Category: Ransomware

How Canada’s Healthcare Overhaul Led to a 15% Increase in Security Breaches

In 2019, Canada’s healthcare system underwent an overhaul. Taking place in Canada’s most populated province Ontario, the changes have been described as the most significant health system update in 50 years.
Ontario was attempting to merge its health agencies to create local coordination organizations and maximize efficiencies. Combining the systems brought complications, however, and resulted in a 15% increase in the number of cybersecurity breaches. Hackers targeted three Ontario hospitals in October and paralyzed their operations using the Ryuk ransomware – now the most profitable ransomware family of the last six years. Ryuk is a common culprit known for shutting down local governments, school systems and, most recently, oil and gas facilities.
Ryuk Ransomware
Ransomware is commonly used in healthcare due to the sensitive and valuable nature of the information organizations hold. Hackers will often first use ransomware to gather information about a hospital’s finances, to figure out how large of a ransom to ask for. Then, hackers will use the ransomware to lock up a hospital’s information, effectively holding it hostage until a payment is given.
In October, the Canadian Centre for Cyber Security issued a nationwide alert for Ryuk ransomware. One security company stated that almost 50% of all breaches by the ransomware were targeted at healthcare. One of its hospital clients reported over 3,200 exploit attempts in October alone.
Across healthcare, Ryuk isn’t limited to Canadian hospitals. Last October, three Alabama hospitals had access to their patient lists blocked. Several hospitals in Australia also suffered a similar ransomware attack that crippled their systems.
Prevention is the best defense against ransomware
If ransomware has infected your organization’s systems, there’s a good chance that it won’t be easily removed. System administrators have attempted to reimage computers to reset them to their previous configurations before the attack, only to have the ransomware come right back shortly after the systems returned.
Rather than waiting until it’s too late and being forced to choose whether or not to pay a hefty ransom, a better approach is to start by taking preventative measures to protect your systems.
Typical points of entry for healthcare attacks
Here are a few common points of entry that hackers often try to exploit:

Endpoints via outdated or unpatched applications
Medical Internet of Things (IoT) devices
Unknowing users who click on malicious links on a webpage or in an email

Ways to help prevent ransomware attacks
To secure and manage your sensitive healthcare devices, data and applications, start by staying in control with a resilient connection to all your endpoints.

Block TCP port 3389 on the firewall if possible.
Employ content filtering and scanning on mail servers.
Scan incoming and outgoing emails for threats.
Educate employees on how to recognize suspicious links and attachments, even if it seems to be coming from someone they know.
Minimize the number of users with admin privileges who can install software.
Ensure systems and software are updated regularly with up-to-date patches.
Have daily backups of all critical systems with offline and offsite copies.
Disable Remote Desktop Services if not required.
Disable macros for documents received via email.
Respond to incidents quickly, with automatic location and deletion of data when needed.
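As an added example, not code from the original post or from Absolute, the "scan incoming emails" and "disable macros" items above can be backed by an attachment-scanning step on the mail server. The Python script below parses a constructed e-mail and flags Office attachments that carry a VBA project, both when the macro-enabled extension is visible (.docm, .xlsm) and when a macro-bearing OOXML file has been renamed to a plain .xlsx. The addresses, the sample documents and the three verdicts returned by `classify_attachment` are assumptions made for this example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Office uses for macro-enabled documents (block outright).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Legacy binary formats can carry macros with no telltale extension (send to review).
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are zip archives; a vbaProject.bin part means a macro is embedded."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment (verdict names are assumed)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS or ooxml_has_vba(data):
        return "block"
    if ext in LEGACY_OFFICE:
        return "review"
    return "allow"


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw RFC 822 message and classify each attachment."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:  # multipart containers and the text body carry no filename
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append((filename, classify_attachment(filename, payload)))
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip for the demo; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00demo-vba")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample e-mail with three attachments (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Payroll statement"
    msg.set_content("Please see attached.")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="statement.xlsx")
    # Macro project hidden behind a plain .xlsx extension: extension checks alone miss it.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="invoice.xlsx")
    msg.add_attachment(b"%PDF-1.4 demo", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{verdict:6} {name}")
```

The zip-content check matters more than the extension list: an attacker-controlled filename is the cheapest thing to change, while the vbaProject.bin part must exist for the macro to run at all.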

In 2020, to stay ahead of hackers and ransomware attacks like Ryuk and others, endpoint resilience is increasingly important. Because you can’t secure what you can’t see, uncompromised visibility into every device, whether it’s on or off the network, is the first step. And because security tools inevitably degrade and fail over time, as research has proven, you also need a persistent, self-healing connection that will alert you to potential problems.
To find out how Apria Healthcare uses Absolute to gain visibility into device location and activity, secure patient data and improve access to patient care in the field, check out the case study or read up on Absolute healthcare solutions.

Cybercriminals Take Aim at K-12

The school year is underway and millions of devices are now in the hands of students. More than 80 percent of today’s K-12 organizations provide computers to students and an estimated 70 percent of schools will be one-to-one by 2020. With school-issued devices commonplace, schools have become easy targets for cyberattacks.
Since 2016, nearly 700 cyber incidents have hit K-12 organizations. And threats like ransomware have forced schools to close their doors, and even compelled Louisiana’s Governor to declare a state of emergency after several schools were wrecked by the Ryuk ransomware in the summer of 2019.
The K-12 attack surface has lured cybercriminals, but the technology itself has also become somewhat of a nightmare. In Absolute’s new study, Cybersecurity and Education: The State of the Digital District in 2020, we looked at 3.2 million devices across 1,200 schools and discovered over 6,400 unique Chrome extensions in use, 319 security bypass apps (e.g. rogue VPN), and more than 130,000 app versions. The IT complexity is staggering.

Based on the new research, we see three key challenges facing today’s K-12 technology leaders – challenges no other industry faces.

Savvy students — more than five times as many tools for users to tunnel around security controls and policies than other sectors. (rogue apps were found in 42 percent of organizations)

Increased complexity — within five years, K-12 IT leaders have gone from managing a couple of operating systems, a handful of apps, and a few hundred devices to managing hundreds of versions of operating systems, apps, extensions, and thousands of devices. (93 percent of common apps are outdated)

Increased endpoint risk — as complexity expands, so does risk, leaving both students and schools increasingly vulnerable to cyberattacks. Case in point: schools have become the second-largest pool of ransomware victims, slightly behind local governments and closely followed by healthcare organizations. (56 percent of patch agents fail)

It is no surprise then, that 68 percent of K-12 IT leaders say cybersecurity is their top priority, and nearly half (47 percent) say their primary investment will be security controls and tools. But K-12 IT leaders must carefully consider their plans for more security spend and take aim at cyber resilience above all else.
School districts are saddled with the expectation to demonstrate ROI (the effects of the one-to-one program) but on the other hand, they need to keep tabs on security and inventory gaps in a quickly growing endpoint population. Read: Quantifying K-12 Device Use with Absolute.
How do you solve the riddle? Resilience is the key.
Winning the Battle Against Cyber Threats
It is increasingly critical that school districts work to reduce IT complexity and improve endpoint resiliency by gaining visibility into every device everywhere. Then, IT leaders can identify device use patterns and rogue apps, see how often devices are used and what risks students are creating, and justify tech spend for maximum ROI. K-12 IT leaders can rely on Absolute to unmask complexity risks and automate endpoint security—restoring fragile security controls, apps, and agents—to safeguard digital learning for the next generation.
To learn more about the cyber risks facing today’s K-12 schools, download the full report Cybersecurity and Education: The State of the Digital District in 2020.

3 Ways to Bolster Endpoint Resilience in the Face of Ransomware

This article originally appeared in ITProPortal. 
This June, two municipalities in Florida were the victims of dreaded ransomware attacks, and both agreed to resolve their nightmare by paying the cybercriminals to recover their systems and files.
According to the FBI, billions of dollars are lost every year restoring systems hit by such attacks, but the agency still does not support paying the ransom in response to attacks; for starters, it doesn’t guarantee an organisation will get its data back. So, when attacks like this hit, victims are left with the question of whether to comply with hackers’ demands or be left out of commission for an undetermined amount of time and a nebulous view of the damage incurred.
Since no organisation wishes to confront such decisions, it’s imperative that they are as prepared as possible. Adding resilience to an organisation’s security strategy is one way to contain a ransomware outbreak. To minimise risk, IT teams need increased visibility into all their devices for information about the presence and health of patch management and other endpoint security applications. Today’s technology allows for much of this to be automated, ensuring that security solutions are properly installed and effective.
Three Steps to Better Protection
Small steps can have a tremendous impact and can help increase resilience and ensure better protection in the face of ransomware criminals.

1. Increase visibility

Visibility into the health and efficacy of endpoints is a key element in building a solid security strategy. By identifying all endpoints and maintaining clear visibility into them, including those that are inactive and often easily forgotten, one can both ensure compliance with federal regulations and be better prepared for hackers who target weak links. Though most organisations assume that more than 95 per cent of endpoints are compliant with required applications and patches, the reality is that 28 per cent of endpoints are unprotected at any given time. Constant visibility over endpoint devices, data and applications — whether they’re on or off the network – ensures that administrators can easily identify which devices may still be vulnerable to attack and take appropriate remedial actions.
Devices are regularly being re-imaged, and critical applications are often disabled or in a state of disrepair. These ‘dark’ devices remain outside the control of IT and without the protection of the network, which ultimately poses a significant threat to data security. In the event of a security incident, these devices may no longer have the security controls needed to prevent an incident from escalating to a full-scale data breach. Endpoints – and in particular, ‘dark’ endpoints – are an ever-present danger to organisations. Total visibility and situational awareness are crucial to combating this threat, and lead to preparedness and better protection.
2. Patch continuously
According to the Ponemon Institute, the average time it takes organisations to patch is 102 days. At a time when zero-day attacks are four times more likely to compromise organisations, patching agents have quickly become one of the most vital protection mechanisms. However, research finds that 75 per cent of patching agents report at least two repair events in one month, and 50 per cent report three or more repair events in the same period. Additionally, five per cent could be considered “chronically ill,” with 80 or more repair events in the same one-month period.
As complexity multiplies, emerging technology is essential. Artificial intelligence (AI) has transformed patching into a continuous and ongoing process that requires less maintenance but significantly broader coverage. When 19 per cent of endpoints require at least one repair within 30 days, a continuous patching strategy proves invaluable. Continuous patching ensures the maintenance of all endpoints, even those that have become dark.
3. Ensure endpoint control
Implementing additional data security measures that are unique to the network can increase control over all endpoints. By implementing an approach that is unique and tailored to the higher education industry, Wichita State University (WSU) has been able to remove blind spots and track school-owned devices, even after those devices leave the secured school network. By doing so, WSU has been able to increase their visibility and gain more all-encompassing control of these endpoints.
Strategies like these, when combined with more complex capabilities like persistence technology, provide a single source of truth into all endpoints and therefore drive a more dynamic cybersecurity approach in the face of ransomware attacks. Persistence technology ensures the ability of an endpoint to self-heal if a user tampers with the security agent on a device and increases visibility into exactly who is accessing a device and when. Not only does this strengthen cybersecurity preparedness, it also has an impact that can be more widely felt. The ability to deploy and confirm full disk encryption, track and lock devices, or freeze and wipe the data – combined with the ability to manage and secure the endpoint population – has helped organisations gain and maintain ongoing compliance with HIPAA, PCI-DSS, FERPA and other requirements.
While we may debate the pros and cons of paying ransom, it’s impossible to debate the importance of resilience. Although organisations may feel unprepared in the face of a ransomware attack, there are quick actions to take that can deter criminals’ efforts and alter the ending of the story. In today’s climate, increased visibility, continuous patching and endpoint resilience are no longer security bonuses, they are requirements that may be the difference between a successful crime and a thwarted attempt at paralysing an organisation.
For more information on top endpoint security threats, download the 2019 Endpoint Security Trends report.

Most Devastating Cyber-Attacks at the Endpoint

Two years ago this month, WannaCry shut down computers across the globe in a matter of hours. Hackers ransomed hundreds of thousands of machines across 150 countries and demanded cryptocurrency to unlock them. On the anniversary of one of the world’s most devastating cyber-attacks, there are big lessons to be learned from the whirlwind that was WannaCry and other damaging global cyber threats.
WannaCry Then and Now
WannaCry was one of several highly classified hacking tools developed by and then stolen from the National Security Agency (NSA) in 2017. Hackers published the ransomware online for anyone to use. Microsoft, already aware of the theft, pushed out a patch that would protect systems from WannaCry; however, those slow to make the fix had to be reminded – the hard way – of the importance of timely patching.
WannaCry was unique in several ways but perhaps most notably, the wild-fire speed at which it spread. In a few hours, WannaCry created billions of dollars in damage. No industry was immune – hospitals, governments, private companies and others were all hit. Even now, two years later, WannaCry variants continue to be a threat despite the availability of patches. New reports say Eastern countries, namely India, have the highest detection rates.
Nearly as old as common use of the Internet, ransomware is said to have started in 1989 when the World Health Organization fell victim to the AIDS Trojan. The hacker demanded users cough up $189 to regain access. Beyond ransomware, cyber criminals also have countless other exploit possibilities to secure financial gain.
Attack Types on the Rise
A new report from Booz Allen predicts organizations will face growing cyber-attacks across eight categories in 2019:

Government-run information warfare campaigns
IoT device hacks
‘Chip and Pin’ weaknesses
Weaponization of adware networks
Use of AI in information warfare
Expansion of wireless attack surface
State-sponsored threat actors
Water utility targeting

While all scary predictions, these are layered on top of the now-standard attack types every organization faces almost daily: phishing tactics, denial of service attacks, web-based malware and many others.
For more information on top cyber threats, we’ve highlighted a few of our favorites in our next episode of Cybersecurity Insights, including: MafiaBoy’s Denial of Service, Conficker, Jonathan James and the US Department of Defense, Shamoon and the Melissa virus. Watch the video below for our top 5 cyber-attacks and how to prevent them. While you’re at it, subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Today, let’s take a look at some recently successful cyber attacks. Some of these no one saw coming.
To be sure, attacks can be successful or extinguished from the very start. But the iron-clad rule of cyberattacks is that they come in many forms, from all directions, and from incredibly different sources.
Let’s count down some of the interesting ones…
Number 5: Mafiaboy’s Denial of Service.
Michael Calce, aka Mafiaboy, then 15 years old, claimed that he had unknowingly input several widely known IP addresses into a security tool that he had downloaded from the web. Being a teenager, Calce went off to school and returned home to find his exploits were plastered all over the news.
Denial of service attacks, like Mafiaboy’s, flood a site with traffic, disabling its ability to serve legitimate users. Yahoo, which, at the time, was the world’s most used search engine, collapsed; eBay, CNN, and Amazon were all brought down for several hours, costing billions in the aftermath.
Number 4: Conficker
In 2008, the worm exploited a number of Windows operating systems. It, then, linked computers together into a massive botnet (which was a new idea at the time).
Conficker had several spoils of victory, including the creation of a whole class of threats and leaving many world leaders with no choice but to call in favors from other nations to mitigate the attack.
Number 3: Jonathan James (1999)
James breached the US Department of Defense in 1999, stealing passwords, confidential messages, and software designed for space exploration and the US military.
In the 1960s John F. Kennedy had famously urged the US to “Go to the moon…not because it is easy, but because it is hard”. Mission accomplished.
But 30 years later, NASA had to shut down its entire network for three weeks, costing millions in response to James’s brute force attack.
Number 2: Sony Pictures
The Guardians of Peace (GOP) fessed up to the crime by releasing a trove of sensitive data, including: personal information, messages and correspondence, executive salaries, and even snatching several of Sony’s films.
The group used a modified Shamoon malware with a mechanism to wipe hard drives. Unlike the typical goal of stealing data, this malware hurts victims by completely eliminating valuable information.
And Number 1: Melissa
David Smith is (perhaps) the discoverer of phishing attacks.
Taking to an America Online chat group, Smith posted a document claiming to have credentials to several websites, but whose true content was the Melissa virus.
Melissa, then went viral: spawning itself across global email servers.
Several tech-savvy companies (Microsoft, Intel, Lockheed Martin) were forced to shut down their email services, after Melissa caused over $80 million in damages.
Attacks are inevitable. Successful attacks are not. But when we lock our focus on cyber RESILIENCE, we can withstand the unending parade of attacks.
By PERSISTING our security posture and maintaining line-of-sight, the attack surface is compressed and becomes an inhospitable place for attackers to win.
What are your top 5? Drop them in the comments section below. I can’t wait to see who’s on your list.

Phishing Scams and Malware: What You Need to Know this Tax Deadline

Filing your taxes each year can be a painful process and sadly, cyber criminals continue to amplify the confusion. Phishing scams and malware again topped this year’s “dirty dozen” list of prevalent tax scams published by the Internal Revenue Service (IRS).
What are Phishing Scams?
Phishing scams are fake emails, text messages and websites set up by online scammers as a way to steal personal information, gain access to your system, and let malware loose to wreak havoc.
Tax Fraud and Identity Theft
Inevitably, Tax Day brings phishing scams and malware. In a warning to tax payers last month, the IRS said phishing scams, or messages that look like they are coming from the IRS or other legitimate tax service companies, commonly lead to both tax-related fraud and identity theft. With more than 135 million Americans filing their taxes electronically last year, it’s easy to understand why the annual event is such a lucrative target for cyber criminals.
Phishing emails are step one into a larger, nefarious effort. The messages may contain links to malicious websites set up by crooks to steal your data. One cybersecurity firm discovered more than 100 such sites this year alone – all designed to make the user think they were using a legitimate website. In reality though, the site only existed to steal login information for the actual, legitimate site it was impersonating and/or personal details such as social security numbers or even passport numbers.
Read Top Cybersecurity Threats of 2018 Revealed
Other phishing emails are designed to coax you into downloading malicious software, or malware. This year, some of the more common malware downloads stemmed from phishing messages that appear to come from Intuit, the makers of Quickbooks and TurboTax. Others target businesses and look as if they have been sent from accounting or payroll service companies like ADP. These messages include an Excel file attachment that, once opened, is programmed to install a Trojan on your computer for further data pilfering.
TrickBot Banking Trojan
A Trojan is a program that claims to perform one function but actually does something else entirely. One popular Trojan for this year’s tax filing deadline is TrickBot. It targets Windows users through a malicious Excel document and once infected, the malware combs for passwords, banking information and other credentials to send back to the attacker. The information can then be used to steal funds and in some cases, file fraudulent end-of-year tax forms for further financial gain.
Tax Day is a popular event for cyber criminals to lean in on, and there are many others. Black Friday and Cyber Monday are two other national events that call for added caution and so are more personal events in your life such as home buying. Cyber criminals’ methods continue to grow increasingly sophisticated. The best thing you can do is educate yourself, and your users, on their tactics.
If you’d like more information on the more common attack types such as phishing, trojans and even ransomware which has been a significant issue for many in recent years, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Hello again, Josh here from Absolute. In the last episode, we saw how threats come in many forms. In this episode, we’ll explore a couple of ways those threats use to get to the goods.
Let’s look at phishing, the most common tool cybercriminals use to get access to our systems. We’ve all seen it; the email from your bank or a company you patron asking you for information. ‘Please, update your account (or profile or membership or…)’
Logos and font styles look real. There’s the button, staring back at you. What is it about people and buttons? There is an unmistakable urge to click!
Now that you’ve scratched the itch to click, the attacker gets a toehold to push malware, ransomware, or even grab control over the device. Phishing is the most widely used weapon for cyber-attacks for one, single, very important reason. It works.
It exploits our most basic instincts: curiosity, cooperation, trust, and willingness to share and help.
When we fall for these deceptions, we’re likely to play host to some unwelcome guests in our IT environment: malware.
Malware is a smashed word coming from malevolent (meaning, bad) and software. Malware tends to come in four forms: viruses, worms, trojans, and hostage-takers (aka ransomware).

Viruses are aptly named, they infect the system and interact with the normal processes to either get the user to do something that gives access, or disable the system so that it is unusable.
Worms are designed with the expressed intent to replicate and spread to other systems. Much like viruses, these pesky malwares corrupt the host system, but are tailored for reproduction and thus are more damaging.
Compounding the sadism, we have trojans. These malwares look like approved apps and software (like a printer driver) so they’re not as easily detected by anti-virus apps. Once installed, they replicate and forge onward to other resources playing the same trick.
By now, most of us have heard about the last of these weapons: ransomware. The malware designed to lock your files and data until you pay a fee – usually in a cryptocurrency so it can’t be traced.
The good news, of course, is that no phishing scam or malware is effective without an existing vulnerability.
Once again, we see why having persistent visibility and control is so essential. Unless we can see our trouble-spots and quickly remove the risk, we are bound to fall victim to these attack vehicles.
In our next episode, we’ll look at the growing threat of botnets. Be sure to subscribe and leave your comments below. I’ll see you next time.

The Criticality of Strong Cyber Hygiene

The more connected we become, the more at risk we are to cyber criminals who are busy looking for a chance to capitalize on our technology dependency. Unfortunately, we’ve seen this breakdown many times – in our hospitals when WannaCry ransomware forced medical personnel to turn away patients and in our local governments when ransomware used by the SamSam group rendered the city of Atlanta incapable of validating arrest warrants or accepting bill payments from residents. These are but two recent examples.
With countless attack possibilities and an ever-expanding threat surface driven by the explosion of apps, IoT and mobile users, savvy organizations today consider a breach a matter of when, not if. But there are practical steps you can take that will make a successful attack harder, which might just be enough to cause your would-be attacker to move on to lower-hanging fruit for a faster, easier score.
As your organization works to become more effective and efficient through innovative technology, a security mindset must be baked in from the very beginning. This mindset is best shaped by the goal of strong cyber hygiene which includes covering off on these basic areas:

Fortifying data
Probing for sensitive info
Blocking unauthorized software
Monitoring hygiene
Educating users

Allowing the protection of your service offerings to become an afterthought could be a costly mistake. Thankfully, the NIST Cybersecurity Framework (NIST CSF) was created to help us advance along the continuum of good cyber hygiene. It was designed to help IT security pros everywhere, regardless of industry, categorically safeguard their devices, data, apps and users with a set of 5 broad practices: identify, protect, detect, respond and recover.
If you are looking for more information on how NIST CSF can help your organization, we created a series of short videos on the framework and other essential cybersecurity tips. For more on cyber hygiene, watch the video below, which is a look at NIST CSF’s second pillar, Protect. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
NIST Cybersecurity Framework
Video Transcript
Hey! It’s me again, Josh from Absolute.
This week’s episode is fully dedicated to the “Protect” pillar of the NIST Cybersecurity Framework.
Although everyone wants to describe their data, devices, apps and users as safe, the label is only true when we take deliberate steps to make it that way. Which is why the NIST Cybersecurity Framework focuses on those actions we can take to have safe devices, safe data, safe apps, and safe users.
The second law of thermodynamics tells us that everything in our universe, everything, goes from order to disorder, unless something (or someone) acts to reverse the drag of entropy. Without action, devices and data will naturally lead to disorder. They’ll degrade and fall to shipwreck.
But the NIST “Protect” pillar gives us guidance for VPN access, blocking cloud storage apps, persisting endpoint visibility, and regenerating security apps like encryption or anti-malware: all hallmarks of good cyber hygiene.
With a keen eye on endpoint hygiene, you can bolster the entire device population. All put into service to protect data. These attributes can be measured with a unique score: The Endpoint Hygiene Coefficient.
When no single device aligns with my picture of hygiene, my Endpoint Hygiene Coefficient is “0”.
This is rare. So rare, that we can rule it out. But just as rare is an Endpoint Hygiene Coefficient of “1”. If only our devices remained that pristine. So imagine an Endpoint Hygiene Coefficient of “0.81”. This means that some, if not all, devices are pulling us away, to some degree, from where they need to be.
Some devices are unencrypted, others are encrypted but have sensitive data in cloud storage apps. Still others have outdated AV tools. The reasons can vary, but by examining the device population AND quantifying the drift, you can get ahead of mishaps that put data at-risk.
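The visibility and patch-age checks from the "Three Steps to Better Protection" article above and the Endpoint Hygiene Coefficient described in this transcript can both be computed from an endpoint inventory. The Python script below is an added example, not Absolute’s code or its scoring formula: it assumes the coefficient is the fraction of devices showing no hygiene drift (so 0 means no device aligns and 1 means every device is pristine, as the transcript describes), treats a device as "dark" after a fixed number of days without an agent check-in, and uses constructed device records and assumed thresholds (`DARK_AFTER_DAYS`, `MAX_AV_AGE`, `MAX_PATCH_AGE`).

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Endpoint:
    """One device record from an (assumed) endpoint inventory."""
    hostname: str
    last_seen: date            # last agent check-in
    encrypted: bool            # full-disk encryption confirmed
    av_signature_age: int      # days since anti-malware definitions were updated
    patch_age: int             # days since the last successful patch cycle
    cloud_storage_apps: list = field(default_factory=list)


# Policy thresholds: assumed for this example, not values from the page.
DARK_AFTER_DAYS = 14
MAX_AV_AGE = 7
MAX_PATCH_AGE = 30


def drift_reasons(ep: Endpoint, today: date) -> list:
    """Every way this device deviates from the hygiene picture; empty means pristine."""
    reasons = []
    silent_for = (today - ep.last_seen).days
    if silent_for > DARK_AFTER_DAYS:
        reasons.append(f"dark: no check-in for {silent_for} days")
    if not ep.encrypted:
        reasons.append("unencrypted")
    if ep.av_signature_age > MAX_AV_AGE:
        reasons.append(f"stale AV definitions ({ep.av_signature_age} days)")
    if ep.patch_age > MAX_PATCH_AGE:
        reasons.append(f"unpatched for {ep.patch_age} days")
    if ep.cloud_storage_apps:
        reasons.append("cloud storage apps: " + ", ".join(ep.cloud_storage_apps))
    return reasons


def hygiene_coefficient(fleet: list, today: date) -> float:
    """Assumed scoring: share of devices with no drift (0 = none aligned, 1 = all pristine)."""
    if not fleet:
        return 0.0
    pristine = sum(1 for ep in fleet if not drift_reasons(ep, today))
    return pristine / len(fleet)


def dark_endpoints(fleet: list, today: date) -> list:
    """Hostnames that have been silent longer than DARK_AFTER_DAYS."""
    return [ep.hostname for ep in fleet
            if (today - ep.last_seen).days > DARK_AFTER_DAYS]


def hygiene_report(fleet: list, today: date) -> dict:
    """Coefficient plus per-device drift, so the drift can be quantified and worked off."""
    drift = {}
    for ep in fleet:
        reasons = drift_reasons(ep, today)
        if reasons:
            drift[ep.hostname] = reasons
    return {
        "coefficient": hygiene_coefficient(fleet, today),
        "dark": dark_endpoints(fleet, today),
        "drift": drift,
    }


# Constructed sample inventory (not real devices).
TODAY = date(2020, 3, 1)
SAMPLE_FLEET = [
    Endpoint("lab-01", date(2020, 2, 29), True, 1, 5),
    Endpoint("lab-02", date(2020, 2, 28), True, 2, 12),
    Endpoint("lab-03", date(2020, 3, 1), True, 0, 3),
    # Silent for weeks and far behind on patches: the "dark" device IT has lost sight of.
    Endpoint("lab-07", date(2020, 1, 20), True, 41, 45),
    # Checks in fine but is unencrypted and syncs files to a cloud storage app.
    Endpoint("lib-04", date(2020, 3, 1), False, 3, 9, ["consumer-sync-client"]),
]


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_FLEET, TODAY)
    print(f"Endpoint Hygiene Coefficient: {report['coefficient']:.2f}")
    for host, reasons in report["drift"].items():
        print(f"  {host}: {'; '.join(reasons)}")
```

The per-device reason list is the useful output: the coefficient tells you how far the fleet has drifted, while the reasons tell you which control (encryption, patching, AV, check-in) to repair on which device, and a device that stops checking in is reported as dark before its other controls can even be assessed.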
We all have data to protect. But when you fortify data and avoid unwitting user hazards by probing for sensitive information, blocking unauthorized software, monitoring hygiene and recruiting your users to join your epic quest you can safeguard our most valuable raw material: information.
The world is far from perfect. But in the next episode, we’ll accept that reality that we don’t live in a Utopia, and explore the techniques for finding trouble.
So make sure you subscribe, and we’ll see you next time!

Should You Pay Ransomware Demands?

The fact that the Indiana hospital system, Hancock Health was hacked recently isn’t big news these days. Sadly, healthcare security breaches happen all too frequently. What is surprising however is what the health network elected to do about it – they paid the hackers’ ransom demand of four Bitcoin, equal to approximately $50,000 at the time, and then, for reasons we can’t really know, they told people about it.
In subsequent interviews with local media, Hancock Health officials said they decided, after lengthy debate, to pay the ransom that would unlock about 1,400 patient files from unidentified hacker control despite having data back-ups. Rather than wait weeks for a proper system reboot, administrators made the decision to pay to “expedite return to full operations.” A type of ransomware called SamSam was reportedly used and Hancock Health was given 7 days to pay via Bitcoin. “These folks have an interesting business model,” CEO Steve Long said. “They make it just easy enough to pay the ransom; they price it right.”
Ransomware attacks around the globe are on the rise. According to the 2017 Verizon Data Breach Incident Report, ransomware rose 51%. A Google study presented in July 2017 showed more than $25 million was paid out in ransom over the last two years. Cryptocurrency payment has been the most popular demand although it’s interesting to note even ransomware cybercriminals are seemingly moving away from Bitcoin payments right now given the cryptocurrency’s volatility. Like any other business, they are in it for maximum profit.
Because ransomware isn’t likely going away anytime soon, the question for many organizations is should you pay? Or shouldn’t you? Here are some things to consider:
To Pay or Not to Pay the Ransom
Locked patient files are of course a real problem. In the case of Hancock Health, doctors and nurses were forced to use pen and paper to keep track of medical records. Paying the ransom may be the quickest and most pragmatic solution in the face of chaos. If critical systems are down and your most important task is getting them back up, you just may not have another option.
Then again, if essential files or data are held hostage, and there are no back-ups available, will paying the ransom get you those files back? Unfortunately, payment doesn’t guarantee you will regain access to your information.
Paying ransom demands is actually very similar to a small business having to pay protection money to their local organized crime outfit. By feeding the disease, you are guaranteeing its continued spread. If no one paid ransom anymore, ransomware would rapidly cease to exist… after all, cyber criminals are in it for the cash. This is the line of thinking the FBI takes. The U.S. government doesn’t support paying a ransom or negotiating in any way.
3 Tips to Fight Ransomware
Of course, the best-case scenario is that you don’t get hit with ransomware at all. Not having to choose between paying and not paying is the best choice. Here are a few quick tips to lessen your chances of getting socked with a ransom demand:

Gain visibility – You can’t protect what you can’t see. It’s important to monitor and control rogue or dark endpoints, whether they’re on or off the network. When you have a good handle on your assets and their current status, you can respond swiftly and effectively.

Patch all and often – Many ransomware attacks rely on known vulnerabilities. Last year’s WannaCry is but one recent example. Patch all of your endpoints in a timely manner and you’ll head off many attacks before they can even start, and improve your overall security posture.

Containment – Segregate infected devices from the corporate domain and regularly monitor firewall rules to prevent further spread. This way, in the event there is even a whiff of something going wrong, you can prevent a security incident from becoming a company catastrophe.

For more information on the rise of ransomware, strategies for preventing it and recovering from it, take a look at the report Ransomware Protection: Five Best Practices.

Looking Ahead: 2018 Cybersecurity Forecast

From the WannaCry cyberattack on the operations of major multinational corporations, to the Equifax data breach that impacted 145.5 million customers in the U.S. and Canada, 2017 marked a shift in the cybersecurity landscape. Hackers upped their game—exploiting new vulnerabilities, leaking spy tools from U.S. intelligence agencies, and hacking political campaigns. As hackers gear up to unleash new and improved attacks in 2018, enterprises will need to be more proactive and reevaluate where they are dedicating resources. Here are my top ten predictions for what we can expect to see in 2018: 

‘Hacking back’ policy will be an increasing concern. Two members of the U.S. House of Representatives introduced a bill earlier this year that allows victims to hack their hackers. The trouble is, we already know that real, definitive attribution is incredibly difficult. So, how can we ever be sure that we’re attacking the real source of an attack? What will happen when the source of an attack is another company that suffered its own breach and is being used as an intermediary? Will that company then be forced to “hack back” the hacking hackers? The situation could quickly devolve into chaos if organizations are allowed to build red teams with the sole purpose of going on the offensive. 
GDPR will levy its first fine, and it will be painful. This is a very real threat to the many organizations who have not taken it seriously or have not done any preparation for it. We can expect to see at least one major fine levied against an organization who has made the conscious decision to play fast and loose with GDPR and abuse or lose EU citizen data. If I were a CISO in an organization that isn’t ready for GDPR? I’d start dusting off the resume and look to get far, far, away.
North Korean-sponsored groups will become a bigger threat. I think companies in the Western world need to be especially concerned about the impact of North Korean-sponsored groups. They have shown themselves to be highly skilled and capable of breaching and damaging their attack targets. Their intentions are multifaceted: they are combing the internet looking for ways to financially benefit, and they are equally interested in compromising targets that are politically beneficial to their leadership. Whatever they lack in skill, they make up with intensity and willingness to cause great damage to systems, which should concern executives everywhere.
The effects of the Equifax breach will linger for years. The Equifax breach and the colossal amount of personal information that was stolen will make things really difficult for defenders and those dealing with identity theft for years to come. Companies that rely on knowledge-based questions as part of their authentication measures (e.g. What street did you grow up on? Who did you have a car loan with in 2014?) will need to toss out those questions and embrace new methods to authenticate customers. I expect to see a surge in financial and identity theft for the next two years as a result of the Equifax hack.
The Shadow Brokers won’t go away anytime soon. I expect the Shadow Brokers to continue to attempt to profit off their pilfered exploits, and perhaps leak more exploits throughout 2018. I hope NSA officials will be able to determine everything the Shadow Brokers stole, and that they are working behind the scenes with technology vendors to rapidly fix the vulnerabilities that will certainly come to light.
API-based attacks will become a bigger deal. There is a lot of backend traffic flying around the internet—things the average consumer can’t see. Many API-based solutions are not regularly monitored, and some of them use outdated security methods, making them ripe for pilfering. I would be shocked if there wasn’t at least one massive breach in 2018 that involved the exfiltration of large data sets of sensitive information through this method.
DDoS will continue to sucker punch assets online. As more and more devices come online, especially ‘smart’ IoT devices, attackers will find new ways to zombie them and use them in their massive DDoS armies. Further, as the volume of DDoS attacks increases, demand for mitigation services will begin to increase exponentially. With the explosion of IoT device deployments in the marketplace, and the lack of better default security within these devices, it is entirely possible that DDoS will take over from ransomware as a dominant risk to organizations worldwide.
Security budgets will increase. There is no evidence to suggest the share of IT budgets allotted to security will decrease in 2018. The massive security incident at Equifax and the catastrophic impact of WannaCry and Petya/NotPetya on organizations around the globe spurred many companies, both small and large, to re-evaluate their spending and the allocation of their security dollars.
Use of ransomware will expand. The ransomware scourge won’t go away anytime soon. While it seems as though fewer individuals are paying out, the ROI for cybercriminals is still massive, and it keeps getting easier for them to spin up ransomware backend infrastructure to launch massive attacks. Crimeware-as-a-Service will keep enabling less-skilled attackers to launch attacks in the hopes of finding riches.
Companies will increase their focus on detection and response. Enterprises will put a significant share of their security dollars toward endpoint detection and response (EDR) technologies. Malicious and non-malicious insider incidents continue to wreak havoc on networks, and shoring up defenses at the endpoint can go a long way toward mitigating those threats. The tide has started to shift from focusing on prevention to immediate detection and response to incidents. Uncovering dark corners and hard-to-manage endpoints will be essential to delivering the rapid response capabilities needed to remediate devices in the critical moments after a security incident happens.

Like many things in our lives, threat actors evolve. They learn new and novel ways of committing cyber crime, and interesting ways to break into targets. Today’s highly sophisticated attacks become tomorrow’s exploit kit fodder and script kiddie toolbox. It’s the nature of the business. Threat actors today have become so adept at immediately taking advantage of new vulnerabilities that it’s incredibly hard for defenders and security vendors to protect against every single crack in the dike. As 2017 has shown us, no one is immune from cyber attacks. Consumers and enterprises alike will need to stay just as vigilant in 2018, if not more, to protect their assets from constantly evolving cyber threats.

Detect and Respond to Malware Attacks

2017 has been a record-setting year for malware. Organizations and individuals around the world have been repeatedly under attack by aggressive, pervasive strains of malware, from WannaCry, Mamba and Petya to the most recent Locky strain, already pegged as the largest malware campaign of 2017, with over 23 million messages sent out in 24 hours on August 28, spiking just as US workers arrived at their offices to start the week.
Not to be outdone, Locky was chased by Ursnif, spread by a massive spambot to over 711 million email and server accounts. Ursnif drops component files onto an infected system to create autostart registry entries, infects files, and gathers system information, sending it to a command-and-control server.
Reports have also indicated that malware in general is on the rise. Mac malware is up 220% in 2017, and Google Play just removed 500+ apps hit by malware that could have been used to spy on users. We could go on. Security experts the world over agree: it’s no longer just about prevention, it’s also about detection and rapid response capabilities.
3 Steps to Boost Your Malware Defences
The key to spotting and containing the spread of malware is already embedded in most endpoints via Absolute’s Persistence technology. Our solution, which is in more than 1 billion popular PC and mobile devices at the firmware level, gives IT departments visibility and control of those devices, on and off the network. Here’s how that’s important:

Early Detection – with Absolute, you are able to see and control rogue or dark endpoints, whether they’re on or off the network. Spot and retire “out of support systems”, remove sensitive data, and monitor OS patches for compliance.
Self-Healing Response – with the power of Application Persistence, you can ensure your entire endpoint security system (made up of patch management tools and other endpoint security agents) is operating at optimal health and efficacy. If attempts are made to disable, disarm, corrupt or delete any of these applications, or even the whole OS, our self-healing technology will automatically return devices to a healthy and protected state.
Containment – Absolute’s containment capabilities allow an organization to segregate infected devices from the corporate domain to prevent further spread. Our Containment services interact with a company’s firewall to block web traffic to and from devices faster than manual efforts. Firewall rules are also constantly monitored and are re-created or repaired if a user tries to modify them.
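The three controls above (visibility into dark endpoints, patch compliance, and firewall-based containment whose rules are repaired when someone alters them) are the same ones listed in the earlier “3 Tips to Fight Ransomware” section, so one worked example covers both. What follows is an added Python illustration, not Absolute’s code or anything from the original page: the inventory, the reference date, the “YYYY-MM” patch-level scheme and the (action, host, direction) rule tuples are all constructed assumptions standing in for a real management console and firewall.

```python
"""Endpoint visibility, patch-compliance and containment checks.

Added illustration, not Absolute's code. The inventory, the reference
time and the firewall-rule representation are all constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic offline.
NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)


@dataclass
class Endpoint:
    hostname: str
    last_seen: datetime     # last check-in with the management console
    patch_level: str        # "YYYY-MM" of the newest OS update applied (constructed scheme)
    infected: bool = False  # flagged by the endpoint agent or the SOC


# Constructed sample inventory: one healthy host, one silent and stale
# host, and one freshly flagged infected laptop.
INVENTORY = [
    Endpoint("ws-radiology-01", NOW - timedelta(days=1), "2018-01"),
    Endpoint("ws-billing-07", NOW - timedelta(days=45), "2017-09"),
    Endpoint("lt-nurse-12", NOW - timedelta(hours=3), "2017-11", infected=True),
]


def dark_endpoints(inventory, now=NOW, max_silence_days=14):
    """Hosts that have not checked in for longer than the tolerated window.

    A silent host may be off the network, decommissioned without record,
    or have had its agent disabled; all three need a human to look.
    """
    cutoff = now - timedelta(days=max_silence_days)
    return sorted(e.hostname for e in inventory if e.last_seen < cutoff)


def patch_noncompliant(inventory, baseline="2017-12"):
    """Hosts whose newest applied update predates the required baseline.

    Patch levels are "YYYY-MM" strings, so a plain string comparison
    orders them chronologically.
    """
    return sorted(e.hostname for e in inventory if e.patch_level < baseline)


def containment_rules(inventory):
    """Firewall rules that should be in force: block both directions for
    every host flagged as infected. Rules are (action, host, direction)
    tuples, a constructed stand-in for a real firewall's rule syntax."""
    rules = set()
    for e in inventory:
        if e.infected:
            rules.add(("block", e.hostname, "in"))
            rules.add(("block", e.hostname, "out"))
    return rules


def reconcile_rules(current_rules, desired_rules):
    """Compare the rules actually on the firewall with the desired set.

    Returns (to_recreate, to_remove): desired rules that are missing or
    were altered must be re-created; rules nobody asked for (for example
    a block flipped to an allow) are removed.
    """
    to_recreate = sorted(desired_rules - current_rules)
    to_remove = sorted(current_rules - desired_rules)
    return to_recreate, to_remove


def posture_report(inventory, current_rules, now=NOW):
    """One pass over the inventory producing the items a responder acts on."""
    desired = containment_rules(inventory)
    to_recreate, to_remove = reconcile_rules(current_rules, desired)
    return {
        "dark": dark_endpoints(inventory, now),
        "unpatched": patch_noncompliant(inventory),
        "recreate_rules": to_recreate,
        "remove_rules": to_remove,
    }


if __name__ == "__main__":
    # Constructed: someone flipped the outbound block on the infected laptop to an allow.
    tampered = {("block", "lt-nurse-12", "in"), ("allow", "lt-nurse-12", "out")}
    for key, value in posture_report(INVENTORY, tampered).items():
        print(f"{key}: {value}")
```

Run on a schedule against the real console and firewall, the report is the to-do list the text describes: silent hosts to chase, stale hosts to patch, and the quarantine rule that was tampered with to put back. Keeping the desired rule set derived from the inventory, rather than hand-edited on the firewall, is what makes the repair automatic.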

The way to contain the damage is ultimately greater awareness, automation, a strong IT asset management program, and a more resilient defense-in-depth architecture. Absolute technology allows security teams to maintain absolute visibility and contain malware-infected devices faster. If you have questions or concerns regarding Locky, WannaCry or other security issues in your organization, please contact our security experts in North America or the UK.

Are Hacked Medical IoT Devices Ransomware’s Next Target?

Shortly after IoT became a mainstream topic, the idea of device access-control falling into the wrong hands also grabbed headlines. Was it possible? What would happen? These are particularly concerning questions for healthcare organizations who deal in life-saving devices. But the notion of hacked medical devices such as defibrillators, pacemakers and insulin machines seemed more science fiction than real risk – a few years ago. Today, we know hacked medical devices are reality.
Last week, Abbott Laboratories mailed notices to 456,000 people in the US urging them to update the firmware that runs their pacemakers. Without it, pacemaker recipients could fall victim to a potentially fatal attack whereby a malicious attacker could alter device settings or otherwise impact functionality. You can read the full FDA cybersecurity notice here, but the short of it is that this is some pretty serious stuff.
The thought of a cybercriminal being able to exert some measure of control over a patient’s most critical medical devices is unsettling at best, but surprisingly enough, that shouldn’t be our only concern. Hacking medical IoT devices to physically harm someone may still feel far-fetched but not because it isn’t possible, rather it isn’t in line with the majority of money-seeking hackers out there. Much more likely is the threat of harming people to get a ransom paid. We still have to remind ourselves that most cybercriminals are plying their wares to enrich themselves. Sure, there are still a small number of hackers out there “doing it for the lulz”, but it’s hard to picture a mischievous hacker like that intentionally causing physical harm to people.
Ransomware has already hit the healthcare industry hard – the 2017 Verizon Data Breach Incident Report (DBIR) ranks ransomware as the fifth most common attack type in healthcare and 72% of all healthcare malware attacks last year were ransomware. There is little reason to believe ransomware attacks will slow, only evolve, which is what we are seeing now.
Ransomware 2.0
Ransomware is most commonly spread through email and malicious advertising. “Ransomware 2.0” is the evolution of that malware to also exploit network and server-side vulnerabilities and to self-replicate. While ransomware ups its technical game, the criminals behind it are also constantly evolving. For maximum monetization, they often use the ‘spray and pray’ method when looking for new, easy targets. Given better malware and the lack of sufficient protections that we know are common in medical IoT, this is one area they are sure to keep targeting.
As of right now, the many players involved in healthcare aren’t making this process any easier. Medical device manufacturers make the device, medical teams implant them and patients rely on them. Only the device manufacturer really understands the device firmware, so it’s up to them to maintain those devices and patch any vulnerabilities. But as WannaCry and other recent attacks made clear, those updates don’t always get made at the manufacturing layer, let alone get passed along to healthcare providers or patients who rely on those devices. The hopeful silver lining is that a lot of device manufacturers now appear acutely aware of cybersecurity issues and are taking the much-needed engineering and development steps to respond quickly to found issues… and to deliver future products that are easier to fix when the need arises.
What can be done until then? Obviously the critical step for those on the front lines is to deploy any available security updates as quickly as possible. If you are a medical device manufacturer or other healthcare organization, maintaining a strong security posture across your network and all of your endpoints could save you a lot of money in ransom. For your company, it could save you millions in regulatory and legal penalties. For your patient, as scary as it may sound… it could mean the difference between life and death.