PC PORTAL

Experienced. Trusted. Solutions.

IT Security

By

We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.

“It is a nightmare. Do all you can to prevent ransomware.”
 – A survey respondent

Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.

By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.

Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.

Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.

But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.

Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.

Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.

Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.

KEY FINDINGS

  • 50% of ransomware demands were more than $50k
  • 40% of ransomware attacks consumed 8 or more man-hours of work
  • 46% of businesses said their clients were also impacted by the attack
  • 38% of businesses said the attack harmed their brand or reputation
  • 45% were ransomware victims in both their business and personal lives
  • 50% of victims were deceived by a malicious website email link or attachment
  • 45% of victims were unaware of the infection for more than 24 hours
  • 17% of victims were unable to recover their data, even after paying the ransom
Download the eBook

The post We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said. appeared first on Webroot Blog.

By

Why SMBs are Under Attack by Ransomware

Ransomware attacks generate big headlines when the targets are government entities, universities and healthcare organizations. But there’s one increasingly frequent target of ransomware attacks that tends to slip under the radar. Small and midsize businesses (SMBs) have become bigger financial targets for hackers. As Webroot Senior Threat Researcher Kelvin Murray points out in a recent Hacker Files podcast, the SMB sector has become a cash cow for cybercriminals. According to Murray, there are more SMB targets than criminals have time to target, mostly due to inadequate security among SMBs.

Listen to the full episode of the Hacker Files podcast hosted by Joe Panettieri here.

It’s also become far easier for anyone with malign intentions but lacking coding skills to launch attacks. Murray cites the availability of ransomware kits on the dark web that anyone can download and figure out how to launch. Going by the name Ransomware as a Service, these kits reduce the sophistication required for perpetrators to target SMBs and collect hefty ransom payments.

Business email compromise (BEC) is also on the rise. In BEC attacks the perpetrator, pretending to be a colleague or vendor, contacts you under the pretense of requesting payment or disbursement for a seemingly legitimate business purpose. Businesses easily fall for these scams because, with so many invoices and payments occurring on a daily basis, it’s easy to slip a fake one in.

All of this malicious activity points to the need for a layered approach to cybersecurity. This includes essential security measures like firewalls, endpoint protection and DNS protection. And, since even firewalls can be circumvented, it means keeping backups of all business data so you never have to pay a ransom to get your data back.

Attacks like BEC are less about malware and more about manipulating people. This is why security awareness training with phishing simulations are increasingly important. Murray emphasizes that security awareness training is necessary due to the increasing popularity of remote working. While the corporate office is usually equipped with firewalls, DNS protection, corporate logins and security guards at the front door, now that everybody’s working from home, all of those things are absent. In their place you have faulty routers, dodgy setups, people sharing houses with other people and maybe even sharing PCs.

You can listen to the full Hacker Files podcast hosted by Joe Panettieri here.

The post Why SMBs are Under Attack by Ransomware appeared first on Webroot Blog.

By

Is the Value of Bitcoin Tied to Ransomware Rates?

With investors currently bullish on Bitcoin, is its high value is driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?

At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, a crash is widely expected to accompany the current bubble, perhaps before the end of 2021. The reason for this volatility is at least partly attributed to an event known as “the halvening,” where the reward generating supply of the cryptocurrency is cut in half, simultaneously increasing demand.

At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a growth rate of 171 percent in ransoms paid between 2019 and 2020, with the average cost now over $312 thousand. The steepest ransom doubled between 2015 and 2020, from $15 million to $30 million.

An iron law?

So, is it fair to argue that the two trends positively correlated? When the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.

For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.

“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”

As could be expected with such a volatile asset, these swings sometimes happen quickly. Like when ransomware actors had Baltimore’s public schools between a rock and hard place with WannaCry. The price of Bitcoin had crashed in 2018, but as the ransom demand was on the desk of the city the price surged, sending the total value of the ransom up with it.

In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.

“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”

A more direct relationship

Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.

“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.

Browser-based cryptojacking uses scripts injected into the webserver, usually by exploiting an unpatched server or capitalizing on an out-of-date WordPress plugin, etc. Then any browser that visits that webpage will mine cryptocurrency using the viewers browser. This attack skyrocketed from its inception in 2017 into 2018.

A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.

“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.

In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.

Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”

Executable-based cryptojacking is when criminals leverage a breach on a machine, whether through phishing, exploits, RDP, and then drop a payload that on execution will use the machines resources to mine crypto. This attack was around before browser-based scripts and is still alive today. In fact, it’s the tactic seeing the most growth during cryptocurrency bull markets.

Monero, a favored cryptocurrency for miners based on its efficiency using consumer-grade devices, witnessed a rebound during this period. Over the course of 2020 and into 2021, the value rose from around $50 to around $250, perhaps explaining why Webroot found 8.9 million cryptojacking scripts in use in 2020.

In summary, both of these crypto-generating schemes require patience from their perpatraitors. When ransomware actors land a big payment from an extorted business, they may be forced to wait out market forces to maximize their earnings. For cryptojackers, profits trickle in over time. First they must determine whether they’re worth the effort and if they too want to play the long game with their take.

The post Is the Value of Bitcoin Tied to Ransomware Rates? appeared first on Webroot Blog.

By

This World Backup Day, Our Customers Do the Talking

“I solemnly swear to back up my important documents and precious memories on March 31st.”

Are you taking the pledge this World Backup Day? Now in its tenth year, World Backup Day remains one of our favorite reminders of the risks of not backing up the data we hold dear.

According to the World Backup Day site, “This independent initiative to raise awareness about backups and data preservation started out — like most good things on the internet – on reddit by a couple of concerned users.”

The day goes beyond reminding businesses and private citizens of what they stand to lose due to device theft, hardware failure and other common forms of data loss. It’s a reminder that more and more of our culture is digital, and some of our greatest achievements reside online. Without them, we risk losing a piece of the very greatness of our civilization. (It’s a lot easier to come to work every day in support of the Carbonite mission when you put it like that.)

Here are some of the threats we’ve recently faced online:

  • 121 million ransomware attacks in the first half of 2020 alone, up 20 percent over 20191
  • Eighty-nine percent of businesses claim to have been targeted by COVID-19-related malware in 20202
  • Phishing attacks claiming to be companies like Netflix, HBO and YouTube skyrocketed early in the pandemic3

Numbers are great, and necessary for showing the scope of the problem, but I wanted to see how data loss—and backups—affect real people. So I reached out to our community for stories about times when backup saved their backsides. Here’s what they had to say.

“In the past six weeks we have had two clients hit with ransomware. We have been able to use our backups to bring up server live environments within 45 minutes and it has saved a lot of time and data.” —David H.

“We managed IT for a remote office of a national law firm. The senior partner worked out of our office, and we had a contract to back up all client data firm-wide, as we felt there were numerous vulnerabilities in their system. One morning at 7 a.m., the server RAID array died, and not only were none of the drives recoverable but their tape backup also had not been working properly for at least six months. After the first few hours of them discovering all the things that did not work, I reminded the partner that we had been backing up their data and had a full, clean back up from six hours before the crash. Our extra backup saved the day!” —David Y.

“Backups saved us from a ransomware attack. We were able to isolate the server with the infected machine and restore our files from a local backup. Total downtime was less than 30 hours.” —PJ

“I have been saved from losing both personal and business data more than once!”—Vasilis

“I was able to use a backup to restore all my client’s data after a ransomware attack. Needless to say, they were very happy!”—Nathan

“We are extremely lucky in the fact that we haven’t had any cyberattacks. We did have an issue when our sever failed, and backup basically saved us.”—Simon

“Having good off-site backups enabled recovery from a large fire which rendered on-site backups useless.”—Warren

“We came in one day to find the office doors busted down and the computers raided. They left the cashbox alone, just stole RAM and hard drives. We were encrypting the hard drives, so we didn’t lose any data to the wild as the encryption couldn’t be cracked. But we were back up and running within two hours from backups alone.” —Sharif

Hardware failure, natural disasters, ransomware, device theft, file corruption—it’s not surprising that all of the most common forms of data loss surfaced when we reached out to our users. Don’t fall victim to them!

Back up your data this March 31 to keep from feeling like a fool come April.

Sources:
1 SonicWall Capture Labs
2 VMware/Carbon Black Global Threat Report June 2020
3 Webroot RTAP

The post This World Backup Day, Our Customers Do the Talking appeared first on Webroot Blog.

By

A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks

Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.

We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.

In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.

A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server thus preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.

This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files, or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious. Examples include elevating privileges, moving laterally, or trying to establish outbound communications to name a few.

In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.

Remote work threatens defense in depth

Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.

Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.

Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.

DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.   

The “next one” will look different

Focusing solely on how the SolarWinds attack is not the key to preventing future breaches. The next large supply chain attack will likely look very different than the SolarWinds attack. In fact, other than the infamous CC Cleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.

But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.

Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.

The post A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks appeared first on Webroot Blog.