Ransomware Attacks and How to Protect Yourself

What is Ransomware?

An organization or user's access to data on their computer is restricted by malware known as "ransomware." Cybercriminals put businesses in a situation wherein paying the ransom is the quickest and least expensive option to recover access to their data by encoding these files and requesting a ransom demand for the decryption key. For increased motivation for ransomware sufferers to pay the ransom, several variations have included other capabilities, such as data stealing.


The first known ransomware attack was called "AIDS" or "PC Cyborg", which surfaced in 1989. Today, there are many different types of ransomware including Cryptolocker, CryptoWall, CTB-Locker, Locky, and TeslaCrypt. Some ransomware variants even go so far as to disable anti-malware software on infected systems so they cannot be removed by other means.



Emergence of Ransomware

The 2017 WannaCry attack marked the start of the current ransomware mania. This widespread and well reported assault proved that ransomware was both feasible and possibly lucrative. Numerous ransomware variations have since been created and utilized in numerous assaults.


The recent rise in ransomware was also influenced by the COVID-19 epidemic. Gaps in firms' cyber security emerged when they quickly shifted to remote labor. These flaws were taken advantage of by cybercriminals to spread ransomware, which led to an increase in ransomware assaults. When compared to the first half of 2020, ransomware assaults climbed by 50% in the third quarter.



Popular Ransomware Variants

There are several ransomware variants, each with specific features. However, certain ransomware organizations have been more active and profitable than others, setting them apart from the competition.


1. Ryuk

A very targeted ransomware variant is Ryuk. It is frequently sent by spear phishing emails or by utilizing stolen user credentials to access business systems over the Remote Desktop Protocol (RDP). After infecting a system, Ryuk encrypts some file types (but ignoring those that are essential to a computer's functionality), then demands a ransom.


One of the most costly ransomware variants in use is known as Ryuk. The average ransom demanded by Ryuk is above $1 million. As a result, Ryuk's cybercriminals mostly target businesses who have the means to satisfy their demands.


2. Maze

Because it was the first ransomware strain to combine file encryption and data theft, the Maze ransomware is well-known. When victims started declining ransom demands, Maze started gathering private information from their PCs and encrypting it. This data would either be made publicly available or sold to the highest bidder if the ransom demands were not satisfied. A further inducement to pay up was the prospect for a costly data leak.


The organization that created the Maze ransomware has formally ceased operations. This does not, however, imply that ransomware is any less of a concern. The Egregor, Maze, and Sekhmet varieties are said to share a same origin, and some Maze associates have switched to utilizing it.


3. REvil (Sodinokibi)

REvil started out as a conventional ransomware strain, but it has since developed. Now, it uses the Double Extortion method to steal data from organizations while also securing the files. This implies that attackers may threaten to reveal the hacked information if a second payment isn't received in conjunction with demanding a fee to unlock the data.


4. Lockbit

The ransomware-as-a-service LockBit has been active since September 2019 and encrypts data (RaaS). This ransomware was created to swiftly encrypt huge enterprises in order to avoid being immediately discovered by intrusion detection systems and IT/SOC teams.


5. DearCry

Microsoft issued remedies for four Microsoft Exchange server vulnerabilities in March 2021. A new ransomware version called DearCry is intended to exploit four previously discovered vulnerabilities in Microsoft Exchange.


Some file formats are encrypted by the DearCry ransomware. After the encryption process is complete, DearCry will display a ransom notice telling users to email the ransomware's operators to request instructions on how to unlock their data.


6. Lapsus$

A South American ransomware group known as Lapsus$ has been connected to cyberattacks on prominent targets. The cyber gang is well-known for extortion, threatening the publication of private data if its victims don't comply with its demands. The organization has claimed of getting into companies including Nvidia, Samsung, and Ubisoft. The gang masks malware files as legitimate ones by using stolen source code.



How to Protect Against Ransomware


Utilize Best Practices

An effective plan may significantly reduce the cost and effects of a ransomware attack. Adopting the recommended practices listed below can lessen an organization's vulnerability to ransomware and lessen its effects:


Cyber Awareness Training and Education: Phishing emails are a common method for spreading ransomware. It is essential to educate people on how to recognize and prevent possible ransomware attacks. User education is frequently seen as one of the most crucial defenses a company can employ, since many modern cyber-attacks begin with a focused email that does not even include malware but merely a socially engineered communication that tempts the user to click on a harmful link.


Continuous data backups: According to the definition of ransomware, it is software created so that decrypting encrypted data requires paying a ransom. A company may recover from an assault with little to no data loss and without having to pay a ransom thanks to automated, secured data backups. A crucial procedure for preventing data loss and ensuring data recovery in the case of contamination or disk hardware failure is maintaining frequent backups of data. Organizations may recuperate from ransomware attacks with the assistance of functional backups.


Patching: In order to guard against ransomware attacks, patching is essential since hackers frequently search the patches for the most recently discovered exploits before launching assaults on unpatched systems. Because fewer possible vulnerabilities exist within the company for an attacker to exploit, it is crucial that firms make sure all systems have the most recent fixes deployed to them.


User Authentication: Attackers using ransomware frequently exploit stolen user credentials to access services like RDP. A strong authentication process can make it more difficult for an adversary to utilize a password that has been guessed or stolen.

How NDR Is Revolutionizing Cybersecurity

Network Detection and Response (NDR) is an exploding field of cybersecurity, providing network-wide monitoring and advanced detection of potential malicious threat actors and suspicious activity, that other tools may miss. An NDR solution continuously scans all entities of network traffic while creating a baseline of normal network activity, creating an incredibly difficult environment for attackers to hide within.


NDR stands out in the market due to its advanced suite of technologies used for detecting suspicious and malicious traffic, such as deep learning, AI, heuristic analysis, and machine learning.


Gartner created the NDR category in 2020, changing the name from its previous, “Network Traffic Analysis” due to the ever-increasing size and scope of data expansion across the cloud. The larger the networks, the longer threat actors can remain hidden without triggering alerts. NDR can detect and contextualize these problems via analytical techniques such as machine learning for threat detection, from the collection of telemetry data. NDR solutions create a resilient shield against zero-day attacks while utilizing sophisticated software to spot and anticipate potential threats before they surface, by analyzing all traffic flows at once.



The Beginning

Network traffic has been monitored for quite some time, but as the sheer amount of data dramatically increased, many organizations could not quite reel in the same insight they once relied on, leading to a new set of issues.


As technology evolved and systems began to manage the seemingly never-ending waterfall of data, Network Traffic Analysis (NTA) was utilized to provide analysis and behavioral tracking of network traffic for computer security. While NTA is still in-use within Security Operations Centers (SOCs), the market has evolved to open up to more advanced necessities and capabilities, such as those that NDR provides.


Advanced behavioral analytics, machine learning, and AI all form the primary backbone of NDR solutions enabling improved detection abilities, accurately determining threat risk levels, and automating manual tasks routinely performed by analysts, allowing them to focus on triage and rapid response maneuvers. Machine learning gives way to sophisticated detection of “known unknown” cyber threats and new zero-day threats “unknown unknown”


known-unknown: dangers that the company is aware of but whose extent and impact are unknown.

unknown-unknown: threats that the business is not even aware it is unaware of.



Why do I need Network Detection and Response?

Security Information & Event Management (SIEM) and Endpoint Detection and Response (EDR) are crucial tools, but not the end-all-be-all to protecting your organization. NDR fills the gaps to augment and help provide a fully comprehensive security monitoring platform, especially with IoT and cloud computing enticing threat actors to make their move now more than ever.


More traditional detection-focused solutions are using signature-based detection methodologies, which work to identify a threat while a security analyst is alerted. Next, incident response is performed, but only after the attack is successful, which could leave your network compromised by quick-moving, seasoned threat actors. These solutions alone, place your organization at major risk, relying on reactive measures rather than proactive approaches. NDR uses machine learning and automated response to accurately predict and remediate incoming intrusions before an attack has been fully launched, potentially saving your data.


According to ExtraHop, “What's more, while attackers may be able to fool firewalls and traditional IDS by masquerading as legitimate users and services and avoiding signature-based detection, they can't escape NDR. That's because it's almost impossible for them to avoid certain key activities on the network, which NDR can detect. It enhances rules-based detection with machine learning technology to model the behaviors of entities on the network and contextually identify anything that resembles known attack techniques. That means even legitimate-seeming processes may be flagged if their appearance seems unusual.”



Proactive Approach

Cybercriminals have more advanced tools at their disposal than ever before, even accessing nation-state-level tools.


“Tools developed by nation-states have made their way onto the black market many times. An infamous example is the Eternal Blue exploit, which was used by the WannaCry hackers,” comments Ian Pratt, Global Head of Security, Personal Systems, HP Inc. “Now, the return on investment is strong enough to enable cybercriminal gangs to increase their level of sophistication so that they can start mimicking some of the techniques deployed by nation-states too.


NDR provides a safety net against highly pervasive and sophisticated threat actors, providing a deeper level of security than EDR & SIEM together.



Logs and Endpoint Security Aren’t Enough

SIEMs and other endpoint tools are showing glaring weaknesses in detecting threats that are not simply malware-oriented, leaving lateral movements, such as stolen credentials, potentially undetected.


Furthermore, SIEM reporting can be unbelievably frustrating and complex, leaving only trained SIEM specialists with the ability to accurately determine actionable insights. Non-tech-savvy members of your organization would have immense trouble understanding reports which make for confusing strategies and communication gaps.


According to a NetWrix national survey, 63 percent of survey respondents said that they had difficulty understanding the reports output by their SIEM and a further 53 percent reported that they had to manually tweak their SIEM reporting so that non-tech stakeholders could understand.



IoT Needs Sophisticated Protection

IoT devices do not possess the computing ability or just are too small, like your Nest Thermostat, to run security protocols. Cyberattacks on these devices could lead to critical losses because of immediate physical concerns, such as the loss of front-door lock access or home-security take-over. Many of these devices are used in healthcare for patient vital monitoring and other high-risk situations. IoT devices are generally used throughout a large, interconnected network, with many also being portable, leading to the potential exposure of multiple networks.


Many users possess 10 or more interconnected IoT devices, challenging analysts and professionals in managing the complex web of connected features and configurations. NDR empowers organizations to manage these devices by overseeing their network activity, rather than focusing on each individual device’s software.



Context Matters

NDR solutions provide context-rich insights into your network, painting a full picture of all activity, including important questions:


NDR forms a powerful team when used in conjunction with a SIEM to provide rich context and validation to detections made within each tool.



Final Thoughts

NDR can be a lighthouse to organizations struggling to maintain a coherent, complete picture of their cyber environment, due to its state-of-the-art ability to detect incoming threats and anomalies that other tools inevitably miss. From behavioral analytics and machine learning to threat response automation, with the addition of NDR, your organization is better protected from evolving threats.

How Do Biometrics Affect Cybersecurity? 

Biometrics 101 

Biometrics utilize your physical characteristics to assess identification matters such as fingerprint scans, facial recognition, retina scans, etc. as a more advanced sector of security. Biometrics is simply defined as a biological measurement or a unique physical characteristic that not even your twin would share. Think of it as you, yourself, being the password. 


The biometrics industry has experienced massive growth and momentum over the last decade as more and more cyber-attacks have placed companies in a position to think through more advanced, alternative security measures such as biometric identification. Totaling upwards of $68 Billion in just five years, this industry doesn’t show signs of slowing. 


Let’s dive deeper into the benefits but also the potential hidden dangers of biometrics in cybersecurity. 


Three Types of Biometric Security 

Biometric security can be grouped into three main subcategories such as: 


Biological biometrics are exactly what they sound; using your biological makeup to use as identifiers for security purposes such as your DNA, tested through fluid samples. 


Morphological biometrics are most commonly used via your laptops, phones, tablets, etc. which include your physical traits like fingerprints and eye/facial shape, which are mapped through different types of security scanners. 


Behavioral biometrics include your walk, speech, and other purely behavioral traits exhibited on a daily basis that give way to succinct patterns. Similar to how interrogators use small microaggressions such as the twitch of a nose, or the quiver of a lip for hints of false testimony. 


Examples of Biometric Security 

While there are many different forms, here are some more common examples: 


Odds are, you have run into many, if not all these biometrics at one point or another, whether that be at the hospital or just using an electronic device. Biometric security can be used in a plethora of different applications from a simple fingerprint scan to access a phone, to the protection of nuclear systems via multiple advanced biometrics such as retina/iris scans. 


Biometrics has seen a stratospheric rise in adoption over many different industries recently, such as:  


While the adoption rates rise, the costs begin to drop for biometrics as to allow mid to small business use and even individual applications are being seen in the market. In days past, only the most high-end phones were equipped with fingerprint scanners but now even the $75 models come fully equipped with this setup. Biometrics are becoming an integral part of everyday life and it seems only inevitable that most businesses will adopt this ideology as well, even on the smallest scale.  




But, Are They Safe? 

Passwords are forgotten every day, subsequently, they are changed just as often, but biometrics stay with you for your lifetime and are unable to be “changed”, so does this mean they are foolproof? Well, not exactly, but extremely close. 


A biometric such as your handwriting or signature can not be stolen, but it can be learned by someone willing to take the time. Similarly, a physiological biometric like face mapping can be stolen through a photograph or some other illegally obtained means of duplication, while this is just a copy, it could still pose potential issues. Even though these biometrics can, in theory, be “stolen”, that does not mean instant access for your attacker since most systems use what’s called “liveness tests”. These tests help prevent and reject any samples of duplicated information such as fingerprints obtained on a piece of tape, or using a photograph of your target to gain entry.  


Many devices and systems have taken extra precautions against the examples listed above; take LG for example. They combine facial and voice recognition along with a heartbeat sensor to ensure a copy of a fingerprint can not be used in the same manner as a live person. The real challenges lie in solely facial scanners which have been successfully tricked by researchers and attackers alike. 


Researchers at the University of North Carolina set up an experiment to hack into facial recognition systems by downloading social media images of the volunteers and using them to construct 3D models of their faces, ultimately breaking into 4 out of 5 systems; a 90% success rate. 


Cloning fingerprints can be done reliably, cost-effectively, and rather quick as a demonstration at the Black Hat Cybersecurity conference showed duplicating a fingerprint using molding plastic or wax in as little as 10 minutes. Biometrics may be the way of the future, but that certainly does not expel risk. 


One more example of that aforementioned risk presented itself after the release of the Iphone 5, when members of the group, Chaos Computer Club, successfully bypassed the new fingerprint scanner by simply photographing the target fingerprint on a glass surface and then using it to unlock the phone. Obviously, technology has well evolved since the Iphone 5’s release, but with that comes the evolution of hackers and attackers hoping to create new ways to slip by these biometric systems. 


Biometric Data Security Concerns 

The more mainstream adoption of biometrics comes with a few data security concerns attached to it. Cybercriminals aim to get their hands on as much personal data as possible and these biometric systems host exactly the kind of information that attackers seek. In 2015, the US Office of Personnel Management was hacked, exposing upwards of 5.6 million fingerprints of official government employees, essentially leaving their identities unlocked for anyone to steal. 


Best practices for storing this type of data result in housing this information on a single device rather than a database no matter the level of encryption, as hackers can breach a system and take any and all data that is not properly secured, whereas breaching a single devices information is much more difficult. 


Ways to Protect Biometric Identity 

Biometric authentication should not be your sole means of protection as multiple means can dramatically increase the safety of your information, such as “liveness tests” like blinking that aren’t able to be duplicated or machined. 


Even more advanced systems have begun implementing add-on features for enhanced security such as age, gender, and height to increase the difficulty of obtaining all of this information legally.  


Two-factor authentication layered with biometric initial access can be a powerful combination and one that is recommended for secured internet devices as to lessen vulnerability.  


Takeaways on Biometrics 

Overall, biometrics continue to dominate the market and look to drastically increase security of systems through combinations of physical/behavioral scans along with other authentication. Utilizing simple, character-based passwords, are becoming a thing of the past as biometric technology continues to evolve. 


Do you trust biometrics and the new realm of biometric tech? Let me know in the comments. 

Cybersecurity Awareness Month | October 2022


Starting 18 years ago, cybersecurity awareness month has magnified into a global effort to educate, inform, and empower everyone to protect themselves online as cyberthreats continue to see dramatic increases over the past decade. As our livelihoods shift predominately online, we become more vulnerable to prying eyes and malicious threat actors. This collaboration between the National Cybersecurity Alliance (NCA) and The Cybersecurity and Infrastructure Security Agency (CISA) helps to limelight crucial tips and steps to remain vigilant wherever you go online.



Here is an excerpt from CISA on this year’s CAM theme:


“This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people . This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers.”


This year’s theme centers on the individual rather than just large companies and organizations to place importance on the role we all play in creating safer online environments. Here are 4 steps that EVERYONE can take, no matter your expertise in cybersecurity:


1. Enable Multi-Factor Authentication
2. Use Strong, UNIQUE passwords
3. Report Suspicious Emails and Activity
4. Keep Your Software Updated





“When we say See Yourself in Cyber, we mean to see yourself in cyber no matter what role you play.” - CISA


You may not have a role in IT or cybersecurity whatsoever, and you may be the least technologically savvy person in your family, but you still have the ability to safeguard your personal and private data!


Here are some tips from the U.S Securities & Exchange Commission:


Be Careful What You Download. When you download a program or file from an unknown source, you risk loading malicious software programs on your computer. Fraudsters often hide these programs within seemingly benign applications. Think twice before you click on a pop-up advertisement or download a "free" game or gadget.


Use Your Own Computer If You Can. It's generally safer to access your online brokerage account from your own computer than from other computers. If you need to use a computer other than your own, you won't know if it contains viruses or spyware. If you do use another computer, be sure to delete all of the your "Temporary Internet Files" and clear all of your "History" after you log off your account.


Don't Respond to Emails Requesting Personal Information. Legitimate entities will not ask you to provide or verify sensitive information through a non-secure means, such as email. If you have reason to believe that your financial institution actually does need personal information from you, pick up the phone and call the company yourself - using the number in your rolodex, not the one the email provides!


Security Tip: Even though a web address in an email may look legitimate, fraudsters can mask the true destination. Rather than merely clicking on a link provided in an email, type the web address into your browser yourself (or use a bookmark you previously created).


Be Smart About Your Password. The best passwords are ones that are difficult to guess. Try using a password that consists of a combination of numbers, letters (both upper case and lower case), punctuation, and special characters. You should change your password regularly and use a different password for each of your accounts. Don't share your password with others and never reply to "phishing" emails with your password or other sensitive information. You also shouldn't store your password on your computer. If you need to write down your password, store it in a secure, private place.


Use Extra Caution with Wireless Connections. Wireless networks may not provide as much security as wired Internet connections. In fact, many "hotspots" reduce their security so it's easier for individuals to access and use these wireless networks. Unless you use a security token, you may decide that accessing your online brokerage account through a wireless connection isn't worth the security risk.


Log Out Completely. Closing or minimizing your browser or typing in a new web address when you're done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the "log out" button to terminate your online session. In addition, you shouldn't permit your browser to "remember" your username and password information.


Use your voice this October to advocate for a better understanding of safe, online practices, whether that be to your family, via social media, co-workers, etc. YOU can make a difference in the safety of others online.


More on how you can help: Click HERE