Ransomware and extortion continue to dominate the headlines in 2017. The past week saw several widely reported incidents involving service outages and lost data due to infections, as well as warnings that malicious actors are attempting to extort organizations via the threat of DDoS attacks.
The Austrian hotel Romantik Seehotel Jägerwirt paid approximately $1600 in ransom after ransomware locked the hotel out of its computer systems and the hotel was unable to issue new key cards to arriving guests. The hotel’s reservation system was down for 24 hours; however, the initial media reports that customers were locked in their rooms due to the incident were false, the owner told Motherboard. The hotel’s managing director told The Verge that the issue was that the hotel could not program keycards for the guests checking in on the same day due to the system being down. The Local reported that it was the fourth time hotel had been hit by such an attack, prompting the company to go public in order to warn others about these types of cybercrime incidents.
Several other ransomware-related service outages were announced this week. Licking County, Ohio, shut down more than a thousand computers due to a ransomware infection. A variety of departments, such as the 911 call center, were unable to use computers and had to switch over to other forms of communication, and services such as court house phones and the issuing of court documents were made unavailable, 10TV reported. In addition, The Washington Post reported that ransomware left 123 of the 187 Washington D.C. police surveillance cameras, which monitor public spaces across the city, unable to record from January 12 to January 15. The ransom demand was not paid as the police simply removed all software and restarted the system at each site.
Finally, Hong Kong’s Securities and Futures Commission warned that brokers across the city are being targeted with DDoS attacks and extortion demands from cybercriminals, and it is urging financial institutions to implement and review security measures.
Other trending cybercrime events from the week include:
- Warning issued following two dozen W-2 breach announcements: The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert on Thursday warning employers that W-2 phishing scams are spreading into sectors beyond the corporate world, including school districts, tribal organizations and nonprofits. In addition, the scammers are following up the request with a more traditional fraudulent wire transfer request, resulting in some organizations losing both employees’ W-2s and thousands of dollars due to wire transfers. SurfWatch Labs has identified at least 24 organizations publicly tied to W-2 data breaches over the past two weeks. The emails are a form of the popular Business Email Compromise scam, such as the one against Sedgwick County that led to $566,000 being fraudulently transferred.
- Shamoon malware strikes again: Saudi Arabia’s telecom authority is warning organizations to be on the lookout for Shamoon 2 after recent attacks led to at least three government agencies and four private sector companies going offline for 48 hours. Among those targeted were multiple petrochemical and IT services companies, which reportedly shut down their networks in an attempt to protect themselves. It appears the goal of the attack was disruption, not data exfiltration, similar to previous Shamoon attacks; however, the incident was less destructive than similar attacks in November as backups were more commonplace due that previous incident.
- Czech foreign ministry targeted with DNC-style hack: A foreign government hacked the email system of the Czech foreign ministry and accessed the email system used by employees to communicate with people outside the ministry in an attack similar to the breach of the Democratic National Committee, Foreign Minister Lubomir Zaoralek said. A spokesperson for the Czech minister said the scale of the attack is still being assessed but noted that other ministries “might be in a little bit of a problem.” Officials indirectly accused Russia of carrying out the attacks.
- Printing company exposes 400 GB of data: A PIP Printing and Marketing Services franchise branch located in California exposed 400 gigabytes of sensitive information due to a publicly available backup server without any password protection. The exposed data includes 50 GB of scanned documents relating to court cases, medical records, well-known companies and celebrities, as well as an archive of correspondence with attached documents, some of which have credit card numbers and billing details in plain text.
- Other cybercrime announcements: The Xbox360 ISO and PSP ISO forums, which provides gamers with links to free and often-illegal game downloads, were hacked in September 2015 and the details of 2.5 million accounts were leaked. Security firms Dr. Web and Emsisoft were targeted by DDoS attacks after publishing research related to a botnet of Linux devices and an update for the Merry Christmas ransomware (MRCR) decryptor tool. The hacking group OurMine hacked into a variety of social media accounts belonging to the WWE and CNN. Toys “R” Us is forcing reward members to reset account passwords after the vendor responsible for managing the program notified the company of attempts to access customer accounts and steal coupons using credentials reused from other data breaches.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
The past week once again saw numerous organizations exposing data due to insecure public databases, and several of those databases reportedly contained data that was no longer in use.
Security researcher Chris Vickery discovered unsecured database backup files from Indycar, which exposed the personal information of more than 200,000 users as well as Indycar employee login credentials. The user data was related to a now-retired Indycar bulletin board and contained sensitive information such as names, usernames, email and physical addresses, dates of birth, password hashes and security questions and answers.
As Vickery noted, holding that user data was unnecessary since the board was no longer in use:
Why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.
In addition, Polish game development studio CD Projekt RED, which developed the popular Witcher franchise, announced that a now-obsolete forum database was hacked and more than 1.8 million user credentials were stolen in March 2016.
“It’s the old database we used to run the forum before we migrated to the login system powered by our sister company — GOG.com,” the company wrote in a post on its forums. “At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier.”
The incidents are reminders that when it comes to cybersecurity, less data tends to equals less risk. This is particularly true for data that is no longer required to be held and may therefore receive less scrutiny than data that is being actively used. In short, if your organization is holding on to unnecessary data, it is opening itself up to unnecessary risk.