, software licenses, and infrastructure upgrades. Before diving into WORM implementation, organizations must carefully assess the costs against the potential benefits and regulatory requirements. This evaluation ensures that the investment aligns with the organization’s strategic goals and budgetary constraints.Performance ImpactSome WORM storage solutions may experience slower write speeds or higher latency when compared to traditional storage systems. This performance difference can potentially impact overall system performance and user experience. To mitigate these issues, organizations should conduct thorough performance testing and optimization measures. By fine-tuning the system, they can minimize any adverse effects on operational efficiency and ensure smooth performance.Data AccessibilityOnce data is written to a WORM storage medium, it becomes immutable, meaning it can’t be changed. That poses challenges in situations where data amendments or updates are necessary. To address this, organizations must establish robust data management policies and procedures. These policies should cover aspects such as data access, retention, and archival requirements. By implementing clear guidelines, organizations can ensure data accessibility while complying with regulatory mandates.Compatibility and InteroperabilityEnsuring compatibility between WORM-enabled systems and existing IT infrastructure is crucial for seamless integration and data accessibility. Organizations need to assess interoperability considerations, including data formats, protocols, and APIs. By understanding these factors, they can facilitate smooth data exchange and interoperability across different systems. That ensures that WORM functionality integrates effectively with existing workflows and technologies, enhancing overall operational efficiency.Regulatory ComplianceMeeting regulatory requirements is a key consideration for organizations implementing WORM functionality. Industries such as finance, healthcare, and law are subject to stringent data retention and security regulations. WORM technology helps organizations comply with these regulations by ensuring data immutability and tamper-proof storage. By adhering to regulatory mandates, organizations mitigate the risk of non-compliance penalties and legal sanctions, safeguarding their reputation and financial well-being.ConclusionWORM technology is crucial in modern data storage and management, providing unmatched benefits such as data integrity, compliance, and security. By using WORM storage, organizations protect critical data, meet regulations, and reduce risks like breaches and legal issues. Despite challenges in setup and operation, WORM technology significantly improves data governance and risk management.As regulations and cyber threats become more complex, WORM’s importance grows. It has become a key part of data protection and governance strategies for organizations. Embracing WORM helps strengthen defenses, build trust, and fully utilize data assets in the digital world. Overall, WORM is vital for organizations looking to navigate the evolving landscape confidently and effectively protect their data.
February 13, 2024New media could bring fresh competition to tape archive market | TechTarget
Tape is king of the cold archive, but as data needs grow and the line between cold and active archive continues to blur, it might have to share the court with some new entrants.Tape is a well-established archive player, being performant, energy-efficient and low in cost. But several archive alternatives such as optical disks, data etching on ceramics and DNA polymer, which share these tape characteristics and can achieve similar results, are looking to soon bring new tech to market.Archive is becoming increasingly important, and has been for decades, according to Marc Staimer, president of Dragon Slayer Consulting."IT people -- storage people -- are some of the most risk-averse people you'll ever meet," he said.But now it turns out that being risk averse could be valuable to businesses, as IT admins have continued to oversee sprawling data storage programs, Staimer said. Analytics and AI have enabled the value of this data. But to reap that value, companies need to be able to store it and access it. For a long time, tape storage has been the answer.Whoever is going to be able to do storage at scale, meeting performance requirements as well as advanced use cases, could potentially replace the spot where tape is. But tape is not standing still.Christophe BertrandAnalyst, Enterprise Strategy GroupFor any archive option to share in tape's dominance, it will have to solve the problem of scale, according to Christophe Bertrand, an analyst at TechTarget's Enterprise Strategy Group."Whoever is going to be able to do storage at scale, meeting performance requirements as well as advanced use cases, could potentially replace the spot where tape is," he said. "But tape is not standing still."Reigning champMagnetic tape has been used in data storage since the 1950s, just before the onset of hard disk drives and about a decade before flash memory came about. Today, tape comes in two form factors -- Linear Tape-Open (LTO), and enterprise tape or TS11xx -- and is widely used in archives. Beyond its high density of up to 150 TB compressed and low costs, tape is difficult for nefarious actors to gain access to given its physical air gap, and it only consumes energy while in use.Tape has also kept up with the times, now fully supporting object data. And it continues to prove to be adaptable, according to Matt Ninesling, senior director of tape portfolio management at Spectra Logic. Data management vendors such as Hammerspace are now extending their file systems to tape to better utilize the media as well.Another advantage of tape is that when looking at its roadmap, the production lines won't have to change in order to produce higher densities, Bertrand said.Tape has found a place for both cooler data such as backups and cold data such as archives, according to Rich Gadomski, head of tape evangelism for Fujifilm and a director of the Active Archive Alliance, which helps guide and implement modern active archive strategies. Once data goes cold, customers can't afford to keep it on spinning disk, which is where tape comes in.Different spinning disksBut estimates of persistent data that needs to be stored are increasing into the tens of zettabytes by the end of the decade, Gadomski said.To help tackle the growing archive needs, companies might want to consider alternatives."If what the prognosticators say is true, and we are faced with this incredible avalanche of data, it is not a bad idea to have other technologies," he said.Optical disk drives, commonly thought of in the form of Blu-rays, are one such example. Optical disks plateaued at a set layer count, limiting density until recently. In 2022, Folio Photonics unveiled a new fluorescent film that was capable of increasing the storage per disk from 128 GB per disk to 500 GB to 1 TB per disk, or 10 TB per disk pack. Folio, which hopes to bring its new technology to market before 2026, is targeted at $5 per terabyte, which would be lower than LTO.As Folio moves closer to a commercialization date, CEO Steve Santamaria isn't looking to replace tape outright. Instead, he's focused on specific use cases where things such as time to first byte -- the time it takes to access and retrieve the first bit of data stored -- and better random access to data are desirable. He also said hyperscalers are looking for different, cheap cold storage options."I think there's room for everybody," Santamaria said. "I really don't think it's a winner-take-all."Optical disk drives aren't without issue, according to Staimer. They are faster at random reads, but slower at sequential reads. Folio has shown speeds up to 365 MBps, while LTO-9 lists speeds up to 1,770 MBps. The infrastructure for tape libraries is common, while companies would have to invest in optical, and the density is currently lacking, he said."Hitting 1 TB per disk gives you 10 TB in a disk pack. Tape is significantly larger," Staimer said. An LTO-9 tape drive can hold 18 TB without compression.VIDEOThrough the storage glassGlass is becoming another alternative to tape. Microsoft's Project Silica uses femtosecond lasers to write data to quartz glass and "polarization-sensitive microscopy using regular light to read," according to Microsoft.Another company, Cerabyte, uses lasers to etch patterns into ceramic nanocoatings on glass. Ceramic is resistant to heat, moisture, corrosion, UV light, radiation and electromagnetic pulse blasts.Ceramic also has another advantage over tape: Its high durability leads to fewer refresh cycles, according to Martin Kunze, chief marketing officer and co-founder of Cerabyte, a startup headquartered in Munich."Tape has limited durability and needs to be either refreshed or all migrated onto new formats," Kunze said.This undertaking is expensive and time-consuming, he said.Kunze added that tape is vulnerable to vertical market failure. Western Digital is the only company manufacturing the reading and writing heads for tape."Assume there is a decision on the board: 'We don't [want to] run this company anymore because it doesn't bring in as much revenue,'" he said. The single point of failure could leave enterprises in the lurch.He sees another problem with tape -- it's stodgy."It's not sexy to work in tape," Kunze said, adding that younger generations of archive technologists are looking beyond tape and will bring innovative ideas to young, new tech.Storage in DNAOver the last 3.5 billion years, information has been stored in DNA, noted Murali Prahalad, president and CEO of Iridia."That tells you that if it's done right, under the right conditions, [DNA] is the perfected storage model," Prahalad said.Iridia is looking to release its DNA storage product as a service, which would be placed in a similar market to Amazon Glacier.Compared with tape, DNA has advantages similar to those of ceramic in that it needs fewer refresh cycles and can withstand harsh environments, although not to the same degree as ceramic or even optical drives. Prahalad also sees DNA as an addition to the archive market rather than as a way of replacing tape outright.Another DNA company, Biomemory, believes the data archive deluge will be so vast that it cannot be solved using current media, according to Erfane Arwani, its CEO and co-founder."Let's go for technologies that do not rely on electronics, but something else -- polymers," Arwani said.Biomemory currently sells DNA storage in the form of cards, at roughly $1,000 per kilobyte, but sees the price dropping in the future.Dragon Slayer's Staimer said DNA has a lot of potential because it is easier to replicate over copying a bunch of data to more tape drives, and it could be inexpensive over a long period of time. But performance is still an issue."It is very slow to read and very slow to write," Staimer said. "DNA will miss the AI boat because it takes too long to get the data out."The market of todayAs companies consider alternatives to tape, Staimer suggested they remember two things. First, that newer media types are still in the development phase, and how they'll work in production or how much they'll cost is not yet known. But, second, that every technology is at risk for replacement."Any technology can be superseded," Staimer said. "If you come out with a technology that matches the performance or is a lot cheaper and lasts longer, it will supersede tape."Adam Armstrong is a TechTarget Editorial news writer covering file and block storage hardware and private clouds. He previously worked at StorageReview.com.
November 27, 2023In What Could Be a Trend, Ransomware Operation Files SEC Complaint Against Victim for ...
Ransomware operation AlphV/BlackCat has filed a U.S. Securities and Exchange complaint against one of its alleged victims, MeridianLink, for allegedly failing to comply with the four-day rule to disclose a cyberattack. AlphV/BlackCat listed the software company on its data leak with a threat that it would leak allegedly stolen data unless a ransom is paid within 24 hours. MeridianLink provides digital solutions for financial organizations such as banks, credit unions and mortgage lenders.
November 28, 2023Cyberattack on US hospital owner diverts ambulances from emergency rooms in multiple states
Washington CNN — A cyberattack that diverted ambulances from hospitals in East Texas on Thanksgiving Day is more widespread than previously known and has also forced hospitals in New Jersey, New Mexico and Oklahoma to reroute ambulances, hospital representatives told CNN on Monday. All of the affected hospitals are owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states. Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year. It’s just the latest example of how the scourge of ransomware – which locks computers so hackers can demand a fee – has disrupted services at health care providers throughout the coronavirus pandemic. In a statement Monday, Ardent Health Services confirmed that a ransomware attack caused the disruption and that its facilities were “diverting some emergency room patients to other area hospitals until systems are back online.” Hospital facilities were also forced to reschedule some non-emergency surgeries. Patient care “continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent Health said on Monday. A nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident. “We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters. “Everything becomes a lot slower,” the nurse said, referring to the reliance on paper, rather than computers, to track things like lab work for patients. “We drill on that a few times a year, but it still sucks.” Chiara Marababol, a spokesperson for two New Jersey hospitals – Mountainside Medical Center and Pascack Valley Medical Center – affected by the hack, said the hospitals continue to care for patients in emergency rooms. “[H]owever, we have asked our local EMS systems to temporarily divert patients in need of emergency care to other area facilities while we address our system issues,” Marababol told CNN in an email. Officials with the federal US Cybersecurity and Infrastructure Security Agency (CISA) reached out to Ardent Health Services on November 22, the day before Thanksgiving, to warn the company of malicious cyber activity affecting its computer systems, a person familiar with the matter told CNN. Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company “to make us aware of information about suspicious activity in our system.” But that was after Ardent Health detected “an anomaly” on its computer systems on November 20 and “engaged additional external cybersecurity resources to investigate,” Roberts told CNN. On Thanksgiving Day, Ardent Health realized it was ransomware. A CISA spokesperson referred questions about the communications to Ardent Health. The outreach to Ardent Health was part of a program CISA began this year to try to warn organizations in critical industries that they risk falling victim to ransomware attacks unless they take defensive measures. CISA officials claim to have thwarted numerous ransomware attacks through the program. The broad fallout from the Ardent Health hack shows how cyberattacks that hit a parent company or key service provider can have cascading impacts on critical infrastructure operators such as hospitals. Cybercriminals, often based in Eastern Europe or Russia, have throughout the coronavirus pandemic repeatedly disrupted healthcare organizations across the US, locking computers and demanding a ransom. Many of the hacks have hit smaller health clinics that are ill-equipped to deal with the threat. And in the last nine months alone, other cyber attacks have resulted in ambulances being diverted from hospitals in Connecticut, Florida, Idaho and Pennsylvania. A 2021 study by CISA specialists found that a ransomware attack can hinder patient care and strain resources at a hospital for weeks, if not months.
November 23, 2023Offline backups are a key part of a ransomware protection plan - TechTarget
Ransomware is a major threat today, and it can be particularly harmful when it targets data backups. Offline backups are one method IT administrators lean on to protect against ransomware. Offline backups are stored on an isolated storage infrastructure that is disconnected from production applications and infrastructure, as well as from the primary backup environment. The result is an air-gapped backup copy that businesses can use for recovery in the event that the primary backup copy becomes compromised. Historically, an offline backup environment would be a good fit for data that requires less frequent access, such as long-term retention data, and data that is less business-critical. However, the simultaneous rise of cyber attacks and introduction of data privacy legislation have led to an increase in offline backups for mission-critical, frequently accessed data. While offline backup ransomware protection is an effective option, it is a complex process. Offline backups play a role in ransomware protection, and there are numerous paths to get there. Before deciding to use offline backups for ransomware protection, organizations must consider some key factors. The backup method's practicality, cost, effectiveness and ability to meet recovery objectives are critical to keep in mind. The longstanding approach to creating an offline backup environment is shipping backup copies to an off-site, disconnected tape storage location. Offline backup can be a complex and slow process The longstanding approach to creating an offline backup environment is shipping backup copies to an off-site, disconnected tape storage location. The problem with this approach is that today's IT operations teams are understaffed and significantly strapped for time, particularly in the area of cybersecurity. Many simply do not have the cycles to deploy and manage yet another infrastructure -- especially considering that the isolated infrastructure will require manual software updates to avoid security vulnerabilities.Another backup environment to protect and pay for A potential pitfall of these alternatives is infiltration of the isolated environment. As a result, the environment must be closely audited for network isolation, control over when the network connection is open, and role-based access to and control over the network and vault environment. In addition, IT operations staff must look for an option that has data immutability and indelibility. Immutability renders the backup copy read-only, so no one can make unapproved changes to the data. Indelibility inhibits the backup copy from being deleted before the conclusion of a dedicated hold period. These safeguards help protect against data exfiltration and corruption in the event that a malicious actor is able to access the isolated environment.Be aware of offline backup window and recovery time For any implementation, admins must consider the backup window. They must know how long it will take to complete the backups, as well as any potential lags or gaps between backup jobs. This fundamentally affects the business's ability to meet required recovery points. Also important to factor in is the required recovery time. Both the backup window and recovery time are largely dependent on the frequency and size of backups jobs, as well as how much data the organization backs up. VIDEO Can cloud backups be offline? New options are emerging that offer an operational isolation, such as hosting the data off site in the cloud or through a service provider. These methods require a network connection to production-facing portions of the environment in order to transfer the backup copy to the isolated environment. There are a few drawbacks to using the cloud for offline data backups. Since it is isolated, but not completely offline like tape libraries, the cloud is easier for a ransomware attack to reach. In addition, any cloud-hosted option is potentially subject to egress fees when data is recovered. This is important for IT operations staff to be aware of upfront because it is potentially a very expensive factor to overlook. Krista Macomber, senior analyst at Futurum Group, writes about data protection and management for TechTarget's Data Backup site. She previously worked at Storage Switzerland and led market intelligence initiatives for TechTarget.
October 09, 2023Autonomous Fleets Are Almost Here. Are They Safe From Cyberattacks? | Opinion
As our society transforms into a more connected world, an essential component of this shift is the need for safe and secure driving experiences on our roads. The recent hacking of a Tesla in under two minutes by France security firm Synacktiv demonstrates how serious a concern this is—attackers were able to breach the cyber controls of the vehicle to carry out a number of malicious acts, including opening the trunk of the vehicle while in motion and accessing the infotainment system.As more connected and autonomous vehicles (CAVs) and electric vehicles (EVs) hit the market, it is clear that manufacturing speed is outpacing security measures. The cybersecurity of vehicles is often overlooked in the auto rollout, even though the connected nature of modern vehicles makes them susceptible to hacking and other cyber challenges.The cybersecurity of a vehicle is vital—without it, serious injuries or even fatalities can occur. Imagine the above Tesla scenario but worse—a hacker takes control over the car and locks the doors while speeding up the vehicle on a highway. The driver or passenger of the car then gets a notification on his mobile phone asking for a ransomware in bitcoins—otherwise the hacker will crash the vehicle into the side of the road.This is an extreme scenario, but such a Ransomware 2.0 incident is possible today. The big question is—Are we ready to enable incident management for such auto cyber challenges?Another complicated part of this challenge is that the cyber risk is carried by the owner or operator of either individual vehicles or perhaps an entire EV fleet. The fleet could be made up of cars, buses, or trucks, and the necessary cybersecurity controls must be in place to enable greater cyber hygiene of these vehicles. As EVs are computers on wheels, the potential for a distributed denial of service (DDoS) attack on multiple vehicles could disable an entire fleet of vehicles on our roads. Imagine hundreds of delivery or critical service vehicles out of service and those potential repercussions.Fleets also depend on other critical systems to work. An Idaho hospital cyberattack earlier this year, where ambulances were diverted to other hospitals, demonstrates just how important it is to secure the entire vehicle ecosystem and not just the vehicle itself. This attack also allows us to imagine how serious it would be if the reverse scenario was true—What if the ambulance fleet itself was rendered inoperable?If that's not enough, think about the fragile state of our current supply chain and all the issues it has faced since the pandemic. Now imagine if a cyberattack was responsible for an entire delivery fleet to stall. The supply chain and transportation infrastructure would be totally crippled, leading to major economic disruptions.It is important to highlight that these cyber challenges multiply manifold as trucking fleets move to autonomous trucks and lead to questions around legal liability in case of any cyber incident.Data collection cannot be overlooked either. CAV and EV data is rich in personally identifiable information (PII) and might also contain other sensitive information such as payment card information or commercial data (such as fleet tracking and performance). Data governance regulations need to be implemented to secure the transmission and storage of this data to ensure privacy and compliance to legal and contractual obligations.A close-up of a self-driving car.Smith Collection/Gado/Getty ImagesAlthough there are generic cybersecurity mandates in many countries, jurisdictions must legislate automotive cybersecurity specific legislations for cars operating on our roads. Countries are actively exploring the best ways to move forward with vehicle regulation—there has been emphasis on ensuring automotive manufacturers enable cybersecurity in all future models, however, with regard to operations of EVs, policies and best practices are still, slowly, being developed and legislated.One area where more focus is needed is from an owner/operator perspective, both for individual users and for fleet owners. As consumers, we are concerned about the safety features of our new vehicle, but we do not ask any questions about the cybersecurity level of the car. There is a need for user awareness of the ordinary consumer on the criticality of cybersecurity for the smooth operations of the modern vehicle.Fleet owners need to ensure they have effective cyber controls in place. They should have an asset inventory of all the software on their vehicles and ensure that they are aware of vulnerabilities and breaches for these software applications. Furthermore, they should carry out active cyber risk assessments for any third parties that develop vehicle software.Finally, they must carry out real-time cyber monitoring of the vehicles and ensure that incident management processes are in place to mitigate against any adverse cyber events. Only by proactively enabling this holistic cyber governance can these fleet owners survive in this brave new connected world.AJ Khan is the founder and CEO of Vehiqilla Inc and a Catalyst Industry Fellow at Rogers Cybersecure Catalyst, Toronto Metropolitan University's center for research, training, and innovation in cybersecurity.The views expressed in this article are the writer's own.
October 09, 2023Bill for MGM Ransomware Attack Expected to Top $100 Million - CPO Magazine
MGM's ransomware attack in September is expected to have $100 million negative impact for Q3 due to cleanup costs and lost business.
October 10, 2023Q&A: Penetration Tester Shares Where to Make Healthcare Security Improvements
Cybersecurity incidents continue to grab headlines this year, from the MOVEit file-transfer vulnerability to LockBit ransomware attacks.As the threat landscape has grown in recent years, healthcare organizations have increasingly felt its damaging impacts. In Germany, for instance, a 2020 ransomware attack on a hospital redirected a patient away from the nearest hospital, resulting in a fatal outcome.“Hospitals have historically been seen as out of scope for threat groups in the past,” says Anna Quinn, security analyst and penetration tester at Rapid7. “Ransomware as a Service is picking up. Threat groups are becoming much less discriminating about who they attack. We’re not safe in our bubble anymore.”Healthcare organizations must also prepare for more targeted attacks from nation-state actors and other politically motivated groups, she adds.What can healthcare organizations do to improve their cybersecurity strategies? One immediate step: Turn on multifactor authentication, which has also been recommended by the Cybersecurity and Infrastructure Security Agency during Cybersecurity Awareness Month. Rapid7’s 2023 Mid-Year Threat Review found that 39 percent of incidents observed by the company’s managed services team were from missing or careless MFA.Quinn spoke to HealthTech about the importance of network segmentation, how to take advantage of pen testing and how physical security is connected to cybersecurity.Click the banner to get the expertise you need to strengthen your ransomware protection. HEALTHTECH: What are areas of focus healthcare organizations can target immediately to bolster their security? What about areas that require long-term efforts?QUINN: For both the short and long term, asset inventory and management is going to be one of the most effective things that you can do as an organization to make sure that you are protected. It’s not just knowing what devices you have but knowing where the devices live, both physically and on the network; knowing how many you have; what operating systems or firmware they're running; and when they were last updated.This is an extensive project for a lot of hospitals. There’s a lot of gear shifting around all the time. All of this makes it incredibly tricky to track, and it makes asset inventory even more critical, because it can be so easy to lose track of what you have, and that can allow an attacker to potentially find untracked and unpatched devices and get further into the network.In the long term, I would suggest investing in strong network segmentation. As a security or network engineer entering a healthcare organization, you will often notice that the network doesn’t have a lot of strong segmentation, and in some cases you may inherit a network that requires a lot of updating. Unfortunately, there isn’t always the funding to support large-scale infrastructure revisions, which can really impact things long-term. It can be costly to get a network into a completely segmented and safe position. But that's one of the biggest contributors to making sure that you are going to be safe as an organization.Strong network segmentation can help mitigate the risks of any breaches that occur. With proper segmentation, for example, you can make sure that your dialysis machines are on their own network and segmented away from everything else. You can make sure that your lab equipment and similar devices are secured away, so that in the worst-case scenario, if you do get hit by ransomware, the ransomware will not deploy to those particular specific networks. That can save lives.DISCOVER: Answer your questions about identity-related vulnerabilities and segmentation.HEALTHTECH: Why should healthcare organizations conduct regular penetration testing? How should they approach pen testing? What are some common misconceptions?QUINN: Healthcare organizations should conduct regular pen testing to find and cut off any paths that an attacker might be able to find within their networks. More and more, it’s a prerequisite that we assume that a breach has already occurred in our organization, regardless of whether it was accomplished through phishing, an exploit or an insider threat. It becomes imperative that we address the network as though it has already been compromised and that we find out how an attacker could compromise further systems or cause damage to the environment through such access.One common misconception is that pen testing and vulnerability scanning are the same thing. The biggest differentiators that we have between pen testing and vulnerability scanning is that vulnerability scanning will find vulnerabilities within the network, but it won’t chain those together and create an attack path.Say that you have a server that has a known exploit against it: The pen tester could actually exploit that vulnerability, chain that with other discovered misconfigurations or vulnerabilities, and gain access to systems that you believed would be secured. Meanwhile, a vulnerability scan will simply tell you about that vulnerability. That’s why it's important to do pen testing: to see what additional compromise can happen should a system become compromised.It’s easy to review a vulnerability scan against our network and say that we’re all patched, we’re all up to date, we should be safe. But without that verification and manual testing, there could be additional vulnerabilities that an attacker can exploit to cause an extensive compromise of your environment. Active Directory in particular has quite a few misconfigurations and vulnerabilities that could lead to a compromise, and these don’t tend to be caught by the typical vulnerability scanner.Pen testers are there to help. Many businesses see preparing for a pen test as preparing to either succeed or fail as a security team. But that’s not the approach that’s most conducive to a good test. What we should be trying to accomplish in pen testing is to have a known party find these vulnerabilities for you. You want them to find all of your vulnerabilities; you want them to find attack paths that could be abused. If we do not find them on our side, an attacker will, and the attacker is not going to have the same mindset that we have when we approach it. They are going to be looking to cause damage. They’re going to be looking to exploit those systems to extort anything they can get from you or bring you down. HEALTHTECH: What are the top lessons you’ve learned in your experience as a pen tester that you can share with other healthcare organizations?QUINN: A flat network, as we call it, could be something where, if I had gotten onto a workstation, I could contact most other servers or devices on that network, and I could attack those. It makes it incredibly easy for an attacker to move around the network.I’ve had healthcare facilities that I’ve tested that had relatively flat networks. In one case, I was able to get into the virtual sitter systems and view patients in their rooms. I could access patient data because the computers on the floor did not have adequate segmentation. This allowed me to sign in with breached credentials, and I was able to get into their Epic system and access patient data.In addition to that, MFA is a massive security factor that needs to be implemented. Implementing MFA, while it can be a bit of a cost to a company, can drastically decrease the risk of breach.Last, I would say that cybersecurity and physical security are actually very closely linked. And it’s not just whether you can get to critical systems. It’s whether an actor can get to a network jack that hasn’t been properly decommissioned, and in doing so, connect to the network and gain access through that. It is whether an attacker can get into your facility and potentially implant devices to call back to C2 servers and compromise your network. Having strong physical security controls and access restrictions in the hospital is incredibly important.Strong physical security and policies around device removal can also prevent access to sensitive wireless networks, which may otherwise be properly secured. One of our lead researchers, Deral Heiland, recently performed extensive tests against medical pumps, discovering that many of them still contained Wi-Fi passwords for medical centers around the country after being decommissioned and recycled. If an attacker can gain access to such passwords, they can get onto protected medical device networks and cause a significant operational impact.READ MORE: How can healthcare organizations grow with smarter backup strategies?HEALTHTECH: When it comes to conversations about combating ransomware in healthcare, what do you think is missing from the conversation? Where should people focus?QUINN: It’s funding. It can be quite costly to perform some of the actions that I’ve recommended here, especially when you’re doing network or infrastructure upgrades at scale. It can be costly as well to increase your workforce for security, whether physical or cyber. It is a difficult battle at times for security teams to justify making such sizable cost investments when executives and board members don’t see the work put in to prevent significant cyberattacks. It’s definitely a pain point for a lot of organizations that I’ve worked with. I’ve worked with a few facilities that have skeleton crews of two or three people doing the best that they can. We need more people for stronger security. We need funding and we need people to help fight on these front lines. The goal is to help people and to save lives, and we all need to invest in that if we truly believe in that mission. Getty Images: filo (bubble graphics, icons), bounward (icons); Streamline (icons)
October 11, 2023Second Annual Ponemon Institute Report Finds That Two-Thirds of Healthcare ... - Yahoo Finance
Proofpoint, Inc.The average total cost of a cyber attack experienced by healthcare organizations was nearly $5 million, a 13% increase from the previous yearSUNNYVALE, Calif., Oct. 11, 2023 (GLOBE NEWSWIRE) -- Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, today released the results of their second annual survey on the effect of cybersecurity in healthcare. The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023,” found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyber attack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year.Among the organizations that suffered the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)—an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates. These numbers reflect last year’s findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyber attacks on patient safety and wellbeing.The report, which surveyed 653 healthcare IT and security practitioners, found that supply chain attacks are the type of threat most likely to affect patient care. Nearly two-thirds (64%) of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result (an increase from 70% in 2022). BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).“For the second consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Our findings also show that more IT and security professionals view their organization as vulnerable to each type of attack, compared to 2022. These attacks are also putting an even greater strain on resources than last year—costing on average 13% more overall and 58% more in the time required to ensure the impact on patient care was corrected.”Other key findings of the report include:Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it are on the decline: 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year. The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year. However, the average total cost for the highest ransom payment spiked 29% to $995,450. Further, 68% said the ransomware attack resulted in a disruption to patient care, with most (59%) citing delays in procedures and tests that resulted in poor outcomes.All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data within the past two years: 43% of respondents say a data loss or exfiltration incident impacted patient care; of those, 46% experienced increased mortality rates and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).Concerns about supply chain attacks declined, despite these attacks significantly disrupting patient care. Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations’ supply chains were attacked an average of four times and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year’s 70%.Healthcare organizations feel most vulnerable to and most concerned about cloud compromise. Seventy-four percent of survey participants view their organization as most vulnerable to a cloud compromise, on par with last year’s 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.BEC/spoofing concerns increased significantly. The number of respondents concerned about BEC/spoofing jumped to 62% from last year’s 46%. More than half (54%) of organizations experienced five of these types of incidents on average. The growing concern may reflect the finding that BEC/spoofing attacks are more likely than others to result in poor outcomes due to delayed procedures (71%), increased complications from procedures (56%), and lengthier stays (55%).Low preparedness against BEC/spoofing and supply chain attacks puts patients at risk. Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.Lack of in-house expertise and insufficient staffing an even bigger challenge than before to cybersecurity posture. Respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization’s cybersecurity posture from being fully effective, and more organizations feel this challenge this year: 58% noted lack of expertise as a challenge vs. 53% in 2022, and 50% identified insufficient staffing vs. 46% last year.“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”To download Cyber Insecurity in Healthcare: The cost and impact on patient safety and care 2023, please visit: https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-reportFor more information on Proofpoint’s healthcare solutions, please visit: https://www.proofpoint.com/healthcareAbout Proofpoint, Inc.Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTubeProofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.PROOFPOINT MEDIA CONTACT:Estelle DerouetProofpoint, Vap.email@example.com
October 11, 2023Exploitation Accounts For 29% of Education Sector Attacks - Infosecurity Magazine
The education sector has been confirmed as a prime target for threat actors, with 29% of attacks originating from vulnerability exploitation and 30% from phishing campaigns on K-12 schools in 2023.The figures come from the latest report by Critical Start, a Managed Detection and Response (MDR) cybersecurity solutions provider.The firm’s biannual Cyber Threat Intelligence Report, published earlier today, sheds light on noteworthy cyber-threats and emerging trends affecting various industries, including finance, education manufacturing and state and local government.One of the key findings in the report is the increasing use of Quick Response (QR) codes in phishing attacks. In these attacks, cyber-criminals disguise themselves as Microsoft security notifications and embed QR codes within PNG images or PDF attachments to deceive victims.Read more on QR code-based attacks: QR Code Campaign Targets Major Energy FirmThe report also revealed that ransomware groups are collaborating more extensively than previously thought, sharing tactics and procedures in greater detail. Critical Start believes this cooperative approach among threat actors emphasizes the evolving nature of the cybercrime landscape.Another notable security concern is related to Microsoft Teams, which allows external accounts to send harmful files directly to an organization’s staff, potentially bypassing security measures and anti-phishing training. This increases the risk of successful attacks.The report also discussed the actions of Volt Typhoon, a threat actor sponsored by the Chinese state, who is likely to continue carrying out cyber-espionage campaigns in support of China’s broader government agenda against US critical infrastructure.“The volume and sophistication of cyber-attacks is continuously growing and evolving, making it impossible for organizations to feel on top of internal vulnerabilities and remain cognizant of every external threat,” said Callie Guenther, senior manager of cyber-threat research at Critical Start. “To democratize cyber threat intelligence, this report highlights the most prominent security-related issues plaguing business and how they can proactively reduce cyber risk.”
October 11, 2023Most CISOs confront ransomware — and pay ransoms | Cybersecurity Dive
The odds of a CISO encountering a major cyberattack are about as high as it can get with 9 in 10 CISOs reporting at least one disruptive attack during the last year, according to Splunk research released Tuesday.Almost half of the 350 security executives surveyed said their organizations were hit by multiple disruptive cyberattacks during the last year.Ransomware accounts for many of these attacks. Almost every survey respondent, 96%, reported a ransomware attack and more than half experienced a ransomware attack that significantly impacted business operations and systems, the report found.The number of ransomware attacks confronted by organizations has a direct correlation with the frequency with which ransoms are paid. More than 4 in 5 CISOs surveyed said their organization paid the ransom.At that level of ransom payment activity, CISOs have to operate under the assumption that ransom payments are effectively part of the job.“CISOs have a duty to anticipate ransoms and also implement them in their budgeting for cyber insurance,” Ryan Kovar, leader of Surge, Splunk’s blue team security research team, said via email.“Minimally, they need to have a plan before they get ransomed that places them in a position of strong resilience,” Kovar said.Ransoms payments are part of the jobThis high rate of ransom payments, which can fuel cybercriminal activities, underscores why the U.S. government and some of its allies floated a potential ban on ransom payments earlier this year.“Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said at a May event hosted by the Institute for Security and Technology.A ban against ransom payments would represent a major shift in strategy, opening up a new and complicated measure to counter financially motivated threat actors.The Biden administration, as recently as September 2022, decided against an outright ban on ransom payments. Instead, cyber authorities strongly encourage organizations not to pay.The financial implications of ransom payments vary widely, according to Splunk’s report. Most organizations paid ransoms under $250,000, but nearly 1 in 10 paid ransoms over $1 million.“That’s a lucrative business for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material,” Splunk researchers said in the report.
October 12, 2023Simpson Manufacturing Takes Systems Offline Following Cyberattack - SecurityWeek
Engineering and manufacturing firm Simpson Manufacturing says it has taken some of its IT systems offline following a cyberattack this week.Headquartered in Pleasanton, California, Simpson Manufacturing produces building materials, including anchors, connectors, and new construction and retrofitting materials.In an 8K-Form filing this week, the company told the Securities and Exchange Commission that, on Tuesday, it discovered a cyberattack that impacted some of its systems.“On October 10, 2023, Simpson Manufacturing Co., Inc. experienced disruptions in its Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident,” the company said.Upon discovering the malicious activity, the manufacturer took steps to contain the incident, “including taking certain systems offline”.Simpson Manufacturing says it has been working on addressing the issue, but the incident is expected to continue to cause disruption to parts of its business operations.“The company has engaged leading third-party cybersecurity experts to support its investigation and recovery efforts. The investigation to assess the nature and scope of the incident remains ongoing and is in its early stages,” Simpson Manufacturing says.Advertisement. Scroll to continue reading.Although the company did not provide information on the type of cyberattack it has experienced, taking systems offline is typically the response to a ransomware attack.SecurityWeek has emailed Simpson Manufacturing for a statement and will update this article as soon as a reply arrives.According to a July 2023 report from Dragos the number of ransomware attacks targeting industrial organizations and infrastructure has doubled over the past year, mainly fueled by a drop in ransomware revenue in 2022, as more and more victims refused to pay a ransom.In January, British manufacturing company Morgan Advanced Materials fell victim to a ransomware attack that damaged some of its applications and file systems. In August, the company told the London Stock Exchange that some applications were still being recovered and that the incident had a £23 million (approximately $28 million) impact on the first half of 2023’s operating profit.Related: MGM Resorts Says Ransomware Hack Cost $110 MillionRelated: Motel One Discloses Ransomware Attack Impacting Customer DataRelated: Johnson Controls Ransomware Attack Could Impact DHS
October 12, 2023Making Sense of the 2023 Ransomware Landscape - Security Boulevard
Ransomware actors thrive in a fluid and dynamically changing business ecosystem and times of radical upheaval, and that’s what they’ve gotten since Russia’s invasion of Ukraine. While the notorious Qakbot botnet, linked to more than 40 ransomware attacks over the past 18 months, was recently dismantled, plenty of new threat actors and their affiliates remain.Understanding the current ransomware landscape is the first step to helping defenders protect their organizations. With this goal in mind, DomainTools researchers analyzed the most prolific ransomware families and the challenges they present in 2023.Here are some of the most important trends they identified:LockBit–and the Ransomware-as-a-Service (RaaS) Model–is ThrivingLockBit is now the most deployed ransomware variant in the world. Their operation has brought in about $91 million in ransom payments from U.S. victims alone since its first reported attack in January 2020.The creators behind LockBit 2.0, which recently turned 3.0, have experienced tremendous success over the last few years, leveraging the now well-established ransomware-as-a-service (RaaS) model in its pursuit of riches. In spring 2023 alone, LockBit 3.0 was used in the attack of over 300 organizations compared to just over 100 victim organizations by its closest competitor, AlphVM. They show no signs of slowing down. The group has been actively advertising its services within popular darknet forums to recruit affiliates and expand its market share. It even launched its own bug bounty program with remuneration amounting to as much as $1 million, enough to rival the programs of legitimate businesses and government authorities. In short, LockBit exemplifies just how well-oiled of a machine the ransomware trade has become.As the marketplace continues to mature, we’ll see it become increasingly commodified and competitive. Just as with regular consumers, affiliates will have the opportunity to browse and negotiate better terms, service, and/or support from their RaaS provider. The competitive nature of the RaaS model could lead to higher-quality ransomware products, making the lives of defenders that much more difficult.Mayhem in the Cybercriminal Underworld Creates Mayhem in Defense StrategiesIn early 2022, cybersecurity defenders also had to contend with the gang Conti. The group eventually disbanded in May 2022 due to internal discord over geopolitical events, demonstrating once again that they do not exist within a vacuum. Conti had publicly announced its support for Russia days after the invasion of its neighboring country, leading a Ukrainian member to leak masses of the group’s internal documents and data in retaliation; now dubbed the “Conti Leaks,” leaving room for the AlphVM and CL0P syndicates to grow their operations. The dissolution of Conti has also given rise to new players like Royal, Black Basta, Karakut and Quantum, made up in part of old Conti members. Of note, the former two players have already begun to make their mark, standing among the Top Five Ransomware Groups by Victimology for Spring 2023.All of this movement has made it harder for defenders to determine who’s who. Where in the past, the infrastructure, code bases and TTPs – or tactics, techniques and procedures – may have once been relatively unique to each group, the lines have now blurred as gangs disperse, reshuffle, and reorganize. Consequently, it is only going to become increasingly vital that organizations work alongside reputable companies that can provide accurate threat intelligence.Crackdown on Payments Leads to Attacks on Vulnerable IndustriesLast but not least, the past year has seen significant disruption to the services that ransomware gangs use to finance their operations. This includes the closure of unlawful cryptocurrency exchanges and the sanctioning of individuals tied to cybercriminal groups. What’s more, victims are less likely to pay up on ransom demands due to a combination of factors: better security posture and preparedness among companies with backups, reluctance among insurance companies to settle claims, and general expert opinions advising against taking such action. In fact, Chainalysis’ report noted a significant drop in ransoms paid, falling from $766 million in 2021 to $457 million in 2022. To combat this, it seems some criminal groups are turning their attention to healthcare, IT services and government administration—industries that have, historically, been underfunded, but who are also under heightened pressure to pay and restore services quickly to mitigate the impact to people’s lives and livelihoods. Healthcare, in particular, has been hard hit, having moved up to the second most targeted industry in 2023.What’s NextWe are facing a ransomware landscape that is only becoming more sophisticated as commoditization drives business innovation among cybercriminal groups. Add to this a muddying of the waters as gangs disband and reform, using a pick-and-mix of TTPs, infrastructure and code bases, as well as a rising trend among threat actors to target vulnerable industries as a way of compensating for reduced payouts. These trends pose a significant challenge for defenders. Organizations must be diligent about maintaining their defense-in-depth and work collectively with the most current threat intelligence to identify new trends and techniques in order to stay one step ahead of these motivated threat actors.
October 17, 2023Rising AI-Fueled Phishing Drives Demand for Password Alternatives
Online phishing scams are becoming more frequent and more sophisticated, according to the Online Authentication Barometer, published by the FIDO Alliance on October 16, 2023.When asked about phishing attacks, over half (54%) of respondents to the FIDO Alliance survey said they have seen an increase in suspicious messages and scams. Meanwhile, 52% believe phishing techniques have become more sophisticated, likely due to threat actors leveraging AI to create phishing schemes and deploy phishing campaigns.“Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person,” reads the report.Passwords Still Dominant Across Use CasesThe FIDO Alliance found that password usage without two-factor authentication (2FA) is still dominant across use cases.The survey showed that people enter a password manually nearly four times a day on average, or around 1280 times a year.Vulnerable passwords are particularly used to log on to a work computer or account, with 37% of respondents using this method instead of multi-factor authentication (MFA).Andrew Shikiar, executive director and CMO at FIDO Alliance, commented: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions […], rather than iterating on ultimately flawed legacy authentication like passwords and one-time passwords (OTPs).” The negative impact caused by legacy user authentication was also revealed to be getting worse. Nearly six in ten people (59%) have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year.Read more on Infosecurity Europe: The Dark Side of Generative AI – Five Malicious LLMs Found on the Dark WebBiometrics Tops MFA Options, Passkeys Use Is GrowingWhen given the option, users are willing to adopt some of the “non-phishable and frictionless solutions” Shikiar said.Biometrics ranks as the top MFA solution as it is both the preferred method for consumers to log in and what they believe is the most secure.Speaking with Infosecurity, Roger Grimes, a data-driven defense evangelist at cybersecurity awareness company KnowBe4, praised the shift from password to MFA solutions.However, he warned that “not all MFA, and especially not all biometrics solutions, are resistant to phishing techniques. That’s why cybersecurity organizations should promote the use of phishing-resistant MFA, such as FIDO-enabled MFA methods.”The survey showed that one of these FIDO-enabled methods, passkeys, has grown in consumer awareness, rising from 39% in 2022 to 52% today.Its use has been publicly backed by many big players in the industry, such as Google, Apple and PayPal.Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,010 consumers across the UK, France, Germany, the US, Australia, Singapore, Japan, South Korea, India and China.What Is the FIDO Alliance?The Fast IDentity Online (FIDO) Alliance is a non-profit organization created in 2013. It has been responsible for developing and maintaining FIDO standards, a set of open, standardized and authentication protocols.FIDO authentication is based on public key cryptography, which is more secure than password-based authentication and is more resistant to phishing and other attacks.FIDO authentication is supported by a wide range of web browsers, operating systems, and devices. This makes it easy for users to adopt FIDO authentication without changing their hardware or software.The latest FIDO protocol, FIDO2, was jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C).“The FIDO Alliance is doing an amazing job at maintaining these authentication standards, and offers a FIDO certification,” said Grimes, who maintains a list of phishing-resistant MFA options.
October 06, 2023CDW data to be leaked next week after negotiations with LockBit break down - Theregister
CDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over the ransom fee broke down, a spokesperson for the cybercrime gang says.Speaking to The Register, the spokesperson, who uses the alias LockBitSupp, implied that during negotiations CDW offered a sum that was so low it insulted the crooks."We published them because in the negotiation process a $20 billion company refuses to pay adequate money," the source said. "As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no longer in progress. We have refused the ridiculous amount offered." LockBit did not respond to questions relating to what its original ransom demand was or what CDW offered in the negotiations. It also shirked questions concerning the nature of the data stolen and what methods it used to breach the company.According to the countdown timer on LockBit's victim blog, CDW's files are scheduled to be published in the early hours of the morning on October 11. CDW has yet to comment on the incident, which appears to have been ongoing since at least September 3, when the company was first posted to LockBit's blog.The Register has contacted CDW for clarity but the company has not offered a response.Its automatic email reply reads: "Thank you for contacting CDW. Your inquiry has been received and will be reviewed. Should there be a fit or an interest in engaging further, we will be in touch as soon as possible." The UK Information Commissioner's Office (ICO) confirmed that it had not received a breach report from CDW.Cybersecurity analyst and researcher Dominic Alvieri said the company was technically posted to LockBit's blog three times in total. It was originally "flashed" – a tactic involving the quick posting and deletion of a company to encourage a fast response from the victim."When deadlines come and go it is a sign the company is negotiating or has at least acknowledged the incident," he said."The repost is usually the final stages. The ransoms process can take weeks/months."Posting a company to a victim blog multiple times isn't something that happens in every case but it is a known aggressive tactic adopted by ransomware groups to hurry negotiations, experts told The Register."Ransomware groups are ramping up their tactics in forcing victims to pay quickly and this is all part of their business model to extort more money in a timely fashion from their targets," said Jake Moore, global cybersecurity advisor at ESET. "LockBit has previously used pressure tactics to force other victims of their attacks in order to speed up ransom negotiations to ultimately pay up and with varying success."There is always a chance, however, that this is a tactic used to force their victims' hands to act quickly yet no real substance be in the original claim."This is the common gamble played between cybercriminals and their victims where one wrong move and a poker face could cost companies huge amounts in ransom payments and more problems thereafter from leaked data in public view."One historical example of LockBit setting deadlines and not dumping the stolen data was during the attack on Royal Mail International earlier this year.The deadline was set for February 13 and no data was published. A day later, instead of making Royal Mail International's stolen data public, LockBit posted the full negotiation history between it and the company in the form of a downloadable chat log.The chat logs revealed the ransom demand was originally set at $80 million, later offering a 50 percent discount after the company branded the demands "absurd."At the time, the release of the chat logs was seen as an example of these scare tactics. After Royal Mail's continued refusal to pay, LockBit eventually staggered the publication of its data, much of which included employee information, in 10 separate dumps.The UK's National Cyber Security Centre (NCSC) has a longstanding stance against paying ransoms to cybercriminals.In a study by security company CyberEdge, it was found that less than half of businesses paying ransoms recover all of their data.In the Royal Mail negotiations, the transcript shows the negotiator attempting to convince LockBit to hand over two files as proof the criminals' decryptor worked.LockBit realized after a few days that the two files would have allowed Royal Mail to fully recover its systems without paying for the decryptor.Towards the end of the negotiations, where Royal Mail appeared to stall LockBit for as long as it could by saying it was waiting for its board to decide on whether to pay the discounted ransom fee, LockBit grew frustrated with the tactics and published the data after days on non-responsiveness from Royal Mail.LockBit's lies, and other strange tacticsOver the years, LockBit has been accused of orchestrating various "PR stunts" to cause confusion and raise its notoriety level.These have included "fake" ransomware attacks on large organizations, posting their details to LockBit's website along with a countdown timer to indicate the publication date of the stolen files, just as it does with genuine victims.One such example came in June 2022, when it claimed to have breached incident response specialists Mandiant. In typical fashion, the countdown timer spent days reaching zero, and what was published wasn't the data it claimed to have stolen from the company, but instead a response to claims that the group was linked to the sanctioned cybercrime outfit Evil Corp."The PR stunt was likely orchestrated by LockBit because an association of their activities to Evil Corp could have financially devastating consequences for their operations," said ReliaQuest in a blog post. "Paying ransoms to these cyber threat groups is still not illegal in most countries; however, a formalized association with Evil Corp would render those payments potentially out of the law, with significant civil and criminal implications for the organizations involved in them. "Given that LockBit is one of the most prolific ransomware groups in activity at the moment, it is likely that they intend to continue their highly successful and profitable ransomware operations for the following months."LockBit repeated the same trick later that year, this time against French multinational IT company Thales. Although in Thales's case, it was only half fibbing.At the time, Thales's public statements repeatedly denied evidence of an IT intrusion, but on November 10, 2022 – three days after LockBit promised to publish its data – Thales confirmed that data had been stolen and published.However, it said the theft was carried out by "two likely sources," one of which was "confirmed through the user account of a partner on a dedicated collaboration portal," and the other was unknown. ®