Foiling RaaS attacks via active threat hunting

In this Help Net Security podcast, Jon DiMaggio, Chief Security Strategist at Analyst1, talks about the characteristic of attacks launched by Ransomware-as-a-Service (RaaS) gangs and how organizations can prevent them from succeeding.

RaaS attacks

[embedded content]

To make things interesting, Jon’s nine-year-old son is hosting the interview. Below is a transcript for your convenience.

Damien: Hi, I’m Damien DiMaggio, and today I am interviewing Jon DiMaggio, Chief Security Strategist at Analyst1.

Jon: Hi Damien. Thanks for talking with me today.

Today we are talking to Jon about Ransomware-as-a-Service and some of the bad guys behind it. Jon, can you tell us what Ransomware-as-a-Service is?

Jon: Sure, Damien, that’s a great question. So, one of the biggest issues organizations have today is ransomware attacks. Traditionally enterprise ransomware attackers will find a way to initially breach an environment. They’ll “live” in that environment anywhere from days to weeks. We’ve seen as short as three days and as long as two weeks, where the attacker will spend time in the environment using legitimate tools that are already present (“living off the land”), using dual use tools and enumerating and gaining privileges during that time.

Then they use those privileges to turn off and disable security services. This allows the adversary to stage the environment so that when they do execute the ransom payload, it’ll have the most success in encrypting and removing access to customer data. Ransomware-as-a-Service takes this one step further.

Basically, what they do is they sell access to their attacks. So they advertise on dark net forums and marketplaces. And what they do is, you can buy into the service and you can take part in the profit sharing when you help to expose a victim’s environment and they actually pay money.

So, the biggest differentiator here is you have a higher volume of attacks, you have more people involved, you have greater volumes of attacks and shorter timeframes, therefore you bring in a greater amount of profit and by sharing this profit, it’s very appealing and lucrative to cyber criminals.

Interesting. How do these groups differ from traditional ransomware bad guys?

Jon: Well, you know, it’s in the tactics that they use, Damien. One of the tactics that really stands out, and they’re not the only attackers to do it, but they are one of the first to do it, is actually making a copy and stealing the victim’s data prior to the ransomware payload execution.

The benefit that the attacker gets from this is they can now leverage this for additional income. What they do is they threaten the victim to post sensitive information or customer data publicly. And this is just another element of a way to further extort the victim and to increase the amount of money that they can ask for. And now you have these victims that have to worry about not only having all their data taken from them, but actual public exposure.

It’s becoming a really big problem, but those sorts of tactics – as well as using social media to taunt the victim and hosting their own infrastructure to store and post data – all of those things are elements that prior to seeing it used with Ransomware-as-a Service, were not widely seen in traditional enterprise ransomware attacks.

What do they do with the data once they have it?

Jon: The first thing that they do is they go through, and they find some element of it that’s sensitive. Now that could be sensitive email communications, or it could be some sort of secret “sauce” to something that the victim organization provides or does, or it could be sensitive customer information that you wouldn’t want exposed. And they’ll take a small piece of that to dangle in front of the victim to let them know that they’re serious, and they will post it publicly.

They’ll use Twitter to “socialize” the fact that they have this data, they’ll post to text hosting sites, such as Pastebin, or they’ll take screenshots of emails or documents and post to image hosting sites like 4Chan. It’s almost like a propaganda-driven campaign where they’ll really try to put out the message and spread the word that they have access to this organization’s critical information and customer data in order to entice the victim to pay. They want to make sure customers know, they specifically will reach out to customers of some of these organizations in order to increase the pressure and have the victim pay.

So, everything’s about gaining as much money and profit with Ransomware-as-a-Service groups, and they’ve just found different ways to implement and exploit victims outside and beyond traditional ransomware encryption techniques.

Should the victims pay the ransom? And if they do, does the bad guy hold up their end of the deal?

Jon: That’s a good question also. It’s really difficult… You can’t judge a victim by whether or not they pay or not. We always tell people you shouldn’t pay a ransom. If no one paid ransom, you wouldn’t keep having attackers continue these types of attacks. It takes them time, days to weeks, as I mentioned, that they have to spend doing this work in order to get a payout. So if they spent all that time and no one paid for these guys to make additional money, so…

You can’t trust that paying them is going to keep you protected. Organizations are in a bad spot when this happens, and they’ll have to make those decisions on whether it’s worth paying. But traditionally, it’s always best to not get compromised in the first place, which obviously doesn’t help an organization once that’s already happened. But just understand, just because you pay the ransom doesn’t mean that you’re going to get your data back or that it’s not going to be posted publicly later on down the road.

What can companies do to protect themselves from these types of attacks?

Jon: The best time to stop the attack is before the ransomware payload is executed. So, during that time period, those days to weeks where the adversary is staging the environment, that provides an opportunity to detect them. So, when the adversary is using legitimate administrative tools in order to further gain a foothold, that’s the time for defenders to identify it.

So, looking at administrative tool use, looking at who’s using it, looking at the times that they’re using it, looking at what they’re doing with it, all of those are things where there’s an opportunity to prevent that from happening. And we have seen defenders that actually do this well, and they do identify that there is an attack taking place, and they have successfully stopped these ransomware attackers.

But it’s all about the mindset of having very active threat hunting take place, and just not relying on tools and applications to flash red and tell you that something nefarious is going on in your organization. It’s a very proactive approach, and it’s not just looking at the bad stuff, but also looking at the good stuff that organizations need to do, the legitimate tool use.

Damien: Thanks, Jon, it’s been very informative, great job.

Jon: Thank you, Damien.

Pandemic thinking: What if there were a vaccine for OT ransomware?

The year 2020 has been defined globally by the COVID-19 pandemic. One of few silver linings for this difficult set of circumstances is innovation – redesigning normal processes so that life can carry on with some degree of regularity and reliability.

OT ransomware

Pre-COVID, we all took certain risks routinely, and the consequences were minor. Now the consequences are much more serious and we respond to these risks by very carefully deciding how we expose ourselves to the coronavirus. Whether sheltering in place, social distancing, or in full government lock-down, we have all felt the fatigue of being under the siege of an invisible threat.

The good news is there is hope at the end of the tunnel – in a matter of months, medical science will catch up to the threat and normal life will resume.

The cyber pandemic

The pandemic has digital consequences as well, for both enterprise networks and OT networks. Not only has the pandemic brought us more online, and forced us into doing nearly everything remotely, macro trends continue as well.

Computers are getting cheaper and CPUs are more ubiquitous than ever before – which means there are more targets for cyber attacks than ever before. Communications is getting cheaper, faster and more universal, and all this connectivity means steadily-increasing opportunities to attack the steadily-increasing number of targets.

The trend towards remote work is not likely to reverse very much post-pandemic, and the macro trends certainly will not reverse – no amount of social distancing will slow down cyber breaches, targeted attacks or targeted ransomware.

Unfortunately, many conventional IT security defenses that we deploy to protect against these threats are porous and hackable. Firewalls, IDS, security updates, VPNs are all software, with inevitable bugs and security holes, which means that all these defenses can be compromised. This is especially troubling in a world of physical, industrial operations that are increasingly dependent on these software-based protections for safe and reliable operation.

Worse, the industrial equivalent of “lock-down”, which is air-gapping, is folklore of the past; air-gapping defeats modern efficiency initiatives and so is either consciously avoided as a modern security strategy, or is implemented badly, resulting in residual connectivity and associated cyber risks.

To operate efficiently, industrial operations nearly always must share data with enterprise and customer systems, and – just as in a global pandemic – the risks and consequences of such contact through cyber connections must be weighed very carefully.

What if there were a vaccine for cyber?

Every pandemic begs a vaccine. What if there were a vaccine for the cyber pandemic? What if there were a vaccine that could prevent OT attacks and the OT ransomware that has shut down hundreds of industrial sites in 2020? Targeted ransomware is one of today’s biggest and nastiest cyber threats.

These targeted attacks defeat conventional defenses at heavily-defended industrial sites. In a sense this is no surprise – many of today’s targeted ransomware groups use attack tools and techniques that were once the sole province of nation-states. A cyber vaccine is needed, urgently.

Unidirectional Security Gateways

The good news – future-proofing our most important services and industries from the cyber pandemic is not as difficult as a COVID vaccine. Today’s hardware-enforced unidirectional gateways stop targeted ransomware and other targeted, remote-control attacks from reaching into industrial networks.

The physical security embedded in the unidirectional hardware does not protect the information, but rather protects the industrial networks from information, more specifically from attacks that may be embedded in information that enters industrial networks.

And unlike air gaps, unidirectional gateways enable seamless flows of operations information from industrial operations out into the enterprise or even out into the Internet beyond the enterprise.

Unidirectional hardware prevents attacks from entering industrial networks, while unidirectional gateway software makes copies of databases and other servers from industrial networks to external networks.

Enterprise and other users simply access the industrial data in the external replica databases. Unidirectional gateways “vaccinate” industrial networks against online attacks, while providing the kind of seamless access to industrial data that modern, efficient enterprises rely on.

There are indeed lessons from the pandemic that we can apply to our industrial networks. Using only software protections means making difficult risk decisions on a regular basis, just as we do with social distancing and lock-downs.

We all look forward to the day of the COVID19 vaccine, when these difficult decisions and risks will disappear. The good news on the cyber side is that the vaccine for OT networks is already available, in the form of Waterfall’s Unidirectional Security Gateways.

Cyber insurance claims on the rise

External attacks on companies result in the most expensive cyber insurance losses, but it is employee mistakes and technical problems that are the most frequent generator of claims by number, according to a report from Allianz Global Corporate & Specialty (AGCS).

cyber insurance claims

The study analyzes 1,736 cyber-related insurance claims worth EUR 660mn (US$ 770mn) involving AGCS and other insurers from 2015 to 2020.

“Losses from incidents such as distributed denial of service (DDoS) attacks or phishing and ransomware campaigns account for a significant majority of the value of cyber claims today,” says Catharina Richter, Global Head of the Allianz Cyber Center of Competence, a part of AGCS.

“But although cyber crime generates the headlines, everyday systems failures, IT outages and human error incidents can also cause problems for companies, even if their financial impact is not, on average as severe. Employers and employees must work together to raise awareness and increase cyber resilience.”

Growth of the global cyber insurance market fueling cyber insurance claims

The number of cyber insurance claims has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, there were already 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market which is currently estimated to be worth $7bn according to Munich Re.

The report also highlights that there has been a 70%+ increase in the average cost of a cybercrime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches.

Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims analyzed according to the report, followed by malicious internal actions (9%) – which are infrequent but can be costly.

Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data account for 54% of cyber claims analyzed by number but, often, the financial impact of these is limited compared with cyber crime. However, losses can quickly escalate in the case of more serious incidents.

Business interruption, the main cost driver behind cyber losses

Business interruption is the main cost driver behind cyber losses, accounting for around 60% of the value of all claims analyzed, followed by costs involved with dealing with data breaches.

Businesses and insurers are facing a number of challenges such as the prospect of more expensive business interruptions, the rising frequency of ransomware incidents, more costly consequences of larger data breaches given more robust regulation and litigation, as well as the impact from the playing out of political differences in cyber space through state-sponsored attacks.

The huge rise in remote working due to the coronavirus pandemic is also an issue. Displaced workforces create new opportunities for cyber criminals to gain access to networks and sensitive information.

Malware and ransomware incidents are already reported to have increased by more than a third since the start of 2020, while coronavirus-themed online scams and phishing campaigns about the pandemic continue. At the same time the potential impact from human error or technical failure incidents may also be heightened.

Ransomware threats surge

Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands.

There were nearly half a million ransomware incidents reported globally last year, costing organizations at least $6.3bn in ransom demands alone. Total costs associated with dealing with these incidents are estimated to be well in excess of $100bn.

“High-end hacking tools are more widely available driven by the growing ‘commercialization of cyber-hacks’. Increasingly, criminals are selling malware to other attackers who then target businesses demanding ransom payments,” says Marek Stanislawski, Global Cyber Underwriting Lead at AGCS.

“However, extortion demands are just one part of the picture. Business interruption can bring the most severe losses – with downtimes becoming longer – while systems and data restoration costs can quickly escalate.”

Business interruption and digital supply chain vulnerability growing

“Whether due to ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy,” says Joerg Ahrens, Global Head of Long-Tail Claims at AGCS.

“The inability to access data for an extended period of time can have a significant impact on revenues – for example, if a company is unable to take orders. Similarly, if an online platform is unavailable due to a technical glitch or cyber event, it could bring large losses for companies that rely on it, particularly given today’s increasing reliance on online sales or digital supply chains.”

Data breaches and state-sponsored attacks

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Data privacy regulation, which has recently been tightened in many countries, is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation.

So-called mega data breaches (involving more than one million records) are more frequent and expensive, now costing $50mn on average, up 20% over 2019.

In addition, the impact of the increasing involvement of nation states in cyber-attacks is a growing concern. Major events like elections and COVID-19 present significant opportunities.

During 2020 Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns.

The ransomware plague cost the world over $1 billion

Group-IB has presented a report which examines key shifts in the cybercrime world internationally between H2 2019 and H1 2020 and gives forecasts for the coming year. The most severe financial damage has occurred as a result of ransomware activity.

ransomware cost 2020

The past year — a harrowing period for the world economy — culminated in the spike of cybercrime. It was also marked by the rise of the underground market for selling access to corporate networks and an over two-fold growth of the carding market. The stand-off between various pro-government hacker groups saw new players come onto the scene, while some previously known groups resumed their operations.

The report examines various aspects of cybercrime industry operations and predicts changes to the threat landscape for various sectors, namely the financial industry, telecommunications, retail, manufacturing, and the energy sector. The authors also analyze campaigns targeting critical infrastructure facilities, which are an increasingly frequent target of intelligence services worldwide.

Forecasts and recommendations set out seek to prevent financial damage and manufacturing downtimes. Its purpose is also to help companies adopt preventive measures for counteracting targeted attacks, cyber espionage, and cyberterrorist operations.

The cost of ransomware

Late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies turned out to be immune to the ransomware plague.

Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported. Since attackers are motivated by financial gain alone, any company regardless of size and industry could fall victim to ransomware attacks.

Meanwhile, if the necessary technical toolsets and data restoring capabilities are not in place, ransomware attacks could not only cause downtime in manufacturing but also bring operations to a standstill.

According to conservative estimates, the total financial damage from ransomware operations amounted to over $1 billion ($1,005,186,000), but the actual damage is likely to be much higher. Victims often remain silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks.

A major ransomware outbreak was detected in the United States, with the country accounting for about 60% of all known incidents. The US is followed by European countries (mainly the UK, France, and Germany), which together make up roughly 20% of all ransomware attacks.

Countries of North and South America (excluding the US) are at 10% and Asian states are at 7%. The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).

Maze and REvil are considered to have the largest appetite: the operators of these two strains are believed to be behind more than half of all successful attacks. Ryuk, NetWalker, and DoppelPaymer come second.

The ransomware pandemic was triggered by an active development of private and public affiliate programs that bring together ransomware operators and cybercriminals involved in compromising corporate networks.

Another reason for an increase in ransomware attacks is that traditional security solutions, still widely used by a lot of companies on the market, very often fail to detect and block ransomware activity at early stages.

Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate program.

The main ways to gain access to corporate networks include brute-force attacks on remote access interfaces (RDP, SSH, VPN), malware (e.g., downloaders), and new types of botnets (brute-force botnets). The latter are used for distributed brute-force attacks from a large number of infected devices, including servers.

In late 2019, ransomware operators adopted a new technique. They began downloading all the information from victim organizations and then blackmailed them to increase the chances of the ransom being paid.

Maze (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.

Seven new APT groups joined the global intelligence service stand-off

Military operations conducted by various intelligence services are becoming increasingly common. A continuing trend was identified, where physical destruction of infrastructure is replacing espionage. Attacker toolkits are being updated with instruments intended for attacks on air-gapped networks.

The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.

A blatant attack was attempted in Israel, where threat actors gained access to some of Israel’s water treatment systems and tried altering water chlorine levels. Had it been successful, the attack would have led to water shortages or even civilian casualties.

State-sponsored APT groups are not losing interest in the telecommunications sector. Over the review period, it was targeted by at least 11 groups affiliated with intelligence services. Threat actors’ main goals remain spying on telecommunications operators or attempts to disable infrastructure.

Threat actors have also set a new record in DDoS attack power: 2.3 Tb per second and 809 million packets per second. BGP hijacking and route leaks remain a serious problem as well. Over the past year, nine significant cases have been made public.

Most state-sponsored threat actors originate from China (23), followed by Iran (8 APT groups), North Korea and Russia (4 APT groups each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.

According to data analyzed, Asia-Pacific became the most actively attacked region by state-sponsored threat actors. A total of 34 campaigns were carried out in this region, and APT groups from China, North Korea, Iran, and Pakistan were the most active.

At least 22 campaigns were recorded on the European continent, with attacks carried out by APT groups from China, Pakistan, Russia, and Iran. Middle East and Africa were the scene of 18 campaigns conducted by pro-government attackers from Iran, Pakistan, Turkey, China, and Gaza.

Cybersecurity researchers have also detected seven previously unknown APT groups, namely Tortoiseshell (Iran),Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (Saudi Arabia), as well as Chimera and WildPressure, whose geographical affiliation remains unknown. In addition, six known groups that remained unnoticed in recent years resumed their operations.

Sales of access to compromised corporate networks grow four-fold

Sales of access to compromised corporate networks have been increasing from year to year and peaked in 2020. It is difficult to assess the size of the market for selling access, however, as offers published on underground forums often do not include the price, while some deals are cut in private.

Nevertheless, technologies for monitoring underground forums (which make it possible to see deleted and hidden posts) helped the experts assess the total market size for access sold in the review period (H2 2019 to H1 2020): $6.2 million. This is a four-fold increase compared to the previous review period (H2 2018 to H1 2019), when it totaled $1.6 million.

Surprisingly, state-sponsored attackers joined this segment of the cybercriminal market seeking additional revenue. As such, in the summer of 2020, on an underground forum a seller offered access to several networks, including some belonging to US government departments, defense contractors (Airbus, Boeing, etc.), IT giants, and media companies. The cost of the access to the companies listed was close to $5 million.

In H1 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums. The number of sellers has also grown. During that period, 63 sellers were active, and 52 of them began selling access in 2020.

For comparison, during all of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, the sales of corporate network access grew by 162% compared to the previous period (138 offers against 362).

After analyzing offers of access to corporate networks, experts found correlations with ransomware attacks: most threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was high in demand.

It should be noted that sellers of access to corporate networks increasingly rarely mention company names, their geographical location and industry, which makes it almost impossible to identify the victim without contacting the attackers.

Selling access to a company’s network is usually only one stage of the attack: the privileges gained might be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.

Market of stolen credit card data reached almost $2 billion

Over the review period, the carding market grew by 116%, from $880 million to $1.9 billion. The quick growth applies to both textual data (bank card numbers, expiration dates, holder names, addresses, CVVs) and dumps (magnetic stripe data). The amount of textual data offered for sale increased by 133%, from 12.5 to 28.3 million cards, while dumps surged by 55%, from 41 to 63.7 million. The maximum price for card textual data is $150 and $500 for a dump.

Dumps are mainly obtained by infecting computers with connected POS terminals with special Trojans and thereby collecting data from random-access memory. Over the review period, 14 Trojans used for collecting dumps were found to be active.

Cybercriminals seek to obtain data relating to credit and debit cards issued by US banks: these account for over 92% of all compromised bank cards. Bank card data of bank customers in India and South Korea are the second and third most desirable targets for cybercriminals. Over the review period, the total price of all the bank card dumps offered for sale amounted to $1.5 billion, while textual data – to $361.7 million.

Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers. The latter were one of the main instruments for stealing large amounts of payment data over the past year. JS sniffers also became more popular in light of the trend of reselling access to various websites and organizations on underground forums.

Group-IB is currently monitoring the activities of 96 JS sniffer families. This is a 2.5-fold increase compared to the previous reporting period, during which there were 38 families on the company’s radar. According to the findings, over the past year nearly 460,000 bank cards were compromised using JS sniffers.

The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services online, and banks that unwittingly become involved in incidents.

The main scenarios for illegally harvesting bank card data and most frequently attacked countries (the United States, India, South Korea) will remain the same. Latin America might become an increasingly attractive target for carders since it already has mature hacker community experienced in using Trojans for this purpose.

Phishing grows by 118%

Between H2 2019 and H1 2020, the number of phishing web resources found and blocked rose by 118% compared to the previous reporting period. Analysts mention the global pandemic and lockdowns as the main reasons: web-phishing, which is one of the simplest ways to earn money in the cybercriminal industry, attracted those who lost their incomes.

The increased demand for online purchases created a favorable environment for phishers. They quickly adapted to this trend and began carrying out phishing attacks on services and individual brands that previously did not have much financial appeal to them.

Scammers also changed their tactics. In previous years, attackers ended their campaigns after fraudulent websites were taken down and quickly switched to other brands. Today, they are automating their attacks instead and replacing the blocked pages with new ones.

Since the start of the year, there has been a rise in advanced social engineering, namely when multi-stage scenarios are used in phishing attacks. As part of such increasingly popular phishing schemes, threat actors first stake out the victim. They establish contact with the targeted individual (e.g., through a messenger), create an atmosphere of trust, and only then do they direct the victim to a phishing page.

One-time links turned out to be another phishing trend of the past year. After a user receives a link and clicks on it at least once, it will not be possible to obtain the same content again in order to collect evidence. This significantly complicates the process of taking down phishing resources.

Most web-phishing pages mimicked online services (39.6%). Phishers in particular gathered login credentials from user accounts on Microsoft, Netflix, Amazon, eBay, Valve Steam, etc. Online services were followed by email service providers (15.6%), financial organizations (15%), cloud storage systems (14.5%), payment services (6.6%), and bookmakers (2.2%).

On That Dusseldorf Hospital Ransomware Attack and the Resultant Death

Wired has a detailed story about the ransomware attack on a Dusseldorf hospital, the one that resulted in an ambulance being redirected to a more distant hospital and the patient dying. The police wanted to prosecute the ransomware attackers for negligent homicide, but the details were more complicated:

After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim’s medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. “The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

So while this might not be an example of death by cyberattack, the article correctly notes that it’s only a matter of time:

But it’s only a matter of time, Hartmann believes, before ransomware does directly cause a death. “Where the patient is suffering from a slightly less severe condition, the attack could certainly be a decisive factor,” he says. “This is because the inability to receive treatment can have severe implications for those who require emergency services.” Success at bringing a charge might set an important precedent for future cases, thereby deepening the toolkit of prosecutors beyond the typical cybercrime statutes.

“The main hurdle will be one of proof,” Urban says. “Legal causation will be there as soon as the prosecution can prove that the person died earlier, even if it’s only a few hours, because of the hack, but this is never easy to prove.” With the Düsseldorf attack, it was not possible to establish that the victim could have survived much longer, but in general it’s “absolutely possible” that hackers could be found guilty of manslaughter, Urban argues.

And where causation is established, Hartmann points out that exposure for criminal prosecution stretches beyond the hackers. Instead, anyone who can be shown to have contributed to the hack may also be prosecuted, he says. In the Düsseldorf case, for example, his team was preparing to consider the culpability of the hospital’s IT staff. Could they have better defended the hospital by monitoring the network more closely, for instance?

QakBot operators abandon ProLock for Egregor ransomware

Group-IB has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by Group-IB team has been at $4 million worth of BTC.

Egregor ransomware

During recent incident response engagements Group-IB DFIR (Digital Forensics and Incident Response) team has noticed a significant change in QakBot operators’ tactics, the gang started to deploy a new Egregor ransomware family.

This ransomware strain emerged in September 2020, but the threat actors behind already managed to lock quite big companies, such as game developers Crytek, booksellers Barnes & Noble, and most recently a retail giant Cencosud from Chile.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators, whose campaigns have been described in Group-IB blog post in May.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock.

Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe. Hence, all of the above considered, Group-IB experts assess it’s very likely that QakBot operators have switched from ProLock to Egregor ransomware.

Geography and victims

The gang behind Egregor followed in Maze’s footsteps, who called it quits not long ago. Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand registered by the Group-IB team so far was at $4 million worth of BTC.

In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Inside Egregor

While TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique.

Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you don’t have command-line arguments provided by the attacker. Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

“Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations,” said Oleg Skulkin, senior DFIR analyst at Group-IB.

“At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with high success rate. It’s important to note, that the fact many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates”.

56% of organizations faced a ransomware attack, many paid the ransom

There’s a continued proliferation of ransomware, heightened concerns around nation-state actors, and the need for acceleration of both digital and security transformation, a CrowdStrike survey reveals.

faced ransomware attack

Proliferation of ransomware leads to more frequent payouts, costing millions

Survey data indicates ransomware attacks have proven to be especially effective, as 56% of organizations surveyed have suffered a ransomware attack in the last year. The COVID-19 pandemic catalyzed increasing concerns around ransomware attacks, with many organizations resorting to paying the ransom.

The global attitude shifts from a question of if an organization will experience a ransomware attack to a matter of when an organization will inevitably pay a ransom. Notable findings include:

  • Concern around ransomware attacks continues to increase, with the stark increase in this year’s findings (54%) compared to 2019 (42%) and 2018 (46%).
  • 71% of cybersecurity experts globally are more worried about ransomware attacks due to COVID-19.
  • Among those hit by ransomware, 27% chose to pay the ransom, costing organizations on average $1.1 million USD owed to hackers.
  • The APAC region is suffering the most when paying the ransom with the highest average payout at $1.18 million USD, followed by EMEA at $1.06 million and the U.S. at $0.99 million.

Fear of nation-state cyberattacks can stifle business growth in post COVID-19 world

Nation-state activity continues to weigh heavily on IT decision makers, as 87% of respondents agree that nation-state sponsored cyberattacks are far more common than people think.

As growing international tensions and the global election year have created a nesting ground for increased nation-state activity, organizations are under increased pressure to resume operations despite the increased value of intellectual property and vulnerabilities caused by COVID-19. Key highlights include:

  • Even with the massive rise in eCrime over the course of 2020, 73% believe nation-state sponsored cyberattacks will pose the single biggest threat to organizations like theirs in 2021. In fact, concerns around nation-states have steadily increased, as 63% of cybersecurity experts view nation-states as one of the cyber criminals most likely to cause concern, consistently rising from 2018 (54%) and 2019 (59%).
  • 89% are fearful that growing international tensions (e.g. U.S.-China trade war) are likely to result in a considerable increase in cyber threats for organizations.
  • Approximately two in five IT security professionals believe a nation-state cyberattack on their organization would be motivated by intelligence (44%) or to take advantage of vulnerabilities caused by COVID-19 (47%).

Digital and security transformation accelerated as business priority

In the wake of these threats, cybersecurity experts have accelerated their digital and security transformation efforts to address the growing activity from eCrime and nation-state actors.

While spend on digital transformation continues to trend upward, the COVID-19 pandemic accelerated the timeline for many organizations, costing additional investment to rapidly modernize security tools for the remote workforce. Security transformation rollout findings include:

  • 61% of respondents’ organizations have spent more than $1 million on digital transformation over the past three years.
  • 90% of respondents’ organizations have spent a minimum of $100,000 to adapt to the COVID-19 pandemic.
  • 66% of respondents have modernized their security tools and/or increased the rollout of cloud technologies as employees have moved to work remotely.
  • 78% of respondents have a more positive outlook on their organization’s overarching security strategy and architecture over the next 12 months.

“This year has been especially challenging for organizations of all sizes around the world, with both the proliferation of ransomware and growing tensions from nation-state actors posing a massive threat to regions worldwide,” said Michael Sentonas, CTO, CrowdStrike.

“Now more than ever, organizations are finding ways to rapidly undergo digital transformation to bring their security to the cloud in order to keep pace with modern-day threats and secure their ‘work from anywhere’ operations.

Cybersecurity teams around the globe are making strides in improving their security posture by moving their security infrastructure to the cloud and remaining diligent in their incident detection, response and remediation practices.”

Attacks on biotech and pharmaceutical industry escalate

Attacks on the biotech and pharmaceutical industry had increased by 50% between 2019 and 2020, according to a BlueVoyant report.

attacks biotech

The report highlighted that nation-states are ramping up cyber attacks on companies that are developing vaccines, and this is likely to increase as production and distribution gets underway.

The analysis examined open source records of 25 publicly reported attacks that have taken place in the last four years. It set out to define key risks and how COVID-19 has changed the threat landscape.

Establishing that ransomware is still the number one threat vector for this industry, the report identifies the key risks that companies face and the steps they need to take to mitigate these.

Key findings

  • The number one emerging threat in 2020 is nation-state espionage aimed at stealing COVID-19 vaccine research data. That said, the top threat overall is still ransomware.
  • COVID-19 vaccines are the crown jewels in 2020 with eight of the most prominent companies in the race for a vaccine facing high volumes of targeted malicious attacks. These are often out of proportion to their size and larger attack volumes than well-known pharmaceutical giants.
  • Biotech and pharmaceutical companies are under daily attacks which include brute force, phishing attempts, and targeting of vulnerable web applications.
  • Attacks are escalating. Of the 25 attacks reported to the media since 2017, 10 (40%) took place in 2020.
  • Key defenses against such attacks such as securing open remote desktop access ports and phishing security had not been implemented across most of the observed companies.
  • 80% of the 20 companies analyzed showed signs of more targeted attack activity.

Commenting on the research, Jim Penrose, COO, BlueVoyant said: “Pharmaceutical companies develop highly lucrative IP, they handle large amounts of patient and healthcare data and as such are a prime target for criminals looking to compromise, steal and exploit information. Now they face an even more elevated risk environment in the current pandemic as well-resourced nation-state actors mount aggressive and focused campaigns.

“Most organizations in this sector are significantly scaling up their digital platforms but cyber posture lags. They need to continuously monitor new attack vectors. Importantly, once they have secured their own systems, they need to look outward to supply chain cybersecurity because this sector, more than most industries, has interconnected digital business ecosystems with many supply chain dependencies. Supply chain cybersecurity is a critical step in ensuring against third-party cyber risk.”

Key implications

  • First, 80% of companies targeted experienced malicious, intentional and focused efforts. Even more troubling, 7 out of 20 showed signs of compromise.
  • Second, attackers used automated tools and infrastructure and three quarters used programmatic brute force attacks, meaning they had acquired a credential database and then bought an automated program to target specific companies.
  • Third, these incidents occurred without regard to company size, area of focus or geography. The wide distribution of attacks did not follow a clear pattern, which means that organizations were under attack from sophisticated and knowledgeable cyber actors.

Jim Rosenthal, CEO, BlueVoyant, concludes: “The ongoing effort to find a vaccine and cure for COVID-19 is an endeavor we all want to succeed. The high level of cyber risk associated with the firms working on this critical mission ought to be a call for action to take immediate measures to drive down cyber risk.

“Around the globe all citizens want peace of mind that these firms will guarantee confidentiality, integrity, and availability in their research, development, manufacturing, and data management activities as they race against the clock to deliver life-saving breakthroughs.

“We have recently seen the first death of a patient in Germany attributed to ransomware paralysing a hospital’s networks. We need to ensure that the growing surge of attacks against the pharmaceutical sector does not disrupt the delivery of healthcare, and the production and distribution of COVID- 19 vaccines in 2021.”

A perspective on security threats and trends, from inception to impact

Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021.

security threats and trends

Increased gap between ransomware operators

The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands.

In 2020, such families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.

Another ransomware trend is “secondary extortion,” where alongside the data encryption the attackers steal and threaten to publish sensitive or confidential information, if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.

“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels,’” said Chester Wisniewski, principal research scientist, Sophos.

“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place.

“In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’ threat report this year are likely to continue into 2021.”

Everyday threats demand serious security attention

Everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention. Such threats can seem like low level malware noise, but they are designed to secure a foothold in a target, gather essential data and share data back to a command-and-control network that will provide further instructions.

If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware.

“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analyzed, it is clear that defenders need to take these attacks seriously, because of where they might lead.

“Any infection can lead to every infection. Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski.

“They may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”

Adversaries evading detection and security measures

All ranks of adversaries will increasingly abuse legitimate tools, well known utilities and common network destinations to evade detection and security measures and thwart analysis and attribution.

The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware.

For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.

“The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ review of the threat landscape during 2020. This technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own,” said Wisniewski.

“Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place. To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway.”

Additional trends

  • Attacks on servers: adversaries have targeted server platforms running both Windows and Linux, and leveraged these platforms to attack organizations from within
  • The impact of the COVID-19 pandemic on IT security, such as the security challenges of working from home using personal networks protected by widely varying levels of security
  • The security challenges facing cloud environments: cloud computing has successfully borne the brunt of a lot of the enterprise needs for secure computing environments, but faces challenges different to those of a traditional enterprise network
  • Common services like RDP and VPN concentrators, which remain a focus for attacks on the network perimeter. Attackers also use RDP to move laterally within breached networks
  • Software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but engaged in tactics that are increasingly indistinguishable from overt malware
  • The surprising reappearance of an old bug, VelvetSweatshop – a default password feature for earlier versions of Microsoft Excel – used to conceal macros or other malicious content in documents and evade advanced threat detection
  • The need to apply approaches from epidemiology to quantify unseen, undetected and unknown cyberthreats in order to better bridge gaps in detection, assess risk and define priorities

Multi-cloud environments leaving businesses at risk

Businesses around the globe are facing challenges as they try to protect data stored in complex hybrid multi-cloud environments, from the growing threat of ransomware, according to a Veritas Technologies survey.

multi-cloud environments risk

Only 36% of respondents said their security has kept pace with their IT complexity, underscoring the need for greater use of data protection solutions that can protect against ransomware across the entirety of increasingly heterogenous environments.

Need to pay ransoms

Typically, if businesses fall foul to ransomware and are not able to restore their data from a backup copy of their files, they may look to pay the hackers responsible for the attack to return their information.

The research showed companies with greater complexity in their multi-cloud infrastructure were more likely to make these payments. The mean number of clouds deployed by those organizations who paid a ransom in full was 14.06. This dropped to 12.61 for those who paid only part of the ransom and went as low as 7.22 for businesses who didn’t pay at all.

In fact, only 20% of businesses with fewer than five clouds paid a ransom in full, 44% for those with more than 20. This compares with 57% of the under-fives paying nothing to their hackers and just 17% of the over-20s.

Slow recovery times

Complexity in cloud architectures was also shown to have a significant impact on a business’s ability to recover following a ransomware attack. While 43% of those businesses with fewer than five cloud providers in their infrastructure saw their business operations disrupted by less than one day, only 18% of those with more than 20 were as fast to return to normal.

Moreover, 39% of the over-20s took 5-10 days to get back on track, with just 16% of the under-fives having to wait so long.

Inability to restore data

Furthermore, according to the findings of the research, greater complexity in an organization’s cloud infrastructure, also made it slightly less likely that they would ever be able to restore their data in the event of a ransomware attack.

While 44% of businesses with fewer than five cloud providers were able to restore 90% or more of their data, just 40% of enterprises building their infrastructure on more than 20 cloud services were able to say the same.

John Abel, SVP and CIO at Veritas said: “The benefits of hybrid multi-cloud are increasingly being recognised in businesses around the world. In order to drive the best experience, at the best price, organizations are choosing best-of-breed cloud solutions in their production environments, and the average company today is now using nearly 12 different cloud providers to drive their digital transformation.

“However, our research shows many businesses’ data protection strategies aren’t keeping pace with the levels of complexity they’re introducing and, as a result, they’re feeling the impact of ransomware more acutely.

“In order to insulate themselves from the financial and reputational damage of ransomware, organizations need to look to data protection solutions that can span their increasingly heterogenous infrastructures, no matter how complex they may be.”

Businesses recognize the challenge

The research revealed that many businesses are aware of the challenge they face, with just 36% of respondents believing their security had kept pace with the complexity in their infrastructure.

The top concern as a result of this complexity, as stated by businesses, was the increased risk of external attack, cited by 37% of all participants in the research.

Abel continued: “We’ve heard from our customers that, as part of their response to COVID, they rapidly accelerated their journey to the cloud. Many organizations needed to empower homeworking across a wider portfolio of applications than ever before and, with limited access to their on-premise IT infrastructure, turned to cloud deployments to meet their needs.

“We’re seeing a lag between the high-velocity expansion of the threat surface that comes with increased multi-cloud adoption, and the deployment of data protection solutions needed to secure them. Our research shows some businesses are investing to close that resiliency gap – but unless this is done at greater speed, companies will remain vulnerable.”

Need for investment

46% of businesses shared they had increased their budgets for security since the advent of the COVID-19 pandemic. There was a correlation between this elevated level of investment and the ability to restore data in the wake of an attack: 47% of those spending more since the Coronavirus outbreak were able to restore 90% or more of their data, compared with just 36% of those spending less.

The results suggest there is more to be done though, with the average business being able to restore only 80% of its data.

Back to basics

While the research indicates organizations need to more comprehensively protect data in their complex cloud infrastructures, the survey also highlighted the need to get the basics of data protection right too.

Only 55% of respondents could claim they have offline backups in place, even though those who do are more likely to be able to restore more than 90% of their data. Those with multiple copies of data were also better able to restore the lion’s share of their data.

Forty-nine percent of those with three or more copies of their files were able to restore 90% or more of their information, compared with just 37% of those with only two.

The three most common data protection tools to have been deployed amongst respondents who had avoided paying ransoms were: anti-virus, backup and security monitoring, in that order.

Global trends

The safest countries to be in to avoid ransomware attacks, the research revealed, were Poland and Hungary. Just 24% of businesses in Poland had been on the receiving end of a ransomware attack, and the average company in Hungary had only experienced 0.52 attacks ever.

The highest incident of attack was in India, where 77% of businesses had succumbed to ransomware, and the average organization had been hit by 5.27 attacks.

Ransomware still the most common cyber threat to SMBs

Ransomware still remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals.

ransomware SMBs

More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches.

The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly six times higher than it was in 2018 increasing from $46,800 to $274,200 over the past two years, according to Datto’s research. Phishing, poor user practices, and lack of end user security training continue to be the main causes of successful ransomware attacks.

The survey also revealed the following:

  • MSPs a target: 95% of MSPs state their own businesses are more at risk. Likely due to increasing sophistication and complexity of ransomware attacks, almost half (46%) of MSPs now partner with specialized Managed Security Service Providers (MSSPs) for IT security assistance – to protect both their clients and their own businesses.
  • SMBs spend more on security: 50% of MSPs said their clients had increased their budgets for IT security in 2020, perhaps indicating awareness of the ransomware threat is growing.
  • Average cost of downtime continues to overshadow actual ransom amount: Downtime costs related to ransomware are now nearly 50X greater than the ransom requested.
  • Business continuity and disaster recovery (BCDR) remains the number one solution for combating ransomware, with 91% of MSPs reporting that clients with BCDR solutions in place are less likely to experience significant downtime during an attack. Employee training and endpoint detection and response platforms ranked second and third in tackling ransomware.

The impact of COVID-19 on ransomware and the cost of security disruptions

During the pandemic, the move to remote working and the accelerated adoption of cloud applications have increased security risks for businesses. More than half (59%) of MSPs said remote work due to COVID-19 resulted in increased ransomware attacks, and 52% of MSPs reported that shifting client workloads to the cloud increased security vulnerabilities.

As a result, SMBs need to take precautions to avoid the costly disruptions that occur in the aftermath of an attack. The survey also determined that healthcare was the most vulnerable industry during the pandemic (59%).

“Now more than ever organizations need to be vigilant in their approach to cybersecurity, especially in the healthcare industry as it’s managing and handling the most sensitive (and for criminals the most valuable) private data,” said Travis Lass, President of XLCON.

“The majority of our clients are small healthcare clinics, with no in-house IT. As ransomware attacks continue to increase, it’s critical we do everything we can to support them by arming them with best-in-class technology that will fend off malicious attackers looking to take advantage of the already fragile state of the healthcare industry.”

Top three ways ransomware is attacking entities

  • Phishing emails. 54% of MSPs report these as the most successful ransomware attack vector. The social engineering tactics used to deceive victims have become very sophisticated, making it vital for SMBs to offer extensive and consistent end user security education that goes beyond the basics of identifying phishing attacks.
  • Software-as-a-Service (SaaS) applications. Nearly one in four MSPs reported ransomware attacks on clients’ SaaS applications, with Microsoft being hit the hardest at 64%. These attacks mean that SMBs must consider the vulnerability of their cloud applications when planning their IT security measures and budgets.
  • Windows endpoint systems applications. These are the most targeted by hackers, with 91% of ransomware attacks targeting Windows PCs this year.

“The COVID-19 pandemic has accelerated the need for stronger security measures as remote working and cloud applications increase in prevalence,” remarked Ryan Weeks, CISO at Datto.

“Reducing the risk of cyberattacks requires a multi-layered approach rather than a single product – awareness, education, expertise, and purpose-built solutions all play a key role.

“The survey highlights how MSPs are taking the extra step to partner with MSSPs that can offer more security-focused experience, along with a more widespread use of security measures like SSO and 2FA – these are critical strategies businesses and municipalities need to adopt to protect themselves from cyber threats now and in the future.”

Malware activity spikes 128%, Office document phishing skyrockets

Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future.

malware activity q3 2020

Threat actors becoming even more ruthless

The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.

“We continue to see attackers use newsjacking and typosquatting techniques to attack organizations with ransomware, especially this quarter with the Presidential election and schools moving to a virtual learning model,” said John Ayers, Nuspire Chief Strategy Product Officer.

“It’s important for organizations to understand the latest threat landscape is changing so they can better prepare for current themes and better understand their risk.”

Increase in malware activity

There has been a significant increase in malware activity over the course of Q3 2020; the 128% increase from Q2 represents more than 43,000 malware variants detected a day.

As Emotet made a significant appearance, new features in Emotet modules were discovered, implying the group will likely continue operations throughout the remainder of the next quarter to successfully gauge the viability of these new features.

“Intelligence is key to identifying these top threats like Emotet,” said Greg Lesnewich, Senior Intelligence Analyst, Recorded Future.

“Keeping a vigilant eye on how threats evolve, grow and adapt over time helps us understand how threat actors have been retooling their tactics. It’s more important than ever to consistently have visibility into the threat landscape.”

Additional findings

  • The ZeroAccess botnet made another big appearance in Q3. It resurged in Q2, coming in second for most used botnet, but then went quiet towards the end of Q2, coming back up in Q3.
  • Office document phishing skyrocketed during the second half of Q3, which could be due to the upcoming election, or because attackers have just finished retooling.
  • Ransomware attack on the automotive industry is on the rise. At the end of Q3 2020, references have already surpassed the 2019 total at 18,307, an increase of 79.15% with Q4 still remaining.
  • H-Worm Botnet, also known as Houdini, Dunihi, njRAT, NJw0rm, Wshrat, and Kognito, surged to the top of witnessed Botnet traffic for Q3 from the actors behind the botnet by deploying instances of Remote Access Trojans (RATs) using COVID-19 phishing lures and executable names.

Ransomware Group Turns to Facebook Ads

It’s bad enough that many ransomware gangs now have blogs where they publish data stolen from companies that refuse to make an extortion payment. Now, one crime group has started using hacked Facebook accounts to run ads publicly pressuring their ransomware victims into paying up.

On the evening of Monday, Nov. 9, an ad campaign apparently taken out by the Ragnar Locker Team began appearing on Facebook. The ad was designed to turn the screws to the Italian beverage vendor Campari Group, which acknowledged on Nov. 3 that its computer systems had been sidelined by a malware attack.

On Nov. 6, Campari issued a follow-up statement saying “at this stage, we cannot completely exclude that some personal and business data has been taken.”

“This is ridiculous and looks like a big fat lie,” reads the Facebook ad campaign from the Ragnar crime group. “We can confirm that confidential data was stolen and we talking about huge volume of data.”

The ad went on to say Ragnar Locker Team had offloaded two terabytes of information and would give the Italian firm until 6 p.m. EST today (Nov. 10) to negotiate an extortion payment in exchange for a promise not to publish the stolen files.

The Facebook ad blitz was paid for by Hodson Event Entertainment, an account tied to Chris Hodson, a deejay based in Chicago. Contacted by KrebsOnSecurity, Hodson said his Facebook account indeed was hacked, and that the attackers had budgeted $500 for the entire campaign.

“I thought I had two-step verification turned on for all my accounts, but now it looks like the only one I didn’t have it set for was Facebook,” Hodson said.

Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents. Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.

The results of the unauthorized Facebook ad campaign. Image: Chris Hodson.

It’s not clear whether this was an isolated incident, or whether the fraudsters also ran ads using other hacked Facebook accounts. A spokesperson for Facebook said the company is still investigating the incident. A request for comment sent via email to Campari’s media relations team was returned as undeliverable.

But it seems likely we will continue to see more of this and other mainstream advertising efforts by ransomware groups going forward, even if victims really have no expectation that paying an extortion demand will result in criminals actually deleting or not otherwise using stolen data.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said some ransomware groups have become especially aggressive of late in pressuring their victims to pay up.

“They have also started to call victims,” Wosar said. “They’re outsourcing to Indian call centers, who call victims asking when they are going to pay or have their data leaked.”

Paying a ransom to prevent leaking of stolen data is a risky gamble

Ransomware groups have realized that their tactics are also very effective for targeting larger enterprises, and this resulted in a 31% increase of the average ransom payment in Q3 2020 (reaching $233,817), ransomware IR provider Coveware shared in a recently released report.

They also warned that cases where the attackers exfiltrated data and asked for an additional ransom to delete it have doubled in the same period, but that paying up is a definite gamble.

“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data,” they noted.

The data cannot be credibly deleted, it’s not secured and is often shared with other parties, they said. Various ransomware groups have posted the stolen data online despite having been paid to not release it or have demanded another payment at a later date.

ransom payment

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future,” the company said.

“The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”

Other findings

Coveware’s analyst also found that improperly secured Remote Desktop Protocol (RDP) connections and compromised RDP credentials are the most prevalent way in for ransomware gangs, followed by email phishing and software vulnerabilities.

ransom payment

What’s interesting is that the “popularity” of RDP as an attack vector declines as the size of the target companies increases, bacuse larger companies are typically wise enough to secure it. The attackers must then switch to using more pricy means: RDP credentials can be purchased for less than $50, but email phishing campaigns and vulnerability exploits require more effort and time/money – even if they are performed by another attacker who then sells the access to the gang.

“The foothold created by the phishing email or CVE exploit is used to escalate privileges until the attacker can command a domain controller with senior administrative privileges. Once that occurs, the company is fully compromised and data exfiltration + ransomware are likely to transpire within hours or days,” they explained.

Companies/organizations in every industry can be a target, but attackers seem to prefer those in the professional services industry, healthcare and the public sector:

ransom payment

Why Paying to Delete Stolen Data is Bonkers

Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway.

The findings come in a report today from Coveware, a company that specializes in helping firms recover from ransomware attacks. Coveware says nearly half of all ransomware cases now include the threat to release exfiltrated data.

“Previously, when a victim of ransomware had adequate backups, they would just restore and go on with life; there was zero reason to even engage with the threat actor,” the report observes. “Now, when a threat actor steals data, a company with perfectly restorable backups is often compelled to at least engage with the threat actor to determine what data was taken.”

Coveware said it has seen ample evidence of victims seeing some or all of their stolen data published after paying to have it deleted; in other cases, the data gets published online before the victim is even given a chance to negotiate a data deletion agreement.

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the report continues. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.”

Image: Coveware Q3 2020 report.

The company said it advises clients never to pay a data deletion ransom, but rather to engage competent privacy attorneys, perform an investigation into what data was stolen, and notify any affected customers according to the advice of counsel and application data breach notification laws.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said ransomware victims often acquiesce to data publication extortion demands when they are trying to prevent the public from learning about the breach.

“The bottom line is, ransomware is a business of hope,” Wosar said. “The company doesn’t want the data to be dumped or sold. So they pay for it hoping the threat actor deletes the data. Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated.”

Ransomware victims who pay for a digital key to unlock servers and desktop systems encrypted by the malware also are relying on hope, Wosar said, because it’s also not uncommon that a decryption key fails to unlock some or all of the infected machines.

“When you look at a lot of ransom notes, you can actually see groups address this very directly and have texts that say stuff along the lines of, Yeah, you are fucked now. But if you pay us, everything can go back to before we fucked you.’”

Ryuk ransomware behind one third of all ransomware attacks in 2020

There’s a growing use of ransomware, encrypted threats and attacks among cybercriminals leveraging non-standard ports, while overall malware volume declined for the third consecutive quarter, SonicWall reveals.

ryuk ransomware

“For most of us, 2020 has been the year where we’ve seen economies almost stop, morning commutes end and traditional offices disappear,” said Bill Conner, President and CEO, SonicWall.

“However, the overnight emergence of remote workforces and virtual offices has given cybercriminals new and attractive vectors to exploit. These findings show their relentless pursuit to obtain what is not rightfully theirs for monetary gain, economic dominance and global recognition.”

Key findings include:

  • 39% decline in malware (4.4 billion YTD); volume down for third consecutive quarter
  • 40% surge in global ransomware (199.7 million)
  • 19% increase in intrusion attempts (3.5 trillion)
  • 30% rise in IoT malware (32.4 million)
  • 3% growth of encrypted threats (3.2 million)
  • 2% increase in cryptojacking (57.9 million)

Malware volume dipping as attacks more targeted, diversified

While malware authors and cybercriminals are still busy working to launch sophisticated cyberattacks, the research concludes that overall global malware volume continues steadily decline in 2020. In a year-over-year comparison through the third quarter, researchers recorded 4.4 billion malware attacks — a 39% drop worldwide.

Regional comparisons show India (-68%) and Germany (-64%) have once again seen a considerable drop-rate percentage, as well as the United States (-33%) and the United Kingdom (-44%). Lower numbers of malware do not mean it is going away entirely. Rather, this is part of a cyclical downturn that can very easily right itself in a short amount of time.

Ransomware erupts, Ryuk responsible for third of all attacks

Ransomware attacks are making daily headlines as they wreak havoc on enterprises, municipalities, healthcare organizations and educational institutions. Researchers tracked aggressive growth during each month of Q3, including a massive spike in September.

While sensors in India (-29%), the U.K. (-32%) and Germany (-86%) recorded decreases, the U.S. saw a staggering 145.2 million ransomware hits — a 139% YoY increase.

Notably, researchers observed a significant increase in Ryuk ransomware detections in 2020. Through Q3 2019, just 5,123 Ryuk attacks were detected. Through Q3 2020, 67.3 million Ryuk attacks were detected — 33.7% of all ransomware attacks this year.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall VP, Platform Architecture, Dmitriy Ayrapetov.

“The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that its infested with several types of malware.”

IoT dependency grows along with threats

COVID-19 led to an unexpected flood of devices on networks, resulting in an increase of potential threats to companies fighting to remain operational during the pandemic. A 30% increase in IoT malware attacks was found, a total of 32.4 million world-wide.

Most IoT devices — including voice-activated smart devices, door chimes, TV cameras and appliances — were not designed with security as a top priority, making them susceptible to attack and supplying perpetrators with numerous entry points.

“Employees used to rely upon the safety office networks provided, but the growth of remote and mobile workforces has extended distributed networks that serve both the house and home office,” said Conner.

“Consumers need to stop and think if devices such as AC controls, home alarm systems or baby monitors are safely deployed. For optimum protection, professionals using virtual home offices, especially those operating in the C-suite, should consider segmenting home networks.”

Threat intelligence data also concluded that while cryptojacking (57.9 million), intrusion attempts (3.5 trillion) and IoT malware threats (32.4 million) are trending with first-half volume reports, they continue to pose a threat and remain a source of opportunity for cybercriminals.

Top tasks IT professionals are spending more time on

LogMeIn released a report that reveals the current state of IT in the new era of remote work. The report quantifies the impact of COVID-19 on IT roles and priorities for small to medium-sized businesses.

top tasks IT professionals

The study reveals the massive shift in the day-to-day work of IT professionals, and the broader impact of the transition to remote work for the majority of businesses.

The report uncovers how the budgets, priorities, and functions of IT teams at small and medium-sized businesses continue to be shaped by ongoing global upheaval and uncertainty and provides insights into how IT professionals are adapting their roles and teams to these challenges.

Virtual tasks and security concerns demand more IT time

With the onset of COVID-19, the types of tasks that filled a typical IT team member’s day changed significantly. The research found that 67 percent of respondents said they spend more time on virtual tasks like team web meetings, remotely accessing employee devices (66 percent) and customer web meetings (52 percent).

Security also gained increased focus, with 54 percent spending more time managing IT security threats and 54 percent developing new security protocols. 47 percent of IT professionals are spending 5 to 8 hours per day on IT security, compared to 35% in 2019.

The increased complexities of BYOD and BYOA (Bring-Your-Own-Devices and Access) work environments combined with advancements in cyberattacks have increasingly monopolized the focus of IT professionals.

IT is most worried about a breach

The top IT security concerns continue to be data breaches (cloud, internal, and external), malware, employee behavior, and ransomware. With cloud technology and adoption skyrocketing over the years, fear of a cloud data security breach has increased significantly just in the past two years, with 40% of IT professionals expressing concern in 2018 and 53% citing it as a top security concern in 2020.

Another higher priority concern in 2020 compared to previous years is ‘Rapidly evolving business technology practices’ with 29 percent of IT professionals stating it’s a top security concern in 2020, compared to only 20 percent in 2019.

Lack of budget is the greatest barrier to keeping up with trends in IT

35 percent of IT professionals agree that a lack of budget is the biggest challenge their company is facing in trying to keep up with IT trends. IT training, lack of IT staff, lack of control over a remote workforce, and IT staff resistance to change are all seen as the most common reasons IT teams are struggling to adapt to changes in their field.

With limited budget, IT teams must implement solutions that enable them to do more with less and prioritize implementing tools with security, automation, and monitoring functionality.

Software facilitating remote collaboration and management proved most valuable to IT

Given that it was no longer possible to stop by an employee’s desk to address any issues, 38 percent of IT teams prioritized remote access software first during the COVID-19 pandemic.

With employees working from home, having a way to collaborate with colleagues became mission-critical, so it’s not surprising that one third of IT respondents prioritized meeting and communications software.

“Despite the impact many teams experienced from COVID-19 – from budget, to resource allocation, to project priorities – many teams are now more prepared,” said Ian Pitt, CIO at LogMeIn.

“This data shows that the pandemic has led to improved training for IT and employees, ensuring all employees have the appropriate hardware and software, and even installed multifactor authentication for improved security.”

Breaches down 51%, exposed records set new record with 36 billion so far

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.

records exposed 2020

“The quagmire that formed in the breach landscape this Spring has continued through the third quarter of the year,” commented Inga Goddijn, Executive VP at Risk Based Security.

“Breach disclosures continue to be well below the high water mark established just last year despite other research indicating the number of attacks are on the rise. How do we square these two competing views into the digital threat landscape?”

Factors contributing to the decline in publicly reported breaches

The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.

“We believe that the pivot by malicious actors to more lucrative ransomware attacks is another factor,” Goddijn commented.

“While many of these attacks are now clearly breach events, the nature of the data compromised can give some victim organizations a reprieve from reporting the incident to regulators and the public.

records exposed 2020

“After all, while the compromised data may be sensitive to the target organization, unless it contains a sufficient amount of personal data to trigger a notification obligation the event can go unreported.”

The Risk Based Security report covers the data breaches reported between January 1, 2020 and September 30, 2020. In addition to the latest breach data research, the report also dissects alarming trends involving the coming November election, where several US voter databases have been shared and discussed on both Russian and English speaking hacking forums.

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The warning came less than two days after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.

One participant on the government conference call today said the agencies offered few concrete details of how healthcare organizations might better protect themselves against this threat actor or purported malware campaign.

“They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything suspicious’,” said a healthcare industry veteran who sat in on the discussion.

However, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk. That’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called “command and control” servers used to transmit data between and among compromised systems.

Nevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the group by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest exploitation tactics.

Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,” Carmakal said.

One health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition of anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go beyond the scope of any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities.

So far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have been a handful of hospitals dealing with ransomware attacks in the past few days.

Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems.

WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence Health System led to computer infections at Caton-Potsdam, Messena and Gouverneur hospitals.

SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain operations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the metro area.

NBC5 reports The University of Vermont Health Network is dealing with a “significant and ongoing system-wide network issue” that could be a malicious cyber attack.

This is a developing story. Stay tuned for further updates.

Update, 10:11 p.m. ET: The FBI, DHS and HHS just jointly issued an alert about this, available here.

Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.

Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company’s internal network remotely.

Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Earlier this week, Swedish news agency Dagens Nyheter confirmed that hackers recently published online at least 38,000 documents stolen from Gunnebo’s network. Linus Larsson, the journalist who broke the story, says the hacked material was uploaded to a public server during the second half of September, and it is not known how many people may have gained access to it.

Larsson quotes Gunnebo CEO Stefan Syrén saying the company never considered paying the ransom the attackers demanded in exchange for not publishing its internal documents. What’s more, Syrén seemed to downplay the severity of the exposure.

“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO reportedly said. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore a drawing with camera placements in itself is not very sensitive.”

It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well.

After this author posted a request for contact from Gunnebo on Twitter, KrebsOnSecurity heard from Rasmus Jansson, an account manager at Gunnebo who specializes in protecting client systems from electromagnetic pulse (EMP) attacks or disruption, short bursts of energy that can damage electrical equipment.

Jansson said he relayed the stolen credentials to the company’s IT specialists, but that he does not know what actions the company took in response. Reached by phone today, Jansson said he quit the company in August, right around the time Gunnebo disclosed the thwarted ransomware attack. He declined to comment on the particulars of the extortion incident.

Ransomware attackers often spend weeks or months inside of a target’s network before attempting to deploy malware across the network that encrypts servers and desktop systems unless and until a ransom demand is met.

That’s because gaining the initial foothold is rarely the difficult part of the attack. In fact, many ransomware groups now have such an embarrassment of riches in this regard that they’ve taken to hiring external penetration testers to carry out the grunt work of escalating that initial foothold into complete control over the victim’s network and any data backup systems  — a process that can be hugely time consuming.

But prior to launching their ransomware, it has become common practice for these extortionists to offload as much sensitive and proprietary data as possible. In some cases, this allows the intruders to profit even if their malware somehow fails to do its job. In other instances, victims are asked to pay two extortion demands: One for a digital key to unlock encrypted systems, and another in exchange for a promise not to publish, auction or otherwise trade any stolen data.

While it may seem ironic when a physical security firm ends up having all of its secrets published online, the reality is that some of the biggest targets of ransomware groups continue to be companies which may not consider cybersecurity or information systems as their primary concern or business — regardless of how much may be riding on that technology.

Indeed, companies that persist in viewing cyber and physical security as somehow separate seem to be among the favorite targets of ransomware actors. Last week, a Russian journalist published a video on Youtube claiming to be an interview with the cybercriminals behind the REvil/Sodinokibi ransomware strain, which is the handiwork of a particularly aggressive criminal group that’s been behind some of the biggest and most costly ransom attacks in recent years.

In the video, the REvil representative stated that the most desirable targets for the group were agriculture companies, manufacturers, insurance firms, and law firms. The REvil actor claimed that on average roughly one in three of its victims agrees to pay an extortion fee.

Mark Arena, CEO of cybersecurity threat intelligence firm Intel 471, said while it might be tempting to believe that firms which specialize in information security typically have better cybersecurity practices than physical security firms, few organizations have a deep understanding of their adversaries. Intel 471 has published an analysis of the video here.

Arena said this is a particularly acute shortcoming with many managed service providers (MSPs), companies that provide outsourced security services to hundreds or thousands of clients who might not otherwise be able to afford to hire cybersecurity professionals.

“The harsh and unfortunate reality is the security of a number of security companies is shit,” Arena said. “Most companies tend to have a lack of ongoing and up to date understanding of the threat actors they face.”

Organizations struggle to obtain quality threat data to guide key security decisions

Organizations are often forced to make critical security decisions based on threat data that is not accurate, relevant and fresh, a Neustar report reveals.

security threat data

Just 60% of cybersecurity professionals surveyed indicate that the threat data they receive is both timely and actionable, and only 29% say the data they receive is both extremely accurate and relevant to the threats their organization is facing at that moment.

Few orgs basing decisions on near real-time data

With regard to the timeliness of threat data, only 27% of organizations are able to base their security decisions on near real-time data, while 25% say they receive updates hourly and another 24% receive updates several times per day.

“With the pandemic exacerbating the sheer volume of threats and the nature of remote workforces creating a broader range of vulnerabilities, it is more critical than ever that organizations have access to actionable, contextualized, near real-time threat data to power the network and application security tools they use to detect and block malicious actors,” said Rodney Joffe, Senior VP, Security CTO, Fellow at Neustar.

“A timely, actionable and highly relevant security threat data feed can help deliver curated insights to security teams, allowing them to better identify and mitigate risks such as malicious domain generation algorithms, suspicious DNS tunneling attempts, sudden activity by domains with little or no history, and hijacked or spoofed domains.”

Greatest concerns for security pros

According to the report, 37% of organizations state that they have been the victim of a successful domain spoofing attempt or domain hacking attempt (31%) within the last 12 months.

Findings from the latest NISC research also highlighted a 12.4-point year-on-year increase in the International Cyber Benchmarks Index. Calculated based on the changing level of threats and impact of cyberattacks, the index has maintained an upward trend since May 2017.

During July and August 2020, system compromise and distributed denial-of-service attacks (both 21%) were ranked as the greatest concerns for security professionals, followed by ransomware (20%) and theft of intellectual property (17%).

During this period, targeted hacking (63%) was most likely to be perceived as an increasing threat to organizations, followed by ransomware and DDoS attacks (both 62%). In this round of the survey, 72% of participating enterprises indicated that they had been on the receiving end of a DDoS attack at some point, compared to an average of 52% over the 20 survey rounds.