Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday April 2nd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
My guest this week is Dinah Davis, vice-president of research and development at managed security services provider Arctic Wolf. We’ll be talking in a few minutes about ransomware. But first a quick look at some of the top stories from the past seven days:
Ransomware attacks are growing significantly. That’s no surprise considering all the reporting going on. But a report from Check Point Software put some numbers on it. In the last six months the company has seen almost a 60 per cent increase in the number of organizations affected by ransomware around the world. It’s been going up at nine per cent a month.
Among the victims reported this week were the Harris Federation, which runs 50 primary and secondary schools in Britain, and several American universities, including the University of California, after a ransomware group began publishing screenshots of documents it says were copied from them.
Cybersecurity researchers are being warned again to beware of downloading files from companies they’ve never heard of. Google revealed it had discovered another hacking campaign trying to trick researchers through websites claiming to be companies offering security products. The campaign includes fake social media profiles of people supposedly working for real software companies. Google suspects a North Korean-backed government group is behind this scheme.
A United Nations committee of 193 countries came to a consensus on respecting norms of behaviour on the internet. Those norms, like not interfering with critical infrastructure, are voluntary. Experts I talked to this week admit skillful countries may still launch cyberattacks they think can’t be attributed to them. However, observers believe it’s a start on convincing most nations that there may be a line that can’t be crossed. I’ve written a long piece on this on ITWorldCanada.com.
Perhaps the agreement will stop attacks on the healthcare sector, like one detailed this week by cyber researchers at Proofpoint. Detected late last year, the campaign was aimed at stealing passwords of senior medical people doing research into genetics, neurology and oncology in the United States and Israel. The group behind the campaign is linked to Iran’s Revolutionary Guard. Groups linked to other countries have been caught going after COVID research.
Toronto’s Ryerson University launched a free cybersecurity e-course for managers of small and medium-sized Canadian businesses. The modules cover cybersecurity risk, common cybersecurity threats, privacy and regulatory compliance and business continuity planning.
(The following is an edited transcript of my talk with Dinah Davis of Arctic Wolf)
Howard: This week I want to talk about ransomware. We could probably talk every week about ransomware attacks on organizations. Big and small firms are being hit. But what caught my eye was a report this week from Check Point Software, which estimated that globally 3,868 organizations have been affected with ransomware in the last several months alone. One incident that caught people’s attention was the recent attack on computer manufacturer Acer. It faced a demand for $50 million for the data decryption keys, or stolen data would be publicly released. If you’re willing to pay, usually a ransom demand can be negotiated down, but even still, $50 million is one heck of a chunk. What can you tell me about the gang taking credit for the Acer attack?
Dinah: This looks like it’s another hit by REvil, and that’s spelled R E V I L. It’s a ransomware-as-a-service operation and it’s extorted large amounts of money from organizations worldwide over the past year. It stands for “ransomware evil,” and that name was inspired by the Resident Evil movie series. Sometimes you’ll also hear them called Sodinokibi, so you can look out for that, too. They first appeared in April of 2019 and rose to prominence after another ransomware-as-a-service gang called GandCrab shut down its service. They sent out a big retirement message saying, ‘We’ve made millions and now we’re going to just go and retire.’
There’s research done by Malwarebytes that found it’s very likely the REvil team actually picked up, and maybe bought, the software from GandCrab, which helped them jump into the market. REvil might earn about 20 to 30 per cent of the illegal proceeds of each ransomware [attack]. It’s like software-as-a-service, just like everything else that we use, like our Microsoft 365. Criminals who are looking at how to get into companies use REvil as their platform to do the ransom and get the payment.
There was an IBM Security X-Force incident report from September which indicated that one in four cybersecurity incidents in the previous 12 months was ransomware, and of those one in three were REvil. So they’re pretty prolific out there right now. IBM estimates a third of the victims paid and about one in 10 had their sensitive information auctioned off on the dark web. Another interesting point with REvil is that they have a blog on the dark web called Happy Blog, where they auction off the data that they copied from victims. And if you were to go there in the last week, you would see a post about Acer.
So let’s talk a little bit more about the Acer hack itself. A Malwarebytes researcher discovered Acer had been hacked because he noticed it was on the Happy Blog. He went digging a little bit deeper and tracked down the web portal REvil uses to facilitate payments by the victims. And that’s where he saw that the amount was $50 million. That is the largest known ransomware ransom to date. Along with this, he found a copy of the chat between Acer and the ransomware gang, where it appears that negotiations [to lower the ransom] had stalled. I don’t know if they ended up paying or not.
Q: Who are some of the other high-profile victims of REvil?
Dinah: In 2020 there was a money transfer service called Travelex. Honda was targeted, [distiller] Jack Daniel’s, and a law firm which represents major figures like former President Donald Trump, Rod Stewart and Lady Gaga. It’s unclear whether the organizations attacked paid the ransom, but Atlas VPN reported that Travelex did end up paying about $2.3 million.
Q: The fact that REvil was demanding $50 million reminds me of a news story that came up this week. A ransomware gang called Conti, which compromised a Florida school board, has demanded $40 million for the decryption key. I think the gang is betting that if the victim has very sensitive information, like a school board would have student information, perhaps the school board would get desperate. Now, the fact is Conti and the school board started to talk a little, and eventually Conti reduced the demand to merely $10 million, which shows that you can negotiate with crooks. But eventually the board gave up. Perhaps part of the reason why is they claim that while the data of the school board was scrambled, there was no evidence that data had been copied. And so, as far as I know from news stories, the school board has just said to hell with this. We’re not paying.
Dinah: That happens. And they’ll just rebuild their databases. That’s what you gotta do.
Q: If you have good backups, then you can do that. And it’ll cost money; it’ll cost time and money. You may have to throw away some of your desktops and servers, but you can do it.
The other thing that talking about ransomware-as-a-service made me think of is there are a couple of groups in the past several months that have listed Canadian companies as victims. A number of these are small companies. They’re not publicly traded. And it got me thinking that either there’s some group in Canada or there’s a group offshore that has decided that they are going to specialize in going after Canadian targets.
Dinah: It could be. Something I just read about recently this week was that if you have cyber insurance, you’re actually more likely to get ransomed. What’s happening is a lot of these gangs are going after the insurance companies to get the list of clients that they have, and then try to ransom those clients, because they figure that if you’ve got ransomware insurance then you’re more likely to pay.
Q: A week ago a big American insurance company called CNA was hacked, and there was speculation that the hackers would try to find the list of customers that had paid for cyber insurance. Although one expert who I saw on the internet said it’s not very likely, in his opinion, that a hacking group would take the time and the trouble to go through an insurance company’s list and try to figure out who was getting cyber insurance. We’ll get back to cyber insurance in a minute.
What I wanted to mention also is that ransomware gangs usually exploit vulnerabilities in Windows, but there are reports that they’re also exploiting the recently discovered vulnerabilities in on-premise installations of Microsoft Exchange.
Dinah: That’s a big open hole if you don’t have that patched. You’ve got to get on that ASAP. Because basically it allows for remote access and they can load anything they want onto those machines. Some of the reasons that some [organizations] are slow to update is because they’re on really old machines running old software and they can’t actually upgrade. You know, we’ve been working with our clients very tightly to get them all upgraded if they were exposed.
Q: Another thing that I noticed from the Check Point Software report is that researchers are seeing a jump in infections from the WannaCry ransomware. It exploits older versions of Windows. And the thing is, patches for the vulnerabilities that WannaCry takes advantage of were issued four years ago. No one who regularly patches Windows should be hit by this, first of all. And second, the only computers that would be hit would be running Windows 7 and older. I would hope that all of our listeners know by now they should be on Windows version 10 or version 8.
Dinah: I would wonder how many of those Windows 7 machines are stolen software. So they can’t actually get the updates because they ripped off the software.
Q: IT leaders who are listening should be reminded that ransomware attacks often start with someone falling for a phishing email and clicking on a link to a bad website or a compromised document. That’s one of the reasons why better employee security awareness training is so important as one of the aids to stopping ransomware. Another common tactic is a brute force password attack on software that allows remote desktop access, and that includes virtual private network appliances.
Dinah: You want to make sure you just close any remote ports, and any time you want to access them, you do it behind a VPN. That’ll really stop them from trying to do a credential stuffing attack on your open RDP port.
Q: Is having cyber insurance an advantage / disadvantage in ransomware?
Dinah: It can be an advantage if they help you negotiate with the criminals and help you with the money to recover. But like I said earlier, it might also make you a target. I personally would probably spend my money on securing my systems better, hiring a security team or a company to do it for me, rather than paying for the cyber insurance. That’s just one person’s opinion.
Q: Certainly the purpose of cyber insurance is to help pay for incident response costs like buying new servers, buying new desktops, hiring consultants.
We’re drawing to the end here and I want to ask you about tips for stopping ransomware.
Dinah: One, awareness training: Huge for your company. You want to look at the risk of your entire network – what’s the risk, what do you need to have in place? Make sure there are good firewalls there. Phishing is one of the highest reasons why ransomware happens, so even if you just add to the subject line of emails that are coming in from outside of your organization – External – it immediately gives your employees a heads up that I should be a little bit more careful with this email.
Q: And backing up your data … Having secure backups is tremendously important to fight ransomware. And you’ve got to make sure that you test your backups and your backup procedures, because you’ve got to make sure that your staff are familiar with how to back up.
Dinah: That’s where also running a lot of disaster recovery scenarios can help a lot.
Q: And finally, I can’t stop without mentioning the importance of adopting multi-factor authentication in support of your log-ins. You can’t have staff only log in with a username and password.