Search This Blog

Showing posts with label ransomware attacks. Show all posts

SOCs Face Stern Test in 2023 as Hackers Target Governments and the Media

 

The number of incidents in the government and mass media segments will increase this year, according to Kaspersky research experts' predictions for challenges in Security Operation Centers (SOCs) in 2023. SOCs in these and other industries, as well as supply chain attacks via telecommunications providers, are likely to face more recurring targeted attacks. More initial compromises through public-facing applications will be another threat to SOCs. Data destruction may occur in organisations that are threatened by ransomware attacks. 

Repeated targeted attacks by state-sponsored hackers 

The average number of incidents in the mass media sector doubled from 263 in 2021 to 561 in 2022, according to Kaspersky experts. Numerous high-profile incidents occurred over the course of the past year, one of which was when Iranian state TV broadcasting was halted due to hacker activity while the nation was in the midst of protests. Similar DDoS attacks to those that occurred in the Czech Republic also targeted media outlets. Among the 13 other analysed segments, such as industrial, food, development, financial, and others, mass media emerged as the top target for cybercriminals, following the government sector, where the average number of incidents increased by 36% in 2022. 

2023 will see a continuation of this growth along with routine targeted attacks by state-sponsored actors. While this is typically relevant for governmental organisations, the mass media sector has come under increased attack during global conflicts that are frequently accompanied by information warfare and in which the media invariably play a significant role. 

“Large businesses and government agencies have always been targets of cybercriminals and state-sponsored actors, but geopolitical turbulence increased attackers’ motivations and enlivened hacktivism, which cybersecurity specialists have not regularly encountered until 2022,” stated Sergey Soldatov, head of security operation center (SOC) at Kaspersky. “The new wave of politically-motivated attacks is especially relevant for the government and mass media sectors. To effectively protect a company, it’s necessary to implement a comprehensive threat detection and remediation provided through Managed Detection and Response services.” 

Supply chain assault 

Attacks on telecommunications firms by perpetrators could lead to an increase in supply chain strikes in 2023. The telecom sector experienced a disproportionate number of high severity incidents in 2021 for the first time. Although the average proportion of high severity incidents decreased in 2022 (from 79 per 10,000 systems monitored in 2021 to about 12 in 2022), these businesses continue to be prime targets for cybercriminals. 

Ransomware destroyers 

In 2022, Kasperksy noticed a new ransomware trend that will persist in 2023: ransomware actors will both encrypt and destroy corporate data. This is pertinent to organisations that experience politically motivated attacks. More initial compromises through applications with a public facing pose a threat to SOCs. Compared to phishing, penetration from the perimeter requires less preparation, and outdated vulnerabilities are still available. 

Mitigation tips

Kaspersky researchers advise taking the following precautions to guard against the pertinent threats: 

  • Keep all of your devices' software updated to stop hackers from breaking into your network by taking advantage of flaws. Patches for fresh vulnerabilities should be applied as soon as possible. Threat actors are no longer able to exploit the vulnerability once it has been downloaded. 
  • High-profile attacks can be defended against with dedicated services. Before the intruders succeed in their objectives, the Kaspersky Managed Detection and Response service can assist in locating and stopping intrusions in their early stages. If an incident occurs, Kaspersky Incident Response service will assist you in responding and reducing the effects. In particular, locate the compromised nodes and safeguard the infrastructure from future intrusions. 
  • Utilize the most recent Threat Intelligence data to keep abreast of the TTPs that threat actors are actually employing. 
  • Select a trustworthy endpoint security product with behavior-based detection and anomaly control features, like Kaspersky Endpoint Security for Business, for efficient defence against known and unknowable threats.

Threat from Cyberspace Pushing Data Budgets Up and Delaying Digital Transformation

 

A new report has revealed that the cost of data backup is rising due to the growing threat from cybercrime. This includes the requirement to guarantee the consistency and dependability of hybrid cloud data protection in order to counteract potential losses from a ransomware attack. 

More than 4,300 IT leaders were polled for the Data Protection Trends Report, and many of them claimed that there was a "availability gap" between how quickly their businesses needed a system to be recovered and how quickly IT could get it back online. This issue is serious because, according to the survey, 85% of respondents experienced a cyberattack in the previous year. 

Making sure the data protection provided by Infrastructure as a Service and Software as a Service solutions corresponds with that provided by workloads focused on data centres was one of the top priorities for IT leaders polled for the survey this year.

More than half of those surveyed in the study, which was commissioned by data protection software vendor Veeam, also mentioned a "protection gap" between the amount of data they can lose and the frequency with which IT protects it. These gaps, according to more than half of those surveyed, have led them to consider switching primary data protection providers this year.

Many of those surveyed claimed that ransomware is "winning," with cyberattacks causing the most significant outages for businesses in 2020, 2021, and 2022, despite all of these efforts to increase backup reliability and spend on cybersecurity tools. 

Hackers' increasing threat to data budgets

In the past 12 months, at least 85% of all study participants reported experiencing an attack, up from 76% the year before. Data recovery was noted as a major concern, with many claiming that only 55% of encrypted data was recoverable following a ransomware attack.

This was partially due to the increase in attacks. Due to the strain that ransomware protection and recovery put on budgets and staff, it is also harder to implement digital transformation. Resources intended for digital transformation initiatives have been diverted as IT teams must concentrate on the unstable cyber security landscape. 

According to Veeam's researchers, cyberattacks "not only drain operational budgets from ransoms to recovery efforts, but they also reduce organisations' ability to modernise for their future success, forcing them to pay for prevention and mitigation of the status quo."

With 52% of respondents already using containers and 40% of organisations planning to do so soon, Kubernetes is proving to be one of the major forces behind bettering data security strategies. Despite this, the report's authors discovered that most organisations only protect the underlying storage rather than the workloads themselves. 

The CTO and senior vice president of product strategy at Veeam, Danny Allan, stated that "IT leaders are facing a dual challenge. They are building and supporting increasingly complex hybrid environments, while the volume and sophistication of cyberattacks is increasing. This is a major concern as leaders think through how they mitigate and recover business operations from any type of disruption.”

Ransomware Gangs are Starting to Forego Encryption

 

Criminal organisations are now employing a new strategy to ensure ransomware payouts: they skip the step of encrypting target companies' systems and instead go straight to demanding the ransom payment for the company's valuable data.

Malicious hackers are constantly looking for less-flashy but still effective ways to continue their ransomware attacks as law enforcement's focus on the problem grows.

Typically, a ransomware attack begins with the installation of malware that encrypts files onto a company's networks, followed by the appearance of a ransom note on each screen.

By concentrating only on data extortion, hackers can launch their attacks more quickly and without the need for encryption tools, which can occasionally go down in the middle of an attack. 

According to Drew Schmitt, a principal threat analyst at GuidePoint Security, law enforcement is also more interested in looking into attacks that use encryption because it results in more damage.

Schmitt added that businesses that have strong endpoint security tools, firewalls, ongoing monitoring, and security plans that restrict employees' access to internal files will be the most successful at thwarting ransomware attacks.

Security leaders must know how to lessen the effects of a ransomware attack. Here are a few of our suggestions: 

  • Keep encrypted backups of your data offline and make sure that your team consistently performs backups. Additionally, your team should prioritise restoring all crucial systems and data first and routinely test backups to determine how long data restoration efforts will take. 
  • Make it a company-wide rule that no device should be used to store corporate data locally. Unlike data stored in the cloud, if a device is infected, you risk losing all locally stored data. 
  • To prevent ransomware from spreading to other network devices, immediately isolate the infected device.
  • If at all possible, determine the type of ransomware used and/or the threat actors who carried out the attack to see if a decryption key may already be in existence. Engage an external incident response provider with digital forensics capabilities to lead the charge if you lack the expertise to carry out this investigation internally. 
  • Your team should have the relevant source code or executables backed up in addition to system images (or escrowed, have a licence agreement to obtain, etc.) so that you don't lose the application code entirely if the ransomware infection affects it. 

Prosecutors Review Broward Administrators’ Action Over the Data Breach


Broward prosecutors are investigating whether the former Schools Superintendent, Robert Runcie, and two other administrators have infringed any law when they used highly guarded information about a district ransomware attack in a private business pitch. 

While the district did not share details of the ransomware attack with the public, by involving an outside PR firm to help dodge questions and evade to include internal investigation details in writings. 

Runcie and former administrators Brian Katz and Philip Dunn, on the other hand, revealed numerous previously concealed details regarding the ransomware attack in September 2021 “case study” for Safer School Solutions, which is a Fort Lauderdale company owned by Katz and Dunn. 

The report included details of how the ransomware attack hindered the operation of 2,000 servers; how the district prioritized keeping the schools open over looking after the breach; and how law enforcement asked the district to offer a ransom, but not pay it to the hackers. The report also involved the district’s response to the Parkland shooting and the pandemic. 

A few months later, an education group led by Runcie granted the company a $1 million contract to offer security services to six school districts, none of which were in Florida. 

Runcie, who resigned from his position as superintendent in August 2021, is currently facing accusations of perjury in a different case. He has been charged with lying to a statewide grand jury that investigated the school district purchases by the Attorney General's Office of Statewide Prosecution. 

Attempts to contact him by phone, email, and through his attorney remain unsuccessful. 

Broward Data Breach 

In November 2021, Broward County Public School reported that the security incident on March 7, 2021, may have resulted in unauthorized access to some of its systems, potentially containing sensitive data of some faculty, staff, and students. 

While they were initially unaware of the data being compromised, it may have taken place during the investigation in June. 

The Broward school district later announced on its website that the affected victims were being notified about the breach. About 50,000 students and employees reportedly received notifications from the district of their data being breached during the ransomware attack that happened months ago. 

The school district was secretive about the attack, which happened between Nov. 12, 2020, and March 6, 2021, for months. This was apparenly advised by the lawyers and public relation company the district hired.  

Cloud Email Services Strengthen Encryption to Ward Off Hackers

 

The use of end-to-end encryption for email and other cloud services is expanding. This comes as no surprise given that email is one of the top two cyberattack vectors. 

Mail servers made up 28% of all affected hardware, according to Verizon's annual 2022 Data Breach Investigations Report, and 35% of ransomware activities involved email. In its 2022 report, the EU Agency for Cybersecurity noted that ransomware is responsible for 10 terabytes of data theft each month, with 60% of businesses likely having paid a ransom. An updated Gartner study from 2021 found that 40% of ransomware attacks begin with email.

To address these issues, Google, Microsoft, and Proton, whose Proton Mail service was a pioneer in secure email, expanded their end-to-end encryption offerings. 

Google revealed a beta of client-side encryption services for Gmail on the web in a blog post last month. Up until January 20, 2023, customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard may apply for the beta.

The tech giant stated that client-side encryption "helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs," noting that it encrypts all data at rest and in transit in Google Workspace between its facilities. 

Moreover, it claims that Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already support client-side encryption. Users simply need to click the lock icon and choose the option for additional encryption, according to Google, in order to add client-side encryption to any message. Writing and including attachments work as expected.

Microsoft, which last updated its message encryption in 2019, declared in April of last year that updates to Windows 11 would include security patches to address phishing and malware threats. 

If so, Microsoft will probably also include end-to-end encryption since Office 365 Message Encryption currently uses Transport Layer Security encryption. Despite the fact that this service, according to the provider, enables users to encrypt and rights-protect messages intended for internal and external recipients using Office 365, non-Office 365 email applications, and web-based email services like Gmail.com and Outlook.com, it does not shield users from phishing or malware attacks as well as E2EE. 

Google's announcement came after that of Proton, a platform for encrypted cloud storage that was introduced in 2013 by CEO Andy Yen in Geneva, Switzerland. With a focus on mobile devices, the company increased its encryption offerings last fall. These new additions included secure cloud storage and a secure calendar feature, both of which have apps for iOS and Android devices. 

Users can safely upload, save, and share files to and from their phone using Proton Drive, a free encrypted cloud service that was made available in late September and made its iOS and Android debuts in December. 

The three main functions of Proton Drive are as follows:

  • Any uploaded file on the user's device is encrypted before it is stored on Proton servers. 
  • Metadata such as file and folder names, file extensions, file sizes, and thumbnails are encrypted. 
  • File expiration and viewing passwords are included, allowing for secure sharing with non-Proton users.

Proton said that since the beta launch of Proton Drive last September, with over 500,000 users participating, it has seen an average of one million files uploaded per day, roughly half of which are photos.

Additionally, it offers two paid levels of service for its encrypted drive, Drive Plus with 200GB storage for $4.99/month or $47.88/year and Proton Unlimited with 500GB for $11.99/month or $119.88/year, all of which are available to individual users.

Ransomware Attacks on U.S. Hospitals Causing Deaths

Every day we are witnessing ransomware attacks, and companies worldwide are investing millions to protect their network and systems from digital attacks, however, it is getting increasingly challenging to fight against cyber threats because cyber attackers do not only use traditional methods, they are also inventing advance technologies to fortify their attacks.

Hospitals and clinics are a top target of malicious attackers since reports suggest that the annual number of ransomware attacks against U.S. hospitals has virtually doubled from 2016 to 2021 and is likely to rise in the future given its pace, according to what JAMA Health Forum said in its recent research. 

As per the report, the security breaches exploited the sensitive information of an estimated 42 million patients. “It does seem like ransomware actors have recognized that health care is a sector that has a lot of money and they're willing to pay up to try to resume health care delivery, so it seems to be an area that they're targeting more and more,” lead researcher Hannah Neprash said. 

JAMA Health Forum conducted research over five years on U.S. medical facilities, in which they have discovered that the attackers exposed a large volume of personal health data over time and in coming years the attacks will increase by large.

According to Neprash’s database, clinics were targeted in 58% of attacks, followed by hospitals (22%), outpatient surgical centers (15%), mental health facilities (14%), and dental offices (12%). 

Threat actors exploit open security vulnerabilities by infecting a PC or a network with a phishing attack, or malicious websites and asking for a ransom to be paid. Unlike other cyber attacks, the goal of malicious actors, here, is to disrupt operations rather than to steal data. 

However, it becomes a great threat because it can jeopardize patient outcomes when health organizations are targeted. 

In 2019, a baby died during a ransomware attack at Springhill Medical Center in Mobile, Ala. As per the data, 44% of the attacks disrupted care delivery, sometimes by more than a month. 

“We found that along a number of dimensions, ransomware attacks are getting more severe. It's not a good news story. This is a scary thing for health care providers and patients,” Neprash added. 

Ponemon Institute, an information technology research group published its report in September 2021, in which they found out that one out of four healthcare delivery organizations reported that ransomware attacks are responsible for an increase in deaths. 

“Health care organizations need to think about and drill on — that is practice — these back-up processes and systems, the old-school ways of getting out information and communicating with each other. Unfortunately, that cyber event will happen at one point or another and it will be chaos unless there is a plan,” said Lee Kim, senior principal of cybersecurity and privacy with the Healthcare Information and Management Systems Society, in Chicago.

Why Must Businesses be Equipped With Modern Ransomware Capabilities?


The most contemporary threat to the survival of businesses may be the "if, not when" approach surrounding ransomware. Ransomware attacks are increasingly prevalent targets for businesses of all sizes and in all sectors, and we know that 94% of enterprises had a cybersecurity issue just last year.

However, several companies still operate with archaic security measures that are incompetent in combating modern ransomware. 

It has been falsely believed that ransomware attacks are declining. In reality, Q1 of 2022 reported a 200% YoY hike in ransomware activities. Moreover, the increase in Ransomware as a Service (RaaS) offerings indicates that ransomware attacks have in fact turned into a commodity for threat actors. 

Ransomware as a Service 

The RaaS market opens a new and challenging trend for organizations and IT experts. 

With RaaS – a subscription ransomware model that charges affiliates for setting up malware – the access barriers for hackers are lower than ever. 

The unsophisticated nature of RaaS hackers is the reason why the average downtime has decreased to just 3.85 days (as compared to the average attack duration of two months in the year 2019). 

While the decrease in attack downtime sounds promising, the emergence of RaaS still indicates a fact for the business leaders, i.e. all organizations are vulnerable. Consequently, demanding the role of IT and business experts to combat the risk by implementing robust cybersecurity protocols. 

The need for the aforementioned action could be estimated by reviewing the ransomware attack cases that organizations have witnessed in recent times. 

Bernalillo County’s Ransomware Breach 

In January 2022, threat actors breached data centers in Bernalillo County, New Mexico. The largest detention facility in the county's automatic locking systems and security cameras were among the critical infrastructure disruptions that continued for several days. 

Months after subverting the ransomware agents, Bernalillo County officials finally implemented a stronger cybersecurity strategy that included endpoint detection and response (EDR) systems, multi-factor authentication (MFA) on all employee accounts, 24/7 security monitoring, and new virus-scanning software. 

Bernalillo County’s Ransomware Breach has taught security experts several lessons. The incident highlights how ransomware can cause non-financial harm to persons and businesses. Since, residents of Bernalillo County suffered severe service interruptions during the incident, while county convicts were confined to their cells for several days. 

The incident also emphasized the importance of rapid response to such situations. Cybersecurity measures such as MFA, remote monitoring, and EDR work wonders in preventing ransomware attacks, but only if implemented before the cyberattack. 

Unfortunately, a lot of business executives still hold off on putting strong cybersecurity policies in place. As a result, ultimately and inevitably, their organizations end up suffering like the residents of Bernalillo County. 

Prioritizing a Robust Security Strategy is Crucial 

Organizations must not compromise in implementing security protocols and services. In order to boost the effectiveness of cybersecurity, business and IT leaders are suggested to have access to the same evolving AI and machine learning capabilities that are utilized by modern hackers. 

An adequate tactile protection plan usually requires a third-party vendor in order to provide security insights or monitoring capabilities. However, business and IT leaders only consider Ransomware Protection as a Service (RPaaS) solutions that provide adaptive tactics for cloud-based, on-premises, and hybrid data centers. Doing so will eventually ensure the organization’s cybersecurity package scales as it grows—or, in some instances, shrink —without the need for extra software. 

Preparing For “When,” And Not “If” 

The first step to combat a ransomware threat is by accepting that any organization, big or small, could be a target sooner or later. This realization will eventually become more crucial in combatting the attacks, as one witnesses a constant rise in casual ransomware attacks via RaaS, and as international conflicts have further increased the chances of large-scale breaches and ransomware attacks. 

Although one cannot entirely evade ransomware attacks, breaches could still be dodged by taking cybersecurity measures such as a robust cyber defense, that will consequently secure an organization from any financial loss or a mission-critical service outage.  

Hacking Group Takes Down "Antwerp" from Website

 

The City of Antwerp is no longer listed as one of the organizations that the hacker group Play has compromised on its website. Uncertainty surrounds the meaning of this. Geert Baudewijns, a cyber security specialist, asserts that it's possible that either talk between the hackers and the City of Antwerp is in progress or that there is already a deal in place, in which case a ransom payment may have been made. 

A week and a half ago, the City of Antwerp was the target of a significant cyber-attack, which has since caused the suspension of several of the city's public services. A City Hall position is not often easy to get, and the hacking impacts libraries, museums, and schools. 

The Play hacker collective claimed responsibility for the hacking of its website on the so-called "dark web" not long after the City of Antwerp's websites were compromised. The city officials had until Monday, December 19 to comply with the collective's ransom demand. 

If not, the gang threatens to upload more than 500 gigabytes of information on the city and its residents, including all personal information, to the internet. 

Negotiation or ransomware? 

Only two possible explanations exist for the city's disappearance from the Play website. Geert Baudewijns of Secutec, a cyber-security specialist, told VRT News, a local media outlet, "Either the talks are proceeding apace. or the city has made the payment. Despite the fact that I am not taking part in the negotiations, I can speak from negotiation experience." 

"A firm may occasionally be required to pay a ransom equal to up to 10% of its annual revenue." For municipal or city officials, however, things may be very different. I am unable to remark on that.

According to Tim Verheyden of VRT NWS, Play is well-known in the hacker community. They were in charge of significant cyberattacks against the United States, Canada, Bulgaria, Switzerland, and now the City of Antwerp. The reason it is no longer visible on Play's website has not yet been addressed by the City of Antwerp.

Cybereason Issues a Warning on a Rapid Growth of Royal Ransomware

 

The Royal Ransomware Group has emerged, and Cybereason, the XDR company, today released a new worldwide danger notice alerting public and private sector companies about the group's use of distinctive tactics, strategies, and procedures in attacks to elude detection. Due to the fact that hackers target weak enterprises around the holidays and on the weekends, businesses should be extremely vigilant against ransomware assaults. 

Since its initial appearance this year, the Royal Ransomware Group has attacked scores of companies all around the world. The group appears to be run by the Conti Group and other well-known ransomware organizations. Organizations should take precautions to prevent being victims because the threat level from Royal attacks is “HIGH.” 

Important report findings 

Unusual method of dodging anti-ransomware defenses: Royal ransomware extends the idea of partial encryption by having the capacity to encrypt a specific piece of the file content and basing it on configurable percentage encryption, making detection by anti-ransomware solutions more difficult. 

Ransomware that uses multiple threads: Royal ransomware uses several threads to hasten the encryption process. 

Global ransomware operation: The Royal ransomware purportedly runs independently and globally. The gang doesn't seem to target a particular industry or nation or utilize ransomware-as-a-service. 

High Severity: Given the sharp rise in attacks from this group over the previous 60–90 days, Cybereason rates the threat level from Royal Ransomware as HIGH. 

Mitigation Tips 

Maintain excellent security hygiene by, for instance, implementing a programme for staff security awareness and making sure operating systems and other software are routinely patched and updated. 

Verify that important players can be reached whenever needed: Attacks that happen over holidays and weekends may cause critical reaction activities to be delayed. 

Conduct routine drills and exercises on a table: Include important stakeholders from other departments outside security, such as Legal, HR, IT, and senior executives, so that everyone is aware of their duties and responsibilities and can react as quickly as possible.

Implementing unambiguous isolation procedures will block any more network intrusions and stop ransomware from spreading to other systems. The ability to disconnect a host, lock down a hacked account, and block a malicious domain are all skills that security teams should have. 

When feasible, think about locking down important accounts: Attackers frequently raise access to the admin domain level before deploying ransomware to spread the malware throughout a network. In the active directory, teams should set up highly secure, emergency-only accounts that are only used when other operational accounts are momentarily disabled as a precaution or rendered inaccessible due to a ransomware assault. 

Install EDR on every endpoint: The fastest method for both public and private sector enterprises to combat the ransomware plague continues to be endpoint detection and response (EDR).

LockBit Latest Variant LockBit 3.0, With BlackMatter Capabilities

 

Healthcare sectors' cybersecurity intelligence has been requested to review the IOCs and has also been recommended to take proactive steps to fight against BlackCat and LockBit 3.0 ransomware variants which are rampantly targeting healthcare sectors. 

On 2nd December the Department of Health and Human Services Cybersecurity Coordination Center published two new research analyst notes in which it explained and issued alerts against four ransomware   namely Venus, Hive, Lorenz, and Royal.

Dat from the past attacks suggest that well-practiced, properly prepared plans and a clear understanding of the attack are crucial to setting up a successful ransomware response. For the BlackCat and LockBit 3.0 threats in particular; it is highly recommended that the healthcare sector's response against such attacks should be planned and proactive. 

“BlackCat can also clear the Recycle Bit, connect to a Microsoft cluster and scan for network devices. It also uses the Windows Restart,” according to the issued alert. 

As per the data, healthcare is among one of the  most targeted industries, for example, the pharmaceutical sector, which is constantly targeted by hackers. HC3 believes BlackCat will continue to exploit healthcare department in the foreseeable future. 

The sector is urged to take the “threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.” 

Historically, LockBit targeted the RaaS model and entities for higher ransoms and leveraged double extortion tactics. The most recent version of LockBit 3.0 comes with advanced extortion tactics and utilised a triple extortion model which asks the victim to pay for their sensitive information. 

“Once on the network, the ransomware attempts to download command and control (C2) tools such as Cobalt Strike, Metasploit, and Mimikatz, encrypted files can only be unlocked with LockBit’s decryption tool,” according to the alert. 

While the group has been targeting health sectors worldwide, the U.S. and its healthcare sectors have been victimized deliberately by the group. HC3 asked the organizations to review the provided IOCs and recommended security measures to prevent further attacks.

Microsoft Warns Businesses to Enhance their Security Standards

 

Tech giant Microsoft warned organizations to patch their security flaws in order to stay safe from some of the worst security threats. 

Tech giant Microsoft, in its latest Digital Defence Report of 2022, has warned organizations to patch their security vulnerabilities in order to stay safe from some of the worst threats around right now. 

Microsoft in its 114-page Digital Defense Report highlighted alarming statistics on threats such as identity theft, ransomware, and phishing attempts that the organization has faced over the last year. 

Security loopholes 

According to the data, 99% of all ransomware attacks employ “OS-built tools” to try to tamper with existing protection and backup solutions. 

Microsoft also identified that passwords and other critical account data are still being utilized in ransomware attacks. In 75% of attacks, “acquired elevated compromised user accounts” were used to propagate malicious payloads. In the same proportion, attempts that exploited admin tools were successful. 

In a section titled “Cyber Resilience”, Microsoft asserts that all of the attacks that it recorded employed siphoned credentials, and recommended employing multi-factor authentication (MFA) and other measures to safeguard data. Switching to new credential techniques might bring its own security challenges issues. 

The MDDR discusses “MFA fatigue”. Here, hackers with no access to a system persistently make account access requests and rely on legitimate account holders to get frustrated and accept the request. 

According to the tech giant, this can be countered via the adoption of authenticator applications that don’t rely on alerts but instead employ temporary codes delivered within the app. Free alternatives to traditional two-factor authentication methods include Microsoft Authenticator, Google Authenticator, and Twilio’s Authy. 

Zero Trust Technique 

Additionally, Microsoft promotes the Zero Trust security model in this year’s MDDR. In what is becoming an industry-wide norm, “zero trust” environments work on the assumption that every employee might be a security threat. Beyond MFA, the company outlines other strong 

Zero Trust practices such as verifying users and devices before allowing access to resources, giving that access the minimum level of privilege required, and always assuming that systems have been breached, necessitating constant monitoring for attacks. 

The MDDR claims that “basic security hygiene” protects against 98% of all attacks, so while Zero Trust is inconvenient, it is absolutely necessary for organizations in the modern age to survive. 

Microsoft recommends throughout the MDDR that businesses can use multiple of its products into their tech stack to guard against and counter threats, including Security Service Line for assistance during a ransomware attack and Microsoft Defender for Endpoint for cloud-based protection.

Ransomware Crimes: More Than $1 Billion Netted in 2021


Cybercrime victims shelled out a record $1.2 billion, in order to have their data returned last year for ransomware attacks have significantly increased in size and intensity, as per the latest released federal data. 

According to a report by Financial Crimes Enforcement Network (FinCEN), banks processed over a billion dollars in transactions last year that were assumingly ransomware payments. The report concluded that this amount is more than double the amount of money from 2020. The top five highest-paid ransomware incidents all involved attackers with connections to Russia, FinCEN added.
 
The report “reminds us that ransomware- including attacks perpetrated by Russia-linked actors – remains a serious threat to our nation and economic security,” says Himamauli Das, FinCEN’s acting director, in a statement given this week. 

Ransomware is a kind of malware that allows hackers access to its victims’ digital devices, restricting the owner of their own files and data. Consequently, the hacker threatens victims, demanding a ransom payment from them, in order for them to restore access to the files. 

FinCEN, established in the year 1990, is an arm of the U.S. Department of Treasury. It is in charge of tracking international money laundering, terrorist financing, and other financial crimes. 

According to a report by FinCEN, hackers initially targeted people with ransomware attacks, but later advanced to targeting company giants and demanding bigger ransom payouts. In the year 2019, hackers created variations of ransomware attackers, namely ‘double extortion’, where they restrict owners to access their files and threaten to leak personal/ humiliating data to the public – if the demands are not met. 

The year 2021 witnessed some of the biggest ransomware attacks on record, aimed at large companies and nonprofits. A Russian hacking group, for example, attacked the Colonial Pipelines, one of the largest pipelines in the U.S. in May 2021. The company later paid the ransom amount of $4.3 million in order to retrieve its stolen data. However, the federal authorities eventually recovered at least $2.3 million of the paid ransom. Additionally, hackers also attacked organizations like Planned Parenthood, Sinclair Broadcasting, Shutterfly, and payroll processing company Kronos last year. 

According to FinCEN, organizations reported 1,489 ransomware assaults in total in 2021, up 188% from the year 2020. 

More recently, a ransomware attack last May marked the last straw for Lincoln College, a historically Black College in rural central Illinois that opened in 1865. The school gave hackers a $100,000 ransom, a payout that compounded financial troubles caused by plummeting enrollment in recent years. The 157-year-old institution shuttered in May. 

Ransomware attacks have recently increased in frequency, with the growing remote work and e-learning, and with educational institutions becoming more prone to the attacks. 

In regards to the ongoing ransomware attacks, the Biden administration this week conducted a two-day summit, attended by around three dozen nations, the European Union, and a number of private-sector organizations, in order to find the best ways to combat the attacks. 

U.S. President Biden as well signed a new law, earlier this year, that requires owners of factories, banks, nuclear reactors, and other critical infrastructure operations to report when (or if) their computer systems or servers are attacked by ransomware. However, reporting is currently optional for the ransom victims, making it difficult to calculate full impact of the crime.  

Azov Ransomware Tries to Frame Cybersecurity Researchers

 

Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, in an attempt to frame security researchers by claiming they are behind the attack. 

The ransom note, named RESTORE_FILES.txt, appears to be politically motivated to push western nations into assisting Ukraine in their war against Russia and claims to have encrypted the file in protest of the seizure of Crimea. 

The note falsely claims on Twitter that security researcher Hasherazade designed the data wiper, with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams, MalwareHunterTeam and also asks victims to contact the researchers for the recovery of the files. 

According to Lawrence Abrams of BleepingComputer, none of the researchers mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the data wiper. 

Furthermore, the note does not include any contact details for the original author meaning there’s currently no way of retrieving from an Azov infection and hence the ransomware should be treated as a data wiper for the moment. 

 Modus operandi of Azov wiper

In a new campaign started over the past two days, a hacker reportedly purchased installs via the SmokeLoader malware botnet, normally propagated through websites offering pirated content including game mods, cheats, and key generators, to deliver the data wiper. 

Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer info-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files, Bleeping Computer reported. 

To mitigate the risks, users should immediately change the passwords on their online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.

Initials Access Brokers are Playing Major Role in Data Breaches

 

As the cybercrime ecosystem continues to expand in Australia, the job of security professionals has also come under scrutiny. In the past month, alone seven major Australian enterprises including Optus, Medibank, and Woolworths have suffered data breaches. 

According to the latest Recorded Future intelligence report, the rise of initial access brokers (IABs) has led to increasing data breaches. IABs employ several multiple tools, techniques, and procedures (TTPs) to achieve initial access to the targeted network. 

IABs modus operandi 

IABs often launch the first stage of a ransomware attack and then sell this access to other hackers who deploy the ransomware to paralyze the victim’s computer system. 

IABs are primarily active on top-tier Russian-language platforms like Exploit, XSS, and RAMP, and typically operate using multiple languages and online pseudonyms to bypass detection. The advertising on underground forums includes a series of important details that hackers will need to select their next victim. These include victim country, annual revenue, industry, type of access, rights, data to be exfiltrated, devices on the local network, and pricing. 

While many ransomware affiliates are happy to negotiate publicly, with IABs advertising on these forums, others are thought to work directly and secretly with a pre-selected group of access brokers. Either way, the advantage of working alongside IABs is clearly to accelerate their campaigns. 

According to the latest research conducted by KELA, IABs sell initial access for $4600, and sales take between one and three days to finalize. Once access has been purchased, it takes up to a month for a ransomware attack to take place -- and potentially for the victim to be subsequently named on a leak site. The average price for access was around USD 2800 and the median price - USD 1350.

How to counter the threat 

Fortunately, there are multiple things businesses can do to mitigate the threat, not only of initial info-stealing attacks but also the ransomware that follows. 

Organizations should train employees to recognize and neutralize social engineering attacks. When it comes to ransomware, maintain offline backups of sensitive data, segment networks to contain an attack’s blast radius, and apply two-factor authentication everywhere. Continuous monitoring and robust threat intelligence will also provide a useful early warning system. 

Most importantly, the right defensive posture can help organizations to regain the initiative and put enough roadblocks in the way that their adversaries give up and move on to the next target.

Ransomware Attacks Continue Targeting U.S. Industrial Organizations

 

Industrial sectors have been facing a hard hit by ransomware gangs in recent years, with manufacturing companies being exposed to a higher risk. U.S organisations have particularly succumbed to cyberattacks as they experience large spikes. 
 
According to the industrial cybersecurity firm Dragos, 25 of the 48 threat groups known to target industrial organizations and infrastructure were active in the third quarter of 2022. Several new ransomware groups including Sparta Blog, Bianlian, Donuts, Onyx, and Yanluowang are among those on the list. 
 
As per Dragos Q3 analysis regarding the ransomware attacks on industrial organizations, North America was the site of 36% of all reported cases worldwide, with 46 incidents being reported. This represents a significant 10% increase from the previous quarter when the region was hit by 25% of cases. 
 
On the other hand, the analysis also detected that the rate of attacks at a global level remained flat quarter over quarter, with 128 incidents for Q3 vs 125 in Q2. 
 
Most of the observed attacks were targeted at the manufacturing sectors, totaling 68%. Out of the confirmed attacks (those publicly reported, seen in the firm's telemetry, or confirmed on the Dark Web), 88 were against the manufacturing segments, especially those producing metal products, which experienced a total of 12 attacks. 
 
As indicated by Stephen Banda, senior manager of security solutions of Lookout, the manufacturing sector is developing at a swift pace, digitizing manufacturing, inventory tracking, operations, and maintenance increase agility and efficiency, with less production downtime and greater nimbleness. However, it also opens up new attack surfaces for threat actors. 
 
“To remain competitive, manufacturers are investing in intellectual property and new technologies like digital twins […] In short, manufacturers are transforming the way they produce and deliver goods – moving toward industrial automation and the flexible factory. This transformation, known as Industry 4.0, puts pressure on mobile devices and cloud solutions.” States Stephen Banda to Dark Reading. Yet for most manufacturers, security solutions still remain on-premises, he adds. 
 
“This creates efficacy and scalability challenges when tasked with protecting productivity solutions that have moved to the cloud[…]Security therefore must also move to the cloud to adequately safeguard manufacturing operations,” notes the Lookout senior manager.

Ransomware Attacks Target Government Agencies in Latin America

Federal government agencies in Latin America were targeted in several ransomware attacks in the past months, the latest targets of the attack being Chile and the Dominican Republic. 

Following the escalation of cyber attacks, the Recorded future studied the attacks on Latin governments from January 2022 until May 2022. In this study, they examined vulnerabilities, attack vectors, and indicators of compromise (IOCs). 

It was uncovered that the most advanced ransomware groups are targeting Latin federal agencies; the team of researchers highlighted the poor security measures against cybersecurity threats in the region. 

Chile’s Ministry of Interior reported last week that the department has been hit by ransomware that targeted Windows and VMware ESXi servers. As a result of the attack, online services and their functions were disrupted. The ransomware encrypted files on compromised systems and renamed them with the extension .crypt. 

Chilean government released public press on the attack and made public some indicators of compromise (IoC) hence the team of cyber analysis believes that the recent attack involved the relatively new RedAlert ransomware, which is also known as N13V. 

RedAlert ransomware uses double extortion, encrypting the victim’s files and threatening to publicize the stolen data from its systems unless a ransom is paid. RedAlert’s Tor-based leak website did not report or write anything on the Chilean government agency at the time of writing. 

Several government agencies in the Dominican Republic were also attacked by ransomware recently. The country’s national cybersecurity center notified on August 24 that the Ministry of Agriculture’s Dominican Agrarian Institute (IAD) was attacked. However, the team highlighted that the government does not plan to pay a ransom. 

“We identified several government entities in Latin America (LATAM) that have been affected by ransomware attacks, likely involving Russian or Russian-speaking threat actors, beginning on or around April 2022. Countries affected include Costa Rica, Peru, Mexico, Ecuador, Brazil, and Argentina, among others, all of which have publicly condemned Russia for invading Ukraine at the United Nations General Assembly (UNGA). Some of these countries also voted to suspend Russia from the United Nations Human Rights Council (UNHRC) in early April 2022”, the Recorded Future said.

Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.

Analyzing the New Black Basta Ransomware

 

Black Basta, a new ransomware group has been highly active since April 2022 and has already breached a dozen companies worldwide. The list of victims includes the American Dental Association and German wind turbine giant Deutsche Windtechnik. 

Modus operandi of Black Basta 

While Black Basta assaults are relatively new, some information on their methodology has been made public. The data encryptor employed by ransomware requires administrator privileges to execute, otherwise, it is harmless. 

To launch the encryption executable, the ransomware targets a legitimate Windows service. After execution, the ransomware erases shadow copies from the compromised system using vssadmin.exe. This action removes the Windows backup so that after encryption victim cannot revert the system to its previous state. 

Subsequently, Black Basta drops two files: dlaksjdoiwq.jpg and fkdjsadasd.ico in the user Temp folder. The second file is a custom icon for all files with the “.basta” extension. The icon is assigned by designing and setting a new registry key “HKEY_CLASSES_ROOT\.basta\DefaultIcon”. 

The persistence technique of the Black Basta ransomware is executed by “stealing” an existing service name, deleting the service, and then creating a new service named ‘FAX. Before the encryption routine begins, the ransomware checks the boot options using GetSystemMetrics() API and then adds HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax entry in the registry to start the FAX service in safe mode. 

After completing all the customizations, the ransomware sets up the operating system to boot in safe mode using bcedit.exechecks. Due to the reboot mode change, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption. 

 Methodologies Identical to Conti group 

Researchers at MalwareHunterTeam attribute the Black Basta ransomware to the team behind Conti ransomware. This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. 

Lawrence Abrams of BleepingComputer also mentioned that the threat actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity. 

To prevent Black Basta ransomware from further encryptions, it must be eliminated from the operating system. Unfortunately, removal will not restore already compromised data. The sole solution is recovering it from a backup if one was created beforehand and is stored elsewhere. 

Additionally, to avoid permanent data loss, researchers recommend keeping backups in multiple different locations (e.g., remote servers, unplugged storage devices, etc.

PYSA Ransomware Group: Experts Share In-Depth Details

 

Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

US Health Provider LEHB Hit by Ransomware Attack, Network Compromised

Law Enforcement Health Benefits (LEHB), health and welfare funds for Philadelphia police offers, sheriffs, and county detectives, disclosed that the company was hit by a ransomware attack in 2021. "The Conti ransomware group has been responsible for a large number of these incidents, successfully attacking at least 16 US healthcare organizations and first responder networks during the year – as well as Ireland’s Health Service Executive and Department of Health," writes The Daily Swig. 

According to LEHB, attackers started coding files stored in the company network on 14 September 2021. An inquiry into the issue revealed that on Friday 25th, 'few affected files' containing members' data might have been excluded from the network by threat actors. Suspicious access to the US Department of Health and Human Services (HSS) breach portal hints that more than 85,000 users from LEHB may have been impacted by the incident. The compromised data includes names, DoBs, Social Security numbers, driving license info, bank account numbers, and health information. 

However, every LEHB member wasn't affected, and the data elements mentioned above were also not the same for every member. LEHB denies any case of identity theft or abuse of compromised data from the ransomware hit. However, the incident impacted members and offered credit monitoring services to those whose Social Security numbers might have been used. The health plan provider suggests its members set up 'fraud alerts' and security freezes on credit files, and ask for a free credit report. 

Cyber attack incidents are getting sophisticated as each day passes, resulting in LEHB implementing extra precautionary steps to protect its network and enhance internal procedures to detect and mitigate future cybersecurity threats. LEHB is assessing and updating its company policies and procedures to reduce the chances of ransomware incidents in the future. 

The Daily Swig reports "the healthcare sector has been particularly hard hit by ransomware since the start of the Covid-19 pandemic, with the FBI’s 2021 Internet Crime Report revealing earlier this month that of all critical infrastructure sectors, it was healthcare that faced the most ransomware attacks last year."