
Drop in ransomware payment, 2024 Q1 sees a record low of 28%

 

Ransomware actors have encountered a rocky start in 2024, as indicated by statistics from cybersecurity firm Coveware. Companies are increasingly refusing to acquiesce to extortion demands, resulting in a record low of only 28% of companies paying ransom in the first quarter of the year. This figure marks a notable decrease from the 29% reported in the previous quarter of 2023. Coveware's data underscores a consistent trend since early 2019, showing a diminishing rate of ransom payments. 

The decline in ransom payments can be attributed to several factors. Organizations are implementing more sophisticated protective measures to fortify their defenses against ransomware attacks. Additionally, mounting legal pressure discourages companies from capitulating to cybercriminals' financial demands. Moreover, ransomware operators frequently breach promises not to disclose or sell stolen data even after receiving payment, further eroding trust in the extortion process. 

Despite the decrease in the payment rate, the overall amount paid to ransomware actors has surged to unprecedented levels. According to a report by Chainalysis, ransomware payments reached a staggering $1.1 billion in the previous year. This surge in payments is fueled by ransomware gangs targeting a larger number of organizations and demanding higher ransom amounts to prevent the exposure of stolen data and provide victims with decryption keys. 

In the first quarter of 2024, Coveware reports a significant 32% quarter-over-quarter drop in the average ransom payment, which now stands at $381,980. Conversely, the median ransom payment has seen a 25% quarter-over-quarter increase, reaching $250,000. This simultaneous decrease in the average and rise in the median ransom payment suggests a shift towards more moderate ransom demands, with fewer high-value targets succumbing to extortion. Examining the initial infiltration methods used by ransomware operators reveals a rising number of cases where the method is unknown, accounting for nearly half of all reported cases in the first quarter of 2024.

Among the identified methods, remote access and vulnerability exploitation play a significant role, with certain CVE flaws being widely exploited by ransomware operators. The recent disruption of the LockBit operation by the FBI has had a profound impact on the ransomware landscape, reflected in Coveware's attack statistics. This law enforcement action has not only disrupted major ransomware gangs but has also led to payment disputes and exit scams, such as those witnessed with BlackCat/ALPHV. 

 Furthermore, these law enforcement operations have eroded the confidence of ransomware affiliates in ransomware-as-a-service (RaaS) operators, prompting many affiliates to operate independently. Some affiliates have even opted to exit cybercrime altogether, fearing the increased risk of legal consequences and the potential loss of income. Amidst these developments, one ransomware strain stands out as particularly active: Akira. 

This strain has remained the most active ransomware in terms of attacks launched in the first quarter of the year, maintaining its position for nine consecutive months. According to the FBI, Akira is responsible for breaches in at least 250 organizations and has amassed $42 million in ransom payments. Implementing robust protective measures, staying informed about emerging threats, and fostering collaboration with law enforcement agencies are essential strategies for mitigating the risks posed by ransomware attacks and safeguarding sensitive data from malicious actors.

Panera Bread and Omni Hotels Hit by Ransomware Outages: What You Need to Know

 

In a tumultuous turn of events, Panera Bread and Omni Hotels were thrust into the chaos of ransomware attacks, unleashing a cascade of disruptions across their operations and customer services. 

Panera Bread, celebrated for its culinary delights and pioneering loyalty programs, found itself in the throes of a massive outage that paralyzed its internal IT infrastructure, communication channels, and customer-facing platforms. The ransomware strike, striking on March 22, 2024, encrypted critical data and applications, plunging employees and patrons into disarray amidst the ensuing turmoil. 

Among the litany of grievances, Panera Sip Club members were left disheartened by their inability to savour the benefits of their subscription, notably the tantalizing offer of unlimited drinks at a monthly fee of $14.99. The frustration reverberating among members underscored the profound repercussions of cyber incidents on customer experience and brand loyalty. 

As of January 23, 2024, Panera Bread and its franchise network boasted an extensive presence with 2,160 cafes sprawled across 48 U.S. states and Ontario, Canada. However, the ransomware onslaught cast a shadow over the company's expansive footprint, laying bare vulnerabilities in cybersecurity defenses and underscoring the imperative for robust incident response protocols. 

In tandem, Omni Hotels grappled with a parallel crisis as ransomware-induced IT outages wreaked havoc on reservation systems and guest services. The past week saw a flurry of disruptions, from protracted check-in delays averaging two hours to manual interventions to give guests access to their rooms.

The financial fallout of these cyber calamities remains nebulous, yet the toll on customer trust and brand reputation is palpable. The opacity shrouding the attacks has only exacerbated apprehensions among employees and patrons alike, accentuating the exigency for fortified cybersecurity measures and transparent communication strategies.

Amidst the evolving threat landscape, organizations must fortify their cybersecurity defenses and hone proactive strategies to avert the pernicious impact of cyber threats. From regular data backups and comprehensive employee training to the formulation of robust incident response blueprints, preemptive measures are pivotal in blunting the impact of cyber onslaughts and fortifying resilience against future incursions. 

The ransomware assaults on Panera Bread and Omni Hotels serve as poignant reminders of the pervasive menace posed by cyber adversaries. By assimilating the lessons gleaned from these incidents and orchestrating proactive cybersecurity initiatives, businesses can bolster their resilience and safeguard the interests of stakeholders, employees, and patrons alike.

NIA Investigates Cyberattack on Aerospace Research Firm

 

The National Investigation Agency (NIA) is examining a ransomware attack on the National Aerospace Laboratories (NAL), India’s leading aerospace research institution, which occurred on November 15 last year. Suspecting a cyberterrorist attack, the NIA has initiated an investigation into the incident. People familiar with the matter, speaking on the condition of anonymity, disclosed that the federal anti-terror agency has filed a case regarding the ransomware attack, believed to have been orchestrated by the notorious cybercrime group LockBit.

NAL Bengaluru, an affiliate of the government’s Council of Scientific and Industrial Research, stands as the sole government aerospace R&D laboratory in India's civilian sector. It fell victim to a ransomware attack on November 15, with LockBit threatening to expose stolen data, including classified documents, unless an unspecified ransom was paid. "We have registered a case to investigate the ransomware attack at the NAL from the cyberterrorism angle," stated an NIA officer.

The NIA operates a specialized anti-cyberterrorism unit tasked with investigating cyber attacks perpetrated by state or non-state actors targeting government and private entities in India. In the past, it has collaborated with other agencies, including CERT-In, during the ransomware attack at the All India Institute of Medical Sciences in November 2022. Tarun Wig, an information security expert and co-founder of Innefu Labs, described LockBit as "one of the most prolific cybercriminal groups," noting that ransomware attacks, typically driven by financial motives, frequently target Indian establishments.

LockBit, recognized as one of the world's most active ransomware-as-a-service operations, engages in data theft, encryption, extortion, and data leakage. Initially known as ABCD when it surfaced in 2019, LockBit has targeted thousands of businesses, schools, medical facilities, and government entities worldwide. Following a multinational law enforcement operation led by British authorities and involving agencies from 10 countries, including the US, France, Germany, and Japan, the UK's National Crime Agency announced last month that it had disrupted LockBit's services, compromising their criminal operations.

Graeme Biggar, director-general of the British agency, stated, "Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." This action has effectively crippled LockBit's capabilities and credibility, according to Biggar, who labeled LockBit as the world's most harmful cybercrime group. Additionally, the US Department of Justice revealed that it had partnered with the Federal Bureau of Investigation to disrupt LockBit's activities, highlighting its extensive ransom demands and the significant ransom payments it has received.

Change Healthcare Detects Ransomware Attack Vector

 

The cyberattack's widespread destruction underscores how threat actors can do significant damage by targeting a relatively unknown vendor that serves a vital operational function behind the scenes.

The AlphV ransomware group disrupted basic operations of critical systems across US healthcare services by attacking a vital financial and claims processing link in a highly interconnected industry. The outage and cascading effects of the cyberattack on healthcare IT systems continued into their fourth week on Thursday.

UnitedHealth Group reported unauthorised access to its systems on February 21. The reconnecting and testing of Change's claims systems will be completed in phases next week.

The US Department of Health and Human Services launched an inquiry into the incident on Wednesday to investigate whether protected health information was stolen and if Change met privacy and security standards. 

The department's Office for Civil Rights (OCR) announced the investigation in a letter on Wednesday, with Director Melanie Fontes Rainer writing that it was necessary to look into the situation "given the unprecedented magnitude of this cyberattack, and in the best interests of patients and health care providers." 

The statement comes following a crisis meeting on Tuesday with White House officials, medical sector leaders, HHS Secretary Xavier Becerra, and Andrew Witty, CEO of UnitedHealth Group, Change Healthcare's parent company. 

According to Fontes Rainer, the investigation will focus on whether protected health information was compromised and if Change Healthcare and UHG followed Health Insurance Portability and Accountability Act (HIPAA) requirements. 

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” Rainer said. 

The American Hospital Association referred to the attack as the most significant and consequential incident of its kind against the U.S. healthcare system in history.

SMB Cyber Threats: Information-Stealing Malware, Ransomware, and BEC

 

In today's digital landscape, small and medium-sized businesses (SMBs) are increasingly becoming prime targets for cybercriminals looking to exploit vulnerabilities for financial gain. A recent report from cybersecurity firm Sophos sheds light on the top cyber threats facing SMBs, highlighting information-stealing malware, ransomware, and business email compromise (BEC) as the most prevalent dangers. 

These malicious programs are designed to clandestinely gather sensitive data and login credentials, posing significant risks to businesses that may not have robust cybersecurity measures in place. The insidious nature of infostealers lies in their ability to operate discreetly, often evading detection until substantial damage has been done. 

Christopher Budd, director of Sophos X-Ops, underscores the escalating value of stolen data among cybercriminals, particularly concerning SMBs. He elucidates a hypothetical scenario where attackers exploit infostealers to compromise a business's accounting software, thereby gaining access to critical financial information and potentially siphoning funds into their own accounts. 

This underscores the dire consequences of falling victim to information-stealing malware, which can have far-reaching financial and reputational implications for SMBs. Despite the prevalence of infostealers, ransomware remains the most significant threat to SMBs' cybersecurity. While Sophos reports that the number of ransomware attacks has stabilized, the evolution of ransomware tactics continues unabated. 

One alarming trend highlighted in the report is the rise of remote encryption attacks, wherein threat actors leverage unmanaged devices within a victim organization to encrypt files on other systems. This sophisticated approach underscores the adaptability and persistence of ransomware operators in their quest to extort businesses for financial gain. 

Following closely behind ransomware, BEC attacks represent another formidable threat to SMBs. These attacks involve cybercriminals engaging in deceptive email correspondence or even phone calls with victims to gather sensitive information or manipulate them into transferring funds. The increasing sophistication of BEC tactics poses significant challenges for SMBs, as attackers leverage social engineering techniques to bypass traditional cybersecurity defenses. 

To mitigate these cyber threats effectively, SMBs must adopt a multi-faceted approach to cybersecurity. This includes implementing robust endpoint protection solutions, regularly updating software to patch known vulnerabilities, and providing comprehensive employee training on cybersecurity best practices. 

Additionally, adopting measures such as multi-factor authentication and encryption can add layers of security to sensitive data and communications, making it more challenging for cybercriminals to exploit vulnerabilities.

SMBs must remain vigilant in the face of evolving cyber threats and prioritize cybersecurity as a fundamental aspect of their business operations. By staying informed about emerging threats and investing in proactive cybersecurity measures, SMBs can fortify their defenses and safeguard their digital assets against malicious actors. With cyber threats continuing to evolve in sophistication and scale, such proactive measures are essential for protecting the interests and integrity of SMBs in today's digital landscape.

MarineMax's Cyber Resilience: Responding to SEC on Cyberattack Incident

 


MarineMax, a national retailer of boats and million-dollar yachts, reported on March 12 that a "cybersecurity incident" disrupted its operations, according to documents filed with the Securities and Exchange Commission (SEC). 

According to the company, unauthorized access to the information systems of the company was gained by a third party. However, the company has not indicated who the threat actor is, or what type of attack occurred, whether it was a ransomware attack or an incident of another nature. 

Many of MarineMax's internal systems were rendered unavailable as a result of the attack, which is believed to have started on Sunday, and caused significant delays in customer service, sales, and customer support for MarineMax customers across the country. 

There has also been a significant decline in MarineMax dealership sales and service as IT systems deal with the aftermath of the attack. Many dealerships are reporting problems with financing approvals, inventory availability, overall deal progression, and their sales and service processes.

MarineMax has not discontinued its operations as a result of the attack, but it has hired cybersecurity experts to assist in the investigation and has notified law enforcement. The company was asked whether it was dealing with a ransomware attack or another type of cyber incident, but it did not respond to the inquiry.

As the filing indicates, the attack has not materially affected the company's operations. However, officials are still assessing whether it will at some point in the future based on their findings. Although MarineMax has not responded to questions about whether data was stolen, the filing states that sensitive data is not stored in the environment impacted by the incident.

MarineMax classified the event as a "cybersecurity incident" as defined in rules provided by the Securities and Exchange Commission. According to the filing, the incident involved the compromise of portions of the company's information environment by an unauthorized party.

The Securities and Exchange Commission recently amended its incident-disclosure rules to require a Form 8-K to be filed within 24 hours of the organization determining a cyber-incident to be material. A material incident is one that has a significant impact on operational performance and could affect investors' investments.

Last year, several industry giants faced a cyberattack, including Brunswick Corporation, which manufactures boats and parts for ships, a company that has been in the boating industry since the late 1800s. 

The company reported that an incident in June affected the production of marine electronics at one of its subsidiaries and cost it more than $85 million. A German manufacturer of luxury yachts and military vessels also came under ransomware attack over the Easter weekend in 2023.

UnitedHealth Group Cyberattack Fallout: Government Intervention and Industry Critique

 

In a recent cybersecurity incident, UnitedHealth Group revealed that its tech unit, Change Healthcare, fell victim to a cyberattack orchestrated by the infamous ransomware gang, Blackcat. The attack, which disrupted healthcare organizations nationwide, targeted electronic pharmacy refills and insurance transactions, prompting urgent responses from both the affected healthcare provider and the U.S. government. 

The attack prompted the U.S. government to announce accelerated Medicaid and Medicare payments to healthcare units impacted by the cyberattack against Change Healthcare. However, this response drew criticism from industry associations such as the American Hospital Association and the American Medical Association. 

The latter expressed concerns that the measures did not adequately protect individual practices and called for more comprehensive financial assistance, including advanced payments for physicians. Facing cash flow concerns resulting from the inability to receive payments for insurance claims, the American Medical Association urged the Department of Health and Human Services to reintroduce widespread accelerated payments, a practice prevalent during the Covid years. 

Hospitals were encouraged to submit payment requests to their healthcare contractors, seeking relief from the financial strain caused by the cyberattack fallout. Change Healthcare responded to the crisis by introducing a new service to help healthcare providers navigate the outage. This online prescription service aims to provide temporary assistance while the company works to restore its pharmacy network, a process expected to take weeks. 

Despite these efforts, the American Hospital Association criticized Change Healthcare's response, with its president and chief executive describing the temporary assistance program as "not even a band-aid" for the problems caused by the cyberattack. The incident highlights the increasing cybersecurity threats faced by the healthcare industry and the ripple effects of such attacks on critical services. 

As healthcare providers grapple with the immediate fallout, the collaboration between the government, industry stakeholders, and affected organizations becomes crucial in addressing both the short-term challenges and implementing long-term cybersecurity resilience measures. 

In conclusion, the UnitedHealth Group cyberattack serves as a stark reminder of the vulnerability of healthcare systems to malicious cyber activities. The ongoing efforts to mitigate the impact, coupled with the industry's critique of the government's response and Change Healthcare's actions, underscore the need for a unified and proactive approach to cybersecurity in the healthcare sector.

Canadian City Says Timescale for Recovering from Ransomware Attack 'Unknown'

 

The Canadian city of Hamilton is still getting over a ransomware attack that compromised nearly every facet of municipal operations. 

Since February 25, when the ransomware attack was first reported, city officials have been working nonstop. Foundational services, such as waste collection, transit, and water and wastewater treatment, are functioning as of Wednesday.

However, the attack has impacted nearly every online payment system, forcing the city to rely on cash transactions and other manual processes. All fines, tickets, and tax payments must be made in person. 

Numerous municipal services, including cemeteries, child care centres, and public libraries, were reported by the city as having phone system or website issues. There will be no city council meetings before March 15, and the city's libraries are not providing WiFi, public computers, printing services, or other services.

“The City of Hamilton took swift action to investigate, protect systems and minimize impact on the community. We engaged a team of experts, insurers, legal counsel, and relevant authorities and [are] working diligently to restore the City’s system in a safe and secure manner,” the city said in a statement. “While a timeline for recovery is not yet known, the City is committed to resolving the situation as quickly and effectively as possible.” 

Hamilton is located roughly 40 miles from Toronto and has a population of nearly 600,000. The city stated that it is currently investigating whether citizen data was stolen. No ransomware group has claimed responsibility for the attack yet, and local officials have not responded to calls for comment. 

City officials held a press conference on Tuesday, and City Manager Marnie Cluckie stated that it is "impossible to know how long it will take us to get up and running again.” 

Cluckie declined to comment on whether the city is in talks with the ransomware group, stating that they will "do what is best for the city." She confirmed that the city has cyber insurance. 

During the press conference, Cluckie was asked if the attack would follow the same schedule as the Toronto Library, which dealt with troubles for more than four months after a ransomware attack. Cluckie said the hired cyber specialists would only advise her that each attack and recovery is unique.

Hamilton is the second municipality in Canada to deal with a ransomware attack over the last week. Ponoka, a small town about an hour west of Edmonton, recently dealt with a ransomware attack that caused system failures for the government.

UnitedHealth's Cyberattack Should Serve as a 'Wake-up Call' for HealthCare Sector

 

The US Health and Human Services Department (HHS) announced Tuesday that it would assist doctors and hospitals in locating alternate claims processing platforms to help restart the flow of business following a cyberattack on a UnitedHealth Group (UNH) subsidiary that crippled operations of a large swath of America's health systems for the past two weeks. 

On February 21, a cyberattack paralysed Change Healthcare, which hospitals, doctors' offices, and pharmacies use to handle payments and prior authorizations for patient visits and medicines.

United gave a lengthy status update Tuesday afternoon, stating that the attack was carried out by BlackCat, a well-known Russian-backed ransomware outfit. 

The FBI was aware of BlackCat, also known as ALPHV, and succeeded in breaching the group at the end of last year, but was unable to put it down. BlackCat has previously targeted a number of healthcare companies. It claimed to have collected up to 6 gigabytes of data during the latest attack and to have received $22 million in bitcoin; the transaction is visible on the blockchain, but where the payment came from is still being determined.

Based on the most recent statistics, 90% of claims are still being processed for health providers, and pharmacies should be fully operational by Thursday, UHG explained in a statement Tuesday.

Additionally, the company noted, "We've made progress in providing workarounds and temporary solutions to bring systems back online in pharmacy, claims and payments." 

While smaller systems that rely heavily on Change Healthcare are suffering, larger systems with many vendors or the financial capacity to quickly switch to another provider are less affected. 

"This may be the first of its kind, where an outage at the interoperability layer weakens the capacity of the system to function," stated Aneesh Chopra, former US chief technology officer and currently co-founder and president of CareJourney, a healthcare analytics company. "This is a wake-up call on the need for redundancy in systems so we have backup options when a particular vendor goes down.” 

Third-party risks 

Tech platforms have had difficulty allowing their software to interact with each other and provide seamless connectivity for health systems due to regulations safeguarding patient data. However, newer products have made interoperability easier to achieve, which also makes them more susceptible to attacks. 

The attack on United makes sense for that reason: it choked off a key mechanism in the inner workings of the system. Change enables numerous healthcare companies to handle payments and claims; CVS (CVS), for example, reports that 25% of its claims are processed using Change.

This is in stark contrast to earlier attacks that targeted specific organisations, such as insurers and hospitals, and affected only one aspect of the system.

United is also a tempting target because its Optum brand comprises Optum Financial, a different division of UHG that operates a number of payment systems.

Privacy Watchdog Issues Warning

 

Information about over 33 million individuals in France, roughly half of the nation's population, was compromised in a cyber assault after January, as per statements from the country's data protection authority.
The Commission Nationale Informatique et Libertés (CNIL) disclosed this development recently after being notified by two healthcare insurance firms, Viamedis and Almerys.

The agency cautioned that the breached data, impacting policyholders and their families, encompasses details such as "marital status, date of birth, social security number, the name of the health insurer, as well as the guarantees of the contract."

Thankfully, unlike the situation involving Australian health insurer Medibank, sensitive medical records and treatment histories were not accessed.

CNIL emphasized that the responsibility lies with the health insurance firms to inform the affected parties. However, individuals are advised to remain vigilant against potential phishing schemes aiming to defraud them.

While the contact information of policyholders remained untouched, CNIL highlighted the possibility of combining the breached data with other previously compromised information for further malicious activities.

In light of the magnitude of the breach, CNIL swiftly initiated investigations to assess the adequacy of security measures implemented both before and after the incident, in alignment with GDPR obligations.

Failure of the implicated companies to adhere to cybersecurity protocols mandated by the EU's GDPR could result in penalties of up to €20 million or 4% of their global revenue, whichever is greater.

The ransomware attack on Medibank stirred considerable distress in Australia when the perpetrators began disclosing sensitive healthcare claims data for approximately 480,000 individuals, including details on drug addiction treatments and abortions, for extortion purposes.

Last month, Australia, the United Kingdom, and the United States publicly attributed the attack to Russian hacker Aleksandr Ermakov, imposing financial sanctions and travel restrictions on him.

South Staffs Water Faces a Group Action Following Clop Ransomware Attack

 

Following the theft and disclosure of their data by the Clop/Cl0p ransomware group, nearly one thousand victims recently filed a class action lawsuit against South Staffordshire Plc. 

South Staffordshire Plc, which owns South Staffordshire Water and Cambridge Water, served 1.6 million Midlands customers when Clop targeted its networks in August 2022.

The cyber attack on its systems became well-known at the time because Clop falsely claimed it had targeted Thames Water, which serves consumers in Greater London and other parts of south-east England. 

The inept cyber crooks published a lengthy rant against Thames Water, criticising its alleged cyber malfeasance and urging customers to come together to sue it. Two and a half years later, Manchester-based Barings Law is seeking legal action over the breach, for which South Staffs has admitted liability.

Bank sort codes, account numbers used for direct debit payments and bank transfers, names, residences, and other sensitive information were among the details that Barings said its claimants saw published on the dark web. It states that South Staffs did not fulfil its obligation to safeguard its clients' personal information.

“This cyber attack has exposed a significant number of individuals to potential risks and damages,” stated Adnan Malik, head of data breach at Barings Law. “Our clients are seeking not only financial compensation, but also accountability from South Staffs Water for the lapses in data protection. We are regularly fielding enquiries from the public who are concerned they may have been victims of this terrible incident.” 

“This data breach is a serious infringement of privacy rights, and we will robustly pursue justice on behalf of the claimants to ensure that they receive fair compensation for the potential repercussions of this breach. Barings Law remains committed to championing the rights of those affected and holding accountable any entity that neglects its responsibility to protect sensitive data,” Malik added. 

Barings was established in 2009 and is becoming known for specialising in similar collective claims involving cyberattacks that resulted in the theft and disclosure of personally identifiable information (PII). Notable actions against Capita and Carphone Warehouse have advanced in the last 12 months. 

The Capita lawsuit pertains to two 2023 incidents that compromised common people's data: the first was a ransomware attack that impacted multiple pension funds, and the second was an inadvertent leak of data housed in an insecure Amazon Web Services (AWS) S3 storage bucket. As of mid-January 2024, over 5,000 people had signed up to join. 

Capita has denied the legitimacy of this claim, stating that there is "no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity".

Cohesity Research Shows That Most Firms Break Their "Do Not Pay" Policies by Paying Millions in Ransoms


While a "do not pay" ransomware policy may sound appealing in theory, thwarting attackers' demand for ransom in exchange for stolen data is easier said than done. A recent study conducted by Cohesity, a leader in AI-powered data security management, reveals this truth.

The study surveyed over 900 IT and security decision makers who "take an if not when" approach regarding cyberattacks on their business. According to the study, 94% of participants stated that their organisation would pay a ransom to retrieve data and resume commercial operations, with 5% responding, "Maybe, depending on the ransom amount." 

The majority of those surveyed had paid a ransom in the previous two years, and the vast majority predicted that the threat of cyberattacks would increase dramatically by 2024. Worryingly, 79% of respondents reported that their firm had been the victim of a ransomware attack between June and December 2023. As a result, 96% of respondents believe the threat of cyberattacks to their industry will increase this year, with 71% expecting it to increase by more than 50%. 

9 out of 10 companies paid ransom 

Sixty-seven percent of respondents stated their organisation would be prepared to pay more than $3 million to retrieve data and restore business processes, while 35% were willing to pay $5 million as ransom. The study also demonstrated the need to be able to respond and recover: 9 in 10 respondents indicated their organisation had paid a ransom in the previous two years, despite 84% claiming their company had a "do not pay" policy.

"Organisations can't control the increasing volume, frequency, or sophistication of cyberattacks such as ransomware," explained Brian Spanswick, Cohesity's chief information security officer and head of IT. "What they can control is their cyber resilience, which is the ability to respond quickly and recover."

Expanding ransomware tactics

Since every ransomware incident is unique, the best people to determine whether or not to pay a ransom should be law enforcement or the cyber insurance provider for a company. Now, it appears that each ransomware attack is becoming more sophisticated and intense as the attack surface keeps expanding. 

Delinea, a privileged access management (PAM) company, stated in its annual State of Ransomware report that the growing quantity and frequency of ransomware assaults indicate a shift in attackers' strategy. 

According to Delinea, new tactics that use "stealth" to exfiltrate sensitive and private data have supplanted the tried and tested approach of crippling a business and holding it hostage. To that end, attackers usually threaten either to use the data to secure an attractive cyber insurance payout or to sell it to the highest bidder on the darknet. 

Remember that internal as well as external sources can pose a threat to an organisation's cybersecurity: 90% of respondents to the Securonix 2024 Insider Threat Report said insider threats are as difficult as, or more difficult than, external attacks to identify and prevent.

Aftermath of Ransomware Attacks Takes a Mental and Physical Toll on Security Pros


Research conducted by the Royal United Services Institute (RUSI) has underlined the mental and physical toll that cybersecurity workers face in their work.

Through a series of interviews with people who had been at the forefront of ransomware attacks and their aftermath, RUSI discovered that people were experiencing financial, reputational, and social harm in addition to illnesses related to stress as a result of ransomware assaults.

Ransomware attacks involve evading an organization's network security, then encrypting and exfiltrating its data, and finally demanding payment for the data's safe return.

Personal Insight From Victims

Several individuals RUSI spoke with reported sleep deprivation, which left them extremely tired and prone to dozing off at work. Security personnel reported varying degrees of stress; one respondent believed that the stress of a ransomware attack could have contributed to a heart attack that needed to be surgically treated.

In one of the cases, the interviewee needed hospital visits because the strain of a ransomware assault caused them to be severely dehydrated after drinking too much coffee, which made their pre-existing cardiac problem worse.

After their employer hired an outside IT firm to help with recovery, several of the people RUSI spoke with felt under pressure and incompetent, and inadequate integration and communication caused inefficiencies following the incident. Furthermore, many security experts, especially those with years of expertise in a single role, see ransomware attacks as a reason to retire or step down.

Also, several victims claimed that excess workload resulted in a challenging work/life balance and many of them said they had lost out on their personal and family time. In one instance, a person was required to look after a senior team member so they could work longer hours.

Beyond cybersecurity personnel, ransomware attacks on hospitals have a physical impact as well. They cause above-average additional deaths from postponed visits and lost data. In addition, the Hackney Council's ability to maintain and repair social housing was hampered by the aftermath of a ransomware attack, leaving some residents to spend protracted lengths of time in mouldy and wet dwellings.  

Toronto Zoo Suffers a Ransomware Attack


The Toronto Zoo, located in Toronto, Ontario, Canada, revealed that it was hit by a ransomware attack on January 8th. The attack was first detected on Friday, January 5th. 

As per the official statement released by the zoo, an investigation is under way to assess whether the attack affected its guest, member and donor records. The zoo further stated that it does not store customers' credit card information, so it is doubtful that any sensitive data was exposed.

The attack has not targeted the Toronto Zoo's systems for the welfare, care, or support of its animals, and operations are continuing as usual. Online ticket purchases are still functional on the Zoo website.

In its statement, the Zoo stated: “We are working with the City of Toronto’s Chief Information Security Office and third-party cyber security experts to resolve the situation and have reported it to Toronto Police Services.” 

"Currently, our animal well-being, care and support systems have not been impacted by this incident and we are continuing with normal zoo operations, including being open to guests. The zoo website is not impacted, and ticket purchases can continue to be made online at torontozoo.com …"

Sadly, such incidents are growing more frequent. The zoo confirmed that it has upgraded its technological infrastructure in recent years.

Zoo management has asked affected individuals to be patient if they try to contact zoo staff over “the next several days.” Zoo administrators reported the intrusion to Toronto police and are collaborating with the city's information security office and other cybersecurity specialists to remedy the matter.

Earlier, the Toronto Public Library suffered an attack in October that affected several of its services for patrons. While some library services, such as Wi-Fi, have resumed, the library is still carrying out restoration work to bring back the other services patrons rely on to apply for jobs, communicate with others, apply for housing and access government services.  

Automotive Industry Under Ransomware Attacks: Proactive Measures

Ransomware has become a highly profitable industry, with major players like Conti Ransomware and Evil Corp leading the way. Although these entities are not publicly traded and do not report earnings to regulatory bodies like the SEC, it is estimated that ransomware payments reached around $450 million in the first half of the previous year. Shockingly, cyber-attacks are so lucrative that North Korea reportedly derives 50% of its foreign currency from cyber theft, as reported by Nikkei Asia. 

In 2021, automotive companies faced the highest number of cyber-attacks within the manufacturing sector, making up approximately one-third of all attacks, as highlighted in an industrial threat research report by IBM. A prevalent tactic employed by cybercriminals involves targeting the supply chains of automotive manufacturers through vulnerabilities in third-party vendors. 

In the list of industries facing ransomware attacks, the automotive sector ranked eighth out of 35, indicating a moderate vulnerability compared to others like technology, logistics, and transportation. It is less susceptible than some industries but more so than municipal and legal services. A 2021 Gartner report revealed that 71% of automotive Chief Information Officers (CIOs) planned to increase efforts in cybersecurity and information security that year compared to 2020. 

Cybersecurity experts note that the automotive industry's enthusiastic adoption of digitalization and automation in its operations has significantly increased productivity. However, this shift has also made organizations more susceptible to cyber-attacks due to the expanded digital footprint. 

Let’s Understand How Automobile Companies Can Protect Their System

The first step in safeguarding a car manufacturing company's systems is to understand the potential security risks and threats to their equipment. As technology advances, many companies are linking their older systems to the internet to collaborate with outside vendors. While it might take time for businesses to get used to this new security approach, there's a positive trend in increased awareness, making the industry safer. 

To protect against large-scale ransomware attacks, the automotive sector needs to take a proactive stance in detecting and addressing risks in their manufacturing environment. This shift towards a more proactive security strategy is crucial for preventing potential cyber threats and ensuring the safety of the organization's systems.

DragonForce Ransomware Gang Prompts Ohio Lottery to Shut Down


On 25 December 2023, the Ohio Lottery faced a major cyberattack; as a result, it had to shut down some crucial systems related to an undisclosed internal application. 

The threat actors behind the breach are the DragonForce ransomware group. 

While the investigation into the breach is ongoing, the lottery has assured customers that its gaming system remains operational, although some services have been affected. At Super Retailers, prize cashing above $599 and mobile cashing are temporarily unavailable. 

The winning numbers for the KENO, Lucky One, and EZPLAY Progressive Jackpots can be found at any Ohio Lottery Retailer; they are unavailable on the internet or mobile app.

In its press release, the lottery states: "On December 24, 2023, the Ohio Lottery experienced a cybersecurity incident impacting some of its internal applications and immediately began work to mitigate the issue. The state's internal investigation is ongoing. We apologize for the inconvenience and are working as quickly as possible to restore all services."

What must customers do?

The lottery has asked customers to check the Ohio Lottery website and mobile app for winning numbers at this time. WKYC reports that prizes up to $599 can be claimed at any Ohio Lottery Retailer, while prizes over $600 must be sent by mail to the Ohio Lottery Central Office or submitted using the online claim form. 

Ransomware Gang Claims Responsibility

While Ohio Lottery did not confirm who was behind the cyberattack, a ransomware group called DragonForce claimed responsibility. 

According to a report by BleepingComputer, the threat group claims that they have encrypted devices and accessed sensitive data like Social Security Numbers and the date of birth of affected customers. 

According to the DragonForce gang, the stolen data includes the names, addresses, emails, winning amounts, Social Security numbers and dates of birth of over 3,000,000 lottery customers. The volume of the released data, more than 600 gigabytes, raises questions about the scope of the hack. 

DragonForce: A New Competitor in the Ransomware Arena

Despite being a relatively young ransomware gang, the DragonForce gang's methods and data leak website suggest a rather experienced extortion organization. As law enforcement steps up their efforts to combat ransomware activities, new organizations like DragonForce are coming into action, which raises the issue of rebranding within the threat landscape. 

In a similar case, the official Facebook page of the Philippines lottery system was recently hacked by anonymous attackers. Witnesses reported that the threat actors were apparently spamming the page with nude photos. This prompted the Philippine Charity Sweepstakes Office (PCSO) to shut down the page for the time being while the Cybercrime Investigation and Coordinating Center (CICC) conducts its investigation.   

Henry Schein Data Breach: Healthcare Giant Reports Second Attack in Two Months


U.S.-based healthcare company Henry Schein has confirmed another cyberattack this month, conducted by the BlackCat/ALPHV ransomware gang. The company was previously attacked by the same group in October. 

Henry Schein

Henry Schein is a Fortune 500 healthcare products and services provider with operations and affiliates in 32 countries, with approximately $12 billion in revenue reported in 2022. 

The company first disclosed on October 15 that, following a cyberattack the day before, it had taken some systems offline in order to contain the threat.

On November 22, more than a month later, the company announced that parts of its applications and its e-commerce platform had once more been taken down due to another attack, attributed to the BlackCat ransomware gang.

"Certain Henry Schein applications, including its ecommerce platform, are currently unavailable. The Company continues to take orders using alternate means and continues to ship to its customers," the announcement said.

"Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility."

Today, the company released a statement, noting that it has restored its U.S. e-commerce platform and that it is expecting its platforms in Canada and Europe to be back online shortly. 

The healthcare services company is apparently still taking orders through alternate methods and distributing them to customers in the affected areas.

Henry Schein’s BlackCat Breach

Following the breach, the BlackCat ransomware gang added Henry Schein to its dark web leak site, taking responsibility for breaching the company’s network. BlackCat claims to have stolen 35 terabytes of the company’s critical data. 

The cybercrime organization claims that they re-encrypted the company's devices while Henry Schein was about to restore its systems, following a breakdown in negotiations toward the end of October.

This would make the event this month the third time that BlackCat has compromised Henry Schein's network and encrypted its computers after doing so on October 15.

"Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said.

The ransomware group further threatened to publish the company's internal payroll data and shareholder folders on its leak blog by midnight. 

Initially discovered in November 2021, BlackCat is believed to be a rebrand of the DarkSide/BlackMatter gang. DarkSide had earlier gained global notoriety for its attack on Colonial Pipeline, prompting extensive law enforcement investigations.

Moreover, the FBI has linked the ransomware group to over 60 breaches, between November 2021 and March 2022, affecting companies globally.  

Australia's Cyber Strategy: No Ransomware Payment Ban

Australia has recently unveiled its new Cyber Security Strategy for 2023-2030, and amidst the comprehensive plan, one notable aspect stands out – the absence of a ban on ransomware payments. In a world grappling with increasing cyber threats, this decision has sparked discussions about the efficacy of such a strategy and its potential implications.

The strategy, detailed by the Australian government, outlines a sweeping resilience plan aimed at bolstering the nation's defenses against cyber threats. However, the decision not to ban ransomware payments raises eyebrows and prompts a closer examination of the government's rationale.

According to reports, the Australian government aims to adopt a pragmatic approach to ransomware, acknowledging the complex nature of these attacks. Instead of an outright ban, the strategy focuses on improving cybersecurity, enhancing incident response capabilities, and fostering collaboration between government agencies, businesses, and the wider community.

Critics argue that allowing ransom payments may incentivize cybercriminals, fueling a vicious cycle of attacks. The concern is that paying ransoms may encourage hackers to continue their activities, targeting organizations with the expectation of financial gain. In contrast, proponents of the strategy contend that banning payments may leave victims with limited options, especially in cases where critical data is at stake.

Australia's decision aligns with a growing trend in some parts of the world where governments are grappling with finding a balance between protecting national security and providing victims with avenues for recovery. The approach reflects an understanding that rigid and one-size-fits-all policies may not be effective in the ever-evolving landscape of cyber threats.

The new Cyber Security Strategy also emphasizes the importance of international cooperation to combat cyber threats. Australia aims to actively engage with international partners to share threat intelligence, collaborate on investigations, and collectively strengthen global cybersecurity.

Australia's experiment with a more nuanced approach to ransomware payments is being watched by the whole world, and the results will probably have an impact on how other countries formulate their cybersecurity laws. The continuous fight against cyber dangers will depend on finding the ideal balance between deterring illegal activity and helping victims.

In contrast to other nations that have taken more restrictive measures, Australia has decided not to outlaw ransomware payments in its new Cyber Security Strategy. In light of the ever-changing cybersecurity landscape, this underscores the significance of a comprehensive, cooperative and flexible approach and demonstrates a practical recognition of the difficulties presented by cyber attacks. The future course of international cybersecurity regulation will surely be influenced by how well this strategy succeeds.

Researcher Claims: Teens with “Digital Bazookas” are Winning Ransomware War


One thing that Boeing, the Australian shipping company, the world’s largest bank and the world’s biggest law firm have in common is that they have each suffered at least one cybersecurity incident. These breaches were apparently carried out by a teenage hacker, all because the companies failed to patch a critical vulnerability that security professionals had warned about weeks earlier, according to a post published by DoublePulsar on Monday. 

According to Kevin Beaumont, a freelance security researcher, other notable victims of these breaches include DP World, the Australian branch of the Dubai-based logistics company DP World; the Industrial and Commercial Bank of China; and Allen & Overy, a multinational law firm.

These four companies have recently admitted to being struck by at least one security incident. China's ICBC has also allegedly paid an undisclosed ransom to retrieve the encryption keys for data that had remained unavailable since the breach. 

Beaumont said the four businesses are among the ten victims he is aware of that are currently being extorted by LockBit, one of the most active and destructive ransomware syndicates in the world, citing data that allows ransomware operators to be tracked as well as people familiar with the breaches. Despite a fix having been available since October 10, Beaumont said none of the four organizations had applied it to the critical vulnerability. All four used Citrix NetScaler networking appliances.

CitrixBleed Bug

With a severity rating of 9.4 out of 10, CitrixBleed is an easy-to-exploit vulnerability that leaks session tokens, which can be used to bypass any multifactor authentication mechanism protecting a vulnerable network. Once inside the victim's internal network, attackers have the equivalent of a point-and-click desktop PC and are free to move around.

In his post, Beaumont wrote:

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose. 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont further highlighted query results from the Shodan search service showing that, at the time of the intrusions, none of the four firms had installed a CitrixBleed patch. The vulnerability is tracked as CVE-2023-4966.

The researcher also criticised Citrix for NetScaler's logging features, which he said made it practically impossible for customers to determine whether they had been compromised. As a result, some organisations that applied the CitrixBleed patch may have been unaware that LockBit was already present on their networks.

Boeing declined to comment on the post.

Citrix and Allen & Overy did not respond to emails from Ars Technica seeking comment on the post. The outlet further notes that requests for comment from DP World and ICBC were also not immediately answered.

After the CitrixBleed exploit first provides remote access through Virtual Desktop Infrastructure software, LockBit uses tools like Atera, which offers interactive PowerShell interfaces without triggering antivirus or endpoint detection alerts, to extend its access to other parts of the compromised network. This access persists until administrators take specific steps, even after CitrixBleed is patched.  

China's Biggest Lender ICBC Hit by Ransomware


Citrix disclosed a critical vulnerability in its NetScaler technology last month that may have contributed to this week's disruptive ransomware attack on the world's largest bank, the PRC's Industrial and Commercial Bank of China (ICBC). The incident underscores the importance for businesses, if they haven't already, of patching against the threat promptly. 

Numerous on-premises Citrix NetScaler ADC and NetScaler Gateway application delivery platforms are impacted by the so-called "CitrixBleed" vulnerability (CVE-2023-4966). 

The vulnerability, which allows attackers to take over user sessions and steal private data, has a CVSS 3.1 severity score of 9.4 out of a possible 10. Citrix has stated that the vulnerability requires no user interaction, has low attack complexity and is remotely exploitable.

Mass CitrixBleed Exploitation

Before Citrix released updated versions of the compromised software on October 10, threat actors had been actively exploiting the vulnerability since August. Due to the possibility that authenticated sessions may continue after the update, Mandiant researchers who found and notified Citrix of the vulnerability have also strongly advised that organisations end all active sessions on each impacted NetScaler device. 
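Mandiant's advice to terminate all active sessions after patching, and the earlier note that LockBit's access persists after the patch until administrators take specific steps, both rest on the same point: fixing a token leak does not invalidate tokens that were already leaked. The following is an added example, not code from the page, from Citrix or from Mandiant. It models a minimal server-side session store in Python with HMAC-bound tokens and a revoke_all() step, and shows that a token issued before the "patch" stays valid until the store is flushed. SessionStore, issue(), validate() and revoke_all() are illustrative names; the user names and timestamps are constructed.

```python
"""Why patching is not enough: revoke sessions too (added example, not page code).

Illustrative names (SessionStore, issue, validate, revoke_all) and constructed
sample data. The model is generic and is not NetScaler's implementation.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


class SessionStore:
    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        self._generation = 0           # bumped by revoke_all()
        self._sessions = {}            # token_id -> (user, generation, expires_at)

    def _mac(self, token_id: str, generation: int) -> str:
        msg = f"{token_id}:{generation}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a session token: random id, current generation, HMAC tag."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(16)
        gen = self._generation
        self._sessions[token_id] = (user, gen, now + self._ttl)
        return f"{token_id}.{gen}.{self._mac(token_id, gen)}"

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user, or None if the token is malformed,
        tampered, expired, unknown, or from a revoked generation."""
        now = time.time() if now is None else now
        try:
            token_id, gen_str, mac = token.split(".")
            gen = int(gen_str)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(token_id, gen)):
            return None
        record = self._sessions.get(token_id)
        if record is None:
            return None
        user, issued_gen, expires_at = record
        # Generation check is belt-and-braces: it also rejects old tokens if the
        # session table were restored from a backup taken before revoke_all().
        if gen != issued_gen or gen != self._generation:
            return None
        if now >= expires_at:
            del self._sessions[token_id]
            return None
        return user

    def revoke_all(self) -> int:
        """Post-patch step: kill every active session. Returns the count revoked."""
        count = len(self._sessions)
        self._sessions.clear()
        self._generation += 1
        return count


def demo() -> dict:
    """Constructed timeline: token leaked before the patch, patch applied, then revoke."""
    store = SessionStore(secrets.token_bytes(32), ttl_seconds=600)
    t0 = 1_700_000_000.0                       # constructed epoch timestamp
    leaked = store.issue("alice", now=t0)      # issued (and leaked) pre-patch
    before = store.validate(leaked, now=t0 + 60)
    # Deploying the code fix changes nothing in this table: still accepted.
    still_valid = store.validate(leaked, now=t0 + 120)
    revoked = store.revoke_all()               # the step Mandiant recommends
    after = store.validate(leaked, now=t0 + 180)
    fresh = store.issue("alice", now=t0 + 200) # users simply log in again
    return {"before": before, "still_valid": still_valid, "revoked": revoked,
            "after": after, "fresh": store.validate(fresh, now=t0 + 210)}


if __name__ == "__main__":
    print(demo())
```

The usage note is the timeline in demo(): the same leaked token validates twice, survives the hypothetical patch, and only fails after revoke_all(). On a real appliance the equivalent is the vendor's session-termination procedure; the lesson is that patch deployment and session invalidation are two separate steps in the response plan.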

One clear public instance of the exploit activity is the ransomware attack on the US branch of the state-owned ICBC. In a statement earlier this week, the bank said that some of its systems were disrupted by a ransomware attack that occurred on November 8. The Financial Times and other media outlets cited sources who said the attackers were LockBit ransomware operators.

On November 6, security researcher Kevin Beaumont identified one possible attack vector for the LockBit actors: an unpatched Citrix NetScaler appliance at ICBC. 

"As of writing this toot, over 5,000 orgs still haven't patched #CitrixBleed," Beaumont stated. "It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs — it gives attackers a fully interactive Remote Desktop PC [on] the other end." 

Recent weeks have seen an increase in mass exploitation attacks against unmitigated NetScaler devices, spurred at least in part by publicly available technical details of the flaw. 

At least four organised threat groups are reportedly focusing on the vulnerability, according to a ReliaQuest report this week, and one of them has automated CitrixBleed exploitation. In the short window between November 7 and November 9, ReliaQuest reported seeing "multiple unique customer incidents featuring Citrix Bleed exploitation". 

CISA issues CitrixBleed guidance

The exploit activity compelled the US Cybersecurity and Infrastructure Security Agency (CISA) to publish new CitrixBleed threat guidance and resources this week. CISA issued a warning about "active, targeted exploitation" of the bug, urging organisations to "update unmitigated appliances to the updated versions" released by Citrix last month.

The vulnerability is a buffer overflow issue that allows sensitive information to be disclosed. It affects NetScaler on-premises versions when configured as an Authentication, Authorization, and Accounting (AAA) or gateway device such as a VPN virtual server, ICA, or RDP Proxy.