December 02, 2022
Unstructured data not exempt from compliance requirements - TechTarget
Compliance regulations put the pressure on organizations to retain and manage data or else risk heavy fines. Unstructured data, as messy as it can be, is not exempt from such requirements.

Organizations should evaluate their backup and data protection strategies with an eye toward unstructured data compliance. As a general rule, regulated organizations should use a continuous data protection tool to back up unstructured data any time it is modified. Data retention is a huge part of unstructured data compliance. An organization must enable versioning support to make sure all previous versions of a file are retained within the organization's backups for as long as required by law. Determining which compliance regulations an organization must meet should help drive backup and data protection strategy.

Meeting different compliance requirements

One of the biggest challenges associated with unstructured data compliance is that not all of an organization's data is subject to the same rules. The healthcare industry has numerous examples of this issue. Institutional social media content, medical notes, X-rays and recordings of patient therapy sessions are all examples of unstructured data; weight measurements and lab results are examples of structured data. Many healthcare providers have file servers that contain a variety of different files. If any of those files contain personally identifiable protected health information, then those files unquestionably fall under the HIPAA data retention and protection requirements. However, HIPAA does not apply to anonymized data. If a document contains medical data that has been stripped of personally identifiable information in a way that makes it impossible to trace the data back to specific patients, then the HIPAA requirements do not apply to that document.
Similar examples abound in the business realm. For example, HR departments hold a mix of personal unstructured and structured data governed by various compliance requirements.

Organizations deal with varying retention and protection requirements in different ways. Some simply apply the same policies to all of their data, whether doing so is required for a particular file or not. This approach ensures nothing slips through the cracks. Other organizations use a system of tagging to determine the rules that apply to a given file. The idea is that when a user creates a file, they attach one or more tags to it. Back-end software uses these tags to determine the file's lifecycle, its retention policy and how the file is to be backed up. The biggest barrier to this approach is that many file servers do not natively support tagging. An organization might need to invest in third-party software or migrate its unstructured data to another platform, such as Microsoft 365, Microsoft SharePoint or Komprise Intelligent Data Management.
November 18, 2022
How to Launch a Green Computing Initiative That Really Makes a Difference
Green computing initiatives are now widely viewed as the way IT can contribute to building a cleaner and healthier global environment. Green initiatives don't usually differ significantly from other business initiatives, says Sheila Patel, vice president, sustainability and business technology, North America, at Capgemini Invent, a unit of business advisory firm Capgemini. “They must start with a vision or definition of a desired future state, which in the sustainability space takes the form of commitments to reducing the environmental impacts of doing business.”

Start With Baselines

Patel suggests launching a green computing initiative with a deep analysis of the organization’s current IT infrastructure and practices. If conducted with sufficient structure and rigor -- spanning processes, practices, and infrastructure lifetimes -- this baselining activity should uncover the hotspots disproportionately contributing to the enterprise’s computational footprint. “These hotspots become the targets for future action,” she says.

The next step should be assessing and identifying the most important issues. “Recognize that issues material to your enterprise and employees may be different,” cautions Corie Pierce, vice president, external communications, and sustainability at NTT Data Services. “For example, organizations may prioritize reducing risk related to climate change, while their employees may be more concerned about safe working conditions,” she explains. “With this understanding, you can identify near- and long-term objectives for your green computing initiative and how to measure and report them to your stakeholders to gain buy-in and support.”

Enterprises that have already created an environmental, social, and governance (ESG) program may wish to review their existing goals to determine how IT can best support them with a green initiative.
“If your organization does not have a program in place, you can begin by thinking about how and where IT can initiate a program to reduce greenhouse gas (GHG) emissions, reduce waste, and recycle,” says Kathy Rudy, chief data and analytics officer with global technology research and advisory firm ISG.

Measuring Waste

Power consumption, refrigerants, and e-waste are the areas targeted most frequently by IT green initiatives. An important first step is measuring the baseline. “There are numerous software tools and templates available to define the areas to measure,” Rudy says. With a data center, for example, it's necessary to determine the amount of energy required to cool the center, as well as the type of energy that's supplying the power, such as coal, gas, nuclear, wind, solar, or a combination of several sources. “If you're working with a supplier to provide data center services, ask it for an overview of the emissions produced to support your organization,” she advises.

IT leaders should also consider how they handle e-waste disposal to determine if they need to create a policy or modify an existing one. “The inventory should also extend to devices used in offices and their power consumption,” Rudy notes.

Read the rest of this article on InformationWeek.
November 18, 2022
How to Address the Ransomware Threat to SaaS Data | Transforming Data with Intelligence
Protecting SaaS data is no easy task, but these three simple steps will help you get started.
By Rémy Claret, November 18, 2022

Modern businesses depend on digital technologies, and increasingly the software and data they rely on to run even day-to-day operations is no longer on premises but in software-as-a-service (SaaS) solutions. Critical SaaS applications now include everything from CRM platforms to office suites and even ERP platforms.

However, despite how much even very large organizations rely on these SaaS platforms and the data they hold, there’s still a large gap in data protection compared with traditional, on-premises data. It’s shocking, but a significant number of large organizations assume, not without reason, that the SaaS provider will protect their data from cybercriminals. SaaS vendors have a vested interest in providing a secure infrastructure, and most invest heavily to ensure that their services are not compromised. Nearly all SaaS providers operate on a shared responsibility model in which the provider takes responsibility for the infrastructure, but customers are ultimately responsible for their data. With so much enterprise data moving into SaaS platforms, cybercriminals, who are ultimately opportunists, are now frequently targeting SaaS data.

Survey: More Than Half of Ransomware Attacks Target SaaS Data

Odaseva recently conducted a global survey of decision makers who work with enterprise data, and 51 percent of them said their SaaS data had been targeted in a ransomware attack within the last year. What’s more, in more than half (52 percent) of these attacks, cybercriminals succeeded in encrypting SaaS data, a higher success rate than they had for on-premises, cloud, and endpoint data. The survey results show that organizations are not protecting SaaS data as strongly as other categories, given that SaaS data was encrypted more often.
That’s not all the results show; there’s also a huge gap in how much data organizations were able to recover. Organizations were least likely to be able to recover all of their SaaS data following a successful ransomware attack, with just 50 percent saying they were able to do so. With traditional on-premises data, 81 percent said they were able to fully recover everything. Given that fewer than three in 10 (28 percent) of the data decision makers surveyed said they were “very confident” that they could recover after a successful ransomware attack on their SaaS data, these results are not surprising. In fact, just 43 percent of respondents said that their organizations backed up all their SaaS data. That leaves 57 percent of respondents with unprotected SaaS data, which is far, far too many.

Defending Against Ransomware Attacks on SaaS Data

Protecting SaaS data, however, is not a simple task. Unlike on-premises data, IT does not control the software or systems in which SaaS data is housed, so it must rely on the provider's APIs to back up and restore. These APIs have different functions and capabilities; some data can only be read through one API and can only be written through another. The APIs also have hard caps on how much a single customer can use them over a 24-hour period, to ensure that everyone has access, and, of course, they’re vital for many other functions aside from data protection. Managing their use is extremely complex, and this is just one of the many intricacies of SaaS data protection.

The first step is to ensure that access to SaaS data is properly secured. It’s extremely unlikely that SaaS data will be compromised by cybercriminals via an attack on the SaaS infrastructure itself. More likely, it will involve compromised credentials, leaked API credentials, or malware. Do not rely on a simple username and password for access. Passwords can be cracked by brute force or even guessed, if a user has created one that is particularly weak.
They can also be compromised through malware and phishing attacks. Simply put, a password alone is a single point of failure. Instead, organizations should require multifactor authentication for SaaS data access.

Next, organizations need to audit their SaaS applications and data so they have a clear understanding of what’s mission-critical and what needs to be protected. With this understanding, organizations can find a secure service that meets their recovery time and recovery point objectives (RTOs and RPOs). There are three basic options. Free solutions do exist, but these can be time-consuming to implement, typically come with minimal or no support, and are meant to handle low volumes and simple data structures. Developing a solution in-house is also not a good choice for most organizations if a market solution exists. Certainly, this option provides maximum flexibility and control, but very few organizations have the skills and expertise to build a solution that can protect all the data while meeting RPOs and RTOs. Even if they do possess the requisite skills, building the data protection solution will still be a complex, expensive task, and it may be difficult to justify dedicating the necessary internal resources if a strong market solution is already available. A market solution from a third party with specific expertise in the SaaS platform lets internal resources focus on projects that increase value to both customers and employees while providing strong protection.

Finally, SaaS data backups must be encrypted, both in transit and at rest. After all, the information contained within these backups is valuable, or the organization wouldn’t bother protecting it. Encryption protects that data in the event an unauthorized party gains access to the backups.

A Final Thought

Ransomware is no longer just a threat to on-premises data. The more organizations depend on SaaS platforms, the more cybercriminals will target them for attack.
IT must take stronger measures to protect it. About the Author Rémy Claret is a co-founder and CMO at Odaseva. Rémy has spent over 20 years in the tech industry, including product marketing and sales engineering at enterprise software companies, where he launched and took cloud-based products to market. Rémy has worked for Genesys, Atos, and Schlumberger, where he led customer experience transformation programs for major accounts. He holds a master’s degree in engineering from the French National Institute of Telecommunications and a master’s degree in marketing and sales from the Paris Sorbonne Business School. You can reach Rémy on LinkedIn.
November 18, 2022
Ransomware-as-a-Service Market Now Highly Specialized
Services Include Subscription Models, Bug Bounties and High-Paying Jobs
Anviksha More • November 18, 2022

The criminal underground market for ransomware services is now specialized to the point where almost every step of the infection and extortion chain can be outsourced to contractors, cybersecurity firm Sophos says in its latest annual assessment of the threat landscape. Just as the cloud and web services industry lets corporate customers pick and choose from a plethora of paid services, ransomware criminals stand ready to offer extortionists services ranging from malware distribution to network scanning. One enterprising criminal entrepreneur even offers OPSEC-as-a-service, the Sophos report says. The seller offers - either as a one-off setup or a monthly subscription - a service designed to hide Cobalt Strike infections and minimize the risk of detection and attribution, Sophos writes.

"Ransomware-as-a-Service began last year and by this year, virtually every type of cybercriminal activity is available as a service for a few hundred dollars. This is just an indication of how sophisticated and professionalized the people in the cybercrime industry have become," says Sean Gallagher, a Sophos principal threat researcher.

Dark web marketplaces such as Genesis are entry points for entry-level cybercriminals. They can act as resellers for stolen credentials obtained through malware and malware deployment services, Sophos says. Aping of the corporate world doesn't just extend to outsourcing, but also to bug bounty programs. "It mirrors legitimate software companies. It even has a complicated supply chain, with many functions outsourced to people with specialities," he says (see: Ransomware-as-a-Service Gang LockBit Has Bug Bounty Program).
According to earlier analysis from Sophos, these services can be cheap. The single set of credentials behind the June 2021 Electronic Arts breach, which famously let the attackers into the gaming giant's systems through its Slack, cost the attacker $10 on Genesis. "In one Raccoon Stealer campaign, based on the crypto and information they were able to steal, they had about a 150% return on their investments," says Gallagher. Money, of course, is the driving force for the growth of this commerce, he says. "This is a billion-dollar industry, so money is at the heart of it. Additionally, these organizations are operating in a way normal companies do, with hiring processes in place. This is a high-paying job and even a source of patriotism, because you are bringing money into the country while attacking another."
November 22, 2022
The State of Cyber Insurance 2022 [Research] - BlackBerry Blog
The cyber insurance market is in flux, along with how organizations use it. Premiums are increasing, coverage can be confusing, and a sizable number of organizations are currently uninsurable because they lack basic security technology like endpoint detection and response (EDR). These factors are fueling a “cyber insurance gap” for a majority of North American companies, and those without the appropriate coverage face increasing headwinds as a growing number of sales agreements and strategic partnerships require partners and vendors to have this type of insurance.

Cyber Insurance Study and White Paper

To understand the state of cyber insurance in 2022, BlackBerry and Corvus Insurance surveyed 415 IT and cybersecurity business decision makers, within both small and mid-sized businesses (SMBs) and large enterprises, and the findings reveal both significant obstacles and potential solutions related to cyber insurance.

BlackBerry Director of Global Public Relations, Matt Chandler, spotted a key takeaway right away from the responses. “The headline is that organizations are underinsured, or uninsured, and they're looking for the government to help.”

And Corvus Insurance CTO, Vincent Weafer, explains the backstory of these findings. “In general, we've come through what is known as a hard market. Ransomware has been rising over the last couple of years, which in turn has driven losses,” he says. Some insurers exited the market. Those who stayed re-evaluated their exposure. “What we are seeing are the frustrations with getting cyber insurance, understanding what you're covered for...premiums have gone up, but the limits have gone down. That's part of what has come out in the survey — and you look across and say, okay, what can be done about this?”

You can explore the answer to this question and several others in the new white paper, How Cybersecurity Insurance Provides Protection.
3 Topline Findings on the State of Cyber Insurance

Let’s look at three big-picture findings from the new BlackBerry and Corvus Insurance research:

- Only 55% of respondents currently have cyber insurance.
- Of those with insurance, over one-third (37%) aren’t covered for ransomware payments.
- Of those with ransomware payment coverage, only 19% of all businesses surveyed have limits greater than the median 2021 ransomware demand of $600,000. That number drops to 14% for SMBs with fewer than 1,500 employees.

These factors may explain why half of SMB respondents say they are hoping the government will offer financial assistance to organizations hit by ransomware attacks.

Companies standing in this “insurance gap” face a dilemma. One Chief Financial Officer (CFO) who responded to the survey explains it like this: “Do I pay high premiums and keep paying to keep my policy, or do I just set aside a self-funded account as a rainy-day fund and pray we don’t get hit?”

I doubt this CFO is alone when you consider that 85% of respondents saw an increase in their cyber insurance premiums over the past 12 months and most reported double-digit rate hikes.

Could going without cyber insurance make sense? We explore that in additional detail in the white paper. However, along these same lines, our research revealed something else about those who remain uninsured: some organizations applying for coverage are being turned down because they lack certain basic controls.

Organizations Denied Cyber Insurance Coverage

Many cyber insurance policies are becoming more prescriptive, meaning applicants must meet certain security benchmarks or the insurer will not write a policy. One example of this involves successfully deploying EDR. In our research, we found that more than one-third of respondents (34%) reported being denied cyber coverage for not meeting EDR eligibility requirements. And on the flip side, nearly half (41%) of respondents adopted EDR to meet cybersecurity insurance requirements.
Cyber Insurance as a Strategic PartnerIf you look at the previous results from a business risk perspective, you can see a glimmer of how organizations and cyber insurers can work together. Implementing EDR (for example) reduces risk to the organization enough that the organization becomes insurable. This means much of the remaining risk held by the organization can now be passed to the insurer. A key action — implementing a control — allows the organization to reduce its risk twice.And Weafer says this is just the start of how insurers can be a resource:“This can also help you with your investment discussions with the board in terms of ‘Hey, I really want to invest in EDR or managing the deployment. Here's why it makes sense. And here's where we can get some savings if I do this better’.”And he reminds us that insurers have the data that organizations need. “We've got the loss statements. So we can actually work together with the industry to provide those insights. If you invest in zero trust, what is it likely to mean in terms of lower costs of claims and less likelihood to see losses occurring?”Uncover more about what organizations need to be insurable and how they can use cyber insurance as a key part of risk management in our new white paper. Read: How Cybersecurity Insurance Provides Protection.
November 23, 2022
Hive ransomware has extorted more than $100m, FBI warns - Silicon Republic
The FBI and CISA warned that threat actors have ‘especially’ targeted healthcare organisations, along with other critical infrastructure sectors.

US security agencies have issued a warning about the growing prevalence of Hive ransomware, which has victimised more than 1,300 companies worldwide. The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said threat actors have used this ransomware to target “a wide range of businesses and critical infrastructure sectors”. Targets have included government facilities, communications, critical manufacturing, IT and “especially” healthcare services. Since June 2021, the FBI and CISA say, Hive ransomware has successfully extorted roughly $100m from companies.

The two agencies have released a joint cybersecurity advisory with the US Department of Health and Human Services to warn companies about the cybercriminals' tactics and techniques. If organisations refuse to pay, the ransomware gang threatens to steal data and post it on the internet. The threat actors are also known to reinfect the networks of organisations that restore their systems without paying a ransom.

The joint advisory contains a list of mitigations organisations should follow to protect themselves from ransomware attacks. These include keeping offline backups of data, ensuring backup data is encrypted and regularly updating anti-virus and anti-malware software. Organisations should also review the security posture of third-party vendors and other linked businesses.

Raj Samani, SVP and chief scientist at cybersecurity company Rapid7, said the joint advisory shows that extortion tactics are working, and that “unsurprisingly, one of their biggest targets is the healthcare industry”. Research by Rapid7 suggests that the healthcare and pharmaceuticals industry suffered a large number of ransomware attacks between April 2020 and February 2022.
More than 70pc of data disclosures in the sector involved finance and accounting data, with 58pc including patient data.

“Organisations need multiple layers of defence against ransomware attacks in order to protect themselves,” Samani said. “This includes not just technologies to detect potential intrusion, or lateral movement, but also implementing security controls, should the threat remain undetected, such as the use of file encryption.”

Cybercriminals have been increasingly targeting critical infrastructure in order to add pressure to their attacks and have their ransom demands met. A French hospital was hit with a ransomware attack in August, forcing it to send patients to other institutions as it tried to fix its impacted systems. It came a few weeks after the UK’s National Health Service suffered disruptions from a cyberattack, which targeted systems that facilitate patient referrals, ambulance bookings, out-of-hours appointments and emergency prescriptions. Last year, the Irish health service suffered a “significant and serious” ransomware attack that affected more than 80pc of its IT infrastructure.
October 28, 2022
Ransomware attacks are hitting heavy industry where it hurts - the wallet - TechRadar
Ransomware attacks against businesses in the manufacturing and production industries are getting more complex, while the payment demands rise. A report from cybersecurity experts Sophos claims this sector has had the highest average ransom payment of all, more than $2 million (compared to roughly $800,000 for others). Furthermore, two-thirds (66%) of manufacturing and production organizations surveyed said the attacks had gotten more complex, while 61% said the volume grew in the last year.

Industry importance driving up the price

According to John Shier, senior security advisor at Sophos, crooks are well aware of the importance of this industry in the supply chain and consequently do not shy away from demanding high payouts. “Manufacturing is an attractive sector to target for cybercriminals due to the privileged position it occupies in the supply chain. Outdated infrastructure and lack of visibility into the OT environment provides attackers with an easy way in and a launching pad for attacks inside a breached network. The convergence of IT and OT is increasing the attack surface and exacerbating an already complex threat environment,” Shier said. “While having reliable backups is an important part of recovery, today's ransomware threat requires a detailed response plan that includes human-led threat-hunting capabilities. Complex attacks require comprehensive protection, which, for many organizations, will include the addition of managed detection and response (MDR) teams who are trained to look for and neutralize active attackers.”

But organizations in this industry seem to be handling the threat relatively well. They have the lowest attack rate of all industries, with just over half (55%) suffering a ransomware attack. Whether they keep up the good work is a big question, as the share of firms hit climbed from 36% the year before, a 52% year-on-year increase. One way they could tighten up is cyber insurance, Sophos said.
The company found that just three-quarters (75%) of those surveyed reported having cyber insurance, which is the lowest percentage across all sectors. Just because hackers demand high payouts - that doesn’t mean that businesses are willing to hand the cash over. In fact, the percentage of organizations that paid the ransom was among the lowest across sectors, Sophos found (33% versus the cross-sector average of 46%).
October 29, 2022
How to detect Windows worm that now distributes ransomware • The Register - TheRegister
Raspberry Robin, a worm that spreads through Windows systems via USB drives, has rapidly evolved: backdoor access to infected machines is now being sold or offered so that ransomware, among other code, can be installed by cybercriminals. In a report on Thursday, Microsoft's Security Threat Intelligence unit said Raspberry Robin is now "part of a complex and interconnected malware ecosystem" with links to other families of malicious code and ties to ransomware infections.

Initially, Raspberry Robin appeared to be a strange worm that spread from PC to PC with no obvious aim. Now whoever is controlling the malware is seemingly using it to offer access to infected machines so that other software nasties, such as ransomware, can be deployed by other miscreants. "Raspberry Robin's infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously," the Microsoft researchers wrote. "There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms."

According to data collected by Microsoft's Defender for Endpoint tool, almost 3,000 devices in about 1,000 organizations have experienced at least one alert about a malicious payload related to Raspberry Robin in the past 30 days. "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active," they wrote. Red Canary researchers first observed Raspberry Robin activity in September 2021.
The malware was a worm typically installed via a removable USB device and used compromised QNAP storage servers for its backend command-and-control (C2) servers. A Raspberry Robin-infected USB stick contains a .lnk file that looks like a legitimate folder. The drive may be set up to auto-run that file (which organizations can block by disabling AutoRun), or the user is tricked into double-clicking the link file. That .lnk file then runs commands to fetch the main malware code from a C2 server and execute it on the victim's PC. See the Microsoft report for technical details on how to detect a Raspberry Robin intrusion. A PC is infected after inserting the USB drive and/or running the .lnk file. Some infections occurred without a link file or a USB drive, though, indicating there is more than one way to catch Raspberry Robin.

It's only getting worse

Microsoft, IBM, and Cisco have been tracking Raspberry Robin and its evolution. Two months after Red Canary's report, Microsoft detected Raspberry Robin – which the IT giant is tracking as DEV-0856 – installing on compromised computers the FakeUpdates (also known as SocGholish) backdoor malware, which is also used by Evil Corp – a Russian cybercrime group tracked by Microsoft as DEV-0243 that spreads the Dridex banking trojan. Raspberry Robin also has been used to deploy the IcedID (or BokBot) banking trojan, the malware loader Bumblebee, and the Truebot trojan. The operators also have used it to run LockBit ransomware and now Clop ransomware on hijacked machines, according to the Microsoft analysts.

It gets worse. This month, Microsoft saw Raspberry Robin being used by a crew tracked as DEV-0950, which overlaps with gangs tagged as FIN11 and TA505. After Raspberry Robin infects a PC, DEV-0950 uses it to run Cobalt Strike – and occasionally Truebot – according to Microsoft. Eventually, Clop is executed on the victim's computer.
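The two defensive points in the paragraph above, blocking AutoRun so a planted .lnk cannot launch itself and checking what shortcuts on removable media actually point at, as an added PowerShell example. This is not code from The Register's article or from Microsoft's or Red Canary's reports. It assumes a Windows host and an elevated session, and the list of "suspicious" shortcut targets (command interpreters and the Windows installer) is an assumption made for this example, not an indicator published on the page.

```powershell
# Added example: disable AutoRun for all drive types and hunt for shortcut files on
# removable drives that point at command interpreters. Assumptions are marked.
#Requires -RunAsAdministrator

# 1. AutoRun policy. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
#    a missing value, or anything other than 0xFF, leaves some drive types able to
#    auto-run a file such as a planted .lnk.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
$current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    Write-Host "NoDriveTypeAutoRun is '$current'; setting it to 0xFF (AutoRun off for all drive types)"
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
} else {
    Write-Host 'AutoRun is already disabled for all drive types'
}

# 2. Shortcut hunt. The target list below is an ASSUMPTION for this example: a
#    folder-looking .lnk on a USB stick that actually launches an interpreter or
#    installer is what an analyst would want to see first.
$suspiciousTargets = @('cmd.exe', 'powershell.exe', 'msiexec.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')
$shell = New-Object -ComObject WScript.Shell

# DriveType 2 = removable disk (USB sticks, memory cards).
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # CreateShortcut on an existing .lnk reads its TargetPath and Arguments.
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = [string]$lnk.TargetPath
        $targetName = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
        $hidden = ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
        if ($suspiciousTargets -contains $targetName) {
            [PSCustomObject]@{
                Drive     = $disk.DeviceID
                Shortcut  = $_.FullName
                Hidden    = $hidden
                Target    = $target
                Arguments = $lnk.Arguments   # the command line the link would run
            }
        }
    }
}
```

Run it interactively as an administrator. The first part is idempotent; the second prints one object per flagged shortcut, including the hidden attribute and the full argument string, so the reviewer can see exactly what a double-click would have executed before deciding whether to pull the drive for analysis.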
Raspberry Robin has been a boon for these miscreants, according to the Microsoft researchers. "DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," they wrote. "Given the interconnected nature of the cybercrime economy, it's possible that the actors behind these Raspberry Robin-related malware campaigns – usually distributed through other means like malicious ads or email – are paying the Raspberry Robin operators for malware installs."

In July Microsoft found that Fauppod – malware distributed by another group called DEV-0651 from Azure and Discord – has similar code to Raspberry Robin. It also has delivered FakeUpdates backdoors. IBM's Security X-Force in September found other connections between Raspberry Robin and Dridex – including similarities in structure and functionality – between a Raspberry Robin DLL and a Dridex malware loader. "Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same group behind the Dridex Malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks," wrote Kevin Henson, a malware reverse engineer, and Emmy Ebanks, a cyberthreat responder, with IBM.

It's expected that the malware will continue to morph into an increasingly dangerous threat, according to Microsoft. "While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it's still installed," the analysts wrote. "Raspberry Robin will likely continue to develop and lead to more malware distribution and cybercriminal activity group relationships as its install footprint grows."
October 31, 2022
Top Cybersecurity Measures to Protect Windows Devices From Active Venus Ransomware
Since August 2022, the Venus ransomware has been compromising Remote Desktop (RDP) services. The main targets of the malware are unprotected Windows devices with publicly available RDP. Successful Venus ransomware attacks have been locking users out of essential files and requesting payment in crypto.

What should every organization know about the Venus ransomware, and what are some of the top cybersecurity practices to prevent and fight this type of malware? Before we get to the precautionary steps and the best practices for those already impacted, let's look at the signs of the latest ransomware.

How to Recognize Venus Ransomware?

Venus ransomware encrypts files, renames them, and notifies victims with a note on the screen. The victims know they've been impacted when the note with terms and demands appears on their screen. After locking users out of the files, the threat actor notifies the user with a README.txt file and a desktop wallpaper.

The message on the screen confirms that malicious activity has taken place and displays instructions on how to get the files back and pay the ransom. In this case, the user is supposed to contact the criminal for further instructions within five days. The hackers state that all the victim's files have been encrypted and that they will leak the obtained information to the public if the demands are unmet.

Another evident clue that Venus ransomware has impacted files is the filename extension. Locked files that can't be opened have an additional ".venus" suffix.

Worldwide Threat Targeting Public RDP

Any Windows device, anywhere in the world, with publicly available Remote Desktop components is susceptible to Venus ransomware. RDP is the access point that is exploited in the attack. In the case of a successful breach, the servers' databases and Office apps are affected as the cybercriminal obtains control over the processes. Some of the hackers' capabilities following a successful attack include erasing event logs and disabling Data Execution Prevention.

On infected devices, the ransomware encrypts data, generates ransom notes (most likely along with encrypted decryption keys), and changes the wallpaper to display another (largely identical) ransom message.

Cybersecurity Measures For Ransomware Prevention

In most cases, it's challenging to decrypt the files and reverse engineer the ransomware unless the malware has a specific error. Even after removing the malware, already infected files will not be decrypted. Therefore, it's essential to set preventive measures to guard assets against cyber ransom exploits. How can one prepare for the very real possibility of Venus ransomware?

The critical weakness that enables Venus ransomware is publicly exposed Remote Desktop Services. Therefore, the best cybersecurity measures include using a Virtual Private Network (VPN) when accessing Remote Desktop Services. Ensure that RDP isn't available to the public and protect such services with a firewall.

According to the latest data, this ransomware has also been spread via phishing campaigns over email, torrent websites, and ads riddled with malware. Hackers send the infected attachment over email or plant the malicious code in ads on the internet. Knowing and understanding these distribution methods is essential in Venus ransomware prevention. More sophisticated email filters and blocking access to sites such as torrent pages and adware are a great start.

Some tools are specifically designed to detect the signs of malware (e.g., encryption). Besides such protective software, it's necessary to guard the infrastructure with layered security that consists of various programs and protocols. That is, cybersecurity has to be solid and comprehensive — covering all devices connecting to the remote network and blocking any pathway that hackers might try to exploit for monetary gain.

In addition to these cybersecurity measures, it's essential to back up the data on separate servers that can't be accessed remotely. This enables your teams to keep up with their daily tasks even if part of the network is compromised and can't be accessed.

Files Already Encrypted by Venus Ransomware?

What should you do if the threat actors have already demanded a ransom? Is there a way to unlock the files, and is it a good idea to pay up? Under pressure, many organizations consider and often do pay the ransom. For instance, the Venus ransom is accompanied by a note urging the victim not to contact third-party aid that might try to decrypt files, or else they'll lose the files forever, even if the ransom is paid.

However, paying is not a solution, as that act confirms to the threat actors that the attack has been successful, and there is no guarantee that they'll keep their end of the deal. The simple truth in the eyes of the law is that you're funding further criminal activity. Although paying seems less costly than rebuilding the infrastructure from scratch, there is no guarantee that criminals won't leak the data anyway or won't withhold the decryption key. Moreover, it's illegal to pay the ransom — report the criminal activity instead. Contacting and communicating with the criminal organization is not advised either.

Final Word

Although the Venus ransomware has been active since August 2022, many organizations and individuals can still be susceptible to the threat and lack the proper tools to aid detection and mitigation. The malware is a reminder of how difficult it is to weed out ransomware. Over the last couple of years, this kind of exploit has increased. Besides the increase in ransomware attacks, it has evolved into more sophisticated variants. New versions can do even more than encrypt the files — they can lock the user out of the system, download data from affected files, delete data, halt various functions using remote commands, and more. Proper anti-ransomware protection and robust cybersecurity architecture are essential for any business that wants to avoid dangerous and costly ransom notes.
October 27, 2022
How To Prevent A School Ransomware Attack - Security Boulevard
Buffalo, New York; Broward County, Florida; and now, Los Angeles, California.

Across the United States, ransomware hackers are targeting schools at an unprecedented rate. In fact, 56% of the education sector experienced a school ransomware attack in 2021, according to a Sophos report. That's nearly a 25% increase from the previous year. In this guide, we'll help you understand ransomware incidents and what you can do to prevent an attack on your school district.

A closer look at ransomware in schools

Ransomware is a sophisticated variant of malware (i.e., malicious software). This type of attack infiltrates your school network or cloud domain and gains unauthorized access to sensitive data, personal information, and other critical files. Even worse, ransomware hackers typically restrict access to that information so that you can't retrieve the stolen data. Then, hackers either threaten to leak data to the public or hold the information ransom in exchange for payment.

How does ransomware impact your school district?

For some educational institutions, ransomware is a death blow. After suffering a cyber attack in December 2021, Lincoln College was forced to close its doors after 157 years in operation. The incident was a major disruption that took nearly four months to remedy. By the time the college regained access to its systems, enrollment had plummeted.

The story of Lincoln College is an extreme example of how devastating ransomware can be, but an important one to keep in mind. Generally speaking, a school ransomware attack has two outcomes:

- Ransom payment: Hackers on average request $2.47 million from the education sector, but some demands have been as high as $40 million. However, the average payment received is only $230,000 — still a major blow to any school's budget. One Texas school district recently paid over $500,000 to ransomware hackers, claiming "there was no other choice."
- Refusal to pay: If payment isn't received, hackers may leak student data to the public or on the dark web, where there's no telling who may access it or what they'll do with the information.

For instance, in September 2022 a ransomware gang called Vice Society launched an attack against the Los Angeles Unified School District (LAUSD) — the second-largest district in the United States. With a goldmine of sensitive information in hand, the hackers demanded a massive ransom. After the district announced it would not be paying the ransom, Vice Society released over 500GB of data online. According to Brett Callow, threat analyst at Emsisoft, the ransomware gang is responsible for at least eight other ransomware incidents.

Why your school is being targeted

Immediately after the LAUSD attack, the FBI issued a warning. Citing the frequency of ransomware incidents affecting the education sector, the FBI announced that attacks would likely increase in the upcoming school year. However, the accelerated pace of ransomware has been a long time coming. In fact, school ransomware attacks hit an all-time high in 2020 with over 1,700 districts affected. So, what's to blame for this emerging crisis?

According to the FBI's warning, K-12 institutions may be seen as particularly lucrative targets due to the amount of personal data accessible through school systems or their managed service providers (i.e., cloud edtech vendors). Whether it be a student's personal information or their parents' financial information, school networks and clouds are loaded with highly valuable data.

What's also important to note is that many school districts have a lackluster cybersecurity program. With limited funding, a shortage of physical resources and few staff members qualified for the job, most districts are ill-prepared to secure their data.

And with more schools leaning on cloud vendors, attack surfaces are starting to expand. An EdWeek report reveals that the vast majority of schools operate in the cloud using services like Google Workspace or Microsoft 365. That means they're entrusting edtech providers and other third-party vendors with their sensitive data — adding yet another entry point into their system.

Worst of all, schools aren't matching their cloud investments with cloud security. Only 20% of school cybersecurity budgets are allocated to safeguarding cloud-based data, per EdWeek. In other words, 8 in 10 schools are critically exposed to the threat of a cyber attack. If a ransomware gang like Vice Society launched a strike, they'd be nearly defenseless in the cloud.

Best practices for preventing ransomware attacks in your district

You know what ransomware is and how catastrophic it can be for your district — so what can you do to stop a ransomware gang in its tracks? To help you out, let's highlight a few best practices.

1. Prioritize cybersecurity spending

Educational institutions are among the slowest to implement a mature approach to cybersecurity. Typically, schools prioritize funding for other areas such as upgrading classrooms and facilities or recruiting teachers and staff. But as cybercriminals become more daring and sophisticated in targeting the education sector, it's obvious that the status quo isn't going to cut it for much longer. Schools need to prioritize cybersecurity spending, particularly when it comes to cloud security, which most districts tend to neglect.

2. Increase cybersecurity awareness and education

Teach students and staff how to recognize phishing attempts, how to be a responsible digital citizen, and whom it's safe to share their information with online. In a nutshell, make sure your community understands why cybersecurity is important and what part they play in keeping the school district safe.

3. Enable 24/7 protection

Implement a solution that can stand guard over your data even when your security team is off the clock. Without a dedicated team of cybersecurity experts on staff, school IT departments struggle to keep up with thousands of students and their personal data. Round-the-clock cloud security platforms like ManagedMethods watch over the cloud environment so that administrators can focus on other tasks.

4. Automate security workflows

Cybersecurity is a tall order for the average K-12 technology director. There are only so many hands to go around, which means cybersecurity is often a slow, manual, and tedious process. Inevitably, human error results in a critical vulnerability going undetected, which can expose the district to risk. The right cloud security technology will automate workflows and streamline security, taking a major weight off your IT department's shoulders. Multiply the power of your security team by automating important processes like risk detection and remediation.

5. Investigate anomalous activity

When strange behavior is identified, don't make assumptions. Conduct a thorough assessment of the activity and get to the bottom of the threat before bad becomes worse. That means you need to know exactly where the risk originated, which student or staff member is involved and where data has been shared. With ManagedMethods, that's exactly what you get, allowing you to quickly organize the most effective response.

6. Remove unsanctioned apps from your cloud domain

Students may download cloud apps without express permission. Because the security of that app's provider hasn't been vetted or sanctioned by your technology team, you can't guarantee that it isn't a risk to your data. Even worse, it could be a malicious app created by a hacker to collect personal information. ManagedMethods allows you to automatically detect unsanctioned apps and remove them from your cloud domain with just a few clicks (or automatically). That way, you can reduce risk and keep data under wraps.

7. Leverage an automated cloud security platform

ManagedMethods is designed specifically for Google Workspace and Microsoft 365, meaning it's literally made to protect your cloud environment. Through automated risk detection and remediation, you can monitor your cloud domain and identify ransomware threats before they compromise your data.

Syndicated from the ManagedMethods blog, authored by Alexa Sander.
October 27, 2022
Preparing for the worst: How some CIOs are using tabletop games to simulate ransomware attacks
Health CIOs and chief information security officers are preparing for ransomware attacks with something more commonly associated with hobby shops than hospitals: tabletop games.

The recent ransomware attack on Chicago-based CommonSpirit Health that shut down EHRs and canceled appointments brought new attention to the damage ransomware can have on health systems and raised questions about how to stop attacks. Most ransomware preparation revolves around stopping ransomware attacks before they happen. While training staff to avoid clicking on unknown links, implementing multifactor authentication and creating strong passwords is worthwhile, tabletop games allow CIOs to prepare for the worst in a controlled environment.

Aaron Weismann, chief information security officer at Radnor Township, Pa.-based Main Line Health, has been running tabletop ransomware exercises since 2020.

"I think tabletop exercises are effective at training staff how to respond to real-life cyberattacks. They take the edge off one of the most catastrophic events that can happen to an organization," Mr. Weismann told Becker's. "When a ransomware attack hits, people can grab their incident response workbook and say, 'I know what to do.' Along those lines, they provide really great opportunities for information security awareness. You can easily tie phishing, web browsing, portable media, insider threat and other potentially risky organizational activities."

The actual gameplay of a ransomware tabletop exercise tends to differ from a traditional board game. Often, the exercises look more like structured discussions and roundtables than conventional board games.

"We bring in external teams to develop fact patterns based on our industry placement, organizational structure, and identified weaknesses," Mr. Weismann said. "That team then sits down with a group of IT and clinical personnel, including executive leadership. As we proceed through the exercise, we identify what we'll do when and with what tooling or infrastructure. We also identify what we can't do, why, and discuss how we might be able to achieve those goals or objectives in the future."

Mr. Weismann is working to better gamify the exercises and believes the more interactive and immersive the tabletop exercises, the more staff will be prepared for the real thing.

Amar Singh, CEO and CISO at Cyber Management Alliance Limited, a company specializing in cybersecurity training and tabletop exercises, stressed the importance of making sure tabletop exercises are personalized to an organization's cybersecurity needs.

"Through a verbally simulated scenario, we evaluate whether your best-laid response plans are actually viable in the face of a real attack," he said. "During the ransomware tabletop exercise, we work toward creating a real attack environment that's relevant to your business."

Mr. Singh follows up the exercises with an executive summary that allows organizations to review the gaps they still need to address regarding staff training and preparation.

For healthcare organizations, ransomware attacks can be catastrophic because of their ability to disrupt care. The amount of sensitive data healthcare organizations store makes them perfect targets. As Mr. Singh put it, "They can either steal your data, lock you out of your systems and make your patients suffer or threaten to leak the sensitive personal information if their ransom demands are not met."

"As a community-based healthcare organization, our biggest fears are impacts to patient safety and health outcomes and inability to care for new patients," Mr. Weismann said. "So we want to make sure that we as an organization are preparing for that worst case. If we're attacked and that level of impact doesn't come to fruition, then we're over-prepared and understand how to respond appropriately."

Not all ransomware tabletop games are created equal. Mr. Singh's company offers games that range in scenarios from a simple phishing attack to a nation-state launching a sophisticated multistep attack targeting a healthcare organization. The rising use of ransomware tabletop games represents the realization that the growing sophistication of ransomware attacks means it's worth the time to prepare for the worst and learn how to mitigate an organization's losses.

"To succeed in defending against a ransomware attack, the first and most important aspect is acknowledging that your existing technological and procedural controls will fail at some point. Once there is acceptance, one then needs to focus on response and recovery," Mr. Singh said. "That's where tabletop exercises come into focus. A regularly conducted, well-designed and professionally facilitated ransomware tabletop exercise can significantly help improve response and recovery times."
October 29, 2022
More than one-third of OT/ICS organizations lack visibility into their networks | SC Media
Despite some progress on OT/ICS security, over a third of organizations still don't know if their company was compromised, according to a new survey by Nozomi Networks and the SANS Institute.

A Nozomi Networks report conducted in tandem with the SANS Institute found that despite some progress on OT/ICS security, some 35% of organizations still don't know whether their company had been compromised, and that attacks on engineering workstations doubled in the last 12 months.

The report, released Friday, found that ransomware and financially motivated attacks topped the list of threat vectors at 39.7%, followed by nation-state attacks at 38.8%. Non-ransomware criminal attacks came in third, cited by 32.1%, followed closely by hardware/software supply chain risk at 3.4%. While 62% of respondents rated the risk to their OT environment as high or severe, that figure is down from 69.8% in 2021.

"While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available," said Andrea Carcano, co-founder and CPO at Nozomi Networks. "The survey found that more organizations are proactively using them. Still, there's work to be done. We encourage others to take steps now to minimize risk and maximize resilience."

Ariel Evans, chief executive officer at RiskQ, said most companies don't have a digital asset inventory, which not only prevents them from being compliant with regulatory requirements — it leaves them unable to protect their assets. "You can't protect what you can't see," said Evans.

The main driver for the lack of OT/ICS awareness relates back to how OT networks have traditionally been managed and operated, explained Jason Hicks, executive advisor and Field CISO at Coalfire. Hicks said historically they were disconnected from the firm's other networks and the internet. Tasks like software updates typically come into those environments via thumb drives.

"Also, many of the devices are running specialized operating systems, that don't tolerate being scanned for vulnerabilities, and don't support running your typical endpoint protection suite," Hicks said. "Imagine if your vulnerability scan shut down power to a substation, for example. Due to all these factors, it's not common for the operators to have the kind of security-focused visibility tools we are used to having on corporate networks."

Joseph Carson, chief security scientist and Advisory CISO at Delinea, added that OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Carson said gaining centralized visibility and management of such a complex environment can be extremely challenging.

"This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected," Carson said. "The conflicting network architecture also means that standard security measures such as role-based access control and multi-factor authentication are close to impossible to implement without purpose-built tools. These issues elevate the potential threat of a nation-state actor infiltrating the system and causing serious disruption."
October 30, 2022
New open-source tool scans public AWS S3 buckets for secrets - Bleeping Computer
A new open-source tool, 'S3crets Scanner', allows researchers and red-teamers to search for 'secrets' mistakenly stored in publicly exposed Amazon AWS S3 storage buckets belonging to a company.

Amazon S3 (Simple Storage Service) is a cloud storage service commonly used by companies to store software, services, and data in containers known as buckets. Unfortunately, companies sometimes fail to properly secure their S3 buckets and thus publicly expose stored data to the Internet. This type of misconfiguration has caused data breaches in the past, with threat actors gaining access to employee or customer details, backups, and other types of data.

In addition to application data, source code or configuration files in the S3 buckets can also contain 'secrets,' which are authentication keys, access tokens, and API keys. If these secrets are improperly exposed and accessed by threat actors, they could allow them far greater access to other services or even the company's corporate network.

Scanning S3 for secrets

During an exercise examining SEGA's recent assets exposure, security researcher Eilon Harel discovered that no tools for scanning for accidental data leaks existed, so he decided to create his own automated scanner and release it as an open-source tool on GitHub.

To help with the timely discovery of exposed secrets on public S3 buckets, Harel created a Python tool named "S3crets Scanner" that automatically performs the following actions:

1. Use CSPM to get a list of public buckets
2. List the bucket content via API queries
3. Check for exposed textual files
4. Download the relevant textual files
5. Scan content for secrets
6. Forward results to SIEM

Actions performed by the S3crets Scanner

The scanner tool will only list S3 buckets that have the following configurations set to 'False,' meaning that exposure was likely accidental:

- "BlockPublicAcls"
- "BlockPublicPolicy"
- "IgnorePublicAcls"
- "RestrictPublicBuckets"

Any buckets that were intended to be public are filtered out from the list before the textual files are downloaded for the "secrets scanning" step.

When scanning a bucket, the script examines the content of text files using the Trufflehog3 tool, an improved Go-based version of the secrets scanner that can check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets. Trufflehog3 scans the files downloaded by S3crets using a set of custom rules designed by Harel, which target personally identifiable information (PII) exposure and internal access tokens.

When used periodically to scan an organization's assets, the researcher believes that "S3crets Scanner" can help firms minimize the chances of data leaks or network breaches resulting from the exposure of secrets. Finally, the tool can also be used for white-hat actions, like scanning publicly accessible buckets and notifying the owners of exposed secrets before bad actors find them.
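The four-flag filter and the textual-file selection described above, written out as an added Python example that is not the S3crets Scanner's own code: the boto3 S3 client methods it calls (list_buckets, get_public_access_block, list_objects_v2) are real, but it enumerates buckets with list_buckets instead of a CSPM feed, and the FakeS3Client, its bucket data and the textual-suffix list are constructed for the demo.

```python
"""Triage S3 buckets by their Block Public Access settings (the four-flag
rule the article describes) and pick the textual objects worth scanning.
Added example, not the S3crets Scanner's own code; the boto3 S3 client
methods it calls are real, the fake client and its data are constructed."""
from __future__ import annotations
from typing import Iterable

# The four flags the scanner checks; a bucket is flagged as accidentally
# exposed only when every one of them is False.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")
# Suffixes treated as textual (assumed; the page does not list the tool's
# own set) and a size cap so a stray archive or dump is not pulled down.
TEXT_SUFFIXES = (".txt", ".json", ".yaml", ".yml", ".env", ".cfg", ".ini",
                 ".xml", ".properties", ".sh", ".py", ".js", ".log")
MAX_TEXT_BYTES = 5 * 1024 * 1024


def is_accidentally_exposed(config: dict | None) -> bool:
    """True when all four flags are False. A bucket with no bucket-level
    PublicAccessBlock resource (config is None) counts too, since each flag
    then defaults to False; account-level settings are not consulted."""
    if config is None:
        return True
    return all(config.get(f, False) is False for f in PUBLIC_ACCESS_FLAGS)


def triage_buckets(configs: dict[str, dict | None]) -> list[str]:
    """Sorted names of buckets whose settings suggest accidental exposure."""
    return sorted(n for n, c in configs.items() if is_accidentally_exposed(c))


def select_text_objects(objects: Iterable[dict]) -> list[str]:
    """Keys from a list_objects_v2 'Contents' list that look like text files
    small enough to download for the secrets-scanning step."""
    return [o["Key"] for o in objects
            if o.get("Key", "").lower().endswith(TEXT_SUFFIXES)
            and o.get("Size", 0) <= MAX_TEXT_BYTES]


def fetch_public_access_blocks(s3) -> dict[str, dict | None]:
    """Collect bucket-level PublicAccessBlock configs via an S3 client
    (boto3.client("s3") in practice; injected so this runs offline).
    A bucket without the resource makes get_public_access_block raise a
    ClientError coded NoSuchPublicAccessBlockConfiguration; store None."""
    configs: dict[str, dict | None] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            resp = s3.get_public_access_block(Bucket=name)
            configs[name] = resp["PublicAccessBlockConfiguration"]
        except Exception as err:  # botocore's ClientError carries .response
            code = getattr(err, "response", {}).get("Error", {}).get("Code")
            if code != "NoSuchPublicAccessBlockConfiguration":
                raise
            configs[name] = None
    return configs


class _FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed)."""
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3Client:
    """Constructed stand-in for boto3.client("s3"): three configured buckets
    plus one with no PublicAccessBlock resource at all."""
    _BLOCKS = {
        "prod-backups": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True),    # fully blocked
        "marketing-site": {"BlockPublicAcls": False, "BlockPublicPolicy": False,
                           "IgnorePublicAcls": False, "RestrictPublicBuckets": True},
        "legacy-exports": dict.fromkeys(PUBLIC_ACCESS_FLAGS, False),  # all four off
    }
    _OBJECTS = {"legacy-exports": [
        {"Key": "config/app.env", "Size": 812},
        {"Key": "dumps/users.sql.gz", "Size": 734_003_200},
        {"Key": "scripts/deploy.sh", "Size": 1_024},
        {"Key": "notes/README.TXT", "Size": 7_000_000},  # textual, but over the cap
    ]}

    def list_buckets(self):
        names = list(self._BLOCKS) + ["unconfigured-bucket"]
        return {"Buckets": [{"Name": n} for n in names]}

    def get_public_access_block(self, Bucket):
        if Bucket not in self._BLOCKS:
            raise _FakeClientError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self._BLOCKS[Bucket])}

    def list_objects_v2(self, Bucket, **_):  # real buckets paginate; kept short
        return {"Contents": self._OBJECTS.get(Bucket, [])}


if __name__ == "__main__":
    s3 = FakeS3Client()  # swap for boto3.client("s3") against a real account
    for name in triage_buckets(fetch_public_access_blocks(s3)):
        keys = select_text_objects(s3.list_objects_v2(Bucket=name).get("Contents", []))
        print(f"{name}: {len(keys)} textual object(s) to download and scan: {keys}")
```

Against a real account the same triage runs with the credentials of the owning organization, and the selected keys are what would be handed to the Trufflehog3 step.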
October 27, 2022
5 unstructured data backup challenges and how to handle them - TechTarget
Backup admins who have worked with structured data won't find unstructured data completely unrecognizable. As with any kind of data backup, unstructured data must be accessible, secure and stored where it is suitably protected from unauthorized activities that could damage it. Technologies that typically back up structured data also work on unstructured data. These can include NAS, cloud, disk, flash and even tape. However, there are some challenges to watch out for with unstructured data.

Data storage capacity is a major challenge. Organizations must accommodate the rapid creation of unstructured data over time. To ensure that data is protected, administrators must project how much storage is needed today, six months from now or next year.

To protect and back up unstructured data, organizations might also need to revisit policies for data management, specifically for data retention and destruction. If unstructured data files are no longer necessary, backup admins can archive or destroy them to free up space.

Unstructured data backup challenges

Along with standard backup challenges, unstructured data has its own set of difficulties due to its size and complexity. Backup admins should expect to face the following issues:

- Data storage is already expensive. Unstructured data can make it difficult to sort through and minimize unnecessary data storage.
- Additional backup and replication costs can add up. With significant amounts of data to back up, costs associated with backup techniques, such as replication, can be expensive and might necessitate additional technical staff to manage everything.
- Changes to primary systems might necessitate backup changes. In situations where the primary production systems are upgraded to accommodate unstructured data, an organization might need to revise its backup model and associated systems.
- Expansion of data increases the time needed for backup and disaster recovery. Backups take longer, and retrieval of backup data in an emergency might also require more time. That increase in downtime might not be acceptable in terms of the organization's recovery time objectives (RTOs).
- Compliance requirements can cause complications. If unstructured data includes protected elements, such as personally identifiable information, it can lead to additional costs.

How to address common challenges

One way to address the above and other backup challenges is to restructure the entire backup process. This can involve how the organization creates backups, backup size and frequency of creation. Some businesses might need to increase RTOs to accommodate longer data retrieval intervals or even change the technologies they use for data backups. Another way is to use data compression and deduplication to reduce the size of unstructured data files, but that can affect performance.

Unstructured data management applications can analyze unstructured data, classify it, define its characteristics, determine where it is stored and backed up, and assign administrative privileges, all while keeping track of unstructured data's effects on storage devices and overall backup activities.

To optimize unstructured data management and protection, backup admins should do the following:

- Determine how much data can be stored in primary and secondary storage.
- Consider the use of metadata indexing and data indexing to manage unstructured data.
- Determine how much storage capacity is necessary and how scalable the storage is.
- Establish the level of automation.
- Examine system pricing, such as licensing fees, maintenance and support fees, cost per terabyte stored, and other costs.
October 20, 2022
Ransomware Insurance Security Requirement Strategies - Trend Micro
Risk Management Ransomware Insurance Security Strategies Ransomware accounts for 75% of all cyber insurance claims yet 40% of business currently lack the coverage needed. Discover how to improve your ransomware prevention strategy to reduce cyber risk and meet insurance requirements. By: Vince Kearns October 20, 2022Read time:  ( words) Save to Folio Subscribe A cyber insurance policy is a necessary element in a company’s risk mitigation strategy. However, obtaining/renewing a policy is becoming more difficult, and premiums have drastically increased. Direct-written premiums increased by 92% in 2021 according to the National Association of Insurance Commissioners.The primary reason for the hardening of the cyber insurance market? Ransomware. Since ransomware accounts for 75% of all insurance claims, premiums are directly correlated with the 148% increase in attacks through Q3 2021 as well as higher ransom demands and recovery costs.As costs continue to soar, many businesses lack the appropriate cyber insurance coverage. According to a BlackBerry and Corvus Insurance survey, nearly 40% of respondents revealed they currently lack coverage for any ransomware payment demands.Businesses of all sizes need to take stock of their ransomware prevention strategy – not only to reduce the chances or scope of an attack, but to demonstrate the necessary cybersecurity maturity to obtain the appropriate policy for your business.Common ransomware attack vectorsUnderstanding the modern attack mechanics and vectors is critical to effective ransomware prevention. As the attack surface continues to rapidly expand due to digital transformation and remote workers, cyber criminals have a variety of entry points to choose from. Here are the most common attack vectors for enterprises:1. Phishing attacks like BEC are responsible for 91% of cyber threats, including ransomware. Trend Micro Research reported a staggering 137.6% increase in phishing attacks blocked and detected in 2021.2. 
Unpatched vulnerabilities on any internet-facing systems (websites, VPNs, etc) continue to be exploited for ransomware attacks. Of the 1,543 vulnerabilities disclosed by market-leading bug-bounty program Trend Micro™ Zero Day Initiative™, 68% were categorized as critical or high severity.3. Remote desktop protocol (RDP) is valuable for businesses, but if it’s not properly protected, it can grant malicious actors the same benefits. Ransomware operators will use brute force, credential stuffing, or even purchase legitimate credentials from the dark web to exploit RDP.4. Websites that seem trustworthy can have malicious ransomware code hidden in web scripts. Any individual that visits that site will automatically download the code, which can be executed to infect the user’s system and move laterally across the IT infrastructure to exfiltrate data.Tips for ransomware preventionSimilar to adding reinforced locks and alarms to doors, enterprises need to focus on securing potential attack vectors. This will strengthen your overall cybersecurity maturity and demonstrate proactive, risk-based protection – which is exactly what cyber insurance underwriters want to see. Here are the security practices you can apply to the attack vectors listed above:1. PhishingStronger email defense depends on layered messaging security. Look beyond native security to cutting-edge capabilities such as gateways to detect internal malicious emails, writing style and computer graphic analysis, and integration with a broader security platform.Trend Micro’s VP of Threat Intelligence, Jon Clay, compiled a list of questions to across the four pillars of cybersecurity – people, culture, process, and technology – to identify potential email security gaps. Read more.2. 
Unpatched vulnerabilities

To create a strong defense program against vulnerability exploitation, consider the following patch management best practices:

Establish a prioritized patching process by focusing on the bugs relevant to the apps used in-house, identifying which are being actively exploited and which are part of the business’ critical infrastructure.
Make a zero-day plan that includes consistent monitoring for suspicious activity inside of networks, and stay up to date with bug bounty programs that leverage global threat intelligence.
Communicate with SaaS vendors about possible rollbacks to previous versions of software and whether they can be done via automation.
Utilize virtual patching to protect systems while waiting for a vendor patch to be released. Operational technologies (OT) are prime candidates for virtual patching, as frequently untouched and unsupported OT systems are a growing target for cyber criminals.
Share benefits with stakeholders by communicating that the risk of financial loss outweighs the investment.

3. Remote desktop protocol and websites

Go beyond multi-factor authentication (MFA) by deploying a SASE architecture as part of a zero-trust strategy. SASE is composed of Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) capabilities to strengthen protection and control across the attack surface.

Here’s how it all works: ZTNA – an ideal replacement for VPN – validates access, authenticates the user’s identity via MFA, and continuously monitors user behavior for suspicious activities that would trigger termination. ZTNA traffic is automatically forwarded to a SWG, which blocks threats from inbound and outbound web traffic and content not owned by the organization. CASB allows you to restrict not only access to the SaaS app, but also the functions you can perform within the app.
For example, you can access Twitter, but you can’t tweet.

A unified platform approach to ransomware prevention

Deploying point products across the attack surface will only hinder visibility and lead to false positives. Leverage a unified cybersecurity platform backed by the security functions mentioned above to give security teams total visibility across endpoints, cloud, networks, email, and more.

Bonus tip: a platform with extended detection and response (XDR) capabilities will collect and correlate deep threat activity data across multiple security layers to surface verified and actionable alerts, freeing teams to focus on investigation and remediation.

A strong and holistic ransomware prevention strategy is crucial to improving your security posture and demonstrating to cyber insurance underwriters that you meet or even go beyond coverage requirements.

For more information on preventing ransomware and cyber insurance, check out the following resources:

How to Prevent Ransomware as a Service Attacks
Preventing Ransomware Attacks on ICS Environments
[eBook] Securing Your Organization from Modern Ransomware
Cyber Insurance Coverage Checklist: 5 Security Items
Cyber Insurance Market 2022: FAQs & Updates with iBynd

Vince Kearns, Cyber Risk Specialist
October 23, 2022
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself - Microsoft Security Blog
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment.
July 2022 update – New information about DEV-0206-associated activity wherein existing Raspberry Robin infections are used to deploy FakeUpdates, which then leads to follow-on actions resembling DEV-0243.
June 2022 update – More details in the Threat actors and campaigns section, including recently observed activities from DEV-0193 (Trickbot LLC), DEV-0504, DEV-0237, DEV-0401, and a new section on Qakbot campaigns that lead to ransomware deployments.

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier to entry for other attackers, who in turn continue to pay dividends and fund operations through the sale of, and the associated “cut” from, their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved in renting or selling their tools for a portion of the profits than in performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware as a service (RaaS) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations.
We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware as a service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed.
Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment. In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, how to harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

How RaaS redefines our understanding of ransomware incidents
The RaaS affiliate model explained
Access for sale and mercurial targeting
“Human-operated” means human decisions
Exfiltration and double extortion
Persistent and sneaky access methods
Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks
Defending against ransomware: Moving beyond protection by detection

How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link.
As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network. Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident.
Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365 Defender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit.
In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.

Figure 1. How the RaaS affiliate model enables ransomware attacks

Access for sale and mercurial targeting

A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it, in order to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network; instead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network.
Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

“Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain, culminating in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations they take advantage of and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack.
The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with the RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.

This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data.
This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as LAPSUS$), which is profiled below.
Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist, versus malware implants such as Cobalt Strike, is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

AnyDesk
Atera Remote Management
ngrok.io
Remote Manipulator System
Splashtop
TeamViewer

Another popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network.
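The persistence methods in this section (backdoor accounts granted Remote Desktop access, Remote Desktop enabled or its security reduced on a host, legitimate remote-admin tools) and the Rclone-style exfiltration described in the previous section all leave traces in Windows Security event logs. The following detection pass is an added example, not Microsoft’s code or detection logic: the key=value export format, the watched-tool list, and the host and account names in the sample events are this example’s own constructed assumptions.

```python
"""Flag persistence and exfiltration indicators of human-operated ransomware in
exported Windows Security events. Added example: the log format, tool list and
sample data are constructed for illustration, not Microsoft telemetry or code."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed export format: ISO timestamp, then key=value pairs (values with
# spaces are quoted). Field names are this example's own, not a Microsoft schema.
# Event IDs are the standard Windows Security ones:
#   4720 user account created, 4732 member added to a security-enabled local
#   group, 4657 registry value modified, 4688 new process created.
SAMPLE_EVENTS = """\
2022-06-01T03:10:02Z host=FS01 id=4688 process=C:\\Windows\\System32\\cmd.exe actor=jdoe
2022-06-01T03:12:08Z host=FS01 id=4720 target=svc_backup2 actor=jdoe
2022-06-01T03:12:41Z host=FS01 id=4732 group="Remote Desktop Users" member=svc_backup2 actor=jdoe
2022-06-01T03:13:05Z host=FS01 id=4657 key="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" value=fDenyTSConnections new=0 actor=jdoe
2022-06-01T03:15:30Z host=FS01 id=4688 process=C:\\Users\\Public\\rclone.exe actor=svc_backup2
2022-06-01T09:00:00Z host=WS17 id=4720 target=intern03 actor=helpdesk
2022-06-01T11:30:00Z host=WS17 id=4688 process="C:\\Program Files\\Notepad++\\notepad++.exe" actor=intern03
"""

RDP_USERS_GROUP = "Remote Desktop Users"
# Registry values under the Terminal Server key that, when set to 0, enable
# Remote Desktop or switch off Network Level Authentication.
RDP_WEAKENING = {("fDenyTSConnections", "0"), ("UserAuthentication", "0")}
# Executables of legitimate tools the article names as persistence or
# exfiltration aids. Constructed and non-exhaustive: extend with the binaries
# of the other tools listed above (Atera, Remote Manipulator System, Splashtop).
WATCHED_TOOLS = {"anydesk.exe", "teamviewer.exe", "ngrok.exe", "rclone.exe"}

Finding = namedtuple("Finding", "time host rule detail")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed-format line into a dict (time as datetime, id as int)."""
    stamp, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ev["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    ev["id"] = int(ev["id"])
    return ev


def analyze(lines, window=timedelta(hours=1)):
    """Return Findings for three indicator patterns, in event order.

    backdoor-rdp-account: an account created and then added to the Remote
    Desktop Users group on the same host within `window`.
    rdp-weakened: Terminal Server registry change that enables RDP or drops NLA.
    remote-tool-exec: a watched remote-access or sync tool was launched.
    """
    findings = []
    created = {}  # (host, account) -> creation time
    for ev in (parse_event(l) for l in lines if l.strip()):
        host, when = ev["host"], ev["time"]
        if ev["id"] == 4720:
            created[(host, ev["target"])] = when
        elif ev["id"] == 4732 and ev.get("group") == RDP_USERS_GROUP:
            t0 = created.get((host, ev["member"]))
            if t0 is not None and when - t0 <= window:
                findings.append(Finding(when, host, "backdoor-rdp-account",
                                        f"{ev['member']} created by {ev['actor']} and added to {RDP_USERS_GROUP}"))
        elif ev["id"] == 4657 and "Terminal Server" in ev.get("key", ""):
            if (ev.get("value"), ev.get("new")) in RDP_WEAKENING:
                findings.append(Finding(when, host, "rdp-weakened",
                                        f"{ev['value']} set to {ev['new']} by {ev['actor']}"))
        elif ev["id"] == 4688:
            exe = ev["process"].rsplit("\\", 1)[-1].lower()
            if exe in WATCHED_TOOLS:
                findings.append(Finding(when, host, "remote-tool-exec",
                                        f"{exe} run as {ev['actor']}"))
    return findings


def hosts_needing_ir(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct patterns fired: the cue to
    start incident response scoping rather than single-alert cleanup."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS.splitlines())
    for f in hits:
        print(f"{f.time:%H:%M:%S} {f.host} {f.rule}: {f.detail}")
    print("escalate to IR:", sorted(hosts_needing_ir(hits)))
```

On the sample, WS17's new account is never granted Remote Desktop access and runs no watched tool, so it produces nothing, while FS01 trips all three patterns within minutes and is the host to scope first.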
Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access and a hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars, because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

Figure 2.
Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022

The human-driven nature of these attacks and the scale of possible victims under the control of ransomware-associated threat actors underscore the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond to evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network.
When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, as well as Ryuk’s successor, Conti, and Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.
DEV-0193’s actions and use of the cybercriminal gig economy mean they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them under the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure as a service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon as a service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230.
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

Microsoft hasn’t observed a Conti deployment in our data since April 19, 2022, suggesting that the Conti program has shut down or gone on hiatus, potentially in response to the visibility of DEV-0230’s deployment of Conti in high-profile incidents or the FBI’s announcement of a reward for information related to Conti. As can be expected when a RaaS program shuts down, the gig economy nature of the ransomware ecosystem means that affiliates can easily shift between payloads. Affiliates who had previously deployed Conti have moved on to other RaaS payloads. For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly. Similarly, DEV-0230 shifted to deploying QuantumLocker around April 23, 2022.

ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest was made of an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon.
ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute them to a monolithic gang often obfuscates the true relationship between the attackers, which is certainly the case for the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware as a service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities.
This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and to turn compromised low-privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.

DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

DEV-0504 is an excellent example of how clustering activity based on ransomware payload alone can obscure the threat actors behind an attack. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of attackers under the DEV-0504 umbrella, including other REvil and BlackCat affiliates. The result is a confusing story of the scale of the ransomware problem and an overinflated view of the impact that a single RaaS program shutdown can have on the threat environment.

Figure 3. Ransomware payloads distributed by DEV-0504 between 2020 and June 2022

DEV-0504 shifts payloads when a RaaS program shuts down, for example after the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior, where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available or when they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads.
Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others. BlackCat remains DEV-0504’s primary payload as of June 2022.

DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and June 2022

Beyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups rather than performing their own initial compromise and malware development.

Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages the Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often uses BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload xxx.exe, a tradition that DEV-0237 continues no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March 2022, DEV-0237 was observed using a new version of Hive again.

In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive. While the group used other payloads such as BlackCat in the same timeframe, Nokoyawa became a more regular part of their toolkit. By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.

DEV-0237 is also one of several actors observed introducing other tools into their attacks to replace Cobalt Strike. Cobalt Strike’s ubiquity and visible impact have led to improved detections and heightened awareness in security organizations, leading to observed decreased use by actors. DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike.

DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment

The evolution of prevalent trojans from commodity malware to footholds for ransomware is well documented via the impact of Emotet, Trickbot, and BazaLoader. Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
Qakbot is delivered via email, often downloaded by malicious macros in an Office document. Qakbot’s initial actions include profiling the system and the network, and exfiltrating emails (.eml files) for later use as templates in its malware distribution campaigns.

Qakbot is prevalent across a wide range of networks, building upon successful infections to continue spreading and expanding. Microsoft tracks DEV-0450 and DEV-0464 as Qakbot distributors whose infections result in observed ransomware attacks. DEV-0450 distributes the “presidents”-themed Qakbot, using American presidents’ names in their malware campaigns. Meanwhile, DEV-0464 distributes the “TR” Qakbot and other malware such as SquirrelWaffle. DEV-0464 also rapidly adopted the Microsoft Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) in their campaigns. The abuse of malicious macros and MSDT can be blocked by preventing Office from creating child processes, which we detail in the hardening guidance below.

Historically, Qakbot infections have typically led to hands-on-keyboard activity and ransomware deployments by DEV-0216, DEV-0506, and DEV-0826. DEV-0506 previously deployed Conti but switched to deploying Black Basta around April 8, 2022. This group uses DEV-0365’s Cobalt Strike Beacon infrastructure instead of maintaining their own. In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access alongside Cobalt Strike Beacons.

Another RaaS affiliate that acquired access from Qakbot infections was DEV-0216, which maintains their own Cobalt Strike Beacon infrastructure and has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents.
Microsoft no longer sees DEV-0216 ransomware incidents initiating from DEV-0464 and DEV-0450 infections, indicating they may no longer be acquiring access via Qakbot.

DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad that leads to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update or a software package to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed their settings so that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double-clicks the script.

Once successfully executed, the JavaScript framework, also referred to as SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in the publicly documented Blister malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

Figure 6. The handover from DEV-0206 to DEV-0243

On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. Raspberry Robin is a USB-based worm first publicly discussed by Red Canary. The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.

DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j 2. Due to the nature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the tool’s module that creates renamed output files, most likely to evade static detections.
Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 vulnerability CVE-2021-44228.

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay. However, their frequent rebranding caused these systems to sometimes be unready for their victims, with the leak site sometimes leading to default web server landing pages when victims attempted to pay. In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022. Around June 6, 2022, the group began replacing Cobalt Strike with the Sliver framework in their attacks.

DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is the activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 in this blog. DEV-0537 started by targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare.
Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums that were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goal of forcing ransom payment, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further this goal, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions joining incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks as well as detecting them.
Ransomware attacks generate multiple, disparate security product alerts, but these can easily get lost or go unanswered in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key to disrupting the cybercriminal economy.

Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment can then be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern.
Many administrators know tools like Mimikatz and LaZagne and their capability to steal passwords from interactive logons held in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving it the most permissions possible. Many organizations struggle to fix this issue even when they know about it, because they fear they might break applications. This configuration is especially dangerous because it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can read. In organizations where local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin after an initial attack like a banking trojan. Building credential hygiene means developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

Here are some steps organizations can take to build credential hygiene:

- Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
- Use tools like LUA Buglight to determine the privileges that applications really need.
- Look for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly privileged, like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
- Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack compared with running them as Domain Admin.
- Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
- Use a cloud-based identity security solution that leverages on-premises Active Directory signals to get visibility into identity configurations and to identify and detect threats or compromised identities.

Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative accounts and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use this detection guidance to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks.
When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access to towards highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of their being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin-level privileges.

Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:

Cloud identity hardening

Multifactor authentication (MFA)

- Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
- Identify and secure workload identities to secure accounts where traditional MFA enforcement does not apply.
- Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their computers. Refer to this article for an example.
- Disable legacy authentication.

Cloud admins

Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access point for access brokers is a legacy system that isn’t protected by antivirus or EDR solutions. It’s important to understand that the lack of security controls on these systems, which have access to highly privileged credentials, creates blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

- Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
- Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
- Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Reducing the attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks.
In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:

Common entry vectors:

Ransomware deployment and lateral movement stage (in order of impact based on the stage in the attack they prevent):

In addition, Microsoft has changed the default behavior of Office applications to block macros in files from the internet, further reducing the attack surface for many human-operated ransomware attacks and other threats.

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as RiskIQ, can be used to augment this data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

- Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
- Block remote IT management tools such as TeamViewer, Splashtop, Remote Manipulator System, AnyDesk, and Atera Remote Management via network blocking such as perimeter firewall rules if they are not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched or partially patched, or because access brokers had established persistence on a previously compromised system despite it later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

Ransomware attackers also rapidly adopt new vulnerabilities.
To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE Engenuity ATT&CK® Evaluations, automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

In line with the recently announced expansion into a new service category called Microsoft Security Experts, we’re introducing the availability of Microsoft Defender Experts for Hunting for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

Join our research team at the Microsoft Security Summit digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. Register today.
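The two logon-event checks from the credential hygiene steps above (EventID 4624 with logon type 2, 4, 5 or 10 by a highly privileged account, and EventID 4625 failures after accounts are removed from privileged groups), worked through in Python as an added example that is not part of the Microsoft article. The event records are constructed in-memory and shaped after the Security log fields; the privileged-account and domain-controller lists are assumptions a team would fill from its own directory.

```python
"""Flag privileged-account logons that leave credentials exposed on a host.

Added example, not from the Microsoft article: applies its EventID 4624
check (logon types 2, 4, 5, 10 by a privileged account) and its EventID 4625
watch after a privileged-group clean-up. Events are constructed records
shaped like Security log fields (EventID, LogonType, TargetUserName,
Computer, IpAddress); hostnames, accounts and addresses are made up.
"""
from collections import Counter
from dataclasses import dataclass

# Logon types whose credentials end up in LSASS or LSA Secrets:
# interactive, batch (scheduled task), service, remote interactive (RDP).
EXPOSING_LOGON_TYPES = {2: "Interactive", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int          # 4624 = successful logon, 4625 = failed logon
    logon_type: int        # Windows LogonType field
    account: str           # TargetUserName, written here as DOMAIN\user
    computer: str          # host that recorded the event
    source_ip: str = "-"   # IpAddress field; "-" for local logons


def exposed_privileged_logons(events, privileged_accounts, domain_controllers=()):
    """Return (account, computer, logon type name) for successful logons by
    privileged accounts whose type caches reusable credentials on the host.
    Domain controllers are skipped: the concern is exposure on member
    servers and workstations, where a Domain Admin should not appear."""
    dcs = {h.lower() for h in domain_controllers}
    privileged = {a.lower() for a in privileged_accounts}
    findings = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type not in EXPOSING_LOGON_TYPES:
            continue
        if ev.account.lower() not in privileged or ev.computer.lower() in dcs:
            continue
        findings.append((ev.account, ev.computer, EXPOSING_LOGON_TYPES[ev.logon_type]))
    return findings


def failed_logons_by_account(events, min_failures=1):
    """Count 4625 failures per account. After an account is pulled from a
    privileged group, a burst of failures points at a service or task that
    still relies on it and needs a narrower identity, not re-elevation."""
    counts = Counter(ev.account for ev in events if ev.event_id == 4625)
    return {acct: n for acct, n in counts.items() if n >= min_failures}


# Constructed sample events (assumed environment, not real data).
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "CORP\\jdoe", "FS01", "10.0.0.15"),      # network logon: nothing cached
    LogonEvent(4624, 2, "CORP\\da-admin", "WS-042"),             # Domain Admin at a workstation console
    LogonEvent(4624, 5, "CORP\\svc-backup", "APP01"),            # privileged service account starting a service
    LogonEvent(4624, 10, "CORP\\da-admin", "DC01", "10.0.0.9"),  # RDP to a DC: expected location
    LogonEvent(4624, 4, "CORP\\svc-legacy", "APP02"),            # scheduled task under a privileged account
    LogonEvent(4625, 5, "CORP\\svc-legacy", "APP02"),            # failures after the account lost its rights
    LogonEvent(4625, 5, "CORP\\svc-legacy", "APP02"),
    LogonEvent(4625, 2, "CORP\\jdoe", "WS-042", "10.0.0.15"),    # one user typo, not a pattern
]
PRIVILEGED = {"CORP\\da-admin", "CORP\\svc-backup", "CORP\\svc-legacy"}  # assumed privileged set
DOMAIN_CONTROLLERS = {"DC01"}                                            # assumed DC list

if __name__ == "__main__":
    for acct, host, kind in exposed_privileged_logons(SAMPLE_EVENTS, PRIVILEGED, DOMAIN_CONTROLLERS):
        print(f"exposed: {acct} logged on to {host} via {kind}")
    for acct, n in failed_logons_by_account(SAMPLE_EVENTS, min_failures=2).items():
        print(f"{n} failed logons for {acct}: find the service or task still using it")
```

Feeding real data means exporting 4624/4625 events from Windows Event Forwarding and mapping the same five fields; the privileged set should come from group membership, not a hand-kept list.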
October 22, 2022
What happens behind the scenes during a hospital ransomware attack
The healthcare industry is under attack. One of the nation's largest health systems, Chicago-based CommonSpirit Health, has been dealing with a ransomware incident that has led to EHR outages and canceled appointments at its hospitals around the nation. Some facilities are just now starting to get their systems back online. While the hospital chain has released few specifics about the attack that began in early October, cybersecurity experts told Becker's what goes on behind the scenes at one of these events.

Hackers may have access to a company's systems weeks or months before it knows it's been breached, these experts say. The organizations either discover the attack themselves via suspicious activity, or are notified in not-so-subtle ways.

"You receive that deadly scary warning slide that comes up and says you're under a ransomware attack and your data is now held hostage and access to that data is not possible," said Vikki Kolbe, a cybersecurity advisor based in the Boston area. "Or you don't even get a message but one day come in as a privileged user and try to go about your business and can't pull up your data."

But that doesn't mean your entire system will be affected. At CommonSpirit, which operates more than 140 hospitals, some facilities went unscathed from the incident. That's likely because of "the nature of their network architecture and how they share the use of systems across their organization," said Jon Moore, chief risk officer and senior vice president of consulting services for cybersecurity firm Clearwater.

Hackers often get in through relatively simple ways, like phishing emails. These breaches used to be called malware, but are now referred to as ransomware because money is demanded, in the form of untraceable cryptocurrency.
Healthcare organizations are now stocking up on the digital currency just in case, said Patrick Angel, a cybersecurity consultant based in Dallas.

The hackers might also "ping" a public-facing or visible server to find out whether it's using an outdated operating system or has unpatched vulnerabilities, Mr. Angel said.

"The older the physical server, the older their operating system and therefore the more likely it has very few if any security features available," he said. "Healthcare is one of the industries notorious for having some of the oldest technology around."

The hackers may sit quietly on the network for months, seeing how many systems or how much data they can access, a technique referred to as "mining," Mr. Angel said.

The cyberattackers often encrypt the data so organizations can't access it, and regularly lock up the companies' backup databases as well. The hackers also sometimes steal the data, then threaten to release it publicly unless the ransom is paid.

While the FBI has advised organizations not to pay the cyber ransoms — and it's technically illegal if it involves a sanctioned individual or country — anywhere from 30 percent to 80 percent of companies end up forking over the money, estimates show. The businesses might conclude it's the quickest — and cheapest — way to get the data back and prevent any further breaches.

The average payment is $228,125, according to cybersecurity researcher Coveware's analysis of 2022 second quarter data. Last year, insurer CNA Financial Corp. reportedly paid $40 million to stop an attack, according to Bloomberg.

Organizations typically have cybersecurity insurance, but the quality depends on whether they can withstand "white hat" hackers hired by the insurers, Ms. Kolbe said. There are also now companies and experts that act as go-betweens between ransomware groups and the hacked businesses.

The average downtime caused by the attacks is 24 days, according to Coveware. CommonSpirit's IT issues, which are still ongoing, started being reported Oct. 3.

Some of these events never become public. One health system chief information security officer declined to comment to Becker's because doing so would amount to admitting to a ransomware attack.

However, more than 90 percent of ransomware events are avoidable, a 2019 Gartner report found. "Following the simple basics of IT hygiene is very valuable," Mr. Angel said. That includes "hardening," patching, deleting inactive or unused accounts, regularly backing up data, inventorying devices and data, and having data classification standards.

The acronym for incident response is PICERL — or preparation, identification, containment, eradication, recovery, lessons learned — Mr. Moore of Clearwater said.

"Preparation comes before the incident," he said. "Once the organization identifies that they have an incident, they will move to try to contain the attack. This might include taking services offline to prevent further spread. Next, they will try to eradicate any malicious software or alterations that the attacker may have made. Finally, they will try to recover their systems and collect lessons learned."
October 22, 2022
What is Malware? Definition, Purpose & Common Protections - eSecurity Planet
Anyone who has used a computer for any significant length of time has probably at least heard of malware. Short for “malicious software,” malware is any piece of computer software designed to disrupt the regular function of a network or device, to gain unauthorized access to certain hardware or systems, or to send user data to others without that user’s consent.

Malware has been present in the digital space since the 1980s, with early prank malware like the Morris Worm or the (c)Brain. However, malware is not quite as amusing in a modern context. From ransomware attacks locking businesses out of their data until they pay potentially millions of dollars to spyware tracking users’ every move through their infected device, the effects of malware can be devastating.

Today, malware is a common threat to the devices and data of anyone who uses the Internet. Since 2008, antivirus and cybersecurity software testers AV-TEST have kept track of the number of newly developed malware samples worldwide, totaling nearly 1 billion as of September 2022. An August 2022 Statista report counted 2.8 billion malware attacks worldwide in the first half of 2022 alone.

With so many attacks and unique types of malware out there, it’s important to have some idea of how malware works, how it can infect your devices, and what to do if you find yourself infected with it.

How Does Malware Work?

Malware’s functions vary wildly depending on what type of malware you’re dealing with. Broadly, malware will somehow be injected into a device or network and, if it can gain access to the files or systems it needs to, it will begin its work.

For example, once it infects your device, a keylogger will start tracking every keystroke you make and sending a log of those keystrokes to the hacker, allowing them to reconstruct any sensitive information you might have entered after infection, such as your PIN, password, or social security number.

To better understand how malware works, however, let’s look at some common types of malware and see how they function and what parts of a device or network they usually affect.

Common Types of Malware

Adware

Easily one of the most frustrating types of malware, adware is software designed to harass users with a torrent of unwanted or malicious ads. Adware is often smuggled onto a device, either by users who don’t know what they’re downloading or by hiding it in an otherwise innocuous piece of software like a search engine toolbar plugin for your browser.

This isn’t quite the same as a legitimate piece of software, such as a mobile game from a reputable developer, coming packed with online ads. Usually, those ads will be screened by the developer or whoever published the software online and don’t do anything unusual beyond wasting your time. Adware advertisements might appear in places where ads typically don’t show up; might be completely unrelated to the software or website you’re using, including the depiction of explicit material; and might even begin performing a number of unwanted tasks on your device.

These unwanted tasks can include:
- opening new tabs in your browser without you clicking on anything
- website links redirecting to completely different websites from what you expect
- fully crashing your browser

Some signs of adware infection include:
- Your browser is noticeably slower than usual
- NSFW ads on otherwise SFW websites
- New toolbars, plugins, or extensions appearing on your web browser without you installing them
- Your browser’s homepage changing without your permission

Ransomware

One of the most dangerous kinds of malware for businesses, ransomware can slip into a network or device and encrypt sensitive files or lock down the entire device unless the victims pay the hacker a usually sizable fee to unlock it – and even then, decryption fails most of the time. Modern ransomware hackers often double or triple up on the extortion by demanding additional fees to ensure that sensitive files are not leaked to the public.

Ransomware is one of the most virulent forms of malware on the modern Internet. A report from IBM claims that 21% of all cyber attacks the company remediated in 2021 were ransomware, making it the most common type of attack in the report. The method of infection can vary from attack to attack and can include social engineering strategies, such as phishing and email spoofing, or a fraudulent website masquerading as legitimate, among others.

Once a system is infected, ransomware attacks usually come in three stages:
- Surveillance: The hackers scan their target for more information on the system they are attacking. In particular, they’ll look for sensitive files which can be used for potential double-extortion attempts or additional access credentials with which to spread the ransomware across more devices.
- Activation: The ransomware begins encrypting sensitive files or locking down the system. In the former case, an attacker will use asymmetric encryption to lock down these files, encrypting with a public key but keeping the private key for decryption. This means the files can’t be restored without the attacker’s help. To apply more pressure, the attacker might also encrypt backup files to render them inaccessible. In the latter case, the ransomware will freeze the device’s screen or apply so many pop-ups to the device that it’s rendered unusable.
- The Ransom Note: The ransomware notifies its victims of the infection via a .txt file on the infected device or a pop-up. This note will provide instructions on how to pay the ransom, usually through difficult-to-trace means like cryptocurrency.

Rootkits

Rootkits are essentially software toolboxes which allow hackers to infiltrate a device’s systems and gain remote control of it. This makes them incredibly difficult to detect and remove, though there are tools like rootkit scanners which can help.

Typically, attackers will use rootkits to spy on users and launch cyber assaults, such as a distributed denial of service (DDoS) attack, but the aforementioned software toolbox contains a variety of malicious implements. This can include programs with which the hacker can disable security software, install keyloggers, or steal sensitive information like passwords or credit card details.

There are a few viable ways to install a rootkit, but they will typically target some weakness in either an application installed on the target device or the target device’s operating system (OS).

There are also several different types of rootkits to be aware of:
- Application Rootkits: Application rootkits replace a device’s files, altering common applications like Notepad. Whenever a user uses the infected file, it gives the attacker access to their computer.
- Bootkits: This type of rootkit targets a computer’s bootloader, the software responsible for loading the computer’s OS into RAM upon startup. Bootloaders are usually launched from a disc, USB drive, or hard drive, which tells the computer where its bootloader program is. Bootkits replace the legitimate bootloader with an infected version. This type of rootkit is especially difficult to detect and drive out, since it won’t typically show up in a user’s file system. Additionally, removal might further damage the computer if the bootkit has altered the device’s boot records.
- Firmware Rootkits: Firmware rootkits are usually used to infect a device’s hard drive or basic input/output system (BIOS), but they can be used to infect routers or intercept data written on hard discs as well. Firmware rootkits are also known as “hardware rootkits.”
- Kernel Mode Rootkits: One of the most complicated forms of rootkit, kernel mode rootkits target the core components of a device’s operating system, called the kernel. They often evade detection by operating at the same security level as the operating system itself, making them capable of especially devastating cyber attacks. However, kernel mode rootkits also require a high degree of technical competency, as any bugs or glitches within the rootkit can leave an easy trail for antivirus software to sniff out.
- Memory Rootkits: The final type of rootkit we’re covering will camouflage itself within a computer’s random-access memory (RAM). While there, they can inflict significant damage while also severely hampering a device’s performance by consuming massive amounts of RAM resources with whatever programs they have running. Memory rootkits are also often the shortest-lived type of rootkit, with most being erased when a computer reboots.

Spyware

As the name implies, spyware hides on your devices in order to monitor and transmit your data to the hacker or hackers who deployed it. This information can range from what websites you visit to your download history to your bank PIN. This software can function similarly to Facebook or Google’s targeted ad technology, which can track which websites you visit and provide ads based on that history, such as getting ads for cribs after looking up baby names.

There are innumerable methods of infiltration for spyware, from social engineering tactics to malicious software concealed in software bundles to exploiting security vulnerabilities in your device’s hardware or software. It’s one of the most infectious forms of malware out there.

Types of spyware are often classified based on what information they’re gathering. Keyloggers track your device’s keystrokes, password stealers do what the name says, and infostealers attempt to snatch a variety of sensitive information from their victims.

Trojans

Named for the Trojan Horse from Homer’s Odyssey and Virgil’s Aeneid, trojans function similarly to their mythological namesake by convincing users to install them on their device via social engineering schemes. This can come in the form of downloading free programs such as a game or a screensaver, visiting questionable video-hosting websites, or opening an attachment infected with the trojan.

Since its name describes how it gets into a system more than what it does there, trojans cover a broad range of malware:
- Spyware can often be injected into a device as a trojan.
- Once downloaded, a computer worm can automatically spread itself across connected devices, such as via the Internet or via a local area network (LAN), to devastating effect.
- Remote access trojans (RATs) can provide hackers with backdoors into the infected device and allow them to control target computers via a remote network connection.
- Downloader trojans can be used to download other forms of malware onto a device.

What are Some Common Signs of a Malware Infection?

While malware comes in a variety of different shapes and sizes, there are some symptoms which many of the various types can share:
- Slowed system performance
- You can’t access the Control Panel
- Strange pop-up windows and messages
- Unusually high network activity
- Your antivirus program or other security solution is randomly disabled
- Missing or corrupted programs
- Programs being opened or accessing the Internet without your permission

This isn’t a comprehensive list, and even if your computer hasn’t shown any of these signs, there’s still a chance malware has infiltrated your machine. As such, it’s best to keep an antivirus program or similar security solution handy to increase your odds of catching malware before it can do too much damage.

Ways to Protect Your Network Against Malware

Thankfully, as scary as malware can be, individuals and businesses have ways to protect themselves against it.

Both businesses and users alike can benefit from having good antivirus software on hand to detect and remove potential threats. Though, as digital rights group Electronic Frontier Foundation notes, “antivirus software is usually ineffective against targeted attacks.” While it’s still good to have antivirus software to deal with untargeted attacks (such as the links on a malicious website), ransomware and similarly focused assaults will need additional protections.

An important piece of advice is to maintain a robust series of backups for all your important files and data, usually multiple backups using several different storage methods if possible. An offline storage solution, such as a hard drive or USB drive, is especially helpful, though not necessarily feasible if your business handles enough data to require, say, its own cloud storage solution. Still, maintaining and regularly updating your backups will help blunt a lot of the damage malware typically inflicts on its victims. And immutable backups are a particularly important ransomware protection.

Businesses can implement strategies like a zero-trust framework to help keep themselves safe, as well as adopt more sophisticated security solutions than individual users typically have access to. Examples include intrusion detection and prevention (IDPS) tools to block potentially malicious network traffic, network access control (NAC) to help maintain network safety with more and more employees working remotely, and increasingly vital next-generation firewalls (NGFW) for defending your data and applications from attack.

Finally, one of the simplest yet most effective tools for keeping yourself and your network safe against malware is personal vigilance. Avoid opening email attachments from accounts you don’t recognize, stay away from shady websites, make sure your passwords are secure and difficult to crack, and don’t download anything from sources you don’t absolutely trust. Indeed, malware can often be avoided by simply not clicking on infected links or files, making employee security awareness training one of the most critical defenses of all.

How to Identify and Remove Existing Malware

If you know your device or network is plagued with malware, there are a few steps you can take to get rid of it before it can do more damage. The first step, if possible, is to disconnect from the Internet. This can help prevent the malware from sending your data to the hacker who deployed it. If you must download a tool or software to begin removing the malware, disconnect as soon as it has finished downloading. Only reconnect once you’re sure the issue has been dealt with.

A good antivirus or malware-scanning program will usually have routines in place to remove detected instances of malware, but that can’t always be relied upon to fix the problem.

If your software solution proves ineffective, the next step is usually restarting or rebooting your machine. It can be good to boot in Safe Mode. Some types of malware, such as memory rootkits, will disappear once your system reboots. How an OS enters Safe Mode differs between systems, but instructions can usually be found online, such as Microsoft’s instructions for Windows 10.

If a restart fails to solve the problem, a full system recovery or reinstallation might be necessary to fully rid yourself of malware’s grip on your device. However, this can usually result in significant data loss, which is why maintaining backups for important data is so critical.

Ultimately, no foolproof solution has yet been found for preventing cyber attacks, beyond disconnecting from the Internet and living up in the mountains away from civilization, but knowing more about malware, how it works, and how to get rid of it can be a big help in keeping your device and data safe.
October 23, 2022
US govt warns of Daixin Team targeting health orgs with ransomware - Bleeping Computer
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

The federal agencies also shared indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) in a joint advisory issued today to help security professionals detect and block attacks using this ransomware strain.

"The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022," the advisory revealed.

Since June, Daixin Team attackers have been linked to multiple health sector ransomware incidents where they've encrypted systems used for many healthcare services, including electronic health records storage, diagnostics, imaging services, and intranet services.

They're also known for stealing patient health information (PHI) and personally identifiable information (PII) and using it for double extortion to pressure victims into paying ransoms under the threat of releasing the stolen information online.

The ransomware gang gains access to targets' networks by exploiting known vulnerabilities in the organizations' VPN servers or with the help of compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) toggled off.

Once in, they use Remote Desktop Protocol (RDP) and Secure Shell (SSH) to move laterally through the victim's networks.

(Image: Daixin Team ransom note, CISA/FBI/HHS)

To deploy the ransomware payloads, they escalate privileges using various methods, such as credential dumping. This privileged access is also used to "gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment" with the same goal of encrypting the systems using ransomware.

"According to third-party reporting, the Daixin Team's ransomware is based on leaked Babuk Locker source code," the federal agencies added. "This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/."

Before encrypting their victims' devices, they use Rclone or Ngrok to exfiltrate stolen data to dedicated virtual private servers (VPS).

U.S. health organizations are advised to take the following measures to defend against Daixin Team's attacks:
- Install updates for operating systems, software, and firmware as soon as they are released.
- Enable phishing-resistant MFA for as many services as possible.
- Train employees to recognize and report phishing attempts.

In August, CISA and the FBI also warned that attackers known for mainly targeting the healthcare and medical industries with Zeppelin ransomware might encrypt files multiple times, making file recovery more tedious.
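A defender-side triage check for the ESXi datastore symptoms the advisory describes (VM files under /vmfs/volumes/ encrypted, a ransom note dropped in the same tree), written here as an added example rather than CISA/FBI/HHS code. The entropy threshold, the VMware extent-naming heuristic, the choice of which extensions are plaintext, and the constructed sample tree are all assumptions, not facts from the advisory.

```python
"""Datastore triage for the ESXi symptoms in the Daixin advisory.
Added example, not CISA/FBI/HHS tooling. Assumptions (not in the advisory):
.vmx/.vmsd files and .vmdk descriptors are plain text on a healthy host, so a
high-entropy header means they were rewritten (encrypted); the note's file
name is unknown, so any stray non-hidden, non-VM file near the top is reported."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the advisory says get encrypted under /vmfs/volumes/.
VM_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}
TEXT_EXTENSIONS = {".vmx", ".vmsd"}   # plaintext key = "value" files
HEADER_BYTES = 4096
ENTROPY_THRESHOLD = 7.0   # bits/byte: configs sit near 4-5, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_text_metadata(path: Path) -> bool:
    """Files expected to be readable text: .vmx, .vmsd and .vmdk descriptors
    (not '-flat', '-delta' or '-sNNN' extents, which hold raw disk data)."""
    if path.suffix in TEXT_EXTENSIONS:
        return True
    if path.suffix == ".vmdk":
        stem = path.stem
        return not (stem.endswith(("-flat", "-delta")) or "-s0" in stem)
    return False

def scan_datastore(root: str) -> dict:
    """Walk root (e.g. /vmfs/volumes) and return sorted lists of findings."""
    base = Path(root)
    encrypted, stray = [], []
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(base)
        if path.suffix in VM_EXTENSIONS:
            if is_text_metadata(path):
                with path.open("rb") as fh:
                    header = fh.read(HEADER_BYTES)
                if shannon_entropy(header) > ENTROPY_THRESHOLD:
                    encrypted.append(rel.as_posix())
        elif len(rel.parts) <= 2 and not path.name.startswith("."):
            # <root>/<note> or <root>/<datastore>/<note>: normally only VM
            # directories and hidden system files sit at these two levels.
            stray.append(rel.as_posix())
    return {"encrypted_metadata": sorted(encrypted), "stray_files": sorted(stray)}

def build_sample_tree(base: str = "") -> str:
    """Constructed sample datastore (not real data) for exercising the scan."""
    base = base or tempfile.mkdtemp(prefix="vmfs-sample-")
    vm_ok = Path(base, "ds1", "vm-a")
    vm_ok.mkdir(parents=True)
    (vm_ok / "vm-a.vmx").write_text('.encoding = "UTF-8"\nconfig.version = "8"\n' * 40)
    (vm_ok / "vm-a-flat.vmdk").write_bytes(os.urandom(HEADER_BYTES))  # raw extent: skipped
    vm_hit = Path(base, "ds1", "vm-b")
    vm_hit.mkdir(parents=True)
    (vm_hit / "vm-b.vmx").write_bytes(os.urandom(HEADER_BYTES))  # stands in for ciphertext
    Path(base, "PLACEHOLDER-NOTE.txt").write_text("constructed ransom note placeholder\n")
    return base

if __name__ == "__main__":
    print(scan_datastore(build_sample_tree()))
```

On a real host the scan is read-only, so it is safe to run against /vmfs/volumes/ during triage; anything it flags still needs a human to confirm before recovery decisions are made.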