(A friendly reminder from our RSP team for Cybersecurity Awareness Month, and how the growing business of ransomware is affecting our digital world. Vigilance and good email hygiene are critical to your data's protection!)
You’ve. Been. Hacked.
Three words that no business owner wants to read while opening their daily email, yet it happens more and more every year.
"Attacks are evolving and how attackers get in to the environment and what they take has also changed over the last 12 months. We are seeing more exfiltration of data and the sale of this stolen data on the dark web.
It used to be that attackers would leverage RDP vulnerabilities to gain access to environments and just deploy the ransomware, but that has evolved with new threats such as Ryuk and Emotet where attackers leverage Phishing attacks, vulnerabilities such as the vulnerable legacy protocol SMBv1 (common vulnerability) through to harvesting VPN credentials. The variants of Netwalker, Ryuk and Egregor are now exfiltrating data from client environments." -Elgan Jones, Kivu Consulting
Cybercriminals are Getting Smarter
Our partners at Kivu Consulting have compiled some critical trends to note that have transpired post-COVID and are worth serious consideration:
"Our research demonstrates that cyber-crime is continuing to evolve during the COVID-19 pandemic. In the first half of 2020, we observed markedly higher ransom demands from attackers, a general trend of opportunistic attacks turning into targeted attacks (and a swing back around in some cases), and an increase in organized cyber-criminal syndicates leveraging theft of sensitive information to extort high ransoms from victims, even from those with valid and unaffected back-ups.
Phishing persisted as the ubiquitous attack vector for malware distribution and business disruption while cyber criminals increasingly exploited vulnerabilities in remote infrastructure. Even prior to the rise in remote work, Hiscox noted in its Q1 2020 Cyber Claims Report a spike of European claims in February linked to VPN vulnerabilities. Upon close examination of our H1 data, we identified a shift in the methodology of how phishing tactics launched ransomware attacks from Q1 to Q2 in 2020. Phishing techniques evolved from opportunistic “spray and pray” attacks to more targeted approaches.
Additionally, we discovered a reversion back to mass-spam campaigns to generate revenue from easy targets, courtesy of Ransomware-as-a-Service suites such as Avaddon at the end of Q2. We predict attackers will continue to practice phishing throughout 2020, resulting in more ransomware attacks, inventive Business Email Compromise (BEC) scams and the proliferation of other malware.
Doxing is the act of stealing a ransomware victim’s data and threatening to publish and/or sell it on the dark web. We began tracking doxing when Maze launched the first dedicated website to leaking and discrediting companies with compromised security postures in November 2019. The victims featured on the Maze site sustained infiltration by unauthorized threat actors that executed ransomware attacks against them. The practice of doxing, or data exfiltration, matured as we found ten ransomware groups resorting to the practice earlier in 2020. The number of doxing victims increased each week throughout May and June 2020, with Maze significantly contributing to this trend. Most notably we found that the doxed industries that attracted the most media attention, such as schools, public sectors, and healthcare, do not actually represent the most targeted industries." -Kivu Consulting
It is Only a Matter of Time
The reality many companies face is that it’s not “if” your systems will be compromised, but “when”. Our team sees this reality play out over and over again. Cybercriminals will go to great lengths to access your data, and while many of these breaches aren’t large enough to make the headlines they still affect families, businesses, and bank accounts on a weekly basis across North America.
Online’s Principal Consultant and Healthcare Practice Lead, Adam Kehler was on vacation when he was alerted of a ransomware incident, and he shares his story with us here today:
This is a Real Life, Worst-Case Scenario
Last week I was just finishing up a week of vacation with my family, getting ready to leave for the airport, when I got a phone call. It was a contact I had met at a conference a few months ago. He told me he had a client that had been infected with ransomware and didn't know what to do. Their terminal servers were down, their EMR server may or may not have been infected, and because the IT team was new to the organization, they did not know if they had usable backups.
This is a worst-case scenario and a place that no organization wants to wake up to on a given morning. Incidentally, the workshop at which we met this contact was one that Rob Harvey and I led where we walked through exactly this scenario: "You are notified that your systems are affected by Ransomware. What do you do?"
Unfortunately, this particular health center was not one of those that attended this workshop.
What Should you do?
The greatest take-away from the day was: Incident Response is not just a technical issue. In fact, it is largely administrative. Decisions related to communications, documentation, downtime procedures or when to close the doors, when to pre-emptively take down critical systems such as EMR are generally operational and business decisions. While the IT manager may provide input and be part of the decision-making process, the decisions ultimately relate to keeping the business running and mitigating operational risk.
There are things your organization can do to avoid being in this situation – and some of them are most certainly technical in nature:
- Patch systems quickly
- Make SURE you have good backups and test recovery to ensure you can restore properly.
- Conduct on-going security awareness training and conduct regular phishing tests on employees
- Implement multi-factor authentication
- Segment your network to reduce the spread
These are protection basics that every organization should have in place. As attacks get more sophisticated, sometimes these basics aren’t enough and ransomware and other malicious attacks still get through. If and when that happens you want to do know exactly what to do so that you don’t have to come up with a plan at the last minute.
Avoiding the "they didn't know what to do" portion of the phone call I received is not about having done the right technical things but making sure you are ready as an organization with an Incident Response Plan.
In this plan we recommend that you include:
- Who needs to be part of the Incident Response team Develop communications plans for both internal communication and external communication?
- List the contact information of key stakeholders and relevant vendors
- List additional contact information for help. This may include a Lawyer, Security Consultant, US-CERT, or local FBI office
- Plan for documentation of the incident and collection/maintenance of evidence
- Clearly document Breach Notification Requirements
Once you have your plan you must TEST it. An organization will not know the effectiveness of their plan until they test it. This is generally executed in the form of tabletop exercises.
As it turned out, this organization was able to locate and restore from backups, their EMR server was not affected, and they were able to recover without too much impact to patient care. They were lucky. Many organizations are not as lucky. Online recommends that all organizations regardless of size take proactive steps to ensure they are prepared for when, not if, they experience ransomware or another type of attack.
If you’re a small-to-medium sized business and you are wondering what the status of your current security system’s capabilities are, I invite you to reach out.
If security is not something your organization is confident about, then it could be a matter of time before the wrong people take notice of that – today is the right time to get ready.
For more tips on how to protect yourself from cybercriminals, check out these other insightful blogs we've posted for Cybersecurity Awareness!