The REvil ransomware group, also known as Sodinokibi or Sodin, is known for using double-extortion tactics against its victims (one of which was former US President Donald Trump), and for its robust ransomware-as-a-service operation, in which developers sell malware to clients or “affiliates” in order to launch their own campaigns. Threatpost reports that the group is currently taking credit for attacks over the past two weeks on nine organizations: law firms, an insurance company, international banks, and a manufacturer located in Africa, Europe, Mexico, and the US. As proof, REvil published some of the documents they claim to have stolen from the victims: computer file directories, customer lists, contracts, and even employer and customer IDs. Rob McLeod, senior director of the Threat Response Unit for eSentire stated, “These attacks come directly on the heels of an extensive and well-planned drive-by-download campaign, which was launched in late December.” Though it’s unclear if payment has been requested, some of the documents disappeared after posting, indicating the victims might have paid up.
Shedding some light on the motivations behind the group’s methods, the Record conducted an interview with an alleged REvil member who calls himself “Unknown.” He claims the gang is steering clear of politics now, as it’s simply not lucrative to side with one party or another. Though he can see the potential of ransomware as a weapon (and alleges the group has affiliates with access to missile launch systems), he states that starting war is not a goal: “It’s not worth it—the consequences are not profitable.” When asked about the impact of COVID-19 on cybercrime, he explains that as a result of the pandemic, fewer victims have the resources to pay, with the exception being pharmaceutical companies, whose pockets have remained deep enough to make them worthwhile targets. He also sees an organization’s use of cyberinsurance as a welcome challenge rather than a deterrent: “Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.” He warns that corporate negotiators might do the target more harm than good, as haggling will likely only compel the gang to increase their ransom demands in order to make up for lost time and resources.
The Unit 42 threat intelligence team and the Crypsis incident response team joined forces to publish the 2021 Unit 42 Ransomware Threat Report, an analysis of the global ransomware threat landscape in 2020. Some highlights:
Infosecurity Magazine reports that Vodafone Spain has been handed the largest penalty ever to be issued by the Spanish Data Protection Agency (AEPD), four fines totaling $9.72 million. The telecommunications company is being penalized for wrongful telemarketing activities and poor data protection policies. Vodafone conducted unsolicited marketing calls, texts, and emails without consent, even targeting customers who expressly stated they did not want to be contacted. They also executed international data transfers that went against the General Data Protection Regulation and disregarded proper data verification methods. The AEPD declared that Vodafone Spain has no “real, continuous, permanent and audited control” over customer data handling and could not "provide detailed documentation on data protection guarantees."
South and City College, a school in Birmingham (and by the way, fellow Americans, that's the Birmingham in the English Midlands, not the one in Alabama) was hit with a serious ransomware incident that caused it to close many of its activities while it investigates and recovers. The College posted this message on its website:
"The College has suffered a major ransomware attack on our IT system which has disabled many of our core IT systems. Access to our college buildings is currently limited, whilst our IT specialists are fixing the problem. Please see our Essential Info for Students page for advice on the gradual return to on-site learning.
"For full details of the cyber-attack and how the college is responding, read our official statement.
"At this time, if you would like to apply for a course or have a query regarding your application please email admissions@sccb.ac.uk.
"Thank you for your cooperation and patience."
The ransomware is believed to have hit the College around midnight this past Friday. Peter Groucutt, Managing Director at Databarracks, wrote with some advice for educational institutions:
"South and City College in Birmingham has not confirmed the specifics of the attack yet, but yesterday, the FBI issued guidance on an 'Increase in PYSA Ransomware Targeting Education Institutions.' The FBI is reporting an increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom.
"This is a double extortion attack, both encrypting and exfiltrating data to extort the victims – threatening to release data on the dark web if ransoms are not met. Attackers are gaining access through phishing emails or compromising Remote Desktop Protocol (RDP) credentials.
"It hasn’t been disclosed if it was PYSA ransomware that hit South and City College in Birmingham, but educational institutions should take note. Education is already shouldering enormous demands during the pandemic. Ransomware attacks like this cause significant disruption of days or even weeks and months.
"Key actions should be to review RDP and warn users about the heightened threat of phishing. Ideally anti-spam tools will prevent phishing emails, but they will not prevent every targeted email getting through; vigilant users are vital too. They should also review incident response plans and backup and recovery plans."
China's New Digital Currency Is Easy to Use but You'll Be Watched (Wall Street Journal) As China moves closer to rolling out its new digital cash, there are concerns the government will track every transaction, not just of citizens but of foreign companies in the country. WSJ travels to Chengdu to see this money revolution in action. Photo: Lorenz Huber for The Wall Street Journal
IC3 Releases 2020 Internet Crime Report | Federal Bureau of Investigation (Federal Bureau of Investigation) The FBI’s Internet Crime Complaint Center released its latest annual report, which includes information from 791,790 complaints of suspected internet crime and reported losses exceeding $4.2 billion.
Internet Crime Report 2020 (FBI IC3) In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree.
FBI: Over $4.2 billion officially lost to cybercrime in 2020 (BleepingComputer) The Federal Bureau of Investigation has published its annual report on cybercrime affecting victims in the U.S., noting a record number of complaints and financial losses in 2020 compared to the previous year.
Line app allowed Chinese firm to access personal user data (The Record by Recorded Future) In a press conference today, the Japanese government announced it was investigating the parent company behind the Line instant messaging app after a local newspaper reported that engineers at one of the app's Chinese contractors accessed the messages and personal details of Line users.
French Data Watchdog CNIL Opens Probe Into Clubhouse App (Bloomberg) Probe aims to confirm whether GDPR applies to Clubhouse. German regulator also looking at how app protects user privacy.
Vodafone Spain fined record $9.72M for data protection failures (Compliance Week) Vodafone Spain has been fined €8.15 million (U.S. $9.72 million) for aggressive telemarketing tactics and other data protection failures under the GDPR. The penalty is the highest the Spanish Data Protection Agency has handed out.
MyLife.com Can't Duck Challenge To Reputation Ratings (Law360) A Minnesota federal judge has ruled that reputation rating website MyLife.com can't escape a proposed class action alleging the company falsely suggested consumers had criminal or sex offender backgrounds and required users to pay a fee to correct false information.
We need to talk openly about cyber security (Charity Digital) By sharing information about cyber security breaches, the charity sector can work together to make charities much more secure
Six ways to battle 2021 tax season identity theft (PropertyCasualty360) The high volume of unemployment claims in recent months may have opened a new door for bad actors online, according to HSB.
7 Tips to Secure the Enterprise Against Tax Scams (Dark Reading) Tax season is yet another opportunity for fraudsters to target your company. Here's how to keep everyone in the organization on their toes.
Largest ransomware demand now stands at $30 million as crooks get bolder (ZDNet) There's been a big rise in ransom payments over the last year - and some ransomware gangs demanding vast amounts.
Scam Alert: FTC warns of new phishing email scam about stimulus payments (FOX Carolina) The Federal Trade Commission (FTC) is warning people of an e-mail scam about COVID-19 stimulus payments.
CISA Issues Advisory on TrickBot Campaigns (Dark Reading) US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn security teams to guard against the advanced Trojan malware.
TrickBot Malware (CISA) This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
DearCry ransomware is not very sophisticated: Mandiant (DATAQUEST) DearCry is a new family of ransomware being used after an initial compromise of unpatched on-premises Microsoft Exchange Servers
Missed opportunity: Bug in LockBit ransomware allowed free decryptions (The Record by Recorded Future) A member of the cybercriminal community has discovered and disclosed a bug in the LockBit ransomware that could have been used for free decryptions.