Category: Ransomware

The Criticality of Strong Cyber Hygiene

The more connected we become, the more exposed we are to cyber criminals looking for a chance to capitalize on our technology dependency. Unfortunately, we’ve seen this breakdown many times – in our hospitals when WannaCry ransomware forced medical personnel to turn away patients, and in our local governments when ransomware used by the SamSam group left the city of Atlanta unable to validate arrest warrants or accept bill payments from residents. These are but two recent examples.
With countless attack possibilities and an ever-expanding attack surface driven by the explosion of apps, IoT and mobile users, savvy organizations today consider a breach a matter of when, not if. But there are practical steps you can take that will make a successful attack harder, which might just be enough to cause your would-be attacker to move on to lower-hanging fruit for a faster, easier score.
As your organization works to become more effective and efficient through innovative technology, a security mindset must be baked in from the very beginning. This mindset is best shaped by the goal of strong cyber hygiene, which covers these basic areas:

Fortifying data
Probing for sensitive info
Blocking unauthorized software
Monitoring hygiene
Educating users

Allowing the protection of your service offerings to become an afterthought could be a costly mistake. Thankfully, the NIST Cybersecurity Framework (NIST CSF) was created to help us advance along the continuum of good cyber hygiene. It was designed to help IT security pros everywhere, regardless of industry, categorically safeguard their devices, data, apps and users with a set of 5 broad practices: identify, protect, detect, respond and recover.
If you are looking for more information on how NIST CSF can help your organization, we created a series of short videos on the framework and other essential cybersecurity tips. For more on cyber hygiene, watch the video below, which is a look at NIST CSF’s second pillar, Protect. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video: NIST Cybersecurity Framework

Video Transcript
Hey! It’s me again, Josh from Absolute.
This week’s episode is fully dedicated to the “Protect” pillar of the NIST Cybersecurity Framework.
Although everyone wants to describe their data, devices, apps and users as safe, the label is only true when we take deliberate steps to make it that way. That is why the NIST Cybersecurity Framework focuses on those actions we can take to have safe devices, safe data, safe apps, and safe users.
The second law of thermodynamics tells us that everything in our universe, everything, goes from order to disorder, unless something (or someone) acts to reverse the drag of entropy. Without action, devices and data will naturally lead to disorder. They’ll degrade and fall to shipwreck.
But the NIST “Protect” pillar gives us guidance for VPN access, blocking cloud storage apps, persisting endpoint visibility, and regenerating security apps like encryption or anti-malware: all hallmarks of good cyber hygiene.
With a keen eye on endpoint hygiene, you can bolster the entire device population. All put into service to protect data. These attributes can be measured with a unique score: The Endpoint Hygiene Coefficient.
When no single device aligns with my picture of hygiene, my Endpoint Hygiene Coefficient is “0”.
This is rare. So rare, that we can rule it out. But just as rare is an Endpoint Hygiene Coefficient of “1”. If only our devices remained that pristine. So imagine an Endpoint Hygiene Coefficient of “0.81”. This means that some, if not all, devices are pulling us away, to some degree, from where they need to be.
Some devices are unencrypted, others are encrypted but have sensitive data in cloud storage apps. Still others have outdated AV tools. The reasons can vary, but by examining the device population AND quantifying the drift, you can get ahead of mishaps that put data at-risk.
We all have data to protect. But when you fortify data and avoid unwitting user hazards by probing for sensitive information, blocking unauthorized software, monitoring hygiene and recruiting your users to join your epic quest, you can safeguard our most valuable raw material: information.
The world is far from perfect. But in the next episode, we’ll accept the reality that we don’t live in a Utopia, and explore the techniques for finding trouble.
So make sure you subscribe, and we’ll see you next time!
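The Endpoint Hygiene Coefficient described in the transcript above, as an added example that is not Absolute’s own code or scoring formula: it assumes a per-device score equal to the fraction of hygiene checks passed (disk encryption, no sensitive data in cloud storage apps, current AV signatures, no unauthorized software), averages that over a constructed fleet, computes a stricter all-or-nothing variant alongside it, and lists which checks each drifting device fails.

```python
"""Endpoint Hygiene Coefficient over a constructed device inventory.

The scoring rule is an assumption made for this example, not Absolute's
formula: each device is run through a small set of hygiene checks, its
score is the fraction of checks it passes, and the coefficient is the
mean score across the population. A stricter reading (fraction of
devices that pass every check) is computed alongside for comparison.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed threshold: AV signatures older than this count as "outdated".
AV_MAX_AGE = timedelta(days=7)


@dataclass
class Device:
    name: str
    encrypted: bool                      # full-disk encryption enabled
    sensitive_data_in_cloud_apps: bool   # sensitive files found in cloud storage apps
    av_signature_date: date              # last anti-malware signature update
    unauthorized_software: bool = False  # blocked software detected on the device


def hygiene_checks(device: Device, today: date) -> dict[str, bool]:
    """Map each hygiene check to whether the device passes it."""
    return {
        "disk_encrypted": device.encrypted,
        "no_sensitive_data_in_cloud_storage": not device.sensitive_data_in_cloud_apps,
        "av_signatures_current": today - device.av_signature_date <= AV_MAX_AGE,
        "no_unauthorized_software": not device.unauthorized_software,
    }


def device_score(device: Device, today: date) -> float:
    """Fraction of hygiene checks the device passes (1.0 = pristine)."""
    checks = hygiene_checks(device, today)
    return sum(checks.values()) / len(checks)


def hygiene_coefficient(devices: list[Device], today: date) -> float:
    """Mean device score across the population: 0 = nothing aligned, 1 = all pristine."""
    if not devices:
        raise ValueError("empty device population")
    return sum(device_score(d, today) for d in devices) / len(devices)


def strict_coefficient(devices: list[Device], today: date) -> float:
    """Stricter variant: fraction of devices that pass every single check."""
    if not devices:
        raise ValueError("empty device population")
    return sum(device_score(d, today) == 1.0 for d in devices) / len(devices)


def drift_report(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Name each drifting device together with the checks it fails."""
    report = {}
    for d in devices:
        failed = [name for name, ok in hygiene_checks(d, today).items() if not ok]
        if failed:
            report[d.name] = failed
    return report


# Constructed sample fleet (not real inventory data).
TODAY = date(2018, 1, 15)
FLEET = [
    Device("lt-001", True, False, date(2018, 1, 14)),   # pristine
    Device("lt-002", False, False, date(2018, 1, 14)),  # unencrypted
    Device("lt-003", True, True, date(2018, 1, 14)),    # sensitive data in a cloud app
    Device("lt-004", True, False, date(2017, 12, 1)),   # outdated AV signatures
]

if __name__ == "__main__":
    print(f"Endpoint Hygiene Coefficient: {hygiene_coefficient(FLEET, TODAY):.4f}")
    print(f"Strict coefficient:           {strict_coefficient(FLEET, TODAY):.4f}")
    for name, failed in drift_report(FLEET, TODAY).items():
        print(f"  {name}: failing {', '.join(failed)}")
```

The two readings diverge sharply on the same fleet (mean score 0.8125 versus a strict 0.25), which is why the drift report, not the headline number, is what tells you which devices to fix.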

Should You Pay Ransomware Demands?

The fact that the Indiana hospital system, Hancock Health, was hacked recently isn’t big news these days. Sadly, healthcare security breaches happen all too frequently. What is surprising, however, is what the health network elected to do about it – they paid the hackers’ ransom demand of four Bitcoin, equal to approximately $50,000 at the time, and then, for reasons we can’t really know, they told people about it.
In subsequent interviews with local media, Hancock Health officials said they decided, after lengthy debate, to pay the ransom that would unlock about 1,400 patient files from unidentified hacker control despite having data back-ups. Rather than wait weeks for a proper system reboot, administrators made the decision to pay to “expedite return to full operations.” A type of ransomware called SamSam was reportedly used and Hancock Health was given 7 days to pay via Bitcoin. “These folks have an interesting business model,” CEO Steve Long said. “They make it just easy enough to pay the ransom; they price it right.”
Ransomware attacks around the globe are on the rise. According to the 2017 Verizon Data Breach Incident Report, ransomware rose 51%. A Google study presented in July 2017 showed more than $25 million was paid out in ransom over the last two years. Cryptocurrency payment has been the most popular demand, although it’s interesting to note that even ransomware cybercriminals seem to be moving away from Bitcoin payments right now given the cryptocurrency’s volatility. Like any other business, they are in it for maximum profit.
Because ransomware isn’t likely to go away anytime soon, the question for many organizations is: should you pay, or shouldn’t you? Here are some things to consider:
To Pay or Not to Pay the Ransom
Locked patient files are of course a real problem. In the case of Hancock Health, doctors and nurses were forced to use pen and paper to keep track of medical records. Paying the ransom may be the quickest and most pragmatic solution in the face of chaos. If critical systems are down and your most important task is getting them back up, you just may not have another option.
Then again, if essential files or data are held hostage, and there are no back-ups available, will paying the ransom get you those files back? Unfortunately, payment doesn’t guarantee you will regain access to your information.
Paying ransom demands is actually very similar to a small business having to pay protection money to their local organized crime outfit. By feeding the disease, you are guaranteeing its continued spread. If no one paid ransom anymore, ransomware would rapidly cease to exist… after all, cyber criminals are in it for the cash. This is the line of thinking the FBI takes. The U.S. government doesn’t support paying a ransom or negotiating in any way.
3 Tips to Fight Ransomware
Of course, the best case scenario is that you don’t get hit with ransomware at all. Not having to choose between paying or not paying is the best choice. Here are a few quick tips to lessen your chances of getting socked with a ransom demand:

Gain visibility – You can’t protect what you can’t see. It’s important to monitor and control rogue or dark endpoints, whether they’re on or off the network. When you have a good handle on your assets and their current status, you can respond swiftly and effectively.

Patch all and often – Many ransomware attacks rely on known vulnerabilities. Last year’s WannaCry is but one recent example. Patch all of your endpoints in a timely manner and you’ll head off many attacks before they can even start and improve your overall security posture.

Containment – Segregate infected devices from the corporate domain and regularly monitor firewall rules to prevent further spread. This way, in the event there is even a whiff of something going wrong, you can prevent a security incident from becoming a company catastrophe.

For more information on the rise of ransomware, strategies for preventing it and recovering from it, take a look at the report Ransomware Protection: Five Best Practices.

Looking Ahead: 2018 Cybersecurity Forecast

From the WannaCry cyberattack on the operations of major multinational corporations, to the Equifax data breach that impacted 145.5 million customers in the U.S. and Canada, 2017 marked a shift in the cybersecurity landscape. Hackers upped their game—exploiting new vulnerabilities, leaking spy tools from U.S. intelligence agencies, and hacking political campaigns. As hackers gear up to unleash new and improved attacks in 2018, enterprises will need to be more proactive and reevaluate where they are dedicating resources. Here are my top ten predictions for what we can expect to see in 2018: 

‘Hacking back’ policy will be an increasing concern. Two members of the U.S. House of Representatives introduced a bill earlier this year that allows victims to hack their hackers. The trouble is, we already know that real, definitive attribution is incredibly difficult. So, how can we ever be sure that we’re attacking the real source of an attack? What will happen when the source of an attack is another company that suffered its own breach and is being used as an intermediary? Will that company then be forced to “hack back” the hacking hackers? The situation could quickly devolve into chaos if organizations are allowed to build red teams with the sole purpose of going on the offensive. 
GDPR will levy its first fine, and it will be painful. This is a very real threat to the many organizations who have not taken it seriously or have not done any preparation for it. We can expect to see at least one major fine levied against an organization who has made the conscious decision to play fast and loose with GDPR and abuse or lose EU citizen data. If I were a CISO in an organization that isn’t ready for GDPR? I’d start dusting off the resume and look to get far, far, away.
North Korean-sponsored groups will become a bigger threat. I think companies in the Western world need to be especially concerned about the impact of North Korean-sponsored groups. They have shown themselves to be highly skilled and capable of breaching and damaging their attack targets. Their intentions are multifaceted: they are combing the internet looking for ways to financially benefit, and they are equally interested in compromising targets that are politically beneficial to their leadership. Whatever they lack in skill, they make up with intensity and willingness to cause great damage to systems, which should concern executives everywhere.
The effects of the Equifax breach will linger for years. The Equifax breach and the colossal amount of personal information that was stolen will make things really difficult for defenders and those dealing with identity theft for years to come. Companies that rely on knowledge-based questions as part of their authentication measures (i.e. What street did you grow up on? Who did you have a car loan with in 2014?) will need to toss out those questions and embrace new methods to authenticate customers. I expect to see a surge in financial and identity theft for the next two years as a result of the Equifax hack.
The Shadow Brokers won’t go away anytime soon. I expect the Shadow Brokers to continue to attempt to profit off their pilfered exploits, and perhaps leak more exploits throughout 2018. I hope NSA officials will be able to determine everything the Shadow Brokers stole, and that they are working behind the scenes with technology vendors to rapidly fix the vulnerabilities that will certainly come to light.
API-based attacks will become a bigger deal. There is a lot of backend traffic flying around the internet: things the average consumer can’t see. Many API-based solutions are not regularly monitored, and some of them use outdated security methods, making them ripe for pilfering. I would be shocked if there wasn’t at least one massive breach in 2018 that involved the exfiltration of large data sets of sensitive information through this method.
DDoS will continue to sucker punch assets online. As more and more devices come online, especially ‘smart’ IoT devices, attackers will find new ways to zombie them and use them in their massive DDoS armies. Further, as the volume of DDoS attacks increases, demand for mitigation services will begin to increase exponentially. With the explosion of the deployment of IoT devices in the marketplace, and the lack of a better default security within these devices, it is entirely possible that DDoS will take over from ransomware as a dominant risk to organizations worldwide.
Security budgets will increase. There is no evidence to suggest the share of IT budgets allotted to security will decrease in 2018. The massive security incident at Equifax and the catastrophic impact of WannaCry and Petya/NotPetya on organizations around the globe spurred many companies, both small and large, to re-evaluate their spending and the allocation of their security dollars.
Use of ransomware will expand. The ransomware scourge won’t go away anytime soon. While it seems as though fewer individuals are paying out, the ROI for cybercriminals is still massive, and it keeps getting easier for them to spin up ransomware backend infrastructure to launch massive attacks. Crimeware-as-a-Service will keep enabling less-skilled attackers to launch attacks in the hopes of finding riches.
Companies will increase their focus on detection and response. Enterprises will put a significant share of their security dollars toward endpoint detection and response (EDR) technologies. Malicious and non-malicious insider incidents continue to wreak havoc on networks, and shoring up defenses at the endpoint can go a long way toward mitigating those threats. The tide has started to shift from focusing on prevention to immediate detection and response to incidents. Uncovering dark corners and hard-to-manage endpoints will be essential to delivering the rapid response capabilities needed to remediate devices in the critical moments after a security incident happens.

Like many things in our lives, threat actors evolve. They learn new and novel ways of committing cyber crime, and interesting ways to break into targets. Today’s highly sophisticated attacks become tomorrow’s exploit kit fodder and script kiddie toolbox. It’s the nature of the business. Threat actors today have become so adept at immediately taking advantage of new vulnerabilities that it’s incredibly hard for defenders and security vendors to protect against every single crack in the dike. As 2017 has shown us, no one is immune from cyber attacks. Consumers and enterprises alike will need to stay just as vigilant in 2018, if not more, to protect their assets from constantly evolving cyber threats.

Detect and Respond to Malware Attacks

2017 has been a record-setting year for malware. Organizations and individuals around the world have been repeatedly under attack by aggressive, pervasive strains of malware, from WannaCry, Mamba and Petya to the most recent Locky strain, already pegged as the largest malware campaign of 2017, with over 23 million messages sent out in 24 hours on August 28, spiking just as US workers arrived at their offices to start the week.
Not to be outdone, Locky was chased by Ursnif, spread by a massive spambot to over 711 million email and server accounts. Ursnif drops component files onto an infected system to create autostart registry entries, infects files, and collects system information and sends it to a command and control server.
Reports have also indicated that malware in general is on the rise: Mac malware has gone up 220% in 2017, and Google Play just removed 500+ apps hit by malware that could have been used to spy on users. We could go on. Security experts the world over agree: it’s no longer just about prevention; it’s also about detection and rapid response capabilities.
3 Steps to Boost Your Malware Defences
The key to spotting and containing the spread of malware is already embedded in most endpoints via Absolute’s Persistence technology. Our solution, which is in more than 1 billion popular PC and mobile devices at the firmware level, gives IT departments visibility and control of those devices, on and off the network. Here’s how that’s important:

Early Detection – with Absolute, you are able to see and control rogue or dark endpoints, whether they’re on or off the network. Spot and retire “out of support systems”, remove sensitive data, and monitor OS patches for compliance.
Self-Healing Response – with the power of Application Persistence, you can ensure your entire endpoint security system (made up of patch management tools and other endpoint security agents) is operating at optimal health and efficacy. If attempts are made to disable, disarm, corrupt or delete any of these applications, or even the whole OS, our self-healing technology will automatically return devices to a healthy and protected state.
Containment – Absolute’s containment capabilities allow an organization to segregate infected devices from the corporate domain to prevent further spread. Our Containment services interact with a company’s firewall to block web traffic to and from devices faster than manual efforts. Firewall rules are also constantly monitored and are re-created or repaired if a user tries to modify them.

The way to contain the damage is ultimately greater awareness, automation, a strong IT asset management program, and a more resilient defense-in-depth architecture. Absolute technology allows security teams to maintain absolute visibility and contain malware-infected devices faster. If you have questions or concerns regarding Locky, WannaCry or other security issues in your organization, please contact our security experts in North America or the UK.

Are Hacked Medical IoT Devices Ransomware’s Next Target?

Shortly after IoT became a mainstream topic, the idea of device access-control falling into the wrong hands also grabbed headlines. Was it possible? What would happen? These are particularly concerning questions for healthcare organizations who deal in life-saving devices. But the notion of hacked medical devices such as defibrillators, pacemakers and insulin machines seemed more science fiction than real risk – a few years ago. Today, we know hacked medical devices are reality.
Last week, Abbott Laboratories mailed notices to 456,000 people in the US urging them to update the firmware that runs their pacemakers. Without it, pacemaker recipients could fall victim to a potentially fatal attack whereby the malicious attacker could alter device settings or otherwise impact functionality. You can read the full FDA cybersecurity notice here but the short of it is this is some pretty serious stuff.
The thought of a cybercriminal being able to exert some measure of control over a patient’s most critical medical devices is unsettling at best, but surprisingly enough, that shouldn’t be our only concern. Hacking medical IoT devices to physically harm someone may still feel far-fetched, not because it isn’t possible, but because it isn’t in line with the aims of the majority of money-seeking hackers out there. Much more likely is the threat of harming people to get a ransom paid. We still have to remind ourselves that most cybercriminals are plying their wares to enrich themselves. Sure, there are still a small number of hackers out there “doing it for the lulz”, but it’s hard to picture a mischievous hacker like that intentionally causing physical harm to people.
Ransomware has already hit the healthcare industry hard – the 2017 Verizon Data Breach Incident Report (DBIR) ranks ransomware as the fifth most common attack type in healthcare and 72% of all healthcare malware attacks last year were ransomware. There is little reason to believe ransomware attacks will slow, only evolve, which is what we are seeing now.
Ransomware 2.0
Ransomware is most commonly spread through email and malicious advertising. “Ransomware 2.0” is the evolution of that malware to also include network and server-side vulnerabilities and self-replication. While ransomware ups its technical game, the criminals behind it are also constantly evolving. For maximum monetization, they often use the ‘spray and pray’ method when looking for new, easy targets. Given better malware and the lack of sufficient protections that we know are common in medical IoT, this is one area they are sure to keep targeting.
As of right now, the many players involved in healthcare aren’t making this process any easier. Medical device manufacturers make the device, medical teams implant them and patients rely on them. Only the device manufacturer really understands the device firmware so it’s up to them to maintain those devices and patch any vulnerabilities. But as WannaCry and other attacks recently called out, those updates don’t always get made at the manufacturing layer, let alone get passed along to healthcare providers or patients who rely on those devices. But the hopeful silver lining is that it appears a lot of device manufacturers are now acutely aware of cybersecurity issues and are taking the much needed engineering and development steps to provide quick responses to found issues… and delivering future products that are easier to fix when the need arises.
What can be done until then? Obviously the critical step for those on the front lines is to deploy any available security updates as quickly as possible. If you are a medical device manufacturer or other healthcare organization, maintaining a strong security posture across your network and all of your endpoints could save you a lot of money in ransom. For your company, it could save you millions in regulatory and legal penalties. For your patient, as scary as it may sound… it could mean the difference between life and death.

WannaCry Again with Petya?

Another massive ransomware outbreak is on the move, and it seems few are immune, though many more could be if they stayed up to date on patching.
In what appears to have started in Ukraine yesterday and then quickly spread throughout Europe and beyond, enterprises from virtually every industry are falling victim to another large-scale ransomware attack. From oil refineries to banks, government agencies to ad agencies, no one is immune, which often means one thing – the motivation is money.
Many researchers are connecting this attack to a family of ransomware known as Petya. Others are claiming that it’s “Not Petya” but an entirely new family of ransomware. In the interest of consistency, I’m just going to call it Petya going forward.
It’s still very early and researchers are still sorting out the details but it does look like Petya is leveraging ETERNALBLUE – the exploit WannaCry used in its global ransomware attack just 2 months ago. If ETERNALBLUE sounds familiar, it should. This particular exploit was included in the tools the ShadowBrokers stole from the NSA and leaked for every cybercriminal to use. The financial motivation here has yet to pay out substantially. Reportedly, the hackers are demanding $300 in Bitcoin ransom but they haven’t collected much, yet.
It also appears that Petya has some new tricks up its sleeve. It seems to be able to spread internally throughout victims’ networks by using a custom tool very similar to the popular open source hacking tool Mimikatz, which extracts passwords from memory. It seems that if Petya can infect a PC with access to your domain administrator credentials, it will then be able to spread rapidly throughout your environment with reckless abandon.
It’s (past) time to patch
In the midst of so many doom-and-gloom headlines today, there is a silver lining. If you applied one patch in particular – MS17-010, released on March 14 – you may be able to stop Petya. In May, when WannaCry hit, organizations were reminded to apply MS17-010, but we’re now seeing that the warning fell on far too many deaf ears.
Just this month, Absolute, in partnership with Ponemon Institute, released the Cost of Insecure Endpoints Benchmark Study. A number of interesting findings rose to the surface but a few in particular come to mind now. Namely: 63% say they cannot monitor endpoint devices when they leave the corporate network and 53% say malware-infected endpoints have increased in the last 12 months. Out-of-date, unpatched or corrupted endpoint agents are the most common endpoint security gap today, more than half of the respondents say. And furthermore, 75% of respondents said they are not keeping up with software patching.
Endpoints – and in particular, dark endpoints – are an ever-increasing danger to organizations. Managing endpoint security and protecting data is both a global business performance issue and national security concern. There are many steps you should take to build an effective security strategy around managing your endpoints and the critical data residing on them. If you’re wondering where to begin with this challenge at your organization, I suggest you start today by applying MS17-010. Then make sure your endpoints are as up-to-date as possible on all other outstanding critical security fixes.
After that, it’s critical to create and test an effective endpoint backup strategy. Once you’re satisfied with that, you should consider a nuclear/apocalypse plan: what would you do if you couldn’t fix things? Do you have a standard image for users that you can restore from right away? If you can build the ability to react quickly and remediate hit systems right away, you will be ready for whatever else will come next.
And let’s be pragmatic: there will be something next.

3 Ways to Contain the Next Ransomware Attack

The recent WannaCry ransomware attack underscored the importance of better visibility into dark endpoints. Our own audit data found that as many as 20% of endpoints are “dark” and represent hidden security cracks.  Here are tips that can help your IT department contain the next ransomware attack…

WannaCry: A Wake-Up Call for Early Detection, Hyper-Fast Responsiveness

The WannaCry ransomware attacks of 2017 were a global shock with 150 countries hit and hundreds of aftershocks as employees around the world logged on to infected devices to do their work in the days that followed. The attack, and other ransomware attacks before and since, highlighted just how large the endpoint blind spots are within global enterprises and government organizations…
