Too Much Ransomware to Treat Cases Individually

Various government agencies, radio stations, etc. have been hit. A new version of ransomware is making its way around firms in China. Too much really. Let’s concentrate on the .gov problems, because it can hit any of you, and you will – through your taxes – pay the bill. And we know that politicians don’t want to spend money on stuff they don’t understand, or won’t help them get reelected. Is it any wonder that they haven’t spent money on IT security? Worst first…

Transparency? Truth in government? The Little People might get the idea that the State isn’t All Powerful. I-TEAM reveals untold story behind computer hacking at Hopkins Airport.

The FOX 8 I-TEAM has uncovered information that the City of Cleveland withheld from the public about the computer hacking at Hopkins Airport that left flight message boards down and affected other computers too.

A search for backups that aren’t infected took place. Disk storage has gotten so cheap that people think they can use the spinning magnetic stuff for all the backups. But if you leave it connected to your network, that is an online backup: it won’t protect you from a fire (unless it is at a remote location), and it really won’t protect you from ransomware.
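An added illustration of the point above, not code from the original post: a backup copy that is reachable from the network can be encrypted along with the live data, so the first thing an incident team wants is a way to tell whether a backup is still intact before trusting a restore. The script below (POSIX shell; it assumes `tar` and GNU `sha256sum` are available, and the data files and paths are constructed) writes an archive plus a checksum manifest and refuses to restore an archive whose contents no longer match that manifest. The manifest only detects that a backup was altered; the protection itself comes from keeping a copy the network cannot reach.

```shell
#!/bin/sh
# Added example (not from the original post): create a backup archive with a
# sha256 manifest, and verify the manifest before trusting a restore.
# Assumptions: tar, sha256sum and mktemp exist; all data below is constructed.
set -eu

WORK="$(mktemp -d)"          # constructed sandbox directory
SRC="$WORK/data"             # constructed stand-in for live data
BK="$WORK/backup"            # stand-in for the (ideally offline) backup media
mkdir -p "$SRC" "$BK"
printf 'water bill 1\n' > "$SRC/bill-001.txt"
printf 'water bill 2\n' > "$SRC/bill-002.txt"

# make_backup SRC_DIR DEST_DIR: archive SRC_DIR and record the archive's hash.
make_backup() {
    tar -C "$1" -cf "$2/snapshot.tar" .
    ( cd "$2" && sha256sum snapshot.tar > snapshot.tar.sha256 )
}

# verify_backup DEST_DIR: succeed only if the archive still matches its manifest.
# An archive that ransomware encrypted or truncated in place fails this check.
verify_backup() {
    ( cd "$1" && sha256sum -c --quiet snapshot.tar.sha256 ) >/dev/null 2>&1
}

# restore_backup DEST_DIR TARGET_DIR: never restore an archive that fails verification.
restore_backup() {
    verify_backup "$1" || { echo "refusing restore: backup archive altered" >&2; return 1; }
    mkdir -p "$2" && tar -C "$2" -xf "$1/snapshot.tar"
}

# Demo run: take a backup and confirm it verifies while still untouched.
make_backup "$SRC" "$BK"
verify_backup "$BK" && echo "backup archive verified: $BK/snapshot.tar"
```

Keeping the manifest beside the archive is enough to catch an in-place change; for a copy that also survives a fire or a network-wide infection, the archive and its manifest have to be written somewhere that is not mounted on the production network.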

Baltimore, if you remember, was hit with Ransomware in early May. Baltimore won’t send water bills until at least early August.

The billing system was disrupted in May by a ransomware attack that also shut down city workers’ emails and online payment systems.

Now while ransomware is getting much more sophisticated, the stuff that hit Baltimore depended on unpatched versions of Windows. And they were hit 2 years after Microsoft, the government, and everyone with any appreciation of IT security told them to patch their damn systems. (Despite all of that, the attack was “unexpected” and they want you to pay for the clean-up.)

Syracuse was hit with the Ryuk ransomware last week. (One of the new, more sophisticated attacks.) Syracuse school district, Onondaga County libraries, recovering from cyberattack.

The school district attack rendered computer files and systems inoperable, freezing the district out of access. They’re still working to restore some systems. Meanwhile, the county libraries’ online and phone services were also knocked out. Library programs and checking out books are continuing the old-fashioned way.

At least they didn’t pay the ransom.

And a reminder out of Kentucky to be sure that you get help from people who really understand the problem. Library still plagued by ransomware.

They thought they were good. They ran a “scrubbing program” (antivirus?), but it didn’t remove Cryptolocker from the entire network. And now it’s back. So this time they are consulting someone who knows what to do.

‡ You think your servers are immune to structure fire? What about wild fire? Floods? Tornadoes? Terrorist – or disgruntled employee – attack? What would you do if a tanker truck full of toxic waste turned over in front of your building and you were forced to evacuate? What if that happened while everyone was at lunch, and you couldn’t even grab the laptop off your desk? Do you have everything you need at a remote location? Do you have a remote location?


New Ransomware Attacks Flaw Patched in October of 2018

I guess some people just refuse to accept the fact that YOU NEED TO UPDATE YOUR DAMN MACHINES. New Ransomware Found Exploiting Former Windows Zero-Day Flaw. At this point, no one feels sorry for you.

Kaspersky Lab has detected malware named Sodin, Sodinokibi or REvil. It seems to be fairly sophisticated.

The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection – functionality that is not often seen in ransomware.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors,” said Fedor Sinitsyn, a security researcher at Kaspersky.

A lot went into the creation of this encryptor, so you can be sure that it will be used far and wide. So far use is concentrated in Asia, but it has been seen in Europe, and both North and South America.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

UPDATE your machines, and keep them updated.

Another Florida City Hit With Ransomware

I missed this story. It certainly didn’t get the coverage of Baltimore, or Atlanta, or even Riviera Beach.

You can expect cities, counties, and other municipal organizations to get hit with similar attacks in the near future. They run their own email servers. (Because that’s what they’ve always done!) The powers-that-be won’t approve money for stuff like anti-virus, updated software, updated PCs, etc. because “Things work just fine; we don’t need to spend money, you crazy IT people, screaming about how the Sky is about to fall.” And everything about the organization is public record, making Spear Phishing as easy as 10 minutes on the city’s website.

First it was Riviera Beach, then it was Lake City, and now it is Key Biscayne. Third Florida city falls victim to ransomware attack.

Both Key Biscayne and Lake City were hit with Ryuk, the final piece of what is known as the “Triple threat attack,” the other two being Emotet and Trickbot malware. It’s uncertain whether the Riviera Beach attack was also based on Ryuk, which was originally linked to the notorious North Korean “Lazarus” hacking group.

Also Georgia’s Judicial Council and Administrative Office of the Courts was hit by the same triple-threat.

So if you can pay (as Lake City did) the hackers, why couldn’t you pay the IT department last month when they asked for money to prevent this? And it isn’t clear to me if Key Biscayne is going to pay or not.

What’s the Cost of Poor Cyber Security?

It can be high. Norsk Hydro Q1 core profit plunges after cyber attack.

Norsk Hydro was hit by a ransomware attack in March of this year. (LockerGoga ransomware to be specific.) It had a tremendous impact on first quarter results.

Aluminium-maker Norsk Hydro, the victim of a cyber attack in March that paralysed its IT systems, posted an 82% drop in first-quarter core profits on Wednesday.

Core profit dropped from just over 400 million US dollars to $64.3 million.

So do you think any of the folks in the executive suite will be called to account for why they decided to “save money” by not investing in security? I don’t.

For review of what happened at Norsk Hydro, what they did that was right, and what they did that wasn’t so good, see this link.

Baltimore STILL Suffering from Ransomware

I feel like they are in the mode “search for the scapegoat.” Baltimore Council President Scott to form panel to examine city’s cybersecurity after crippling computer hack.

I wonder if his panel will discover past requests for IT support dollars that were deemed not important. Any bets? (On whether there were requests, or on whether his panel will find evidence of them?)

The ransomware attack last week on the city’s computer network has caused widespread problems across agencies, including shutting down systems essential for completing home sales in Baltimore.

“This cyberattack against Baltimore city government is a crisis of the utmost urgency,” Scott said.

Actually this guy said, after the previous hack, that they weren’t spending enough on IT security. But it’s easy for one politician to say “we should fix this.”

A review of city budgets shows that certain elements of cybersecurity strategy have lagged as funding has declined.

After they suffered a MAJOR attack about a year ago, funding for security DECLINED. They deserve whatever they get. And what they’ve got is, they can’t pay bills or accept payments. So there’s that.

Security isn’t free. It takes software, and people (who need training regularly) and probably outside audits. Oh, and training so people outside of IT don’t click on spear-phishing emails.

And people ask me why I will never work in Information Technology again. I don’t know how to do something with nothing. I can’t put 10 pounds in a 5-pound bag, no matter how loud you scream. And public bureaucracies aren’t that much different than private. (The best plan, in case of emergency, is to keep your resume updated on your PC at home.)

Ransomware: What you can do about it

Lots of stories about ransomware. Here’s one on defending against it. The Best Ways to Defend Against Ransomware Attacks.

The list of things to do is relatively short, and worth looking into. But the number one thing on that list is something everyone should be aware of.

Be Aware of Ransomware Phishing Emails

Phishing emails are often a part of ransomware attacks, which play upon employees opening malicious email attachments from attackers. Because of this, employees must be educated about the dangers of phishing in order to reduce the potential consequences of human error. Instituting company-wide training in order to recognize phishing attempts is a method to lower the risk of an employee mistake in the event of a ransomware attack.

As they say, go read the whole thing; you may learn something. (I promise, it won’t hurt.)

Payroll Service Provider Pays Ransomware Extortion

Paying didn’t solve all of their problems, and paying up just encourages bad behavior. Payroll Provider Gives Extortionists a Payday.

If you are paying someone to manage parts of your business, like your payroll, you should be damn sure that you are getting what you are paying for. Namely the management of computer resources.

Roswell, Ga. based Apex HCM is a cloud-based payroll software company that serves some 350 payroll service bureaus that in turn provide payroll services to small and mid-sized businesses. At 4 a.m. on Tuesday, Feb. 19, Apex was alerted that its systems had been infected with a destructive strain of ransomware that encrypts computer files and demands payment for a digital key needed to unscramble the data.

No word on the nature of the ransomware in question, but most incursions today are the result of phishing, or even spear-phishing. Are your employees aware of what that looks like?

They worked to recover, but eventually decided that the only way to get things back for their customers in a timely manner was to pay up and get the decryption key.

Unfortunately for Apex, paying up didn’t completely solve its problems. For one thing, Oxman said, the decryption key they were given after paying the ransom didn’t work exactly as promised. Instead of restoring all files and folders to their pre-encrypted state, the decryption process broke countless file directories and rendered many executable files inoperable — causing even more delays.

One of their businesses is still off-line.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can spell the end of cloud-based business, but just being down for more than a few days can often be just as devastating. As a result, the temptation to simply pay up may become stronger with each passing day — even if the only thing being ransomed is a bunch of desktops and servers.

I get why small companies outsource things like payroll. The rules always change. The penalties for getting it wrong are terrible. But that doesn’t mean you should just pick the first company you see, or the cheapest alternative.