Coveware issued its Q1 2021 Ransomware Report on April 26, 2021, which concludes that “[D]ata exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data.”

The Report states that the average ransom payment increased 43 percent from $154,108 in Q4 2020 to $220,000 in Q1 2021, and the median payment in Q1 2021 increased from $49,450 to $78,398, a 58 percent increase. According to Coveware, the activity by CloP in Q1 2021 was “extremely active.”

Seventy-seven percent of all threats included the threat to leak exfiltrated data, which was an increase of 10 percent from Q4 2020. Sodinokibi continued to dominate the market share as a ransom type at 14.2 percent, followed by Conti V2, Lockbit, CloP, Egregor, Avaddon, Ryuk, Darkside, Suncrypt, Netwalker, and Phobos. Of these, Egregor has sunset its operations, and Netwalker was dismantled by law enforcement.

The top vectors for attacks included remote desktop protocol compromise, “phishing emails that install credential stealing malware,” software vulnerability, and vulnerabilities in VPN appliances.

State and local governments have been hammered with business email compromise (BEC) attacks over the past few years and the onslaught does not appear to be abating.

Last week, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification to state, local, tribal, and territorial governments that they are being targeted by BEC attackers. The FBI noted that it is seeing an increase in these attacks, which have caused losses ranging between $10,000 and $4 million.

According to the FBI, state and local governments are low hanging fruit that scammers target because they have inadequate resources and cybersecurity controls. The FBI cites two risks as contributing to these attacks: the move to remote working and the failure to provide sufficient training to the workforce.

The FBI urged all members of the workforce to receive security awareness training, to learn how BEC attacks occur, and how to spot phishing and fraudulent emails. The FBI further suggested that additional measures for state and local governments to adopt include multi-factor authentication on email accounts, blocking automatic email forwarding, monitoring email Exchange servers for configuration changes, enabling alerts for suspicious activity (including foreign IP address logins), adding banners from external sources, and using filtering service (spam filter) as well as internal phishing tests. The FBI Alert is worth a read and can be accessed here.

The California State Controller’s Office (SCO) was recently a victim of phishing. According to its website, an employee of the SCO’s Unclaimed Property Division clicked on a link in an email, entered their user ID and password, and unknowingly provided a hacker with access to the email account. According to the website, “SCO has reason to believe the compromised email account had personally identifying information contained in Unclaimed Property Holder Reports. The unauthorized user also sent potentially malicious emails to some of the SCO employee’s contacts.”

The SCO was in the process of notifying individuals who either received one of the malicious emails or may have had their information potentially exposed. SCO recommended these individuals place a fraud alert on their accounts with the three major credit bureaus. We have said many times that organizations must be vigilant in training employees not to click on links in emails, particularly when being asked to input user credentials and log in information. Given the fact that the SCO in California oversees disbursements for what California State Controller Betty T. Yee has called the fifth largest economy in the world, this attack could have been much worse.

The statistic that cybercriminals have been unleashing 18 million phishing emails laced with malware on a daily basis into cyberspace during the pandemic is mind boggling and one that executives should pay attention to when prioritizing resources for user education. Math was never my strongest subject, but the math of 18 million malicious emails targeted at all of us on a daily basis is a LOT.

A new study rolled out by Google, in collaboration with researchers at Stanford University, studied over a billion malicious emails and targets that Google had identified and blocked over a period of five months, to get more intelligence about who was being targeted and how the campaigns were targeting users. The study found that users in the U.S. were targeted more than any others in the world, followed by the United Kingdom and Japan.

The study found that the most effective phishing scams were fast and short lived, lasting one to three days. They found that over 100 million malicious emails were launched in these short time frames. In addition, they found that if a user’s email address or personal information had been previously compromised, they were five times more likely to be targeted by a phishing scheme. The study also concluded that users aged 55 to 64 were 1.64 times more likely to be targeted by cybercriminals than 18-24 year olds.

The statistic is astounding, but the results of the analysis are very informative for businesses. The take away is that the number of phishing schemes continue to rise, user education continues to be essential in protecting company data against these schemes, and education is particularly important depending on users’ age.

Binary Check Ad Blocker Security News

Those of us who are not health care workers, essential workers or the highest-priority cohort in our state to receive the COVID-19 vaccine are patiently awaiting our turn. We are anxious to receive the vaccine for our personal safety and health, while monitoring complaints about vaccine rollouts in different states.

As we have reported before, criminals and fraudsters prey on unsuspecting victims who have been anxious (understandably so) about many different issues that have arisen since the beginning of the pandemic, including their jobs, the infection rate of COVID-19, the prevalence of COVID-19 in their community, obtaining relief through funds from the state or federal government, and unemployment payments.

The pandemic has been used by fraudsters and scammers to attempt to obtain personal information or money from victims. These scams have included phishing schemes, telephone schemes and the introduction of malware and ransomware into networks and systems to obtain personal information or money under false pretenses.

With the development and rollout of COVID-19 vaccines, the fraudsters and scammers continue to prey on the uncertainty and anxiety of individuals in figuring out how and when they will be vaccinated. Each state has its own rollout plan, and these plans frequently change depending on the number of allocated vaccines and how they will be distributed and administered. Unfortunately, whenever there is confusion in communication, fraudsters and scammers are at their best.

It has been widely reported that there has been an increase in attempted fraud by criminals around COVID-19 vaccinations. These schemes include emails and telephone calls to individuals providing them with information about how they can get vaccinated in advance of their scheduled time. Fake websites are set up for appointments where the criminals request individuals to input their personal information, including their name, date of birth, address and Social Security number, in order to secure a vaccination time slot.

In addition, there are some reports about a black market springing up around COVID-19 vaccinations and that scammers are luring victims to pay for vaccinations with the promise that, if they pay, they can jump the line to receive it. Unfortunately, it is very tempting, and many people are falling for it.

It has become such a problem that the Federal Trade Commission (FTC) has provided a warning and guidance to consumers about these widespread scams and how to protect oneself from them. The most basic tip is not to provide your personal, financial or health information to anyone who texts, calls or emails you regarding a COVID-19 vaccination. The FTC confirms in its warning that no legitimate healthcare site, provider or other entity that is distributing and administering vaccines will ask for this information in order for you to sign up for a vaccination when it is your turn.

As we have reported before, be very vigilant about requests to click on any links or attachments or to provide any personal information in the context of COVID-19, including around the vaccine or getting vaccinated. For more information, visit the FTC’s guidance here.

The U.S. Attorney’s Office for the District of Massachusetts is warning small businesses that received loans through the Paycheck Protection Program (PPP) of a dramatic increase in reports of business email-compromise schemes related to the program. Scammers are using information about PPP recipients posted by the Small Business Administration (SBA) to impersonate PPP lenders requesting additional information about PPP loan applications or loan forgiveness.

In July 2020, the SBA published information about PPP loan recipients, which included business names and addresses for loans greater than $150,000. In December 2020, the SBA released the exact loan amounts for more than 600,000 small businesses and nonprofit organizations that received at least $150,000 in loans. The published data also included the names of entities receiving less than $150,000, which represent about 87 percent of the total number of loans in the program, as well as the name of the lender and distribution date for each loan.

Scammers are using this publicly-available information to send phishing emails to PPP loan recipients, impersonating the recipients’ PPP lenders to request sensitive information, such as email addresses and passwords, Social Security numbers, and financial information. This information could be used to gain access to a business’s computer network to compromise confidential information or for identity theft.

Recipients of PPP loans should carefully review the headers of emails that appear to come from their PPP lenders to ensure that the domain of the sender’s email address matches the domain of other emails received from the lender. They also should use common sense to question whether the lender is likely to be contacting the recipient at that particular time (e.g., in response to an application or loan forgiveness), or whether the timing appears to be unconnected to other communications with the lender. Recipients should not respond to, or click any links, in any suspicious emails; recipients may want to call their lenders if they believe the content or timing of an email is suspicious.

Suspected criminal activity may be reported to the Department of Justice’s National Center for Disaster Fraud at https://www.justice.gov/disaster-fraud.

2020 will go down as one of the most stressful in my career as a cybersecurity professional. I have been working in this area of law full time since 2003. So that says a lot.

On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients with security incidents, ransomware extortions, data security in migrating from on premises to work from home, and keeping employees educated and vigilant. Indeed, it has been difficult and exhausting. And I’m just the lawyer.

Your IT professionals have been through HELL this year. They are working beyond capacity, with limited resources, trying to keep organizations safe from highly sophisticated hackers and nation states, including Russia and China. They are doing their very best to find the right tools to keep the bad guys out of networks and systems, at the same time trying to get their users not to click on links, attachments or phishing emails. They are getting attacked from within and without. It is a war for them every day.

Give them some love. A thank you goes a long way. Our IT professionals are losing sleep every night, working long hours, keeping our data safe, and dealing with attacks that you can’t even begin to fathom.

They battle for us in the background, on the front line, and never get any credit for how important their job is to our ability to do our job.

So this holiday season, take a little time and reach out to your IT professionals and say “Thank you.” They deserve a ton of credit and LOVE from all of us.

Although it is logical that cyber-attacks have risen during the pandemic, and there is anecdotal evidence that it is occurring, including our own experience, an interesting new report was recently released by Allianz, which provides cyber-liability insurance products.

According to the report, “While the COVID-19 outbreak cannot be said to be a direct cause of cyber-related claims, exposures have been rising during the pandemic, particularly with regards to ransomware and business email compromise incidents, given the increase in remote working and the likelihood that security safeguards may not be as robust in the home office.”

The report analyzes the cause of loss by value of claims and the number of claims, finding 1,736 claims worth $770 million from 2015-2020. The analysis shows that external manipulation of computer systems (i.e., DDOS or phishing/malware/ransomware) is the most expensive, “but the analysis also shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generator of claims.”

The report also states that “Whether it results from an external cyber-attack, human error or a technical failure, business interruption is the main cost driver behind cyber claims. It accounts for around 60% of the value of all claims analyzed with the costs associated with dealing with data breaches ranking second.”

The number one threat cited in the report is “Laxer Security Post COVID-19 Heightens Cyber Risk.” Since the migration to working from home, the report states that “malware and ransomware incidents have already increased by more than a third, at the same time as a 50%+ increase in phishing, scams, and fraud, according to international police body, INTERPOL.”

The report further reinforces the need for companies to address the increased risk that accompanies a remote workforce, employee education and engagement, and providing employees with tools to protect themselves and their employer’s data. As the report aptly states: “Employers and employees must work together to raise awareness and increase cyber resilience in the home office set up.”

Binary Check Ad Blocker Security News

We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.

The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.

The Report confirms what we are seeing in the field, and confirms how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining others. Maze wreaked havoc last year, when it started exfiltrating data from victims before it dropped the ransomware and then threatened to publish the data if the company didn’t pay.

The Report is a must read, but here are some highlights (depressing as they are):

  • There is no guarantee that if you pay the ransom to delete data that they will actually delete it or that they will not come after you again. (They are criminals, after all). In Q3, exfiltration of data before the introduction of ransomware doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
  • Although Maze is allegedly out of business, others have copied its tactics forexfiltrating data, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to have inherited Maze. Sodinokibi has re-extorted victims after they have paid the ransom.
  • Some gangs provide fake proof that they have your data to get you to pay.
  • There is no guarantee that the exfiltrated data will not be sold to other groups.
  • Ransom demands are increasing.
  • The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
  • Wasted, Nephilim and Avvadon made it into the top 10 list of market share of ransomware variants.
  • More than 50 percent of all attacks are successful through attacks on Remote Desktop Protocols (RDP). Coveware sees this method of attack as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP connections.
  • Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
  • The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
  • The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
  • Ransomware is a disproportionate problem for small and medium-sized businesses—those with a median of 168 employees—which is up 68 percent from Q2 2020.
  • Most victims of ransomware have less than $50 million dollars in annual revenue.
  • Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
  • The average number of downtime days of victimized businesses is 19 days.

These statistics are ones to pay close attention to and use when determining risk management priorities. It is clear from the Report that addressing RDP and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in the use of RDP is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”

As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.

Criminals are apparently not taking any time off during this pandemic, and in fact by all accounts have increased their attacks, particularly targeting entities whose attention is diverted to dealing with the fallout of the Covid-19 crisis. In particular, educational institutions across the country have faced a recent onslaught of ransomware attacks, often crippling an already vulnerable infrastructure just as classes were set to resume. Check Point Research recently published a report advising that cyber-attacks targeting academic institutions increased 30 percent between July and August (with upwards of 600 attacks per week). Although the research does not reveal why the surge occurred, it is likely not a coincidence that Covid-19 has compelled schools to utilize and vastly expand the use of new and unfamiliar technologies that allow remote learning, which in turn may have opened up new opportunities for cybercriminals to attack. In addition, although financial resources were spent on acquiring new technologies, the same expenditures were not necessarily invested in associated security. Often times cyber-attacks start with a phishing-email, that once opened allows cybercriminals to gain access to an organization’s infrastructure over time. As attention has been diverted to dealing with emergency Covid-19 issues, organizations have less resources focused on cyber-attacks. Accordingly, as the Covid-19 emergency persists, educational institutions must be sure not lose focus on monitoring cyber-attacks. Failing to expend the additional resources on cybersecurity prevention and monitoring, could very likely cost the school significantly more in the long run.