Cyber Security Today, March 19, 2021
Ransomware is an increasingly lucrative business for threat groups, according to the latest research from Palo Alto Networks' Unit 42 threat intelligence team. The report says that in the US, Canada and Europe the average ransom paid last year by victim organizations was just over $312,000. And that's the average. It is a 171 per cent increase over the average payout in 2019. The highest ransom paid last year was $10 million, and remember, not all ransomware incidents are reported. A large part of the increase is due to a shift in strategy to double extortion: not only encrypting data but also stealing it and threatening to release it to the public or to other criminals.
According to the leak websites run by ransomware gangs that claim to have stolen data, the United States was the most-hit country last year with 151 victim organizations, followed by Canada with 39, Germany with 39 and the United Kingdom with 26. Those counts cover only the gangs that publish stolen data. Other ransomware groups only encrypt data and demand payment for the decryption key, so the total number of corporate ransomware victims will be higher.
To protect against ransomware, the report says employee security awareness training is important, as is patching software as soon as security updates are available. Tightly configuring the remote access services employees use closes off that avenue of attack. And limit access to data to only those who need it.
There are plenty of ways to trick employees into opening malicious attachments. Claiming a document is an invoice, contains package shipping information or has news about salary increases are popular lures. Recently, COVID-related information has been used. The FBI warned this week of a new scam: emails containing a phony traffic violation notice. Open the attached document and the victim's device is infected with malware called TrickBot. It has a bunch of nasty capabilities for stealing passwords and data from devices, and gangs also use it as the first step in a ransomware attack. Make sure antivirus or anti-malware suites are up to date and that employees are trained to spot suspicious emails and texts.
Software and website developers sometimes have to put placeholders in pre-release code until their companies finalize certain things. For example, the final email or web address may not have been chosen yet, so something has to be put there temporarily. But a temporary placeholder can compromise security if it is not replaced with a valid address before release. According to security reporter Brian Krebs, a developer at Fiserv, a large US financial services firm whose products are used by banks, put a temporary, unregistered domain, "defaultinstitution.com", into an application. It was never replaced with a registered address when the application went live. An inquisitive researcher was able to register defaultinstitution.com and began receiving emails containing sensitive information. Had criminals registered it instead, they would have received those messages. The lesson is that developers have to check their code carefully before anything goes live, and that includes every hard-coded hostname and email address.
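One way to catch this class of mistake before release is a pre-commit or build-time scan that pulls every hostname and email domain out of the source tree and flags any that the organization does not actually own. The script below is an added example written for this page; it is not Fiserv's code or anything from the Krebs report. The allow-list of owned domains, the placeholder word list and the two sample source files are constructed for the example, with defaultinstitution.com standing in as the kind of placeholder the story describes.

```python
"""Pre-release scan for hard-coded hostnames and e-mail domains.

Added example for this page (not code from the podcast or any vendor it names).
Walks a set of source files, extracts every e-mail address and URL host, and
flags any whose registrable domain is not on the organization's allow-list of
domains it really owns. Placeholder names never ship unnoticed this way.
"""
import re
from typing import Dict, List, Tuple

# Domains the organization is known to own. Hypothetical values for the example.
OWNED_DOMAINS = {"example-bank.com", "examplebank.net"}

# Fragments that usually mark a stand-in name rather than a real one.
PLACEHOLDER_HINTS = ("default", "placeholder", "todo", "changeme", "test", "example")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A naive heuristic with no public-suffix
    list, so it is right for .com/.net style names but not for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_hosts(line: str) -> List[str]:
    """All e-mail domains and URL hosts found on one line of source."""
    return EMAIL_RE.findall(line) + URL_RE.findall(line)


def scan_source(files: Dict[str, str], owned=OWNED_DOMAINS) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, host, reason) for each host not on the allow-list.

    Hosts on owned domains are skipped; everything else is a finding, with a
    sharper reason when the name also looks like a placeholder.
    """
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for host in extract_hosts(line):
                dom = registrable_domain(host)
                if dom in owned:
                    continue
                if any(hint in dom for hint in PLACEHOLDER_HINTS):
                    reason = "placeholder-looking name"
                else:
                    reason = "domain not on allow-list"
                findings.append((name, lineno, host, reason))
    return findings


# Constructed sample sources: one real address per file, one placeholder per file.
SAMPLE_FILES = {
    "notify.py": (
        "FROM_ADDR = 'alerts@example-bank.com'\n"
        "# TODO: swap in the real institution address before release\n"
        "FALLBACK_ADDR = 'support@defaultinstitution.com'\n"
    ),
    "config.js": (
        "const API = 'https://api.examplebank.net/v1';\n"
        "const HELP = 'https://todo-pick-a-domain.example/help';\n"
    ),
}


def report(files: Dict[str, str]) -> List[str]:
    """Human-readable lines, one per finding, suitable for failing a CI step."""
    return [f"{f}:{n}: {host} ({why})" for f, n, host, why in scan_source(files)]


if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
```

Run as a CI step, a non-empty result should fail the build; the allow-list is the only thing a team needs to maintain, and any domain that is on it should also be verified as registered to the company, which is the part a regex cannot check.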
Finally, a report this week highlights how important identity and access management are to stopping certain attacks. The report, from the firm BeyondTrust, says that last year Microsoft disclosed over 1,200 vulnerabilities in its products, a record high. The most common type allowed an attacker who had compromised an employee's account, or created a new one, to expand their unauthorized access to data. This is called privilege escalation. The researchers found that 56 per cent of critical Microsoft vulnerabilities could have been mitigated by removing administrative rights from those who didn't need them. One way to control administrative rights is for the security team to implement a zero-trust framework. In short, employees aren't trusted with access to everything. They are limited to the data they need, and only when they need it.
Don't forget this afternoon's Week in Review edition of the podcast, with a guest commentator looking at the week's news. For technical reasons it will be released earlier than usual today, around 1 p.m. Eastern.
That's it for today. As always, links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That's where you'll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.