
AT&T Paid Attackers $370K to Delete Stolen Customer Data


AT&T reportedly paid a hacker more than $370,000 to remove stolen customer data. In an extraordinary turn of events, the ransom may not have gone to those responsible for the breach.

Last Friday, AT&T disclosed that an April data breach had exposed the call and text records of "nearly all" of its customers, including phone numbers and call counts. In a filing with the Securities and Exchange Commission (SEC), AT&T said it has since tightened its cybersecurity measures and is working with law enforcement to investigate the incident.

It now appears that AT&T has taken additional steps in response to the intrusion. According to Wired, AT&T paid a ransom of 5.7 bitcoin to a member of the hacking group ShinyHunters in mid-May, worth a little more than $373,000 at the time. In exchange, the hacker allegedly deleted the stolen data from the cloud server where it was stored and provided video footage of the deletion.

However, there is no guarantee that the millions of people affected by the latest massive AT&T breach are entirely safe, since digital data can be copied trivially. The security expert who mediated negotiations between AT&T and the hacker told Wired that they believe the only complete copy of the stolen dataset was wiped, but that partial fragments may remain at large.

Prior to AT&T's announcement of the incident, it was revealed that Santander Bank and Ticketmaster had also been penetrated using login credentials that had been taken by an employee of the independent cloud storage provider Snowflake. According to Wired, following the Ticketmaster breach, hackers may have infiltrated over 160 companies at once using a script.

French Hospital CHC-SV Refuses to Pay LockBit Ransomware Demand


The Hôpital de Cannes - Simone Veil (CHC-SV) in France has revealed that it received a ransom demand from the LockBit 3.0 ransomware gang and refused to pay.

On April 17, the 840-bed hospital announced a serious operational disruption caused by a cyberattack, forcing it to shut down all computers and reschedule non-emergency procedures and appointments. 

Earlier this week, the establishment revealed on X that it had received a ransom demand from the LockBit 3.0 ransomware operation, which it referred to the Gendarmerie and the National Agency for Information Systems Security (ANSSI).

At the same time, the LockBit ransomware organisation added CHC-SV to its darkweb extortion site, threatening to release a first sample pack of files stolen during the attack before the end of the day. The healthcare organisation tweeted that it will not pay the ransom and will notify affected individuals if the threat actors begin leaking data.

“In the event of a data release potentially belonging to the hospital, we will communicate to our patients and stakeholders, after a detailed review of the files that may have been exfiltrated, about the nature of the stolen information.” 

Meanwhile, the hospital's IT workers are currently working to restore compromised systems to normal operational status, as internal inquiries into the incident continue. 

Ruthless stance 

The FBI's disruption of the LockBit ransomware-as-a-service operation through 'Operation Cronos' and the simultaneous release of a decryptor in mid-February 2024 have had a negative impact on the threat group. 

Affiliates have lost faith in the project, and some have chosen to lie low for fear of being identified and prosecuted. Despite the disruption, the ransomware operation relaunched a week later with fresh data leak sites, updated encryptors, and new ransom demands.

LockBit's attitude regarding assaults on healthcare providers has always been ambiguous at best, with the group's leaders failing to enforce the declared restrictions on affiliates carrying out attacks that compromised patient care. The attack on CHC-SV confirms the threat group's utter disdain for the sensitive topic of preventing disruptions to healthcare services. 

UnitedHealth Paid Ransom After Massive Change Healthcare Cyber Assault


The Russian cybercriminals who targeted a UnitedHealth Group-owned company in February did not leave empty-handed.

"A ransom was paid as part of the company's commitment to do everything possible to protect patient data from disclosure," a spokesperson for UnitedHealth Group stated earlier this week. 

The spokesperson did not reveal how much the healthcare giant paid following the cyberattack, which halted operations at hospitals and pharmacies for more than a week. Multiple media outlets claimed that UnitedHealth paid $22 million in bitcoin. 

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," UnitedHealth CEO Andrew Witty said in a statement Monday. 

UnitedHealth attributed the intrusion to the Russian ransomware gang ALPHV, also known as BlackCat. The group claimed responsibility for the attack, stating that it took more than six terabytes of data, including "sensitive" medical records, from Change Healthcare, which handles health insurance claims for patients who visit hospitals, medical centres, or pharmacies.

The attack's scale—Change Healthcare performs 15 billion transactions every year, according to the American Hospital Association—meant that even people who were not UnitedHealth clients could have been affected. The attack has already cost UnitedHealth Group almost $900 million, company officials said in reporting first-quarter earnings last week. 

Ransomware attacks, which typically involve disabling a target's computer systems, are becoming more widespread in the healthcare industry. A 2022 study published in JAMA Health Forum found that the yearly frequency of ransomware attacks against hospitals and other providers had increased.

It was "straight out an attack on the U.S. health system and designed to create maximum damage," Witty informed analysts last week during an earnings call about the Change Healthcare incident. According to UnitedHealth's earnings report, the cyberattack is ultimately estimated to cost the organisation between $1.3 billion and $1.6 billion this year.

Cybersecurity Crisis in US Healthcare Sector: Children's Hospital Raises Alarm


In a recent and alarming development, Lurie Children's Hospital, a distinguished pediatric care facility in Chicago, has been forced to disconnect its network due to a pressing "cybersecurity matter." This precautionary step is a response to the escalating cyber threats targeting healthcare systems nationwide, causing concern among experts and regulatory bodies. 

The decision to take the network offline emphasizes the severity of the situation, highlighting the hospital's firm commitment to protecting patient data and maintaining operational integrity. Cybersecurity experts are issuing warnings, emphasizing the urgent need for heightened vigilance across the healthcare sector, as potential vulnerabilities pose a significant threat on a national scale. 

Lurie Children’s Hospital, utilizing Epic System’s electronic health record software, has affirmed its proactive response to the ongoing cybersecurity issue. The hospital is actively engaged in collaboration with experts and law enforcement to address the situation, underscoring the gravity of the threat. 

While the Illinois-based medical facility remains operational, it has proactively disabled phone lines, email services, and the electronic medical system. These necessary precautions have, unfortunately, led to disruptions, impacting scheduled surgeries and creating communication challenges for families attempting to reach doctors; CBS News reported that the disruptions began on Wednesday.

This incident further amplifies the growing concerns voiced by regulators and experts about the expanding landscape of cybersecurity threats in the healthcare sector. 

In response to a 2023 report warning of "dramatic increases" in cyber attacks impacting US hospitals, the Department of Health and Human Services has released voluntary cybersecurity objectives for the health sector. The report underscored the potential compromise of hospital operations and financial extortion, emphasizing the crucial need for heightened vigilance and proactive measures within the healthcare industry. Moreover, the health sector witnessed an unprecedented surge in data breaches last year, affecting a staggering 116 million patients, as reported by STAT.

This significant increase is primarily attributed to the rise in hacking and IT incidents, more than doubling the impact compared to the preceding year, prompting a plea for strengthened cybersecurity measures to safeguard patient information. 

The trend is not limited to isolated breaches: last year's total surpassed the previous record set in 2015, when over 112 million individuals were affected. The current year continues to witness a worrisome escalation, with numerous health organizations reporting breaches related to hacking or IT incidents.

A recent incident at Chicago's Saint Anthony Hospital, involving an "unknown actor" copying patient data, further underscores the vulnerabilities in the healthcare sector. Ransomware attacks have surged, fueled by the widespread adoption of connected medical devices, cloud services, and remote work systems. 

John Riggi, the American Hospital Association's national cybersecurity and risk advisor, highlights the national security implications of these attacks, advocating for heightened cybersecurity measures. Riggi condemns attacks on children's hospitals, considering it a "new low" that directly impacts vulnerable patients. 

Nitin Natarajan from the federal Cybersecurity & Infrastructure Security Agency notes that health organizations are viewed as "target rich, cyber poor," making them attractive targets for adversaries. The broader spectrum of cybersecurity threats extends beyond healthcare, as FBI Director Christopher Wray alerts Congress to state-sponsored Chinese hackers targeting U.S. infrastructure. 

However, there is currently no indication that the Lurie incident is related to such a national security threat. The healthcare sector is now at a pivotal moment, necessitating immediate and robust responses to mitigate the growing risks posed by cyber threats.

Cybersecurity Nightmare: A Bank's Dilemma – To Pay or Risk It All


Schools, hospitals, and other institutions need to take more precautions to prevent cybercrimes from disrupting operations and putting people's data and safety at risk. At a congressional hearing held on Wednesday in Washington, DC, a familiar face from the Navarro and Judson school districts testified about how this issue is affecting individual children.

In the event of a major cyberattack, the possibility of a bank failing is not too remote. The number of cyberattacks against financial institutions has risen significantly since 2006, and the number of attacks is expected to continue rising in the near future.

Because of the increasing risk of cyberattacks and their potential impact on banks, financial institutions and the government are the top targets of concern. Financial institutions are 300 times more likely to experience such attacks than other institutions.

As part of a joint hearing of two subcommittees of the House Committee on Oversight and Accountability, Gosch offered a rare view into how institutions faced with ransomware threats are coping with these increasingly common attacks. As Gosch and Judson Independent found, a wide range of institutions face the same dilemma, not least banks, which have become disproportionately attractive targets for cybercriminals deploying ransomware.

The US credit bureaus have reported that at least 15 banks and credit unions had customer information stolen by ransomware groups this summer. Several recent reports by cyber security consortiums that offer security services to banks likewise refer to ransomware as a major concern.

According to the district's Assistant Superintendent of Technology, the Judson Independent School District in San Antonio, Texas, which has approximately 30,000 students and staff, was attacked by adversaries using ransomware in June 2021, but no state or federal agency ever visited or offered assistance for regaining access to school resources after the attack.  

On Sept. 27, Lacey Gosch, the chairwoman of the House Oversight Subcommittee, urged lawmakers not only to restore budgets for school libraries, but also to increase funding for cyberattack mitigation, data protection, and equipment upgrades. It was also recommended that formal programs be developed within schools to help with school cybersecurity recovery and mitigation. 

It was also reported that a witness from the University of Vermont Medical Center – which suffered from a ransomware attack in October of 2020 – was present at the joint hearing of the House Oversight Committees on Cybersecurity, Information Technology, Government Innovation, Economic Growth, Energy Policy, and Regulatory Affairs. 

As Stephen Leffler, the president of the medical centre, said during the hearing, it was far more difficult for his staff to deal with the cyberattack than with the COVID-19 pandemic, which affected the entire area. As a result of the attack, the hospital was taken offline for 28 days and the incident cost the organization 65 million dollars.

The Pros and Cons of Paying Ransoms 


Gosch's story is a cautionary tale that illustrates the stakes banks face when trying to prevent and mitigate ransomware attacks as the threat of ransomware to banks continues to grow.

It also illustrates the dilemma a bank faces when a ransom note arrives in the wake of an attack. The FBI's position is that paying the ransom encourages perpetrators to target more victims and increases the likelihood that other individuals will engage in this type of criminal activity.

The biggest problem with a ransom payment is that it does not even guarantee that the data has been deleted. It was not until 12 days after being informed of the ransomware attack, on Gosch's 34th day in the job, that Judson Independent negotiated a ransom with the ransomware actors.

In exchange for the promise, but not the guarantee, that the hackers would delete the stolen data, Judson Independent paid a negotiated ransom of $547,000. It was a difficult decision for Gosch, but he felt it was necessary to protect his constituents.

The district has an insurance policy against cyber-attacks, but it primarily covers attorneys' fees, data mining, and identity protection. "The insurance does not cover ransom payments or the costs of upgrading to mitigate damage to the system," Gosch stated. Cyber insurance coverage for ransom payments is a hot topic among experts.

The practice is controversial. The Royal United Services Institute, a London-based think tank, has reported that cyber insurance providers do sometimes cover ransom payments. Even so, according to the institute, there is no evidence that victims with cyber insurance are significantly more likely to pay a ransom than victims without it.

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack


The MOVEit mass hack will likely be remembered as one of the most damaging cyberattacks in history.

Hackers exploited a flaw in Progress Software's MOVEit managed file transfer service, injecting SQL commands into the system to gain access to customers' sensitive data. The MOVEit service is used by thousands of organizations to secure the transfer of large volumes of sensitive files.

The vulnerability exploited in the attack was a zero-day, meaning Progress was not aware of the flaw and could not patch it in time, which essentially left Progress' customers without any defence against the attack.

Since June 14, the Russia-linked Clop ransomware group, which claimed responsibility for the hacks, has been publicly listing alleged victims. Banks, hospitals, hotels, energy giants, and others are all on the growing list of affected companies, part of a campaign to pressure victims into paying ransom demands so that their information will not be published online.

Clop announced in a blog post this week that it will release the "secrets and data" of all MOVEit victims who refused to negotiate with it by August 15. This was not Clop's first mass hack: similar attacks earlier in the year targeted the file-transfer tools of Fortra and Accellion.

The latest Emsisoft statistics indicate that more than 40 million people have been affected by the MOVEit hack. Since the hacks started, those numbers have continued to increase almost daily.

"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.” 

Around a third of the known victims were affected through third parties such as vendors and subcontractors rather than directly. According to Callow, this complexity makes it very likely that some affected organizations are not yet aware that they have been affected, and that is what makes the damage so hard to contain.

While this hack had an unprecedented impact because of its scale, its methodology isn't new and there's nothing innovative about the way it was executed. In recent years, supply chain attacks have become more prevalent as adversaries exploit zero-day flaws, and a single exploit can affect hundreds, if not thousands, of downstream customers.

Taking action now to prevent the threat of a mass hack should be as critical for organizations as anything else they can do. 

Recovering From the Disaster 


When you have been the victim of a hack, it may seem like the damage has already been done and there is no way to recover from it. Even though recovering from an incident like this can take months or years, affected organizations need to act quickly to understand not only which type of data was compromised, but also any possible violations of compliance standards or laws governing data privacy.

Demands For Ransom


The hack in question is what is known as a "supply-chain attack". The news was first announced in November last year, when Progress Software revealed hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor.

Hackers exploited a security flaw in the software to gain access to the accounts of several companies. Even organizations that do not use MOVEit themselves are affected through third-party arrangements.

Zellis, which uses MOVEit, has said that eight of its customer companies are affected, many of them airlines such as British Airways and Aer Lingus, as well as retailers like Boots. MOVEit is thought to be used by a slew of other UK companies as well.

A hacker group linked to the ransomware group Clop has been blamed for the hack. It is believed to be based in Russia, but the hackers could be anywhere. The group has threatened to publish the data of companies that have not emailed them by Wednesday, the deadline for beginning negotiations.

As the BBC's chief cyber correspondent Joe Tidy pointed out, the group has a reputation for carrying out its threats, and organizations in the next few weeks may find their private information published on the gang's dark website. 

Reporting suggests there is a high probability that a victim that does not appear on Clop's website has secretly paid the group's ransom, which can range from hundreds of thousands to millions of dollars.

Victims are always advised not to pay, as paying fuels the growth of this criminal enterprise, and there is no guarantee that the hackers will not use the data for a secondary attack.

When a breach as massive as the MOVEit mass hack occurs, recovery is highly challenging: it requires meticulous effort to identify the extent of the compromised data, any potential compliance violations, and any violations of local privacy laws.

Many articles warn that paying a ransom demand is no guarantee that a cybercriminal will not come after you in the future, and that paying perpetuates the criminal enterprise. The MOVEit mass hack is a cautionary tale for the software sector that shouldn't be overlooked. A key aspect of this report is the emphasis it places on cybersecurity strategies and supply-chain vigilance so that the effects of cyber threats can be mitigated as quickly as possible.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection


The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to takedown by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen MOVEit data.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Schools: Prime Targets for Hackers Amid Poor Cybersecurity and Ransom Payments


New data indicates that school districts have become highly susceptible to online exploitation, emerging as the primary target for hackers. According to a recent global survey conducted by the British cybersecurity company Sophos, a staggering 80% of schools experienced ransomware attacks last year, representing a significant increase from the 56% reported in 2021. This doubling of the victimization rate over two years has led researchers to label ransomware as the most significant cyber risk faced by educational institutions today.

Comparing various industries, schools fared the worst in terms of victimization rates, surpassing even sectors like healthcare, technology, financial services, and manufacturing. 

The survey, which included responses from 400 education IT professionals worldwide, revealed that United States institutions are particularly attractive targets for hacking groups, especially since the events surrounding Russia's invasion of Ukraine.

Two factors have made schools especially vulnerable to cyber threats in the United States. First, the cybersecurity measures in educational settings often lag behind those in major businesses, such as banks and technology companies. Second, schools prove to be easy targets for exploitation due to their willingness to pay ransoms. 

Last year, nearly half of the attacks on schools resulted in ransom payments, further enticing threat actors. Unfortunately, this combination of weak defenses and a readiness to pay has made schools a "double whammy" for hackers, according to Chester Wisniewski, the field chief technology officer of applied research at Sophos.

The motivation to pay ransoms seems to be influenced by insurance coverage. In districts with standalone cyber insurance, 56% of victims paid the ransom, while those with broader insurance policies covering cybersecurity saw a payment rate of 43%. Insurance companies often cover ransom demands, giving them significant sway over which districts comply with the extortion demands.

Elder, a school representative, acknowledges the difficult decisions schools face when dealing with ransomware attacks. While it is essential to safeguard confidential information and protect people, the pressure to manage resources and finances can make the choice challenging.

Ultimately, the data suggests that schools must prioritize and strengthen their cybersecurity practices to avoid falling prey to hackers and ransom demands. 

Relying on insurance alone may not provide a comprehensive solution, as hackers continue to exploit vulnerabilities, and insurance companies struggle to keep pace with evolving threats.

Inside the World of Ransomware Negotiations: From Colonial Pipeline to JBS


In January 2021, JBS, the world's largest meat-processing company, revealed that it paid a ransom of $11 million in Bitcoin to cyber attackers. 

Similarly, in May of the same year, Colonial Pipeline, the largest refined-products pipeline in the U.S., experienced a severe cyber attack, leading to the company shutting down operations and freezing its IT systems. To restore operations, Colonial Pipeline paid a ransom of $4.4 million in Bitcoin.

What linked both incidents was the use of ransomware. Ransomware is a type of malware designed to deny users access to their data, with attackers demanding a ransom in exchange for restoring access.

Despite reports of a decrease in ransomware attacks in 2022, a Statista survey showed that 71% of companies worldwide were affected by ransomware that year, with the average ransom payment reaching $925,162. Now, in 2023, there is a resurgence of ransomware attacks, as reported by security company Black Kite.

The negotiation tactics for ransom payments are seldom reported in the news due to law enforcement agencies like the FBI and Cybersecurity and Infrastructure Security Agency strongly advising against paying ransoms. However, many organizations still choose to pay the ransom as they consider it the quickest way to recover their systems.

The process of ransom payments involves the attackers dictating the communication and payment channels, often utilizing cryptocurrencies like Bitcoin for their anonymity and speed. 

Ransomware attackers typically exploit the sensitive data they have encrypted to put pressure on affected organizations during negotiations. Negotiators might assume different personas, even pretending to be empathetic and building a rapport with attackers to secure the best deal possible.

The recovery of ransom payments can be challenging, but it is not impossible. In some cases, law enforcement agencies have successfully followed the money trail in cryptocurrency wallets to recover part of the ransom. However, tracing illicit ransom payments remains costly and time-intensive.

While paying a ransom might lead to data recovery, it does not guarantee full restoration, and organizations often remain vulnerable to subsequent attacks from the same threat actors.

Banning ransom payments entirely might not solve the problem, as some situations may warrant paying the ransom, such as critical infrastructures being affected.

The battle against ransomware requires cooperation between the private sector and government agencies. The government's involvement is crucial in intelligence gathering and threat mitigation, as cyber attackers constantly evolve their tactics.

Regulatory compliance also plays a significant role in cybersecurity at the national level, setting the tone for security measures in the private sector.

The U.S. government's National Cyber Strategy aims to hold private companies responsible for cybersecurity, emphasizing their role in cybersecurity efforts and engaging the private sector in disruption activities through scalable mechanisms.

It remains to be seen how these strategies will unfold, but tapping into offensive cyber talent could potentially enhance America's defensive and offensive cyber capabilities significantly.

Backups can be Quicker and Less Expensive than Paying the Ransom


Ransomware operators want to spend as little time as possible within your systems, which means the encryption they use is shoddy and frequently corrupts your data.

As a result, paying a ransom is typically a more expensive chore than simply refusing to pay and restoring from your own backups. That is the perspective of Richard Addiscott, a senior director analyst at Gartner.

"They encrypt at an extremely fast rate," he said on Monday at the firm's IT Infrastructure, Operations, and Cloud Strategies Conference 2023 in Sydney. "They encrypt faster than you can run a directory listing."

Therefore, ransomware creators use poor encryption techniques and end up losing some of the data they later try to sell you. If ransomware operators deliver all the data they claim, Addiscott said, it is not simple to restore from corrupt data dumps delivered by criminals. Many people don't; instead, they start a new round of discussions regarding the cost of more releases by demanding a ransom. 

According to him, just 4% of ransomware victims manage to get all of their data back, and only 61% retrieve any data at all. The average disruption to a victim's business is 25 days. 

Addiscott proposed that organisations design and practise ransomware recovery playbooks to shorten the period. Securing funding to prepare for a speedy post-ransomware recovery requires couching the risk in business terms rather than IT terms. 

According to Addiscott, the themes most likely to loosen the purse strings are revenue protection, risk reduction and cost control. He shook his head as he recalled instances in which business leaders authorised enormous and speedy ransom payments that dwarfed the previously denied investments that might have rendered them unnecessary. 

He advised thorough preparation because ransomware crooks have found a technique to speed up stalled payment negotiations: hitting their victims with a DDoS attack, so that they are fighting two fires at once and are therefore willing to pay to make at least one problem go away. 

Ransomware operators also like to double-dip by demanding payment from the organisations whose data they have stolen, then mining that data to locate new targets. Addiscott mentioned an attack on a healthcare provider in which the provider's clients were confronted with a demand to pay or have their medical records published. 

Customers identified in the stolen data may also be pressured to tell the breached supplier that they want the ransom paid, to reduce the risk of their own data being disclosed. Immutable backups and an isolated recovery environment, according to Addiscott, are a good combination of defences. 
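The recovery playbook Addiscott describes only works if a restore can be trusted, and the point about shoddy encryption is that some files come back silently damaged. The following is an added example (not code from the original post or from Gartner): it records a SHA-256 manifest when a backup is taken, then compares a restored tree against that manifest so that corrupted, missing and unexpected files (such as a ransom note) are found before the restore is declared good. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
"""Backup manifest check for ransomware recovery drills (added example)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Classify every path as ok / corrupted / missing / unexpected.

    'unexpected' catches artefacts that were never in the backup, such as a
    ransom note or an encrypted copy that ended up inside the restore set.
    """
    current = build_manifest(restored)
    return {
        "ok": sorted(p for p, h in manifest.items() if current.get(p) == h),
        "corrupted": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Run the check on a constructed tree after a simulated botched encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (data / "readme.txt").write_text("internal notes\n")
        (data / "config.json").write_text('{"retention_days": 30}\n')
        manifest = build_manifest(data)  # recorded at backup time

        # Constructed damage standing in for what a hurried encryptor leaves
        # behind: one file half-overwritten, one removed, a note dropped.
        ledger = data / "finance" / "ledger.csv"
        blob = bytearray(ledger.read_bytes())
        for i in range(len(blob) // 2):
            blob[i] ^= 0x5A
        ledger.write_bytes(blob)
        (data / "readme.txt").unlink()
        (data / "RESTORE_FILES.txt").write_text("contact us to buy the decryptor\n")

        return verify_restore(manifest, data)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

In a real drill the manifest is written to the immutable backup target alongside the data, and `verify_restore` runs inside the isolated recovery environment before any restored system is reconnected to production.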

However, he also stated that the people behind ransomware are brilliant, vicious, inventive, and relentless, so they will find new and even more nefarious ways to strike. 

The analyst did have one piece of good news: ransomware attacks fell 21% in 2022 compared with 2021. He hypothesised that the decline was caused by sanctions making it harder for Russia-based ransomware groups to operate.

The LockBit Ransomware Takes Responsibility for the Royal Mail Cyberattack

 

The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This emerges after LockBitSupp, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not explain why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than to sites operated by a different threat actor.

However, LockBitSupp validated LockBit's involvement in the attack in a post on a Russian-language hacking forum after discovering that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.

The representative of the ransomware gang also stated that they would only provide a decryptor and delete data stolen from Royal Mail's network after a ransom was paid. The entry for the Royal Mail attack on LockBit's data leak site currently states that stolen data will be published online on Thursday, February 9, at 03:42 AM UTC.

The attack was termed a "cyber incident"

On January 10, Royal Mail discovered the attack and hired outside forensic experts to assist with the investigation.

A Royal Mail spokesperson told BleepingComputer on January 11 when we reached out for more details, "Incident was detected yesterday, UK/ domestic mail remains unaffected."

"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations. Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause," the company tweeted.

The incident was also reported to UK security agencies, and the company is investigating it alongside the National Crime Agency and the UK National Cyber Security Centre (NCSC).

However, Royal Mail has yet to acknowledge that it is the victim of a ransomware attack, which could result in a data breach because LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.

For the time being, the company is still referring to the attack as a "cyber incident" and claims to have restored some of the services that were impacted by the attack. The incident last month follows a November 2022 outage that caused the Royal Mail's tracking services to be unavailable for more than 24 hours.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Ransomware Profits Shrink, as Victims Refuse to Pay

 

As per data from blockchain analysis firm Chainalysis, ransomware revenue for 2022 dropped from $765.6 million to at least $456.8 million, a 40.3% year-over-year decline. The number of attacks is as high as it has ever been, but the number of victims who refuse to pay the ransom has increased as well. 

Working with Coveware, Chainalysis has observed a significant decrease in the number of ransomware victims willing to pay: 76% in 2019, but only 41% in 2022. According to Chainalysis, this is a "highly encouraging" trend that is likely influenced by a variety of factors. 

Ransomware victims have realized that even if they pay the ransom, there is no guarantee that their data will be returned or that the ransomware actor will delete the stolen files rather than selling them on the dark web. In addition, as public perception of ransomware has matured, data leaks no longer pose the same risk to brand reputation as they did in previous years.

Companies and government agencies, which are the primary targets of modern ransomware operations, have also improved their backup strategies, making data recovery a much cleaner and easier process than it was only a few years ago.

Insurance companies are also much less likely to permit their customers to use an insurance payout to satisfy a ransom demand. Finally, because many ransomware operations are based in Russia, victims who choose to pay may face harsh legal consequences under the economic sanctions imposed on the country after its invasion of Ukraine.

Although victims are not paying as much as they used to, the ransomware industry is far from dead. In 2022 the average lifespan of a file-encrypting malware strain dropped from 153 days to just 70 days year on year. The Conti operation shut down, while other ransomware-as-a-service (RaaS) operations such as Royal, Play and BlackBasta went live. At the end of 2022, LockBit, Hive, Cuba, BlackCat and Ragnar were still in business (and still demanding ransom payments).


This Linux Malware Bombards Computers with DDoS Bots and Cryptominers

 

Security researchers have discovered a new Linux malware downloader that installs cryptocurrency miners and DDoS IRC bots on poorly secured Linux servers. Researchers at ASEC found the campaign after the downloader, packed with the Shell Script Compiler (SHC), was uploaded to VirusTotal. The uploader appears to have been a Korean user, and Korean users also appear to be the targets. 

Additional research has revealed that threat actors target Linux servers with weak security by brute-forcing their way into administrator accounts over SSH. Once inside, they'll either set up a DDoS IRC bot or a cryptocurrency miner. XMRig, arguably the most well-liked cryptocurrency miner among hackers, is the miner that is being used.

It generates Monero, a privacy-focused cryptocurrency whose transactions appear to be impossible to track and whose users are allegedly impossible to identify, using the computing power of a victim's endpoints.

Threat actors can use the DDoS IRC bot to execute commands such as TCP flood, UDP flood and HTTP flood attacks, as well as port scans and Nmap scans, killing processes, clearing logs and other operations. Linux systems are continuously subjected to malicious deployments, most frequently ransomware and cryptojacking.

"Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks," ASEC stated in its report. "Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers."
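The initial access in this campaign is plain SSH password guessing, which leaves a distinctive trail in `auth.log` long before the miner or bot lands. Below is an added example (not code from the ASEC report) of the detection logic a defender would run over those lines: a sliding-window count of failed logins per source address, plus a higher-severity alert when an address that has already been flagged then receives an `Accepted` line, which is exactly the "brute-force then install" sequence described above. The log lines are constructed samples in the syslog format sshd writes; the threshold and window are tunable assumptions.

```python
"""SSH brute-force detector over auth.log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines; one attacker address guesses root/admin/oracle
# and then succeeds, while a legitimate user mistypes once and logs in by key.
SAMPLE_LOG = """\
Jan 10 03:14:01 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:14:03 web1 sshd[2112]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 03:14:05 web1 sshd[2114]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:06 web1 sshd[2116]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan 10 03:14:08 web1 sshd[2118]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 03:14:12 web1 sshd[2120]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Jan 10 03:20:44 web1 sshd[2233]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 10 03:21:10 web1 sshd[2240]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60):
    """Return alerts as (kind, source_ip, detail) tuples in log order.

    BRUTE_FORCE fires once per address when `threshold` failures fall inside a
    `window_s`-second window; SUCCESS_AFTER_BRUTE_FORCE fires on every later
    successful login from that address and should be treated as a compromise.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated sshd line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()       # drop failures that aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(q)))
        elif ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, f"{m['user']}/{m['method']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth paging on: a password success from an address that just burned through a wordlist means the ASEC advice (strong, rotated passwords, or better, key-only authentication and a firewall in front of the service) was not in place on that host.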

A VMware report from February 2022 noted that the continued spread of Linux across digital infrastructure and cloud services, combined with the fact that most anti-malware and security tooling concentrates on protecting Windows devices, leaves Linux in a risky position.

How Can Schools Minimize Cybersecurity Risks?

 

Cyberattacks are now a daily threat to K-12 schools, and the problem may worsen as educators rely more on technology for teaching and learning, and as hackers become more sophisticated. As per the K12 Security Information Exchange, a nonprofit dedicated to assisting schools in preventing cyberattacks, there have been over 1,330 publicly disclosed attacks since 2016, when the organization began tracking these incidents. Hackers have targeted municipalities of all sizes. 

Most notably, two of the largest districts, Los Angeles Unified and New York City, faced cybersecurity incidents in 2022. Experts say that if the largest districts can be hit, anyone can. Smaller districts are especially vulnerable because they frequently lack the cybersecurity resources required to protect themselves.

Cyberattacks are costly to school districts. According to a recent GAO report, districts lose three days to three weeks of instructional time on average after an attack, and recovery time can range from two to nine months. To avoid such costs, districts should ensure that their networks are secure.

Education Week has extensive coverage on what to do if your school or district is the victim of a cyberattack, as well as how to prevent attacks. Here is an accumulation of articles and videos on this topic published by Education Week that you can use to tackle this challenge.

Guidance from the FBI and the Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn't guarantee that the data hackers are holding ransom will be decrypted or that the systems will no longer be compromised. Despite this advice, the decision of whether or not to pay a ransom can be complicated.

Two district leaders also spoke with Education Week about how they handled the aftermath of a ransomware attack that shut down schools for two days. There is no magic formula that will entirely protect districts from cyberattacks, but there are steps that can be taken to mitigate the risks. In this special report, K-12 technology leaders and experts offer recommendations on how to prevent these incidents, particularly with the emergence of school-issued devices, as well as what districts' top cybersecurity priorities should be.  

Student data privacy concerns a wide range of issues, from students' smartphones to classroom applications discovered and adopted by teachers, to district-level data systems, to state testing programmes. Experts offer their perspectives on why schools struggle to protect student data.

Executives and Telemedicine: Targets of New Ransom Payment Schemes.

 

Ransomware developers are constantly coming up with new ways to infect victims and persuade them to pay, but two recent strategies appear especially cunning. The first targets healthcare organizations that offer online consultations by sending them booby-trapped medical records for the "patient"; the second involves carefully editing the email inboxes of public company executives to make it appear that some were involved in insider trading.

Last month, the United States Department of Health and Human Services (HHS) issued a warning that Venus ransomware attacks were targeting a number of healthcare organizations in the United States. Venus, which was first observed in mid-August 2022, is known for breaking into victims' publicly exposed Remote Desktop services in order to encrypt Windows devices.

According to Alex Holden of the cyber intelligence firm Hold Security, internal Venus group discussions show that the group has no trouble gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

That could explain why their latest scheme focuses on framing executives at public companies for insider trading charges. Venus recently reported success with a method that entails carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company's stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Planting emails into an inbox is difficult, according to Holden, but it is possible with Microsoft Outlook .pst files, which the attackers would already have access to if they had compromised the victim's network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

According to Holden, the CLOP ransomware gang is currently experiencing a different issue: a lack of victims. According to the intercepted CLOP communication obtained by KrebsOnSecurity, the group boasted twice about successfully infiltrating new victims in the healthcare industry by sending infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

CLOP members reported that one tried-and-true method of infecting healthcare providers involved accumulating healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient with liver cirrhosis.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money-making collective is a relatively new organization, security experts say its members come from a threat actor group known as TA505, which MITRE's ATT&CK database describes as a financially motivated cybercrime group active since at least 2014. According to MITRE, "this group is known for frequently changing malware and driving global trends in criminal malware distribution."

In April 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at convincing more victims to pay an extortion demand: directly emailing the ransomware victim's customers and partners and alerting that their data would be leaked to the dark web unless the victim firm paid up.

According to Tripwire, the HHS advisory on Venus states that multiple threat actor groups are likely distributing the Venus ransomware. Tripwire's advice for all organizations on avoiding ransomware attacks includes the following:
  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Medibank: Hacker Gained Access to 9.7M Customers' Data and Refuses to Pay a Ransom

 

On Monday, Medibank Private Ltd (MPL.AX), Australia's largest health insurer, stated that no ransom payment will be made to the criminal responsible for a recent data theft in which the data of approximately 9.7 million current and former customers was compromised. 

Highlighting the findings of the firm's investigation thus far, Medibank confirmed that the data theft accessed the name, date of birth, address, phone number, and email addresses of approximately 9.7 million current and former customers. Cyber security issues in Australia have skyrocketed in recent years, according to a government report, with one attack occurring every seven minutes.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Medibank CEO David Koczkar said.

Paying a ransom could encourage the hacker to directly extort customers, causing more people to suffer, according to Koczkar. The insurer reiterated that business operations remained normal during the cyberattack, with customers continuing to have access to health care.

Medibank has warned its customers to be cautious because the criminal may leak the data online or attempt to contact them directly.

In the last few weeks, Singapore Telecommunications' (STEL.SI) unit Optus disclosed a breach of up to 10 million customer accounts, and Woolworths (WOW.AX) revealed that the data of millions of customers using its bargain shopping website had been compromised.  

Medibank has announced that it will commission an external review in order to learn from the cyberattack, as well as expand its Cyber Response Support Program. 

Paying Off Hackers is Common, Says Top Australian Govt Cybersecurity Firm

 

Corporate insurers routinely pay hackers a ransom for the return of stolen customer data, according to a top Australian government cybersecurity provider, as the country's largest health insurer revealed the growing scope of a recent breach on Oct 25. 

The claim from Macquarie Telecom, which manages cybersecurity for 42% of Australian federal employees, including the Australian Taxation Office, suggests a lack of preparedness in an industry that has been in the spotlight recently due to a wave of high-profile hacks.

"These are the largest corporations in the world, falling over themselves to pay criminals as fast as possible to cap their liability," Macquarie CEO David Tudehope told Reuters in an interview, referring to cyber insurance firms that he did not name. "In what other sphere of life do you see reputable corporates pay millions of dollars to criminals and somehow it's all okay?"

Insurers that paid ransom to hackers had no way of ensuring data deletion, which meant sensitive customer information remained at risk of being exposed online, according to Tudehope.

This month, Medibank Private, Australia's largest health insurer, revealed that a criminal had stolen the personal health data of 100 of its 4 million customers and demanded payment for the data's return. On Tuesday, Medibank announced that the criminal had revealed the personal information of another 1,000 customers, and that the number was likely to grow.

Optus, the country's No. 2 telco, said last month that a hacker demanded payment after stealing data from about 10 million customer accounts, equivalent to 40% of the Australian population. A person claiming to be the Optus hacker later withdrew the demand, citing privacy concerns. Meanwhile, the federal government has announced that companies that suffer data breaches will face fines of up to A$50 million.

"This is an enormous wake-up call for the country," Minister for Cyber Security Clare O'Neil told parliament. "We need to do more as a country to step up."

O'Neil added that a national crisis management group formed during the COVID-19 outbreak was activated on Saturday and has met three times to discuss the Medibank hack. Tudehope declined to comment on specific incidents, but blamed underprepared cybersecurity chiefs who were too focused on managing internal stakeholders and overly reliant on all-in-one protections such as firewall software.

"The challenge in cyber is it just changes so quickly and the people in senior management who, in many cases, do not have the background in cybersecurity because it wasn't a thing as they worked their way up through their career," Tudehope said.

"They're making decisions they don't have a strong understanding of in many cases," he added. "The people who have a deeper level of IT security (knowledge) are often at junior or middle levels of an IT department or government agency."

As per Tudehope, most businesses will face cyber attacks and should have a recovery plan in place, such as having confidential data backed up frequently in a separate location to ensure hackers cannot access it.

Ransomware Attacks Forced Organizations to Shut Down Operations Completely

 

Ransomware attacks have evolved constantly and now the spike in attacks is causing a massive concern for thousands of organizations worldwide. Hackers are taking advantage of security vulnerabilities and encrypting data belonging to all sorts of organizations: from private firms to healthcare facilities and governments. 

What motivates the ransomware attackers to become even more sophisticated and demand tens of millions of dollars is that numerous firms agree to pay the ransom and not reveal the attack. It usually happens because they are afraid of the devastating social consequences. 

Earlier this week, Trend Micro, a global cybersecurity leader, disclosed that a quarter of healthcare organizations hit by ransomware attacks were forced to shut operations completely. The study also revealed that 86% of global healthcare organizations impacted by ransomware attacks suffered operational outages. 

More than half of the global HCOs (57%) acknowledged being hit by ransomware attacks over the past three years. Of these, 25% were forced to shut down their operations, while 60% disclosed that some business processes were affected by an attack. 

On average, it took most responding organizations days (56%) or weeks (24%) to fully restore these operations. In a survey of 145 healthcare business and IT professionals, 60 percent of HCOs also suffered a data breach, potentially increasing compliance and reputational risk, as well as investigation, remediation, and clean-up costs. 

The good news is that most (95%) HCOs say they regularly update patches, while 91% limit email attachments to thwart malware risk. Many also employed detection and response tools for their network (NDR) endpoint (EDR) and across multiple layers (XDR). 

"In cybersecurity, we often talk in abstractions about data breaches and network compromise. But in the healthcare sector, ransomware can have a potentially genuine and very dangerous physical impact," Trend Micro Technical Director Bharat Mistry stated. 

"Operational outages put patient lives at risk. We can't rely on the bad guys to change their ways, so healthcare organizations need to get better at detection and response and share the appropriate intelligence with partners to secure their supply chains." 

A study published by cybersecurity firm Sophos in June found that HCOs spend nearly $1.85 million on average to recover systems after a ransomware attack, the second-highest figure across all sectors. The average ransom paid by healthcare organizations rose by 33% in 2021, and the proportion of victims paying ransoms of $1 million or more nearly tripled.

How Ransomware Turned Into the Stuff of Nightmares for Modern Businesses

 

Few cyberthreats have progressed as rapidly in recent years as ransomware, which has become a global scourge for businesses over the last two decades. 

Ransomware has evolved from simple infect and encrypt attacks to double- and now triple-extortion attacks, making it one of the most dangerous security threats of the modern era. Meanwhile, with the rise of ransomware-as-a-service, it has become more accessible to would-be cybercriminals as well.

Techradar spoke with Martin Lee, Technical Lead of Security Research at Cisco Talos, to learn more about the threat posed by ransomware and the steps businesses can take to protect themselves.

What characteristics make ransomware attacks so effective and difficult to counter?

Ransomware is essentially the 21st century equivalent of kidnapping. The criminal steals something valuable and demands payment in exchange for its return. The ransomware business model has progressed over time to become a highly efficient source of revenue for criminals.

A ransomware attack should not be taken lightly. Criminals attempt to evoke an immediate response by encrypting and rendering a system inaccessible. If a critical system is disrupted, the bad folks know that the victim will have a strong incentive to pay.

Ransomware attacks are launched through every possible entry point. Criminals will look for any vulnerability in perimeter defences in order to gain access. The profitability of ransomware drives criminals' tenacity; the attacks' ubiquity makes them difficult to defend against. To defend against such attacks, excellent defences and constant vigilance are required.

What are the most significant changes in ransomware operations since the days of simple infect and encrypt attacks?

Modern criminal ransomware attacks first appeared in the mid-2000s. Initially these were 'mass-market' attacks in which criminals distributed as much malware as possible without regard for the nature or identity of the systems targeted. Although the vast majority of that malware would be blocked, a small percentage would succeed in infecting and encrypting systems, and a small number of those infections would result in payment of a ransom.

In 2016, researchers noticed a change in the ransomware model. SamSam, a new ransomware variant, was distributed in an unusual manner. The group behind this malware planned ahead, exploiting vulnerabilities in externally facing systems to gain a foothold within the organisation. Once inside, they expanded their access, looked for key systems, and infected them with ransomware.

Criminals can significantly disrupt the operation of an organisation by researching their target and disrupting business critical systems. Criminals use this approach to demand a much higher ransom than if they compromise a single laptop, for example.

In what ways do you expect ransomware attacks to develop further in the years to come?

Ransomware has proven to be a reliable source of revenue for criminals. However, the success of an attack is never guaranteed, and the more attacks that are blocked, the less profitable the activity becomes.

Malicious emails and attempts to download malware can be blocked by perimeter defences. Filtering connections at the IP address or DNS layer can prevent malware from communicating with its command and control systems. Endpoint protection systems can detect and block malware, and effective backup solutions can restore affected systems.

With a better understanding of the effects of ransomware and stronger defences, fewer successful attacks will be witnessed and ransomware will become unprofitable. However, as organisations become smarter, so do criminals, and ransomware will continue to exist.

North Korean Hackers Employ H0lyGh0st Ransomware to Target Businesses

 

Researchers from Microsoft’s Threat Intelligence Center (MSTIC) this week claimed that the North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide. 

The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021. 

The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid. 

In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to prop up a country struggling economically under U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an "often-random selection of victims." 

According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other. 

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says. 

The researchers also found that the group's activity is consistent with the UTC+9 time zone used in North Korea. DEV-0530's first payload, BLTC_C.exe, was spotted in June last year and classified as SiennaPurple; it was less complex than later variants in the same ransomware family. More capable derivatives, written in the Go programming language, followed between October 2021 and May 2022. 

In November 2021 DEV-0530 successfully exploited several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple nations. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access. 

Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st. 
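The .h0lyenc extension is the kind of artefact an incident responder keys on when triaging a suspected infection, but extension matching alone misses files the malware renamed differently or not at all. The following is an added example (not code from the Microsoft report) of a triage scan that combines the known extension with a byte-entropy check, which separates encrypted content from the plaintext it replaced; because already-compressed formats also have high entropy, those are skipped, and every hit carries the list of reasons it fired. The directory contents in `demo()` are constructed, with seeded random bytes standing in for ciphertext; the entropy threshold and the compressed-format list are assumptions to tune locally.

```python
"""Triage scan for ransomware-encrypted files (added example)."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSIONS = {".h0lyenc"}          # extend with other families as needed
COMPRESSED_EXTENSIONS = {".png", ".jpg", ".gz", ".zip", ".7z", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, English text is roughly 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: Path, entropy_threshold: float = 7.5, sample_bytes: int = 4096):
    """Return sorted (relative_path, reasons) for every file that fires a rule."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        reasons = []
        if ext in RANSOM_EXTENSIONS:
            reasons.append("known_ransomware_extension")
        if ext not in COMPRESSED_EXTENSIONS:       # avoid obvious false positives
            with path.open("rb") as fh:
                if shannon_entropy(fh.read(sample_bytes)) >= entropy_threshold:
                    reasons.append("high_entropy")
        if reasons:
            hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def demo():
    """Scan a constructed tree: encrypted document, image, unknown blob, text file."""
    rng = random.Random(1)                   # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx.h0lyenc").write_bytes(rng.randbytes(4096))
        (root / "photo.png").write_bytes(rng.randbytes(4096))   # legitimate, skipped
        (root / "blob.bin").write_bytes(rng.randbytes(4096))    # entropy only
        (root / "notes.txt").write_text("quarterly planning notes\n" * 100)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

A file that fires on both rules is a confident hit; one that fires on entropy alone needs a look at its magic bytes before it is counted, since legitimate encrypted archives and key material look the same to this check.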

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.