PC PORTAL

Experienced. Trusted. Solutions.

ransomware

By

Cyber News Rundown: COVID-related Attacks Target Canadian Companies

Reading Time: ~ 2 min.

New Jersey Hospital Pays Massive Ransom

Officials have decided to pay roughly $670,000 in ransom following a ransomware attack on the University Hospital in New Jersey. The hospital was likely forced into this decision after being unable to restore from backups the 240GB of data stolen in the attack on their systems. It’s not entirely clear what information was stolen, but given the haste of payment it was likely highly sensitive patient data.

COVID-Related Cyberattacks Target Canadian Companies

A recent survey revealed that over 25% of all Canadian business organizations had been targeted by a COVID-19-themed cyberattack since the beginning of the year. Most of the organizations surveyed also reported seeing a significant rise in overall cyberattacks since the pandemic began. Worrisome findings also revealed that 38% of organizations surveyed were unsure if they had fallen victim to any type of cyberattack, which could mean the amount of customer information for sale on black markets could be significantly higher.

Boom! Mobile Website Compromised

Customer data has been compromised for users of the Boom! Mobile website, which was infiltrated by malicious JavaScript. It’s still unclear how the unauthorized code got onto the site or how long was active. Officials for the mobile company have confirmed they do not store payment card data and that no Boom! Mobile accounts were compromised.

Major Ransomware Attacks Increase Through Q3

Researchers have reported a massive increase in ransomware attacks in Q3 of 2020, with the Maze group being responsible for 12% of all attacks. They also reported that Ryuk ransomware variants were responsible for an average of 20 attacks per week. With the ongoing neglect of cybersecurity in major corporations, ransomware attacks will likely continue as long as their authors find them profitable.

Chicago Food Delivery Service Stricken with Data Breach

Nearly 800,000 customer records were compromised following a data breach at ChowBus, a Chicago-based food delivery service. With roughly 440,000 unique email addresses exposed, many individuals are now more susceptible to additional phishing attacks or identity theft. Fortunately, however, ChowBus does not store payment card information on its site.

The post Cyber News Rundown: COVID-related Attacks Target Canadian Companies appeared first on Webroot Blog.

By

Cyber News Rundown: Ryuk Wreaks Healthcare Havoc

Reading Time: ~ 2 min.

Ryuk Shuts Down Universal Health Services

Computer systems for all 400 Universal Health Services facilities around the globe have reportedly been shut down following an attack by the Ryuk ransomware group. Ryuk is known for targeting large organizations, but the healthcare industry has been gaining popularity among these groups due to high volumes of sensitive information and typically low levels of security. It’s unknown if the healthcare firm has paid ransoms for the encrypted data or if they are restoring systems from available backups.

Global Insurance Firm Targeted by Ransomware

The Fortune 500 insurance firm AJG was forced to take several computer systems offline over the weekend after identifying a cyber-attack. It’s still unclear which ransomware variant was responsible for the attack and officials with the firm haven’t revealed if customer or employee information was stolen. Third-party researchers confirmed multiple AJG servers, unpatched for a serious vulnerability, could have been the entry point for the attack.

French Shipping Company Knocked Offline by Ransomware

All computer systems and websites belonging to CMA CGM, a French shipping giant, were knocked offline by a crippling ransomware attack. This attack on CMA CGM makes them the fourth international shipping company to fall victim to a cyberattack, which have proven profitable, in as many years. The company has verified that the Ragnar Locker ransomware group was behind the attack, though they have not revealed the ransom asked.

Cyber Attack Forces Swatch to Disconnect Online Services

Though not confirmed by Swatch, the Swiss watchmaker was reportedly forced to take many of their systems offline after likely falling victim to a ransomware attack. While the company did not verify the type of attack, ransomware’s prevalence this year makes it a likely culprit. Swatch has announced they plan to seek legal action against the attackers.

DDoS Attacks See Substantial Rise in 2020

There were over 4.8 million DDoS attacks during the first half of 2020, a 15% rise over the same period last year. May alone saw more than 900,000 DDoS attacks, a record for most in a single month. Ninety percent of these attacks lasted for under an hour, marking another shift from previous years’ attacks. They have also increased in complexity, leaving victims and researchers with little time to defend themselves.

The post Cyber News Rundown: Ryuk Wreaks Healthcare Havoc appeared first on Webroot Blog.

By

Cyber News Rundown: Magecart Massive Attack

Reading Time: ~ 2 min.

Magecart Launches Largest E-commerce Attack to Date

Roughly 2000 e-commerce sites were compromised in the latest Magecart campaign targeting an out-of-date version of Magento software. It’s believed an additional 95,000 sites that haven’t patched to the latest Magento version could also be targeted by the payment skimming malware. The campaign began last Friday and by Monday had stolen data from over 1,900 stores serving tens of thousands of customers.

Staples Delivery System Responsible for Data Breach

Nearly two weeks after being contacted by a cybersecurity firm regarding their use of unsecured VPN servers, Staples has released a statement about a data breach that stemmed from a flaw in their delivery systems. Because Staples’ delivery tracking system required only an order number to pull up the entire order summary, customers were able to enter any number around their own order and access payment and other sensitive information belonging to other Staples customers. While the company has since resolved the flaw, it seems they have not yet contacted victims whose information was exposed.

Staffing Firm Suffers Second Ransomware Attack in 2020

Artech Information Systems, a global IT staffing firm, has recently fallen victim to their second ransomware attack of the year. Following a January attack by the REvil ransomware group, which released a small portion of company data after not receiving a ransom payment, Artech has now been infiltrated by the MAZE group, likely using a prior backdoor to the systems. Secondary ransomware attacks typically stem from improper resolution of the initial attack that leaves a system an easy target for another group.

Misconfigured Elasticsearch Exposes Over 100,000 Razer Customers

A security researcher found an unsecured Elasticsearch cluster late last month containing highly sensitive information for over 100,000 Razer customers. The exposed data contained personally identifiable information and order details with everything but the actual payment card data. Fortunately, Razer was quick to resolve the issue after being notified and set up an email worried customers could contact for more information.

SunCrypt Ransomware Targets University Hospital New Jersey (UHNJ)

Over 240GB of data was allegedly stolen from the University Hospital New Jersey after a SunCrypt ransomware attack. The attack was likely initiated against university systems shortly after a TrickBot infection last month compromised systems. The owners of SunCrypt have already released 1.7GB of the stolen data, which equates to roughly 48,000 documents containing highly sensitive personal information on patients and employees.

The post Cyber News Rundown: Magecart Massive Attack appeared first on Webroot Blog.

By

Ransomware: The Bread and Butter of Cybercriminals

Reading Time: ~ 4 min.

Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted, and a note appears demanding payment, which is usually in the form of cryptocurrency such as bitcoin because transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom.

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?

Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted, and a note appears demanding payment, which is usually in the form of cryptocurrency such as bitcoin because transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom.

The roots of ransomware can be traced back to 1989. The virus, known as PS Cyborg, was spread through diskettes given to attendees of a World Health Organization International AIDS conference. Victims of PS Cyborg were to mail $189 to a P.O. box in Panama to restore access to their data.

Historically, ransomware was mass distributed indiscriminately which happened to be mostly personal machines that ended up getting infected. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.

Criminals know the value of business data and the cost of downtime. Because they service multiple SMB customers simultaneously, managed service providers (MSPs) are now an especially attractive target. A successful attack on an MSP magnifies the impact of attacks and the value of the ransom.

Primary ransomware attack vectors – with more detailed descriptions below – include:

  • Phishing
  • Cryptoworms
  • Polymorphic malware
  • Ransomware as a Service (RaaS)
  • Targeted attacks

Want more on ransomware and how it’s advancing? Click here for a new Community post.

Phishing: Still the No. 1 Ransomware threat

Ninety percent of all Ransomware infections are delivered through email.  The most common way to receive ransomware from phishing is from a Microsoft Office attachment. Once opened the victim is asked to enable macros. This is the trick. If the user clicks to enable the macro, then ransomware will be deployed to the machine. Phishing remains a significant and persistent threat to businesses and individuals. The Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.

Cryptoworms

Cryptoworms are a form of ransomware that able to gain a foothold in an environment by moving laterally throughout the network to infect all other computers for maximum reach and impact. The most spectacular incarnation of a cryptoworm was WannaCry in 2017, where more than 200,000 computers were affected in 150 countries causing hundreds of millions in damages.

Polymorphic malware

One of the more notorious forms of ransomware circulating today is polymorphic malware, which makes small changes to its signature for each payload dropped on machine – effectively making it a brand new, never before seen file. Its ability to morph into a new signature enables it to evade many virus detection methodologies. Studies show that 95% of malware is now unique to a single PC. This is largely due to the shape-shifting abilities of polymorphic malware code. Today, nearly all ransomware is polymorphic, making it more difficult to detect with signature-based, antivirus technologies.

Ransomware as a Service (RaaS)

Ransomware has become so lucrative and popular that it’s now available as a “starter kit” on the dark web. This allows novice cybercriminals to build automated campaigns. Many of these kits are available free of charge for the payload, but criminals owe a cut (around 30% but this can vary based on how many people you infect) to the author for a ransom payment using their payload. Grandcab, also known as Sodinokibi, was perhaps the most famous to use this tactic.

Targeted attacks

Cybercriminals are moving away from mass distribution in favor of highly focused, targeted attacks. These attacks are typically carried out by using tools to automatically scan the internet for weak IT systems. They are usually opportunistic, thanks to the vulnerability scanners used. Targeted attacks often work by attacking computers with open RDP ports. Common targets include businesses with lots of computers but not a lot of IT staff or budget. This usually means education, government municipality, and health sectors are the most vulnerable.

Stay cyber resilient with multi-layered defense

As you can see, ransomware authors have a full quiver of options when it comes to launching attacks. The good news is, there are as many solutions for defending systems against them. The best way to secure your data and your business is to use a multi-layered cyber resilience strategy, also known as defense in depth. This approach uses multiple layers of security to protect the system. We encourage businesses of all sizes to deploy a defense-in-depth strategy to secure business data from ransomware and other common causes of data loss and downtime. Here’s what that looks like.

Backup

Backup with point-in-time restore gives you multiple recovery points to choose from. It lets you roll back to a prior state before the ransomware virus began corrupting the system.

Advanced threat intelligence

Antivirus protection is still the first line of defense. Threat intelligence, identification and mitigation in the form of antivirus is still essential for preventing known threats from penetrating your system.

Security awareness training

Your biggest vulnerability is your people. Employees need to be trained on how to spot suspicious emails and what to do in case they suspect an email is malicious. According our research, regular user training can reduce malware clickthrough rates by 220%.

Patch and update applications

Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your system exposed to an attack.

Disable what you’re not using

Disable macros for most of the organization as only a small percentage will need them. This can be done by user or at the group policy level in the registry. Similarly, disabling scripts like HTA, VBA, Java, and Powershell will also stop these powerful tools that criminals use to sneak infections into an environment.

Ransomware mitigation

Make sure your IT staff and employees know what to do when a ransomware virus penetrates your system. The affected device should immediately be taken offline. If it’s a networked device, the entire network should be taken down to prevent the spread of the infection.

Want to learn more about how to protect your business or clients from ransomware? Here are five actionable tips for better defending against these attacks.

The post Ransomware: The Bread and Butter of Cybercriminals appeared first on Webroot Blog.

By

Cyber News Rundown: Ransomware Targets Major Cruise Line

Reading Time: ~ 2 min.

Ransomware Attack Targets Major Cruise Line

Officials for Carnival Cruises have confirmed that a portion of their IT systems were encrypted following a cyberattack identified over the weekend. The company also revealed that sensitive information for both employees and customers was illicitly accessed, though they did not admit to what extent.

Millions of Social Media Profiles Exposed

More than 235 million social media profiles belonging to several major platforms, which contained personally identifiable information including names, locations and contact data, were publicly exposed due to a misconfigured database. Social Data, an online data marketing broker, seems to be the owner of the data, though it is unclear how they obtained it since data scraping for profit is generally not tolerated by Facebook or other platforms. According to Social Data, the database was exposed for up to three hours after initially spotted. It remains unknown how long the data was accessible without authentication.

Wine and Spirits Conglomerate Suffers Ransomware Attack

Brown-Forman, the parent company of many major liquor brands, recently fell victim to a ransomware attack that appears to be the work of the REvil ransomware authors. While the company was able to detect and thwart the attack before encryption, upwards of 1TB of highly sensitive internal information on employees, clients, and financial statements was stolen. Though no formal ransom was delivered, the attackers are likely to auction the data imminently.

File-less Worms Creates Linux Crypto-mining Botnet

Linux systems are on the lookout for a new infection that has been silently creating a botnet to employ ­­target machines as crypto miners. Since the start of the year, over 500 SSH servers have been infected around the world by a worm creating additional backdoors to allow attackers to return to the systems later. Due to the file-less nature of this infection, a simple reboot of the system can temporarily remove the malicious processes, but because the login credentials have already been exported the system can be quickly re-infected.

Canadian COVID-19 Relief Sites Breached

Several Canadian government websites connected to healthcare relief funds were breached with the intent to steal COVID-19 relief fund payments. Though only a small portion of the 12 million total accounts, 9,000 GCKey accounts were directly affected after being breached via credential-stuffing. Credential-stuffing uses brute force attacks with employs previously leaked credentials in the hopes victims use the same login info for multiple sites. Since the websites affected don’t use multi-factor authentication, the odds of a successful credential-related attack were increased.

The post Cyber News Rundown: Ransomware Targets Major Cruise Line appeared first on Webroot Blog.