When can we stop talking about ransomware? Apparently, never. One of the things we can list as part of our “new normal” is the new ways ransomware is going to impact us. Things are worse today than when we discussed ransomware just a couple of months ago. The pandemic has opened up so many ways for the criminals to attack that they are having a field day.
In this episode:
New Ransomware Concerns – Ep 254
2020 COVID Session Dates
August 18, 19, 20
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
New Ransomware Concerns
Now, the attacks are much more likely to be managed by humans, not the spray-and-pray versions we had in the past. Human-operated ransomware: Human-operated ransomware attacks: A preventable disaster
Reports released by Microsoft just in the last few weeks: 10 Ransomware Strains Being Used in Advanced Attacks
13 Bitcoin = 113,983.35 at the current exchange rate of 8,767.95 per Bitcoin
Back to the 10 “strains” that Microsoft has identified. We know not only that they are growing in cost and activity but that the damage they are doing is much more widespread than ever before. In fact, I think it is time to change the name from Ransomware to something else, because the ransomware is only one element of what is actually happening.
We have some techie stuff to try to explain here, but it is very important that you start to understand it. How do we explain Emotet and Trickbot?
Emotet was discovered in 2014 being used as banking malware to steal PII. Keep in mind that is when security researchers found it. Since then it has evolved to be much more useful to the criminals. First, it has gotten much better at evading detection: they adapted it to all the techniques we used to find it and created new ways to hide it. They use some sort of bait to get the malware loaded via a website or email, plus sometimes they load it manually because it is a human-run attack.
Once it is loaded on a system, not only do we not see that it is there, but it starts running a list of other jobs. We call those jobs the payloads, and they can be things like ransomware but also other things. One is a module called a WiFi spreader that lets it find nearby networks and force its way into them.
A cool new trick they have taught that one is to load ANOTHER piece of malware that can do other tricks too. That one is called Trickbot, great name, right? In the last few months
Trickbot was discovered in 2016. Its job has been to deliver different kinds of malware. Ryuk ransomware has been very successful using this Emotet, Trickbot and Ryuk chain to launch attacks. Trickbot is a tool that lets the attackers plug in as many modules as they want to use. As long as that malware sits there they can continue to attack.
Our previous discussion covered how the ransomware gangs are exfiltrating data before launching attacks. This is one of the ways that is done. The gangs are actively taunting security and IT staff about the attacks as well:
The group had some interesting comments aimed at security and IT. Who knows if they are true, but just think about what it means if they are….
Quote from article:
One more word about the Security “Experts” discussing our activity and our team. We are greately disappointed with those so called Professionals who can’t tell the difference between phishing and lateral movement . We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the to the hosting provider . As long as such so called Professional will work in IT and Security we will have a lot of work.
They also had some caustic comments about some of the network administrators they communicated with about their attacks (spelling errors included):
Another word for the IT specialist and network administrators who are tring to hide the information of the data leak from the company’s executives. They are making everything just the worst. We were really shoked by the fact that some network administrators were trying to hide the leak by offering us the access to the data of other companys, access to private laptops of the company’s president or even the naked photos of their boss’es secreteary. Funny but it’s true.
We are not interested in accesing accounts or bitcoin wallets of the company’s executives. We are doing what we are doing and no other proposals are accepted.
Source: DataBreaches.net
These attackers are not leaving even if you pay the ransom or restore. We discussed this before when we talked about dwell time. If you do not kick them out of your network, they will still be in there waiting for you to give them more opportunities, or using your systems to attack others.
It is important to note that in the Maze article the two victims of Maze attacks mentioned are MDLab and Stockdale Radiology. That brings us to the final scary point. Healthcare has always been a prime target, but now it is an even bigger one.
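To make the staged chain (loader, then Trickbot-style second stage, then exfiltration, then ransomware) and the dwell-time point concrete, here is an added example that is not from the episode or from any vendor tool: it rebuilds the chain per host from constructed alert records, computes how long the foothold sat there, and flags hosts that were never cleaned. The alert format, stage names and host names are assumptions made for the example.

```python
"""Reconstruct the staged intrusion chain per host and measure dwell time."""
from dataclasses import dataclass
from datetime import datetime

# Chain order the episode describes: first-stage loader (Emotet), second stage
# (Trickbot), data theft, then the ransomware payload (Ryuk). Assumed stage labels.
STAGES = ("loader", "second_stage", "exfiltration", "ransomware")


@dataclass
class Alert:
    host: str
    stage: str          # one of STAGES, or "remediated" when the host was cleaned
    seen: datetime      # when the stage was first observed on that host


def reconstruct(alerts):
    """Return {host: {stage: first_seen}} using the earliest sighting per stage."""
    timeline = {}
    for a in sorted(alerts, key=lambda a: a.seen):
        timeline.setdefault(a.host, {}).setdefault(a.stage, a.seen)
    return timeline


def chain(stages):
    """Stages present on a host, in chain order, e.g. ['loader', 'ransomware']."""
    return [s for s in STAGES if s in stages]


def dwell_days(stages):
    """Days from first loader sighting until the ransomware ran or the host was cleaned."""
    start = stages.get("loader")
    end = stages.get("ransomware") or stages.get("remediated")
    return None if start is None or end is None else (end - start).days


def still_resident(stages):
    """True when a foothold was seen but no remediation followed: the attackers are still there."""
    return "loader" in stages and "remediated" not in stages


# Constructed sample alerts (not real telemetry).
SAMPLE = [
    Alert("ws-07", "loader", datetime(2020, 1, 10)),
    Alert("ws-07", "second_stage", datetime(2020, 1, 12)),
    Alert("ws-07", "exfiltration", datetime(2020, 3, 20)),
    Alert("ws-07", "ransomware", datetime(2020, 4, 3)),
    Alert("srv-01", "loader", datetime(2020, 2, 1)),
    Alert("srv-01", "remediated", datetime(2020, 2, 3)),
]


def report(alerts=SAMPLE):
    """Map each host with a loader sighting to (chain, dwell_days, still_resident)."""
    return {h: (chain(s), dwell_days(s), still_resident(s))
            for h, s in reconstruct(alerts).items() if "loader" in s}
```

Running `report()` on the sample shows ws-07 sat compromised for 84 days before the ransomware stage and is still resident, while srv-01 was cleaned two days after the loader appeared.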
Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.
If you haven’t taken the time to rethink your protections and incident response plans relating to ransomware, it should move up that to-do list. At the rate the methods being used continue to evolve, if you get behind now you will just be easy pickins’ again for the criminal elements lurking on the interwebs.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!