Threat Lab

January 13, 2021 By PC Portal

Maze Ransomware is Dead. Or is it?

“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At least,” he amends, “for now.”

Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued a kind of press release, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an estimated 12% of all successful ransomware attacks. So why did they shut down?

I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.

Why do you think Maze was so successful?

Maze had a great business model. They were the group that popularized the breach leak/auction website. So, they didn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction.

Why was this shift so revolutionary?

The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.

Now think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because of regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. So, instead of simply saying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the world – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the more cost effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it.

Other than the leak sites, did they do anything else noteworthy or different from other groups?

One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop.

Do you think the move to remote work during the pandemic contributed to their success?

Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.

If Maze was doing so well, why did they shut down?

Probably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they’ve gotten from their payouts and enjoy life. Or, sometimes, they don’t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name.

How can you tell when an old group has rebranded?

Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot.

Do you think Maze is done for good?

Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses who are less likely to have strong enough security measures. Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned such a winning business model entirely.

The verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance.

Stay tuned for more ransomware developments right here on the Webroot blog.

The post Maze Ransomware is Dead. Or is it? appeared first on Webroot Blog.

Filed Under: Industry Intel, IT Security Tagged With: syndicated, Threat Lab

October 1, 2020 By PC Portal

False Confidence is the Opposite of Cyber Resilience


Have you ever met a person who thinks they know it all? Or maybe you’ve occasionally been that person in your own life? No shame and no shade intended – it’s great (and important) to be confident about your skills. And in cases where you know your stuff, we encourage you to keep using your knowledge to help enhance the lives and experiences of the people around you.

But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.

Overconfidence by the Numbers

Approximately 3 in 5 people (59%) worldwide think they know enough to stay safe online.

You may think 59% doesn’t sound high enough to earn the label of “false confidence”. But there were two outliers in our survey who dragged the average down significantly (France and Japan, with only 44% and 26% confidence, respectively). If you only take the average of the five other countries surveyed (the US, UK, Australia/New Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK respondents had the highest level of confidence out of all seven regions surveyed with 75%.

8 in 10 people say they take steps to determine if an email message is malicious.

Yet 3 in 4 open emails and click links from unknown senders.

When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.

Individualism

According to Dr. Rajivan, it’s important to note that Japan had the lowest level of confidence about their cybersecurity know-how (only 26%), but the survey showed they also had the lowest rate of falling victim to phishing (16%). He pointed out that countries with more individualistic cultures seem to align with countries who ranked themselves highly on their ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.

How These Numbers Affect Businesses

Only 14% of workers feel that a company’s cyber resilience is a responsibility all employees share.

The correlations between overconfidence and individualism may also translate into a mentality that workers are not responsible for their own cybersecurity during work hours. While 63% of workers surveyed agree that a cyber resilience strategy that includes both security tools and employee education should be a top priority for any business, only 14% felt that cyber resilience was a shared responsibility for all employees.

How to Create a Cyber Aware Culture

The short answer: a strong combination of employee training and tools.

The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Additionally, he tells us, “Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior.”

Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.

It’s clear a little training can go a long way. If you want to increase cyber resilience, you have to minimize dangerous false confidence. And to do that, you need to empower your workforce with the tools and training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.

Learn more about Security Awareness Training programs.

The post False Confidence is the Opposite of Cyber Resilience appeared first on Webroot Blog.

Filed Under: Business + Partners, cyber resilience, IT Security, SMBs Tagged With: syndicated, Threat Lab

November 13, 2019 By PC Portal

Shoring Up Your Network and Security Policies: Least Privilege Models


Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of your business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan.

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of the Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control, often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishing, ransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

  • Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
  • Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
  • Create separate admin accounts that limit access.
    • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access.
    • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
  • Implement expiring privileges and one-time-use credentials.
  • Create a guest network leveraging a VPN for employees and guests.
  • Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
  • Regularly review updated employee access controls, permissions, and privileges.
  • Upgrade your firewalls and ensure they are configured correctly.
  • Add other forms of network monitoring, like automated detection and response.
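The privilege audit, expiring privileges and separate-admin-account tips above can be turned into a repeatable check. The script below is an added example, not code from the original post or from Webroot: it assumes a per-role baseline of required privileges and a constructed account inventory, then flags privileges beyond the baseline, temporary grants that have expired but are still present, and anyone who holds a superuser account without a separate standard account.

```python
"""Least-privilege audit over a constructed account inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed role baselines: the privileges each role needs to do the job.
ROLE_BASELINE: dict[str, set[str]] = {
    "data_entry": {"db:orders:read", "db:orders:write"},
    "helpdesk": {"ad:password_reset", "ticketing:write"},
    "sysadmin": {"admin:local", "admin:domain"},
}
# Privileges that make an account a superuser account (assumed naming).
SUPERUSER_PRIVS = {"admin:local", "admin:domain", "root"}
# Audit date for the constructed sample (the post's publication date).
TODAY = date(2019, 11, 13)


@dataclass
class Grant:
    privilege: str
    expires: date | None = None  # None means a standing grant


@dataclass
class Account:
    name: str
    owner: str  # the person behind the account
    role: str
    grants: list[Grant] = field(default_factory=list)


def excess_privileges(acct: Account) -> set[str]:
    """Privileges held beyond the role baseline; an unknown role has no baseline."""
    return {g.privilege for g in acct.grants} - ROLE_BASELINE.get(acct.role, set())


def expired_grants(acct: Account, today: date) -> list[str]:
    """Temporary grants whose expiry date has passed but that were never revoked."""
    return [g.privilege for g in acct.grants if g.expires is not None and g.expires < today]


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Findings keyed by account name, or 'owner:<person>' for per-person findings."""
    findings: dict[str, list[str]] = {}
    owners_with_super: set[str] = set()
    owners_with_standard: set[str] = set()
    for acct in accounts:
        issues: list[str] = []
        extra = excess_privileges(acct)
        if extra:
            issues.append(f"excess privileges for role {acct.role}: {sorted(extra)}")
        stale = expired_grants(acct, today)
        if stale:
            issues.append(f"expired grants still active: {stale}")
        if any(g.privilege in SUPERUSER_PRIVS for g in acct.grants):
            owners_with_super.add(acct.owner)
        else:
            owners_with_standard.add(acct.owner)
        if issues:
            findings[acct.name] = issues
    # Admins should do day-to-day work from a separate standard account.
    for owner in sorted(owners_with_super - owners_with_standard):
        findings[f"owner:{owner}"] = ["holds a superuser account but no separate standard account"]
    return findings


def sample_accounts() -> list[Account]:
    """Constructed inventory: one excess grant, one expired grant, one admin pair, one lone admin."""
    return [
        Account("jdoe", "Jane Doe", "data_entry", [
            Grant("db:orders:read"), Grant("db:orders:write"),
            Grant("db:hr:read", expires=date(2019, 10, 1)),  # one-off grant never revoked
        ]),
        Account("bsmith", "Bob Smith", "helpdesk", [
            Grant("ad:password_reset"), Grant("ticketing:write"), Grant("db:orders:write"),
        ]),
        Account("clee", "Carol Lee", "helpdesk", [Grant("ad:password_reset"), Grant("ticketing:write")]),
        Account("adm-clee", "Carol Lee", "sysadmin", [Grant("admin:local"), Grant("admin:domain")]),
        Account("adm-dpark", "Dan Park", "sysadmin", [Grant("admin:local"), Grant("admin:domain")]),
    ]


if __name__ == "__main__":
    for name, issues in audit(sample_accounts(), TODAY).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Replace `sample_accounts()` with an export from your directory or IAM system and run the audit on a schedule so that the "regularly review" tip becomes a standing control rather than a one-off exercise.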

The post Shoring Up Your Network and Security Policies: Least Privilege Models appeared first on Webroot Blog.

Filed Under: IT Security Tagged With: syndicated, Threat Lab

October 31, 2019 By PC Portal

The Truth about Phishing & the Psychology of Why We Click


“Phishing” may once have been a relatively obscure term, but pretty much everyone has heard of it by now. In fact, recent statistics indicate a high likelihood that you—or someone you know—have been the victim of a phishing attack at least once.

Now, if you remember the classic Nigerian Prince scams from back in the day, you might be asking yourself how the stats could be so high. After all, it seems pretty unlikely that an otherwise cautious person would fall for something like that, right? And in today’s cyber-climate, where the news is filled with headlines about major hacks and malware infections that spread like wildfire, why would anyone click on links from unknown senders or hand over their sensitive, personal information (think SSNs, etc.) without verifying the authenticity of the request? It turns out, there are a lot of subconscious influences at play, and the thing that makes phishing attacks so successful is the way they take advantage of our trust, curiosity, fear, greed, and even desire to do a good job at work.

Understanding the factors that drive a successful phishing attack is fundamental to preventing them in the future. That’s why Webroot partnered with Dr. Cleotilde Gonzalez, research professor at Carnegie Mellon University, to take a deep dive into the psychology of phishing.

Read our full report, Hook, Line, and Sinker: Why Phishing Attacks Work, for more information on the psychology behind phishing attacks.

Tip #1: Maintain strong, unique passwords. Using individual passwords for each of your accounts will help prevent fraud, identity theft, and other malicious activity. Consider using a secure password manager, and enable two-factor authentication wherever possible.

What kind of person clicks a phishing link, anyway?

The truth? We all do it. While 86% of Americans believe they can distinguish a phishing message from a genuine one, 62% have had their personal information compromised as part of a breach. So what’s the deal here?

“People are generally overconfident about their ability to spot the fakes. Overconfidence is a big problem in many human actions. In this case, this probably happens because the ratio of phishing emails to regular emails feels low, so our mind underestimates the probability of receiving a phishing email, and in turn, overestimates our ability to identify one if we do.” – Cleotilde Gonzalez, Ph.D.

Tip #2: Stay on your toes. The more overconfident and complacent you are about your security, the easier it is for you to be phished. Don’t play into a cybercriminal’s hands. Maintaining a healthy level of suspicion about all links and attachments in messages may make all the difference during an attempted breach.

How are phishers using psychology against us?

By tapping into our own personal sense of urgency, cybercriminals are able to manipulate us in subtle ways that we may not realize until it is too late. Hackers often use cleverly disguised email handles and targeted messaging, known as “spear phishing,” to create a sense of trust and familiarity. This makes links appear more legitimate, and makes us perceive the click as less risky.

“Ultimately, urgency, familiarity, and context have a strong impact on decision making. If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.” – Cleotilde Gonzalez, Ph.D.

What are the most convincing ways for a phisher to tap into your sense of urgency to get you to open their email?

  • 65% of Americans prioritize emails from their boss
  • 54% prioritize emails from family or friends
  • 33% prioritize emails to confirm bank transactions

That means you shouldn’t feel weird or guilty for verifying odd requests from bosses, family, or friends. If your boss sends you an email asking for out-of-the-ordinary action, don’t hesitate to call them up and ask them for details. (Do this instead of replying to the email.) Same with links, downloads, and requests for information from family and friends. It never hurts to double-check.

Practicing phishing mindfulness, even when clicking links from seemingly trustworthy sources, cuts down significantly on the efficacy of spear phishing attacks. Pay close attention to sender addresses and handles, as well as signatures. If you get an email from your bank, financial institution, or even a regular website for which you have a login, navigate to their official website independently instead of clicking through on that potentially risky email.

Tip #3: Back everything up and do it regularly. All of your important data and files should be regularly backed up to a secure hard drive or cloud storage. When using a physical hard drive, only connect it while backing up. This will help prevent the drive from being affected by an infection.

Why are we still clicking?

Here’s the thing: 76% of Americans know they have received a phishing email, and yet still 56% of people would feel comfortable clicking on a link or attachment from an unknown source on their personal devices. So why are so many of us still willing to jeopardize our safety for an unknown link?

“Risk and under-weighed probability are linked. Risks sometimes come with rewards, right? So if the risk seems low and the reward seems high, you’ll make riskier decisions. It’s like gambling; our minds explore different gain/loss experiences, then respond with risk-taking or risk-averse actions.” – Cleotilde Gonzalez, Ph.D.

Tip #4: Always keep your software up-to-date. Hackers are known to regularly exploit security holes in outdated software and operating systems. By installing software updates when prompted, you can stop many cybercriminals in their tracks.

What if you’ve been phished? Now what?

With 62% of those surveyed reporting some type of data breach, it’s important to know what to do in the event of a breach so you can keep the damage to a minimum. George Anderson, Product Marketing Director at Webroot, recommends the following steps:

  1. Change your account passwords immediately! That includes accounts you don’t believe were breached, but are using the same or a similar password.
  2. Set up alerts with your credit agency.
  3. Void existing credit cards and order new ones.
  4. Engage a credit security service.
  5. Notify law enforcement or the appropriate government agency.

While some of these steps may seem obvious to you, they clearly need to be repeated: of people whose information was stolen or exposed, a baffling 32% didn’t bother to change their account passwords afterward.

Dr. Gonzalez shared her thoughts on what can be done to combat this type of complacency.

“These findings illuminate the fact that what we really need here is a mindset makeover,” she says. “The longer-term reward of security needs to be highlighted, front and center, not placed on the backburner. To do that, we’re going to have to shift the way that people think about security and prioritize their responsibilities. We have to allow the time and brain space for security-related considerations.”

What can we all do going forward?

You can nurture the type of security mindset shift Dr. Gonzalez references by taking small steps. First, you know those software and security updates you (like many people) are probably putting off? Just do them. Enable two-factor authentication wherever possible, especially on important online accounts like your banking and credit institution websites.

You may even find that your heightened security practices influence those around you to make stronger choices. After all, seeing a person you know being on top of their game can be very motivating to start making personal changes!

Remember, the most important thing you can do is avoid overconfidence. Don’t underestimate the risk of a phishing attack. Doing that is exactly what will make you a prime target for criminals.

“It’s a classic case of underweighting probabilities, but explicit numbers speak for themselves. Providing this information might help people calibrate the risk and confidence more accurately.” – Cleotilde Gonzalez, Ph.D.

The post The Truth about Phishing & the Psychology of Why We Click appeared first on Webroot Blog.

Filed Under: IT Security Tagged With: syndicated, Threat Lab

October 25, 2019 By PC Portal

Cyber News Rundown: MedusaLocker Ransomware


MedusaLocker Ransomware Spotted Worldwide

While it’s still unclear how MedusaLocker is spreading, the victims have been confirmed around the world in just the last month. By starting with a preparation phase, this variant can ensure that local networking functionality is active and maintain access to network drives. After shutting down security software and deleting Shadow Volume copies, it begins encrypting files while setting up self-preservation tasks.

Bargain Website Server Exposes Customer Data

Several websites used by UK customers to find bargains have left a database filled with customer data belonging to nearly 3.5 million users completely unprotected and connected to the internet. Along with the names and addresses of customers, the database also included banking details and other sensitive information that could be used to commit identity fraud. The researchers who initially discovered the breach notified the site owners, but received no response or any indication the leak would be resolved until nearly six weeks after the database was left exposed.

Arrests Made Following Major BEC Scam

At least three individuals have been arrested in Spain for their connection to a business email compromise (BEC) scam that netted over 10 million euros and affected 12 companies across 10 countries. It appears the operation began in 2016 and involved the cooperation of multiple law enforcement agencies. By creating a web of fake companies and bank accounts, the group was able to successfully launder money into various investments, including real estate, in an attempt to remain undetected.

LA Court System Hacked

The perpetrator of a 2017 spear phishing attack on the LA court system was sentenced to 145 months in prison following convictions on charges of wire fraud, unauthorized access to a computer, and identity theft. The individual was able to compromise employee email accounts and use them to launch a malspam campaign that distributed over 2 million emails.

Pennsylvania School District Hacked

Multiple students are being questioned after school district officials noticed unauthorized access to the student assistance site Naviance, a hack which appears to have been an attempt “to gain a competitive edge in a high-stakes water gun fight.” Access to the site would have also given them access to other students’ personal data, though no financial or social security information is stored on the site. District officials determined the security practices for the site to be lacking but have not currently released plans for improvement.

The post Cyber News Rundown: MedusaLocker Ransomware appeared first on Webroot Blog.

Filed Under: IT Security Tagged With: syndicated, Threat Lab
