New Decryption Tool Offered to Combat GandCrab Ransomware Before it Retires

The attackers behind the vicious ransomware known as GandCrab have made their money (loosely estimated at over $2 billion) and are retiring. Most of us work for a living and then retire, but these guys steal money to retire. A lot of money. Shortly after their announcement that they are retiring (no doubt to figure out a new way to steal from us), a decryption tool to nullify the ransomware is being offered through a collaboration led by the FBI, Europol, Bitdefender, and others.

According to ZDNet, “It is thought that over 1.5 million Windows users have been infected with GandCrab since it first emerged in January 2018…by…one of the most aggressive forms of ransomware.”

The decryption tool being offered responds to the most recent versions of the ransomware (GandCrab 5.0 through GandCrab 5.2) and allows users who have been previously attacked by older versions to retrieve the encrypted files.

Bitdefender is releasing a decryptor tool and launching the No More Ransom project.

Although it is good news that the GandCrab attackers are shutting down their operation, it could present problems for victims, because it means that when GandCrab shuts down, all of the keys that can open files for victims will be deleted and the victims will lose forever the ability to restore the files. Further, once the keys are deleted, even if they pay the ransom, they will not be able to get the key.

Therefore, FBI, Europol, Bitdefender, and others have recommended that companies which have fallen victim to GandCrab use the tool to restore any affected files before the encryption keys are destroyed.

Customs + Border Patrol Vendor’s Network Compromises Images and License Plate Data

The United States Customs and Border Patrol (CBP) admitted last week that personal information that it collected from travelers crossing the U.S. borders was exposed in a “malicious cyber-attack” against one of its vendors.

It is being reported that one of CBP’s subcontractors “illegally transferred” to its internal network almost 100,000 photographic images of travelers and license plates collected at the border over a six-week period, and that the network was then compromised by a cyber-attack.

It has been confirmed that no passport information or other government-issued travel documents were stolen and no biometric information was involved. Nonetheless, the CBP is reportedly monitoring the Dark Web and the Internet to see if the images appear for sale.

NFL Considering Cashless Transactions for the Super Bowl

As of today, the only NFL team operating on game day without cash is the Atlanta Falcons at Mercedes-Benz stadium. However, there is an emerging trend of cashless sporting events and the Super Bowl may be added to that list next year. Additionally, the Tottenham Hotspur stadium in London, which will host NFL games, opened cashless in April of this year, and Baltimore Ravens President, Dick Cass, is looking to move towards cashless transactions for the 2020 season. It is likely that many others will follow suit.

The biggest sporting event to consider cashless transactions is the Super Bowl. The 2020 Super Bowl will be hosted in Miami and Miami Dolphins CEO, Tom Garfinkel, said, “[We’ve] been doing a lot of research now and contemplating a cashless Super Bowl.” Cass said that the advantage to NFL fans using only credit cards or payment apps is that the “concession lines would be faster, once people get accustomed to it.” Cass believes that “it’s inevitable at some point that we have almost all cashless transactions.” This seems like it may be a problem for those without bank accounts or credit cards, however the Falcons have addressed that issue by installing reverse ATMs in their stadium, which provide a debit card for purchases for those who only have cash. It is also likely that team payment apps is the next step.

Other downsides? For fans, there will certainly be a loss of privacy. As more and more teams gather precise data about what the individual fan purchased and when, it will allow teams to target those individuals with greater precision and directed ads. Cash permitted fans to make purchases without any tracking involved. Can this information be used against you in other ways? Can this information be subpoenaed? We have certainly seen these issues pop up with other data hubs and mobile apps. We’ll follow this trend as we approach the opening of NFL training camps and the start of the football season.

Alert for Employee Education: FBI Issues Warning About Exploitation of “Secure” Websites

We all have been trained to look at website addresses with a critical eye to make sure they have “https,” as those websites are supposed to be secure. The “s” at the end signifies to us that it is secure. The lock at the beginning of the website address is supposed to signify that it is a secure website. This is something that I mention when I offer employee education to clients—they should only open websites that are secure and locked.

Not anymore. On June 10, 2019, the FBI’s Internet Crime Complaint Center (IC3), issued an alert called “Cyber Actors Exploit ‘Secure’ Websites in Phishing Campaigns.” The alert states that cyber criminals are “banking on the public’s trust of ’https‘ and the lock icon. They are more frequently incorporating website certificates—third party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

In other words, the cyber criminals are spoofing the HTTPS address and the lock icon, just as they are spoofing domain names, signature lines, email addresses and telephone numbers. I guess we shouldn’t be surprised. But it is important that your employees are aware of this new alert and that they be super cautious about trusting the lock icon and the “https” designation.

According to the FBI alert, “[T]he following steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

Victim Reporting

“The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at If your complaint pertains to this particular scheme, please note “HTTPS phishing” in the body of the complaint.”

I am incorporating this information into employee training—you may wish to consider doing the same.

Domino’s to Deliver Pizza with Autonomous Robot

It’s begun – as of Fall 2019, you might see an unmanned vehicle resembling a giant pill bug on wheels driving down your street. Domino’s recently announced that it will partner with Silicon Valley start-up robotics company, Nuro, to deliver pizzas to customers. However, this new delivery approach will be limited to online orders placed in Houston, Texas for now. Consider this the company’s test drive.

The Nuro vehicle has a narrow frame, only about half the width of a typical car, and half the weight of a typical car as well. This allows the vehicle to navigate around obstructions and gives it a few additional feet of safety buffer to avoid collisions if someone pulls out of a driveway suddenly or steps out from in between parked cars.

Consumers will be able to track their driverless vehicle via the Domino’s app; once the vehicle arrives at the delivery location, consumers will be able to use a PIN code provided by Domino’s to unlock the vehicle’s compartment and get their pizza. Domino’s Executive Vice President, Kevin Vasconi, said, “The opportunity to bring our customers the choice of an unmanned delivery experience, and our operators an additional delivery solution during a busy store rush, is an important part of our autonomous vehicle testing.” This is likely just the beginning. We are sure to see many more autonomous food delivery services popping up all over the country and around the world.

Privacy Tip #195 – Evite Announces Breach of Account Information of 10 Million Users

If you use Evite for e-invitations or social planning purposes, be aware that it announced last week that the account information for up to 10 million users has been compromised and is for sale on the Dark Web.

According to Evite, the information compromised included users’ names, usernames, passwords, dates of birth, telephone numbers, mailing addresses, and email addresses.

This information can be sold and used by cyber criminals to add to the other personal information available on the Dark Web to perpetrate identity theft. If you have an Evite account, change your password immediately and be extra cautious against the risk of becoming the victim of a phishing attack or identity theft yourself.

Hackers Indicted for Involvement in 2015 Anthem Data Breach

Earlier this month, a federal grand jury returned an indictment charging a Chinese national and another individual as part of an extremely sophisticated hacking group operating in China that targeted large businesses in the United States, including health insurer Anthem. The indictment stemmed from an investigation by the FBI in which Anthem cooperated, earning praise for its assistance.

According to a news release from the U.S. Department of Justice, the indictment alleges that Fujie Wang (a/k/a Dennis Wang) and other members of the hacking group, including another individual charged as “John Doe,” conducted a campaign of intrusions into U.S.-based computer systems. They gained entry into the systems of Anthem as well as three other U.S. businesses, which were not specifically identified. Beginning in February 2014 and continuing into 2015, the defendants used very sophisticated techniques to hack into the companies’ networks and then installed malware and tools on the systems, through which they identified and stole data of interest on the compromised computers, including personally identifiable information and confidential business information.

The indictment indicates that the techniques utilized by the hackers included sending specially-tailored “spearfishing” emails with embedded hyperlinks to company employees. If the links were accessed, a file was downloaded that deployed malware and installed a backdoor tool that would provide remote access to the computer system through a server controlled by the hackers. The hackers then used software to collect the information they wanted and stole it by placing it into encrypted archive files which were sent through multiple computers to China. They also allegedly then deleted the encrypted files from the victims’ computer networks in an attempt to avoid detection.

Charges in an indictment are merely allegations, and defendants are presumed innocent until proven guilty in court. The government has indicated its commitment to prosecuting the case and bringing those responsible to justice.

NCCoE Seeks Comment from Manufacturing Sector for Industrial Control Systems

Protection of industrial control systems is crucial to the security of our country. The National Cybersecurity Center of Excellence (NCCoE) has announced a project for which it is seeking comment: Detecting and Protecting Against Data Integrity Attacks in Industrial Control System (ICS) Environments.

The project scope is to assist manufacturing organizations in taking a comprehensive approach to enhancing the security of their industrial control systems by leveraging the following cybersecurity capabilities:

  • behavioral anomaly detection
  • security incident and event monitoring
  • industrial control system application white listing
  • malware detection and mitigation
  • change control management
  • user authentication and authorization
  • access control least privilege
  • file integrity checking mechanisms

Commenters from the manufacturing sector are urged to submit comments by July 25, 2019.

KiK Sued by SEC Over $100M Initial Coin Offering

In a contentious move, the Securities and Exchange Commission (SEC) recently sued Kik Interactive Inc. for its Initial Coin Offering of $100 million, alleging it violated securities laws by not registering the offering with the SEC.

The SEC alleges that the fundraising of $100 million was illegal because it did not provide proper disclosures to investors.

Kik has launched a crowdfunding site to help raise money to defend against the suit.

Employers and Wellness Plans: Questions about Quest Breach?

Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information [view related post]. Another lab company reported days later that it was notified that the information of 8 million of its patients had been compromised as well; that total is now almost 20 million.

What we have been able to learn is that the records compromised were only those in collections, not all lab records. The Connecticut and Illinois Attorneys General are both investigating the facts.

Many self-funded health plans and wellness plans have asked us what to do if they use these two lab companies. Here are some thoughts.

First, we have been told that the self-funded and wellness program products were not affected. If confirmed, this would be good news. This means that normal labs and drug testing that employers perform or employees have taken should not be affected. But any labs that have not been paid, or are in collections, might be affected. Again, it appears that only information of collection cases is involved.

Nonetheless, there is a lot of confusion about the personal information of employees that may have been impacted, and about how to communicate with employees, who are understandably nervous and may have questions for employers and wellness plans.

The lab companies have not yet been told which patients’ personal information was compromised, so it is hard to evaluate which employees’ information, if any, was involved. The lab companies are trying to find that out from the collection agency, but this has not yet been accomplished.

Employees are asking questions, and most companies want to assist their employees, so they are trying to figure out next steps. Employees generally appreciate transparency about what their employer has been told by the lab company. Let them know in an email or other correspondence that you are trying to find out who was impacted, if anyone. If the lab company confirms that the only people who were impacted are those whose bills are in collection, and that affected employees are required to be notified under state or federal law, pass that information along, so they know they will be notified if their information was compromised.

Let them know that you are working on it, that you are in touch with the lab company to find out who was impacted, and that you will assist, if possible, your employees/members in the event their information was compromised.

Let your employees know that you will assist them and answer any questions you can should you learn relevant information. But until you find out what information was actually involved, other than offering support, there isn’t a lot employers can do to assist.