It is being reported by ZDNet that the Maze ransomware group has attacked two companies that, apparently, refused to pay the requested ransom, so Maze, as it promises, recently released approximately 76GB combined of the companies’ data on the Internet.

True to its threat, once Maze is able to infiltrate a company’s system, it exfiltrates data without the company’s knowledge, then encrypts the data and drops a ransomware note. If the company elects to migrate to its back-up system and refuses to pay the ransom, Maze notifies the company that it has already exfiltrated data and that if the company does not pay a ransom for a certificate of destruction, it will release the data online.

So far, based on our research, Maze has, in an oxymoronic kind of way, been men of their word, as we have not seen any reports that they have reneged on their promise to destroy the data. Criminals who will keep their word! It is a difficult concept to wrap one’s brain around.

Of course, it does make sense, because if they were to accept Bitcoin for a certificate of destruction and then share the data with other criminals or post it online, the word would get out quickly and no companies would ever pay for a certificate of destruction, as they would have no confidence that the criminals would keep their promise. This would destroy Maze’s entire business plan and their flow of income. Ransomware is here to stay and the attacks are becoming more and more sophisticated.

The criminals behind the Maze ransomware [view recent related posts here and here] have gone big and hit Cognizant, one of the largest technology consulting companies in the U.S., with its nasty ransomware.

Cognizant stated on its website that it “can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.”

Maze is particularly nasty because it is known to exfiltrate the data before encrypting the data, but it is unknown at the present time the status of the attack on Cognizant.

According to Cognizant’s filing with the Securities and Exchange Commission on April 20, 2020, the attack “may continue to cause an interruption in parts of our business and may result in a loss of revenue and incremental costs that may adversely impact our financial results.”

Despite the fact that the hackers behind Maze ransomware previously promised not to hit medical organizations during the coronavirus pandemic, it recently attacked a British medical lab that is slated to test COVID-19 vaccines during the pandemic. The Maze hackers previously said publicly that it would “stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus.” Apparently not so.

What do we expect from criminals—that they will actually keep their word? It just seems particularly despicable right now.

Despite the public pledge, the cyber criminals behind Maze [view related posts] hit Hammersmith Medicines Research (Hammersmith), a British laboratory facility that is ready to test coronavirus vaccines with medical trials, with its ransomware on March 14, 2020. According to a spokesman for Hammersmith, which performed tests in the past for the Ebola vaccine, the cyber attack was identified and stopped without paying the requested ransom.

The problem with Maze is that its business plan relies on the ability to exfiltrate the victim’s data, then increase pressure on the victim by threatening to publish the data on the dark web if the victim doesn’t pay the ransom. It has been reported that Maze has used the same pressure techniques with Hammersmith after it refused to pay the ransom. Maze is now threatening to publish patient data from Hammersmith of patients involved in medical trials 8-20 years ago. Maze has reportedly already published some of Hammersmith’s patient data on the dark web. Just what Hammersmith needs to worry about while ramping up to test coronavirus vaccines.

Perhaps the hackers behind Maze should be thinking about their own health when they hamper coronavirus vaccine medical trials and approvals–they may need the vaccine one day. If only they would focus their capabilities on doing some good for the world or leave those who are actually working for the greater good to continue to do their good work without interruption.

I continue to be amazed in my day-to-day virtual conversations by how many people are unaware of one of the most devastating compromises ever to happen—the recent compromise of Microsoft’s Exchange versions 2013-2019. It is critically important for all Microsoft Exchange users that are using Exchange On-Premises (such as those using Office 365) to be aware of the compromise because it could have a significant impact on your business.

Microsoft announced that its Exchange versions 2013-2019 were compromised and issued patches for the vulnerabilities on March 2, 2021 [view related post]. It is estimated that more than 30,000 U.S.-based companies will be affected by the compromise, which gives the attackers access to emails and potentially to other information technology assets. This is extremely serious, yet many people are unaware of the gravity of the issue and how it could impact their business.

The U.S. Cybersecurity & Infrastructure Security Agency issued an alert for leaders of companies on the compromise:

For Leaders:

An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:

  • What steps your organization has taken;
  • Whether your organization has the technical capability to follow the guidance provided below; and
  • If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.

Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed.

C-Suite executives and leaders of companies may wish to learn more about the compromise and how it could affect the company and to evaluate this guidance from CISA as soon as possible.

 

We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.

The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.

The Report confirms what we are seeing in the field, and confirms how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining others. Maze wreaked havoc last year, when it started exfiltrating data from victims before it dropped the ransomware and then threatened to publish the data if the company didn’t pay.

The Report is a must read, but here are some highlights (depressing as they are):

  • There is no guarantee that if you pay the ransom to delete data that they will actually delete it or that they will not come after you again. (They are criminals, after all). In Q3, exfiltration of data before the introduction of ransomware doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
  • Although Maze is allegedly out of business, others have copied its tactics forexfiltrating data, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to have inherited Maze. Sodinokibi has re-extorted victims after they have paid the ransom.
  • Some gangs provide fake proof that they have your data to get you to pay.
  • There is no guarantee that the exfiltrated data will not be sold to other groups.
  • Ransom demands are increasing.
  • The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
  • Wasted, Nephilim and Avvadon made it into the top 10 list of market share of ransomware variants.
  • More than 50 percent of all attacks are successful through attacks on Remote Desktop Protocols (RDP). Coveware sees this method of attack as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP connections.
  • Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
  • The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
  • The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
  • Ransomware is a disproportionate problem for small and medium-sized businesses—those with a median of 168 employees—which is up 68 percent from Q2 2020.
  • Most victims of ransomware have less than $50 million dollars in annual revenue.
  • Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
  • The average number of downtime days of victimized businesses is 19 days.

These statistics are ones to pay close attention to and use when determining risk management priorities. It is clear from the Report that addressing RDP and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in the use of RDP is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”

As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that the incidents of ransomware attacks on U.S. companies have risen during the COVID-19 pandemic. Although the advisory does not mention that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid ransoms, particularly when data has been exfiltrated and the cybercriminals are threatening to post the data online unless a ransom is paid for confirmation of destruction, as is the scheme used by Maze.

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” These sanctions include civil penalties based on strict liability.

In light of the advisory, OFAC:

encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for responding to ransomware attacks and incident response. It lays out important considerations in determining how it may impact your incident response plan, questions to ask your cyber liability insurer about coverage around ransom payments, and the risks associated with a ransomware payment in your enterprise-wide risk management program.

Cyber liability insurers are in a good position to provide insight into the types of cyber incidents that are hitting the industry. Coalition, a provider of cyber insurance globally, which “serves over 25,000 small and midsize organizations across every sector of the US and Canada,” issued its Cyber Claims Report this week about the claims trends it is experiencing and an analysis of cyber risk based upon those claims.

According to the report, after analyzing thousands of reported incidents, it found that “the majority of losses” fell under breach response coverage, cyber extortion costs coverage, and funds transfer fraud coverage. According to the report, “[T]hese three loss types accounted for 87 percent of reported incidents and 84 percent of claims payouts.”

It further confirmed what we are seeing in the industry—that “the types of attack techniques criminal actors used to target our policyholders are also highly concentrated. Phishing, remote access, and social engineering attacks accounted for 89 percent of all known attack techniques.”

If this doesn’t tell you where to put your resources in prevention and resiliency, I don’t know what does. According to the report, 54 percent of all claims came from email/phishing schemes, 29 percent of claims were the result of remote access, 6 percent were attributable to “other social engineering,” and 3 percent each or 9 percent total were attributable to third-party compromise, brute force authentication attacks and “other.”

The report notes that ransomware is becoming increasingly sophisticated, which we have repeatedly reported from our experience, and that it has increased 47 percent in severity from Q1 to Q2 in 2020. This means that the ransomware criminals are increasing their ransom demands and “the complexity and cost of remediation is growing. The average ransom demand amongst our policyholders increased 100 percent from 2019 through Q1 2020, and increased another 47 percent from Q1 to Q2 in 2020.”

The report and the reality that we are seeing is grim. Ransomware strains such as Maze, Ryuk, Sodinokibi and DoppelPaymer are taking ransomware attacks to a new level by exfiltrating data before requesting the ransom, and then showing proof of life that they have the data in their possession and then threatening to publish the data unless a ransom is paid for a certificate of destruction. According to Coalition, the average ransom demand ranges from a high of Maze at $420,000 down to Sodinokibi at $73,920.

The Coalition report paints a stark picture of reality that is necessary to confront in order to put practices in place to implement incident response planning, prevention and resiliency.

When the Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Socket Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support to lure the victims and convince them into thinking the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims, and according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly-available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (from social engineering—including name, address, position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN and that a link to the new login will be sent, which includes multi-factor authentication, and that they will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process, they gain access to the employee’s log in credentials and now have access to the employee’s account.

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.

Adding insult to injury for cruise ship company Carnival Corporation (Carnival) following the hit from the pandemic to the travel industry as well as a class action lawsuit relating to the Diamond Princess’ fate during the pandemic, Carnival disclosed in its August 17, 2020 8-K filing that it recently  experienced a ransomware attack. According to reports, Carnival disclosed that the successful attack accessed and encrypted a portion of its IT systems and the attackers demanded a ransom to provide the encryption key. A double whammy for a company that has been hit hard by the pandemic. It reiterates that cyber criminals just don’t care if you are down on your luck and will hit victims whenever they can.

It also is reported that Carnival has confirmed that the attackers exfiltrated and downloaded some of its data, which may have included the personal information of customers and employees. Unfortunately, if the attackers were Maze or ReVIL/Sodinokibi, this may signal that Carnival is in for a second request for ransom if they don’t pay the first one to obtain the encryption key.

Carnival is the largest cruise ship operator in the world, employing over 150,000 individuals. It is estimated that more than 13 million people book a Carnival cruise each year, so depending on the data that were stolen and how long the company stored employee and customer personal information, the incident could involve the data of tens of millions of individuals.

Carnival is in the midst of its investigation and is working with law enforcement and cybersecurity experts. It has stated that the attack has not materially affected its business operations or financials.

There have been numerous examples of how hackers can get hold of sensitive and deeply personal information and use it against individuals to embarrass and extort them into sending money or compromising pictures to the hackers to prevent the information from being posted on the web.

These examples include cyberbullying, online love scams, blackmail through the compromise of sexually explicit content or photographs, or pretending to be someone the user trusts. Once they get this sensitive personal content, knowing that people don’t want their family or friends to find out about it, they hit the user with a ransom demand. This has been going on for a very long time.

As hackers continue to find new ways to use old scams that have been successful, a recently reported example of hackers trying to use sensitive data against users is the Maze group, which hit two plastic surgery groups with ransomware, one in Seattle and the other in Nashville. Maze threatened to publish before-and-after pictures of patients who have undergone plastic surgery if the plastic surgery groups didn’t pay the ransom.

Apparently neither plastic surgery group did pay the ransom, and Maze now has posted the data, including the before-and-after pictures of patients, which researchers have said are identifiable.

Hackers will continue to find ways to embarrass or trick users into paying a ransom. They will victimize both individuals and companies that may have information or pictures that could be embarrassing or are deeply personal, in order to coerce a payment so the information is not disseminated.

Think about what you are doing online with your own personal information or pictures, and consider how you would feel if the information or photos on your phone or in your personal email were widely disseminated online. Then consider changing your behavior or deleting the material that you would be concerned about if it got into the hands of others.