Hostage data – another cybercrime threat.

May 19th, 2021 by Stephen Jones

Hostage Data

Ransomware continues to evolve with new threats. In a recent incident the data was not only encrypted but also exfiltrated to the criminals. Apple was targeted through a supplier, and the ransom note stated that without a payment the data would be auctioned off.

So it is not only the business disruption of being unable to access your data, but also the prospect of that data being released or sold, with whatever GDPR and other compliance consequences and costs follow.

While you may not work in an organization where data is worth millions of dollars, it is still worth a significant amount, especially when it is customer data. Make sure your data is already encrypted at rest, with the keys kept off the same machine, so that a copy of the files is useless to whoever takes it.

With SQL Server TDE, the certificate that protects each database's encryption key lives in the local master database. An attacker who controls the running instance, or who can take the data files together with that certificate (or a certificate backup left on the same box), can attach or restore the databases elsewhere and read them. The SMK and DMK that wrap the certificate are held on the same server and opened automatically by the instance, so they add little protection against someone who already has the box.
Always Encrypted helps, because the column master key is held outside SQL Server on the client side. But if the certificate is deployed to lots of servers or other machines on your network, someone who reaches any one of them may be able to collect the keys and read the data.
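The following T-SQL is an added example, not code from the original post, showing the TDE key hierarchy described above and the habit that limits the exposure: back the certificate up to media the database server cannot reach on its own, and check what is actually protecting each database. The database name, certificate name, UNC paths and passwords are placeholders.

```sql
-- Added example (not from the original post). TDE key hierarchy:
-- SMK (instance, DPAPI) -> DMK (master) -> certificate (master) -> DEK (user database).
-- Everything above the DEK lives in master on the same server.
USE master;
GO
-- 1. Database master key in master, protected by a password and (automatically) by the SMK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Str0ng!DMK-Passw0rd';   -- placeholder
GO
-- 2. The certificate whose private key protects every TDE-encrypted database on this instance.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. The database encryption key lives inside the user database, wrapped by the certificate.
USE SalesDB;                                                          -- placeholder database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 4. Back up the certificate and its private key straight away, to a location the
--    server itself cannot browse. Without it you cannot restore SalesDB anywhere else;
--    with it sitting in the same folder as the data files, a thief has everything.
USE master;
GO
BACKUP CERTIFICATE TDE_Cert
    TO FILE = '\\offline-vault\tde\TDE_Cert.cer'                     -- placeholder path
    WITH PRIVATE KEY (
        FILE = '\\offline-vault\tde\TDE_Cert.pvk',                   -- placeholder path
        ENCRYPTION BY PASSWORD = 'Str0ng!PVK-Passw0rd');             -- placeholder
GO
-- 5. Verify: encryption_state 3 = encrypted. The join shows that the protecting
--    certificate (and its private key) sits in master on this very instance.
SELECT DB_NAME(k.database_id)       AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       c.name                        AS protecting_certificate,
       c.pvt_key_encryption_type_desc
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
```

TDE defends the files and backups at rest, which is exactly the "copied back to the criminals" scenario above, but only while the certificate is not taken with them. It does nothing against an attacker who is sysadmin on the running instance, because the server decrypts transparently for every authorized query.

The next block, also an added example rather than the post's own code, does the equivalent check for Always Encrypted: it records a column master key that points at a client-side certificate store and then lists every key and column that depends on it. The key path, thumbprint and database name are placeholders; the column encryption key value itself must be generated by a client tool such as SSMS, since the server never sees the column master key.

```sql
-- Added example (not from the original post). Always Encrypted keeps the column
-- master key (CMK) outside SQL Server; the database stores only where it is and
-- the column encryption keys (CEKs) wrapped by it.
USE SalesDB;                                                          -- placeholder database
GO
-- CMK metadata only: a pointer to a certificate in the *client's* Windows certificate
-- store. Every machine that must decrypt these columns needs this certificate and its
-- private key, which is the exposure the post describes when it is spread across many hosts.
CREATE COLUMN MASTER KEY CMK_Sales
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3'   -- placeholder thumbprint
);
GO
-- Inventory: which CMKs exist, where they live, and which CEKs and columns hang off them.
-- Use this to count how many clients really need the certificate, and to spot CMKs
-- that still point at a per-machine store rather than a key vault or HSM.
SELECT cmk.name                        AS column_master_key,
       cmk.key_store_provider_name,
       cmk.key_path,
       cek.name                        AS column_encryption_key,
       cekv.encryption_algorithm_name  AS cek_wrapping_algorithm,
       OBJECT_SCHEMA_NAME(c.object_id) + '.' + OBJECT_NAME(c.object_id) + '.' + c.name
                                       AS protected_column,
       c.encryption_type_desc
FROM sys.column_master_keys          AS cmk
JOIN sys.column_encryption_key_values AS cekv
       ON cekv.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys      AS cek
       ON cek.column_encryption_key_id = cekv.column_encryption_key_id
LEFT JOIN sys.columns                AS c
       ON c.column_encryption_key_id = cek.column_encryption_key_id
ORDER BY cmk.name, cek.name;
```

Run on a fresh database the inventory returns only the CMK row with no CEK or column joined to it; on a production database it tells you which key path each encrypted column ultimately depends on, and therefore which hosts you have to treat as holding the keys.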

Attacks are becoming more numerous and more creative. Backups might protect against some ransomware, but not when copies of your files have been sent to the criminals. So consider whether the access you allow from servers to the outside world needs to be more restricted. It is a challenge for administrators, but one they have to meet to protect their systems.

A cyber-criminal gang that took a major US fuel pipeline offline over the weekend acknowledged the incident in a public statement. “Our goal is to make money and not creating problems for society,” DarkSide wrote on its website.

The US issued an emergency declaration on Sunday after Colonial Pipeline was hit by a ransomware cyber-attack. The pipeline carries 2.5 million barrels a day, 45% of the East Coast's supply of diesel, petrol and jet fuel. The operator took itself offline on Friday after the attack.

A number of cyber-security researchers speculated that the cyber-criminal gang could be Russian, because its software avoids encrypting any computer systems where the language is set to Russian.

The incident highlights the risk ransomware can pose to critical national industrial infrastructure, not just businesses.

In addition to a notice on their computer screens, victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted. The gang lists all the types of data it has stolen, and sends victims the URL of a “personal leak page” where the data is already loaded, waiting to be automatically published, should the company or organisation not pay before the deadline is up. DarkSide also tells victims it will provide proof of the data it has obtained, and is prepared to delete all of it from the victim’s network.

It has a website on the dark web where it lists all the companies it has hacked and what was stolen, and an "ethics" page where it says which organisations it will not attack. DarkSide also works with "access brokers", hackers who harvest the login details for as many working user accounts on various services as they can find. Rather than break into the accounts and alert users or the service providers, these brokers sit on the usernames and passwords and sell them to the highest bidders, cyber-criminal gangs who want to use them to carry out much larger crimes.

According to Digital Shadows, a London-based cyber-security firm, DarkSide operates like a business. DarkSide might have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop. The gang is likely to be based in a Russian-speaking country, as it avoids attacking companies in post-Soviet states including Russia, Ukraine, Belarus, Georgia, Armenia, Moldova, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan.

Damages related to cybercrime are set to hit $6 trillion according to Cybersecurity. Security experts now estimate that a cyberattack costs a business $1.6 million to recover from. Even scarier: in 2019 the average time it took to identify a breach was 7 months, according to IBM. According to the FBI, an average of 4,000 ransomware incidents occur daily at an annual cost of $1 billion.

In 2019, following a ransomware attack, the US city of Baltimore estimated its impact at more than $18 million, a much higher cost than the approximately $70,000 ransom, which the city refused to pay.

The arms race between the sysadmins who protect infrastructure and the criminals who attack it has taken yet another leap forward.
