Natural Gas Compressor Facility Shut Down After Ransomware Attack

The Department of Homeland Security (DHS) announced this week that a ransomware attack shut down a natural gas compressor facility for two days. While in the network, the attacker deployed software trying to “identify critical assets” before setting off the ransomware and in the process, may have also disabled detection processes in place to identify the ransomware. The date of the attack was not specified.

According to DHS, this attack is illustrative of the many attacks that are recently targeting energy and other critical infrastructure. The attack started through spear phishing emails that included malicious links. The attack allowed the intruder to access the information technology system, and because the IT system was not segmented from the operational technology (OT) system, the attacker was able to access the OT system as well.

Although the attackers were not able to obtain control over the facility, the facility implemented a controlled shutdown because the operator was unable to access and read operational information in real time. Unfortunately, according to reports, the facility’s emergency response plan did not address risk and response to cyber-attacks.

It is imperative that emergency response, incident response, contingent operations and disaster recovery plans all anticipate and are able to respond to cyber-attacks. DHS further urged critical infrastructure organizations to:

  • include cyber-risk planning in their incident response strategies;
  • practice failover to alternate control systems (back-ups);
  • conduct tabletop exercises to train employees, identify technical and human points of failure for operational visibility; and
  • recognize the safety implications of cyber-attacks, among other steps.

These are all basic cyber-hygiene practices that critical infrastructure facilities and operators may wish to consider implementing, particularly because of the devastation that could result from a significant cyber-attack.

Yearly Data Breach Reporting Due to OCR by February 29

Every year, we remind our readers that the HIPAA data breach notification regulations require covered entities to notify the Office for Civil Rights (OCR) of any reportable data breaches that involved fewer than 500 individuals and have not already been self-reported within 60 days following the calendar year. That means that covered entities are required to provide notification to the OCR of data breaches under 500 by February 29, 2020. So this deadline is not missed, many covered entities elect to provide notification to the OCR simultaneously with individual notice, no matter how many individuals are involved.

For those covered entities that wait until the end of the year to report smaller data breaches, now is the time to access the OCR website and report those incidents. The OCR self-reporting website can be accessed here.

Judge Rejects $4 Million TCPA Settlement

This week, a Pennsylvania federal judge refused to approve a proposed $4 million settlement for violations of the Telephone Consumer Protection Act (TCPA) because it would provide the 67,000 class members with only $35 each. In the 50-page opinion, U.S. District Judge Michael Baylson said that Flagship Credit Acceptance LLC (Flagship) ought to be able to provide a significantly higher amount of compensation to the alleged victims for its automatic telephone calls in violation of the TCPA.

Judge Baylson said, “Flagship’s most recent press release reported that its portfolio of managed receivables has grown to $2.9 billion, so class members may reasonably be left wondering why a company with almost $3 billion in assets can only afford a $4 million settlement.”

The judge further stated that “de minimis class action recoveries,” like this one under the TCPA, may not be worth the significant administrative and logistical burdens faced by many courts, especially when the case results in only a small award for the affected individuals.

The lead plaintiff, Robert Ward, and his attorneys, informed the court of this settlement in July 2019, which also included a $1.3 million portion for attorneys’ fees and a $10,000 incentive payment for Ward. However, Judge Baylson ruled that there was insufficient evidence that $4 million was a reasonable amount for Flagship to pay, especially where the TCPA allows for statutory damages of $500 for each call in violation of the Act. Judge Baylson added that there has been insufficient inquiry into whether Flagship’s insurance would pick up any part of the settlement. Until the parties are able to address his concerns or provide sufficient evidence that this settlement amount is fair, the proposed settlement is denied.

This is an interesting decision in a TCPA class action case and could have some effect on future TCPA class action settlements.

Privacy Tip #227 – Sextortion Ransomware

Criminal minds are creative, and new ransomware strains show just how creative cyber-attackers can be. A new strain of ransomware, dubbed Ransomwared, requests a different kind of payment from the victim than the typical bitcoin request. Instead of paying for the decryption of data, or to prevent cyber-attackers from releasing private photos they have obtained through the attack on the Internet, attackers using Ransomwared request that the victim send them explicit and compromising photos as payment.

This is a double whammy for the victim, depending on how vulnerable the victim might be. If the attacker has access to the victim’s data, and the data include compromising photographs, paying the attackers with additional compromising photographs is an untenable position. Providing additional photos to the attackers, which then may be leaked publicly, only adds to the problem.

Security researchers at Emsisoft report that Ransomwared is not very sophisticated, and it has published a fix to assist victims. It is a good reminder that there are fixes to many strains of ransomware which are available to the public through the No More Ransom Project.

Ransomware continues to be extremely problematic for companies and individuals. Although there is a fix to Ransomwared, it shows the lengths to which criminals will go to torture victims and exert power over them.

Over 30 Data Breach Incidents in Health Care Reported to HHS Thus Far in 2020, Affecting Over 1 Million Individuals

Health care organizations continue to be a popular target for hackers. According to information from the U.S. Department of Health & Human Services (HHS), more than 30 reports of data breaches were filed by health care entities in the first month and a half of 2020. Although a few reported breaches involved theft or improper disposal of information, the majority of the reported breaches concerned hacking/IT incidents and unauthorized access or disclosure.

HHS is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Cumulatively, the breaches reported through February 13, 2020, potentially affect over 1 million patients. The largest breach involving a hacking/IT incident was reported by health care provider PIH Health, with nearly 200,000 individuals affected. Other significant hacking/IT incident breaches reported included one by a hospital in Minnesota that affected over 49,000 individuals, one reported by a health care provider in Maine that affected 33,000 individuals, one involving an orthopedic group in Texas that affected just over 30,000 patients, and another by a rehabilitation facility in Oregon that affected over 25,000 individuals. In most of these larger breaches, hackers targeted emails, although one breach involved a network server.

While theft was reported as the cause of breaches in only a handful of cases, it was the cause of the largest health care data breach reported thus far this year. Health Share of Oregon, a health plan, reported that more than 650,000 individuals were affected by a breach attributed to the theft of a laptop. This underscores the importance of keeping such devices secure and the data encrypted.

All of these breaches are currently being investigated by the Office for Civil Rights at HHS. Information on reported breaches is regularly updated and available for review on the HHS Breach Portal.

Ransomware Attacks Predicted to Occur Every 11 Seconds in 2021 with a Cost of $20 Billion

Confirming what we are seeing in the field, cybersecurity firm Cybersecurity Ventures has predicted that, globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds, down from every 14 seconds in 2019. That figure is based on historical cybercrime figures. It is estimated that the cost of ransomware to businesses will top $20 billion in 2021 and that global damages related to cybercrime will reach $6 trillion. Yes, that is with a “T.”

The estimate includes the cost to restore and mitigate following a ransomware attack, and is not limited to actual ransom payments. The recovery cost from a ransomware attack is substantial, and companies would do well to consider these costs when budgeting over the next few years.

It is reported that 91 percent of cyber-attacks begin with a spear-phishing email, which is instructive to businesses regarding the importance of educating employees to not rely on email and to be highly vigilant about all email traffic, links and attachments. Our experience confirms that the attack vector in a very high percentage of ransomware attacks is through phishing emails. These statistical predictions are staggering and worth noting for planning for effective risk reduction through security measures, employee education, and cyber liability insurance coverage.

Frequency and Cost of Insider Threats Continue to Increase

The Ponemon Institute recently issued its 2020 Cost of Insider Threats Global Report (Report), which finds that the frequency and cost of insider threats continues to increase. Sponsored by ObserveIT and IBM, the 2020 Report is the third consecutive one to study insider threats and their impact on businesses in terms of frequency, cost, and time to recover. “Insider threats” are defined as:

  • A careless or negligent employee or contractor
  • A criminal or malicious insider or
  • A credential thief.

According to the Report, the “key takeaway is that, across all three insider threat types…both the frequency and cost of insider threats have increased dramatically over the course of two years….the overall cost of insider threats is rising , with a 31 percent increase from $8.76 million in 2018…to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018…to 4,700 in 2020.This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared with external threats.”

Although negligent insiders caused more incidents than any other type (62 percent of all incidents), credential theft actually cost companies the most. The average cost of an insider threat incident caused by a negligent or careless employee is $307,111, while the theft of users’ credentials cost an average of $871,686, and the theft of privileged users’ credentials (25 percent of all incidents) cost an average of $2.79 million. Criminal and malicious insiders (14 percent of all incidents) cost organizations an average of $756,760 per incident.

A significant cost associated with insider threats is attributable to the investigation of the incident, which includes monitoring and surveillance, incident response, containment and remedial actions. The average cost of the investigation following an insider threat increased 38 percent over the past two years, to $103,798.

In addition, the Report states that “it takes an average of 77 days to contain each insider threat incident. Only 13 percent of incidents were contained in less than 30 days.” The fastest growing industries for insider threat included the retail industry and financial services.

The Report outlines several risk factors that companies may wish to consider in determining the risk for an insider threat, which include: 1) employees are not trained on laws or regulatory requirements related to their work that affects the organization’s security; 2) employees are unaware of steps to take so their devices are secured; 3) employees are sending highly confidential data to an unsecured location in the cloud; 4) employees break the company’s security policies to simplify tasks; and 5) employees expose the organization to risk if they are not keeping devices patched and upgraded.

These are valuable tips for companies to consider when allocating resources to invest in cybersecurity. Employees and insider threats continue to top the list of risks, and providing employees and contractors with education and tools, and implementing measures to catch malicious or criminal insiders are important components of a risk management program.

Ransomware—to Pay or Not to Pay and Should We Get a Bitcoin Wallet Just in Case?

There’s nothing worse than paying criminals. And paying a ransom for data is just that—paying criminals for a criminal act. All you get out of the payment is access to your data. It doesn’t fix the vulnerability or the root problem. Let the record reflect that the FBI does not recommend paying ransoms to cyber criminals.

It is being reported that companies are paying ransom at a faster rate than ever before. Part of the reason for the payments is a response to the experiences of others, including the City of Baltimore, which expended far more resources in recovering from its ransomware attack than the amount requested by the criminals. However, if you look at what the City of Baltimore bought in response to the ransomware attack—although it was more than the ransom requested—it was an investment in its future security, because it upgraded its systems and equipment to protect against future cyber-attacks. The investment was for the future—not a payment to line the criminals’ pockets and leave the system in a state of vulnerability for another attack. When determining whether to pay a ransom, companies may wish to consider whether it is an extortion payment that only buys back access to their own data and doesn’t fix the vulnerability, or an investment in appropriate equipment and protection for the future.

It used to be that companies would consider paying a ransom if they did not have appropriate data back-up systems to migrate to following a ransomware attack. Everyone now knows that the response to a ransomware incident is to have a robust and tested back-up system so you can shut off the infected system and get the company back up and running on the back-up if it was not also infected. Companies that did not have a back-up system had to consider whether or not to pay the ransom. Recently, companies with a back-up system have told attackers to go pound sand, migrated to the back-up system, and killed the old system.

Unfortunately, as companies implement more robust incident response plans, and are able to recover from ransomware attacks without paying ransom, cyber criminals are getting more sophisticated and figuring out how to stay ahead of that “go pound sand” response from victims. Recently, it has been reported that the cyber-criminal group MAZE is infecting businesses with ransomware and exfiltrating company data. Even if a company has sufficient back-ups, and may not need to pay for the decryption key, MAZE has exfiltrated sensitive company data and personal information, and requires payment of a ransom for certification of destruction of the company data. If the company doesn’t pay the ransom amount to be assured of that destruction, the attacker leaks the company data onto the web. MAZE actually hosts a website that lists all of its victims to try to shame them into paying the ransom. If the company pays the ransom, supposedly MAZE will abide by its word and not leak the data.

The consideration of whether or not to pay a ransom is very complicated and each scenario, risk analysis and business decision is different. The operative word is complicated. It is wise for companies to consider the risk of a ransomware attack like those MAZE employs and how it would respond if it were to become a victim of that type of ransomware attack. It is also wise for companies to determine whether they have insurance coverage for a ransom payment.

Some companies consider setting up a bitcoin wallet in the event they decide to pay a ransom following an attack. Paying a ransom to criminals has serious legal implications, which companies should explore carefully with their legal counsel. It is important to know what laws apply and to consider compliance with those laws before jumping into setting up accounts, negotiating directly with the criminals or paying a ransom. Remember that MAZE and other hacking groups are criminals and dealing with them directly is not just a business transaction.

Antwork Uses Drones in China to Assist in Transport During Corona Virus Outbreak

Last week, a medical delivery drone flying from the People’s Hospital of Xinchang County to the disease control center there successfully completed the air transport of needed medical quarantine supplies and patient samples in the corona virus outbreak. This is the first launch of Antwork’s “urban air transportation channel” to help fight the corona virus outbreak in China. Antwork is a technology company that provides large-scale robotic delivery network solutions. This task was accomplished using drones from the Terra Drone Group.

To respond to the needs of the epidemic and to prevent and control further outbreaks, Antwork provided rapid delivery of medical samples and quarantine materials through the deployment of its drone transportation network. In order to minimize the contact opportunities between the samples from infected patients and personnel in the delivery, Antwork used its automatic and unmanned operation mode, and drones from the Terra Drone Group, to accelerate the delivery. The actual transportation process saw a 50 percent increase in efficiency compared with ordinary road transportation. The use of drones for transport also allowed more staff and ambulances to be used in the front-line defense by conserving human and material resources. Using drones for medical supply delivery is a task that all nations are thinking about, which could greatly increase efficiency and help save lives during medical emergencies and disasters as well as disease outbreaks such as this.

Privacy Tip #226 – Beware – Well-Known Brands Used for Phishing Schemes

A new study by Check Point Research shows that cyber criminals are using well-known brands to lure victims into clicking on nefarious links, providing personal information or credentials, or getting users to transfer money. 

This is an old malware trick that we used to see and now recognize. Scammers send a phishing email after copying and pasting the logo of Federal Express, UPS or a bank, and request that the recipient click on a link or provide a payment. 

The criminals are using other brands now, and according to Check Point Research, in the last quarter of 2019, the brands used most often to target victims with phishing emails included Facebook (18 percent of all phishing attempts globally), Yahoo (11 percent), Netflix (5 percent), PayPal (5 percent), Microsoft (3 percent), Spotify (3 percent), Apple (2 percent), Google (2 percent), Chase (2 percent) and Ray-Ban (2 percent). Although the percentages seem small, remember that these are global statistics. That is a lot of phishing emails using those brands.

At one point, the imitation of Microsoft got so bad that Microsoft issued a warning to U.S. officials, think tanks, peace organizations, university staff, and individuals working on nuclear technology to beware of phishing emails targeting them by fraudsters using Microsoft’s brand.

The trick is the same—the fraudsters transpose one letter in the email address or delete one letter to make someone think it is real and not notice the transposed or missing letter.

Phishing emails continue to be the most frequent attack vector of ransomware attacks, so reading emails with an eagle eye, scrutinizing anything received through email, and being wicked paranoid is crucial to protecting personal and business systems.

LexBlog