The Center for Internet Security (CIS) announced last week that it has launched the Malicious Domain Blocking and Reporting (MDBR) service to help U.S.-based private hospitals defend against ransomware and other cyber-attacks, at no cost. CIS, a not-for-profit entity, “is fully funding this for private hospitals at no cost, and with no strings attached, because it’s the right thing to do, and no one else is doing it at scale.” According to the announcement, the product is designed as a ransomware protection service and a “no-cost cyber defense for U.S. hospitals.”

CIS teamed up with Akamai to offer its Enterprise Threat Protector software to proactively identify, block and mitigate targeted ransomware threats. The service was, and remains, available to public hospitals and health departments through the Multi-State Information Sharing and Analysis Center (MS-ISAC), and according to CIS, over 1,000 government entities have used the product through MS-ISAC. To date, MDBR has blocked almost 750 million requests for access to malicious domains. When an organization uses MDBR, each domain lookup from its network is checked against a database of known and suspected malicious domains, and “attempts to access known malicious domains associated with malware, phishing, ransomware, and other cyber threats will be blocked and logged.” The logged data are then analyzed, aggregated reporting is made available for the benefit of the hospital community, and remediation assistance is provided as appropriate.
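To make the block-and-log step concrete, here is an added Python model of a protective-DNS check of the kind described above. It is illustrative code written for this page, not CIS’s or Akamai’s software: each lookup is matched against a blocklist (including parent domains, so a subdomain of a listed domain is caught), blocked names get a sinkhole answer and a log entry, and the log is aggregated into a report. The blocklist, client addresses, upstream answers and sinkhole address are all constructed assumptions.

```python
"""Added example: a minimal protective-DNS resolver in the style of the
malicious-domain blocking service described above.  Not CIS's or Akamai's
code; the blocklist, client addresses, upstream answers and sinkhole address
are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass, field

SINKHOLE_IP = "0.0.0.0"  # assumed answer returned for blocked names


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.' == 'evil.example'."""
    return name.strip().rstrip(".").lower()


@dataclass
class ProtectiveResolver:
    blocklist: dict                     # domain -> threat category
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.blocklist = {normalize(k): v for k, v in self.blocklist.items()}

    def match(self, name: str):
        """Return (blocklist entry, category) if the name or any parent domain
        is listed.  Walking the labels catches cdn.evil.example via evil.example
        without a substring test that would also wrongly hit notevil.example."""
        labels = normalize(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocklist:
                return candidate, self.blocklist[candidate]
        return None, None

    def resolve(self, client: str, name: str, upstream) -> dict:
        """Sinkhole and log a blocked name; otherwise forward to the upstream resolver."""
        entry, category = self.match(name)
        if entry is not None:
            self.log.append({"client": client, "query": normalize(name),
                             "matched": entry, "category": category})
            return {"name": name, "answer": SINKHOLE_IP, "blocked": True}
        return {"name": name, "answer": upstream(name), "blocked": False}

    def report(self) -> dict:
        """Aggregate the block log the way a fleet-wide summary would."""
        return {
            "blocked_total": len(self.log),
            "by_category": dict(Counter(e["category"] for e in self.log)),
            "by_client": dict(Counter(e["client"] for e in self.log)),
        }


# Constructed sample data.
BLOCKLIST = {
    "evil.example": "ransomware-c2",
    "login-update.example": "phishing",
}
UPSTREAM_ANSWERS = {"intranet.hospital.example": "10.0.0.5"}
SAMPLE_QUERIES = [
    ("10.1.1.20", "intranet.hospital.example"),
    ("10.1.1.20", "cdn.evil.example."),       # subdomain of a listed domain
    ("10.1.1.31", "LOGIN-UPDATE.EXAMPLE"),    # case differs from the list
    ("10.1.1.31", "notevil.example"),         # must not match evil.example
    ("10.1.1.20", "evil.example"),
]


def fake_upstream(name: str) -> str:
    """Stand-in for the recursive resolver a passed-through query would reach."""
    return UPSTREAM_ANSWERS.get(normalize(name), "NXDOMAIN")


def run_demo():
    resolver = ProtectiveResolver(dict(BLOCKLIST))
    answers = [resolver.resolve(c, q, fake_upstream) for c, q in SAMPLE_QUERIES]
    return answers, resolver.report()


if __name__ == "__main__":
    answers, summary = run_demo()
    for a in answers:
        print(("BLOCKED " if a["blocked"] else "allowed ") + a["name"] + " -> " + a["answer"])
    print(summary)
```

The one design point worth noting is the parent-label walk in `match`: a naive `name.endswith("evil.example")` check would also block `notevil.example`, while an exact-match check would miss `cdn.evil.example`. Real services also need to handle the sinkhole answer for mail, IPv6 and wildcard records, which this sketch leaves out.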

CIS is now offering the service for free not only to public entities and governmental agencies, but to private hospitals, multi-hospital systems, integrated health systems, post-acute facilities and specialty hospitals. Sounds like a great opportunity for hospitals and facilities to add another tool in their toolboxes to combat ransomware and other cyber-attacks. For more information and to sign up, the CIS website is available here.

Becker’s Health IT reports that two batches of sensitive information of Chatham County, N.C. residents have been posted on both the dark web and the open web by the ransomware group DoppelPaymer, and that the files have been accessed more than 30,000 times.

DoppelPaymer obtained the information during a cyber-attack on the County’s systems on October 28, 2020. The group then uploaded the files on November 4, 2020, and again in late January. The posting of information like this usually happens when a victim of ransomware refuses to pay the ransom demand.

The information contained in the files included “medical evaluations of children from neglect cases, personnel records of some employees and documents related to ongoing investigations with the Chatham County Sheriff’s office.”

Chatham County is working to determine its obligations “to ensure we respond in the most appropriate manner possible.”

Two anonymous patients being treated by fertility clinics operated by US Fertility LLC are suing the company following notification that their information may have been compromised in a ransomware attack that affected US Fertility servers and workstations. 

On January 8, 2021, US Fertility notified patients of the incident that allegedly compromised patients’ names, Social Security numbers, financial information, health insurance information and medical information. According to the lawsuit, the incident took place between August 12 and September 14, 2020.

The patients allege that US Fertility did not use reasonable security procedures and practices to protect the information, and they seek to represent those who were affected by the incident. The plaintiffs seek damages, attorneys’ fees and costs and are requesting that all patients’ personal information and protected health information be destroyed unless US Fertility can demonstrate why it should retain the information.

Today (January 27, 2021) was a BIG win for law enforcement in their efforts to combat cyber crime. U.S. and European law enforcement agencies announced today that, through joint efforts and cooperation on “Operation Ladybird,” they seized the servers and infrastructure that the criminals behind Emotet used to victimize individuals and organizations through phishing schemes and to distribute vicious strains of ransomware such as Ryuk; that infrastructure is now out of the cyber criminals’ control. Emotet has been described as a cybercrime-as-a-service program because it is a pay-per-install botnet.

According to reports, Emotet has been used by criminals to defraud victims of millions of dollars through extortion and data theft, and the U.S. Department of Homeland Security has estimated that it has cost U.S. state and local governments up to $1 million per incident following an Emotet infection. Investigators have estimated that more than one million Microsoft Windows systems are currently affected by Emotet infections, so the takedown is particularly important for those already-infected systems.

According to Europol, “The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale.”

This win doesn’t mean that the criminals behind Emotet can’t rebuild and continue to wreak havoc in the future, but slowing them down a bit helps in combating cyber crime and protecting the data of individuals and companies.

Canon U.S.A. Inc. (Canon) was hit with a class action lawsuit in the U.S. District Court for the Eastern District of New York this week over a ransomware attack that exposed current and former employees’ personal information, which Canon disclosed in November 2020. The plaintiffs reside in Ohio, New York, Florida and Illinois, and allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.

The attack on Canon occurred in August 2020 and affected current and former employees from 2005 to 2020, as well as their beneficiaries and dependents. The information affected included Social Security numbers, driver’s license numbers, financial account numbers, electronic signatures, and dates of birth. The plaintiffs are seeking certification of a nationwide class.

The SolarWinds cyber-attack is on everyone’s mind this week, given that most experts believe this cyber-attack will have broad impact across both the public and private sectors. For more details about the SolarWinds attack, please read this. The sheer breadth of this attack led me to reflect on the role of cyber-liability insurance for businesses and why it is critical to understand key policy terms, coverage, exclusions, retention amounts and deductibles.

The initial work begins for businesses when they are selecting the appropriate cyber-liability insurance coverage. It is critical to think about the type of business it is and the nature of the data it possesses. Does the business handle protected health information, social security numbers, sensitive personal information, or biometric data? If so, these are some of the highest risk types of data that need protection. It is important to align risk with policy coverage and limits.

While there is no “standard” cyber-liability insurance policy, most policies provide coverage for financial losses as a result of a data breach or other unauthorized access or disclosure of personal or protected health information. Data breaches are not the only way a business can be damaged in a cyber-attack, however. Some insurance companies offer additional endorsements or specific policy provisions and coverage for losses caused by other means, such as social engineering (e.g., a loss caused by phishing), specific coverage for credit card losses, denial-of-service attacks, and ransomware. As we have noted many times in this blog, ransomware is probably one of the biggest threats to businesses today. Will the policy pay ransomware costs?

It also is important to determine whether the policy covers costs associated with breach response, including forensic and legal costs. Cyber policies typically cover breach response costs as first-party losses, which are direct financial losses to your business, whereas third-party losses are those claimed by others, e.g., vendors, clients, or customers who claim injury as a result of the data breach. The bottom line is to always check with your broker and read the policy language carefully to determine what is covered. It is just as important to understand the exclusions in a policy.

Coverage and retention amounts also are important, as the cost of a data breach can be very high, depending upon how many people are affected, the type of data breached, the number of regulated entities to be notified, the amount of forensic and legal costs, and whether call center and credit-monitoring services are offered. Sometimes a $50,000 coverage amount for social engineering fraud simply will not be sufficient to cover all of these expenses.

If your business is hit with a cyber-attack, it is important to understand the obligations in the policy as you notify your broker and the insurance company. Policies typically have notice provisions that apply even if you are still gathering all of the facts. Timing matters, so before retaining experts for remediation you may need to notify the insurance company of the claim or potential claim. Many policies have a breach response team ready to assist you. If you want to retain your own legal counsel or other experts to assist in your response, you will likely need the insurance company’s approval. Once the breach response experts are in place, they will guide your business through all of the necessary steps with respect to remediation, breach notification to regulators and affected individuals, call center activation, and credit monitoring.

Cyber criminals are taking advantage of the increase in online holiday shopping due to the pandemic. They know people are buying gifts online and sending the packages to the recipients. Often, the recipients do not know they are receiving a gift as it is intended to be a surprise. 

Cyber criminals have stepped up their attempts to infiltrate personal devices and company systems through phishing emails and texts that spoof well-known carriers, such as UPS and FedEx. The email or text looks like a real communication from UPS or FedEx as it includes the company logo and tells the recipient that a package is on its way, but that the user needs to either update their delivery preferences or can check the delivery status by “clicking here.” It’s that “clicking here” instruction that dupes users into clicking on the link (even when they know they shouldn’t), which then infects their device or the system with malware or ransomware. 
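To show what a mail filter, or a cautious recipient, can actually check in such a lure, here is an added Python example; it is not code from the blog, UPS or FedEx. It pulls every link out of an HTML message, determines which carrier brand the message invokes, and flags links whose host is not under that brand’s own domain, as well as visible URLs that differ from the real link target. The brand domain lists and the three sample messages are assumptions constructed for the example.

```python
"""Added example: flag carrier-themed "click here" lures by checking where
their links really go.  Not code from UPS, FedEx or the original post; the
brand domain lists and sample messages below are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains per impersonated brand.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain: a label boundary is
    required, so 'ups.com.delivery-update.example' does not pass for 'ups.com'."""
    return host == domain or host.endswith("." + domain)


def analyze(html_body: str) -> dict:
    p = _LinkExtractor()
    p.feed(html_body)
    body = " ".join(p.text).lower()
    # Whole-word match so 'groups' does not count as a UPS reference.
    brands = [b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", body)]
    findings = []
    for href, label in p.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue
        host = host_of(href)
        for brand in brands:
            if not any(under_domain(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append({"href": href, "label": label, "brand": brand,
                                 "reason": "link host not in brand domains"})
        # A visible URL that differs from the real target is a classic lure.
        if label.lower().startswith(("http://", "https://", "www.")):
            shown = host_of(label if "://" in label else "http://" + label)
            if shown and shown != host:
                findings.append({"href": href, "label": label, "brand": None,
                                 "reason": "displayed URL differs from target"})
    return {"brands": brands, "links": p.links, "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample messages (not real UPS/FedEx mail).
PHISH_SAMPLE = """<html><body>
<img src="http://ups.com.delivery-update.example/logo.png" alt="UPS">
<p>UPS: your package is on its way. Please
<a href="http://ups.com.delivery-update.example/track?id=1Z999">click here</a>
to update your delivery preferences.</p></body></html>"""

MISMATCH_SAMPLE = """<html><body><p>UPS delivery notice: check status at
<a href="http://tracking-portal.example/x">https://www.ups.com/track</a></p>
</body></html>"""

LEGIT_SAMPLE = """<html><body><p>FedEx: your shipment is in transit. Track it at
<a href="https://www.fedex.com/fedextrack/?trknbr=748">www.fedex.com</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, msg in [("phish", PHISH_SAMPLE), ("mismatch", MISMATCH_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        r = analyze(msg)
        print(name, "suspicious" if r["suspicious"] else "clean", r["findings"])
```

The first sample is the common trick of putting the real brand at the front of a hostname the attacker controls (`ups.com.delivery-update.example`); it is caught only because `under_domain` insists on a label boundary rather than a substring match. The second sample shows a displayed URL that does not match the `href`, which is exactly what hovering over the link reveals to a careful user.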

We all love to get presents and packages. If you are sending a package or gift to someone, let them know that it is on the way. If you receive a message from a carrier that you weren’t expecting, be cautious and wicked paranoid about clicking on any links or attachments, just as you should with any other suspicious email or text.

Brazilian aircraft manufacturer Embraer’s data has reportedly been uploaded to a dark web site run by the ransomware group RansomExx (a/k/a Defray 777) after Embraer reportedly refused to pay a ransom following a ransomware attack last month.

According to ZDNet, the hackers uploaded company files containing “samples of employee details, business contracts, photos of flight simulations, and source code, among others.”

Leaking the data and making it publicly accessible, or sometimes selling it at auction, is designed to pressure the company into paying the ransom: to avoid legal obligations and regulatory fines or penalties, or to keep confidential data out of the hands of competitors and adversaries who could use it against the company.

It stands to reason that cyber-attacks have risen during the pandemic, and there is anecdotal evidence, including our own experience, that they have. An interesting new report recently released by Allianz, which provides cyber-liability insurance products, adds some data to that picture.

According to the report, “While the COVID-19 outbreak cannot be said to be a direct cause of cyber-related claims, exposures have been rising during the pandemic, particularly with regards to ransomware and business email compromise incidents, given the increase in remote working and the likelihood that security safeguards may not be as robust in the home office.”

The report analyzes the cause of loss by value of claims and by number of claims, covering 1,736 claims worth $770 million from 2015-2020. The analysis shows that external manipulation of computer systems (i.e., DDoS or phishing/malware/ransomware) is the most expensive, “but the analysis also shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generator of claims.”

The report also states that “Whether it results from an external cyber-attack, human error or a technical failure, business interruption is the main cost driver behind cyber claims. It accounts for around 60% of the value of all claims analyzed with the costs associated with dealing with data breaches ranking second.”

The number one threat cited in the report is “Laxer Security Post COVID-19 Heightens Cyber Risk.” Since the migration to working from home, the report states that “malware and ransomware incidents have already increased by more than a third, at the same time as a 50%+ increase in phishing, scams, and fraud, according to international police body, INTERPOL.”

The report further reinforces the need for companies to address the increased risk that accompanies a remote workforce, employee education and engagement, and providing employees with tools to protect themselves and their employer’s data. As the report aptly states: “Employers and employees must work together to raise awareness and increase cyber resilience in the home office set up.”

Three recent events are prompting me to update our previous blog post on the difficult decision of whether or not to pay a ransom following a ransomware attack [view related post].

The first event is that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries “with a sanctions nexus,” the funds could be used “to fund activities adverse to the national security and foreign policy objectives of the United States.” Therefore, companies, or vendors acting on their behalf, who pay a ransom to a sanctioned individual, entity or government are at risk of civil penalties under OFAC’s sanctions regulations, which OFAC may impose on a strict-liability basis. The Financial Crimes Enforcement Network (FinCEN) issued a companion advisory the same day addressing the obligations of financial institutions and other payment facilitators.

The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or destruction of data. For more on the OFAC Advisory, click here.

The second event was a recent thoughtful analysis on this subject matter by KrebsonSecurity, entitled “Why Paying to Delete Stolen Data is Bonkers.” Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes from the Report “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”

Krebs further notes that ransomware victims who pay for the decryption key are relying on hope that the keys will work, which is not always the case.

The final event is that there is growing anecdotal evidence that Ransomware as a Service (RaaS) operators, usually less sophisticated than the big boys, are engaging in double extortion scams against their victims (the term is more often used for the combination of encryption and data theft; what is described here is a second round of extortion after payment). This means that if you have made the business decision to pay the ransom for either the decryption keys or the destruction of data, and the operators have agreed to a negotiated amount and to hold up their part of the bargain, they then refuse to give you the key or the confirmation of destruction until you pay more. This behavior is inconsistent with the general business model of ransomware, in which attackers return what has been ransomed after payment so that future victims can be assured that if they pay, they will get their keys or their data back. This new phenomenon provides a strong argument (in addition to the ones above) to refrain from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. Attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of the attack, you just don’t know who you are dealing with, so weighing these risks is challenging at best.