At a glance.
- A look at how Nefilim ransomware operates.
- Lawsuits in data breach case may test limits of US privacy law.
- Data-scraping at LinkedIn.
Profile of Nefilim ransomware.
Trend Micro offers an in-depth look at the ransomware-as-a-service operation Nefilim. Run by a threat group researchers have dubbed Water Roc, Nefilim relies on tools that already exist in the target’s environment in order to move laterally and remain undetected for weeks. Water Roc also conducts extensive research on its victims in order to determine the most effective method of attack and the optimal extortion price. Having grown out of the Nemty ransomware family, Nefilim targets financial, manufacturing, and transportation companies with deep pockets, mainly in North and South America. Water Roc employs a double-extortion technique, as is the current trend, but it drags the data leak process out over months or even years as a warning to future victims.
Scripps Health data breach lawsuits test the limits of privacy law.
Since the massive ransomware attack on US healthcare provider Scripps Health earlier this year, victims have filed four class action lawsuits, two in state court and two in federal court. All of the suits allege that Scripps violated data privacy regulations such as the California Confidentiality of Medical Information Act, the Federal Trade Commission’s unfair trade practice regulations, and the Health Insurance Portability and Accountability Act. However, GovInfoSecurity reports that one federal case is unique in that it also claims the disruption of services caused distress to the plaintiff, Michael Rubinstein, a patient with a blood disorder who was forced to miss a scheduled bone marrow biopsy. “Rubenstein experienced emotional distress in the form of anxiety and lost sleep due to missing this critical appointment,” the lawsuit claims. Courts in similar privacy cases have yet to decide whether the loss of healthcare services due to an attack constitutes “concrete” injury. Technology attorney Steven Teppler of Mandelbaum Salsburg P.C. asks, “Taken to its extreme, will a potential plaintiff in this instance be required to show physical injury?”
LinkedIn hit by data scrapers (who post data to the dark web).
Professional networking platform LinkedIn already experienced a security incident this past April that resulted in the publication of data on 500 million of its users. Now, Threatpost reports, a second posting of 700 million LinkedIn records has appeared on the dark web. The data, listed for sale on the hacker forum RaidForums, was accompanied by a sample of 100 million records offered as evidence of its legitimacy. Researchers at Privacy Shark analyzed the sample and found that the data includes full names, gender, email addresses, phone numbers, and industry information, likely gathered by scraping public profiles, much like the April exposure. LinkedIn’s press statement supports this theory: “This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.” Still, even public data can be used to fuel spam campaigns, identity theft, or brute-force attacks.