New Ransomware Concerns

When can we stop talking about ransomware? Apparently, never. One of the things we can add to our “new normal” is that ransomware is going to keep impacting us in new ways. Things are worse today than when we discussed ransomware just a couple of months ago. The pandemic has opened up so many avenues of attack for the criminals that they are having a field day.


In this episode:

New Ransomware Concerns – Ep 254

The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at

Like us and leave a review on our Facebook page:

New Ransomware Concerns

Now the attacks are much more likely to be run by humans rather than the spray-and-pray campaigns we saw in the past. Human-operated ransomware – Human-operated ransomware attacks: A preventable disaster

Reports released by Microsoft in just the last few weeks: 10 Ransomware Strains Being Used in Advanced Attacks

13 Bitcoin = $113,983.35 based on the current exchange rate of $8,767.95 per Bitcoin

Ransomware: Average Business Payout Surges to $111,605


Back to the 10 “strains” that Microsoft has identified. We know not only that the cost and volume of attacks are growing, but that the damage they do is far more widespread than ever before. In fact, I think it is time to change the name from Ransomware to something else, because the ransomware is only one element of what is actually happening.

We have some techie stuff to try to explain here, but it is very important that you start to understand it. How do we explain Emotet and Trickbot?

Emotet was discovered in 2014, when it was being used as banking malware to steal PII. Keep in mind that 2014 is when security researchers found it, not when it started. Since then it has evolved to be much more useful to the criminals. First, it has gotten much better at evading detection: they adapted it to every technique we used to find it and created new ways to hide it. They use some sort of bait to get the malware loaded via a website or email, and sometimes they load it manually, because this is a human-run attack.

Once they load it on a system, not only do we not see that it is there, but it starts running a list of other jobs. We call those jobs the payloads, and they can be things like ransomware but also other tools. One example is a module called a WiFi spreader that lets it find nearby wireless networks and force its way into them.

A cool new trick they have taught it is to load ANOTHER piece of malware that can do other tricks too. That one is called Trickbot – great name, right? In the last few months

Trickbot was discovered in 2016. Its job has been to deliver different kinds of malware. Ryuk ransomware has been very successful using this Emotet, Trickbot and Ryuk chain to launch attacks. Trickbot is a tool that lets the attackers plug in as many modules as they want to use. As long as that malware sits there, they can continue to attack.


Our previous discussion covered how the ransomware gangs are exfiltrating data before launching attacks. This is one of the ways that is done. The gangs are actively taunting security and IT staff about the attacks as well:

Maze Team statement ridicules security “experts” and IT administrators who try to cover up breaches

The group had some interesting comments aimed at security and IT. Who knows if they are true but just think about what if they are….

Quote from article:

After issuing explanations (cautions), Maze Team turned to media coverage of their work (typo’s below are as in the original):

One more word about the Security “Experts” discussing our activity and our team. We are greately disappointed with those so called Professionals who can’t tell the difference between phishing and lateral movement . We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the to the hosting provider . As long as such so called Professional will work in IT and Security we will have a lot of work.

They also had some caustic comments about some of the network administrators they communicated with about their attacks (spelling errors included):

Another word for the IT specialist and network administrators who are tring to hide the information of the data leak from the company’s executives. They are making everything just the worst. We were really shoked by the fact that some network administrators were trying to hide the leak by offering us the access to the data of other companys, access to private laptops of the company’s president or even the naked photos of their boss’es secreteary. Funny but it’s true.

We are not interested in accesing accounts or bitcoin wallets of the company’s executives. We are doing what we are doing and no other proposals are accepted.

These attackers are not leaving even if you pay the ransom or restore from backup. We discussed this before when we talked about dwell time. If you do not kick them out of your network, they will still be in there, waiting for you to give them more opportunities or using your systems to attack others.

It is important to note that in the Maze article the two victims of Maze attacks mentioned are MDLab and Stockdale Radiology. That brings us to the final scary point. Healthcare has always been a prime target but now they are even a bigger one.

Colorado Hospital Hit by Ransomware as COVID-19 Continues


Quote from Rich Curtiss, Director of Healthcare Risk Assurance Services, Coalfire:

Business continuity and disaster recovery plans are insufficient for this crisis. The work-from-home attack vector is being exploited, and organizations without multi-factor authentication, properly configured virtual private networks, patched secure access gateways, robust network configurations and proper training on work-from-home processes are the most vulnerable.

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks

Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do

Microsoft warns of ransomware attacks with ‘motley crew’ of payloads

Report Finds Ransomware Crews Don’t Leave After Being Paid

FBI Alert Tlp White Covid 19 Email Phishing Against US Healthcare…

If you haven’t taken the time to rethink your protections and incident response plans relating to ransomware, it should move up your to-do list. At the rate the methods being used continue to evolve, if you get behind now you will just be easy pickins’ again for the criminal elements lurking on the interwebs.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.