August 15, 2023Most Impactful Ransomware Attacks of 2023 - Security Boulevard
2023 looks set to be another record-breaking year for ransomware. In the first half of the year our data found that publicized attacks represented a 49% increase over the first six months of 2022. But it’s important to remember that not every ransomware attack is made public. A more disturbing figure is the number of undisclosed ransomware attacks of 2023, a massive 1,815 in the first six months of this year. By taking these figures into account can we paint a more realistic picture of the real ransomware landscape.This year has seen many notable attacks, and in this blog, we highlight some of the biggest publicly reported attacks of the year along with some of the biggest fallouts we’ve seen to date.Read on to see what attacks earned a spot on our top 10 list.1In January we saw Royal Mail fall victim to a ransomware attack at the hands of LockBit. The group hacked into the UK’s postal services’ software and blocked all international shipments by encrypting files. Negotiations took place between the two sides, but after two weeks, LockBit set a ransom demand of $80 million, 0.5% of the company’s revenue, in exchange for the decryption of the files. Royal Mail chose to not pay the ransom and take the risk of their data being leaked, which ultimately happened.2Months later, the US Marshals Service is still recovering from an attack which took place in February. The attack impacted a computer system which held sensitive law enforcement data belonging to the Technical Operations Group (TOG) who provide surveillance capabilities to track fugitives. “Most critical tools” were restored within 30 days, but the Marshal’s service is still to bring in a new version of the impacted system online with better security. Stolen data included employees’ personally identifiable information alongside returns from legal processes, administrative information and PII pertaining to subjects of USMS investigations and third parties.3Medusa hit the headlines when the group claimed an attack on Minneapolis Public Schools, exfiltrating a trove of data and demanding $1million to keep the information from being posted on the dark web. The reason behind the headlines was more sinister than the attack itself, it was the data they eventually leaked that caused a stir. Confidential information including complete sexual assault case folios were among the 300,000 files dumped by the ransomware group in March after the attack. Other leaked information included medical records, discrimination complaints, SSNs and contact information of district employees.4Another ransomware attack with sinister consequences was reported in March when ALPHV, aka BlackCat, infiltrated Lehigh Valley Health Network’s computer system. The incident involved systems used for “clinically appropriate patient images for radiation oncology treatment” and other sensitive information. The notorious ransomware group leaked naked images of breast cancer patients along with medical questionnaires, passports, and other sensitive patient data after the healthcare provider refused to pay the ransom demanded. LVHN have since faced lawsuits in relation to this ransomware attack.5British outsourcing company Capita was hit by a ransomware attack in March, since reporting that recovery from the incident is expected to cost up to $25million. Expenses have been attributed to “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.” The attack was “significantly restricted” by the company’s security team, but it was confirmed that customer, supplier, and employee data may have been stolen during the incident. BlackBasta claimed responsibility for the attack and has published data belonging to the organization. Not only has Capita incurred exceptional costs but the share price for the company dropped 12% after the attack.6Managed Care of North America (MCNA) Dental exposed a data breach which impacted almost 9 million patients. LockBit claimed the attack, threatening to publish 700GB of sensitive confidential information unless the $10million ransom was paid. Data including PII, health insurance information, care for teeth or braces documentation, and bills and insurance claims was later posted on the group’s dark web site. On the notice MCNA provided, there was also an extensive list of over one hundred healthcare providers that may have been indirectly impacted by the incident.7The fallout from a ransomware attack on City of Dallas in May this year is still making the news. The city was forced to shut down some of its IT systems, with a number of functional areas including the police and fire department experiencing disruption. It has recently come to light that over 26,000 people were affected by the attack orchestrated by Royal ransomware group. Information including names, addresses and medical information is among the data exfiltrated by the threat actors. Some city employees have already reported identity theft, with some of their children also having personal information stolen. In August, it was announced that the Dallas City Council approved $8.6 million in payments for services relating to the attack, including credit monitoring for potential identity theft victims.8In June it was announced that St Margaret’s Health (SMH) in Illinois would be closing after 120 years of serving the community, partially due to a 2021 ransomware attack. The attack crippled operations for months, catastrophically impacting the hospital’s ability to collect payments from insurers for services rendered and forced the shutdown of the hospital’s IT network, email systems, electronic medical records, and other web operations. Other factors leading to the closure included unprecedented expenses tied to COVID-19, low patient volumes and staff shortages.9At least four Australian banks were impacted when a major ransomware attack hit law firm HWL Ebsworth in June. BlackCat claimed the attack, successfully accessing HWL’s servers and exfiltrating 4TB of data. Westpac, NAB, the Commonwealth Bank and ANZ were among the many public and private sector entities who may have had data stolen during the incident. The ransom was reportedly $5million AUSD which the law firm refused to pay. 1.4TB of the exfiltrated data was publicly released which included financial information, customer documentation, and local and remote company credentials.10Ransom demands are not declining, which is made clear by the $70million ransom demanded by Bassterlord following an attack on TSMC. The threat actor, who is affiliated with LockBit, live tweeted the ransomware attack, sharing screenshots of information relating to the company. LockBit posted the attack on their site and stated should the ransom payment not be made the data would be leaked along with published points of entry into the network and password and company logins. TSMC has reported that it has not been breached but rather the systems of one of the IT hardware suppliers, Kinmax Technology, was hacked.11Barts Health NHS Trust, the largest health trust in the UK, was hit by a ransomware attack in June which was claimed by ALPHV, aka BlackCat. The gang stated that it had stolen 7TB of sensitive data in what is claimed to be the biggest breach of healthcare data in the United Kingdom. Samples of the stolen data included employee identification documents including passports and driver’s licenses and labelled internal documents. They also claim to have “citizens’ confidential documents.” The trust is still investigating the scope of the attack.12A class-action lawsuit has been filed against Tampa General Hospital following a cybersecurity incident reported in July. The incident resulted in the theft of protected personal health information (PHI) of up to 1.2 million patients. Although data was stolen, the hospital clarified that the hackers had failed in their attempt to launch a ransomware attack, with robust security systems preventing encryption of files and further damage. The class-action law suit filed against the hospital is for “failing to protect the personal data of its patients.” The hospital is also being accused of failing to notify impacted individuals on time, taking nearly two months to notify them.We will continue to update this blog as the year continues with other notable ransomware attacks that make the headlines.
August 15, 2023Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics
Aug 15, 2023THNLinux / RansomwareThe threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors.Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore.The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors."Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said.A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul.Some of the crucial changes include the addition of a '--whitelist' parameter to instruct the locker to skip a list of virtual machines as well as the removal of command-line arguments --size, --log, and --vmlist.The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and solely rely on the file size for its encryption process.In other words, files larger than 1.048 MB but smaller than 4.19 MB will only have the first 100,000 (0xFFFFF) bytes of the file encrypted, while those exceeding 4.19 MB have a chunk of their content locked depending on the outcoming of a Shift Right operation.Files that have a size smaller than 1.048 MB will have all their contents encrypted."It's likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm," the researchers said."Furthermore, by altering the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
July 19, 2023The Role of Tape Backups in Disaster Recovery Planning (DRP) - Storware
In today’s business environment, disaster recovery planning is essential to maintain uninterrupted operations. Unforeseen events like natural calamities, cyber intrusions, power failures, and human mistakes can lead to substantial damages in terms of data, efficiency, and profits. Hence, to counter such challenges, companies need to develop a robust disaster recovery strategy that specifies the actions to be taken during a crisis.For a long time, tape backups have been vital to disaster recovery planning due to their durability and reliability, making them ideal for such scenarios. So, this blog post explores the role of tape backups in disaster recovery planning, how they fit into the plan, their advantages, and the associated risks.Overview of Disaster Recovery PlanningDisaster recovery planning is developing a strategy to safeguard your company against the adverse consequences of unforeseen occurrences like power outages, cyber assaults, equipment breakdowns, and natural calamities. This plan itemizes the measures your business will take to guarantee the uninterrupted operation of crucial operations in case of a catastrophe.Importance of disaster recovery planningAll organisations need to have a disaster recovery plan since it can reduce downtime, safeguard business assets, and preserve customer confidence. In the event of a disaster, a well-executed disaster recovery plan can enable swift recovery and the resumption of business operations with minimal disruption. Furthermore, a disaster recovery plan can assist in fulfilling legal and regulatory requirements, particularly in industries that mandate disaster recovery plans. Moreover, having a disaster recovery plan can enhance an organisation’s reputation and credibility. Customers and partners are likelier to trust a company with a plan to secure their information and ensure business continuity.Key components of a disaster recovery planAn essential aspect of disaster recovery planning is to encompass the following significant components:The initial step is to conduct a risk assessment to identify potential hazards and threats to your business, such as natural calamities, cyber-attacks, power outages, and equipment failures. After identifying potential risks, the next step is to conduct a business impact analysis to evaluate the impact of these risks on your business. This involves identifying critical business functions, systems, and data and determining how long your business can operate without them.Based on the risk assessment and business impact analysis, it is necessary to develop recovery strategies to restore critical business functions and systems. These may include backup and recovery strategies, alternative communication channels, and alternative work locations. After devising recovery strategies, creating a comprehensive plan specifying your organisation’s actions to recuperate from a calamity is crucial. The plan should include a thorough guide for restoring vital systems and data, as well as procedures for communication and notification. Following the plan’s development, testing it, and ensuring it functions as intended is crucial. Consistent testing and training are essential in guaranteeing the organisation’s ability to recover from a disaster swiftly.Tape Backups in Disaster Recovery PlanningTape backups play a vital role in disaster recovery planning due to their reliability and security in backing up critical data and systems. They enable the creation of off-site backups stored in a safe location, separate from the primary business site. Should a disaster occur, these backups can be swiftly accessed and utilized to restore crucial systems and data. Moreover, tape backups are versatile and can back up various data and systems, such as servers, databases, and applications. This feature makes them an ideal backup solution for organisations of all sizes and industries.Advantages of using tape backups in disaster recoveryRegarding disaster recovery planning, using tape backups offers several benefits. Firstly, they are a dependable way to back up essential data and systems because they are less vulnerable to vulnerabilities than digital storage. Also, they can be stored for extended periods without losing quality, which makes them a reliable option for long-term archiving.Furthermore, tape backups are cost-effective as they require minimal hardware and are often less expensive than other methods. Meanwhile, tapes have a long lifespan and can last many years if stored correctly. Lastly, tape backups offer enhanced security as they can be kept securely away from the central business premises protecting against theft, fire, and other disasters.Best practices for using tape backups in disaster recoveryTo guarantee that your tape backups are adequate during disaster recovery, it’s crucial to adhere to the best practices for utilizing tape backups. Listed below are some best practices for tape backups in disaster recovery:Regular backups: Consistent backups are essential to guarantee the safety of your data and systems. It’s advisable to back up your vital data and systems at least once a week.Off-site storage: Storing your backups off-site is crucial to safeguarding them from calamities that may impact your primary business location. The recommendation is to store your backups securely far from your primary business location.Backup testing: Regularly testing your backups is vital in ensuring their efficiency. The widely advised etiquette is to test your backups at least once a quarter.Safe transportation: If you need to transport your backups to an off-site location, it’s necessary to ensure their safety during transportation. This involves using a secure transport service and keeping track of your backups during transit.Documentation and tracking: Keeping a record and tracking the location of backup tapes is crucial in quickly retrieving them in case of a disaster.Challenges and Risks of Using Tape Backup for Disaster RecoveryIn disaster recovery, using tape backups presents several difficulties organisations must face. Arguably, the most significant challenge is the time required to restore data from tape backups. Compared to alternatives like disk backups, tape solutions are notably slower. As a result, restoring large quantities of data from tape backups can be a time-consuming process. Another obstacle is the possibility of data loss due to tape degradation. When you store tapes in less-than-ideal conditions, degradation can occur over time. This may result in the loss or corruption of data, which can be a significant issue during disaster recovery.Using tape backups in disaster recovery also poses various risks. For instance, the physical damage to tapes represents a potential threat to data. Should tapes become damaged, organisations may be unable to recover data, which can be problematic. Similarly, the possibility of theft or loss of tapes carrying sensitive data presents another risk. Losing or having tapes stolen can result in data breaches and severe repercussions for the organisation.Mitigating the risksTo reduce the risks associated with data backup tapes, there are various measures that organisations can adopt. One of the primary measures is to ensure that you keep tapes in a secure and climate-controlled environment that safeguards them against damage from moisture, heat, or other environmental factors. Another critical step is establishing a secure chain of custody for the tapes, with well-defined processes governing their handling and transportation. Also, conducting regular tests and versification of the tape backups is essential to ensure that you restore the data accurately and promptly during a disaster.This involves testing backup and restore procedures to confirm they are properly functioning. Organisations can ensure their data remains secure and recoverable during an unforeseen catastrophe by adhering to these best practices and regularly testing and verifying the tape backups.Alternatives to Tape BackupsAlthough tape backups have been a favored backup solution for a long time, there are now a few other alternatives to consider. These include:Cloud storage: As a backup alternative, cloud storage has become more popular recently. This option provides an off-site backup choice that is easily accessible and rapidly recoverable.Disk-based backup: Hard or solid-state drives are examples of disk-based backup options offering quicker backup and recovery times than tape backups.Both disk-based backup and cloud backup offer distinct pros and cons. Disk-based backup boasts faster backup and restoration times and increased flexibility, yet it can prove pricier than tape backup. On the other hand, cloud backup presents a cost-effective and scalable option. Still, there may be better fits for some organisations.How to choose the right backup option for your organisationTo identify the most suitable backup option for your organisation, there are various elements you need to take into account, which include:Recovery Point Objective (RPO) refers to the maximum amount of data loss your organisation can bear should a disaster occur. If your RPO is low, you should opt for a backup solution that frequently creates backups with minimal data loss.Recovery Time Objective (RTO): This implies the longest acceptable downtime for your organisation in the event of a disaster. If your RTO is low, you need a fast restore time backup option.Cost: You must evaluate each backup option’s initial and ongoing expenses. While tape backups may have a lower initial price, they require more maintenance and have higher long-term costs.Compliance: If your organisation has strict compliance requirements, you must choose a backup solution that meets those requirements.Scalability: You must consider how effortlessly you can expand or reduce your backup solution as your organisation grows or changes.Security: It is crucial to ensure that your backup solution provides sufficient protection to safeguard your data from unauthorized access or theft.Considering these factors, you can select the backup option catering to your organisation’s requirements.Final ThoughtTape backups have been a common choice for disaster recovery planning for many years. Despite challenges and risks, they provide dependability, affordability, and durability benefits. While tape backups are essential for disaster recovery planning, exploring other backup solutions, such as cloud storage or disk-based backups, is crucial.To create an effective disaster recovery plan, it’s crucial to evaluate all backup options, including tape backups. By following proper procedures for tape backups and considering alternative backup solutions, organisations can guarantee that they will recover from a disaster and maintain normal operations.Learn more about Tape backup:
July 21, 2023EditShare Assists PROGRESS With Archive Preservation, Monetization
EditShare Assists PROGRESS With Archive Preservation, Monetization EditShare has a continuing relationship with PROGRESS.film, one of the biggest theatrical distributors in Europe and owner of vast archives of historical film. As well as supporting in-house production, the EditShare storage network is closely integrated with AI technology from Veritone to build a platform to monetize the archive.PROGRESS was founded in East Berlin in 1950 and, until the fall of the Wall, was the only film distributor in East Germany. Today it holds the complete film heritage of East Germany, along with exclusive collections from East and West Europe, Vietnam, Ukraine, the US and more. The archive runs to more than 26,000 films.Part of PROGRESS is a production company, LOOKS.film, specializing in historical documentaries. Original footage shot by LOOKS is also added to the archive, becoming a resource for film-makers of the future. LOOKS selected EditShare as the best platform to support its production activities, and parent company PROGRESS recognized that the flexibility, security and power of the EditShare solution was ideal as the foundation of its archive projects.The goal was to create workflows which would enable the team to bring online vast amounts of film at multiple locations across Europe, and link it with excellent metadata in part generated by AI software. By integrating the EditShare storage network with a highly automated commerce platform from Veritone using APIs to build a seamless solution, PROGRESS provides archive access to film-makers everywhere, with a cost-effective license and delivery workflow.“We acknowledge that our archive represents a unique library of unmatched historical and cultural significance,” says Gunnar Dedio, CEO at PROGRESS. “We wanted to make this as widely available as possible, by giving film-makers simple online access to search through our archive, select the footage they need, and to create a license and download their content.“After extensive technical trials, we identified the two best players in the field, EditShare, and Veritone,” he continued. “They worked together on the APIs which enabled us to create the powerful, seamless system we have today.”At the heart of this system is the three-tier storage network from EditShare. At the top layer is an EFS server with a total of 120TB of storage, providing fast and agile access for online users including eight editing suites. Supporting that is another EditShare disk structure providing 320TB of nearline storage, making all content in current use readily accessible, and providing a buffer layer to move content in and out of archive.The third tier is an EditShare ARK LTO8 tape library. Currently this has around a petabyte of storage but can continue to grow, and provides secure backup as well as highly resilient long-term archiving. EditShare FLOW asset management manages all levels of storage and generates proxies as required, and runs on its own servers.“This scope and significance of the archive project at PROGRESS is huge,” says Said Bacho, chief revenue officer at EditShare. “But it is achieved with standard building blocks from EditShare: server nodes, nearline storage and tape archives, brought together with FLOW software. We are very proud of this project, and it shows clearly what can be achieved with technology based on open standards and simple APIs.”
July 18, 2023White House Cybersecurity Strategy Implementation Plan Released - CPO Magazine
... at new ransomware payment and cyber incident reporting requirements. ... operations to actively disrupt players in the “ransomware ecosystem.
July 18, 2023Four steps to reducing cyber risk vulnerabilities | Analysis - Strategic Risk Europe
From ransomware and data breaches to insider risks, cyber events remain significant sources of financial loss and disruption for companies of all sizes.Reducing this risk requires understanding a company’s major business priorities, and how you would continue to deliver value to your customers, even during a serious cyber incident. Building this concept of cyber resilience for your own company is no easy task, as it requires a coordinated effort across an organisation’s risk, cybersecurity, and financial leadership.But in today’s world of sophisticated cyber adversaries, it is critical to ensure your organisation can take a digital hit, and survive.Against a dynamic risk such as cyber, a “set it and forget it” approach is not sustainable as cybercriminals continue to find new ways to exploit vulnerabilities.There are several best practices that we see proving effective, however, in narrowing cyber exposures and improving organisations’ resilience to cyber risk.Current best practices that cyber insurance underwriters like to see, and which cyber criminals don’t, include:Security awareness trainingIn cyber risk management, ironically humans are often considered the weakest link in the cybersecurity chain. KnowBe4 even puts phishing success benchmark rates as high as 33.2% in 2023.However, with appropriate security awareness training, employees can also become an organisation’s sentinels and identify threats early on.Training helps establish behavioural expectations and exposes staff to real-world scenarios, showing them what they should look out for, and what to avoid.“Building a security culture in any organisation is not possible without increasing staff awareness”Security awareness training is also a good way to discover where in an organisation’s systems users are susceptible to cyber threat vectors, and which behaviours make them more susceptible, allowing the organisation to put in place additional technical controls or training specific to the employee’s role to help minimise impact.Building a security culture in any organisation is not possible without increasing staff awareness. Training can inform and enable everyone in the organisation to take responsibility for increasing cybersecurity as security cannot be the sole responsibility of the security department.Identity and access management (IAM)Identity and access management has become the new perimeter in cyber security.One reason phishing is still a leading vector for harvesting credentials is criminals’ understanding that the right identity and access privilege is equivalent to holding the keys to the castle.A digital identity can belong to a human as well as a non-human – that is, software or another system that an organisation permits to access its network.A holistic IAM program is essential to managing all identities within an organisation.Three tactics have proven especially helpful in strengthening IAM. These are:Multi-factor authentication (MFA). This tactic uses hardware tokens or additional means of verifying a user’s identity, such as an alphanumeric code sent to an authorised email or mobile phone. MFA has been demonstrated to stop an attacker who has phished account details or stolen access credentials.Privileged access management (PAM). This form of access management can monitor, manage and automate privileged user accounts. PAM is a far better way of prioritising system access than simply assigning “local admin” access to multiple users. A zero-trust or least-privilege environment, which is becoming more common in larger networks, requires privileged access management.Lifecycle management. The processes in place for managing identities are important as organisations may struggle with handling identities as users move within the organisation to different roles or leave. The current climate where layoffs are occurring has created some risk for organisations that have not been managing their identities well, as there may be users that are no longer with an organisation but still have access to resources. From a financial perspective, especially for organisations that heavily utilise Software-as-a-Service (SaaS) applications, having a good lifecycle management process in place is important so that when employees do leave or switch to a different role, their access to the SaaS application would get removed, reducing the number of users the organisation has to pay for.Vulnerability managementIn a physical location, doors and windows are considered vulnerabilities because they can provide a ready means of access.The “doors and windows” in a digital network take the form of open ports, such as the Remote Desktop Protocol, and vulnerabilities and weaknesses that may exist through connected devices or software.For an organisation reducing its external footprint, limiting the open and accessible doors and windows they have open, is essential.A comprehensive vulnerability management program includes vulnerability scanning, vulnerability assessments and penetration testing, end-of-life system identification and remediation, and patching or hardening systems.”There are thousands of vulnerabilities out there, so organisations need to ensure they have a process in place to identify the ones that pose the most risk”Segmenting critical and older systems within one’s network is vital as well.As organisations are dealing with vulnerabilities found from vulnerability scans, vulnerability assessments, and penetration tests, they need to think through the risk that the vulnerability poses to them and not rely on just the severity rating of the vulnerability to determine whether it should be fixed.There are thousands of vulnerabilities out there, so organisations need to ensure they have a process in place to identify the ones that pose the most risk otherwise they may spend time remediating vulnerabilities that don’t pose a big risk to them, while ignoring the ones that do.BackupsUninterrupted access to their data is critical for virtually all organisations. That is a reason ransomware remains a major threat vector in cyber.Good backups of data not only offer peace of mind but also strengthen an organisation’s position when it experiences a ransomware attack.Good backups that are readily accessed can make a difference in deciding whether to pay a ransom demand.Any backup strategy should be sound and tested.Recommended tactics for backups include multiple copies and locations, if managing one’s own data backup; regularly backing up critical systems; protecting backups by limiting access, encrypting, scanning for malware, and ensuring the files are immutable – cannot be altered or deleted.”There is no replacement for a strong security culture and that starts at the top.”Regularly testing backups to ensure they are ready when needed is also strongly advised.These best practices have proven helpful in reducing cyber risk and obtaining better cyber insurance coverage, but they are only a starting point.There is no replacement for a strong security culture and that starts at the top.Aligning senior executives and the entire organization around what threats are most critical to ensuring operations helps everyone stay alert for an attack and respond quickly so an incident doesn’t become a crisis.Alpha Diallo is senior manager of security at Resilience, a company with operations in Europe, the United Kingdom and the United States that helps financial, risk, and information security leaders continuously improve their organizations’ cyber resilience.
July 11, 2023Beware of Big Head Ransomware: Spreading Through Fake Windows Updates
Jul 11, 2023THNRansomware / Windows SecurityA developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment."One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software."A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey.In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and" display a fake Windows update."The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the percentage of progress in increments of 100 seconds," the cybersecurity company said.Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it's running within a virtualized environment before proceeding to encrypt the files.In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also incorporates a self-delete function to erase its presence.Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behaviors, the latter of which leverages the open-source WorldWind Stealer to harvest web browser history, directory lists, running processes, product key, and networks.Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host."Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload," Trend Micro researchers said."This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware."The identity of the threat actor behind Big Head is currently not known, but Trend Micro said it identified a YouTube channel with the name "aplikasi premium cuma cuma," suggesting an adversary likely of Indonesian origin."Security teams should remain prepared given the malware's diverse functionalities," the researchers concluded. "This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
July 11, 2023The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle
Ransomware attacks are pervasive and devastating, targeting organizations and causing havoc on operations, finances, and reputation. To defend against these threats, security teams must understand the ransomware attack lifecycle.As reliance on digital systems and networks increases, the risk of ransomware attacks grows exponentially. These attacks can cripple businesses, disrupt services, compromise data, and lead to significant financial losses. Cybercriminals continually evolve their tactics, demanding constant adaptation from security teams.In this blog, we will explore the intricacies of ransomware attacks, breaking down the attack lifecycle. Understanding this anatomy empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident.Phase 1: Reconnaissance and target selectionPhase 1 of a ransomware attack involves the threat actor researching and selecting organizations to attack. During this phase, threat actors identify potential targets and gather critical information about them.Identifying potential targetsThreat actors engage in reconnaissance to identify organizations that are more likely to yield a high return on their malicious activities. They carefully assess factors such as the industry, size, financial stability, and the value of the data held by the potential targets. Organizations that heavily rely on their digital infrastructure and are more likely to pay a ransom to regain access to critical systems and data are prime targets.Techniques used for reconnaissanceThreat actors employ various techniques to gather information during the reconnaissance phase. These techniques may include passive reconnaissance, where they collect publicly available data from websites, social media platforms, and professional networking sites. They may also utilize active reconnaissance, such as scanning for open ports and vulnerabilities, conducting phishing campaigns to gather employee information, or leveraging third-party sources like leaked databases and dark web forums.Vulnerability factorsSeveral factors can make organizations more vulnerable to targeting during the reconnaissance phase. Lack of Security Awareness: Organizations that do not prioritize cybersecurity awareness and training for their employees may inadvertently provide attackers with valuable information through social engineering tactics.Inadequate Patch Management: Failure to promptly apply software patches and updates leaves systems vulnerable to known vulnerabilities that threat actors can exploit.Weak Access Controls: Poorly managed user accounts, weak passwords, and insufficient access controls increase the likelihood of unauthorized access to sensitive systems and data.Absence of Network Segmentation: If an organization’s network lacks proper segmentation, a successful initial access point can provide attackers with the opportunity to move laterally within the network and escalate privileges.Lack of Monitoring and Detection: Organizations that lack robust monitoring and detection capabilities may not notice the initial signs of a reconnaissance attempt, allowing threat actors to proceed undetected.Phase 2: Initial accessPhase 2 of a ransomware attack is the critical stage where threat actors strive to gain initial access to an organization’s network and systems.During this stage, threat actors employ a range of techniques to achieve initial access, including:Phishing Emails: One of the most common and successful methods, threat actors craft convincing emails designed to deceive recipients into clicking on malicious links or opening infected attachments.Exploit Kits: These toolkits contain prepackaged exploits that target vulnerabilities in software, commonly used web browsers, or plugins. By visiting compromised websites, unsuspecting users can unwittingly trigger the exploit kit and grant the attacker initial access.Vulnerable Software: Exploiting weaknesses in software, particularly outdated or unpatched applications, is another avenue threat actors may exploit to gain a foothold within an organization’s network. This was recently observed through CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities to attack over 100 organizations globally.VulnDB’s vulnerability intelligence record highlighting the severity and importance of the MOVEit vulnerability.Social engineering tactics play a significant role in the success of initial access attempts. Threat actors exploit human psychology to deceive individuals and gain access to sensitive information or systems. Pretexting, where a false scenario or pretext is created to gain the target’s trust, and baiting, which offers enticing rewards or incentives, are common social engineering tactics used to manipulate individuals. Moreover, tailgating—or taking advantage of individuals holding doors open for others—can be used to gain unauthorized physical access to secure areas within an organization.Phase 3: Lateral movement and privilege escalationOnce threat actors have gained initial access to an organization’s network and systems, they proceed to Phase 3 of a ransomware attack: lateral movement and privilege escalation. This stage involves the navigation and expansion of their reach within the compromised network. Threat actors explore the compromised network to locate valuable data, critical systems, and potential targets for encryption. They employ lateral movement, traversing through the network to gain control over multiple machines, servers, or devices, which increases the likelihood of finding and encrypting valuable information while making it challenging for defenders to contain the attack.Threat actors may use several techniques to achieve lateral movement.Exploiting Misconfigurations: They take advantage of misconfigured network shares, weak or shared passwords, and unsecured remote desktop protocols (RDP) to gain unauthorized access to other systems within the network.Credential Theft and Reuse: They employ various tactics to steal or acquire legitimate user credentials, such as using keyloggers, credential harvesting, or compromising administrative accounts. These stolen credentials are then reused to move laterally within the network.Pass-the-Hash: This technique involves stealing hashed credentials from compromised systems and using them to authenticate and gain access to other systems without needing to know the plaintext passwords.Once within the network, threat actors seek to escalate their privileges. By elevating their access rights, they gain increased control over critical systems and can maneuver more freely within the network. Privilege escalation techniques may include:Exploiting Vulnerabilities: They identify vulnerabilities in software, operating systems, or network configurations that can be leveraged to elevate their privileges. This may involve exploiting unpatched systems or misconfigured permissions.Leveraging Stolen Credentials: If threat actors have successfully stolen credentials during the initial access phase, they can use these credentials to escalate their privileges within the network, gaining administrative or higher-level access.Abusing Trusted Applications or Services: They manipulate trusted applications or services that have higher privileges or access rights to gain elevated permissions within the network.It is important to note that lateral movement and privilege escalation are not necessarily linear processes. Threat actors adapt their tactics based on the network’s topology, security measures, and available targets, maneuvering opportunistically within the network.Phase 4: Deployment of ransomware payloadIn Phase 4 of a ransomware attack, threat actors execute their ultimate objective: deploying the ransomware payload. This phase involves the encryption of the victim’s files and the subsequent demand for a ransom payment. Ransomware comes in various forms, each with its own characteristics and objectives. Some common types include:Encrypting Ransomware: This type of ransomware encrypts the victim’s files, rendering them inaccessible until a decryption key is obtained by paying the ransom. Examples include notorious strains like WannaCry and Ryuk.Locker Ransomware: Locker ransomware locks the victim out of their system or specific applications, denying access to the device or critical functionalities. It often displays a ransom message directly on the victim’s screen, demanding payment to regain access.Hybrid Ransomware: Hybrid ransomware combines elements of both encrypting and locker ransomware. It encrypts files while simultaneously locking the victim out of the system, amplifying the impact and urgency of the attack.To deploy the ransomware payload effectively, threat actors may leverage various techniques including:Email Attachments and Links: Malicious attachments or links embedded within phishing emails are a common delivery method for ransomware. Opening the attachment or clicking on the link initiates the download and execution of the ransomware payload.Drive-by Downloads: By visiting compromised or malicious websites, victims unknowingly trigger the download and execution of ransomware through vulnerabilities in their web browsers or plugins.Exploit Kits: Exploit kits can exploit vulnerabilities in software or operating systems to deliver ransomware onto the victim’s system. The kits automatically detect and target vulnerabilities, enabling threat actors to distribute the ransomware payload more efficiently.Ransomware-as-a-Service (RaaS) and its role in the attack lifecycleRansomware-as-a-Service (RaaS) has emerged as a significant contributor to the proliferation of ransomware attacks. RaaS allows less technically skilled threat actors to access ransomware tools and infrastructure developed by more sophisticated actors. It operates on a profit-sharing model, where the developers take a percentage of the ransom payments. RaaS lowers the barrier to entry for cybercriminals, enabling the widespread distribution and execution of ransomware attacks.Recommended Reading: The History and Evolution of Ransomware AttacksRaaS platforms provide aspiring threat actors with user-friendly interfaces, technical support, and even customer service. They often offer customization options, allowing attackers to tailor the ransomware to their specific targets. The availability of RaaS has led to a surge in ransomware attacks globally, as it empowers a wider range of cybercriminals to participate in these lucrative campaigns.Flashpoint’s monthly ransomware infographic highlighting the most prevalent groups, industries, and nations involved in ransomware events.Phase 5: Encryption and impactThe true consequences of the attack begin to unfold during the encryption and impact phase. During this phase, threat actors encrypt the victim’s files and inflict significant damage on their systems. Ransomware employs sophisticated encryption algorithms to lock the victim’s files, rendering them inaccessible without the decryption key. The encryption process typically targets a wide range of file types, including documents, images, videos, databases, and more. Threat actors often use strong encryption algorithms like RSA or AES to ensure the victim cannot decrypt the files without the decryption key.As the encryption process unfolds, the victim’s files become unusable, with each file typically receiving a unique encryption key. The ransomware may also overwrite or modify the original file, making recovery without the decryption key even more challenging. The impact on the victim’s systems can be severe, leading to operational disruption, data loss, financial consequences, and reputational damage.The consequences of a successful ransomware attack can be devastating for both organizations and individuals, and often entails many of the following:Operational Disruption: Ransomware attacks can cripple an organization’s operations, causing significant disruptions and downtime. Critical systems may become inaccessible, leading to productivity losses, delayed services, and financial repercussions.Data Loss and Corruption: If proper backups are not in place, victims may lose access to their valuable data permanently. Ransomware may also corrupt files during the encryption process, making recovery even more challenging.Financial Losses: Organizations may face substantial financial losses due to ransom payments, costs associated with recovery and remediation efforts, and potential regulatory penalties. Moreover, there may be indirect financial impacts stemming from reputational damage and customer loss.Reputational Damage: Publicly disclosed ransomware attacks can tarnish an organization’s reputation. Clients, partners, and stakeholders may lose trust in the organization’s ability to protect sensitive information, leading to a loss of business opportunities and customer confidence.Legal and Regulatory Ramifications: Depending on the nature of the compromised data, organizations may face legal and regulatory consequences, especially if personal or sensitive information is involved. Violations of data protection regulations can result in significant fines and legal liabilities.Phase 6: Extortion and communicationIn Phase 6 of a ransomware attack, threat actors establish communication with their victims and begin the process of extortion. At this time, they’ll demand ransom payments in exchange for providing the decryption keys or access to the victim’s systems. During this phase, threat actors initiate contact with the victim to convey their demands and establish a line of communication. They often use anonymizing technologies, such as the Tor network, to mask their identities and make it difficult to trace their activities. Communication can occur through various channels, including email, instant messaging platforms, or even dedicated ransom negotiation portals set up by the attackers.Threat actors employ different methods to demand ransom payments from their victims. These methods may include:Bitcoin or Cryptocurrency Payments: Threat actors typically demand ransom payments in cryptocurrencies, such as Bitcoin, due to the pseudonymous and decentralized nature of these currencies, which makes them difficult to trace.Payment Deadlines and Threats: Threat actors often impose strict deadlines for payment, accompanied by threats of permanently deleting the decryption keys or increasing the ransom amount if the deadline is not met. These tactics aim to pressure victims into complying with their demands.Proof of Data Exfiltration: In some cases, threat actors may claim to have exfiltrated sensitive data from the victim’s systems and threaten to publicly release it unless the ransom is paid. This adds an additional layer of pressure and urgency for victims to comply.Engaging or not engaging with threat actors during the extortion phase raises legal and ethical considerations. Organizations must carefully evaluate their options:Legal Considerations: Paying the ransom may be illegal in some jurisdictions or against organizational policies. Additionally, organizations may have legal obligations to report the incident, particularly if personal or sensitive data has been compromised.Funding Criminal Activities: Paying the ransom may contribute to funding further criminal activities, as the money can be used to finance future attacks. Supporting cybercriminals through ransom payments perpetuates the ransomware ecosystem.No Guarantee of Decryption: There is no guarantee that threat actors will provide the decryption keys or restore access to the victim’s systems even after the ransom is paid. Organizations must consider the risk of paying the ransom and not receiving the promised outcome.Cyber Insurance Coverage: Organizations with cyber insurance policies should consult with their insurance providers regarding their coverage and the implications of paying the ransom.It is crucial for organizations to consult legal counsel, law enforcement agencies, and experienced incident response professionals before making any decisions regarding ransom payment. Each situation is unique, and a thorough evaluation of the risks, legal obligations, and ethical considerations is necessary.Phase 7: Recovery and mitigationThe recovery and mitigation phase of an attack is where organizations focus on restoring systems, recovering encrypted data, and implementing measures to prevent future attacks.Recovering from a ransomware attack requires a systematic approach. Key strategies for recovering encrypted data and restoring systems include:Isolate and Contain: Immediately isolate the affected systems to prevent further spread of the ransomware. Disconnect compromised devices from the network and shut them down to mitigate the risk of re-infection.Incident Analysis: Conduct a thorough analysis of the incident to identify the ransomware variant, its impact, and the compromised systems. This analysis can help determine the appropriate recovery strategy.Data Restoration: If backups are available, restore data from clean and secure backups. It is crucial to ensure backups are offline or properly protected to prevent them from being compromised by the ransomware.Decrypting Data: In some cases, decryption tools may be available from trusted sources, such as law enforcement agencies or security companies. These tools can help decrypt files without paying the ransom. However, this is not always possible, depending on the specific ransomware variant.System Rebuilding: In situations where data restoration is not feasible or backups are unavailable, organizations may need to rebuild affected systems from scratch using known good configurations and software.Effectively responding to ransomware incidents requires a well-defined incident response plan, and may include some of these best practices:Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include roles and responsibilities, communication protocols, and predefined actions for different scenarios.Rapid Response: Ensure you have the alerting capabilities to act swiftly and decisively to contain the attack, isolate affected systems, and initiate the recovery process. Promptly engage internal IT teams, incident response experts, and relevant stakeholders.Communication and Notification: Establish clear lines of communication both internally and externally. Notify appropriate personnel, such as legal, PR, and executive teams, and consider legal and regulatory obligations for disclosing incidents involving compromised data.Forensic Investigation: Conduct a thorough forensic investigation to understand the root cause, identify the attack vector, and collect evidence for potential legal actions or future prevention measures.Employee Awareness and Training: Continuously educate employees about the risks of ransomware, phishing, and social engineering. Regularly train staff on cybersecurity best practices, including strong password management, recognizing suspicious emails, and reporting incidents promptly.Prevention is key in mitigating future ransomware attacks. Implementing proactive security measures can significantly reduce the risk and impact of such incidents. Consider these important measures:Patch Management: Regularly apply security patches and updates to operating systems, software, and firmware to address known vulnerabilities that threat actors often exploit.Endpoint Protection: Deploy robust antivirus and anti-malware solutions, along with advanced endpoint detection and response (EDR) tools to detect and block malicious activities.Network Segmentation: Implement network segmentation to restrict lateral movement and contain the impact of an attack. Separating critical systems from the rest of the network helps prevent the rapid spread of ransomware.Least Privilege Access: Enforce the principle of least privilege, granting users only the necessary access rights required to perform their duties. This minimizes the potential damage that can be caused by compromised accounts.Regular Data Backups: Maintain regular, encrypted, and secure offline backups of critical data. Regularly test the restoration process to ensure backups are viable for recovery in the event of a ransomware incident.Know your enemyRansomware attacks continue to evolve, becoming more sophisticated and widespread. Threat actors adapt their tactics, techniques, and tools to exploit vulnerabilities and maximize their financial gain. As such, ongoing vigilance and adaptation are essential.But at each stage of a ransomware attack, robust threat intelligence can stop an emerging risk in its tracks and minimize—or even prevent—damage to your organization.An effective threat intelligence program enables you to understand threat actors and their TTPs each step of the way. Critical capabilities for your threat intelligence program include:Vulnerability intelligence that gives practitioners access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack. A robust alerting system that allows security practitioners o set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage. Real-time and continuous data collection that includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.A managed attribution solution that allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations.Robust risk management practices and incident response plans in place in order to respond effectively and recover from security breaches.Flashpoint’s ransomware dashboard provides an up-to-date, easy-to-consume view of global ransomware trends, victims, as well as the ransomware groups themselves.To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, begin a free trial, or watch this video to discover the top ways to prevent an attack at your organization.
July 11, 2023HCA confirms breach after hacker steals data of 11 million patients - Bleeping Computer
HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.HCA Healthcare is one of America's largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to" "meet the demands." This is likely related to financial demands, although it wasn't explicitly mentioned.However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.The threat actor's post on a hacking forumSource: BleepingComputerThe organization confirmed yesterday that the data leaked on the hacking forum is authentic, with the stolen database impacting roughly 11,000,000 people."HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients," explains an HCA Healthcare data breach notification.HCA says that the data was stolen from an "external storage location" used to format patient email messages."There has been no disruption to the care and services HCA Healthcare provides to patients and communities," says HCA.The stolen data includes the following:Full namesCity, state, and ZIP codeEmail addressTelephone numberDate of birthGenderService date and locationNext appointment dateThe above data is valuable to threat actors conducting phishing attacks and scams, who could use it to launch convincing social engineering attacks against the exposed individuals.HCA Healthcare does not believe that the stolen data contains detailed clinical information such as conditions, diagnosis, and treatment, payment information such as credit card and bank account numbers, or other sensitive information like passwords, social security numbers, and driver's licenses.HCA Healthcare has informed law enforcement agencies about the incident and continues investigating whether its networks and systems are free of malicious activity that might indicate threat actors still have access.Also, access to the breached storage location has been disabled as an urgent containment measure, and the organization is working on implementing additional security and data protection measures.For a complete list of impacted facilities across the country, check the bottom section of HCA Healthcare's announcement.
July 11, 2023Largest UK health data breach claimed by ALPHV/BlackCat under investigation | SC Media
July 13, 2023Thales Report: Ransomware Attacks and Human Error Drive Cloud Data Breaches
Thales announced the release of the 2023 Thales Data Threat Report, its annual report on the latest data security threats, trends and emerging topics based on a survey of nearly 3000 IT and security professionals in 18 countries. This year’s report found an increase in ransomware attacks and increased risks to sensitive data in the cloud. Nearly half (47%) of IT professionals surveyed believe that security threats are increasing in volume or severity with 48% reporting an increase in ransomware attacks. More than a third (37%) have experienced a data breach in the past 12 months, including 22% reporting that their organisation had been a victim of a ransomware attack. Respondents identified their cloud assets as the biggest targets for cyber-attacks. Over a quarter (28%) said SaaS apps and cloud-based storage were the biggest targets, followed by cloud-hosted applications (26%) and cloud infrastructure management (25%). The increase in cloud exploitation and attacks is directly due to the increase in workloads moving to the cloud as 75% of respondents said 40% of data stored in the cloud is now classified as sensitive compared to 49% of respondents in 2022. These are just a few of the key insights from the 2023 Thales Data Threat Report, conducted by 451 Research, which surveyed both private and public sector organisations. It reveals how businesses are responding and planning their data security strategies and practices in light of a changing threat landscape and the progress they are making to address threats. Human Error and the Impact of Ransomware Simple human error, misconfiguration or other mistakes can accidentally lead to breaches – and respondents identified this as the leading cause of cloud data breaches. For those organisations that have suffered a data breach in the past 12 months, misconfiguration or human error was the primary cause identified by 55% of respondents. This was followed by the exploitation of a known vulnerability (21%) and of a zero-day / previously unknown vulnerability (13%). The report finds that identity and access management (IAM) is the best defence, with 28% of respondents identifying it as the most effective tool to mitigate these risks. Meanwhile, the severity of ransomware attacks appears to be declining, with 35% of 2023 respondents reporting that ransomware had a significant impact compared to 44% of respondents reporting similar levels of impact in 2022. Spend is moving in the right direction too, with 61% reporting they would shift or add a budget for ransomware tools to prevent future attacks – up from 57% in 2022 – yet organisational responses to ransomware remain inconsistent. Only 49% of enterprises reported having a formal response ransomware plan, while 67% still report data loss from ransomware attacks. Addressing the Challenges of Digital Sovereignty Digital sovereignty is becoming more top of mind for data privacy and security teams. Overall, the report found that data sovereignty remains both a short- and long-term challenge for enterprises. 83% expressed concerns over data sovereignty, and 55% agreed that data privacy and compliance in the cloud has become more difficult, likely due to the emergence of requirements around digital sovereignty. Emerging threats from quantum computers that could attack classical encryption schemes are also a cause for concern for organisations. The report found that Harvest Now, Decrypt Later (“HNDL”) and future network decryption were the greatest security concerns from quantum computing – with 62% and 55% reporting concerns respectively. While Post Quantum Cryptography (PQC) has emerged as a discipline to counter these threats, the report found that 62% of organisations have five or more key management systems, presenting a challenge for PQC and crypto agility. Sebastien Cano, Senior Vice President for Cloud Protection and Licensing activities at Thales, comments: “Enterprises continue to see a serious threat landscape. Our findings indicate good progress is being made in certain areas, including MFA adoption and increased use of data encryption. However, there is still a lot of security gaps regarding data visibility. In an increasingly cloud-first world, organisations must maintain better control over their data so they can serve their stakeholders with greater safety and trust. As data sovereignty and protection regulations around the world tighten, security teams will need far more confidence in protecting where their data is being stored and how it is moving and being used.”
July 13, 2023White House Issues National Cybersecurity Strategy Implementation Plan - HealthITSecurity
The strategy's focus on securing IoT devices and disrupting major ransomware operations will ideally ease the burden on healthcare organizations ...
July 13, 2023Ransomware payments set to hit a new high in 2023 - here's how to stay safe | TechRadar
Cybercrime related to cryptocurrencies overall has significantly dropped this year, compared to previous years, but the rise in ransomware attacks is showing no signs of abating. This is according to a new report from Chainalysis, which claims attackers managed to extort $175.8 million more in 2023, compared to the same time last year, stealing at least $449.1 million through June.“If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021’s $939.9 million,” Chainalysis added. This year-on-year growth could signal, the researchers further state, that the downward trend we’ve been experiencing lately, has come to an end. One of the reasons for this reversal, Chainalysis argues, is that hackers have, once again, become interested in “big game hunting”. They have started going after large, deep-pocketed organizations, and it seems to have paid off. Another reason could be that the hackers were more successful last year. The number of successful small attacks has also grown, they added.The most successful threat actor is Clop, an infamous threat actor linked to the Russian government. Its average payment size for 2023 was $1,730,486, while its median payment size was $1,946,335. Clop is best known for having breached multiple managed file transfer solutions, through which they stole sensitive data on hundreds of large organizations. Most of these were later asked for payment in exchange for deleting the data.Analysis: Why does it matter? Some researchers have argued that the ransomware forest fire that’s been raging for the better part of the last decade has slowly started to dwindle. With a few major players arrested, and their infrastructure dismantled, the industry was hopeful that ransomware will lose its appeal among cybercriminals. This was further aided by raised awareness among key targets - critical infrastructure operators, government organizations, healthcare firms, and small and medium-sized organizations. Businesses have started deploying air-gapped backups, better access controls, strong firewalls, malware removal and antivirus programs, multi-factor authentication, and more. Furthermore, they started educating their employees on the dangers of phishing and social engineering, which is almost exclusively the initial attack vector in a ransomware campaign. This allowed the victim organizations to refrain from paying the ransom demands, which in turn, resulted in threat actors losing interest. Now, Chainalysis’ new report suggests that ransomware operators might be coming back with a vengeance, and that they’re targeting primarily large organizations. A ransomware attack usually starts with the attacker initiating contact with an employee, either via email, or through social media channels. After a little back-and-forth, they’ll try and get the victim to download and run a malicious attachment capable of exploiting different software flaws. If successful, they will have established a foothold on the target networks, after which they’d map out the network and identify key endpoints, data, and systems.Then, at an appropriate moment, they’ll exfiltrate the data and encrypt the systems, demanding payment in cryptocurrencies in exchange for the decryption key. If the organization declines, the stolen data gets published or sold on the dark web. In recent times, some groups abandoned encrypting systems, probably because developing, running, and maintaining the ransomware is hard (and expensive) work. Instead, they just go for data theft and threaten to leak it if the payment isn’t met.What have others said about the report? In its writeup, Wired says ransomware groups became “more aggressive and reckless” about publishing sensitive and potentially damaging stolen information.“In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish "personal information and research" if the university didn’t pay up,” the publication states. Speaking to Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, the publication learned hackers were possibly short on cash last year, which played a major role: “We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” Burns was cited as saying. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”Koven also added that the development in the Russia-Ukraine conflict also played a role in the resurgence of ransomware: “I really think the tide of the Russia-Ukraine conflict has impacted these numbers,” Koven said. “Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”SC Media added that the “sudden disappearance of two major investment scams” may explain the revenue fall, to some extent. These were Vidilook and the Chai Tai Tianqing Pharmaceutical Financial Management who, among themselves, stolen “hundreds of millions of dollars."Go deeperIf you want to learn more on the topic, start by reading our guide on ransomware, as well as what is blockchain and how cryptocurrencies work. Furthermore, make sure to read our in-depth guides on the best malware removal and best endpoint protection software.
May 29, 2023LTO Tape Capacity Shipments Up In 2022 - Forbes
LTO tape gettyThe LTO Program (HPE, IBM and Quantum Corporations) released an updated report on LTO magnetic tape shipments out to 2022. LTO tape is an open tape format developed and enhanced by HPE, IBM and Quantum to address growing demands for data protection and particularly for archiving data in midrange and enterprise-class server environments. In addition to supporting the LTO tape format IBM also provides its own enterprise tape systems and formats.The LTO Program announced that total capacity shipments in 2022 were 148.3 exabytes of compressed storage capacity shipped (compression factor is 2.5:1). This was an increase of over 0.5% over 2021 as shown in the figure below. LTO capacity shipments were impacted by COVID in 2020 and by issues in 2018 tied to availability of higher capacity tape formats.Compressed LTO Tape Capacity Shipment HistoryLTO Program AnnouncementUnit shipments of magnetic tape declined by over 20% from 2021 to 2022 as shown in the figure below (total 2022 shipments looked to be about 7,000 tape media units). This decline in unit shipments for magnetic tape mirror similar declines for HDDs, where unit shipments declined about 33% from 2021 and 2022. NAND flash memory, particularly used for enterprise and data center applications experienced a similar decline in demand in 2022 compared to 2021. Enterprise and data center users had bought storage media in anticipation of higher projected growth and since the second half of 2022 have been working down their storage inventory.LTO Tape Media Shipment HistoryLTO Program AnnouncementsLTO demand for storage capacity in 2022 was driven by hyperscale data centers and enterprise adoption of LTO tape for lower storage costs, secure storage providing a natural “air gap” and as a move to greener storage requiring less energy to operate. LTO-9 tape (the most recently announced LTO generation) demonstrated the most rapid capacity adoption rate since LTO-5.At the 2023 NAB show in Las Vegas I had a chance to talk with Fujifilm, the major supplier of LTO tape media. The LTO-9 tape was announced in the Fall of 2020 and became widely available by the 2nd half of 2021. LTO-9 tape has a raw capacity of 18TB with compressed (2.5:1) storage capacity of 45TB. I was told that LTO-10 tapes should be announced with a raw capacity of 36TB later in 2023 or early in 2024.The LTO tape roadmap goes out to LTO-14 with an announced raw storage capacity of 576TB and a compressed storage capacity of about 1.4PB. LTO tape announcements tend to occur about every three years. If LTO-10 comes out in 2024 then LTO-14 will be available in about 12 years (or about 2036).The chart below is the latest Coughlin Associates history and projections for hard disk drive, solid state drive and tape capacity shipments out to 2028. Barring a significant economic downturn, we expect demand for digital storage to support AI, IoT, media and entertainment as well as genomic and other medical applications to drive increased storage demand. This should bring growth back to HDDs, SSDs and magnetic tape capacity shipments as all of these storage media increase in their per device storage capacities.History and Projections for Digital Storage Capacity Shipments of HDDs, SSDs and Magnetic TapeCoughlin Associates ChartThe LTO program announced capacity and unit shipments for 2022 showing over a 0.5% capacity shipment growth with actual unit shipments down by over 20%. This correlates with declines in 2022 for HDD and SSD enterprise and data center unit shipment declines. Continued growth in digital storage demand to enable digital transformations should lead to continued growth in capacity demand for all storage media.Follow me on Twitter or LinkedIn. Check out my website.
June 03, 2023LTO tape shipments continued to grow in 2022 - TechTarget
Linear Tape-Open technology continues to set records in shipments to customers looking for a secure and cost-effective storage medium. LTO technology achieved another record in 2022, with 148.3 exabytes of capacity shipped, a slight increase from 2021's 148 exabytes. LTO is an open-format storage medium that uses magnetic tape for data storage. The annual shipments are tracked by the LTO Program, a joint effort of several vendors to deliver the LTO format. Data generation and the requirement to retain data for business and compliance purposes are ongoing challenges, according to Christophe Bertrand, an analyst at TechTarget's Enterprise Strategy Group. "Customers say, 'I'm going to keep a lot of data for a long time while trying to optimize costs,' and that's where tape comes in," Bertrand said. The drivers that fueled LTO growth in 2022 were the same in 2021, such as the need for ransomware protection and data growth, particularly at the hyperscalers, according to Phil Goodwin, an analyst at IDC. "A number of hyperscalers have figured out that it's very economical to store very large amounts of data that are infrequently accessed [on LTO tapes]," he said. Continuous issues and needs There is no indication that storage needs will decline anytime soon, and that includes for tape, Goodwin said. LTO is lower cost in capacity compared with other storage media. "I don't see the fundamental economics changing dramatically in a way to shift people away from tape to other types of media," Goodwin said. One such customer that has no intention of moving away from tape is Allan McNabb, vice president and COO of Image Building Media, a marketing firm in Tampa, Fla. "As a longtime user of LTO tapes, I can attest that their usefulness for data storage and backup has only grown over time," he said. "While cloud-based storage may be all the rage these days, it's important to note that tape storage still has its advantages." Storage tends to be a bit inelastic. Phil GoodwinAnalyst, IDC Global economics could potentially change this, but it's unlikely, he said. If all business slows, the rate of data growth might also slow, but this likely won't have a negative effect on the tape capacity that is being shipped. If data is generated, customers must store and protect it. "Storage tends to be a bit inelastic," Goodwin said. Bertrand agreed that tape will continue to grow in popularity unless a disrupter, such as a new storage medium, emerges. "It would have to have similar or better characteristics from a storage standpoint," he said, also noting that price would be a consideration. Plus, the new storage medium would have to provide an effective tool for ransomware. Tape provides companies with a way to fight ransomware by making stored data physically untouchable to bad actors, Bertrand said. "[With tape, there is] the ability to eject the media, making it invisible," he said. If companies experience an attack, they can push the tape cartridge back into the library for a recovery. VIDEO Limits to LTO The LTO Program aims to double the capacity of the tape medium approximately every two to three years, with plans to ship 1.4 PB of capacity per cartridge in the coming decade. However, capacity alone is not the sole consideration in storage. While tape offers security and cost benefits, it won't displace the need for SSDs or HDDs, Goodwin said. Individual tape devices have limitations in terms of speed, and tape generally has a higher initial access time compared with the other storage media. While it won't replace disk entirely, there are certain cases where using tape as the main storage medium makes sense, according to Bertrand. He pointed to active archives as an example. These repositories require large storage capacities and enable companies to access data they might need only occasionally. But using SSDs and HDDs can be inefficient and too costly for this purpose. Automation has also made tape a more practical storage medium by reducing the amount of manual labor needed to maintain the storage, Bertrand said. He added that capacity to cost will continue to improve along with the increasing growth in data. McNabb said it's not just low cost that's drawn him to tape -- it's also dependability. "In my own experience, I've found LTO tapes to be incredibly reliable," he said. "They're sturdy and can withstand harsh environmental conditions, which is especially important for those who need to store data off site or in remote locations." Adam Armstrong is a TechTarget Editorial news writer covering file and block storage hardware and private clouds. He previously worked at StorageReview.com.
May 26, 2023Ransomware driving professionalisation of cyber crime | ITWeb
The success of ransomware gangs has spurred a significant trend of professionalisation among cyber criminals, where different groups develop specialised services to offer one another, according to a new report from WithSecure (formerly known as F-Secure Business).Ransomware has been around for decades, but the threat has continuously adapted to improvements in defenses through the years. One notable development is the current dominance of multi-point extortion ransomware groups, which employ several extortion strategies at once (usually both encryption to prevent access to data and stealing data to leak publicly) to pressure victims for payments.According to an analysis of over 3 000 data leaks by multi-point extortion ransomware groups, organisations in the United States were the most common victims of these attacks, followed by Canada, the United Kingdom, Germany, France and Australia. Taken together, organisations in these countries accounted for three-quarters of the leaks included in the analysis.The construction industry seemed to be the most impacted and accounted for 19% of the data leaks. Automotive companies, on the other hand, only accounted for about 6%. A number of other industries sat between the two due to ransomware groups having different victim distributions, with some families targeting one or more industry disproportionately to others.While the threat of ransomware has inflicted considerable pain on organisations in different countries and industries, its transformative impact on the cyber crime industry cannot be overstated.“In pursuit of a bigger slice of the huge revenues of the ransomware industry, ransomware groups purchase capabilities from specialist e-crime suppliers, in much the same way that legitimate businesses outsource functions to increase their profits,” explained Senior Threat Intelligence Analyst Stephen Robinson. “This ready supply of capabilities and information is being taken advantage of by more and more cyber threat actors, ranging from lone, low-skilled operators, right up to nation state APTs. Ransomware didn't create the cyber crime industry, but it has really thrown fuel on the fire.”In one notable example highlighted in the report, WithSecure investigated an incident that involved a single organisation compromised by five different threat actors, each with different objectives and representing a different type of cyber crime service: The Monti ransomware group.Qakbot malware-as-a-service.A cryptojacking group known as the 8220 Gang (also tracked as Returned Libra).An unnamed initial access broker (IAB).A subset of Lazarus Group, an advanced persistent threat associated with North Korea’s Foreign Intelligence and Reconnaissance General Bureau.According to the report, this professionalisation trend makes the expertise and resources to attack organisations accessible to lesser-skilled or poorly resourced threat actors. The report predicts it is likely the number of attackers and size of the cyber crime industry will both grow in the coming years.“We often talk about the damage ransomware attacks cause to the victims. Less attention is paid to how ransom payments provide additional resources to attackers, which has encouraged the professionalisation trend described in the report. Near-term, we’re likely to see this changing ecosystem shape the resources and type of attacks facing defenders,” said WithSecure Head of Threat Intelligence Tim West.The full report, The Professionalisation of Cyber Crime, is available at: https://www.withsecure.com/en/expertise/research-and-innovation/research/the-professionalization-of-cyber-crime.More information on ransomware is available at: https://www.withsecure.com/en/expertise/blog-posts/ransomware-profits-are-transforming-cyber-crime.
May 26, 2023Survey: Backups Are Prime Targets for Ransomware Attacks, Most Remain Exposed
Veeam's 2023 Ransomware Trends Report shows many pay ransom but don't always recover. Organizations with the proper data protection architecture are ...
May 28, 2023Are We Seeing Fewer Ransomware Attacks? Not Now - Government Technology
As I walked the show floor at the RSA conference and held meetings with vendors and clients in San Francisco last month, I heard a surprising theme that I disagreed with.The conversation often started with something like this: “Great book with cyber stories, but isn’t ransomware dying?” (Note: They were referring to the book I co-authored with Shamane Tan called Cyber Mayday and the Day After.)Or, “Ransomware is way down, isn’t it?”Or, “What’s your biggest fear, now that ransomware is going away?”And no, these colleagues and “industry experts” from an assortment of cyber vendors were not delusional, just misinformed. When I asked one colleague to send me some proof, he sent me several articles backing up his claims:Security Magazine — Ransomware attacks decreased 61% in 2022: “The 2022 State of Ransomware Report from Delinea and conducted by Censuswide surveyed 300 U.S.-based information technology (IT) decision-makers about the impact of ransomware on their organizations over the past year. The survey found that 25% of organizations were victims of ransomware attacks over the past 12 months, a 61% decline from the previous 12-month period, when 64% of organizations reported being victims.”Security Week — Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: “According to data from Coveware, a company that helps organizations respond to ransomware attacks, the percentage of companies that paid up in 2022 dropped to 41%, from 50% in 2021 and 70% in 2020.”TechTarget — July  another down month in ransomware attack disclosures: “SearchSecurity has tracked ransomware in 2022 via a database of public reports and disclosures, as well as an article series that covers the most notable attacks each month. According to SearchSecurity's data sets, there was approximately a 300% drop between attacks in January and June. July saw similar numbers, with just 13 confirmed disclosures last month; in addition, only three disclosures were for attacks in July.”Inside P&C — Cyber frequency fell 22% in 2022 as ransomware dropped 54%: Coalition: "Cyber claims frequency declined 22% year over year in 2022, driven mostly by a 54% drop in ransomware attacks, according to InsurTech Coalition.”BUT NOT SO FASTWhile there is debate about how much ransomware incidents dropped in 2022, the trend (if there ever was one, which I doubt) has certainly flipped in 2023. Consider these reports:Politico — Ransomware comes back with a vengeance: “Researchers at a leading cryptocurrency tracing company have bad news for Washington: Ransomware is back, and it might be worse than ever.“Through the first four months of this year, cybercriminal gangs are on pace to surpass their earnings from a record-setting 2021, according to new data collected by Chainalysis.“The bounceback in extortion revenue follows a 40 percent dip in ransom payments in 2022, which many had interpreted as a promising sign the Biden administration was making headway against keyboard crooks.”WION: Nearly two-thirds of India-based companies victims of ransomware attack: “In an alarming statistic that describes the State of Ransomware in 2023, it has been revealed that 73 percent of India-based organisations surveyed by cybersecurity company Sophos were victims of ransomware attacks.”The Hacker News — Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code: "The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems."While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News."Insurance Journal — Viewpoint: Could Increasing Ransomware Frequency Bring Back Repeat of Hard Market?: “Insurance pricing is cyclical. When loss ratios are sustainably higher, over time prices rise in response, creating a hard market. The last hard market in cyber was in 2021 when an onslaught of ransomware and high-profile cyber attacks drove a spike in demand for cyber insurance and a decreased supply of capital, which led to increased premiums.“Once prices are higher and loss performance begins to improve, the market looks appealing — driving new entrants and adding pressure on existing players trying to stay competitive. This drives prices back down and creates a soft market. Eventually, the loss ratio climbs back up, and the cycle inevitably begins anew.”NEW RANSOMWARE TRENDS TO WATCHSo if ransomware isn't going away, what are some important 2023 ransomware trends to watch?First, be aware that backup repositories are targeted in 93 percent of ransomware attacks, according to Infosecurity magazine and Veeam’s 2023 ransomware trends report: “Veeam also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories being completely lost."Second, the report showed that organizations are still ill-prepared to face this threat: “Most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don’t, even after paying the ransom.”Third, Infosecurity magazine also claims that the time to deploy ransomware has dropped 94 percent: “Phishing remained the No. 1 initial access vector last year, identified in two-fifths (41%) of incidents, followed by exploitation of public-facing applications (26%).”FINAL THOUGHTI found this U.K. ransomware story with a twist to be interesting: “Rogue IT worker extorted company after hijacking ransomware attack.” Here's an excerpt: “An IT worker in the UK has been convicted of unauthorized computer access and blackmail after attempting to take advantage of a ransomware attack on his employer.“Ashley Liles was found to have attempted to blackmail his employer, Oxford Biomedica, into paying a ransom in the wake of a 2018 security breach. …“Liles accessed board members’ private emails more than 300 times and altered the original ransom note to change the payment address to his own cryptocurrency wallet.”This story just highlights the importance of addressing insider threats and employee ethics and integrity — even during a ransomware emergency.
May 26, 2023Cyber Insurance Cannot Offset the Dangers of Ransomware - CPO Magazine
Data protection against ransomware and cyberattacks is becoming ... associated with data breaches, ransomware, and other cybersecurity incidents.
May 28, 2023Ransomware demands increasingly paid amid growing attack severity | SC Media
SiliconAngle reports that increasingly severe ransomware attacks have been accompanied by the growing willingness to pay attackers' demands.More than 80% of data among one in seven organizations could be compromised in ransomware attacks, with 93% of attacks aimed at backups and 75% of those hindering recovery efforts, while the rate of organizations paying ransoms rose by 4% to 80% in 2022 even though anti-ransomware payment policies were in effect among 41% of organizations, according to a report from Veeam.Researchers also found that risk management programs have been in place among 87% of organizations but only 35% noted that their programs were well-suited. Moreover, cyber insurance coverage for ransomware attacks has also been declining, with 20% of surveyed IT leaders citing ransomware exclusions from their policies, despite increasing insurance costs.Organizations have been urged to conduct regular evaluations of ransomware recoverability in their risk management plans, ensure clean backups, and leverage a staged restoration approach in the event of a ransomware attack.