PC PORTAL

Experienced. Trusted. Solutions.

ransomware

By

Cyber News Rundown: Major Spike in Magecart Attacks

Reading Time: ~ 2 min.

Magecart Attacks See Spike in Automation

The latest attack in the long string of Magecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.

Agent Smith Android Malvertiser Spotted

Researchers have been tracking the resurgence of an Android-based malware campaign that disguises itself as any number of legitimate applications to deliver spam advertisements. After being installed from a third-party app store, the malware checks both a hardcoded list and the command-and-control server for available apps to swap out for malicious copies, without alerting the device owner. The majority of targeted devices have been located in southwestern Asia, with other attacks showing up in both Europe and North America.

Third Florida City Faces Ransomware Attack

Almost exactly one month after the ransomware attack on Lake City, Florida, a third Florida city is being faced a hefty Bitcoin ransom to restore their systems after discovering a variant of the Ryuk ransomware. Similar to the prior two attacks, this one began with an employee opening a malicious link from an email, allowing the malware to spread through connected systems. It is still unclear if the city will follow the others and pay the ransom.

British Airways Receives Record GDPR Fine

Following a data breach last year that affected over 500,000 customers, British Airways has been hit with a total fine amount of $230.5 million. The amount is being seen as a warning to other companies regarding the severity of not keeping customer data safe, though it’s still much less than the maximum fine amount of up to 4% of the company’s annual turnover.

Georgia Court System Narrowly Avoids Ransomware Attack

Thanks to the quick work of the IT team from Georgia’s Administrative Office of the Courts (AOC), a ransomware attack that hit their systems was swiftly isolated, leading to minimal damage. Even more fortunate for the AOC, the only server that was affected was an applications server used by some courts but which shouldn’t disrupt normal court proceedings. Just days after the initial attack, the IT teams (aided by multiple law enforcement agencies) were already in the process of returning to normal operations without paying a ransom.

The post Cyber News Rundown: Major Spike in Magecart Attacks appeared first on Webroot Blog.

By

Cyber News Rundown: Second Florida Ransomware Attack

Reading Time: ~ 2 min.

Second Florida City Pays Ransom

Following the news that Riviera Beach, FL would pay the ransom demanded by cyberattackers, the mayor of Lake City, FL has announced that the city will be paying the demanded ransom of $460,000 to restore access to their email and internal system servers. While law enforcement agencies strongly recommend against paying the ransom and suggest that victims instead attempt to recover encrypted files through backups or other offline methods, many companies who fall prey to ransomware attacks do not keep complete backups of their systems, so they may have no choice but to pay.

Group Arrested in Domain Spoofing Scam

Several individuals were recently arrested for creating a spoof domain for Blockchain.com, a site that allows users to access their cryptocurrency wallets. The individuals in question successfully stole over $27 million’ worth of various currencies from roughly 4,000 victims by using their spoofed site to steal wallet credentials. The group was captured in two separate countries after more than a year of investigation.

Database for Insurance Marketing Site Exposed

A database belonging to MedicareSupplement.com, an insurance marketing site, was found to be publicly accessible, exposing the records of over 5 million customers. While it is unclear how long the database had been improperly secured, the researcher who discovered it in mid-May promptly reported it to the database owner. Amongst data exposed were nearly a quarter million records that indicated specific insurance categories.

Report Reveals Countries Most Targeted by Ransomware

A new report has run the numbers to uncover the top five countries most targeted by ransomware. So far in 2019, the list includes the USA, Brazil, India, Vietnam, and Turkey. During the first quarter of this year alone, the USA took 11% of the attacks, with Brazil coming in right behind with 10% of the total number of attacks. Even more concerning: the average ransom demand has nearly doubled since this time last year, jumping from around $6,700 to ca. $12,700.

IoT Malware Bricks Devices

Researchers have just found a new type of malware, dubbed Silex, that focuses on IoT devices running with default credentials. The malware then bricks—i.e., breaks in an irreparable or unrecoverable fashion—the entire device. The Silex authors claim to have distributed it with the specific intention of rendering devices unusable to prevent lower level scripters from adding the devices to their botnets. Fortunately, the authors did shut down the malware’s command servers, though the already-distributed samples will continue their operations until they have been removed by security.

The post Cyber News Rundown: Second Florida Ransomware Attack appeared first on Webroot Blog.

By

Cyber News Rundown: Radiohead Hit by Ransomware Hack

Reading Time: ~ 2 min.

Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Everyday

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

The account information was leaked for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which were found in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user data it’s clear EmuParadise could have done more to properly secure their users information.

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

By

Security roundup: June 2019

Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.

If you notice this notice…

If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.

But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.

The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.

  • Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
  • Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
  • Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as as evidence of absence of risk).

AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.

The cost of cybercrime, updated

Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.

The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.

Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.

Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.

Ransom-go-round

Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.

Enter third-party companies that claim to recover data on victims’ behalf. Could be a pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed. It found two companies that just paid the ransom and pocketed the profit, without telling law enforcement or their customers.

This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.

Links we liked

Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.

If you confuse them, you lose them: a post about clear security communication. MORE

This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE

Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE

A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE

Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE

The hacker and pentester Tinker shares his experience in a revealing interview. MORE

So it turns out most hackers for hire are just scammers. MORE

The cybersecurity landscape and the role of the military. MORE

What are you doing this afternoon? Just deleting my private information from the web. MORE

The post Security roundup: June 2019 appeared first on BH Consulting.

By

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Much of the steps involve simple security hygiene such as keeping anti malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.