Blog

Ransomware: A Primer

There have been discussions about whether or not ransomware activity is on the decline, including by our own experts here at Consortium Networks, spurred by geopolitical activity and law enforcement actions, the fact is that Q1 of 2023 has seen a 27% increase in ransomware data leaks over Q1 2022 (672 vs 855). This issue is not only growing in terms of frequency, but speed as well. In the past, we saw operators spend months studying a system and the organization whereas recently there have been instances of organizations’ data being encrypted within a matter of days from initial infiltration. According to the numbers, Ransomware is still a huge problem. 

Ransomware actors regularly innovate their TTPs but at a high-level ransomware attacks typically follow a core set of patterns: initial access, lateral movement, execution, exfiltration, encryption, user notification, and extortion. In some cases DDoS has also been applied against victims and in others, threat actors moved directly to extortion bypassing the encryption step.

Some of the more effective means of combating ransomware have been backing up data in a secure environment that cannot be encrypted by the threat actors, and using legitimate services that have developed ways of decrypting many of the strains of ransomware.

However, neither of these methods deal with the significant potential damages resulting from sensitive data being leaked on publicly open ransomware extortion sites. The leaks can cause loss of intellectual property, competitive advantage, insider information, personally identifiable information (PII), personal health information (PHI), lead to various lawsuits, etc.

Thus, while it is very important to have a plan for dealing with a ransomware event, it is still preferable to try to prevent the event in the first place. In order to do so, it is vital to understand how the threat actors may gain access to victim systems and networks.

Companies Face New SEC Regulations

Many companies are now grappling with the imminent enforcement of the new SEC regulations. According to Davis Polk, this affects specifically “market entities” including “many types of broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.” A rule proposed by the SEC last year would make a company obligated to report a cybersecurity breach within 4 days of noticing it. This rule, which changes the game on incident reporting, is now up for comments with the comment period ending on May 22nd.

Sifting Through the Hype: Insider Threat, ChatGPT and Cybersecurity

ChatGPT and generative AI have become an inescapable part of the cybersecurity conversation since January, dominating everything from individual conversations to the massive RSA conference in late April. Fears abound about how generative AI could revolutionize cybercrime and radically change the cybersecurity landscape. 

Some fears are well-founded, particularly those that popped up following Samsung’s source code being accidentally leaked by an employee to ChatGPT. However, this is no new issue, and source code has been leaked by accident well before ChatGPT came onto the scene. The greater issue here is one that has been around much longer and is much less flashy than emerging technology and that is strong, comprehensive, and understandable cybersecurity policies.

In Other News

Announcements

Cybersecurity Firms Announce Shared Information Sharing Platform: A number of cybersecurity firms operating in the critical infrastructure space announced a joint effort to break down information gaps across the various critical infrastructure industries. The Emerging THreat Open Sharing (ETHOS) platform is “a vendor agnostic initiative that aspires to cut through the noise by automating the discovery and dissemination of real-world threat information from its industry members,” says Deputy CTO for OT and IoT at Tenable Marty Edwards. General membership applications will go live in June.

South Korea, US Commit to Cooperation Against North Korean Cyber Threat: According to a joint statement by the US and South Korea following President Yoon Suk Yeol’s visit to the White House, the two countries will soon sign a cybersecurity cooperation agreement to combat North Korean cybercrime.

UN Cybercrime Treaty to be Released in June: The United Nations Cybercrime Treaty will be released in June after 5 years of debate over what it will cover according to a senior US Justice Department official speaking at the RSA Conference in San Francisco at the end of April.

Guidance

CISA Releases Security-By-Design and Default Principles Guide: CISA is following up on the recently released White House National Cyber Strategy in its recent Security-by-Design guidance for manufacturers, indicating the federal government’s intention to shift liability for cyber incidents to manufacturers and away from end-users.

CISA Releases Three SBOM Documents: CISA released three community-drafted documents relating to the Software Bill of Materials (SBOM) in April. The “(SBOM): Types of SBOM Documents” summarizes SBOMs commonly created today and the data that is typically presented alongside them. The “Minimum Requirements for VEX” document specifies the minimum elements to create a vulnerability exploitability exchange (VEX) document. Finally, the “SBOM Sharing Lifecycle Report” describes the different parties and phases of the SBOM sharing lifecycle to assist in choosing suitable SBOM sharing solutions.

Threat Intelligence

Cybercriminals Posing as PRC Officials to Target Chinese Communities: The FBI warned last month that cybercriminals are posing as members of the Chinese government to target Chinese nationals in the United States. 

Researchers Warn of New Fast-Encrypting Ransomware: Cybersecurity researchers are ringing the alarm on the newly discovered fast-encrypting “Rorschach” ransomware. Israeli cybersecurity firm CheckPoint says the ransomware appears to be unique and that it has overlaps that could link it to any known ransomware strain or group.

Russian Military Targeting Router Vulnerabilities: CISA and technology firm Cisco released separate advisories last month warning of a Russian military (APT28/Fancy Bear) campaign on Cisco routers.

UK Warns Russian Hacktivists Targeting Western Critical Infrastructure: The British National Cyber Security Centre (NCSC) warned that pro-Russian hacktivists known for their fairly harmless digital defacement campaigns have plans to move to more destructive attacks on Western organizations. NCSC assesses that the hacktivists currently are unlikely to have the necessary skills to do real-world damage on critical infrastructure systems, they may soon be the recipients of “external assistance,” especially after demonstrating the ability to infiltrate Canadian gas infrastructure as discovered in March’s trove of leaked intelligence documents. 

Hacks

Annual OpIsrael Attacks Hit Israeli Critical Water Infrastructure: Several water monitors that are part of Israeli irrigation and wastewater treatment systems were left non-functional following a cyberattack at the beginning of April. This attack was part of the broader annual OpIsrael campaign in which anti-Israeli hackers attack Israeli networks throughout Ramadan. The irrigation system impacted by this attack is one of the most sophisticated and sought-after water management systems in the world and has been a part of many conversations in getting countries to the negotiating table for the Abraham Accords, making this target high-value both because of its importance as critical infrastructure and as a political statement. Other victims include Israeli media agencies, medical websites, government websites, and university websites.

UK Criminal Record Office hacked: U.K.’s criminal records office admits the website isn’t down for maintenance, but rather were victims of a cyberattack. The agency claims it did not report this earlier because it might have hindered ongoing investigations.

Western Digital Announces Hackers Accessed Data: Western Digital, known for SanDisk products, hard drives, and memory cards, has taken its websites down completely following a data breach until they feel confident the problem has been eliminated. 

Capita Locked out of Network: Capita, the outsourcing company that runs crucial operations for the NHS and the military, were locked out of their systems. The hack took out their servers and their clients are now asking to know what the hackers were able to access. 

Check Point Cyber Security Taken Down in Annual Operation Israel attack: Israeli cybersecurity website Check Point was taken down in an Anonymous Sudan hack as part of the annual OpIsrael campaign.

Lumen Technologies Hit Twice, Impact Unknown: Lumen Technologies was hit with two separate hacks on Monday the 24th. As of now, it seems as though this will have no effect on how operations are running but could prove to be harmful in the future. 

42 Minnesota County Schools Close Due to Cyberattack: Minnesota county schools canceled class after they noticed irregularities within their system. All 42 schools were canceled Monday the 10th due to not being able to access any of their core systems or softwares. This happened a month after ransomware group Medusa released private student information on the dark web also taken from Minnesota public schools. 

Data Leaks

Hyundai Hack Leads to Exposure of French and Italian Clients: Hyundai announced that there has been a data breach that may impact Italian and French car owners who have booked a test drive. This hack is rumored to have stolen email addresses, physical addresses, telephone numbers, and vehicle chassis numbers. 

Yum Brands Data Breach’s Full List of Impacted People Still Unknown: Yum Brands, the owner of Taco Bell, Pizza Hut, and KFC, fell victim to a ransomware attack that led to a data breach. A notification was sent to everyone who might have been affected, but the full amount of impacted individuals is still yet to be known. 

The Consumer Financial Protection Bureau Reports Breach a Month after Discovery: The Consumer Financial Protection Bureau (CFPB) reported a cyber breach that could affect “roughly 256,000 consumer accounts at a single institution” after an employee sent mass amounts of company data to his personal email. 

Second Wave of Oakland Information Released: The hacker group “Play” shared a second wave of information on the dark web after a February ransomware attack against the city of Oakland, California.

Ransomware

Lewis and Clark Ransomware Attack claimed by Vice Society: Lewis and Clark College was hit by a ransomware attack which was claimed by cyber crime group Vice Society. Vice Society is known for attacking schools and selling their information on the dark web. 

Truman Univeristy Attack Leaves Classes Canceled and Students Locked Out of Devices: Truman Univeristy in Kirksville, Missouri, was hit with a cyber attack that took out all the networks and servers. There has been a large increase in cyber attacks on schools, likely because they previously have been fairly lax when it comes to cyber security. Classes were canceled for over a week and students were urged to not sign into any Truman devices while servers were brought back up.  

San Bernardino County Cyber Attack: The San Bernardino County Sheriff’s Department is currently in recovery after an officer clicked a malicious link that caused a cyber attack. It is not clear whether data has been stolen in this attack but they had to shut down the station for weeks to try and recover the systems. 

Reports

EDR Software Increasingly Vulnerable: As hacking defense systems get better, hackers get craftier, experts say as they see EDR systems increasingly being successfully targeted.

New Class of Russian Hackers: A new league of Russian hackers have emerged in the last 18 months and they, unlike some of the other big players in the arena at the moment, seem ideologically motivated rather than financially motivated. These players seem more inclined to cause harm than just conducting DDoS or other nuisance attacks. NCSC has suggested significantly upping your cyber security game if you think you might be targeted. 

Chinese Government Opens Investigation into Micron: Micron, a US memory chip vendor, is being investigated by the Chinese government as a potential national security risk. These accusations closely mirror those the US made about Huawei, a Chinese telecom equipment vendor. Trade restrictions around the world are trying to block the Chinese semiconductor business. The Micron accusations are likely retaliation for the United States’s hand in this and/or the conveniently timed accusations against Huawei. 

Sophos Warns of Increased Attacks: Almost 94% of companies were victims of a cyber attack within the last year. All companies should prepare for some sort of attack within the next year, warn researchers. Data theft, phishing, ransomware are just some of the ways that Sophos warns that malicious actors will try and hack into any and every company.

Policy and Politics

United States

White House Formalizes Data Privacy Strategy: The White House released its strategy to support the further development of privacy-preserving data sharing and analytics technologies. This strategy will support the development of the US data privacy ecosystem in the absence of a federal comprehensive privacy law.

Bill to Assist K-12 Cybersecurity Revived: A bipartisan group of legislators are reviving a bill that would direct CISA to provide K-12 education with more resources and guidance. The bill also carries with it an additional $10 million in funding for grant opportunities.

Cyber Safety Review Board Poised for Codification: The White House is proposing legislation that would codify the Cyber Safety Review Board (CSRB), an independent DHS expert panel intended to research and distill the lessons of major cyber incidents. 

CISA Seeking Comment for Secure Software Self-Attestation Form: CISA has issued a request for comment on the Secure Software Attestation Form after it released, in conjunction with the Office of Management and Budget, proposed guidance on secure software.

Global

EU Proposes $1.2 Billion Cyber Plan: The European Union proposed the EU Cyber Solidarity Act last month, a $1.2 billion plan to counter cybersecurity threats. The proposal will require agreement from all EU member states and the European Parliament to become law.