Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 

Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by NotPetya (or Nyetya) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.

Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have been compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

The offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due to the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that the leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used the Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.

Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.

At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear if the group behind the threats is associated with the real Armada Collective, or if it is yet another group that is attempting to leverage the popular extortionist’s identity in order to gain credibility. In early 2016, a group was able to successfully extort more than $100,000 by threatening DDoS attacks under the Armada Collective name, but researchers concluded that the threat was empty: despite being profitable, the group never actually carried out any attacks.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank — with a promise of more powerful attacks to come in the future if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC last Monday lasted for only 16 minutes. Previous extortion campaigns have seen groups using a similar tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands are unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million ransom payment that was made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.

Other trending cybercrime events from the week include:

  • Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”
  • Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.
  • Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

One of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those that were infected across the Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for the key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means that the attackers have little hope of actually recovering victims’ data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.

Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus Ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which were for small companies and startups.

The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down their IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.

Other trending cybercrime events from the week include:

  • Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.
  • POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.
  • Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.
  • More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.
  • Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

Larson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to the leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

As WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry. The “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers’ rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”  

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover with regard to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

  • In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
  • In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because, the firm said, it was unaware that new account holders could only purchase 2 bitcoins per day.
  • In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
  • In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted from a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, the lack of proper backups and of an incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

By Saturday, researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.

Other trending cybercrime events from the week include:

  • Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
  • Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
  • Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
  • Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: “newly seen” targets tied to cybercrime over the past week]

Cyber Risk Trends From the Past Week

On Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Slew of Source Code and Malware Leaks Increases Risk for Organizations

Earlier this month, an undergraduate student in Korea apologized for creating and making public the joke ransomware “Resenware.” The malware didn’t ask for money to decrypt files; instead, it required victims to score more than 200 million points on the “lunatic” level of the shooting game Touhou Seirensen ~ Undefined Fantastic Object.

The student told Kotaku that he released the joke malware on GitHub before falling asleep and by the time he woke up it had spread and “become a huge accident.” The source code was quickly removed from GitHub and a tool was released allowing infected users to decrypt their files without having to play the game. The creator then apologized for making a “kind of highly-fatal malware.”

That’s all well and good, but as Will Rogers once said, “Letting the cat out of the bag is a whole lot easier than putting it back in.”

A warning from Resenware shared by Malware Hunter Team.

The story highlights how quickly publicly available source code can be spread, copied, and potentially repackaged by malicious actors. That isn’t as likely to happen with Resenware due to the lack of a financial component, though it could be utilized by actors looking to cause harm rather than turn a profit. Nevertheless, profit-driven actors have numerous other recent source code leaks they can pull from.

For example, in December 2016, the source code for a commercial Android banking Trojan, along with instructions on how to use it, was released on a cybercriminal forum. Malicious actors quickly used that code to create the BankBot Trojan, which Dr. Web researchers noted can steal login credentials and payment card details by loading phishing forms and dialogs on top of legitimate applications, as well as intercept and delete text messages sent to the infected device. Since then, BankBot has made several appearances in the Google Play store, confirming Dr. Web’s January conclusion that the leak “may lead to a significant increase in the number of attacks involving Android banking Trojans.” In fact, just last week two malicious applications utilizing BankBot, HappyTimes Videos and Funny Videos 2017, were removed from the Google Play store after receiving thousands of installs.

The BankBot Trojan is just one example of the continuing evolution of malware as the stockpile of effective cybercriminal tools continues to accumulate. The leak of these tools, whether made as a joke by amateurs or for malicious purposes by professional cybercriminals, means that more polished malware is now at the fingertips of malicious actors than ever before.

Even if an inexperienced actor is unable to take and modify public malware source code, they can simply turn to professionally run as-a-service malware options that are likely doing so.

Last week Malwarebytes released a report with an interesting chart on ransomware trends. It shows that the Cerber ransomware-as-a-service (RaaS) has come to dominate the ransomware market with a nearly 90% share as its main competitor, Locky, has declined.

Cerber is dominating the ransomware market as Locky fell off sharply, according to Malwarebytes’ honeypots.

“Cerber [has spread] largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors noted.

Those types of criminal operations can greatly benefit from the large volume of exploits and malware source code that has made its way into the public domain this year.

For example, since March 2017 we’ve seen:

  • The release of the source code for the NukeBot banking Trojan, a modular Trojan that comes with a web-based admin panel to control infected endpoints.
  • New allegedly NSA-developed exploits leaked by TheShadowBrokers, including last week’s release of a series of now-patched Windows exploits and a critical vulnerability that can hijack Solaris systems that was released a week prior (and patched today by Oracle).
  • More leaks of alleged CIA exploits and tools, some of which claim the CIA benefited by repackaging components of the Carberp malware source code, which was leaked in 2013, into CIA hacking tools.
  • A report last week claimed that the Callisto APT Group used tools leaked from the surveillance company HackingTeam, which was breached in 2015, in a series of targeted attacks last year.

Whether it’s nation-state actors, cybercriminal groups, or amateur hackers, they can all benefit from the leak of these tools over the past month. If past leaks are any indication, malicious actors will incorporate any effective tools and techniques from the recent leaks into their already-existing cyber arsenals.

As the collective knowledge grows on the cybercriminal side, it’s crucial that organizations harness their own threat intelligence in order to have their finger on the pulse of malicious actors. With that information they can more effectively counter the slew of new vulnerabilities, exploits, and as-a-service tools being used to infiltrate their networks and damage their organization.

New Cryptocurrencies Gain Traction, Spark Concern For Law Enforcement

Last month a new ransomware emerged known as “Kirk Ransomware.” The malware was interesting not just because of the Star Trek-themed imagery of James Kirk and Spock that it used, but also because it may be the first ransomware to demand payment via the cryptocurrency Monero.

Victims of the Kirk Ransomware are walked through how to make their ransom payments using Monero.

There are literally hundreds of different types of existing cryptocurrencies like Monero that cybercriminals can choose from, but bitcoin is the most well known and has been the most widely used, by far, when it comes to ransomware. Bitcoin’s status as the reigning cryptocurrency king has been driven, in part, by the growth of cybercriminal markets and ransomware actors that greatly benefit from having a semi-anonymous payment option available. However, bitcoin is facing both growing pains and an expanding group of credible challengers that claim to have better answers to some of the current issues facing cryptocurrencies.

Cryptocurrencies are, for better or worse, intertwined with cybercrime, and dark web markets and malicious actors adopting new forms of payment such as Monero and Ethereum are helping push those currencies to new heights. With that growth comes new opportunities for cybercriminals as well as new concerns for law enforcement.

As we noted in a recent blog on AlphaBay’s plans to adopt Ethereum next month, the cryptocurrency has seen a dramatic increase in price on the heels of AlphaBay’s announcement and partnerships with legitimate financial institutions. Likewise, Monero was worth around $2.50 the day before AlphaBay announced plans to adopt the currency, and less than eight months later it has jumped to more than $26.

In December 2016 an AlphaBay support representative told Bitcoin Magazine that Monero accounted for about two percent of its sales, so bitcoin remains king. However, one can assume that the actors behind AlphaBay have plenty to gain financially by riding the wave created by the largest dark web marketplace adopting new cryptocurrencies — besides simply appeasing their customers.

Monero — which advertises itself as a “secure, private, untraceable currency” — is perhaps the most praised among cybercriminals. Bitcoin was not designed to be anonymous, and every transaction is publicly visible on the distributed ledger known as the blockchain. That’s why malicious actors use third-party tools such as bitcoin tumblers to help hide the origins of bitcoins. It’s also why law enforcement officials and security researchers have been able to “follow” bitcoins to bust those buying and selling illicit goods and services.

Monero, on the other hand, allows users to send and receive funds without transactions being publicly visible on the blockchain, which is one of the reasons some malicious actors prefer it.

“Bitcoin is much more vulnerable to chain analysis,” advised one AlphaBay member in September 2016, when the dark web market adopted Monero. “I can’t stress strongly enough how much more secure it is for darknet transactions.”

Monero is safer for both the buyer and seller, wrote one AlphaBay user.

Although cryptocurrencies such as Monero have not been as heavily scrutinized by law enforcement as the more popular bitcoin, their adoption among malicious actors is a concern — even if Monero is not perfect.

“There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular,” Joseph Battaglia, a special agent working at the FBI’s Cyber Division in New York City, said at an event in January. “Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users.”

As a case in point, the dark web marketplace known as Oasis, which beat AlphaBay by two weeks to become the first market to accept Monero, suddenly went offline in late September 2016 in what may have been an exit scam. Various users quickly reported that at least 150 bitcoin was lost in the potential scam, but guessing how much Monero currency was stolen proved to be much more difficult.

“If we can’t find out, that’s a good thing,” wrote one redditor.

However, the FBI likely has a different view.

Ransomware Disrupting Business Operations and Demanding Higher Payouts

Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.

As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.

However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

A quick look at some of the ransomware mentioned in SurfWatch Labs’ new report.

It was just 13 months ago that Hollywood Presbyterian Medical Center drew national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.

For example:

  • On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
  • On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers. 
  • On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
  • In February 2017 at the RSA Conference, researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).

As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”

In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be-targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.

Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.

In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.

Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts. For more information on these evolving ransomware attacks, download SurfWatch Labs’ free report: Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

Fake Extortion Demands and Empty Threats on the Rise

I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.

My analyst team has researched cyber extortion and has found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats and the impending results. Essentially they’re following the path of least resistance and most profit.

The Many Faces of Extortion: Popular Threats

The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.

The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!

The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.

FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.

DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS threats. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.

A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.

Extortion is also frequently tied to data breaches — both real and fake — as it is another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.

ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”

That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.

For more information on extortion threats and how to keep your organization safe, download the free report: The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.