Tag: ransomware

By Amritesh Anaand, practice lead for Unified Communication at In2IT Technologies

Cybercrime is a growing threat to businesses globally, and South Africa is no exception. The country ranks third in the world for the highest number of users experiencing targeted ransomware attacks. No industries or sectors are immune, and a breach can cost companies millions in lost revenue, not to mention the cost (and time) to recover. Cyber insurance is a growing trend, aimed at helping mitigate the risk around cyber threats. However, while it can help businesses to handle some of the financial fallout from an attack, it is by no means a replacement for a comprehensive data management and protection strategy.

The rise of cyber insurance

The last decade has seen thousands of highly publicised and cost-heavy cyber incidents, which have impacted organisations across the globe as well as a range of industry sectors. Most recently in South Africa, the Department of Justice was hit by a ransomware attack in September, and the recovery from the attack is ongoing after several weeks. No company or industry is immune, and since businesses are heavily reliant on technology and data to operate, a successful ransomware attack can be devastating financially.

This is where cyber insurance comes in, helping to cover the primary risks associated with cyber incidents, including network security and privacy liability, network business interruption, media liability, and errors and omissions. Cyber insurance is designed to provide first- and third-party coverage to mitigate risk exposure by offsetting the costs involved with the recovery of cyber losses.

Cyber insurance is not a security strategy

Coverage from cyber insurance may include losses from network security breaches, data and systems recovery costs, legal expenses and third-party indemnification related to data breaches, as well as business interruption costs. However, financial risk is only one element of the cost associated with a cyberattack. The reputational damage, which no insurance policy can mitigate, can be devastating after the fact. In this instance, as with many others, prevention is always better than cure.

Preventing a breach of your network and its systems requires protection against a variety of cyberattacks. For each attack, the appropriate countermeasure must be deployed to deter it from exploiting a vulnerability or weakness. The first line of defence for any organisation is to assess and implement security controls, through a multi-layered security approach that considers the following six elements.

1. Education and awareness

One of the most common ways cybercriminals gain access to your data is through your employees. They’ll send fraudulent emails impersonating someone in your organisation and will either ask for personal details or for access to certain files. Links often seem legitimate to an untrained eye and it’s easy to fall into the trap. This is why employee awareness is vital.

2. Frequent software and systems updates

Often, cyberattacks happen because your systems or software aren’t fully up to date, leaving weaknesses. Cybercriminals exploit these weaknesses to gain access to your network. Once they are in, it’s often too late to take preventative action.

3. Endpoint protection

Mobile devices, tablets and laptops that are connected to corporate networks provide access paths for security threats. These paths need to be protected with specific endpoint protection software.

4. Data security

There are so many different types of sophisticated data breaches, and new ones surface every day while old ones make comebacks. Putting your network behind a firewall is one of the most effective ways to defend yourself from cyberattack. A firewall system will block brute force attacks made on your network and/or systems before they can do any damage.

5. Identity and access

Physical access remains a critical element, and having control over who can access your network is important. If somebody can simply walk into your office and plug a USB key containing infected files into one of your computers, giving them access to your entire network or allowing them to infect it, then your systems are not secure.

6. Strong password policies

Using the same password for everything can be dangerous. Once a hacker figures out your password, they have access to everything in your system and every application you use. Setting a different password for every application you use is a real benefit to your security, and changing them often will maintain a high level of protection against external and internal threats.

Insurance is the fallback

As with anything in life, insurance should be a last resort when all else has failed. It can help to mitigate some of the financial damage of an attack, but it cannot form the basis of a cybersecurity strategy, as this leaves businesses exposed in other areas, including compliance.

However, it can be difficult to know where to begin when it comes to protecting your business from cybercrime and cyberattacks. There is so much information out there that it can become overwhelming, especially as so much of it is interrelated. The right technology partner is essential to delivering a cybersecurity solution that works for a business and its employees.


Ransomware is now a one-delivery system

Sophos, a global leader in next-generation cybersecurity, has published the Sophos 2022 Threat Report, which shows how the gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system – with significant implications for IT security.

The report provides a unique multi-dimensional perspective on security threats and trends facing organisations in 2022.

The Sophos 2022 Threat Report analyses the following key trends:

1. Over the coming year, the ransomware landscape will become both more modular and more uniform, with attack “specialists” offering different elements of an attack “as-a-service” and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks. According to Sophos researchers, attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates. Some of the most high-profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the U.S. by a DarkSide affiliate. An affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.

Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to Initial Access Brokers and malware delivery platforms to find and target potential victims. This is fuelling the second big trend anticipated by Sophos.

2. Established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware. In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.

3. The use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders catalogued 10 different types of pressure tactics, from data theft and exposure, to threatening phone calls, distributed denial of service (DDoS) attacks, and more.

4. Cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious cryptomining, and Sophos expects the trend will continue until global cryptocurrencies are better regulated. During 2021, Sophos researchers uncovered cryptominers such as Lemon Duck and the less common, MrbMiner, taking advantage of the access provided by newly reported vulnerabilities and targets already breached by ransomware operators to install cryptominers on computers and servers.

“Ransomware thrives because of its ability to adapt and innovate,” says Chester Wisniewski, principal research scientist at Sophos.

“For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators. They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies. This is distorting the cyberthreat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.

“It is no longer enough for organisations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks.”

Additional trends Sophos analysed include:

  • After the ProxyLogon and ProxyShell vulnerabilities were discovered (and patched) in 2021, the speed at which they were seized upon by attackers was such that Sophos expects to see continued attempts to mass-abuse IT administration tools and exploitable internet-facing services by both sophisticated attackers and run-of-the-mill cybercriminals
  • Sophos also expects cybercriminals to increase their abuse of adversary simulation tools, such as Cobalt Strike Beacons, mimikatz and PowerSploit. Defenders should check every alert relating to abused legitimate tools or combinations of tools, just as they would check a malicious detection, as it could indicate the presence of an intruder in the network
  • In 2021, Sophos researchers detailed a number of new threats targeting Linux systems and expect to see a growing interest in Linux-based systems during 2022, both in the cloud and on web and virtual servers
  • Mobile threats and social engineering scams, including Flubot and Joker, are expected to continue and diversify to target both individuals and organisations
  • The application of artificial intelligence to cybersecurity will continue and accelerate, as powerful machine learning models prove their worth in threat detection and alert prioritisation. At the same time, however, adversaries are expected to make increasing use of AI, progressing over the next few years from AI-enabled disinformation campaigns and spoof social media profiles to watering-hole attack web content, phishing emails and more as advanced deepfake video and voice synthesis technologies become available
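The advice above to treat combinations of alerts on abused legitimate tools (Cobalt Strike Beacons, mimikatz, PowerSploit) as seriously as a malware detection can be turned into a simple correlation rule. The following is an added example, not Sophos code: it runs over constructed alert lines in an assumed `time|host|alert name|severity` format and flags any host that raises alerts for two or more distinct watched tools within a time window.

```python
"""Per-host correlation of 'abused legitimate tool' alerts.

Added example (not Sophos code). Alert lines and their format are
constructed for illustration; real EDR/SIEM exports will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names the report lists as adversary-simulation tools abused by attackers.
WATCHED_TOOLS = ("cobalt strike beacon", "mimikatz", "powersploit")

# Constructed sample alerts: ISO time | host | alert name | severity
SAMPLE_ALERTS = """\
2022-01-10T09:01:00|WS-ACCT-07|Suspicious PowerShell: PowerSploit module load|low
2022-01-10T09:03:30|WS-ACCT-07|Credential dumping tool: mimikatz|medium
2022-01-10T09:04:10|SRV-FILE-01|Blocked: EICAR test file|info
2022-01-10T11:20:00|WS-HR-02|Cobalt Strike Beacon traffic pattern|medium
2022-01-11T08:00:00|WS-HR-02|Suspicious PowerShell: PowerSploit module load|low
2022-01-10T09:40:00|WS-ACCT-07|Cobalt Strike Beacon traffic pattern|medium
"""


def parse_alerts(text):
    """Parse the constructed pipe-separated format into (time, host, name, severity)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, sev = line.split("|")
        alerts.append((datetime.fromisoformat(ts), host, name, sev))
    return alerts


def watched_tool(alert_name):
    """Return the watched tool an alert refers to, or None for unrelated alerts."""
    lower = alert_name.lower()
    for tool in WATCHED_TOOLS:
        if tool in lower:
            return tool
    return None


def correlate(alerts, window_hours=1.0, min_tools=2):
    """Map host -> sorted list of distinct watched tools seen within one window.

    Each low-severity alert alone would be easy to dismiss; the combination
    on one host within a short window is the signal worth investigating.
    """
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ts, host, name, _sev in alerts:
        tool = watched_tool(name)
        if tool:
            by_host[host].append((ts, tool))
    findings = {}
    for host, events in by_host.items():
        events.sort()  # chronological; sliding window starts at each event
        for i, (start, _) in enumerate(events):
            tools = {t for ts, t in events[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                findings[host] = sorted(tools)
                break
    return findings


if __name__ == "__main__":
    for host, tools in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"INVESTIGATE {host}: {', '.join(tools)}")
```

With the constructed data, WS-ACCT-07 is flagged (three watched tools within 40 minutes) while WS-HR-02's two alerts, almost a day apart, fall outside the default one-hour window.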

Source: OFM

More than 40% of victims of ransomware attacks in South Africa pay the cybercriminals responsible to try to secure or recover their data. But in many cases, the crooks simply disappear with the money.

This is according to a new report from security firm Kaspersky, which said 42% of local ransomware victims coughed up money to recover their data.

Whether they paid or not, only 24% of victims were able to restore all their encrypted or blocked files following an attack. Sixty-one percent lost at least some files; 32% lost a significant amount; and 29% lost a small number of files. Meanwhile, 11% who did experience such an incident lost almost all their data, Kaspersky said.

According to TechCentral, Marina Titova, head of consumer product marketing at Kaspersky, said handing over money doesn’t guarantee the return of data, and only encourages cybercriminals to continue the practice. Kaspersky always recommends that those affected by ransomware should not pay as that money supports this scheme to thrive.

According to a recent MyBroadband article, Telkom has fallen victim to the group behind the Sodinokibi ransomware, also known as REvil.

The group has claimed responsibility for the attack and has threatened to leak the Telkom client database on its dark web blog.

The REvil / Sodinokibi group is one of several ransomware operators that steal sensitive data from victims and leak it on the dark web if their targets don’t give in to their extortion demands.

The group has recruited a team of affiliates who carry out attacks on corporate networks.

According to speculation, the group may have tried to extort $1-million out of Telkom.

The company denied that its systems had been infected with ransomware.

Staff working remotely were unable to connect to servers or the Telkom virtual private network.


South Africa is under cyberattack

South Africa is facing one of the largest cyber attacks it has ever seen, with banks, ISPs, and the government being targeted.

In the last two months:

  • The City of Johannesburg fell victim to a cyberattack which led to its information systems becoming compromised, and its systems (including the website and billing) being shut down. A ransom was demanded but the City is refusing to pay
  • The banking industry was hit by a wave of DDoS attacks targeting consumer-facing services
  • ISPs were hit by a number of DDoS attacks, as previously reported in My Tech News. In September, Cool Ideas and Atomic Access suffered an attack that severely affected their services; in October, Cybersmart was hit by a large DDoS attack which caused intermittent connectivity over two days; and recently Afrihost, Axxess, and Webafrica were hit by a very large DDoS attack which affected DSL and fibre subscribers

Parmi Natesan, CEO of the Institute of Directors in South Africa (IoDSA), told MyBroadband that “these attacks should serve as a wake-up call to companies” – who may not be taking adequate steps to protect themselves.

On Friday, doctors at Whipps Cross Hospital, east London, logged into their computers, but a strange red screen popped up. Next to a giant padlock, a message said the files on the computer had been encrypted, and would be lost forever unless $300 was sent to a Bitcoin account – a virtual currency that cannot be traced. The price doubled if the money wasn’t sent within six days. Digital clocks were counting down the time.

What happened?

It was soon revealed Barts Health Trust, which runs the hospital, had been hit by ransomware, a type of malicious software that hijacks computer systems until money is paid. It was one of 48 trusts in England and 13 in Scotland affected, as well as a handful of GP practices. News reports soon broke of companies in other countries hit. It affected 200,000 victims in 150 countries, according to Europol. This included the Russian Interior Ministry, Fedex, Nissan, Vodafone and Telefonica. It is thought to be the biggest outbreak of ransomware in history.

Trusts worked all through the weekend and are now back to business as usual. But the attack revealed how easy it is to bring a hospital to its knees. Patients are rightly questioning if their medical records are safe. Others fear hackers may strike again and attack other vital systems. Defence minister Michael Fallon was forced to confirm that the Trident nuclear submarines could not be hacked.

So how did this happen? The virus, called WannaCry or WannaDecrypt0r, was an old piece of ransomware that had gained a superpower. It had been combined with a tool called EternalBlue which was developed by US National Security Agency spies and dumped on the dark web by a criminal group called Shadow Brokers. Computers become infected with ransomware when somebody clicks on a dodgy link or downloads a booby-trapped PDF, but normally another person has to be fooled for it to harm a different computer. EternalBlue meant the virus could cascade between machines within a network. It could copy itself over and over, moving from one vulnerable computer to the next, spreading like the plague. Experts cannot trace who caused it, whether a criminal gang or just one person in their bedroom hitting “send”.

Like a real virus, it had to be quarantined. Trusts had to shut down computers and scan them to make sure they were bug-free. Doctors – not used to writing anything but their signature – had to go back to pen and paper. But no computers meant they couldn’t access appointments, referral letters, blood tests results or X-rays. In some hospitals computer systems controlled the phones and doors. Many declared a major incident, flagging up that they needed help. In Barts Health NHS Trust, ambulances were directed away from three A&E departments and non-urgent operations were cancelled.

The tragedy is that trusts had been warned of such an attack. Dr Krishna Chinthapalli, a junior doctor in London, wrote an eerily premonitory piece in the British Medical Journal just two days earlier telling hospitals they were vulnerable to ransomware hits.

How to avoid ransomware

Ransomware is a sophisticated piece of malware that blocks the victim’s access to their files, and the only way to regain access to the files is to pay a ransom.

Here are a few tips to avoid ransomware:

  1. Back up everything on the company network – create a sane, quiet backup system and use it daily.
  2. Don’t use Windows XP – it’s a little hard to believe but unsupported operating systems on office computers put data at risk. Consider an upgrade.
  3. Buy a hard drive and back up documents off-site – even if ransomware hits you overnight, you’ll have a few days’ data on this external backup. This will prevent the destruction of important records.
  4. Back up to the cloud – use an internet-based service like Google to store backups.
  5. Ensure your network security is up-to-date. Install any patches provided by the security software you use.

Businesses often cite cost as a pain point when explaining why they don’t have back-ups or adequate security.
The ultimate question businesses need to ask themselves is: can your company afford to pay the ransom?

Sources: Madlen Davies for www.newstatesman.com; www.techcrunch.com

A new ransomware “super bug”, codenamed “Locky”, is on the loose. There have been 500 000 sessions of the virus crossing the globe in the last few weeks – and now it has arrived in South Africa.

Anti-virus coverage for this type of malware is very poor – only four out of 54 service providers detected it.

It is believed that there are 4 000 infections an hour now – 100 000 infections a day.

A hospital group in the US has had to shut its doors after the fee to purchase its own files was set at $3,6-million – to be paid in untraceable Bitcoin.

There are 499 000 other cases of Locky reported so far. The virus is spread via infected Word documents.

A click on the attachment and the unfortunate victims, unable to mitigate this threat, are given a ransom demand for their files.

And a subsequent visit to the referenced Locky payment portal site reveals multiple options for victims to pay – including payment plans.

How to stay Locky-free:

• Never download freeware or files from untrusted sources, as they might be infected.
• Always scan removable devices before using them.
• Regularly scan your PC to detect .locky File Extension Ransomware as well as other related threats.
• Always keep the Windows operating system updated.
• Your browser’s security settings should be activated and set to at least medium level.
• Avoid installing ActiveX controls, as they are somewhat prone to abuse by .locky File Extension Ransomware.
• Never install potentially unwanted programs on your PC.
• Always carefully read the “License and Agreement” before installing any freeware.
• Turn on the firewall and other security settings for better PC protection.
• Do not click on suspicious links while surfing the web.
• Avoid getting carried away by unrealistic deals and offers, as they can be a trick used by .locky File Extension Ransomware.
• Never respond to unknown mails and messages.

My Office News Ⓒ 2017 - Designed by A Collective