Weekly Cyber Risk Roundup: Cryptocurrency Wallets Emptied and a Dozen Power Plants Breached

Cryptocurrency theft was among the week’s top trending cybercrime practices after users at both South Korean cryptocurrency exchange Bithumb and Classic Ether Wallet reported that their digital currency wallets had been emptied in cyber-attacks.


Bithumb reported that one of its employees’ personal computers had been hacked in February 2017 and that the personal details of 31,800 Bithumb website users (about 3 percent of total users) had been compromised as a result. The stolen data included users’ names, mobile phone numbers, and email addresses. The exchange said there was no direct access to funds stored on the exchange; however, it appears the attackers were able to use the contact information to carry out phishing attacks against Bithumb users in order to obtain the one-time passwords needed to gain access to those users’ funds.

One user reported losing as much as 1.2 billion won ($1.04 million) in the attack. Bithumb said shortly after the attack that it would pay up to 100,000 won ($87) to victims. Additional compensation will be available once individual losses are verified, the company said, but it is unclear if victims will be fully reimbursed.

Users of the Classic Ether Wallet also reported having their wallets emptied earlier this month. That theft appears to be due to a malicious actor managing to socially engineer the service’s German hosting provider 1&1 into handing over access to the domain. The actor then switched the site’s settings to direct the funds to his or her own malicious server. Multiple users who visited classicetherwallet.com and provided their private key while the site was under the control of the fraudsters reported that they had their account emptied. Exact losses due to the incident are unclear, but some media outlets reported it could be nearly $300,000 worth of Ethereum Classic cryptocurrency.


Other trending cybercrime events from the week include:

  • Large databases exposed: Two databases containing the personal information of 3 million WWE fans were exposed to the Internet without requiring a username and password. The data included names, email and physical addresses, educational background, earnings, and ethnicity. UK car insurance company AA exposed the sensitive information of over 100,000 customers due to insecure database backups related to AA’s online store and never informed those customers of a breach, Motherboard reported. The database obtained by Motherboard included 117,000 unique email addresses, names, physical and IP addresses, details of purchases, and payment card information such as the last four digits of the card and its expiration date.
  • Insiders lead to extortion, theft: A former Dentons litigation associate in Los Angeles has been charged with extortion over allegedly demanding that his former law firm pay him $210,000 and give him a piece of artwork or else he would leak sensitive data to the Above the Law blog. According to court documents, the man accessed confidential information when one of the firm’s partners gave him access to his email while working a case. A crime analyst with the Smyrna Police Department was charged with 31 counts of computer theft over the alleged theft of information without authorization, including the driver’s licenses and mobile data of 28 victims.
  • Sabre confirms breach affecting multiple companies: Sabre said its investigation into a previously disclosed breach found that an unauthorized party was able to use compromised account credentials to gain access to payment card information and certain reservation information for a subset of hotel reservations processed through the SHS SynXis Central Reservations system. The breach occurred over a seven-month period from August 2016 to March 2017. Sabre said it notified partners and customers that use the reservations system, as well as some travel management companies and travel agencies that booked travelers that may have been affected. Sabre did not disclose the total number of individuals affected by the breach.
  • Other notable incidents: A Georgia man pleaded guilty to charges related to a BEC scam that defrauded Sedgwick County out of $566,000. Anonymous Bulgaria has leaked files from the Azerbaijan Embassy in Bulgaria that claim Silk Way Airlines has carried tens of tons of heavy weapons and ammunition headed to terrorists under the cover of 350 diplomatic flights. Cove Family & Sports Medicine said that a ransomware infection encrypted medical records as well as a portion of its backup records. Walnut Place said that while it was investigating a previous ransomware infection it was affected by a second ransomware incident. Medicaid members in Indiana are being warned that their patient information was potentially accessible between February and May of 2017. Wooster-Ashland Regional Council of Governments said that its computer network was breached on May 26 and more than 200,000 records were compromised. The Simcoe County District School Board is warning parents of a potential privacy breach at Collingwood Collegiate Institute involving their email addresses and phone numbers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-07-07)]

Cyber Risk Trends From the Past Week

Russian state-sponsored hackers are responsible for recent cyber-intrusions into the business systems of U.S. nuclear power plants and other energy companies, government officials said. It is the first time Russian government hackers are known to have compromised the networks of U.S. nuclear plants, the officials added.

The statements followed a joint alert from the FBI and Homeland Security at the end of June that warned APT actors were targeting employees in the energy sector with phishing messages and watering hole attacks designed to harvest credentials that could be used to gain access to victims’ networks. The attackers were observed sending highly targeted messages to senior industrial control engineers containing fake resumes for control engineering jobs, as well as compromising websites commonly visited by their target victims and deploying man-in-the-middle attacks.

There is no evidence of any breaches or disruptions of the core systems controlling operations at the plants, The Washington Post reported. Instead, the focus appears to be on systems dealing with business and administrative tasks, such as personnel. The New York Times reported that the joint DHS and FBI report concluded that the hackers appeared determined to map out computer networks — potentially with a goal of carrying out more destructive attacks in the future. Bloomberg reported that at least a dozen power plants had their networks breached by the APT actors, including the Wolf Creek nuclear facility in Kansas.

“There was absolutely no operational impact to Wolf Creek,” a spokeswoman for the nuclear plant said. “The reason that is true is because the operational computer systems are completely separate from the corporate network.”

However, as we’ve seen in attacks just this week, potentially compromised personnel and business data could be leveraged in future targeted phishing messages to gain more information or access — or to find a weak point or an individual that may be leveraged for future attacks.

Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.


At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear if the group behind the threats is associated with the real Armada Collective, or if it is yet another group attempting to leverage the popular extortionists’ identity in order to gain credibility. In early 2016, a group successfully extorted more than $100,000 by threatening DDoS attacks under the Armada Collective name, but researchers concluded that the threat was empty: despite being profitable, the group never actually carried out any attacks.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank — with a promise of more powerful attacks to come in the future if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC last Monday lasted for only 16 minutes. Previous extortion campaigns have seen groups using a similar tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands are unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million ransom payment that was made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.


Other trending cybercrime events from the week include:

  • Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”
  • Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.
  • Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-06-30)]

Cyber Risk Trends From the Past Week

One of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those that were infected across the Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for the key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means the attackers have little hope of actually recovering victims’ data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.

Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus Ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which were for small companies and startups.


The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down their IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.


Other trending cybercrime events from the week include:

  • Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.
  • POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.
  • Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.
  • More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.
  • Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-06-23)]

Cyber Risk Trends From the Past Week

Larson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to the leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

Weekly Cyber Risk Roundup: Industroyer Malware and Fines for Delayed Breach Notification

Ukrainian power utility Ukrenergo was back in the news as the top trending cybercrime target after researchers analyzed new samples of a destructive malware, dubbed “Win32/Industroyer,” which they said was likely used in the December 2016 attack against the Ukrainian power grid.


“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly,” ESET researchers wrote. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

The Industroyer malware uses four payload components designed to gain control of switches and circuit breakers, with each component targeting a particular communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). The malware is notable as it “is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”

Hackers may have hidden in Ukrenergo’s IT network undetected for six months before carrying out their December 2016 attack, which led to a power blackout in Kiev that lasted a little over an hour. Although it’s not confirmed, it is “highly probable” that Industroyer was used in that incident. The Ukrenergo attack occurred a year after a similar attack against Prykarpattyaoblenergo, which caused approximately 230,000 people to lose power. Researchers have warned that both of those incidents in Ukraine could be tests for potential attacks against Western countries’ critical infrastructure facilities in the future.


Other trending cybercrime events from the week include:

  • FIN10 targeted mining companies and casinos: A financially-motivated hacking group known as FIN10 spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data, and then holding it for ransom. According to researchers, the attacks targeted sensitive files such as corporate records, private communications, and customer information, and the ransom demands ranged between 100 and 500 bitcoin. The hackers were also able to essentially shut off the production systems of some mines or casinos that did not comply, making them unable to operate for a period of time.
  • Updates on previously disclosed attacks: The attackers behind the 2015 attack against TV5Monde conducted reconnaissance inside the TV5Monde network for three months before launching a sabotage operation that knocked multiple channels offline and compromised multiple social media accounts. France’s national cybersecurity agency said that the attackers used a compromised third-party account that allowed them to connect to the TV5Monde VPN and that once they were inside the network they used one of two camera-control servers as a beachhead for privilege escalation. The agency also noted that the attackers were able to create their own admin-level account in Active Directory and used the IT department’s wiki to gain information. GameStop is notifying an undisclosed number of online customers that their payment card details were stolen between August 10, 2016 and February 9, 2017. The breach was acknowledged by GameStop in April, but the company only recently began notifying affected customers. Cowboys Casino in Alberta said that data stolen from a breach last year has been posted online and that the hackers are threatening to post more data next week. WikiLeaks’ latest dump of CIA documents is CherryBlossom, a project that is focused on compromising wireless networking devices.
  • Universities targeted: Southern Oregon University said it sent $1.9 million to a malicious actor impersonating Andersen Construction, a contractor that is working on the McNeal Pavilion and Student Recreation Center construction project. University College London said that a major ransomware attack occurred on June 14 and disrupted access to a number of users’ personal and shared drives for several days after UCL users visited a compromised website. Ulster University in Northern Ireland was infected with ransomware that affected a “significant number of file shares” due to a “zero day attack.” The initial attack occurred on June 14, and the university said it believes it will be in a position to restore the file share service by late morning on June 19.
  • Other notable incidents: A database containing the personal information of 6 million users of online survey site CashCrate was stolen by hackers due to an apparent compromise of third-party forum software. A developer at Tata Consultancy Service in India posted the source code and internal documents for a number of unnamed financial institutions to a public GitHub repository. Italy’s data protection authority said that Wind Tre, the country’s biggest mobile operator in terms of mobile SIMs, must notify customers of a March 20 data breach that affected 5,118 customers. A hacker pleaded guilty to the 2014 theft of hundreds of user accounts from a U.S. military communications system, an intrusion that the Department of Defense said cost $628,000 to fix.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-06-16)]

Cyber Risk Trends From the Past Week

New York’s attorney general Eric Schneiderman announced last Thursday that CoPilot Provider Support Services must pay $130,000 in penalties as well as reform its legal compliance program over violations related to delayed notification of a breach.

According to the attorney general, an October 2015 data breach of CoPilot’s website administration interface, PHPMyAdmin, allowed an unauthorized user to download reimbursement-related records for 221,178 patients, including their names, genders, dates of birth, addresses, phone numbers, and medical insurance card information. However, CoPilot did not begin formally notifying affected consumers until January 2017, more than a year after the incident occurred — an “unacceptable” violation of New York law.

“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” New York’s attorney general wrote. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”

In January, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a $475,000 fine to Presence Health for similar reasons. OCR said that it was the agency’s first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information and that the settlement amount “balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”

That regulatory scrutiny may get more intense with the enforcement of the EU’s General Data Protection Regulation (GDPR) next year. The GDPR requires companies to notify the appropriate authorities of a breach within 72 hours of discovery if that company collects, stores, or processes personal data for people residing in the EU. As SearchSecurity noted last month, that could force a change for the better when it comes to prompt breach notification by companies since the monetary penalties associated with violating the GDPR are much harsher than the current regulations.

Weekly Cyber Risk Roundup: ‘Staggering’ Amount of Data Exposed and Hacks Lead to Fake News

Organizations are making it easy for cybercriminals by putting vast amounts of sensitive data at risk due to improper security configurations, various researchers recently warned, and this past week saw several new data breaches announced due to the public exposure of sensitive customer, patient, and other internal data.


The first warning came from Appthority, which said it discovered a “staggering amount” of leaked enterprise data from apps due to a vulnerability dubbed “HospitalGown.” The researchers said that almost 43 TB of data was found exposed across 1,000 apps due to the app developers’ failure to properly secure the backend servers with which the apps communicate and where sensitive data is stored. As a result, enterprises are leaving themselves open to data exfiltration, leakage of personal information, and potential ransom attempts, the researchers said.

In addition, John Matherly, the founder of Shodan, said that improperly configured HDFS-based servers are exposing over five petabytes of data. Matherly said he found that the smaller number of HDFS servers leak 200 times more data than MongoDB servers. He discovered 4,487 instances of HDFS-based servers exposing over 5,120 TB of data, whereas the 47,820 MongoDB servers leaked 25 TB of data. These warnings came as several organizations announced data breaches due to publicly exposing sensitive data:

  • A car dealership database has been publicly exposed for more than 140 days, exposing customer, vehicle, and sales details of more than 10 million car owners, including VIN numbers.
  • Victory Medical Center said patient information was discoverable via search engines dating back to 2013, and as a result around 2,000 patients had some of their personal information compromised.
  • A Cosmetic Institute in New South Wales exposed the sensitive personal information, including before-and-after photos, of more than 500 female patients after uploading their data to a publicly accessible index of the clinic’s website.

Other trending cybercrime events from the week include:

  • IP theft leads to extortion attempts: CD Projekt Red said that internal files such as documents connected to its upcoming game Cyberpunk 2077 were stolen by extortionists and that those files may be released to the general public as the company will not pay the ransom. TheDarkOverlord has leaked eight episodes of ABC’s unaired show “Steve Harvey’s Funderdome” on The Pirate Bay, following through on the group’s promise to release shows stolen from Hollywood-based post-production company Larson Studios late last year.
  • Variety of malicious actors arrested: A contractor at Pluribus International Corp. has been charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. Chinese authorities have arrested 20 Apple employees for allegedly using the company’s internal computer system to gather customers’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million). South Korean police have arrested a group of hackers that breached the hotel and guesthouse reservation app “Good Choice” in March and stole the personal data of more than 990,000 users. Two men were indicted for a $12 million identity theft scheme that involved thousands of victims, including students applying for financial aid. The men acquired personal identifying information of victims by either purchasing it or by obtaining the information through the Data Retrieval Tool on the Free Application for Federal Student Aid (FAFSA) website. A guidance counselor at Tryon Elementary School in North Carolina admitted to using information about some of his elementary school students in a $436,0000 Medicare scam.
  • Personal data transmitted insecurely: The Mississippi Division of Medicaid is notifying 5,220 individuals that their protected health information may have been exposed due to their information not being securely transmitted when online forms were submitted. HSBC Bermuda said the personal information of customers was compromised when the company sent an email to a small number of retail banking customers that included an attachment containing HSBC Bermuda customer data. The personal information of almost 13,000 employees of Public Services and Procurement Canada was exposed due to a spreadsheet with sensitive data being sent to 180 people in the department via unencrypted email.
  • Other notable incidents: Al Jazeera said that it faced a large-scale cyber-attack on Thursday against all of its systems, websites, and social media platforms. The University of Alaska is notifying 25,000 students, staff, and faculty members that their names and Social Security numbers were compromised due to a successful phishing attack in December 2016. The Maltese government has seen a significant increase in attacks believed to be carried out by Russian hacking groups in recent months — ever since Malta assumed the important position of presidency of Europe’s Council of Ministers in January. Since then, the Maltese government’s IT systems have seen a rise in phishing attacks, DDoS attempts, and malware on computer systems.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: 2017-06-09_ITTNew]

Cyber Risk Trends From the Past Week

Recent incidents have confirmed that malicious actors are using cyber-attacks and data leaks to both blatantly fabricate entire news stories and discreetly drop small pieces of fake information that can potentially have wide-reaching geopolitical implications.

For example, on May 24, a report appeared on the official Qatari news agency’s website describing a variety of statements made by the emir of Qatar, including tensions with U.S. President Donald Trump, a desire for friendship with Iran, and praise for both Hamas militants and the leader’s relationship with Israel.

The statements received widespread attention, but Qatari officials claimed they were false — a claim now backed by the FBI, which believes the fake news operation and subsequent diplomatic crisis were orchestrated by Russian officials. The New York Times described the incident as “the opening skirmish in a pitched battle among ostensible Gulf allies.” The Times also reported that the false comments led to Saudi Arabia and U.A.E. rallying dependent Arab states to cut off diplomatic relations, travel, and trade with Qatar, as well as the fracturing of the American-backed alliance against the Islamic State and Iran.

Other Russian-tied disinformation campaigns have been more subtle. Citizen Lab recently detailed a series of “tainted leaks” tied to documents stolen from journalist David Satter. Satter had his email account compromised in a targeted phishing attack in October 2016, and those emails were then selectively modified and “leaked” on the blog of CyberBerkut, a pro-Russian hacktivist group. The modified documents were designed both to make the programs they examined appear more subversive of Russia than they actually were and to discredit specific opposition individuals and groups critical of Russian President Putin and his confidants.

Both incidents are further examples of how much impact a disinformation campaign mixed with a little bit of hacking can have on governments around the world. As the Times warned, “Any country can get in the game for the relatively low price of a few freelance hackers.”

Motivated actors could use similar tactics to impact specific organizations with tainted data leaks. A single fake email — or even a few lines modified in a legitimate email — could easily be slipped into a larger dump and then shared with news outlets. That could lead to a crisis similar to the one facing Qatar, where leaders are forced to defend themselves against statements that were never actually made before those statements spread far and wide.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.

The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

Other trending cybercrime events from the week include:

  • Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
  • Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code on a server that was designed to capture payment card information.
  • Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
  • Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: 2017-06-02_ITTNew]

Cyber Risk Trends From the Past Week

TheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

  • web browser, router, and handset exploits and tools,
  • select items from newer Ops Disks, including newer exploits for Windows 10,
  • compromised network data from more SWIFT providers and central banks,
  • and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic that it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well as having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

  • How the digital footprints of organizations have changed over the past couple years.
  • Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
  • The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
  • How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to be able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.

Other trending cybercrime events from the week include:

  • Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
  • New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
  • Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
  • Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: 2017-05-26_ITTNew]

Cyber Risk Trends From the Past Week

It is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offers goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

  • Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
  • Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
  • Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: 2017-05-19_ITTNew]

Cyber Risk Trends From the Past Week

As WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers has previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry. The “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers’ rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover with regard to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

  • In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
  • In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because the firm said they were unaware that new account holders could only purchase 2 bitcoins per day.
  • In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
  • In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted from a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, a lack of proper backups and of an incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.