ransomware

(ISC)2 Offering Free Ransomware Training Until July 31, 2021

If you’re a regular visitor to roguesecurity.ca then you’ve probably heard of (ISC)2. (ISC)2 is an international, non-profit organization that provides certifications, networking, and continuing education for security professionals, and it is responsible for some of the most popular certifications in the information security industry, including the CISSP (Certified Information Systems Security Professional).

Until July 31st, 2021, (ISC)2 is offering its Ransomware: Identify, Protect, Detect, Recover course completely free to the general public, not just to members. (ISC)2 courses are always free to members; for non-members, complete access to all Professional Development Institute (PDI) courses normally costs $649 USD per year.

Ransomware: Identify, Protect, Detect, Recover is a 2-hour course featuring over 40 security expert instructors. Those who successfully complete the course can claim a 25% discount on future training.

During this 2-hour course you will learn the major distinctions between ransomware and other malware, the key characteristics of ransomware attacks, and the protection strategies and remediation plans for ransomware attacks that should be in place ahead of time.

Ransomware: Identify, Protect, Detect, Recover Course Outline

How SMBs can Lower Risks of Being a Victim of a Ransomware Attack

Ransomware Prevention

Small and medium businesses are becoming victims of cyber attacks more and more frequently, yet only 28% of the SMBs polled in a recent study said they were actually concerned about ransomware. That must mean small and medium businesses have security well in hand, right? Wrong! The same study found that 85% of SMBs reported at least one cyber attack.

With ransomware now big business for cyber criminals, SMBs need to consider what they can do to avoid becoming a victim in the first place. Given the recent uptick in ransomware attacks, let’s discuss options for reducing that risk.

Use Multi-factor Authentication

Using only a username and password to log in is simply not secure anymore. Multi-factor authentication (MFA) adds a second, and sometimes a third, factor. For example, after entering your username and password you might also have to enter a 6-digit code generated by an app on your phone or by a hardware token.

Ransomware attacks require a way for the attacker to get onto the target network in the first place. Today’s attacks typically involve an attacker gaining access to a network, stealing the data, and only then deploying the ransomware.

Requiring MFA on logins, especially remote access (VPN, RDP) and email systems, makes it much harder for an attacker to turn a stolen or guessed password into that initial foothold.

Change passwords regularly and don’t reuse them

Passwords should be changed regularly. This creates a moving target for an attacker who may have found one of your passwords in a data breach somewhere, and it only works if you don’t reuse passwords across sites. Note that current NIST guidance (SP 800-63B) favours changing a password whenever compromise is suspected, and screening new passwords against lists of known-breached ones, over fixed rotation schedules; the essential point either way is that a password exposed in one breach must not unlock anything else.

Control the use of Removable Storage Devices

Removable storage devices, such as USB drives and external hard drives, are an ideal carrier for malware, including ransomware, and some strains copy themselves onto any removable drive that gets plugged in.

Controlling the use of these devices can be as simple as standardising on one approved USB model and allowing only that model to mount, or as involved as a Data Loss Prevention (DLP) solution that blocks copying to removable media altogether. Many endpoint protection products, BitDefender among them, also provide device control features.

Make security awareness a priority

Clicking a suspicious link, or entering credentials into a credential-phishing site, can lead to the same result as any of the above. Attackers have many ways to gain access to your company’s network, and all of them should be discussed and tested as part of a continuous security awareness program. Topics might include:

  • Being aware of suspicious links
  • Not opening attachments from unknown senders
  • Secure password management using password managers
  • Secure use of removable storage devices

Have Backups

This technically won’t lower the risk of being hit by ransomware, and you hope you never have to use them, but backups may be critical to recovering from a ransomware incident and should be taken at regular intervals. Store them onsite, offsite and in the cloud for the most protection, and keep at least one copy offline or otherwise immutable: human-operated ransomware crews routinely look for and encrypt or delete any backups they can reach before they trigger the encryption. Test your restores periodically as well; a backup you have never restored from is not yet a backup.
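As an added illustration of the “test your restores” point (this is my own example, not code from the original post or any backup product), the following Python script records a SHA-256 manifest of a directory tree when the backup is taken and later compares a restored copy against it, reporting files that are missing, altered or unexpected. The sample files and the tampering are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under `root` (as a relative POSIX path) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(name for name in manifest if name in current and current[name] != manifest[name]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then check a clean restore and a restore whose
    copy was reached by ransomware (one file rewritten with ciphertext-like bytes, one deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("Master services agreement, 2021 revision\n")
        (live / "ledger.csv").write_text("date,amount\n2021-05-01,1200.00\n")

        # Record the manifest at backup time and keep a copy with the offline backup set:
        # a manifest sitting next to the live data can be encrypted or altered along with it.
        manifest_json = json.dumps(build_manifest(live), indent=2)
        manifest = json.loads(manifest_json)

        clean = Path(tmp) / "restore-clean"
        shutil.copytree(live, clean)

        tampered = Path(tmp) / "restore-tampered"
        shutil.copytree(live, tampered)
        (tampered / "ledger.csv").write_bytes(bytes.fromhex("8f12a3c4d5e6f70198aa"))  # simulated ciphertext
        (tampered / "docs" / "contract.txt").unlink()

        return {"clean": verify_restore(manifest, clean), "tampered": verify_restore(manifest, tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a real restore by building the manifest against the source at backup time and calling verify_restore against the restored path; an empty report is the only acceptable result before you declare the backup good.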

No one is 100% safe from cyber attacks, but there are things we can all do to reduce the risk.

How The DOJ Recovered $2.3 Million Paid During The Colonial Pipeline Ransomware Hack

Unless you’ve been living under a rock, you’ve almost certainly heard of the ransomware attack on Georgia-based Colonial Pipeline, disclosed on May 7th, 2021, which forced the company to take many of its IT systems offline to prevent further damage. The attack was carried out by a ransomware-as-a-service (RaaS) criminal group that goes by the name DarkSide.

DarkSide is a sophisticated operation and, like groups such as Maze, publicly stated that it would not target hospitals, schools, governments and other vulnerable bodies. In this instance they hit Colonial Pipeline’s business IT systems rather than pipeline operations, although Colonial still shut the pipeline down as a precaution; an attack on operations themselves could have been devastating to oil and gas markets not just in the U.S. but internationally as well.

How The DOJ Recovered Coins From a Bitcoin Wallet

In a news release on June 7th, 2021, the U.S. Department of Justice announced that it had recovered 63.7 bitcoins, valued at approximately $2.3 million USD, by seizing the contents of a bitcoin address used by the threat actors.

When Colonial Pipeline paid the 75 bitcoin (about $4.4 million) ransom to DarkSide, it had to send the coins to one or more bitcoin addresses. A bitcoin address is just a string of characters (26 to 35 for the older formats that start with 1 or 3; the newer bech32 formats that start with bc1 are longer) entered as the recipient of a payment. It’s a bit like entering a friend’s email address when sending an eTransfer, except that a bitcoin address doesn’t identify its owner in and of itself. A wallet is the software or service that holds the keys behind one or more addresses.

Bitcoin blockchain data is public and searchable through websites such as Blockchain.com, so anyone could watch where the 75 bitcoins went. Although an address doesn’t identify its owner, the coins at an address can only be spent by whoever holds the matching private key. The DOJ’s seizure warrant affidavit states that the FBI was in possession of that private key; it doesn’t say how, but the most plausible explanation is that the funds ended up with a custodial service (an exchange or hosted wallet) within U.S. jurisdiction that could be compelled by warrant to hand the key over.

With that warrant, the DOJ obtained the private key for the address and used it to move the funds out. A private key is a secret number, usually shown as a string of alphanumeric characters, from which the public key and then the address are derived; the derivation only runs one way, so the address cannot be worked back to the key. Whoever holds the private key can spend the coins, so it works like a password for the address and must be stored securely.
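Added example, not from the original post: a Python decoder for the older Base58Check address format described above, showing what those 26 to 35 characters actually encode (a version byte, the 20-byte hash of a public key or script, and a 4-byte checksum) and why a mistyped address is rejected rather than paid to nobody. The sample address is the one from Bitcoin’s first (genesis) block, which is public; bech32 (bc1...) addresses use a different encoding and are deliberately out of scope here.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version byte -> address type for the Base58Check formats.
VERSIONS = {
    0x00: "P2PKH mainnet (1...)",
    0x05: "P2SH mainnet (3...)",
    0x6F: "P2PKH testnet",
    0xC4: "P2SH testnet",
}


def b58decode(text: str) -> bytes:
    """Decode Base58 as a big number; each leading '1' stands for a single 0x00 byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def decode_address(address: str) -> tuple:
    """Return (version, hash160) for a syntactically valid Base58Check address.

    Layout: 1 version byte + 20-byte HASH160 + 4-byte checksum, where the checksum is the
    first 4 bytes of SHA256(SHA256(version + hash160)). Anything else raises ValueError."""
    raw = b58decode(address)
    if len(raw) != 25:
        raise ValueError(f"expected 25 decoded bytes, got {len(raw)}")
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: mistyped or corrupted address")
    return payload[0], payload[1:]


def is_valid_address(address: str) -> bool:
    try:
        decode_address(address)
        return True
    except ValueError:
        return False


def describe(address: str) -> str:
    version, hash160 = decode_address(address)
    kind = VERSIONS.get(version, f"unknown version 0x{version:02x}")
    return f"{kind}, hash160={hash160.hex()}"


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # coinbase address of block 0, a public value
    print(describe(genesis))
    print("one character changed:", is_valid_address(genesis[:-1] + "b"))
```

Note what is not in the address: nothing about the owner, and nothing that lets you recover the key. The hash160 is a one-way digest of the public key, which is itself derived one-way from the private key, so watching an address on a block explorer tells you where coins are, never who controls them.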

The funds took an interesting route to their final address, so the DOJ simply had to follow the money until it landed somewhere accessible. I’ve put the timeline into a table, showing the last 6 characters of each address, so you can see how the coins were passed through a number of addresses until they sat at one the DOJ was able to seize.

Date        Sender                Amount (BTC)    Recipient
5/8/2021    Colonial Pipeline     75              xxxxxxxxxxxxXjc9fr
5/8/2021    Unknown               0.0005          xxxxxxxxxxxxXjc9fr
5/8/2021    xxxxxxxxxxxxXjc9fr    0.00001693      xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXjc9fr    75.00034246     xxxxxxxxxxxxXg7q5X
5/8/2021    xxxxxxxxxxxxXg7q5X    74.99998307     xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXg7q5X    0.00006748      xxxxxxxxxxxxtKycsm
5/8/2021    xxxxxxxxxxxxfytpsf    11.24962019     xxxxxxxxxxxxz99zwt
5/8/2021    xxxxxxxxxxxxfytpsf    63.74998561     xxxxxxxxxxxxeqwg45
5/9/2021    xxxxxxxxxxxxeqwg45    63.7            xxxxxxxxxxxxKcdNxB
5/9/2021    xxxxxxxxxxxxeqwg45    0.04976631      xxxxxxxxxxxxeqwg45
5/27/2021   xxxxxxxxxxxxKcdNxB    69.60422177     xxxxxxxxxxxxcfsegq

What you might notice is that the address seized by the DOJ held a little more than 69 bitcoins. The 63.7 bitcoins that the DOJ could trace directly back to Colonial’s payment are what the release says was recovered. The remaining 5.90422177 bitcoins (69.60422177 minus 63.7, roughly $213,000 USD at the rate implied by the DOJ’s valuation) must have reached ...KcdNxB through inputs that aren’t in this table, and the release doesn’t say what becomes of them.
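As an added example (mine, not part of the original post or any DOJ material), here is the table above as data in Python with the two checks a chain analyst would make first: a “peel chain” walk that follows the largest output at each hop from the payment to its final resting place, and a per-address net balance that exposes where coins must have arrived via transactions the table doesn’t show. The address labels are the truncated six-character suffixes from the table; the exact arithmetic uses Decimal because floating point would mangle satoshi-level amounts.

```python
from collections import defaultdict
from decimal import Decimal

# Transfers copied from the table above; addresses are shown by their last six characters as in the post.
TRANSFERS = [
    ("2021-05-08", "Colonial Pipeline", "Xjc9fr", "75"),
    ("2021-05-08", "Unknown", "Xjc9fr", "0.0005"),
    ("2021-05-08", "Xjc9fr", "fytpsf", "0.00001693"),
    ("2021-05-08", "Xjc9fr", "Xg7q5X", "75.00034246"),
    ("2021-05-08", "Xg7q5X", "fytpsf", "74.99998307"),
    ("2021-05-08", "Xg7q5X", "tKycsm", "0.00006748"),
    ("2021-05-08", "fytpsf", "z99zwt", "11.24962019"),
    ("2021-05-08", "fytpsf", "eqwg45", "63.74998561"),
    ("2021-05-09", "eqwg45", "KcdNxB", "63.7"),
    ("2021-05-09", "eqwg45", "eqwg45", "0.04976631"),
    ("2021-05-27", "KcdNxB", "cfsegq", "69.60422177"),
]


def balances(transfers) -> dict:
    """Net BTC per address from the listed rows only: everything received minus everything sent.
    Mining fees are not in the table, so small positive residues are expected."""
    net = defaultdict(Decimal)
    for _, sender, recipient, amount in transfers:
        net[sender] -= Decimal(amount)
        net[recipient] += Decimal(amount)
    return dict(net)


def unexplained_inputs(transfers) -> dict:
    """Addresses that sent out more than the table shows them receiving. A negative net balance
    at an address that did receive something means coins arrived via transactions not listed."""
    received = {recipient for _, _, recipient, _ in transfers}
    return {addr: -bal for addr, bal in balances(transfers).items() if bal < 0 and addr in received}


def peel_chain(transfers, start: str) -> list:
    """Follow the largest outgoing transfer at each hop (the usual peel-chain heuristic: the bulk
    of the funds is the payment moving on, the small outputs are change or fee-sized dust).
    Self-transfers and revisited addresses are skipped so the walk terminates."""
    path, seen, current = [start], {start}, start
    while True:
        candidates = [(Decimal(amount), recipient) for _, sender, recipient, amount in transfers
                      if sender == current and recipient not in seen]
        if not candidates:
            return path
        _, current = max(candidates)
        path.append(current)
        seen.add(current)


if __name__ == "__main__":
    print("peel chain:", " -> ".join(peel_chain(TRANSFERS, "Colonial Pipeline")))
    print("unexplained inputs:", unexplained_inputs(TRANSFERS))
    print("held at final address:", balances(TRANSFERS)["cfsegq"])
```

The walk ends at ...cfsegq with the 69.60422177 BTC the DOJ seized, and the balance check flags ...KcdNxB as having sent 5.90422177 BTC more than the table shows it receiving, which is exactly the non-Colonial portion discussed above. On real data you would pull every input and output of each transaction from a block explorer or your own node rather than a hand-copied table, but the logic is the same.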

Canada Post Large Business Data Breach and Supply Chain Attacks

Update 2021-05-31

Linking to the official announcement by Canada Post.

Update 2021-05-28

The new player in town, Lorenz, has taken credit for the attack. It also appears that Commport Communications did not pay the ransom, which BleepingComputer estimates at between $500,000 and $700,000 for the Lorenz group. Like other newer groups, Lorenz runs a public leak site on the Tor network to pressure victims into paying, and the Commport Communications data, 35.3 GB compressed, is now openly available for download there, which suggests that Commport refused to pay.

Also interesting is the date on the upload. Commport had previously disclosed an attack back in November 2020, but did not believe any data was compromised at that time. Apparently, they were wrong.

Commport Communications data available from the Lorenz public repository.

The Attack

Canada Post has announced a data breach of shipping manifest data belonging to 44 of its large business customers. The impact is put at more than 950,000 records relating to customers of those businesses. Shipping manifests contain sender and recipient information that usually includes names and addresses, and less often email addresses and phone numbers.

According to CTV News, 97% of the records contained only names and addresses, while the remaining 3% also contained an email address and/or a phone number. The attack occurred on May 19th, according to Commport Communications Inc.; however, the compromised data dates from between July 2016 and March 2019.

Apparently, Commport Communications Inc. notified Innovapost, Canada Post’s IT service provider, in November 2020 of a ransomware attack on the organization, but a review at that time determined that no Canada Post customer data had been leaked. I’d be interested in seeing the lessons learned from that attack, as well as the steps taken to prevent this type of incident from happening again.

At this time the May 19th event hasn’t been attributed to a specific attack vector and may not be related to the November 2020 ransomware attack at all.

Supply Chain Attacks

This may well have been a crime of opportunity, as we don’t know whether any other data was stolen from the Commport Communications environment; beyond Canada Post, its website references work with companies such as Walmart, Pepsi, Coca-Cola, P&G, Lowe’s and even Amazon. Regardless of the original intent, this is what is known as a supply chain attack: an attack that targets a less-secure element of an organization’s ecosystem. That could be anything from an HVAC provider to a software vendor or, yes, even an IT provider.

The 2020 SolarWinds attack was a series of supply chain attacks that led to suspected Russian state-sponsored actors, attributed to the SVR (tracked as APT29, also known as Cozy Bear), gaining access to a number of U.S. Government systems, including parts of the Department of Homeland Security, of which the Cybersecurity and Infrastructure Security Agency is a component, as well as the Treasury and Commerce departments. Not to mention a number of private and public businesses and governments that we’ll never know about.

Supply chain attacks are the real deal, and they work because as business owners we often make the mistake of trusting the security and the systems of the third parties we do business with, who sometimes have elevated access within our own systems. Targeted supply chain attacks are also complex to pull off, which is why they are often the mark of an APT (Advanced Persistent Threat).

The National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security lists supply chain attacks as one of seven threats to Canadian financial and economic health.

Supply Chain Attack Risk Reduction

The issue, of course, is that to build our businesses we must rely on third parties for things such as manufacturing, operations, financial services and support. Information and cyber security isn’t about making it difficult for the business to operate; it’s about creating opportunities!

A third-party risk program can be as complex or as simple as you need, but it is really all about governance of your vendors and suppliers. Develop processes and procedures for every transaction between your organization and your third parties, and ensure that staff are appropriately trained in executing and managing them.

By creating a vendor risk assessment, or using one of the many available online, you can easily build a risk inventory of your vendors and suppliers that gives your business some assurance that they employ the necessary security controls. Questions on such a form might include “Does the third party provide information security training to all employees, contractors, and vendors?” and “Does the third party employ firewalls at all points of network egress?”.

Unfortunately this isn’t a one-time process; it should be reviewed and updated annually for maximum benefit. Both ISO 27001 and the CyberSecure Canada certification require annual reviews, so getting into the habit, and documenting that you’re doing it, can be very beneficial in the long term.

For further reading, the Canadian Centre for Cyber Security provides an excellent two-page PDF on Supply Chain Security.

Prince Edward Island Data Breach: Synopsis and Opinion

Ransomware

Ransomware is hitting governments hard. Besides the event that Prince Edward Island experienced, the Canadian territory of Nunavut suffered a ransomware attack in November 2019 that crippled systems across that entire government.

Ransomware is a type of malware that, once it is running on a system, locks the user out of their own files. It walks the directory tree of the victim’s computer (and any network shares it can reach) to build a list of target files, then encrypts them, in most cases using the operating system’s own cryptographic APIs (on Windows, CryptoAPI or CNG). The files are typically encrypted with per-file or per-victim symmetric keys, and those keys are in turn encrypted with a public key embedded in the malware, or sent back to the attacker, so the only copy of what is needed to decrypt is held where you can’t get at it.
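Added example (my own illustration, not detection logic from the province or any vendor): the encryption behaviour described above leaves a recognisable trace on the endpoint, namely one process rewriting many files with near-random content, renaming them to a new extension and dropping a ransom note. This Python script scores constructed file-activity events on exactly those indicators. The event format, process names, paths and thresholds are assumptions for the example; the key design point is that high entropy alone is not treated as malicious, because backup and compression tools legitimately write high-entropy files all day.

```python
import hashlib
import math
from collections import defaultdict

NOTE_KEYWORDS = ("decrypt", "restore", "recover", "ransom")
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain documents sit around 4 to 5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random(size: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (constructed test data)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def score_processes(events) -> dict:
    """Events are (process, action, path, data): a "write" carries the bytes written,
    a "rename" carries the new path in `data`. Returns the indicator counts per process."""
    stats = defaultdict(lambda: {"high_entropy_writes": 0, "extension_changes": 0, "ransom_notes": 0})
    for process, action, path, data in events:
        s = stats[process]
        if action == "write":
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                s["high_entropy_writes"] += 1
            filename = path.rsplit("/", 1)[-1].lower()
            if any(keyword in filename for keyword in NOTE_KEYWORDS):
                s["ransom_notes"] += 1
        elif action == "rename":
            old_ext, new_ext = path.rsplit(".", 1)[-1], data.rsplit(".", 1)[-1]
            if old_ext != new_ext:
                s["extension_changes"] += 1
    return dict(stats)


def flagged_processes(events, min_files: int = 5) -> list:
    """Flag a process that mass-rewrites files to near-random content AND either renames them
    to a new extension or drops a ransom note."""
    flagged = []
    for process, s in score_processes(events).items():
        if s["high_entropy_writes"] >= min_files and (s["extension_changes"] >= min_files or s["ransom_notes"]):
            flagged.append(process)
    return sorted(flagged)


def sample_events() -> list:
    """Constructed file-activity log: a ransomware-like process, a backup tool and a text editor."""
    events = []
    for i in range(6):
        doc = f"C:/Users/kim/Documents/report{i}.docx"
        events.append(("update_helper.exe", "write", doc, pseudo_random(4096, i)))
        events.append(("update_helper.exe", "rename", doc, doc + ".locked"))
    events.append(("update_helper.exe", "write", "C:/Users/kim/Documents/README_TO_DECRYPT.txt",
                   b"Your files are encrypted. Contact us to decrypt them."))
    for i in range(6):  # compressed archives are high entropy too, but nothing else is suspicious
        events.append(("backup.exe", "write", f"D:/backups/set{i}.zip", pseudo_random(4096, 100 + i)))
    events.append(("notepad.exe", "write", "C:/Users/kim/Documents/notes.txt",
                   b"meeting notes: follow up on invoices\n" * 40))
    return events


if __name__ == "__main__":
    for process, s in score_processes(sample_events()).items():
        print(process, s)
    print("flagged:", flagged_processes(sample_events()))
```

In production the events would come from an EDR agent or Sysmon file-create and rename telemetry, and the response to a hit is to isolate the host immediately; the whole point is to catch the encryption loop while most files are still intact.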

Earlier iterations of many ransomware strains focused on spread and relied on sheer quantity of infections to drive a successful campaign. WannaCry worked this way, the intent being to cripple enough victims that some would pay; NotPetya spread the same way but turned out to be a destructive wiper dressed up as ransomware. Newer ransomware is human-operated: an attacker silently controls the victim’s network for some time before locking anything, which lets them exfiltrate data first. So not only is the victim locked out of their files, the attacker also has a copy of any number of those same files to hold over them.

Paying the ransom is not the answer to ransomware. Paying only perpetuates its effectiveness and conditions the attackers to keep attacking; ransomware has become big business for them. Unfortunately, the obvious consequence of not paying is that your files will likely be released to a wider audience. Prevention should be the number one focus, but strong incident response and business continuity/disaster recovery plans that include an approved and well-structured communications plan are also essential.

Regardless of whether you pay the ransom or not, assume that the data will eventually be released. Without confirmation it’s simply impossible to know otherwise, and a criminal’s promise to delete what they stole is not worth much.

The P.E.I. Ransomware

The Prince Edward Island government was hit by a ransomware called Maze. Maze has been attributed by Proofpoint to the threat actor it tracks as TA2101. This ransomware is notable for publishing exfiltrated files on the group’s own website if victims don’t pay, rather than selling the data on dark web forums.

In addition, threat actors can use this trove of data to phish other businesses, which should definitely be a big concern for P.E.I. businesses.

Timeline

2020-02-23 — The government reported a ransomware incident that was contained within 90 minutes. At that time the province did not believe any Islanders’ personal information had been affected.

2020-03-03 — Government documents began appearing online when approximately 800 MB (uncompressed) of data was posted on the Internet. According to the Maze ransomware website, the group holds approximately 200 GB of archives.

What’s Next?

The inevitable release of the rest of the files shouldn’t prevent recovery, which will almost certainly involve a hard look at the province’s information security. A forensic audit will need to take place to determine which files may have been accessed. Communications will then need to go out to any impacted individuals and businesses so that they can take appropriate action, if deemed necessary.

Both Credit Karma and Borrowell offer free credit scores and credit reports every quarter. In Canada the equivalent of a credit freeze is a fraud alert, which you can place by calling the major credit bureaus (Equifax and TransUnion).

A recent Forbes article put the average cost of a ransomware incident at over $84,000. That is likely on the low end, as most incidents go unreported and there is no clear baseline for what a ransomware incident’s costs should include. The ransomware attack on the City of Atlanta may have cost taxpayers an estimated $17 million, although I wasn’t able to find exact figures. It’s not infeasible that this incident will cost the P.E.I. government over $1 million when all is said and done.