More on how the Conti ransomware gang works, individuals victimized by ransomware, news on wiperware and more.
Welcome to Cyber Security Today. It’s Monday, May 2nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Conti ransomware gang will use any tactic to get victims to pay for the release of stolen and encrypted data. According to researchers at CheckPoint Software, that includes claiming that it has a “big legal department” that can find out a victim organization’s real financial status and ability to pay. In all probability that claim is an exaggeration. But the blog points out it is true that the gang tries to pin its ransom demand to as much information it can get on an organization, including from stolen documents. The average ransom demand recently has been about 2.8 per cent of a victim organization’s annual revenue. A discount is offered for victims who pay fast. The blog looks at recently-leaked Conti members’ texts to get an idea of how the gang negotiates. The ransom demanded of one victim was $2 million. The victim organization, a government transport agency, offered $500,000. An agreement was reached for just over $1.1 million. Cybersecurity experts say data encryption, network segregation and protected data backups are the best strategies to make sure you don’t have to pay ransomware gangs.
More on ransomware: For some reason people download software updates from strange websites or links in texts and emails instead of from official software developers’ sites. And for some reason, those people are surprised at getting hacked. The latest example is documented by the Bleeping Computer news service. It says the Magniber strain of ransomware is being spread to individuals who download what they think is a Windows 10 update. These people didn’t use the Windows Update feature on their computers. Presumably they trusted a message that popped up on their screen or clicked on a link in an email or text. This is another warning: The internet if full of scams. Think carefully before you click.
Using a hacked email account to send phishing emails to victims is an old tactic used by threat actors. They hope the victim trusts the sender’s email address and clicks on an attachment. According to researchers at Mandiant, one of the latest to use the tactic is a Russian-based gang known by security researchers as APT29. Recently it compromised several email addresses to send infected messages to employees in a number of embassies around the world. The subject lines of the emails had government-related topics such as Ambassador Absence, Non-Working Days of the Embassy and Embassy Closure Due to COVID-19. The goal is to distribute malware to compromise Windows computers. Once inside APT29 finds ways to elevate their access privileges. In many cases, says the report, this gang can get domain administration privileges in less than 12 hours. Tactics include compromising authentication tickets. Ways of defending against attacks like this include the use of multifactor authentication to protect logins, better protection of Active Directory and training employees to not automatically trust emails from senders they may know.
The NotPetya wiper malware began multiplying around the world in 2017. But thanks to unpatched Windows computers it’s still circulating. That’s according to a new report from Fortinet on how to fight this type of malware. The biggest number of vulnerable systems recently detected were in Turkey, followed by Mexico, the United States, the Philippines and Canada. Wiper malware is a particularly nasty weapon used by a variety of attackers, because its goal is to erase everything on a victim’s IT system. Most recently it’s been alleged that Russian-based threat groups have launched wiper attacks against the government and other organizations in Ukraine. The Fortinet article says the best protection against wiper malware are secure off-site data backups, network segmentation and having a thorough incident response and disaster recovery plan.
Finally, storage administrators using certain models of network-attached storage devices from QNAP and Synology are urged to take mitigation action for critical vulnerabilities in their devices’ software. The vulnerable component is the Netatalk file server, an open-source component found in software of a number of NAS storage appliances. Synology says users of its DiskStation Manager 7.1 should upgrade to the latest version. For those using version 7.0 and lower, Netatalk has been disabled. Synology is working on fixes. In the meantime there are workarounds. QNAP has fixed the vulnerabilities in version 4.5.4. 2012 and later of its QTS operating system. It is working on fixes for earlier versions. In the meantime QNAP administrators should disable AFP, which is short for Apple Filing Protocol. Netatalk is an open-source version of AFP. The news site Dark Reading notes that Western Digital disabled Netatalk from its products in January. Other storage vendors whose software uses Netatalk are looking at installing the latest patch from the developer in their products. Storage administrators should watch and install the latest security updates.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.