Categories: HIPAA Breach, Cyber Security, Healthcare IT, Information Security, Podcast

ProactiveIT Ep 27 – No One is Safe From Ransomware

May 1, 2020

This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus a rough week for WordPress, no one is safe from ransomware, and access management for healthcare.

This is Episode 27!  

Intro

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance, and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group. Search for "Get HIPAA Compliance".

Patch Tuesday Update:

Chrome 81 Released With 32 Security Fixes and Web NFC API
Firefox 75 released with Windows 10 performance improvements
Juniper Networks Releases Security Updates
Microsoft releases April 2020 Office updates with crash fixes
Hackers Can Compromise VMware vCenter Server Via Newly Patched Flaw
Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update
Microsoft April 2020 Patch Tuesday fixes 3 zero-days, 15 critical flaws
Intel April Platform Update fixes high severity security issues
Apple Releases Security Update for Xcode
More Updates
Apple Patches Two iOS Zero-Days Abused for Years

New This Week

Critical Security Patches Released for Magento, Adobe Illustrator and Bridge
A few more updates are available: Samba, Google Chrome and Juniper
VMware Releases Security Updates for ESXi
High-Severity Cisco IOS XE Flaw Threatens SD-WAN Routers

Cyber Security News

Hackers are exploiting a Sophos firewall zero-day

Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed

5 common mistakes that lead to ransomware

Microsoft Teams patched against image-based account takeover

Biopharmaceutical Firm Suffers Ransomware Attack, Data Dump

Millions of Brute-Force Attacks Hit Remote Desktop Accounts

Smart Parking Meter Company Hit by Sodinokibi

Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update

Topic 1: Ransomware attacks against key sectors fall amidst coronavirus outbreak

Topic 2: March 2020 Healthcare Data Breach Report

Topic 3: Average Ransomware Payments Soared in the First Quarter

HIPAA Corner:

https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus a rough week for WordPress, no one is safe from ransomware, and access management for healthcare. This is Episode 27.

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance, and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that's N-W-A-J tech dot com.

All right. First of all, thank you for listening to this podcast. Once again, wherever you're listening to this, if you could please like, share, comment, review, all of the above. Anything you could do would be greatly appreciated, and we would love virtual hugs for that. And if you're in a HIPAA-compliant business, please go to Facebook and in the search type in "Get HIPAA Compliance" and join that group, where we share lots of HIPAA information that will help your healthcare practice or your business associate remain in the HIPAA green. How about that?

We don't have a question of the week. I was sent a few questions, but they're mostly around Zoom and Google Classroom, things like that. I think we've talked enough about Zoom, so we're not going to discuss that here. I will say that Google has launched Google Meet, which is really just Google Hangouts rebranded, but they're trying to compete with Zoom, of course, and Facebook is launching a similar service through Facebook Messenger. So be on the lookout for those, and use whatever you think is appropriate for your business. But just know that Zoom has fixed most of the issues, I think all of the issues at this point. There were a few updates that we need to talk about.
So we're just going to add to the April update. I know today's May 1. Happy May, happy May Day, but there were some updates to discuss. So first of all, critical security patches were released for Magento, Adobe Illustrator and Adobe Bridge. You'll need to take care of those; they are critical severity. There was a bunch of WordPress updates this week. We're going to talk about some of them on this podcast today, but the WordPress core files were updated to 5.4.1, and they address seven different vulnerabilities that we're going to talk about later in this podcast. There were also updates from Cisco to address the IOS XE SD-WAN solution software. There were security updates from VMware for ESXi. Samba released some security updates. Google released another update to Google Chrome, so you should be on 81.0.4044.129; that is to address some security vulnerabilities. Juniper released updates. OpenSSL, no, that was back last week. Okay, so Juniper released updates. We told you about VMware ESXi, and we told you about Cisco. So lots of updates again this week; that is a big list of updates for the month of April, and so I will include the entire list in the show notes. If you need to apply those updates, please take care of it, because you're leaving yourself exposed. And if you're using WordPress, if you have any plugins, there were probably five or six this week that have a lot of installs with critical vulnerabilities that had patches, including a theme that is no longer supported. So get it updated. And if the theme is no longer supported, then remove it, replace it, because you're leaving your website exposed. Okay. All right.

Let's talk some news here. First up on ZDNet: hackers are exploiting a Sophos firewall zero-day. So, speaking of updates, Sophos releases emergency patch to fix SQL injection bug exploited in the wild impacting its XG Firewall product.
Cybersecurity firm Sophos published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers. Sophos first learned of the zero-day late Wednesday, April 22, after receiving a report from one of its customers. The customer reported seeing a suspicious field value visible in the management interface. After investigating the report, Sophos determined that this was an active attack and not an error in its product. The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices. Per the Sophos security advisory, hackers targeted Sophos XG Firewall devices that had their administration (HTTPS) service or the User Portal control panel exposed to the internet. Sophos said the hackers used the SQL injection vulnerability to download a payload on the device, which then stole files from the firewall. Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and for user accounts used for remote access to the device. It also included the firewall's license and serial number and user emails. So you can expect phishing attacks, by the way. Sophos said that passwords for customers' other external authentication systems, such as AD or LDAP, were unaffected. So that's good news. The company said that, during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG firewall devices, or anything beyond the firewall on its customers' internal networks.
Sophos researchers named the malware Asnarök. A detailed step-by-step analysis of the malware's features and modus operandi was published, and it's linked on the Sophos website, and then there is an infographic of what Sophos published. The patch was already pushed to customer devices. The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG firewalls that have the auto-update feature enabled. This hotfix eliminated the SQL injection vulnerability, which prevented further exploitation, stopped the XG firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack. So that has been taken care of by Sophos; good job there. For companies that had devices hacked, Sophos is recommending a series of steps which include password resets (I would reset your password either way) and device reboots: reset portal administrator and device administrator accounts, reboot the XG device, reset passwords for all local user accounts, and although those passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused. So, in other words, even though it's hashed, the hash may already have been cracked and is sitting on a dark web forum somewhere. So change your password.

Also on ZDNet: contact tracing apps unsafe if Bluetooth vulnerabilities not fixed. So we've been talking about contact tracing apps for COVID-19, right? So essentially, it's an app, and Google and Apple have both said that they will include it in an operating system update down the road, a few months down the road. There are concerns that Bluetooth is not stable enough to handle something like this.
With governments increasingly looking to use contact tracing apps to help contain COVID-19, such initiatives are likely to spark renewed interest in Bluetooth attacks, which means there is a need for assurance that these apps are regularly tested and vulnerabilities patched. As more governments turn to contact tracing apps to aid in their efforts to contain the coronavirus outbreak, cybersecurity experts are warning this may spark renewed interest in Bluetooth attacks. They urge developers to ensure such apps are regularly tested for vulnerabilities and to release patches swiftly to close potential holes, while governments should provide assurance that their databases are secure and the data collected will not be used for purposes other than as originally intended. So when I first read about this, the potential of this happening, I did of course express my concerns. There's a track record that any time apps are developed to hold sensitive information, that sensitive information gets exposed. So there is concern, of course, about using Bluetooth, which has been compromised before; refer to bluesnarfing, and I think bluejacking was the other thing, but you've heard of these things before. We've all heard of Bluetooth being compromised, and we all know to be careful of where we have Bluetooth turned on and what's near us and what's shareable and so forth. Well, this is another thing that scares people, right? And I did see another article somewhere that said only about half of people polled would be for using this type of technology. And I can understand the concern; I completely understand the concern. So, something to think about.

Naked Security by Sophos: five common mistakes that lead to ransomware. Ransomware is down so far this year. That's the good news. The bad news is that is not a trend that will continue.
I'm sure it will pick up again. A lot of the focus right now is on COVID-19. There may have been ransomware attacks; there are a lot of reasons why ransomware could be down right now. One is, you know, some of them promised not to hit healthcare during this pandemic. Another one is a lot of businesses are shut down right now, so they may have ransomware sitting in their environment and not even know it. It's a little bit harder to get into an enterprise environment right now if people are working from home, though not completely impossible. So there's a lot of variables there. But here's what you can do to protect your business from ransomware. The first one, this is again on Naked Security by Sophos: protect your system portals. This is what happened with Target, and a third-party vendor was involved, but this is exactly what happened with Target. Crooks often sneak in by looking for remote access portals such as RDP and SSH that aren't properly secured, perhaps because they were set up temporarily but then forgotten about. Learn how to scan your own network from the outside and make sure that any services that are open and listening for connections are supposed to be there and that they're on a regular security checklist. So in other words, if you have Telnet open, close it, because nobody uses Telnet anymore. And I should clarify my statement. So the Target hack was a few years ago, 2015 if I'm not mistaken, and I could be wrong. But a third-party company was compromised, and that led to a hack of a portal that they used for Target, and then the hackers got into the Target internal system. Now it's not entirely the third-party vendor's fault; it's probably more Target's fault than the third-party vendor's. But that's how they got into a portal. Number two, pick proper passwords.
We've talked about passwords, we've talked about strong passwords: that means uppercase, lowercase, numbers and special characters, and the longer the better. Use a password manager. Don't reuse passwords. And I'm not sure if it's here, but use multi-factor authentication. It's not here, but use multi-factor authentication wherever possible, wherever possible, I don't care what it is. It is here, I'm sorry, two-factor authentication. Use it on your email, use it on your social media, use it on your portals, whatever they are, whether it's a CRM or a payroll portal or whatever it is, use it. Number three, peruse your system logs. And this is one that's overlooked a lot. Many, if not most, ransomware attacks don't happen instantly or without warning. Crooks usually take some time, often days and sometimes longer, to get a picture of your entire network first. That's how they make sure that when they finally pull the trigger that initiates the attack, they will get the destructive result they want for the ransom they plan to demand. So there will often be numerous telltale signs in your logs, such as the appearance of gray-hat hacking tools that you wouldn't expect your own users to need or use, sysadmin operations such as creating new accounts that happen at unusual times, and network connections from outside that don't follow your usual pattern. The Sophos Managed Threat Response team can help you here; of course, this is an ad, but you know, you have some logs out there, where they collect logs from the network and look for certain types of activity, and then you review it and act on it as you feel necessary. Pay attention to warnings, and that's number four. If you've set up your alerting system to shout at you all the time, you will almost certainly end up with alert fatigue. This is a very real thing. If you get 100 alerts and 98 of them are just a waste of time, you need to adjust your alerting to remove those 98.
But be careful not to assume that otherwise interesting warnings can be ignored if they mention a potential threat was already blocked. Often, threats that pop up on your network aren't just chance events; they're evidence that crooks are already poking around cautiously to see which actions set off what alarms, in the hope of pulling off a much bigger attack later on. And number five, patch early and patch often. Don't leave yourself exposed to potential holes for longer than necessary. So as a rule, we test patching as soon as it rolls out, especially for operating systems, and apply it when we think it's safe, but usually by the end of the same week that the patches came out. So it comes out on a Tuesday; by the weekend it's patched on all of our client machines. Some things like browsers are updated immediately. Anti-malware, what we use is updated automatically. Things like that get taken care of as quickly as possible.

BleepingComputer reports Microsoft Teams patched against image-based account takeover; here's another update. After looking at how Microsoft Teams handles image resources, security researchers found a way to take over accounts by sending recipients a regular GIF. The method could have been used for desktop and web versions of Teams to get access to multiple accounts at once and steal conversations and threads. Controlling a subdomain under teams.microsoft.com was the main condition for the attack, and researchers had two to choose from. Microsoft received a report about the vulnerability and pushed mitigations to prevent the attack. So Microsoft had a vulnerability with Teams that could have been exploited just by sending a GIF. It's been addressed; no longer an issue.

On DarkReading.com, we've actually talked about this a few times this week. So ExecuPharm, which is a pharmaceutical clinical research organization, was hit with a ransomware attack.
This article that I have here, that we'll link to, was the first of three that I've reviewed. The data that was compromised was personally identifiable information and potentially PHI for ExecuPharm and also for its business partner, PAREXEL. It turns out it was the Clop ransomware group, and they stole data, quite a bit of data actually, and have now posted it on the dark web because ExecuPharm has not paid the ransom; no clue what the ransom amount is. This is a HIPAA violation, a HIPAA breach, by the way, and it is a data breach. So make no mistake here: they exfiltrated the data; that makes it a data breach. So they have the data, they posted it on the dark web. ExecuPharm is not playing nice. No idea how much the ransom request is, no idea how it happened or anything. So there will be more information to follow on this. But we're seeing more and more of this, and it was actually three, we'll talk about it later in the show, but three healthcare breaches resulting from ransomware were reported just yesterday.

Threatpost reports millions of brute-force attacks hit Remote Desktop accounts. So brute-force attacks have increased dramatically against Remote Desktop. Automated attacks on Remote Desktop Protocol accounts are aimed at taking over corporate desktops and infiltrating networks. So Remote Desktop, if you're not familiar with Remote Desktop Protocol, is Microsoft's way of being able to connect back to another Windows machine in another location. And if set up properly, it's fairly secure. In other words, it should be done over VPN, with strong passwords and multi-factor authentication and so forth. But what happens is most people don't do those things. And I personally witnessed a municipality here in Connecticut that's not doing it, a rather large municipality at that.
So there has been a rash of brute-forcing attempts aimed at users of Microsoft's proprietary Remote Desktop Protocol, striking millions per week. So that's a lot. The attacks are likely an offshoot of cybercriminals looking to take advantage of the unprecedented numbers of employees working from home. So more people are working from home; more people are probably using Remote Desktop. And here's what they do. They have lists of usernames and passwords. They drop them into a script; the script runs automatically in the attempt to brute force. How do they know where to go? They look for open port 3389 by using Nmap or something similar to scan. And if 3389 is open, now they run the script. It's really not that complicated. It's really that easy, a script that you can get easily on the internet.

On Hot for Security by Bitdefender: smart parking meter company hit by Sodinokibi. I thought this was interesting, and it's part of the title for the podcast today, you know, the part that says no one is safe from ransomware. So here we are: we have parking meters that were hit with a ransomware attack. A company named CivicSmart from Milwaukee that's selling smart parking meters was hit by Sodinokibi ransomware. And Sodinokibi is one of those ones that will exfiltrate your data and then put it on the internet for the whole world to see if you don't pay your ransom, and the attackers managed to steal a large amount of data, which they then use for further leverage. These days, it seems that the most affected industries have something to do with the coronavirus when it comes to cyber attacks; healthcare organizations are getting it left and right, even if they are working on a possible vaccine against the virus. Unfortunately, bad actors don't stop even in these troubling times and will use any weakness they find in a system. The CivicSmart attack was perpetrated with Sodinokibi ransomware and followed the exfiltration of 159 gigabytes of data.
So there is a lot of data. Usually this kind of action comes from the attackers using Maze, which we know is not true anymore; there's probably six or seven ransomware operators that are using this method now, but it looks like it's now being employed by other groups as well. According to a Scoop News report, the attack took place back in March, but the company remains silent and chose to pay the ransom and retrieve the files. So that makes it a data breach, by the way. According to initial reports, the leaked data included employee records, bank statements, credit card numbers of customers, and even contracts with cities and parking garage vendors. A smart parking system is a great idea, and it's used in many cities around the world. But like any other service that deals with credit card payments and other sensitive data, security must never be in second place. The new strategy used by attackers to steal data from affected systems seems to be used more widely in the past few months, and it's slowly becoming the new norm in cyber attacks. The other problem is that the company didn't say anything about the attack and data leak even after it presumably paid the hackers. That just means that people's financial and personal data were compromised, but they have no idea about it, leaving them exposed to fraud and other hacks. So what should be happening is you should be getting credit monitoring services; you should have been notified. And this is why, you know, I know regulation in a lot of ways sucks, but we need a national, federal-level data protection plan like the GDPR and the CCPA. Not all states, in fact most states in the United States, do not have something like the CCPA. California and New York do, and a couple of other states do. Most states do not. I don't know if Milwaukee does or not; I don't believe they do. But that's why we need it.

And then finally, we talked a little bit about the WordPress update to 5.4.1.
So if you're using WordPress, which I believe roughly 40% of all websites are now, you should be on version 5.4.1. And here are some of the security issues. Password reset tokens fail to be properly invalidated: if a password reset was requested for a user, but they then logged in and manually updated the password on the profile page, the emailed password reset link could still be used. Previously, the password reset link would only be invalidated if the user changed their email address. There's not many circumstances in which this type of issue could be problematic unless an attacker already had access to the victim's email account, which would effectively be a worst-case scenario. And that would be pretty bad if you did. Certain private posts can be viewed by unauthenticated users: the changeset had the following commit comment, "ensure that only a single post can be returned on date/time based queries." This indicates that it was possible for an attacker to view private posts by using date- and time-based queries, though only for protected posts that were created or updated at the exact same time, down to the second, as an unprotected post. Two cross-site scripting issues in the Customizer: these vulnerabilities appear to allow for corruption of post content by various users and could allow for the addition of malicious JavaScript by an authenticated attacker with contributor capabilities.
A user with the ability to write posts, such as a contributor or an author without the unfiltered_html capability, and an administrator or editor could corrupt data from each other's drafts, potentially adding malicious JavaScript to a preview or final version of a post. Cross-site scripting issue in the search block: this actually appears to refer to two separate vulnerabilities with the same mechanism in both the RSS block and the search block. An attacker with the ability to customize the class of either of these blocks, such as a contributor, could potentially set the block class in such a way that malicious JavaScript would be executed when viewing or previewing the post. Cross-site scripting issue in WP_Object_Cache: object caches are used to save trips to the database by caching content from the database and making the cache contents available by using a key, which is used to name and later retrieve the cache contents. In a few edge cases, an attacker with the ability to change object cache keys might be able to set one of these cache keys to malicious JavaScript. By default, WordPress does not display the stats, nor does it allow users to directly manipulate cache keys. It is possible that an improperly programmed plugin or combination of plugins could allow an attacker to manipulate a cache key, resulting in a non-escaped value being displayed to an administrator viewing the stats via a plugin or custom code designed to display them. Cross-site scripting issue in file uploads: a particular vulnerability could allow a user with the upload_files capability (authors and above in a default installation) to upload a file with the file name set to malicious JavaScript, which might be executed when viewing the file in the Media Gallery. An authenticated cross-site scripting issue in the block editor: this vulnerability existed in a few of the release candidates and does not appear to have been present in the official release.
It was discovered by Nguyen The Duc in WordPress 5.4 Release Candidate 1 and Release Candidate 2, and it was fixed in 5.4 Release Candidate 5. So those are your seven vulnerabilities that were addressed, six of them being cross-site scripting issues. Update to WordPress 5.4.1. It is not easy to find websites that are not on the latest version. If you're not, you're putting yourself and your website at risk.

All right, we're gonna talk some numbers now for hot topics for the week. The first one I've already touched on a couple times in this podcast: ransomware attacks against key sectors fall amidst coronavirus outbreak. This is on TechRepublic.com. Campaigns against government agencies, educational establishments, and healthcare providers aren't proving as successful as expected, says security firm Emsisoft. Cybercriminals who deploy ransomware are always on the hunt for new victims. That's true even during a time of crisis such as the coronavirus pandemic. Though some ransomware gangs have vowed to hold off on attacks against hospitals and healthcare providers as the world battles COVID-19, others are still trying to make a profit out of any potential victim. But as the virus has spread, the number of successful ransomware attacks against certain sectors has actually declined, according to a blog post published Thursday by Emsisoft. In 2018, 966 government agencies, educational establishments and healthcare providers in the US were hit by ransomware; projections called for the same or worse numbers for 2020. But for the first quarter of the year, only 89 such organizations were affected by ransomware. So you're looking at a 270, which is a significant drop-off. I'm sorry, not 270; it would be 360. So that's a little more than a third of what it was last year.
However, as you'll hear, that probably will not remain, reducing the number to a level not seen in several years. Drilling down on the results, ransomware attacks during the first quarter hit 38 government agencies, 26 educational establishments, and 25 healthcare providers. So now here's the thing. A lot of government agencies that are considered not essential are shut down right now. All the schools are remote at this point, so some of them are closed. And then healthcare providers, you know, some of the ransomware operators have promised not to hit them. I don't believe that that's going to be the case, but that's what they promised. This decline has continued into the start of the second quarter, with three government agencies, two educational facilities and two healthcare providers victimized by ransomware. Now, we just learned about three more healthcare providers a couple days ago. So whether or not the overall number of ransomware attack campaigns has fallen, why has the level of successful attacks against the three mentioned sectors declined? Emsisoft points to a few factors. First, many government, educational and healthcare organizations have suspended non-essential services during the coronavirus outbreak, leaving a smaller attack area for ransomware. Second, while people working from home may be new targets, they also represent different challenges for ransomware attackers, as criminal groups are limited by available personnel and resources and can't always modify their operations as quickly as desired. And third, many organizations are suffering financially as a result of the COVID-19 outbreak. As such, they simply can't afford to pay huge sums of money to attackers demanding a ransom. In a note posted recently on its website, a ransomware group said, "We're living in the same economic reality as you are. That's why we prefer to work under the arrangements and we are ready for compromise."
Though the number of successful ransomware attacks in the public sector has fallen, attacks against the private sector have remained at around the same level during the coronavirus outbreak. Further, even the decline against government, schools and healthcare providers is likely temporary, and Emsisoft believes the level of attacks will ramp up as the year progresses. The government should, as noted in a 2019 report, seek to bolster security in these sectors and should do so as a matter of urgency, Emsisoft said in a blog post. This is critical given that the COVID-19 pandemic could amplify existing security risks around the upcoming election, especially as some states have reallocated election security budgets to fund efforts related to COVID-19. So it is an interesting warning, and I think it's a legitimate warning. I don't think this is going to be the trend for the whole year. We're going to see a jump when the ransomware groups figure out how to get around the work from home and into the enterprise environments and into the healthcare environments and the government agencies and the schools and so forth. And the schools are changing a lot right now, so that's likely to leave vulnerabilities. And the other piece of that pie is, we don't know. There may be ransomware sitting, waiting anywhere. And so they're changing their mode. And the interesting thing, the flip side of this, is that malware has been reported as up, an increase of 30,000%. A lot of times that malware will lead to a ransomware attack. Phishing has seen an 85% increase since the beginning of the year. So phishing, as we know, 90% of phishing leads to ransomware, or 90% of ransomware attacks begin with phishing. So it's not that it's not happening; it will happen. So don't let your guard down; don't become the next victim simply because you think ransomware attackers have given up. Now let's talk about the bad side of the ransomware story for 2020.
So far, this is on Dark Reading: average ransomware payments soared in the first quarter. Criminals extorting large amounts of money from big enterprises pulled up the overall average significantly compared with the fourth quarter of 2019, Coveware says. The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world. New data from Coveware on ransomware attacks in the first quarter of this year showed that, compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.

Are you prepared to pay $111,000 to someone because you didn’t secure your system? You know how much salary that is right there, and then there’s other fallout after the fact. Now it’s a data breach, potentially, and lawsuits and whatever else exists out there.

The increase in average amounts, by the way, reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with small and medium-sized businesses. This year’s first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware’s study was just $12,762, or less than a tenth of the current average. So you can see a big increase over the last year. “Ransomware is an economics-driven industry,” says Bill Siegel, CEO and co-founder of Coveware. “Right now the economics are very favorable to cyber criminals.” Coveware’s data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and resulting economic disruption to go after businesses. The attacks resulted in downtime of around 15 days on average for victims, down marginally from the previous quarter but still disturbingly high.
Coveware said many of the attacks involve data exfiltration as well, and that’s where you get yourself into trouble. Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware, but insecure Remote Desktop Protocol access points, which are available in dark markets for as little as $20, are even more popular and continued to represent the most common ransomware attack vector last quarter. Combined with cheaper ransomware kits, the low cost of carrying out attacks on machines with open RDP is too economically lucrative for criminals to resist, Coveware said. Now, we just told you that there are over a million brute-force attempts on RDP per week right now.

As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year’s first quarter. Public sector entities, including schools and local governments, another top ransomware target in previous quarters, attracted a lot of attention in the first quarter of 2020 as well, but in a break from pattern, almost 50% of ransomware attacks on this category were directed at schools. According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase the chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said. Even as some threat actors stopped targeting healthcare, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.
The payoff. Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization would even consider paying a ransom is if the business would fail or falter if it doesn’t, says Siegel. “It is the option of last resort,” Siegel says. “Only if your business is at risk of permanent damage because the data loss will be so severe should a ransom be considered.” He says Coveware’s data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. 99% of businesses that paid a ransom last quarter got a working decryption key for unlocking their data. The average data recovery with these keys, though, dipped modestly to 96% in the first quarter of 2020, compared with 97% in the prior quarter. So in other words, you have a 96% chance of getting your data back if you pay the ransom.

Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families, particularly Ryuk and Sodinokibi, have tended to target larger organizations. At the other end of the spectrum, some ransomware variants such as Mespinoza and DeathHiddenTear caused data loss when encrypting data and had decryption keys that were buggy as well.

So, of course, the larger ransomware families will give you the data back, because if they don’t, then the next enterprise environment that they hit isn’t going to pay the ransom. Why would they, if you’re not going to give the data back? Don’t pay the ransom. But as it says in the article, it is strongly discouraged, because it does paint a bigger target on you. It’s interesting.
There’s some contradicting information here that says, you know, healthcare and schools were targeted heavily again in the first quarter, but then we just read in a previous article that they were down significantly. So I’m not sure where the data comes from, but there you have it.

We do have the March 2020 HIPAA breach report. So the numbers for March: not great. March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches, and a 45.8% reduction in the number of breached records. But that’s from February, when February was one and a half million records breached. Now, the number of data breaches of 500 or more records was 36 for the month of March, which is average for the year so far. We had 39 in February and 33 in January. A little bit lower than 2019 for the most part; only a couple of months were lower than that. There were 128,921 records breached, and we have the top 10 breaches. Nine of them were hacking or IT incidents. All were healthcare providers except for, I’m sorry, there were two business associates in the top 10, Stephen C. Dean and OneDigital Health and Benefits. The OneDigital Health and Benefits one was a theft. I’m not sure, I don’t recall seeing that breach reported, so I’m not sure what the theft was, but I’d have to guess a laptop or some unencrypted device. Remember, if your device is encrypted, it does not count as a HIPAA breach if it’s stolen or lost. But if it’s not encrypted, then it becomes a HIPAA breach, and you have to report it.
So the number one breach was Ambry Genetics Corporation, a healthcare provider, 232,772 individual records, all the way down to number 10, Washington University School of Medicine, which is also a healthcare provider, 14,795.

Causes of March 2020 healthcare data breaches: unauthorized access or disclosure was nine, theft six, loss two, hacking/IT incident 19. And this should come as no surprise, but again, here we go. Location of breached PHI: other was one (I’m not sure what that means); other portable electronic device, which could have been the stolen device, two; electronic medical records two; desktop computer, which could have also been stolen, three; email 18; network server nine; paper/films four; and laptops three, and again, that could have been the stolen device. 18 for email again. I think it was almost 40% of all the breaches. I just don’t understand why we’re not taking care of it. We’re not taking care of it, though. It’s not happening. We continue to see phishing attacks succeed time and time again.

The breaches by covered entity type: so we have 26 healthcare providers, six business associates, which seems to be growing, three healthcare plans, and one healthcare clearinghouse. So business associates are outpacing healthcare plans and clearinghouses combined: six business associates versus health plans and healthcare clearinghouses combined at four. OCR did say it would be increasing enforcement against business associates. Now, that was before the COVID-19 pandemic. So whenever things do settle down, you can expect to see some enforcement.

Transcribed by https://otter.ai
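On the RDP point made in the episode (insecure RDP as the most common ransomware vector, and the volume of brute-force attempts against it), here is an added example that is not part of the podcast, of Nwaj Tech, or of the Coveware and Emsisoft reports discussed: a small Python detector that reads Windows Security event 4625 (failed logon) records and flags source addresses that hammer RDP, reporting how many distinct accounts were tried so password spraying is visible. The records are constructed; the field names mirror a real 4625 event (TargetUserName, IpAddress, LogonType, TimeCreated) but every value, address and account name is made up. The one real-world caveat built in is that with Network Level Authentication enabled, a failed RDP logon is recorded with LogonType 3 (network) rather than 10 (RemoteInteractive), so a detector that only watches type 10 misses most of this traffic.

```python
"""Flag RDP brute-force and password-spray activity from Windows Security
event 4625 (failed logon) records.

Added example for this page; not code from the podcast, Nwaj Tech, or the
Coveware/Emsisoft reports it discusses. The records below are constructed:
field names mirror the EventData of a real 4625 event (TargetUserName,
IpAddress, LogonType) plus the event's TimeCreated, but every value is
made up (RFC 5737 test addresses, invented account names).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Caveat: when Network Level Authentication is on, a failed RDP logon is
# logged with LogonType 3 (network), not 10 (RemoteInteractive), so a
# detector that only watches type 10 misses most modern RDP brute force.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample: eight failures from one Internet address against six
# different accounts in 43 seconds (a spray), one typo from a LAN
# workstation, one console failure (LogonType 2), and one success (4624).
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-04-28T02:15:01", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:03", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:05", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "scott", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:09", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:12", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:20", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "sql", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:31", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "test", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T02:15:44", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2020-04-28T08:02:10", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "sgombar", "IpAddress": "192.168.1.50"},
    {"TimeCreated": "2020-04-28T08:03:00", "EventID": 4625, "LogonType": 2,
     "TargetUserName": "sgombar", "IpAddress": "-"},
    {"TimeCreated": "2020-04-28T08:03:15", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "sgombar", "IpAddress": "192.168.1.50"},
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=600,
                          spray_accounts=3):
    """Return one alert per source IP that produced `threshold` or more
    failed RDP logons inside any sliding interval of `window_seconds`.

    Each alert lists the distinct accounts tried and marks the source as a
    password spray when that count reaches `spray_accounts`.
    """
    window = timedelta(seconds=window_seconds)
    failures_by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        if int(ev.get("LogonType", 0)) not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress", "-")
        if ip in ("-", "", "::1", "127.0.0.1"):  # console/local noise
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        failures_by_ip[ip].append((when, ev.get("TargetUserName", "")))

    alerts = []
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        # Two-pointer sliding window: the largest run of failures whose
        # first and last timestamps are at most `window` apart.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            accounts = sorted({user for _, user in attempts})
            alerts.append({
                "source_ip": ip,
                "failures": len(attempts),
                "peak_in_window": peak,
                "accounts_tried": accounts,
                "spray": len(accounts) >= spray_accounts,
            })
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password from the LAN workstation never reaches the threshold and produces no alert, while the Internet address that tries six accounts in under a minute is flagged as a spray. The threshold and window are tuning knobs: a tight window with a low threshold catches fast automated tooling, a long window catches slow, patient guessing; running both against the same feed is a common compromise. None of this replaces the underlying fix the episode points at, which is not exposing RDP to the Internet at all.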

Author: Scott Gombar