This is the Week in Review edition for the seven days ending Friday May 21st. In a few minutes Terry Cutler, CEO of Montreal’s Cyology Labs will join me to discuss some of the news. But first a quick review of some headlines:
Has the Darkside really gone dark? Security analysts were surprised and skeptical when late last week the ransomware gang posted a note on its leak site saying goodbye. Terry and I will discuss the state of ransomware, how lucrative it is and what the future may hold.
The FBI’s annual report on internet crimes is out, and again it’s not pretty. Last year it received over 791,000 complaints with losses of $4.2 billion. About a third of them related to phishing, text and phone scams. There were lots of COVID-19 scams, scams aimed at getting COVID government support funds.
The biggest loss was to business email compromise scams, also called business executive compromise scams. That’s where employees are tricked into sending payments for things like invoices to a bank account controlled by criminals instead of the account payments usually go to. Those cost victims $1.8 billion in losses.
Among the complaints were more than 105,000 from victims over the age of 60 with total losses in excess of $966 million. They fell victim to a wide variety of romance, government impersonation, lottery, home repair and other scams. The problem is so big the FBI plans to release a report this year focusing on what it calls elder fraud.
The FBI also warned this week of a despicable scam targeting families of missing persons. The goal is to extort them for money, claiming a missing person is injured or ill and can’t contact the family. The crooks are using information families put on social media asking for help in finding their loved ones.
Finally, this week the annual RSA cybersecurity conference was held. There were great lessons for IT and business leaders from many of the presentations. Here’s one: Is cybersecurity at your firm treated as a business or an IT responsibility? If it’s only an IT responsibility, the organization is in trouble.
(The following is a condensed transcript)
Howard: I’m going to bring in Terry Cutler. We’ll start with ransomware. After attacking Colonial Pipeline in the U.S., Darkside said it had lost access to the public part of its blog, to its payment server and its content delivery server. In addition, cryptocurrency funds were also taken by someone from the gang’s payment server, and that’s where victims made ransomware payments. And then it promised to release its decryption keys so that anybody hit by its ransomware could get their scrambled data back for free. And by the way, the release of those keys has not been verified. So my question is, is Darkside gone? And even if it is, does it matter?
Terry: Nobody knows for sure. I think what happened was they didn’t expect that chaotic mess with the pipeline [temporarily] going down. So I think they got way too much heat on them. And other gangs want to disassociate themselves, especially after the President [Biden] names them on national television. So they don’t want to be affiliated with that. What’s interesting is that a day after this happened the [President’s] executive order came out saying that they [the U.S.] are going to take this into their own hands and stop these cybercriminals. And then that’s when the servers went down and that money was taken … I think what’s going to happen is that they [Darkside] are going to shut down that brand and just rebuild themselves.
Howard: How much has Darkside gotten in its young life?
Terry: [According to security firm Elliptic] they got $90 million in nine months … $75 million of that went to the affiliates and these guys brought in $15 million.
Howard: Another cybersecurity company called Emsisoft estimated that last year ransomware cost companies around the world $42 billion in business interruption as well as ransomware payments. The other thing that was interesting was there was a report this week from a Canadian managed security provider called eSentire. It calculated that six ransomware groups hit 292 victims in the first four months of this year alone. If half of those paid an average ransom of about US$300,000, then those gangs would have pulled in $45 million. And again, that’s just more evidence of how lucrative ransomware can be.
This was a week that was full of ransomware reports. There was a report on the Bleeping Computer news site that the Mt Locker ransomware gang has a new version of its ransomware that takes advantage of a capability in Windows Active Directory so that its ransomware can spread across an organization’s IT network. What it does is leverage an API, or an application programming interface, within Active Directory to collect information on everything on the network. And this is bad because Active Directory is a central place for all that information. That’s another reason why IT leaders have to make sure that Active Directory is protected from all kinds of attacks. How can IT protect Active Directory?
Terry: They have to learn to train their employees for credential monitoring on the dark web, because a lot of times cybercriminals are using passwords that have leaked onto the dark web and using what’s called credential stuffing attacks to sign in to the company. Once they have access, especially if it’s admin access, they can actually start deploying ransomware … The moment it can get into your environment, the first thing it’s going to do is try and find out the names of your systems, your domain controllers in your environment. And then it’s going to perform some searches against those systems to see the names of the computers that are in the environment. Once it has that list of computers it’s going to start passing off those credentials and start signing into those computers. And then once it’s in, it starts encrypting those computers.
Howard: Ever since the Ransomware Task Force issued a report a week or so ago, the President [Biden] has said the United States wants to get more active in ransomware. There’s been a lot of pressure on countries to get together, to have their law enforcement agencies get together and go after ransomware gangs and their infrastructure. And that works: In January, for example, the Netwalker ransomware gang’s infrastructure was taken down with help from the RCMP in Canada, the FBI in the United States and European law enforcement agencies.
Terry: It really does work, but the problem is a lot of times when we work with law enforcement they’re understaffed, overworked, and it’s very hard to have all the attention and focus on taking these types of gangs down. But when it works, it really works.
Howard: I know in April there was a meeting of the cabinet ministers who were responsible for international policing in the Five Eyes countries. And that includes Canada, the United States, the United Kingdom, Australia, and New Zealand, and they signed a joint declaration promising to work harder together to go after ransomware gangs. So that’s a good sign.
Meanwhile, just to reinforce that ransomware isn’t going away, here are some of the latest ransomware victims: A British online insurance broker, branches of the insurance company AXA, Ireland’s health service, a division of Toshiba. And I haven’t been able to confirm it, but a ransomware gang says it’s hit a Calgary distribution company. What are some of the best ways that organizations can protect against ransomware?
Terry: One of the ways is to make sure your backups are protected. Make sure you have multiple copies, especially offline copies. This way, if you are hit with ransomware you’ll be able to recover a lot quicker. Now, the challenge that’s going to happen here is that if cybercriminals have gotten into your environment and have stayed undetected for months there’s a good chance they may have copied your data. So even though you can recover from a ransomware attack with your backups, they may come back and extort you in order to not leak your data.
You need to have two-factor authentication [for extra login protection]. A lot of companies don’t have that properly implemented right now. Also, make sure you’re using a VPN [virtual private network] and also be careful with [Windows] RDP — remote desktop protocol.
Watch out who you give administrator access to: Only the administrators should have admin rights. Make sure you employ the principle of least privilege … Another thing companies aren’t doing a lot of is network segmentation … to prevent a full catastrophic failure should ransomware occur.
When we do audits we still see a lot of companies don’t have the basics down – like patching your systems correctly, or having users in the Active Directory that haven’t been with the company for years and years.
Train your users. Awareness training is key. That was one of the biggest ways in 2020 that cyber attacks were happening — through phishing. Train users what not to click on. We have problems with companies using antivirus software that doesn’t have the proper protection. So always go for the paid versions of this software. Look at your firewall, and at email filtering software that can control malicious attachments that come in.
Make sure you meet with your team as well to make sure that there is a business disaster recovery plan in place. So, should a disaster occur you know what to do, in what order and who to contact.
(To hear the full podcast play the recording)