STE WILLIAMS

Targeted Ransomware Attacks Show No Signs of Abating

Criminals are becoming more sophisticated and targeted in going after enterprise organizations, a new Q2/Q3 report finds.

There’s little sign that cybercriminals are about to let up on ransomware attacks anytime soon. If anything, they appear to be honing their tactics for even more dangerous and disruptive attacks on enterprise organizations over the short term.

Emsisoft recently analyzed threat data from the second and third quarters of this year and found ransomware attacks have become more focused and targeted. The success some attackers have had in extorting ransoms from enterprise targets appears to have spawned more concerted efforts by others to do the same.

“While the total number of ransomware attacks has declined, there has been a significant increase in the number of high-impact attacks targeting companies and public entities,” says Fabian Wosar, CTO at Emsisoft. 

Like other businesses, criminal enterprises tend to adopt the strategies that produce the greatest returns, and for the moment targeted enterprise ransomware appears to be one of them. “Ransoming critical business data is more profitable than spray-and-pray attacks against home users,” Wosar says.

The most visible example of the trend was Sodinokibi, a ransomware-as-a-service threat used by multiple groups in targeted attacks on various major organizations in Q2 and Q3. The malware is believed to be the work of the same group behind GandCrab, a now largely inactive ransomware strain that is estimated to have netted its distributors some $2 billion in less than two years.

Sodinokibi first surfaced in April 2019 and accounted for 4.5% of all ransomware detections in Emsisoft’s study. The malware is extremely evasive and includes advanced techniques to avoid detection by security tools, Emsisoft said. Attackers have used multiple methods to distribute the malware, including via phishing emails, by exploiting a security bug in Oracle’s WebLogic software, and through compromised managed service providers.

Most initial Sodinokibi attacks involved targets in Asia. But in recent months the ransomware strain has been deployed against targets in Europe and the US as well. The most high-profile of these was a series of coordinated attacks on 22 local governments in Texas that disrupted critical services, including payment processing and ID-card printing in several of the affected cities. None of the victims paid the demanded ransom.

Another ransomware sample that caused considerable havoc for enterprise organizations in Q2 and Q3 was Ryuk, according to Emsisoft. Like Sodinokibi, Ryuk was used in multiple damaging attacks on local governments, including one against Riviera Beach, Florida, which netted the attackers $600,000, and another against Lake City, Florida, where the threat actors walked away with $460,000.

Emsisoft detected significantly larger volumes of attack traffic associated with other ransomware strains. The most commonly reported ransomware strain in the previous two quarters, for instance, was STOP, aka DJVU, which accounted for 56% of all submissions. The malware, which targets home users, first surfaced in 2018 and currently has more than a dozen variants. Victims are typically asked to pay the equivalent of about $490 in Bitcoin to get their data back.

Other high-volume strains included Dharma, which targets businesses and accounted for 12% of all ransomware attacks in the previous two quarters; Phobos, used in targeted attacks on schools (8.9%); and GlobeImposter 2.0 (6.5%).

“While Dharma and Phobos are more commonly used than Ryuk and Sodinokibi, the latter have a higher profile because they’re the malware of choice in attacks that are publicly disclosed — namely, attacks on state and municipal government, schools, and hospitals,” Wosar says.

Emsisoft’s analysis showed that US organizations are among the most heavily targeted in ransomware attacks. Some 13.5% of all ransomware submissions between April and the end of September were from the US. Hundreds of local government agencies, schools, and public entities in the country were hit in ransomware attacks during the period under review, Emsisoft says. Only Indonesia, with 17.1%, and India, with 15%, had more attacks in Q2 and Q3 this year.

Disruptive Attacks Increase
Emsisoft’s report is consistent with those from others about an increase in targeted ransomware attacks on enterprise organizations. Some vendors have reported evidence of attackers gaining access to target networks and then lurking in them for weeks to identify high-value systems to attack.

The trend prompted the FBI to issue an alert earlier this month warning of high-impact ransomware attacks threatening US businesses and other organizations.

“Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly,” the FBI warned, citing complaints it has received from victims. While state and local government entities have borne the brunt, threat actors have actively targeted organizations in other sectors as well, including healthcare, industrial, and transportation, the agency noted.

The FBI has advised organizations not to pay a ransom to get encrypted data back. But there are signs that attackers, in turn, are finding new ways to force victims to comply.

FireEye earlier this month reported an increase in incidents where attackers are infecting hundreds of machines across a victim’s network — instead of just high-value ones — to maximize disruption and leave them with little choice but to pay.

“Ransom demands vary enormously, with the average being in the region of $30,000,” Wosar notes. But recovery and business interruption costs can be substantially higher. “The largest publicly disclosed ransom demand so far this year has been the $5.3 million that the city of New Bedford [Massachusetts] was asked to pay,” he adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/targeted-ransomware-attacks-show-no-signs-of-abating/d/d-id/1336095?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sodinokibi Ransomware: Where Attackers’ Money Goes

Researchers following the ransomware variant uncover new data on how much its affiliates earn and where they spend it.

Ransomware generates massive profits for its operators. How much do they make, and how do they spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.

The McAfee Advanced Threat Research (ATR) team has been investigating ransomware-as-a-service (RaaS) Sodinokibi, also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab’s operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.

From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle’s WebLogic server, but its affiliates use several tactics; some of them, Kaspersky Lab researchers found, exploited a Windows privilege escalation bug once on a machine.

Given the severity of Sodinokibi’s attacks, in particular those targeting US managed services providers, McAfee’s team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts detailing their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who sign up with Sodinokibi’s operators to deploy the ransomware in exchange for a share of the ransoms.

Part three uncovers new information on the size and associated revenue of the Sodinokibi campaign. Researchers linked underground forum posts with Bitcoin transfer traces to learn more about how the threat has grown and what affiliates do with the money they generate.

Sodinokibi generates a unique Bitcoin wallet for each victim, a tactic Fokker says is “quite similar” to other types of ransomware he’s studied. He also points to attackers’ heavy reliance on a prominent Bitcoin mixing service called Bitmix.biz, which obfuscates the origins of transactions so it’s difficult to connect funds from an infection to a final wallet or cashout.

“We see it pop up quite regularly in the payments we’ve been tracking,” he says of the mixer.

But some attackers were confident enough to share information that helped the researchers. One underground forum post discussed attackers’ success and offered a 60% cut to Sodinokibi affiliates. After three successful payments, the affiliate would receive 70% of the ransom. This is a common strategy, also seen in GandCrab and Cryptowall, Fokker explains in a blog post.

An attacker operating under the alias “Lalartu” commented on this post. A look back through the archives revealed additional comments from Lalartu, one of which included partial transaction IDs from the Bitcoin ledger along with transfer amounts. With help from Chainalysis software, the researchers used this information to recover the full transaction IDs and map them.

Following the Money

Analysis revealed a “very, very profitable business – and a big business too,” Fokker says. Sodinokibi’s tendency to target MSPs lets affiliates infect thousands of victims with little activity and a relatively small number of samples and versions, which he calls “a game changer.”

Various samples showed payments of around 0.44-0.45 Bitcoin, or roughly $4,000 USD at the time, though the researchers note the average ransom demand is $2,500-$5,000 USD. When a victim pays into an affiliate’s wallet, the funds typically pass through two or three transactions before reaching their final destination. Along the way the researchers could see the split between affiliates and Sodinokibi operators: 60-70% stays with the affiliate, and the remaining 30-40% is forwarded to the operators.

Applied to the typical demand, the operators’ 30-40% cut works out to roughly $700-$1,500 per paid infection. Some of these funds come straight from a victim’s wallet; in other cases Bitcoin is bought at an exchange and transferred to an affiliate’s wallet. Based on the list Lalartu shared and the value of Bitcoin at the time, an average of $287,499 was transferred within 72 hours, generating $86,000 in profit for the operators from a single affiliate.

Based on analysis of the samples and the number of transaction IDs, the researchers counted more than 41 active Sodinokibi affiliates and a high number of infections in a short period of time. “Taking this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune,” Fokker writes in the blog.

What do the affiliates do with their cut? To find out, the researchers picked a wallet and followed its transactions. Most of the money moves through an exchange; some goes to services, and some to Bitmix.biz to obscure the trail. In some instances affiliates paid for goods on Hydra Market, a Russian underground marketplace for services and illicit products paid for in Bitcoin. Fokker doesn’t believe they are shopping for malware there, as they have more sophisticated means, but it does show how ransomware proceeds fund further criminal activity.

It’s unclear where Sodinokibi’s operators are based, but Fokker notes a strong affiliation with the former Soviet Union. That doesn’t necessarily mean the actors are Russian; they could be from anywhere. But he points to the operators’ preference for working with Russian-speaking affiliates and to the malware’s refusal to encrypt systems in former Soviet countries, which could indicate the actors are from that region and are trying to avoid prosecution at home.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology.

Article source: https://www.darkreading.com/endpoint/sodinokibi-ransomware-where-attackers-money-goes/d/d-id/1336097?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook’s Libra cryptocurrency loses all but one payment company

The supporters of Facebook’s Libra cryptocurrency are apparently made of sugar. They’re melting.

Libra was announced in June, with a proposed launch in 2020. Four months later, we’ve seen the unsurprising “Hell, no” response of multiple governments, and in the past week, the cryptocurrency project has been pelted by rapid-fire, major body blows from founding members of the Libra Association.

It started last week, with PayPal’s terse “On second thoughts, how about ‘No’?” …followed by Mastercard, Visa, eBay, and the payments firms Stripe and Mercado Pago all jumping ship. Then, on Monday, it was hit again with news of a not particularly optimistic report due out this week from the G7 group.

The BBC, which has seen a draft of the report, says that it outlines nine major risks posed by digital currencies like Libra. The draft reportedly says that even if Libra’s backers address concerns, the project still might not be approved by regulators.

The report comes from a G7 taskforce made up of senior officials from central banks, the International Monetary Fund (IMF) and the Financial Stability Board (FSB), which coordinates rules for the G20 economies.

On Sunday, the FSB also published a separate report addressing the regulatory dangers of “global stablecoins” in general. Stablecoins are a type of cryptocurrency that, unlike a currency such as Bitcoin, are pegged to established currencies such as the dollar and euro.

It sounds like the G7 draft report echoes concerns already put out by the US Congress in July, which asked Facebook to halt the cryptocurrency for the time being, and of France, which last month rejected Libra as being too dangerous.

The now rather familiar reasons that the G7 report cites for not trusting Libra include a suspicion that such currencies won’t be able to protect consumers if something goes wrong. Something going wrong would translate into economies having to bail out an enormous number of consumers, given Facebook’s massive user base.

The report also raises concerns about how successful Libra’s backers can be at ensuring that the coins aren’t used for illegal activity, such as money laundering or to fund terrorism.

The BBC quoted from the report:

The G7 believe that no stablecoin project should begin operation until the legal, regulatory and oversight challenges and risks are adequately addressed.

Addressing such risks is not necessarily a guarantee of regulatory approval for a stablecoin arrangement.

The report will be presented to finance ministers at the IMF annual meetings this week.

With regards to the FSB report about global stablecoins, published on Sunday, Randal Quarles, FSB chairman, sent a letter to G20 finance ministers and central bank governors warning that the introduction of stablecoins could pose “a host of challenges” to the regulatory community…

Not least because they have the potential to become systemically important, including through the substitution of domestic currencies.

Quarles didn’t specifically mention Libra, instead noting that potential regulatory issues raised by stablecoin projects of “potentially global reach and magnitude” should be “assessed and addressed as a matter of priority”.

And then there was one

With the past week’s exodus of payments firms that were first involved in Libra, there now remains just one, the Dutch firm PayU. As of Monday afternoon, the company hadn’t replied to requests for comment that the BBC made on Friday.

Facebook vice president of messaging products, co-creator of Libra and former PayPal president, David Marcus deserves a bag of some kind of coin for the brave face he’s maintaining in the light of so many defections.

On Friday, he thanked Visa and Mastercard for “sticking it out until the 11th hour” in the face of the intense pressure that the project has received. He said that he respects the payment card companies’ desire to “wait until there’s regulatory clarity.”

He also said that losing all these major backers is, in a way, “liberating.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7AWGkl-XHVQ/

Update now! Windows users targeted by iTunes Software Updater zero-day

One of the flaws that Apple patched in last week’s iTunes app for Windows update was a zero-day used to spread the BitPaymer ransomware, security company Morphisec Labs has revealed.

This alarming-sounding flaw is only briefly alluded to at the end of Apple’s release notes for iTunes version 12.10.1 as being related to Apple’s Software Updater, also used by iCloud for Windows.

According to a new blog by Morphisec, we now know it was a zero-day vulnerability used by BitPaymer to target “yet another enterprise in the automotive industry.”

The flaw itself is a rare in-the-wild example of the ‘unquoted path’ class: a file path containing spaces is handed to Windows without surrounding quotes, so the system tries each space-delimited prefix (C:\Program.exe, and so on) as the executable before it reaches the intended one, and an attacker who can write a file to one of those locations gets their own binary run instead. Morphisec describes the class as:

So thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not the case, and this Apple zero-day is evidence.

It’s certainly surprising that a company of Apple’s resources would have allowed such an old-school issue to slip through its development.
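To make the class concrete, here is an added example written for this page (not Morphisec’s tooling or Apple’s code) that audits a set of Windows service command lines for unquoted paths containing spaces and lists, in search order, the files Windows would try before the intended binary. The service names and paths are constructed: the report does not give the actual Apple Software Update path, and the vulnerable call there need not have been a service registration, but the search behaviour is the same wherever an unquoted path is handed to CreateProcess.

```python
import ntpath
import re

# Constructed service definitions for illustration (hypothetical vendor
# paths; not the Apple Software Update path, which the report does not give).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\Good Service\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Vendor\Bad Service\svc.exe -run",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpace": r"C:\Tools\agent.exe",
}


def executable_path(image_path):
    """Split an ImagePath/command line into (executable, was_quoted).

    If the path is quoted, the executable is whatever sits between the
    quotes.  If not, we take everything up to the first '.exe'; Windows has
    no such knowledge and will try each space-delimited prefix instead."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    m = re.search(r"\.exe\b", p, re.IGNORECASE)
    exe = p[:m.end()] if m else p.split(" ", 1)[0]
    return exe, False


def hijack_candidates(exe_path):
    """Files CreateProcess would try, in order, before the intended binary
    when an unquoted path contains spaces.  For each space-delimited prefix
    Windows appends '.exe' if the last path component has no extension."""
    tokens = exe_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit(services):
    """Return [(service, executable, [hijack paths])] for every unquoted
    path that contains a space."""
    findings = []
    for name, image_path in services.items():
        exe, quoted = executable_path(image_path)
        if not quoted and " " in exe:
            findings.append((name, exe, hijack_candidates(exe)))
    return findings


if __name__ == "__main__":
    for name, exe, cands in audit(SAMPLE_SERVICES):
        print(f"{name}: unquoted path with spaces -> {exe}")
        for c in cands:
            print(f"    a file planted here would be run first: {c}")
```

On a real host, feed it the Name/PathName pairs from `Get-CimInstance Win32_Service | Select-Object Name, PathName` (or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services). A finding is only exploitable if the attacker can create a file at one of the candidate locations, so check the ACLs of those directories with icacls before treating it as more than a hygiene issue.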

Morphisec said that the attack that deployed an exploit for the bug against an “enterprise in the automotive industry” was detected in August, a month after it published details of a larger BitPaymer campaign targeting at least 15 US organisations over the summer.

Finding a flaw in Apple Software Updater must have been gold for the cybercriminals who exploited it: the updater is a signed, trusted Apple binary, so a payload it launches starts life as the child of a legitimate process, which in theory is a huge leg up for any attacker looking to get past Windows security tools that trust signed parents.

iTunes no more

Earlier this year, Apple announced that after 18 years it is retiring iTunes, replacing it for Mac users with a range of standalone apps.

However, users who access iTunes on Windows will need to keep using (and updating) the current unloved iTunes app, for a while at least.

The updater for that – and the Windows iCloud app – is Apple Software Updater, which while bundled with iTunes for Windows is a separate program.

That means that even if a Windows user decides to de-install iTunes to avoid this and other future security flaws, Updater will remain installed. As Morphisec notes:

We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises.

Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silently, un-updated, and still working in the background.

Consequently, you need to de-install both applications to banish iTunes forever.

For Windows users who do want to keep using iTunes, fixing the flaw requires updating to iTunes version 12.10.1 (iCloud for Windows version 7.14).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PLucYEnVB5k/

Ye olde Blue Screen of Death is back – this time, a bad Symantec update is to blame

Symantec has acknowledged an issue with an update to its Endpoint Protection Client that causes a Windows kernel exception after users this morning came down with a mild case of Blue Screen of Death.

A Reg reader who got in touch about the problem confirmed “multiple” businesses running Symantec were getting hit with the BSOD stick.

According to the support note TECH256643:

When running LiveUpdate, the Endpoint Protection Client gets a Blue Screen Of Death (BSOD) indicating that IDSvix86.sys/IDSvia64.sys is the cause of the exception BAD_POOL_CALLER (c2) or KERNEL_MODE_HEAP_CORRUPTION (13A).

When BSOD happens, Intrusion Prevention signature version is 2019/10/14 r61.

Users took to Twitter to report the issue.



The solution, presuming you can persuade Windows to boot successfully, is either to run LiveUpdate again to pick up the corrected Intrusion Prevention signature release r62, or to roll back to an earlier signature set.

Symantec said it was aware of the issue and would update the support doc “when new information becomes available”.

It is not yet clear which versions of Windows are affected.

Thanks to Reg reader Tarjei Utnes for the tip. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/15/ye_olde_blue_screen_of_death_is_back_this_time_a_bad_symantec_antimalware_update_is_to_blame/

Why Bricking Vulnerable IoT Devices Comes with Unintended Consequences

Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

For several years now, security experts have been trying to bring attention to the growing threat that insecure Internet of Things (IoT) devices pose to networks around the world. The enormous growth in popular connected devices like webcams, DVRs, and smart watches has made it possible for hackers to amass huge botnets that can launch devastating distributed denial-of-service (DDoS) attacks.

Unfortunately, some vigilante hackers have tried to solve this problem with “bricker” malware that infects and destroys insecure IoT devices before they can become part of a botnet. This might seem like a positive on the surface, but this tactic creates serious, sometimes life-threatening risks as more IoT devices are used in industrial networks and healthcare organizations.

Let’s start at the beginning. IoT security became a top-of-mind issue in late 2016 thanks to the record-breaking DDoS attacks by the Mirai botnet and its subsequent source code release. In a perfect world, this should have been the wake-up call to improve IoT security. Unfortunately, slim profit margins and rapid development times kept IoT security considerations on the back burner and led some individuals to take matters into their own hands. The first instance of IoT vigilantism was in 2017 when a strain of malware known as BrickerBot began making its rounds.

Similar to the Mirai botnet, BrickerBot exploited flaws like insecure, hard-coded passphrases to log in to vulnerable IoT devices. But once it connected to a device, it didn’t add it to a massive botnet. Instead, it deleted files, corrupted the system storage, and disconnected the device from the Internet, effectively making it unusable. While it is possible to restore the device to factory defaults, the average IoT user likely doesn’t have the technical skills to do this. The author of BrickerBot, known by the pseudonym Janit0r, explained in an interview that his malware was intended to prevent devices from being infected by Mirai. Janit0r believed that if IoT manufacturers and owners weren’t going to take security seriously, then the devices shouldn’t exist to begin with.

In the end, BrickerBot destroyed over 10 million devices in just nine months before Janit0r retired it from service. While that may sound like a lot, it’s still less than one-tenth of 1% of the estimated 14 billion IoT devices online worldwide.

But the end of BrickerBot wasn’t the end of IoT bricking malware. In early 2019, a new variant called Silex began infecting devices worldwide; within a few hours it had hit thousands of devices, deleting system files and firewall rules and rendering them useless. With the Mirai source code public, it’s not a stretch to assume other similar variants are lurking undiscovered in the wild today. Thankfully, individual IoT owners can protect themselves from both botnets and brickers by changing the default passwords on their devices, not exposing the telnet port (which BrickerBot uses to infect devices) to the Internet, and performing basic network segmentation and monitoring.

Bricker malware is dangerous because it doesn’t discriminate between different types of IoT devices. Almost every industry is incorporating IoT technology in some way. “Smart city” technology is becoming widely adopted across the globe, with municipalities connecting everything from power grids to traffic lights to networks. Healthcare is another sector that’s quickly adopting IoT technology, with the Internet of Medical Things projected to reach $136.8 billion worldwide by 2021. While some might question the need for refrigerators to connect to the Internet, there is no arguing that the ability to quickly share data from an ECG/EKG machine could be the difference between life and death. As widespread IoT adoption continues to grow within these sectors and overall, bricking malware can have some devastating consequences.

The problem is that many of these new IoT applications exhibit the same security lapses as consumer IoT devices, but with significantly higher risks if they fail. A rash of bricked industrial IoT sensors could cause widespread power outages, and an infusion pump or medical monitor that unexpectedly shuts off could put patients’ lives at risk. The authors of BrickerBot and Silex might not have been so ready to claim their work was for the good of the Internet if they truly considered the serious collateral damage that they might cause along the way.

There are other options to improve IoT security that don’t involve such a high degree of risk. Security researchers can work on raising awareness about connected device security, participating in public education initiatives and trying to drum up consumer demand for secure devices. Just last year the state of California, the fifth-largest economy in the world by GDP compared with other sovereign nations, passed Senate Bill 327, which mandates that manufacturers of connected devices equip their products with reasonable security features by January 2020. While the bill will have little effect on the masses of inexpensive IoT devices imported from foreign countries every year, it’s a step in the right direction that can be built upon with future legislation.

There is no denying the IoT industry needs to fundamentally change its approach to security, but vigilantism is not the answer. There are less destructive ways to convince both manufacturers and consumers that developing and deploying secure devices is worth the investment.


Marc Laliberte is a senior security analyst at WatchGuard Technologies, specializing in networking security protocols and Internet of Things technologies.

Article source: https://www.darkreading.com/iot/why-bricking-vulnerable-iot-devices-comes-with-unintended-consequences-/a/d-id/1336009?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

14 Hot Cybersecurity Certifications Right Now

In an industry where certifications can make or break a job candidacy, which ones have security pros been going after in 2019?

We know there are plenty of jobs out there for those interested in working in security. And there is also no shortage of security certifications for those who want to demonstrate to employers they have earned the education they need to succeed. But in a fast-moving and evolving field, which certifications are catching fire lately?

Part of the answer depends on the company that’s hiring. According to Simone Petrella, CEO of cybersecurity training and education firm CyberVista, companies with emerging security programs may be more reliant on certifications than those with more mature programs. In those cases, CISSP and the Security+ are among the most popular general certifications. (More on those later.)

Specialized ones by industry, such as healthcare, are growing, however, as are requests for cloud certifications, Petrella adds. As time goes on, “run-of-the-mill certs are probably less useful than the more specialized ones,” she says.

Now back to our original question of which certifications, specifically, are ones to consider. For that we reached out to popular issuers of certifications to find out. From training for entry-level newbies, to experienced veterans, to niche-industry knowledge, here are the certifications security professionals are seeking this year.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/14-hot-cybersecurity-certifications-right-now/b/d-id/1336074?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Symantec Adds Endpoint Security Tool to Revamp Portfolio

Symantec Endpoint Security aims to deliver protection, detection, threat hunting, and response in a single tool.

Symantec is revamping its endpoint tool lineup with Symantec Endpoint Security (SES), a new platform designed to deliver protection, detection, and response in a single agent installation. SES also aims to reduce the attack surface, hunt for threats, and assess and prevent breaches.

The idea is to provide businesses with an easier way to fight more advanced attacks. SES can be deployed and managed via the cloud or on-premises, or a hybrid of both, with one install on traditional and mobile enterprise devices. Its varying levels of threat-hunting capabilities are meant to supplement the existing resources of any given organization, Symantec explains.

Businesses without the resources to run their own threat hunting, remote investigation, and pre-authorized remediation can get those capabilities as part of SES. Enterprises with in-house investigation teams can opt into the Threat Hunting Center add-on, which is designed to automate threat hunting across security devices in the SOC and enable faster response.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

Article source: https://www.darkreading.com/endpoint/symantec-adds-endpoint-security-tool-to-revamp-portfolio/d/d-id/1336089?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

350+ hackers hunt down missing people in first such hackathon

More than 350 ethical hackers got together in cities across Australia on Friday for a hackathon in which they worked to “cyber trace a missing face”, in the first-ever capture the flag event devoted to finding missing persons.

Organizers called the results “astounding,” ABC News reports.

During the six hours, the competing teams hammered away at searching for clues that could potentially solve 12 of the country’s most frustrating cold cases; 100 leads were generated every 10 minutes.

The National Missing Persons Hackathon was run by the AustCyber Canberra Innovation Node, which partnered with the Australian Federal Police, the National Missing Persons Coordination Centre and Trace Labs: a nonprofit with a mission of crowdsourcing open-source intelligence (OSINT) and training people on OSINT tradecraft.

OSINT is data collected from publicly available sources. That includes Google searches, for example. The missing persons hackathon is the sunny side of that coin. Last week, we saw a much darker side to OSINT when we heard about a Japanese pop star who was attacked by a stalker who zoomed in on the reflections in her eyes from selfies, then searched for matching images on Google Maps to find out where she lives.

ABC News mentioned another recent case of the use of OSINT: last month, Twitter user Nathan Ruser picked up on a video uploaded to YouTube that showed hundreds of detainees at a train station, handcuffed and blindfolded, and all with freshly shaven heads. They were allegedly members of the Uyghur Muslim community in western China.

Chinese officials had denied the mass detention. To verify the image, and to find out when and where it was taken, Ruser used elements in the imagery to geolocate the scene: buildings, a cell tower, a carpark, trees, and train tracks, for example, feeding the images into Google Earth. Another useful element was a pole that acted like a sundial: its shadow could be matched against other images showing the sun at a given azimuth, and so casting specific shadows, on a particular day, giving a rough idea of the day the video was taken.

The participants in the Australian missing persons hackathon used similar search techniques to try to find previously undiscovered hints at what could have happened to the missing persons focused on in the event. Those 12 cold cases were selected from what ABC News says is now more than 2,600 Australians listed as “long-term” disappearances.

At the start of the event, contestants were allowed to view the missing persons case details by logging into the capture-the-flag platform. The organizers haven’t released results of the mass gathering of OSINT. All leads generated on the missing person cases were handed over to the National Missing Persons Coordination Centre.

Technology Decisions quoted Minister for Industry, Science and Technology Karen Andrews, who said that an event like this shows the good that can come from hacking:

You can only imagine the great heartache when a loved one goes missing. Family and friends are often haunted by the experience for life. They never stop looking and trying to find answers.

This event is a great opportunity to use online investigative techniques and hacking skills in creative and socially useful ways.

Australian Federal Police Assistant Commissioner Debbie Platz said that crowdsourcing like this opens up a whole new way of policing that will hopefully lead to solving more of these heartbreaking cases:

Police often say that the community are our eyes and ears. We’re taking this concept to a new level. By involving the community, and in this case hackers, into the search for missing persons, we hope to solve more long-term missing person cases in a way that police could not do alone.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ciYe6y5KRMc/

Apple says Tencent isn’t snooping on your browsing habits

Apple was quick to allay user concerns this weekend after someone spotted that it was working with Chinese company Tencent to check its users’ website requests for malicious URLs.

The company had to clarify how a feature in the iOS version of Safari called “Fraudulent Website Warning” worked after the Tencent link was revealed.

If you go into the settings app in iOS, select Safari, and then About Safari Privacy, there’s a section called Fraudulent Website Warning, which reads:

Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.

The Fraudulent Website Warning feature checks websites against a list of known malicious URLs so that iOS 13 can flag any harmful sites that users try to visit.

These lists are provided courtesy of companies known as safe browsing providers. Source code in the GitHub repository for WebKit, which is Apple’s underlying browser engine for Safari, suggests that Tencent has been a safe browsing provider since at least November 2018.

Tencent is a giant Chinese tech company involved in a wide range of activities. With 2018 revenues of Rmb312.7bn (£35.2bn), it’s one of Asia’s biggest businesses. It operates the hugely successful WeChat social messaging and payments app in China, and owns bits of companies including Activision Blizzard, Riot Games, Ubisoft, and Discord, not to mention Snap and Tesla.

Apple sent us the following statement:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.

To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

As Matthew Green, cryptographer and professor at Johns Hopkins University explains, safe browsing providers send a list of hashed prefixes for malicious sites to users’ phones. If Safari matches the prefix of a site that the user tries to visit against that list, it goes back and asks the provider for a full list of the sites with that prefix, enabling it to check for the malicious site without divulging its address to the provider.

Apple’s statement suggests that only devices registered to China get the Tencent list (the rest of us get Google’s), and that the web addresses you visit are never sent to either company. However, as Apple’s message in iOS settings clearly states, the provider may still be able to log your IP address.

Green explains that this could represent a privacy issue if the provider chose to aggregate all the requests that your phone sent it to “extract a signal from the noisy Safe Browsing results”. The worry here is that if a single company sees your IP address enough times, along with a list of site prefixes that you’re worried about, it might be able to start making deductions about your surfing habits.
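A minimal model of the prefix exchange Green describes, added here as an example (it is not Apple’s, Google’s or Tencent’s code): the client keeps a local list of 4-byte hash prefixes, sends only a matching prefix to the provider, and does the final full-hash comparison on the device. URL canonicalization is simplified to lower-cased host plus path, and the URLs and IP address are constructed sample values. The provider’s log shows exactly what it learns per lookup, which is the raw material for the aggregation concern above.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # Safe Browsing local lists carry 4-byte (32-bit) hash prefixes

def url_expression(url: str) -> bytes:
    # Simplified canonicalization (assumption for this example): lower-cased
    # host plus path. Real clients derive several host/path expressions per URL.
    parts = urlsplit(url)
    return (parts.hostname or "").lower().encode() + (parts.path or "/").encode()

def full_hash(url: str) -> bytes:
    return hashlib.sha256(url_expression(url)).digest()

class SafeBrowsingProvider:
    """Server side: holds full hashes of known-bad URLs and logs what clients reveal."""
    def __init__(self, bad_urls):
        self.full_hashes = {full_hash(u) for u in bad_urls}
        self.log = []  # (requester IP, prefix): all the provider ever sees

    def prefix_list(self) -> set:
        # Shipped to every client as a periodic update, not per visit.
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def full_hashes_for_prefix(self, client_ip: str, prefix: bytes) -> set:
        self.log.append((client_ip, prefix))
        return {h for h in self.full_hashes if h.startswith(prefix)}

class SafeBrowsingClient:
    """Browser side: local prefix check first, network request only on a hit."""
    def __init__(self, provider: SafeBrowsingProvider, ip: str):
        self.provider, self.ip = provider, ip
        self.local_prefixes = provider.prefix_list()

    def is_malicious(self, url: str) -> bool:
        h = full_hash(url)
        if h[:PREFIX_LEN] not in self.local_prefixes:
            return False  # no match locally: nothing leaves the device
        # Prefix hit: fetch every full hash sharing it, then compare locally so
        # the provider learns the prefix (and our IP), never the URL itself.
        candidates = self.provider.full_hashes_for_prefix(self.ip, h[:PREFIX_LEN])
        return h in candidates

# Constructed sample data for the example; not real indicators.
provider = SafeBrowsingProvider(["http://phish.example.test/login"])
client = SafeBrowsingClient(provider, "192.0.2.10")

if __name__ == "__main__":
    print(client.is_malicious("http://phish.example.test/login"))   # True
    print(client.is_malicious("https://news.example.test/story"))   # False
    print(provider.log)  # one (IP, 4-byte prefix) entry; no URL anywhere
```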

If you’re worried about Google or Tencent making inferences about your browsing habits, you can turn off the Fraudulent Website Warning option using the button just above that About Safari Privacy section. It’s worth weighing this possible risk, though, against the danger of visiting a site that compromises your iOS device.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1ZcuAGpfi7s/