In wake of global ransomware attack, key resources to resist, respond, recover
Friday, May 19, 2017
Posted by: Brian Monroe
In the wake of the unprecedented WannaCry ransomware attack that hit the world one week ago today, infecting more than 230,000 computers in 150-plus countries, many victims are left wondering what they could have done differently to prevent an infection.
Some reports are pointing fingers at North Korea, noting the hackers may have used exploits identified by and later stolen from the U.S. National Security Agency. The attack is also being viewed as an international wake-up call for banks, hospitals, law firms, transportation networks and large government operations or private companies of all stripes to better gird themselves against cyber attacks.
That’s because the particular attack vectors used and vulnerabilities exploited in the WannaCry attack had actually been patched by Microsoft in April for most systems. Many companies simply hadn’t updated their networks, leaving the door open to creative criminals.
The countries most affected by the assault include Russia, Ukraine, India, Taiwan, Britain, Spain and Germany, according to media outlets and technology firms, regions left scrambling by a frustrating attack demanding between $300 and $600 in Bitcoin. Some reports note that the group behind the attack had no real way to track who actually paid.
Overall, it is estimated that more than 90 percent of hack attacks are successful due to human error - from failing to implement routine software updates, to thoughtlessly clicking links in suspicious emails, or falling for a spoofed message purporting to be from the CEO.
That’s why ACFCS has collected a range of resources below to help companies make themselves more resistant to attacks in the first place, identify breaches at the outset and recover more quickly when malware worms its way into their systems.
The resources listed include ACFCS content and external pieces from trusted government and private sources.
WannaCry could have been far worse, according to media reports, noting that two researchers in the United States and United Kingdom worked to divert the attack by buying a domain name that acted as a “kill switch” in the viral code.
WannaCry is likely a glimpse of things to come. The attack is an amalgamation of several hacker techniques – classic probing and puncturing of unpatched systems, installation of self-propagating ransomware and demanding payment by untraceable addresses in Bitcoin. Media reports have stated that hundreds of victims have already paid more than $70,000 tied to the attack.
Worse, ransomware is by all accounts surging in terms of attack types, attempts and success rates.
Government and private sector firms have noted that ransomware, once a minor nuisance in the pantheon of cyber attacks, has grown into the top issue in recent years. It is growing exponentially as more criminal and nation state groups get into the game and employ tactics like spear phishing and business email compromise to fine tune their illicit initiatives.
In this ACFCS story, we noted that in the fight against ransomware, updated systems and offline backups are critical defense and recovery stratagems. We detail the top 10 things to do in an attack. Some highlights of the story include:
- Don’t pay – or you will end up paying more: In ransomware attacks, even if the person pays, the attackers may still hold some or all of their systems hostage or attack again at another time, starting the cycle again. Try to remember, as official and polished as these criminals may make their “tech site help” look, they are still criminals and just want your money.
- Don’t give attackers permission – by restricting permissions: Construct your system so that only certain individuals with certain rights, privileges and passwords can access or make changes to the more critical parts of the computer or network. That way you can limit users’ ability to install and run unwanted software, which may prevent the spread of malware to one or more computers. The mantra should be least privilege: each user gets only the access to the system that their role requires.
- They found flaws in your system – now look for flaws in theirs: If you didn’t back up your system, there could still be some options to unlock and recover your data. Not all ransomware is foolproof – tools exist to help with diagnosis and unlocking. First, figure out the variant – ID Ransomware is one tool. Then, find a decrypter from Avast, Kaspersky, AVG and others.
- As a last resort, bring in the big guns – and say no to paying that ransom: A collaboration between Intel Security, Kaspersky Lab and Europol called No More Ransom! has a collection of decryption tools for ransomware families that have been cracked by researchers. The site is www.nomoreransom.org.
To read the full story, please click here.
This ACFCS “Resource Roundup” offers eight open source avenues to bolster cyber programs, practices and knowledge.
Secure Password by Kaspersky: A straightforward tool to check the strength of passwords and get tips to make these virtual gateways harder for criminals to crack. https://password.kaspersky.com/
Have I Been Pwned?: This site searches for any data, including names and email addresses, that has been released in or associated with any known data breach. For instance, you can look up whether your email address has popped up in breaches at organizations such as JPMorgan, Yahoo email or even Ashley Madison. https://haveibeenpwned.com/
Kaspersky Cyberthreat Map: This is arguably one of the most well-known cyber threat attack maps and, consequently, is also one of the most sophisticated and entertaining. It breaks down types of attacks, the countries attacks originate from and are aimed at, and other critical data points. The site displays a three-dimensional earth with colorful fusillades of cyberattacks launching to destinations the world over.
To read the whole story, please click here.
This is a great guide by ACFCS partner Cybint Chief Executive Officer Roy Zur, appropriately titled Cyber Security: A Short Guide for Financial Institutions of a Ransomware Attack.
On Friday, May 12, 2017, the world experienced one of the largest “Ransomware” attacks in history. The Ransomware hit dozens of countries around the world, causing damage to critical infrastructures within hospitals and public transportation, and to businesses including law firms and financial institutions.
Since 2016, cyber attacks through Ransomware have grown exponentially, and now surpass all other forms of malware as the number one menace to cyber assets and the technology infrastructure. The rise of Bitcoins (digital untraceable payments) has contributed greatly to the increasing popularity of Ransomware among hackers.
Protecting yourself and your clients from Ransomware means understanding how it works, then taking appropriate security actions. The information contained in this piece is meant to arm you with the knowledge you need to minimize your risk from Ransomware. Here are some tips to protect institutions, clients and yourself:
a. Know your “Cyber Rating” and improve cyber awareness. 95 percent of all security incidents involve human error, so the first stage is to identify the main human factor gaps in the organization. At Cybint, we offer a free assessment for you and your organization to gain the insights you need here: http://www.cybintsolutions.com/assessment.
b. Update your system regularly. Many of the updates you get to your computer or smartphone are security updates. It means that the company (for example Microsoft® for Windows) identified a security breach, and asked you to update your system to avoid this breach. The same update was released to hackers, who will be looking for the “weakest links.” Most of those weakest links are people, perhaps like you, who didn’t have the time to update their system until it was too late.
c. Avoid unfamiliar websites. Before entering an unfamiliar website, you should check its trustworthiness. There are available online tools to help you do it like https://www.mywot.com/ and lists of dangerous websites like https://www.malwaredomainlist.com.
d. Backup. Hackers know that the secret of effective Ransomware is penetrating your backup systems. Your approach should be to use several types of backup, with a cloud-based file syncing backup (to allow recovery of the previous version), and long-term “offline” (or logically isolated) backups of data stored in locations inaccessible to the infected computer. Backing up to locations such as external storage drives can prevent them from being accessed by the Ransomware, thus making data restoration faster and easier.
For the full story, please click here.
From Fortinet, a report on mapping the ransomware landscape to better understand the scope and sophistication of the threat.
A snippet from the report: When a cyber threat grows in magnitude by 35 times in one year, every organization should pay heed. This is exactly what happened with ransomware. Hacktivists targeted organizations around the world representing myriad industry segments and businesses of virtually every size.
Traditional security approaches are not sufficient to thwart ransomware attacks. Advanced models using next-generation firewalls, layered security, and proactive threat intelligence are a requisite. To read the full report, click here.
London is not falling down
The City of London Police’s National Fraud Intelligence Bureau (NFIB) has also issued an alert to help individuals and businesses better protect their digital assets in an attack. The full advice is available as a PDF document by clicking here, courtesy of The Fraud Tube.
The notice includes key “Protect” messages for businesses to protect themselves from ransomware, such as:
- Install system and application updates on all devices as soon as they become available.
- Install anti-virus software on all devices and keep it updated.
- Create regular backups of your important files to a device that isn’t left connected to your network as any malware infection could spread to that too.
It also highlights that the National Cyber Security Centre’s technical guidance includes the specific software patches that will prevent uninfected computers on your network from becoming infected with the “WannaCry” ransomware: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance.
It also offers additional in-depth technical guidance on how to protect your organization from ransomware, at https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware.
Here is a link to a recent ACFCS “Quick Tips” webinar on BEC, including ransomware, and another link to a webinar on overall cyber preparedness.
Business email compromise (BEC):
Just a few weeks before WannaCry, the FBI released BEC red flags, noting that in recent years this cyber attack type has hit $5 billion in losses.
The U.S. Federal Bureau of Investigation (FBI) is warning companies anew – ironically just weeks before the largest global ransomware attack in history – about the surging scourge of business email compromise fraud, a devious attack technique that can bypass the most sophisticated cyber defenses because it relies on simple human error, such as someone answering an email that seems to come from a boss and sending a wire to a new address for a longtime supplier.
Business E-mail Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The E-mail Account Compromise (EAC) component of BEC targets individuals that perform wire transfer payments.
Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link.
The victim clicks on the link, and it downloads malware, allowing the subject(s) unfettered access to the victim’s data, including passwords or financial account information.
Some recent three-year stats:
Domestic and international incidents:
Domestic and international exposed dollar loss:
Banks are also a prime target. Stats for the last six months of 2016:
Total U.S. financial recipients:
Total U.S. financial recipient exposed dollar loss:
The attacks put banks under even more pressure for cyber countermeasures and compliance convergence. For more details on figures, trends, defenses and what to do if attacked, click here.