The Refactored IT Privacy and Security Weekly Update for May 18th 2021


This week we take apart the various elements of ransomware so you know what the stats are upfront: costs, protective steps, and tooling, so that if the unthinkable ever were to happen you would know your options.

We remind you that although ransomware is (literally) stealing the headlines, there are a few other gremlins out there that you might also want to sidestep.

We end with some entertaining quotes from cryptographers made while they were out of their dark workshops attending the RSA conference this week.


Encrypted or decrypted … we think you’ll find that this is the best IT Privacy and Security Weekly Update yet, so let’s refactor and get started!


IE: Irish health service struck by Russia-based Conti ransomware
This story from Digital Asset employee Julian Murray in Dublin

https://twitter.com/HSELive

Ireland’s nationalised health service has shut down its IT systems following a “human-operated” Conti ransomware attack, causing a Dublin hospital to cancel outpatient appointments.

The country’s Health Service Executive closed its systems down as a precaution, local reports from the Irish public service broadcaster RTÉ said, reporting that Dublin’s Rotunda Hospital had cancelled appointments for outpatients – including many for pregnant women.

“The maternity hospital said all outpatient visits are cancelled - unless expectant mothers are 36 weeks pregnant or later,” reported RTÉ, adding: “All gynaecology clinics are also cancelled today.”

HSE Ireland (@HSELive), May 14: “There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.”

So what’s the upshot for you? This kind of ransomware attack on hospitals and healthcare, which even the lowest of miscreants say should be off limits, painfully goes on.


US: Major U.S. Pipeline Crippled in Ransomware Attack

Update on DarkSide and Colonial Pipeline: Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers last Friday, contradicting reports earlier last week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern U.S. Seaboard.

Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

Then last Friday: Russia-based cyber-extortionist Darkside appeared “out of business” after unknown actors shut down the servers of the group. US cybersecurity firm Recorded Future said that Darkside had admitted in a web post it had lost access to certain servers used for its web blog and for payments.
Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian language comment on a ransomware website ostensibly from “Darksupp”, described as the operator of Darkside. “A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers,” Darksupp wrote.
Accessed via TOR on the dark web, the Darkside site address showed a notice saying it could not be found.

So what’s the upshot for you? We bet Darkside will be back. Another name, another ransomware variant, but they will be back.


Global: A quick refresher of just how expensive a ransomware attack can be.

https://us-cert.cisa.gov/ncas/alerts/aa21-131a

First, the average ransomware payout is $170,404.

Second, only 8% of organizations managed to get back all of their data and only 29% got back half their data.

Third, in the end, between restoration, loss of business, reputational degradation, and other costs, bringing a business back to normal after a ransomware attack averages about $1.85 million.

So what’s the upshot for you? CISA has done some great work with their recommendations which number too many to detail, but should be part of a checklist you use to secure a home or work environment.


Global: Victim of Ransomware? Try these decryption tools.

At the time of writing, this collection had links to a large number of good ransomware decryption tools.

So what’s the upshot for you? 191 and counting. Wait a week and there will be more.


Global: Victim of Ransomware? Try these sites.

https://id-ransomware.malwarehunterteam.com/

https://www.nomoreransom.org/

The first task in identifying whether there is a tool to decrypt your files is knowing what Ransomware has been used. Start with these.

So what’s the upshot for you? Nothing beats knowing about resources like these before you need them!


US: Last week’s Biden cybersecurity Executive order.

Although this Executive order lists lots of actions, the committee they are assigned to and the due dates, the top three are:

  1. Within the next 6 months, Federal agencies will be required to introduce multi-factor authentication (MFA) to their systems and encrypt all data.
  2. IT companies contracting with the US government will be required to meet higher security and breach notification requirements. For breaches, there would be a timeline for disclosure based on a sliding scale related to the severity of the incident.
  3. Like NYC’s restaurant rating system: A new star rating system pilot for software sold to the government will also be launched so that the officials and everyone else, for that matter, can judge how secure it is.

So what’s the upshot for you? For the rest of the directives and there were loads … we did search for a project management Gantt chart… a tool used for tracking different workflows. We couldn’t find anything online yet, but we are “Biden” our time. (sorry, couldn’t resist)


FR: AXA Itself Now Faces DDoS After Ransomware Attack

French insurance company AXA confirmed on Sunday that it has become a victim of a ransomware attack. The incident comes days after the company officially announced that it would stop bearing the cost of ransomware crime payments.

The group said the threat actors had targeted its Asia Assistance division, impacting IT operations in Thailand, Malaysia, Hong Kong, and the Philippines, adding that “there is no evidence that any more data has been accessed.”

It was later confirmed that the Avaddon ransomware gang has claimed responsibility for the attack. The group said on Saturday that they had hacked AXA’s Asia operations and stolen three terabytes of data including:

  • ID cards;
  • Passport copies;
  • Customer claims;
  • Reserved agreements;
  • Denied reimbursements;
  • Payments to customers;
  • Contracts and reports;
  • All customers IDs and all customers bank account scanned papers;
  • Hospitals and doctors reserved material (private investigations for frauds);
  • Customer medical reports (included HIV, hepatitis, STD, and other illness reports).

So what’s the upshot for you? Avaddon is a Ransomware as a Service (RaaS) operation, like DarkSide, that asks affiliates to follow certain rules and pays each one of them with 65% of the ransom payments they bring in, with the operators getting a 35% share.
The Avaddon ransomware gang follows the same MO as other ransomware groups: breaching the security of its target, exfiltrating data, locking the files on the victim’s system, and demanding a ransom payment for a decryption key. However, if the ransom is not paid, Avaddon additionally carries out DDoS (distributed denial of service) attacks on the network of its victim.
With ransomware attacks up 102% over this time last year, we are seeing a pattern develop. We wonder which direction AXA will go on this. They only just announced that they would not cover ransomware payments on their French policies. Will they backtrack? Stay tuned for more!


Global: 2021 DDoS Attack numbers blow past all previous years

According to research from NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020. That’s an extraordinary number in several ways:

  • If this activity holds, we are on a trajectory that blows right by the unprecedented 10-million attack threshold recorded in 2020.
  • The first two months of the year are usually the slowest months in the DDoS attack calendar. This year, we saw 972,000 attacks in January, which eclipses the record set last May for the largest number of attacks yet seen in one month.
  • All three months of the first quarter surged over the 900,000-attack mark, just as we were getting used to the new baseline of 800,000 attacks per month.

  • Q1 2021
  • Total attacks: 2.9 million
  • 31% increase year over year
  • Max size: 480 GigaBits or GigaBytes per Second
  • Max throughput: 675 Mpps or Mega (million) packets per second
  • Top attack type: UDP (this encompasses all 30+ UDP Reflection/Amplification DDoS Vectors)

So what’s the upshot for you? With Ransomware taking the center stage it’s easy to forget that threat actors are also wielding other tools to attempt to extort funds from companies.


US: Bill Gates Left Microsoft Board Amid Probe Into Prior Relationship With Staffer

Microsoft Corp. board members decided that Bill Gates needed to step down from its board in 2020 as they pursued an investigation into the billionaire’s prior romantic relationship with a female Microsoft employee that was deemed inappropriate, people familiar with the matter said.

Members of the board tasked with the matter hired a law firm to conduct an investigation in late 2019 after a Microsoft engineer alleged in a letter that she had a sexual relationship over years with Mr. Gates, the people said.

Bill Gates and Melinda French Gates announced earlier this month that they were ending their marriage.

So what’s the upshot for you? Bill, you mess around and Melinda will find out…


AU: I am seeing someone else’s security camera feeds on my phone?

“As per title. Seemed to happen a couple of hours ago. I am seeing someone else’s camera feeds using the app on Android. My wife who also has full access under her own email can see another person’s feed (2 devices, 2 different feeds) on her iPhone. The emails we used to register for the Android app are correct in both apps. Anyone experiencing this? I’m located in Sydney Australia and I have the 2C camera system from JB HIFI eufy 2C Wire-Free HD Security Cam with Home Base 2 Kit (2 cameras) | JB Hi-Fi”

So what’s the upshot for you? We keep wittering on about the security of security cameras, with this just being further proof.


US: Got a lost Uncle? Don’t post that on social media!

https://www.ic3.gov/Media/Y2021/PSA210514

This new trick has quickly risen to the number three position for scams ranked by the Feds.

The FBI warns the public of scammers seeking to extort family members of missing persons.

These actors identify missing persons through social media posts and gather information about the missing person and family to legitimize their ransom demands without ever having physical contact with the missing person. The criminal actor generally requests between $5,000 and $10,000 in ransom, with $7,000 requested in multiple instances.

“Offenders often claim the missing person is ill or injured, adding to the urgency of the situation and putting additional pressure on family members to pay the ransom,” the FBI warned.

So what’s the upshot for you? Where does this end? If you post your number and a photo of your lost cat on a telephone pole, should you expect a ransom demand?


BR: Bizarro banking Trojan expands its attacks to Europe

Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world.

Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.

Bizarro is distributed to Windows users via MSI packages downloaded by victims from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website.
When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites. When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which will be captured by the malware. Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser.

So what’s the upshot for you? Bizarro is yet another example of a South American banking trojan evidencing threat actors adopting new technical methods to complicate malware analysis and detection on Windows devices. Update, patch, and don’t click on unsolicited files and links. If it says it is from a bank, you can verify by going to the bank’s website and initiating communication from there. Note that most banks are hugely interested when they discover that someone is trying to compromise them or their customers.


Global: In 2020, Apple blocked over 200,000 apps from the App Store over privacy concerns

In 2020, the App Review team rejected over 215,000 apps for those sorts of privacy violations. Apple believes privacy is a fundamental right, and this commitment is a major reason why users choose the App Store.

Apple terminated 470,000 developer accounts in 2020 and rejected an additional 205,000 developer enrollments over fraud concerns.

In just the last month, Apple blocked more than 3.2 million instances of apps distributed illicitly through the Apple Developer Enterprise Program. The program is designed to allow companies and other large organizations to develop and privately distribute internal-use apps to their employees that aren’t available to the general public.

So what’s the upshot for you? As Apple fights court battles to retain their 30% margins on App Store transactions, expect lots of new PR to justify the App Store’s existence.


US: From the RSA Conference: Bruce Schneier Warns of the Coming AI Hackers
https://www.rsaconference.com/
https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html

“All systems of rules can be hacked,” Schneier said. “Even the best-thought-out sets of rules will be incomplete or inconsistent, you’ll have ambiguities and things that designers haven’t thought of, and as long as there are people who want to subvert the goals in a system, there will be hacks.”

Schneier highlighted a key challenge with hacking that is conducted by some form of AI: it might be difficult to detect. Even if the hack is detected, it will be difficult to understand what exactly happened.

Schneier noted that researchers are working on explainable AI, but he doesn’t expect it to yield any short-term results for several reasons. In his view, explanations of how AI works are actually a cognitive shorthand used by humans, suited for the way humans make decisions.

“Forcing an AI to produce a human-understandable explanation is an additional constraint, and it could affect the quality of its decisions,” he said. “Certainly in the near term, AI is becoming more opaque, less explainable.”
When AI systems are able to conduct malicious hacking activities, he warned, they will operate at a speed and scale no human could ever achieve.

“As AI systems get more capable, society will cede more and more important decisions to them, which means that hacks of those systems will become more damaging,” he said.

So what’s the upshot for you? That’s the key point, the more you cede reliance on something to someone or something else, the weaker your position when things go wrong. Take all the supply issues (e.g.: personal protective equipment) revealed during the Covid-19 pandemic as one example.


US: From the RSA Conference: Internet Misinformation

“Research shows that a false story reaches people six times faster than just the actual news or the truth.”

Among the many topics that are the target of misinformation on the internet today is public health related to the COVID-19 vaccine.

One rough estimate shows that misinformation on public health alone generated billions of social media views in a year. The impact of one such misinformation campaign was revealed in a UK poll reporting that 8% of UK residents believe that 5G technology actually spreads the coronavirus.

In the United States 27% of Americans are hesitant to get the COVID-19 vaccine, much in part due to manipulation campaigns.

“These theories are just a small part of the global infodemic that is running largely unchecked on social media platforms. It doesn’t have to be this way.”

The end game is to make you doubt everything you believe, which leaves you open to believing anything.

So what’s the upshot for you? Look out for sensational headlines. The fact that a topic is not being reported on traditional news media outlets can be a red flag. Traditional media outlets typically have to properly source and attribute news before it is published.
A couple of tools might also help. The Botometer at https://botometer.osome.iu.edu/ checks the activity of a Twitter account and gives it a score. Higher scores mean more bot-like activity.
Or try CrowdTangle, a public insights tool from Facebook to follow, analyze, and report on what’s happening with public content on social media.


US: Best 11 quotes from the cryptographers’ panel at the RSA conference

  • ‘Unplug it, baby.’ --Whitfield Diffie, in response to Ramzan’s question “If you could design a piece of [security] advice short enough to fit on a bumper sticker, what would that advice be?”
  • ‘It is astonishing to me how much energy is going into the commercialization of technology that doesn’t yet exist.’ --Ron Rivest, on quantum computing.
  • ‘This year, the focus in quantum computing has been two steps ahead, one step back.’ --Adi Shamir, mentioning that Microsoft recently backtracked on research they’d made three years ago that claimed an impressive “breakthrough” in quantum physics: that they had observed the existence of the elusive Majorana fermion.
  • ‘I’m entirely unimpressed’ --Ross Anderson, on quantum cryptography. “As far as quantum cryptography is concerned, I’m entirely unimpressed, because all you can do is rekey your encryptor and we’ve known how to do that for 40 years.”
  • ‘They took some decisions that defined the privacy for the whole world.’ --Carmela Troncoso, on mobile phone operating system companies’ (Google and Apple) role in the privacy of contact tracing applications.
  • ‘Machine learning [systems] are, at the moment, they’re totally untrustworthy.’ --Adi Shamir.
  • ‘Maybe the question we should be asking is not “can we make the machine trustable” but “can we make the ones [who] are using these machine learning [someone] we want to trust with them?”’ --Carmela Troncoso, on machine learning and the privacy risks posed by how companies collect the data they feed to ML tools.
  • ‘The company was being run by bankers as a cash cow.’ --Ross Anderson, on SolarWinds. “SolarWinds was a mature company. Once upon a time it was a keen start-up with lots of lively engineers, but recently it had become a monopoly and much of the technical expertise had been farmed to engineers in Eastern Europe. And so they weren’t caring as much about security as they used to.”
  • ‘Cryptographers are actually pretty terrible at designing resilient systems.’ --Ron Rivest. “The idea of rekeying and reauthenticating everyone is not one we talk about much. Overall I would give us a grade of C-minus, us cryptographers, on resilience. I think the systems we design tend to be brittle and tend to break if there’s a serious key compromise.” Shamir countered, “So I will actually give our system designers a D or an F. But I’ll give cryptographers an A.”
  • ‘It’s just rent-seeking by tech companies.’ --Ross Anderson, on the development of “vaccine passport” apps.
  • ‘I want to see numbers get factored.’ --Ron Rivest, on Claus Schnorr’s proposed algorithm for factorization that claims it could defeat the RSA cryptosystem.

So what’s the upshot for you? There’s not much that one could add to that except thanks to the RSA conference for keeping the lively conversations flowing!


And that’s it for this week! Stay safe, stay secure, and see you in Se7en.




An excellent post this week @rps Well done!

Related: One of the New Zealand District Health Boards is currently undergoing a ransomware attack, allegedly similar in scope and origin to the recent Irish attack.


Thanks Quidagis! I will look into the NZ HB attack. Personally, I think there should be a whole different penalty system for ransomware artists that attack healthcare facilities. I’ll refrain from a rant.

As always, we all really appreciate your participation and company here on discuss.daml.com!
