Security Stop Press : Insurance Industry and Security Coalition To Tackle Ransomware

Three major UK insurance associations have united in a coalition with GCHQ’s National Cyber Security Centre (NCSC) to help reduce ransom payments made by victims of cybercrime.

The unprecedented cross-sector coalition comprises the NCSC, the Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA).

With ransomware the biggest day-to-day cyber security threat to UK organisations, the coalition, working closely with the NCSC, has developed a set of guidelines and a framework for a broad range of stakeholders, including insurance providers, businesses and cyber security professionals, aimed at reducing the frequency and impact of ransomware attacks.

NCSC CEO Felicity Oswald said: “It’s really encouraging to see all corners of the insurance industry unite to support victim organisations with guidance that will help them to better understand their options and reduce harm and disruption to their businesses.”

Security Stop Press : ConnectWise LockBit Alert

Just days after it was announced that the UK’s National Crime Agency (NCA), the FBI, and Europol had taken down the Russian LockBit ransomware gang’s website, it’s been reported that LockBit ransomware is still being deployed via flaws in a popular remote access tool.

Researchers at cybersecurity companies Huntress and Sophos have highlighted how two bugs in the ConnectWise ScreenConnect remote access IT support tool, usually used by IT technicians, are being exploited to launch LockBit attacks.

ConnectWise has issued an alert urging IT administrators to take quick action to patch the two critical vulnerabilities. Details are available here.

Security Stop Press : Follow-On Extortion of Ransomware Victims

Security researchers at Arctic Wolf Labs have reported that victims of Royal and Akira ransomware are being targeted in follow-on extortion attacks.

In these follow-on attacks (starting in October 2023), two of which were documented by Arctic Wolf Labs, the threat actors falsely claimed they were trying to help victim organisations. They even claimed they would hack into the server infrastructure of the original ransomware groups involved to delete the stolen data.

Tech Insight : Cyber Criminals With A PR Department

A whitepaper by researchers at Sophos highlights how, rather than remaining anonymous, ransomware gangs now engage with the media to shape the narrative around a hack and gain a tactical and strategic advantage.

The Ransomware Threat 

Ransomware is a type of malicious software designed to block access to a computer system or data (typically by encrypting it), until a ransom is paid. It’s worth remembering that even if a ransom is paid, it may not mean that data is ever returned. Ransomware has become increasingly popular among cybercriminals due to its lucrative nature and the ease with which it can be distributed, such as via phishing emails, malicious downloads, or exploiting security vulnerabilities. The rise of cryptocurrencies has also facilitated anonymous ransom payments, making it harder to trace and prosecute perpetrators.

Ransomware’s effectiveness in generating revenue for attackers, plus the increasing digitisation of many business sectors, has contributed to its growing prevalence as an attack ‘vector’. For example, ransomware attacks have increased by over 37 per cent this year compared to previous years (ThreatLabz), and over the last five years there has been a 13 per cent rise in ransomware attacks. The global cost of ransomware is also estimated to have exceeded $30 billion this year (tech.co).

The Commoditisation and Professionalisation of Ransomware 

The Sophos whitepaper highlights the fact that whereas historically, cybercriminals preferred to operate in obscurity and avoid public attention (for obvious reasons), there has been a marked shift in the behaviour of ransomware gangs. Sophos says that, aided by the commoditisation and professionalisation of ransomware, these criminal groups are now actively engaging with the media for a variety of tactical and strategic reasons.

Why? 

Some of the key reasons highlighted by Sophos as to why ransomware gangs now court the media include:

– Leveraging media attention. It seems that ransomware gangs now understand that their activities are newsworthy and are prepared to use media coverage to bolster their credibility and exert pressure on victims. For example, they sometimes link to existing coverage on their leak sites, thereby showcasing their notoriety and influence (making a name for themselves and bolstering their criminal ‘brand’).

– Many ransomware gangs now seek direct contact with journalists, inviting and facilitating communication through FAQs on their leak sites, dedicated private PR channels and public notices. This approach not only allows them to control the narrative but also serves as a means to intimidate victims by demonstrating their media reach.

– Bizarrely, some groups even give in-depth interviews, thereby hoping to provide a positive perspective of their activities, which could serve as a recruitment tool. This not only increases their notoriety but also offers insights into the ransomware scene from their perspective.

– Sophos reports that ransomware groups have even started issuing what they call “press releases,” often written in fluent English. These releases can, for example, range from recruitment announcements to attacks on organisations for not complying with their demands, thereby applying pressure, and causing reputational damage to victim organisations.

– According to Sophos, ransomware gangs have also started to focus on their own branding, using catchy names and slick graphics on their leak sites to attract media attention and distinguish themselves in the public domain.

Media Management Roles

Given the above, it is perhaps not surprising that Sophos reports some well-established ransomware groups even have individuals in dedicated media management roles, responsible for negotiating ransoms and handling public communications. This indicates a worrying level of organisation and professionalisation akin to legitimate businesses.

Criticism and Mistrust of Media 

That said, and despite their engagement, it seems that the split personality and confused logic of ransomware gangs can’t help but shine through as they tend to display a contradictory attitude towards the media. For example, Sophos highlights how they often criticise journalists for what they perceive as unfair or inaccurate coverage and occasionally attack individual journalists to make them feel uncomfortable or cause reputational harm. However, as befits a more media-savvy approach (with a brand and image at stake) they also tend to refrain from making direct threats.

The Unique Position of Ransomware Gangs 

In the world of cybercrime, this need for publicity means that ransomware campaigns now occupy a unique position. Unlike other threats that thrive on remaining undetected, ransomware groups must make themselves known to demand ransoms. This involves using leak sites and media engagement. It should be remembered, however, that all this is used to apply pressure on victims, attract recruits, manage their public image, and shape the narrative of their attacks.

The Implications For The Security Community And Businesses 

To combat the problem of the increasing media savviness of ransomware gangs, many believe that the security community and media need to adopt specific strategies. These could include:

– Refraining from directly engaging with ransomware actors unless it aids in defence or is in the public interest.

– Factual reporting, i.e. focusing on providing information that aids defenders and avoids glorifying the threat actors, thereby reducing their manipulative power.

– Providing adequate support to journalists and researchers who may be targeted by these groups.

– Avoiding publicly naming or crediting threat actors unless necessary and factual. This denies them the publicity they seek, thereby limiting their power and thwarting some of their criminal ambitions.

Why Aren’t Ransomware Gangs Afraid? 

As the Sophos whitepaper indicates, ransomware gangs often appear to be unfazed by the legal consequences of their actions. Some of the main reasons for this may be:

– An adequate level of anonymity and decentralisation. Despite their media engagement, ransomware operations still manage to maintain an adequate level of anonymity, often using encrypted communication and cryptocurrency for transactions, which makes the successful tracking and identification of perpetrators challenging.

– Jurisdictional challenges. Many ransomware gangs operate from countries with lax cybercrime laws or where local authorities are either unable or unwilling to cooperate with international law enforcement efforts. This creates a kind of safe-haven for cybercriminals.

– Sophistication of operations. Ransomware gangs are now becoming increasingly sophisticated, using advanced techniques to avoid detection, and employing a variety of methods to launder ransom payments.

– The ransomware-as-a-service (RaaS) model allows ransomware developers to lease their malware to affiliates who conduct the attacks, further complicating law enforcement efforts, as the developers can claim ignorance of the actual attacks.

Some Successes 

Despite these challenges, police around the world have had some notable successes in recent years. Collaborations between international law enforcement agencies have led to the disruption of major ransomware operations, arrests of key figures, and seizure of ransom payments. For example, the takedown of the Emotet botnet, the arrest of individuals connected to the REvil and Egregor ransomware groups, and the recovery of part of the ransom paid in the Colonial Pipeline attack are some significant victories. However, these successes are relatively rare compared to the scale and frequency of ransomware attacks, while the constantly evolving nature of these cybercriminal groups continues to pose a substantial challenge to law enforcement worldwide.

What Does This Mean for Your Business?

This shift by ransomware gangs from hiding away to actively contacting the media seems counterintuitive, brazen, and shocking. For many of the reasons explained above, ransomware gangs don’t seem to fear detection and capture. Despite their media activities, the main point is that if businesses are well prepared with security measures in place, the ransomware threat can be mitigated and the gangs will have little to report.

Proactive businesses should, for example, implement robust cybersecurity practices to prevent breaches, and develop and regularly update a comprehensive incident response plan. It’s also important for businesses to educate employees about ransomware tactics, including their use of media and public relations strategies, and to engage with cybersecurity experts to stay informed about the latest ransomware trends and defence strategies. Businesses also need to be aware, like the attackers, that they may need to prepare a media strategy in case of a ransomware attack to control the narrative and minimise reputational damage.

There’s also clearly a part that the media can play in limiting the manipulative power of ransomware gangs by not engaging with them and by denying them the publicity they crave. Better collaboration between law enforcement globally and increasing investment in detecting and tackling these groups is also an important priority to protect businesses. The more brazen and open attackers become, the more likely they are to make mistakes and leave clues and trails that could lead to their detection and capture.

By understanding the evolving landscape of ransomware threats and their media strategies, businesses and the security community can better prepare and respond to these increasingly sophisticated cyber-attacks.

Security Stop Press : Toyota Hack Warning

Toyota Financial Services (TFS), a subsidiary of Toyota Motor Corporation, has warned customers that it recently suffered a data breach which exposed sensitive personal and financial data.

The correspondence with affected customers follows Toyota confirming last month that unauthorised access to some of its European (and African) systems had been detected. The Medusa ransomware group claimed responsibility for the compromise of Toyota’s systems and issued Toyota with an $8,000,000 ransom demand to have the stolen data deleted.

The advice from TFS to its customers is to contact their bank to take additional security precautions, add 2FA to their online accounts, monitor any unusual activities, and obtain a current credit report from Schufa (a German credit rating agency). Toyota has also said that it has informed the responsible state data protection officer (for North Rhine-Westphalia) in compliance with GDPR.

Security Stop Press : Doubling of Ransomware Attacks Requires Preparedness

Cyber threat intelligence company Cyble has highlighted in its recent threat report how ransomware use has doubled compared to Q3 of the year, how it has been adapted to bypass common defence strategies, and how there has been increased weaponisation of vulnerabilities to deliver the ransomware.

Cyble identifies notable trends such as exploiting zero-days, targeting networking devices, focusing on the healthcare sector, the targeting of high-income organisations (with sensitive data), and the growing popularity of ‘Rust’ and ‘GoLang’ ransomware variants. Cyble also notes how the US is still the most targeted region and how major players like LockBit are still a threat.

The advice to businesses is to amplify employee training, establish strong incident response and data recovery plans, adopt security protocols like Zero-Trust Architecture and MFA, collaborate and utilise threat intelligence platforms, proactively manage vulnerabilities, and ensure secure supply chains and vendor risk management.

Security Stop Press : Ransomware Attack On UK IT Service Provider

It’s been reported that according to a dark web victim blog of cybercrime hacking gang ‘Donut,’ Nottingham-based IT Service Provider Agilitas may have been the subject of a ransomware attack.

Donut is reported to be claiming that it is in possession of the source code and SQL databases belonging to Agilitas and is threatening to start posting the information onto the dark web to force the company to meet its ransom demands.

This highlights how no business (not even IT service providers and security experts) is immune to being targeted by cyber criminals. The advice to all businesses is to remain vigilant, continuously update their security protocols, and educate their employees about the dangers of phishing and other cyber threats.

Security Stop Press : 60 Million Individuals & 1000 Businesses Hit By MOVEit Hack

It’s been reported (Emsisoft) that the hack of MOVEit software by the Russian Cl0p ransomware gang may have impacted nearly 1,000 organisations and 60 million individuals.

The supply chain attack, dubbed the ‘payroll hack,’ exploited a vulnerability in Progress’s popular MOVEit software (used to move sensitive files such as employee addresses or bank account details) and is reported to have stolen and exposed the information of major companies including British Airways, Boots, the BBC, and almost 1,000 others worldwide.

This highlights the importance of businesses having comprehensive cyber security in place including effective backup, and business continuity and disaster recovery plans.

Security Stop Press : Most Consumers Will Ditch Brands Hit By Ransomware

Research from Object First has revealed that 75 per cent of consumers would ditch a company known to have been hit by a ransomware attack in favour of a safer competitor. The research results emphasise how seriously today’s consumers take their data protection. The message to businesses is to prioritise cyber security and data protection measures such as reliable backup and recovery, password protection, and identity and access management.