Today (January 27, 2021) was a BIG win for law enforcement in their efforts to combat cyber crime. U.S. and European law enforcement agencies announced today that through joint efforts and cooperation on “Operation Ladybird,” computer servers and the infrastructure that has been used by criminals behind Emotet to victimize individuals and organizations through phishing schemes and distributing vicious strains of ransomware such as Ryuk were seized and are now out of the control of the cyber criminals. Emotet has been described as a cybercrime-as-a-service program because it is a pay-per-install botnet.
According to reports, Emotet has been used by criminals to defraud victims of millions of dollars through extortion and data theft, and the U.S. Department of Homeland Security has estimated that it has cost U.S. state and local governments up to $1 million per incident following an Emotet infection. Investigators have estimated that more than one million Microsoft Windows systems are currently affected by Emotet infections, so the takedown is particularly important for those already infected systems.
According to Europol, “The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale.”
This win doesn’t mean that the criminals behind Emotet can’t rebuild and continue to wreak havoc in the future, but slowing them down a bit is helpful in combating cyber crime and protecting individuals’ and companies’ data.
Baltimore County Public Schools shut down Monday and Tuesday following a ransomware attack that paralyzed the school system’s network last week right before Thanksgiving.
According to the Baltimore Sun, officials described the event as a “catastrophic attack on our technology system.” The ransomware attack is reported to have hit the entire Baltimore County Public Schools’ network on Wednesday. The attack caused the 115,000 students who were solely remote learning to have an extended Thanksgiving weekend as schools were shut Monday and Tuesday and will resume on Wednesday.
When resuming school tomorrow, the District is advising students and staff that they can use Chromebooks, but not Windows-based devices while the investigation is ongoing. Students and staff are performing a series of security checks on system-issued devices and any students who need a new device or assistance can get assistance at their local public high school.
According to social media accounts, some teachers have surmised that the ransomware strain involved in the attack is Ryuk, which is well-known to have been involved in previous attacks against municipalities and school systems.
At the present time, the attack is being investigated and it is unknown whether or not any personal student or employee information was compromised.
On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”
According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so they can take timely precautions to protect their networks from the threat.
According to KrebsonSecurity, the threat is believed to stem from a Russian cybercriminal gang that may be deploying Ryuk ransomware to more than 400 health care facilities in the U.S. It appears the attack is planned to be coordinated in order to maximize disruption in the health care sector.
Hospitals are urged to confirm that patching of all known vulnerabilities has been completed. Mandiant Solutions has released a list of domains and Internet addresses that have been used by Ryuk in the past in order to assist hospitals with identifying known methods used to infiltrate systems.
Based upon these warnings, hospitals and health care providers may wish to consider prioritizing patching and blacklisting the known domains and Internet addresses used by Ryuk today.
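One way to put the second recommendation into practice, as an added example that is not from the post, from Mandiant, or from any of the agencies named: a small Python script that matches DNS and proxy log lines against a block list of domains and network ranges, flagging subdomains of a blocked domain while ignoring look-alike names that merely share a suffix. The indicator values and log lines are constructed placeholders in reserved documentation address ranges; a real deployment would load the vendor's published list in their place.

```python
"""Scan constructed DNS/proxy log lines against a domain/IP block list.

Added example, not code from the post or from Mandiant. The indicators below
are constructed placeholders (reserved documentation ranges and .test/.example
names), standing in for a vendor-supplied list such as the one the post mentions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Placeholder indicators: substitute the real vendor list at deployment time.
BLOCKED_DOMAINS = {"malicious-example.test", "bad-cdn.example"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, documentation only
    ipaddress.ip_network("198.51.100.7/32"),  # single host in TEST-NET-2
]

# Constructed log lines in a simple key=value format, one DNS or proxy event per line.
SAMPLE_LOG = """\
2020-10-28T09:12:01Z src=10.20.1.17 query=update.malicious-example.test answer=203.0.113.45
2020-10-28T09:12:03Z src=10.20.1.17 query=www.hospital-intranet.internal answer=10.20.5.2
2020-10-28T09:12:09Z src=10.20.1.44 query=notmalicious-example.test answer=192.0.2.10
2020-10-28T09:13:30Z src=10.20.2.8 dst=198.51.100.7 action=connect
2020-10-28T09:13:31Z src=10.20.2.8 dst=192.0.2.77 action=connect
"""

_KV = re.compile(r"(\w+)=(\S+)")


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.

    The dot is required before the blocked suffix so that
    'notmalicious-example.test' does not match 'malicious-example.test'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the blocked networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one hit record per line that touches a blocked domain or IP."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = dict(_KV.findall(line))
        reasons = []
        # Hostname fields are checked against the domain list, address fields
        # (resolved answers and connection destinations) against the networks.
        for key in ("query", "host"):
            if key in fields and domain_blocked(fields[key]):
                reasons.append(f"{key}={fields[key]}")
        for key in ("answer", "dst"):
            if key in fields and ip_blocked(fields[key]):
                reasons.append(f"{key}={fields[key]}")
        if reasons:
            hits.append({"src": fields.get("src"), "reasons": reasons, "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Running the script on the constructed sample reports two internal hosts: one that resolved a subdomain of a blocked name to a blocked address, and one that connected directly to a blocked address. Matching on resolved answers as well as queried names catches cases where the same infrastructure is reached through a name that is not yet on the list.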
Health care entities continue to face a barrage of attacks from cyber criminals, and it is widely reported that the health care industry is getting hit more frequently than any other industry. Ransomware is the name of the game for these attackers in all industries, including health care.
Unfortunately, what is being touted as one of the largest, if not the largest, ransomware attacks against a health care entity in 2020 occurred last week against Universal Health Services (UHS), a Fortune 500 company with more than 400 facilities in the U.S. and the United Kingdom. It is believed that the ransomware attack involved the Ryuk strain, which is linked to Russian cybercriminals.
Following the attack, which occurred over a weekend, UHS reportedly took all of its networks down and had to re-route some patients to other facilities. Since not all of UHS’s computers were able to be used, providers were forced to resort to paper. A ransomware attack such as this is extremely disruptive to patient care. Ransomware attacks are designed to be disruptive, and a disruption to life-or-death patient care is especially concerning.
UHS has publicly stated that no patient or employee data were compromised in the attack and it is using its contingent operations plan. This response demonstrates the importance of having a contingent operations plan in place and testing it to make sure it works.