Having your company’s operations halted due to a ransomware attack is pretty high up on the list of nightmare situations for any business owner. Depending on the severity of the attack and the state of your backups and business continuity plan, this could mean days of downtime while data is restored and systems sanitized. In the case of a storied Illinois college, it took them months to restore services after a ransomware attack in December 2021, and by the time systems were brought back online, the downtime was enough to hammer the final nail in the coffin for Lincoln College, a 157-year-old institution that was already financially reeling from the Covid pandemic.
What this means for you
It’s unclear from the small amount of information available on the incident why it took so long to restore systems at the college, but if my time in the higher-education industry illuminated anything for me, it was that academic institutions aren’t always at the forefront of technology security or disaster recovery, mostly because of underfunded technology budgets. If I had to name one thing that always catches ransomware victims off-guard, it’s the misconception that their particular company or organization is not worthy of being targeted for these types of attacks. While cybercriminals are definitely targeting high-value organizations in a very specific and determined manner, there is a wider, more generalized “net casting” of ransomware attacks that are more opportunistic and seem to care not for the financial means of the victim. Lincoln College may not have been targeted specifically – someone with sufficient privileges to key systems may have inadvertently fallen into a widely-cast phishing net (a broadly targeted phishing campaign), and once the hook was set, the hackers moved in for the kill, not caring (or even knowing) that the college was already in dire financial straits. What most people don’t realize is that there is literally no financial disincentive for hackers to attack, hook and hold to ransom as many targets as possible. It costs them literally nothing to spread ransomware, and if the victim doesn’t pay, they just move on to the one that will. Unfortunately for victims without proper data backups and a business continuity plan, that random attack could shutter the business for good.
Don’t let down your guard yet, but it would seem that hackers are focusing their efforts on targets with deeper pockets than you or me. Sinclair Broadcasting is the latest infrastructure victim to have their operations significantly disrupted by a ransomware attack that took dozens of television stations completely offline for hours in various markets across the country. As one of the largest media companies in the US, Sinclair owns and operates nearly 300 stations in the US, and according to unverified reports from inside sources at Sinclair, many of the stations are connected via a common Active Directory structure that allowed attackers to jump from station to station, encrypting servers and paralyzing the affected station’s ability to broadcast any of its regularly scheduled programming.
What this means for you
Sinclair doesn’t own any stations local to Southern California as far as I can tell, so most of us probably went about our weekend blissfully unaware that a ransomware attack locked down an undisclosed number of stations. Though they have not yet released specifics, it’s possible they are the latest victims to run afoul of a new RaaS (Ransomware as a Service) called BlackMatter which, perhaps not coincidentally, has also shown up in a new advisory from CISA, the FBI and the NSA that warns of threat actors using the new platform to target critical infrastructure, including two recent attacks on agricultural targets in the US. While these attacks may not impact you or me directly, infrastructure attacks are definitely worthy of our attention as they can and will cause widespread disruption to activities and services we take for granted, and in some cases, like hospitals or law enforcement agencies, could actually be life-threatening. And here’s something you may not have considered – each of these attacks most likely started with an individual getting tricked into giving up a password that gives the hackers a toehold, and that is all they need. Unfortunately, in this increasingly complicated technology landscape it is becoming ever more difficult to keep passwords safe, mainly because we are always being asked for them. How many times a day are you confronted with a password request that makes you question its legitimacy? It’s a challenge to keep up with technology on a good day, but when the hackers have you on guard 24/7, you really can’t afford not to pay close attention.
Unfortunately, there isn’t any silver bullet or magical tip I can provide to help you here. It’s most important to know where and when a service might ask for a password, and how to recognize legitimate requests based upon having more than just a passing familiarity with applications and services that require passwords to protect sensitive data or privileged access. If anything, err on the side of not entering a password if you aren’t 100% certain. Additional protection will come from using multi-factor authentication wherever it is made available to you, and of course, using unique, hard-to-guess passwords for all your important services.
With the recent ransomware attacks on large US companies like fuel distribution company Colonial Pipeline and now JBS, one of the world’s largest beef and pork suppliers, some of you might be thinking, “Oh good, they are focusing on the big fish now,” which gives us smaller companies a little breathing room. While this may make sense from a purely predatory “Animal Kingdom” point of view, size matters naught on the internet. The difference in effort and cost to target a big company versus a small one isn’t large enough to deter them from pursuing both. In fact, due to the continually widening dark web market of Ransomware-as-a-Service (RaaS), targeting small companies is just as cost-effective as large ones. After all, 50 ransoms of $1,000 is the same as one $50,000 score.
What does this mean for you?
Businesses large and small are starting to understand that it’s no longer “if” you will be attacked, but “when”, and in addition to tightening up their technology, they are also getting insurance to cover potential cyberattacks and ransomware demands, like the ones that Colonial faced (they paid, by the way) and what JBS is facing now. Because claims on these types of policies are on the rise and show no signs of slowing, the insurance providers are now asking for their potential cyber policy holders to batten down their hatches in preparation for the coming storm. Here are the things they are looking for:
- Does your company use two-factor authentication for all of its critical infrastructure? Not only email, but VPN/Remote access and administrator credentials for your company’s network as well.
- Is your company’s critical data backed up to an encrypted, offsite location that is protected by two-factor authentication?
- Are you running up-to-date malware protection on all devices that access company data and networks? The big gotcha here is all the personally-owned computers people have pressed into service during the pandemic.
- Are all devices that contain sensitive data encrypted? This includes mobile devices, and again, personally-owned equipment.
- Is your network protected by enterprise-grade firewalls and protocols?
Additionally, insurance providers might also be looking for these advanced security implementations that normally were only deployed by larger companies with dedicated technology and security staff, including:
- Dedicated network intrusion detection and active countermeasures.
- An information security policy in place for your company that governs how your company retains, protects and disposes of critical, confidential data.
- Regularly scheduled penetration testing of your company’s data networks.
- Regularly scheduled security audits of all company technology.
- Designated security officer/manager responsible for the company’s security.
- Regular training of all company staff on information security policy and practices.
When shopping for a cybersecurity policy, or expanding your current coverage to include it, you will be asked about some, if not all, of the above items, and your answers may determine the cost of your premium, or whether the insurance provider will underwrite you at all.
Those of us who have been using computers for a few decades remember the days when getting a computer virus was more of a nuisance than today’s current nightmare, but back then computers and the internet played a much lesser role in our personal and professional lives. On top of this, the past purveyors of malware had a much different agenda (if they had one at all) than today’s anonymous blackmailers and ransomers. When money is the object, you can bet some very smart and unscrupulous people are going to find ways to pollute your ‘puter for profit, and sadly, email is a big, red target on everyone’s back.
Why is email targeted?
- Everyone has an email account. As of this year, over half the planet uses email, meaning there are literally billions of email accounts. Email extortion schemes are extremely profitable if only a very small percentage fall for the fake link or open the bogus attachment and then follow through with a ransom payment. The profitability of a ransomware campaign relies on how wide a net can be cast, and with billions of fish in the sea, lots of nets can be cast.
- The cost to send an email is microscopic. Even campaigns that send millions of phishing emails have incredible ROI if only a tiny percentage actually hook a victim. With the right infrastructure (typically hacked servers belonging to someone else), malware teams can push out millions of emails with a few hours of investment of time and minimal hardware costs. On average, ransom demands to small companies are now upwards of $13,000 per incident. You don’t even need to do the math to see why this is happening.
- It’s incredibly easy to fool someone via email. Yes, you still get a ton of poorly spelled and grammatically awkward offers to share in the inheritance of foreign princes, but mixed among all the general pollution and real emails are fakes that are becoming increasingly hard to catch. Email scammers are upping their game daily, especially since it definitely leads to more victims getting tricked.
- Each of us gets too much email. I don’t know a single adult who would say otherwise. Even those of us who are really damn good at grinding that email box down to zero each day (not me) do so at great expense of time and energy. And, like any working adult who is pressed for time, this means we are more likely to cut corners (i.e. security) and make hasty decisions that lead to poor outcomes.
- Email technology has not advanced to match the growing sophistication of malware. Outlook is literally 22 years old and has not changed much in how we process email. SMTP, the primary delivery mechanism for internet email, was first released in 1981, and while security and encryption have been tacked on in the intervening years, the core technology is essentially unchanged. Email technology needs its equivalent of the hybrid/electric car to change the industry, and seeing how long it’s taken those types of cars to effect meaningful change, I don’t expect a quick change on the email side either.
- We are completely dependent on email. Even if we wanted to cut email out of our lives, too much relies on this system of communication to even consider how we would function without it.
Next week: how to bolster your email security perimeter.
Remember when there was nothing more innocent and incorruptible than a child’s teddy bear? For all the potential good the internet can bring, there are some things that should just not get connected, at least until we can secure data properly. The latest black eye for the “Internet of Things” (IoT) comes in the form of a line of stuffed animals that can record and relay messages back and forth between parent and child. While wholesome and lovely in theory, the whole implementation is undermined by poor security and what appears to be a non-trivial amount of carelessness, all the ingredients for a disastrous internet breach. Reports vary, but anywhere from 500k-800k “users’” data was exposed to an unknowable number of unauthorized eyes. This data included both identifying information as well as the actual voice messages from both adults and children.
What this means for you:
If you happened to be the (no longer) proud owner of a CloudPet, you have the unenviable responsibility of trying to explain to your child why they can’t use the thing that made this toy special. Hopefully it won’t be traumatizing. While you may be able to enjoy some schadenfreude from the possibility that the company appears well on its way to failure, this also means that there will be no recourse or recompense for saddling you with a toy that violated your family’s privacy. Not a CloudPet user? Regardless of whether you are a parent, relative or even just a friend, think twice before giving a small child an internet-connected toy. Very clearly, we, and the internet, are not ready for such a thing.
In an extremely unusual occurrence, the operators/handlers of the infamous TeslaCrypt ransomware have announced they are discontinuing operations of their highly lucrative malware campaign for undisclosed reasons. Analysts speculate it could be anything from growing law enforcement attention, to redirection of resources to even more virulent malware, to the unlikely scenario that the operators have made enough money and are feeling generous. Whatever the case may be, researchers from security company ESET contacted the “retiring” operators and asked them if they would publish TeslaCrypt’s master key, and to everyone’s astonishment, they obliged. Armed with this critical piece of data, ESET and others have built apps that have the capability of decrypting data that is being held captive by any number of TeslaCrypt variants dating back as far as early 2015.
What this means for you:
For one of my clients, a distant hope for this exact scenario finally paid off. Their data has been trapped in encryption for over a year, and as they didn’t have a viable backup at the time of the infection, they walked away from nearly a decade of data that was locked away even after paying the ransom. After our initial attempts to recover the data with what seemed to be a fake key, we put the data aside in the hopes that the master key would someday be recovered, possibly through law enforcement activities. Fast forward to this past weekend: after several hours of number crunching with tools provided by the brilliant folks at BleepingComputer.com and the master key secured by ESET, I was able to successfully decrypt nearly 200,000 files in what appears to be a full recovery of the “kidnapped” data.
If you happen to be among the unfortunate few who fall into this same ransomed data, backup-bereft category, your long-odds gamble may actually pay off like it did for my client. Counting on events like this unfolding for other variants of malware is still highly irrational. Last time I checked, there were still large portions of the world beset by malicious and criminal behavior, and it may never be revealed why the TeslaCrypt operators released the master key. Even if some hackers discovered compassion for their fellow humans and gave up their black-hat ways, there are ten others ready to take their place. Cybercrime continues to be a huge moneymaker for the criminal element. For this reason alone, you should continue to reinforce your technology defenses with a strong firewall, competent anti-malware and reliable offsite backups.
Looking back over the past few weeks I realize I’ve fallen down on my job of terrifying you with news of the latest technology boogeyman. There’s a new ransomware in town and this one gets down to business in a hurry. Dubbed Petya by security company F-Secure, this vicious piece of malware works in a similar fashion to its brethren by encrypting data and holding it for ransom, with a twist: instead of encrypting just your documents, it will “kidnap” the entire disk by encrypting the master file table, and it can do so very quickly because the MFT is just the “index” of all the files on your drive. If you were to think of your drive as a book, this is the equivalent of putting a lock on the cover and holding the key for ransom.
What this means for you:
At minimum, any virus infection is going to result in a bad day even if you have a full backup of your important data. Before your data can be restored, you need to be certain the malware hasn’t spread to other machines and is waiting to pounce the moment you get the data restored. With previous versions of ransomware, the attack would leave affected machines more or less operational as the malware only encrypted documents and usually left applications and the operating system intact. Not so with Petya, which locks out the entire disk. If this malware were to attack a server, it could paralyze an entire company within seconds. If you thought recovering and cleaning up a workstation took a long time, double or triple the time needed to bring a server back online, and that’s only if you had full-disk backups and not just files. A malware attack is inevitable – no amount of money, time or paranoia can provide 100% protection. Your only hope for a recovery is proper data backups managed by an experienced professional. Are you ready to test your backup plan?
In a disturbing trend that bodes ill for everyone, multiple US healthcare institutions have been victimized this past month by highly effective ransomware attacks. In each instance, the malware infection has significantly disrupted operations and, in some cases, forced administrators to actually pay out thousands of dollars in ransoms to regain control of their data and IT systems. In the case of the Hollywood Presbyterian attack, the hackers initially demanded $3.6 million in bitcoin to release the data and systems their malware had encrypted, but settled for $17k. More hospitals in California, Kentucky and Maryland have also been hit and crippled by ransomware attacks, in some cases paying the ransom to regain control of their IT systems, and in other cases recovering systems and data through established data backup platforms and security protocols. And just to keep things interesting, toy-maker Mattel was also defrauded out of $3 million after falling victim to a carefully-planned and well-executed email scheme.
What this means for you:
Though some of the hospital attacks mentioned above are thought to have come from a documented server exploit known to exist in healthcare software platforms, analysts are reporting a surge in emails carrying viral payloads, including new, highly-effective variants of ransomware, probably because of the highly-publicized ransom payment made by Hollywood Presbyterian. The harsh reality of this worrying trend is this: it costs criminals virtually nothing to start malware campaigns that are resulting in hundreds of millions in damages to organizations around the world, and it’s netting those same criminals an equivalent amount of money paid by desperate victims. Despite spending millions on security, businesses and individuals around the world still fall victim to this ploy because of the humble email. Previously I had written about ways to spot fake emails (and you can still spot them if you look hard enough), but given how many emails we receive, and how clever attackers are becoming, it’s only a matter of time before any of us get duped, and it’s already too late after that second mouse-click. Or is it? Though the ransomware attacks managed to disrupt operations at the hospitals mentioned above, several of them were able to get back to work once the infections were cleaned out and data restored from backups. The temporary disruptions caused by the compromised systems were kept to a minimum, as was the damage to the wallet, by a tested (and now proven) disaster response and recovery/backup plan. How long could your business afford to be disrupted by a ransomware attack? Could your business survive the loss of critical data? What about the reputation damage resulting from disclosing the attack to customers? If you thought a backup platform was expensive, consider the alternative. In the case of Hollywood Presbyterian, $17k was just the down payment on a huge hit to the wallet.
I am increasingly encountering a dangerous misconception about data backups that could lead to some serious “facepalm” moments. On at least three separate occasions while speaking with someone about data backups, the person I was with referred to DropBox as their primary data backup platform. In case you are unfamiliar with DropBox, it’s a cloud-based platform that can be used to sync files and folders between multiple computers, while also maintaining a copy of that data in the cloud as well. This cloud component is what many folks like to believe is their “offsite backup”. It’s true – if your local hard drive were to fail and you lost files that were being synced by DropBox, you could retrieve a copy from one of your other mirrors or the copy in the cloud. However, what if you or one of your employees who has access to the DropBox repository accidentally deleted some important files? DropBox doesn’t know you (or they) didn’t mean to delete those files, but it will make sure that change is reflected across your entire DropBox repository. What if you got hit with one of those nasty ransomware viruses which encrypts files, including the files in your DropBox repository? DropBox will dutifully overwrite your data with the encrypted copies, effectively destroying your “offsite backup”.
Let me ‘splain:
DropBox’s strength lies in easily establishing a set of files and folders that can be synced across multiple machines and locations, and it does this through a simple mechanism which essentially looks at each endpoint (and the cloud) and says, “Make all these the same.” This same strength is a resounding weakness when it comes to proper backup methodology. In a nutshell, your backups should keep track of your data across time, in set intervals, so that you can, in theory, go back to any one of those points in time and retrieve the data as it was at that moment. The reason this is important is for the two situations mentioned above (and many other scenarios as well). In both cases, mistakes were made. Our best course of action would be to go back in time to before those mistakes were made, but seeing as we can’t actually time travel yet, we use backups to accomplish nearly the same thing with our data. Even if the mistakes weren’t noticed for a period of time, as long as you have sufficient version depth in your backup strategy, you can look back to a time interval before the deletion and retrieve the files. This is something that DropBox can’t do, and probably shouldn’t, as it’s not meant to be a data backup platform. There are hundreds of viable backup solutions that range in price and complexity, and many of them are as easy to set up as DropBox. Don’t stop short of using a real backup solution just because you’ve got a copy of your files somewhere else. A good backup solution requires some thought and determination, but can pay back huge dividends when mistakes or disaster strike.
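To make the “make all these the same” problem concrete, here is a toy model written for this post (it is an added example, not code from the blog or from DropBox). It plays the two mistakes described above, an accidental deletion and a file-encrypting infection, against a sync-style mirror and against a versioned backup with a retention window, then runs the restore drill the Petya post asks about (“Are you ready to test your backup plan?”) by checking the restored files against a hash manifest recorded while the data was healthy. All file paths, contents and snapshot labels are constructed sample data, and the `encryption_event` stand-in is not a cipher of any kind; it only models “the originals are gone”.

```python
# Added example, not code from the original post: a toy model of why a
# sync/mirror service is not a backup. All paths, file contents and
# snapshot labels below are constructed sample data.
from __future__ import annotations

import hashlib

# A "file system" here is just a mapping of path -> file bytes.
FileSystem = dict[str, bytes]


class SyncMirror:
    """Sync-style behaviour ("make all these the same"): the cloud copy always
    matches the latest local state, so deletions and overwrites propagate."""

    def __init__(self) -> None:
        self.cloud: FileSystem = {}

    def sync(self, local: FileSystem) -> None:
        self.cloud = dict(local)

    def restore(self) -> FileSystem:
        return dict(self.cloud)


class VersionedBackup:
    """Point-in-time snapshots kept for `retain` intervals; any retained
    snapshot can be restored, so a mistake noticed later is still recoverable
    as long as it happened within the retention window."""

    def __init__(self, retain: int) -> None:
        self.retain = retain
        self.snapshots: list[tuple[str, FileSystem]] = []

    def snapshot(self, label: str, local: FileSystem) -> None:
        self.snapshots.append((label, dict(local)))
        if len(self.snapshots) > self.retain:
            self.snapshots.pop(0)  # the oldest version ages out

    def labels(self) -> list[str]:
        return [label for label, _ in self.snapshots]

    def restore(self, label: str) -> FileSystem:
        for snap_label, files in self.snapshots:
            if snap_label == label:
                return dict(files)
        raise KeyError(f"snapshot {label!r} is no longer retained")


def manifest(files: FileSystem) -> dict[str, str]:
    """SHA-256 per file: record this while the data is healthy, compare after a restore."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def restore_matches(expected: dict[str, str], restored: FileSystem) -> bool:
    """The restore drill: a backup only counts once a restore has been verified."""
    return manifest(restored) == expected


def encryption_event(local: FileSystem) -> FileSystem:
    """Constructed stand-in for a file-encrypting infection: every file is
    replaced by an unreadable blob under a new name. Not a cipher; it only
    models 'the originals are gone'."""
    return {path + ".locked": b"<unreadable>" for path in local}


def run_scenario(retain: int = 30) -> dict:
    local: FileSystem = {
        "docs/q1-report.docx": b"Q1 numbers",
        "docs/contracts.xlsx": b"signed contracts",
    }
    known_good = manifest(local)
    mirror, backup = SyncMirror(), VersionedBackup(retain=retain)

    # Day 1: healthy state is both synced and snapshotted.
    mirror.sync(local)
    backup.snapshot("day-01", local)

    # Day 2: an employee deletes a file; the mirror faithfully removes it everywhere.
    del local["docs/contracts.xlsx"]
    mirror.sync(local)
    backup.snapshot("day-02", local)

    # Day 3: the synced folder is encrypted; the mirror overwrites the cloud copy too.
    local = encryption_event(local)
    mirror.sync(local)
    backup.snapshot("day-03", local)

    try:
        recovered = backup.restore("day-01")
    except KeyError:
        recovered = None  # retention too shallow: day-01 already aged out
    return {
        "mirror": mirror.restore(),
        "recovered": recovered,
        "recovery_verified": recovered is not None and restore_matches(known_good, recovered),
        "retained": backup.labels(),
    }


if __name__ == "__main__":
    for depth in (30, 2):
        result = run_scenario(retain=depth)
        print(f"retain={depth}: mirror now holds {sorted(result['mirror'])}, "
              f"verified restore of day-01: {result['recovery_verified']}")
```

Run as-is, the mirror ends the week holding nothing but the encrypted copy, while the 30-day backup restores the day-01 state and the hash check passes. Re-running with `retain=2` shows the other half of the point: the deletion and the encryption both go unnoticed for long enough that day-01 has already aged out, so version depth has to be chosen against how long a mistake can plausibly sit undiscovered, not just against storage cost.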
As if the mad rush to “web-ify” everything wasn’t bad enough, McAfee’s security blog now brings us a new, shining moment in Internet history: it is now possible to visit an easy-to-use website to host your own ransomware campaign for the low, low price of free. A group of cybercriminals have put together a service that will provide you with the malware that locks up your victim’s files, as well as the means to collect the ransom via bitcoin through their consolidated platform. The service even includes a dashboard that summarizes your criminal activity: number of computers infected, number of people who paid the ransom, and how much you’ve made so far. It all sounds like something the Onion.com would dream up, but sadly, it’s real. Would-be cyber-extortionists have to pay 20% of their take to the service owners, which could amount to some serious cash. Over the course of the past few years, experts estimated that tens of millions have been made on previous ransomware campaigns. Like any good money-making model, these enterprising individuals hope to amass a fortune on the backs of aspiring cybercriminals.
What this means for you:
As I’ve said in previous blogs, cybercrime is big business now. Though McAfee’s bright light of publicity may help shut down this particular iteration of mass-market ransomware services, you can bet dozens more will follow suit, if they aren’t already up, running, and better hidden. The internet has the ability to magnify anyone’s capabilities by an incredible degree, even more so when someone with savvy and no scruples turns their sights onto the vast, largely naive internet populace. The pitch for this particular service is that “anyone” can set up their own ransomware campaign, and you can bet they’ll do a booming business until the good guys shut them down. On a more reassuring note, this particular platform only provides the means to start and run a ransomware campaign. It would still be up to the would-be extortionists to actually target and distribute the malware to their victims, a task which is surprisingly hard to do in a way that won’t get you caught. However, is it so hard to imagine someone else setting up shop right next door to the ransomware folks, where, for a “small percentage of the take” they would provide those targets? Imagine if these enterprising criminals decided to form pyramid schemes on top of these “business models”. I imagine once attaining that level of vicious cannibalism, the whole thing might collapse in on itself under the weight of sheer backstabbing and profiteering, but in the meantime, we might drown in a crushing wave of malware. Sadly, there’s no magic bullet, but there are three things you can do to better protect yourself against the coming storm: a good firewall on your perimeter, solid anti-malware on your computer, and an up-to-date offsite backup of your data. Those things plus constant vigilance (and a little paranoia!) will go a long way towards staying safer in these more dangerous times.