Channel: Adam Kujawa – Malwarebytes Labs

Dell System Detect Vulnerability now classified as a PUP


As of last night, Malwarebytes started detecting a very popular and very vulnerable application as a PUP.

This application, known as Dell System Detect, is pre-installed with many Dell systems. According to research done by Tom Forbes, older versions of Dell System Detect are vulnerable to a serious remote code execution attack.

What this basically means is that anyone with a vulnerable version of the tool (which maintains persistence on the system and therefore is always running) might be directed by an attacker to a specific website designed to exploit the flaw in the program and execute any commands the attacker wishes.

This could potentially lead to malware being installed without user awareness, stolen credentials, damaged system configuration and more.

Thankfully, Dell has since modified this tool based on the research and it is no longer vulnerable, so it is in everyone's best interest to update this tool if they are running a computer designed by Dell.

However, we at Malwarebytes are pretty sure there are a lot of folks who won't know about this vulnerability, so we decided to detect it for the sake of raising awareness.

According to our sources, vulnerable versions of this tool have been seen as early as mid 2012, and most likely even earlier, so anyone with a Dell system purchased a few years ago should take special notice and run a scan ASAP.

To make this easy for the search engines, if you have the following being detected on your system:

PUP.Vulnerable.DellSystemDetect

You are vulnerable to a serious remote code execution attack from cyber criminals. Please update your Dell System Detect software immediately: UPDATE HERE

For more information:

Thanks for reading and safe surfing!


UPDATE NOW: Critical Patch Pushed by Microsoft


Hey Folks,

We wanted to let you know that Microsoft has pushed out a new update in the last 24 hours. Usually updates are held off until “Patch Tuesday” but the severity of the vulnerability they are fixing requires immediate remediation.

The update fixes a serious security flaw found within how Windows products read certain types of fonts.

Basically, all that needs to happen is for an attacker to send you an Office document, or direct you to a specific web page, with a specially crafted font included.

The attack itself targets the Windows Adobe Type Manager Library and how it handles OpenType fonts; at the end of the day it allows for remote code execution and, if the attacker wishes, a full infection of the system.

This is similar to all of the drive-by exploit attacks we warn folks about every week; this time it's just a different kind of vulnerability.

Anyway, the attack can result in infection of the victim system by malware, any type of malware, so it’s imperative to quickly update your system TODAY. This vulnerability has been discovered in all modern versions of Windows so please update if you can.

If you happen to click the above link and don’t see your version, Microsoft has this to say:

"Versions or editions that are not listed are either past their support life cycle or are not affected"

So all of you running XP might be safe or are just not getting updated, I would go with the latter.

Thanks for Reading and Safe Surfing!

Malwarebytes Anti-Malware Now Supports Windows 10


It’s that time again, a new operating system emerges from the Microsoft incubator! While many of you might not get to experience Windows 10 just yet or even in the foreseeable future, we want you to know that when you decide to use it, Malwarebytes has got your back.

The latest versions of our Malwarebytes products support Windows 10! And that includes:

So one of the first things you should do after setting up your new operating system is to download Malwarebytes Anti-Malware. Trust me, the cyber criminals won’t wait until everyone is comfortable with Windows 10 to start targeting folks using it.

To see our CEO Marcin Kleczynski’s forum announcement about this news click here.

To download the latest Malwarebytes Anti-Malware on your new Win 10 system, click here.

Thanks for reading, safe surfing and enjoy the new tech all you early adopters!

Imgur Abused in DDoS Attack Against 4Chan!


So a few of you might have noticed that we started blocking “Imgur.com” which is a popular image sharing website.

The reason we did this is a vulnerability within their code that allowed cyber criminals to load malicious JavaScript code into the browsers of site users. This in turn was used to turn each visitor's system into a DDoS (Distributed Denial of Service) weapon.

The targets of these DDoS attacks were 4chan & 8chan, which are bulletin board style image posting sites.

The identity of the attackers and their motivation are unknown at this time; however, it's likely a group of angry sub-internet dwellers utilizing a flaw in the code of imgur rather than employing a botnet (which is the traditional approach) or an army of equally angry users.

Imgur has since released a statement letting folks know that the bug in the code has been patched and that current visitors should be fine.



However, they also recommend that folks clear the cache of their browsers in case the malicious JavaScript is still loaded and active in the background. There are numerous potential threats associated with allowing this code to run on your system; as described by Lyra883 in a Reddit post, the code can:

  • Transmit your passwords to attackers
  • Become a piece of a giant DDoS
  • Constantly load ads that pay attackers
  • Request edgelord-tier child pornography from a honeypot without your knowledge

Click Here for instructions how to clear your browsing cache and remove the threat.

Click Here if you are comfortable returning to your imgur use but don’t want to disable your Malwarebytes Web Protection.

The below is also a good tip for whitelisting all of the imgur subdomains:

(image of the whitelist entry not available)

Keep in mind that by whitelisting a blocked website, you are doing so at your own risk as Malwarebytes Researchers don’t trust it.

We are working to identify if imgur is once again safe for all users and as soon as we feel confident in that fact we will unblock their site. Please stay tuned for any updates and safe surfing!


UPDATE:

After talking with the staff of Imgur about what they did to fix the problems and prevent them from happening again in the future, we have removed our block and there should be no further issues. Make sure you update to the latest database version to remove the block.

UPDATE 2:

From Imgur:

In short, someone managed to upload an HTML file with malicious JavaScript inside of it that targeted 8chan. The vulnerability is completely patched and it's no longer possible to upload files of that type. Not only was this specific thing patched, but we prevented our i.imgur.com servers from serving anything other than image files. This means that we've stopped the possibility to serve any other JavaScript files like this. No user data such as passwords and e-mails was leaked.

Nice work to Imgur for their quick response and movement on fixing this issue to make sure their users are safe and secure!
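The two halves of the fix Imgur describes, as an added example that is not Imgur's or Malwarebytes' code: decide what an upload is from its own bytes rather than from the client's filename or declared type, and serve stored files with headers that keep a browser from treating them as anything but an image. Function and constant names are assumed, and the samples are constructed.

```python
"""Upload validation and image delivery headers (added example, not Imgur's code)."""

# Magic bytes at offset 0 for the formats an image host would accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's own bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def accept_upload_vulnerable(filename: str, declared_type: str, data: bytes) -> bool:
    """The weak pattern: trust what the client says about its upload.
    An HTML document sent with a .png name or an image/png header passes,
    and once served from the image host it runs in the visitor's browser."""
    return filename.lower().endswith((".png", ".jpg", ".gif")) or declared_type.startswith("image/")


def accept_upload_hardened(filename: str, declared_type: str, data: bytes):
    """Decide from the bytes alone. Returns (accepted, detected_mime_or_reason).
    The stored Content-Type is the detected one, never the declared one."""
    mime = sniff_image_type(data)
    if mime is None:
        return False, "not a recognised image format"
    return True, mime


def serve_headers(detected_mime: str) -> dict:
    """Headers for i.imgur.com-style delivery. Even a polyglot that is both a
    valid GIF and valid script cannot run: the type is fixed, MIME sniffing is
    off, and the CSP sandbox forbids script if it is ever opened as a document."""
    return {
        "Content-Type": detected_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: a minimal PNG header and a harmless HTML document.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
HTML_SAMPLE = b"<!DOCTYPE html><html><body>constructed sample</body></html>"

if __name__ == "__main__":
    print("vulnerable accepts HTML as image:",
          accept_upload_vulnerable("photo.png", "image/png", HTML_SAMPLE))
    print("hardened verdict on HTML:",
          accept_upload_hardened("photo.png", "image/png", HTML_SAMPLE))
    print("hardened verdict on PNG:",
          accept_upload_hardened("anything.html", "text/html", PNG_SAMPLE))
```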

Thanks everyone for following along and as always, safe surfing!


REDACTION: WinRAR Vulnerability


Hey Folks,

We here at Malwarebytes take pride in our ability to find the latest threats that users face on a daily basis, and we do our best not only to block and remove them with our products but also to inform the general public about their danger through our blog.

In a very few cases, we jump the gun in our efforts to explain a threat and end up posting information that hasn’t been thoroughly analyzed.

This is one of those cases.

We want to offer our most sincere apologies to WinRAR for any harm done by our reporting on a post first seen through the Full-Disclosure mailing list; we simply echoed the original reporting.

We have been in communication with WinRAR and have performed our own in-depth analysis of the threat, which identified that what we described in our post was simply a new attack vector that could mask itself as any executable.

Users of WinRAR have nothing to worry about as they are not being targeted nor is the WinRAR product itself malicious or allowing malicious files to be run on the system. We have since removed our post on the subject.

The malware itself would need to be double-clicked by a user (who has not patched their operating system since mid 2014) to be activated.

The best way to protect against this particular threat is to right click on any archive you might come across and open it using its associated tool (i.e. WinRAR) to extract it, as opposed to double clicking the archive.

In addition, make sure you install the latest Windows updates as a previously patched vulnerability in Internet Explorer makes this attack possible.

Thank you for your time and understanding

Safe Surfing!

Adam Kujawa
Head of Malware Intelligence, Malwarebytes

Malwarebytes Named to Deloitte’s 2015 Technology Fast 500!


The Deloitte Technology Fast 500 list ranks North American companies that have had the largest sales growth over the last three years. The list ranks the fastest growing technology, media, telecommunications, life sciences and energy tech companies – both public and private – in North America.

We are honored to have been listed as number 186 on this list and see it as a sign that the world is facing the threat of cyber attacks, malware and digital fraud head on and arming themselves with the tools necessary to fight back.

Also, you should know that while we have had a great year in sales, we will continue to spend every penny we can on the research and development of greater cyber security initiatives, software and operations.

Finally, we want to thank YOU for your continued support and making Malwarebytes that awesome company that it is today!

Safe Surfing!

Deloitte Tech Fast 500 Award


BleepingComputer Defends Freedom of Speech


Hey folks,

Very recently, a very popular and useful website called Bleeping Computer reached out to the community at large asking for help.

See, Bleeping Computer is known for helping out folks remove malware and keep their systems safe, without charging any fee or additional costs, similar to our own support forums.

The content is provided by the volunteer efforts of security professionals and the more than 700,000 registered users who ask and answer all questions presented on the site. To summarize, Bleeping Computer is a valuable resource in the efforts to help users live in a malware free world.


Unfortunately, that all might change pretty soon here. A software development company, Enigma software, is suing Bleeping Computer because of a negative review which was posted on the site about their product, Spyware Hunter. Basically they want BC to take down the post because it makes them look bad.

Now as I mentioned earlier, all of the content on BC is provided by volunteers and the only money the site makes is from advertising, and affiliate advertising (which Malwarebytes participates in for purposes of full disclosure) which goes into server costs and the like. So it’s safe to say that the folks who run BC don’t have the kind of cash to hire a legal team and fight back.

Because of this, BC has called out to the community to help provide whatever they can in an effort to not only help BC hire a legal team to counter Enigma but also to maintain freedom of speech for commenters and reviewers.


Basically, if Enigma can force BC to take down a negative review, that means that they can go after any site asking for the same thing and so could anybody else, which basically overrides the freedom of speech and expression we all currently enjoy online.

Now our CEO, Marcin Kleczynski, has decided to lend a hand and donated $5,000 to their cause because he truly believes in the basic rights of every human to be able to speak their mind and present facts or opinions online without fear of being sued or censored for it.


If you want to help out Bleeping Computer, or just want to show your support by posting on their forums, feel free to check out their case.

Otherwise, we wish BC the best of luck and want them to know that we support them in what they have been and will hopefully continue to do for the security community.

Thanks for reading, safe surfing!

Malwarebytes Wins 2016 Security Blogger Award!


Hey Folks,

So a few weeks ago, Malwarebytes Unpacked won the best corporate blog for 2016 in the Social Security Blogger Awards! Our own Thomas Reed was on the scene to accept the award (pictured below) and I gotta tell ya, it’s gorgeous.


I want to personally thank every single person who voted for us. Without you, this blog, this site, this product wouldn’t be what it is. We work hard to bring you interesting and educational content every week from all over the internet. At the end of the day, we write for you, we post these blog posts to teach you something or to help explain things to folks who don’t read the blog or follow security.

This is the second year that we’ve won this award and we will continue to spend every day repaying your kindness and consideration by pushing out awesome blog posts.

Thanks again folks! Stay safe and safe surfing!

@kujman5000


FBI announcement: paying the ransom is a bad idea


Hey Folks!

So late last year a quote was going around about a comment from the Special Agent in charge of the Cyber Intelligence program for a Boston branch of the FBI, which mentioned that they advise users to just pay ransomware criminals because in many cases, getting the files back by any other method would have been impossible.

Now, the FBI itself never officially made that claim and instead didn't really give an opinion on whether or not to pay after a ransomware infection. Naked Security did a good job covering this story, and despite not having an opinion, the FBI did provide many possible protection measures to avoid ransomware infection in the first place.

Well last Friday, the FBI made a decision and not only did they officially inform the world that they agree, ransomware is getting worse, but also decided to tell folks to not pay the ransom, even if you do get infected.

"The FBI doesn't support paying a ransom in response to a ransomware attack." Said Trainor, "Paying a ransom doesn't guarantee an organization that it will get its data back—we've seen cases where organizations never got a decryption key after having paid the ransom."

Here at Malwarebytes, we always request that users hit with ransomware never pay the criminals, we say this for multiple reasons:

  • There is no guarantee of getting your files back, even if you pay
  • By paying the criminal, it reinforces the behavior of using this attack, ensuring that it will be used again
  • By making it appear profitable, criminals who might otherwise not be involved with ransomware are now learning how to use this tool to extort money from you and your loved ones.

The FBI’s latest statement mirrors our own feelings on the topic and we are glad they decided to announce it.

Look, getting hit by ransomware sucks, we know it just as well as you do (though hopefully you never will) but you don’t kick a grenade into your neighbor’s house just because you accidentally pulled the pin. Ransomware has been a serious threat for a few years now and it’s not going to go away, in fact it will only get worse from here.

Proactive protection is key: you need to back up your files, you need to run software that prevents malware from executing, you need to deploy even more security layers than before and be ready for an attack!

If you still have the mindset that you will never be hit by ransomware, that you know how to avoid it and you don’t need to protect yourself, then fine… Just think about what it would be like to have a grenade come in through your window and blow up your kitchen.

For those of you who are ready to take their protection to the next level, here are a few links that might help you get started. Thanks for reading and safe surfing!

How to beat ransomware: prevent, don’t react

How to protect your business from ransomware

Introducing the Malwarebytes Anti-Ransomware Beta


Introducing the brand new Malwarebytes Labs


Hey folks,

Welcome to the new Malwarebytes Unpacked…err…Labs! It’s new, improved, and bigger than ever. Hope you like it.

So why did we mess with a good thing? We decided that we wanted to provide you with even more opportunities for education, communication, and knowledge. So, we created Malwarebytes Labs, your one-stop shop for everything concerning cyberthreats. Here’s what’s new:

Threat profiles

This new section is like a wiki of threats. Each threat will have its own page that will list relevant information such as a short biography, history, removal, and avoidance procedures. The goal is to make it super easy to find out more about the kinds of malware and attacks that plague you and your family.

The threat profile section is searchable, so it’s easy to find what you are looking for. We plan to link these profiles with stories on the blog, so you can look up background info on the threat while you are reading a post about a new development. This section is “living,” meaning that we’ll update it and add to it all of the time, so make sure you check in frequently!

New categories

We’ve condensed our content into five parent categories that allow us to write for a specific audience based on interest and use. Each parent category has several subcategories on topics ranging from Mac to mobile, so it’s easy to find the information you’re looking for.

We have a new category called "101" just for the basics of computer security. These articles make it easy for you to learn something new or pass the info on to a cybersecurity noob who needs schooling. We also have a category for advanced technical analysis ("Threat analysis"), as well as breaking news in "Cybercrime" and industry updates in "Security world." Finally, you can keep up-to-date on new Malwarebytes products and company announcements in the "Malwarebytes news" section.

If you’re the kind of person that likes everything, don’t worry: we are still offering all of the content (regardless of category) in chronological order, just like we do now. Find that in the “All” section.

Glossary

Have you ever started reading one of our posts and come across a term you didn’t recognize? Well, we now have a glossary of computer security and technology terms. Just like the threat profiles, this section is alive and we are going to be updating it with new terms all the time. We are also going to be linking glossary terms to our blog posts, so it doesn’t take time away from learning about the latest threats.

So that’s it, that’s the new Malwarebytes Labs! We hope veteran and new readers alike enjoy what we have built and will continue building. For those of you who have been dedicated readers for the last four years, I personally want to thank you for your continued support and look forward to making Malwarebytes Labs as great as it can be.

How do you like the new look? Let us know in the comments.

The post Introducing the brand new Malwarebytes Labs appeared first on Malwarebytes Labs.

Analyzing baby ransomware


Ransomware is a serious threat we deal with every day, and a lot of our posts focus on analyzing the technical details of this threat.

It's not every day, however, that we get a chance to take apart ransomware that is still in its early stages of development. Satana, a new Petya-like ransomware, was discovered by our malware hunters and has been torn apart to show you the intricate details of how it works, why it's not done and what we can expect moving forward.

Satana Lock Screen:


Here is a little bit of history: most malware in the wild today is just a copy of another malware family that already exists. In the case of Satana, it's obvious that Petya was the inspiration for a new family of malware to be developed, utilizing many of the same tricks but built in a different way.

Petya Lock Screen:


We see these copycats all the time and usually they don’t deviate too far from the original malware family they are based on.

However, one out of a bunch of copycats might shine brighter than the original inspiration. If you want to think of PC Cyborg as the great-grandfather of ransomware, you can say that all modern ransomware is based on it; you could also say that Cryptolocker spawned the rush of encrypting ransomware we see today.

Will Satana become that family that stands out from all the others and start its own new generation of ransomware or just vanish into obscurity?

Malwarebytes Anti-Malware detects Satana as Ransom.Satana.

Read the analysis here and let us know what you think!

Thanks for reading and safe surfing!


The Day the Internet Died


Okay, so I admit the title is a bit misleading and alarmist, but lots of folks will agree this was a bad day to try and use the internet.

This is because today there was a massive DDoS attack that targeted one of the DNS providers that acts as a backbone for the internet, especially in the western part of the world.

The DNS provider targeted is called “DynDNS” and as mentioned before, acts as a backbone for many western web surfers.

You can read about what happened all over news websites that you can still access.

So rather than rehash everything you can read about from actual journalists, I am here to tell you how to get around not being able to access your favorite sites by changing the DNS settings on your computer. Now be warned, this is moderately technical, and if you happen to make changes that make the problem worse, just walk backwards and undo what you did.

First we are going to be using the DNS servers of OpenDNS which exist for problems like these and is a totally free, awesome service they provide. #GoGoOpenDNS

Access your DNS settings

So in order to use their DNS servers, you will have to modify your DNS settings on your computer, luckily OpenDNS provides assistance on how to get there through their website, so click here to find out.

Here are some shortcuts to the more popular operating systems:

Now, before you modify your DNS settings, if there are already DNS IP addresses listed in your settings, write those down somewhere, just in case you need to put them back if things go wrong.

Did you do it? Okay good.

OpenDNS addresses

Next you are going to be putting in the IP addresses of the OpenDNS servers, which at the moment are:

  • 208.67.222.222
  • 208.67.220.220

And once you have done that, you are done! Press apply and it should hopefully work for you. At this time you should be able to access your favorite sites once again! If not, there is one more thing you can do that might solve your problem.

Flushing DNS

You are going to need to do what is referred to as “Flushing DNS” which basically means that any bad DNS requests or false IP addresses that your system has saved, need to be cleared out so your system can request the new ones from OpenDNS.

Here is a link to 'WhatsmyDNS.net' which can help you with how to do this from nearly every operating system.
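The three steps above (note the current servers, put the OpenDNS addresses in, and put the old ones back if things go wrong) as an added example that is not part of the original post: it works on a resolv.conf-style text (the Linux/Unix layout; Windows and macOS use their own settings screens, which the post links to), so the logic can be checked without touching a real machine. Function names and the sample config are assumed and constructed.

```python
"""Switch resolver config to OpenDNS with a recorded rollback (added example)."""
import ipaddress

OPENDNS_SERVERS = ("208.67.222.222", "208.67.220.220")  # the addresses from the post


def parse_nameservers(config: str) -> list:
    """Current 'nameserver' entries in order; comments are ignored."""
    servers = []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def with_nameservers(config: str, servers) -> str:
    """Rewrite only the nameserver lines; 'search', 'options' and comments survive."""
    for s in servers:
        ipaddress.ip_address(s)  # raises ValueError on a typo before anything is written
    kept = [
        line for line in config.splitlines()
        if not line.split("#", 1)[0].strip().startswith("nameserver")
    ]
    return "\n".join(kept + [f"nameserver {s}" for s in servers]) + "\n"


def switch_to_opendns(config: str):
    """Step 1: write down the old servers. Step 2: put OpenDNS in.
    Returns (new_config, saved_servers) so revert() can undo it exactly."""
    saved = parse_nameservers(config)
    return with_nameservers(config, OPENDNS_SERVERS), saved


def revert(config: str, saved) -> str:
    """Undo the change: restore the servers noted beforehand. With an empty
    list the nameserver lines are dropped so DHCP/the ISP supplies them again."""
    return with_nameservers(config, saved)


# Constructed sample: one existing resolver plus unrelated directives.
SAMPLE_CONFIG = (
    "# constructed sample resolv.conf\n"
    "search home.lan\n"
    "nameserver 192.0.2.1\n"
    "options timeout:2\n"
)

if __name__ == "__main__":
    new_config, old_servers = switch_to_opendns(SAMPLE_CONFIG)
    print(new_config)
    print("saved for rollback:", old_servers)
    print(revert(new_config, old_servers))
```

On Windows the equivalent of the flush step is `ipconfig /flushdns` from a command prompt; the config rewrite above has no Windows counterpart and the GUI steps from the post apply there.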

Conclusion

At this point, if you are still unable to find those sites, either something went wrong with the changes you made, something went wrong with OpenDNS, or something went wrong with the web site you are trying to access. Regardless, go ahead and step backward, either erasing your OpenDNS entries (or double check them) so your ISP can give you the ones they prefer to use OR type in the address you had previously. Then you just wait until everything clears up.

This trick will not only help you in situations like a massive DDoS attack on an internet backbone, but also if something goes wrong anytime your local DNS server decides to stop working for you.

Let us know in the comments if this was helpful or if you would rather just call up a family member to do it for you. Thanks for reading and safe surfing!


Ransomware doesn’t mean game over


Let’s face it. We live in a completely different security world from a decade ago and the kinds of threats we face have taken a new form. This time it’s ransomware. Over the course of just a few years, this threat has evolved from an annoying pop-up to a screen freezer that utilizes disturbing imagery to a sophisticated malicious program that encrypts important files.

New technologies are popping up all the time that combat the ransomware issue, however most (if not all) require active protection before you get infected. But what do you do if your company has already been infected? This article aims to help those who have been hit with encrypting ransomware and are faced with either paying or losing files.

Why is ransomware such a problem?

Ransomware has become a huge problem for businesses because it has been so widely adopted by the bad guys. Why? This is “Game Over” malware, meaning that, at least in the criminal’s eyes, once a user gets infected, there is no recovery option other than paying the ransom. Also, victims actually pay the ransom directly to the criminal, cutting out any need for middlemen or having to sell piles of stolen credit card information on darknet forums.

It works, it’s easy, cost-effective and profitable, which is essentially the driving force of new technology since the beginning of time.

It’s likely that the future of ransomware will include things like blackmail (threats to post trade secrets or company intel online or releasing customer information), more aggressive infection and AV evasion techniques, and better target identification—all techniques that we know how to combat. However, while the news of how to stop the malware is spreading, millions of people are still going to get infected because they didn’t get the memo soon enough.

Real world scenarios

It’s not difficult to wrap your brain around how ransomware could do serious damage to businesses. But how, exactly, do CISOs and other security executives deal with the infection and its aftermath? Let’s take a closer look at three different potential ransomware infection scenarios.

Let's say there are three types of business leaders who deal with computer systems—whether that's a small business owner or a high-level security official at an enterprise company. Each of these leaders has different opinions about computer security. They can be defined as follows:

  1. The prepared one
  2. The reactionary one
  3. The ignorant one

Now don’t get me wrong. I am not using ignorant as an insult, but rather a factual descriptor of someone who doesn’t know or understand cybersecurity. To be honest, some of the stuff in this industry is hard to wrap your brain around, especially for those who aren’t entrenched.

So our three leaders have different points of view when it comes to security and a little later, I am going to describe how each of these people actually deal with a ransomware infection. But first, how do these guys get infected and what kind of data are they going to lose?

Prepared

Our first leader, the prepared one, likes to think that she has done everything in her power to mitigate an attack. She keeps her system up-to-date, utilizes security software and provides employee training on how to avoid things like phishing attacks. Unfortunately, one of the employees visited a popular and well-respected website that was dealing with a malicious advertising attack. The attack launched a zero-day drive-by exploit on a work system. The exploit installed a brand-new family of ransomware, meaning that many types of security software would be unable to protect the system.

This method, while pretty unlikely, can circumvent many security solutions currently in place. And while it won’t take long for the security industry to start detecting and preventing this type of attack, our business leader has had her customer database encrypted by cybercriminals asking for lots of money.

Reactionary

Our next leader thinks that only gullible and ignorant people get infected with malware, and that by avoiding obvious bad places and deleting obvious phishing emails, he can protect his business from a threat. In some cases, he is right. Many threats can be avoided through user education; however, not all of them, and certainly not the ones that cause the most damage.

So without concern, the leader allows his employees to conduct work, check social media and install software on work computers. Then one day, an employee gets an invoice from a local vendor she uses, same as she does every month, but this time, the email address is spoofed and the invoice is actually a script which neuters any security software and downloads malware. Suddenly, that employee has been infected, and since security software has been disabled, all mapped drives get encrypted, basically stealing thousands of dollars of information in just a few minutes.

Ignorant

Our final leader just doesn’t know enough about computers. He has a few terminals set up in his shop, but they are all using either trial security software, or whatever was cheapest at the time. The leader hears about all of these cyberattacks on the news but has no idea how to protect his business. He shrugs it off as not that important—after all, the media does tend to exaggerate, right?

Well in some cases yes, but in others, they downplay a threat. Either way, the leader suffers from what is known as “security fatigue” or the lack of concern that arises after one is bombarded with news about breaches, malware, hackers and other cybersecurity issues. Once security fatigue sets in, the overwhelmed feelings turn to apathy. Our leader is avoiding learning more about protecting his business because he is “over it.”

Unfortunately for the leader, one of his employees downloaded a malicious torrent online, thinking it was a movie, and decided to watch it on a company system during his lunch break. Now, all of the networked systems in the shop are encrypted, but the most damaging is a folder that keeps all his business secrets, such as recipes for a secret sauce or blueprints.

Three disasters, three options

So our leaders are all infected with ransomware, each one having been hit in different ways and each losing various kinds of data. Now what are they going to do? While these three each have a different stance on how to deal with cybersecurity before the infection, they also have different methods for handling the aftermath of the attack. You can use these as well if you happen to find yourself in their shoes.

Option 1: Backups

Our prepared business leader had the foresight to keep regular backups of her customer database, which means that after infection, all she had to do was clean the systems using recently-updated security software and then restore the backup. Only a day’s worth of data was lost.

Now, the thing to be concerned about when it comes to backups is your system identifying a change in a file and deciding "Hey, I need to upload this!", which in turn means that you are now polluting your backup with encrypted data. So make sure you keep some kind of file history enabled in your backup solution so you can revert to a previous backup if necessary. Also, utilize off-site and/or cloud backups rather than storing everything on a network drive, since many ransomware families are capable of reaching through mapped connections and connected drives to encrypt files outside of the victim HD.

If you have the forethought to properly utilize backups, bully for you! You are the ransomware authors’ worst nightmare. If everyone followed your example, ransomware would be dead by now.

Option 2: Decryption

Our second leader didn’t think he would ever be infected with ransomware because, in his words, “Only ignorant people get infected.” Joke’s on him: He got spear phished!

Now the reactive measure to most malware infections is basically downloading some kind of security software, running a scan and removing the threat. In many cases, this works because other forms of malware need to install, reach out to a remote server to get commands, and then exfiltrate data or launch a DDoS attack, which is a time-consuming process that you can stop by simply removing the malware.

Ransomware isn’t that nice. If you get hit once, your files are encrypted and there is nothing you can do about it—or so many people think. Thanks to the diligent efforts of our information security community, there are actually many decryptors available online. This software, when matched with the correct ransomware family, can decrypt files for free.

There is, however, a problem. Not all ransomware families have had decryptors created for them, and in many cases, people are unable to create decryptors because the ransomware is utilizing advanced and sophisticated encryption algorithms. Then, even if there is a decryptor, it’s not always clear if it’s for the right version of the malware. You don’t want to further encrypt your files by using the wrong decryption script.

However, lots of security companies are coming together to create more decryptors; in fact, one of those multi-group efforts is NoMoreRansom.org. These efforts make it easier for folks infected with encrypting ransomware to get their files back without the need to pay. In many cases, you can identify and confirm the family of ransomware you are dealing with by looking closely at the ransom note.

Petya ransom note

In the above example, you can see the ransom note actually tells you that it’s Petya ransomware. However, when the note doesn’t call attention to its ransomware family name, you can look at the extension name of your encrypted files.

Notice in the below screenshot that an encrypted file has been renamed with the extension “.zcrypt” which is the name of this ransomware family.

Encrypted file renamed with the .zcrypt extension

If the ransom note doesn’t tell you its family name and there is no extension added to your encrypted files, then look for some unique value, string of words, or number in the ransom note or the malware’s code that could be used, with the assistance of a search engine, to identify what you are dealing with.

EDIT: You could also skip all of this if you head over to ID Ransomware by the Malware Hunter Team and upload the ransom note or one of your encrypted files and it will tell you exactly what you are dealing with.

After that, enter the name of the ransomware and ‘decryptor’ into a search engine; you should hopefully find some good results.

Option 3: Negotiate

Let’s say that you didn’t have the foresight or means to create regular backups of your data. Let’s also say that you have encountered a ransomware family that either doesn’t have a decryptor available, or you don’t have the technical means to use one. If either is true, it’s likely you would be in the same boat as our third leader.

So in this case, rather than pay a king’s ransom to get all your files back, you can pay a smaller amount by identifying a particular system or set of files that you need more than others, then negotiating with the attacker using whatever e-mail address might be listed on the lock screen or, in some cases, the support page for the ransomware. At the end of the day, the bad guys just want to get paid, which means that historically they have been open to negotiating and returning a few files for a smaller amount of profit.


To be absolutely clear, I do not endorse or support paying cybercriminals the ransom. However, it has to be understood that for some folks, the loss of files would be far more damaging than just paying the ransom fee.

Conclusion

So there you have it: the three methods, outside of utilizing modern anti-ransomware security software to prevent infection, that can help you recover from a ransomware attack. They might not be absolute solutions, but anything is better than losing valuable data to cybercriminals. Maybe knowing how disappointing the recovery methods are for a ransomware attack will motivate some folks to actually use proactive protection and anti-ransomware technology, which remains the best option for fighting ransomware infection—not allowing the malware to encrypt your files in the first place.

The post Ransomware doesn’t mean game over appeared first on Malwarebytes Labs.

WannaDecrypt your files? The WannaCry solution, for some

We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry/WannaCrypt/wCrypt. There is a catch though, it only works for the following operating systems:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 7

So if you’ve got a WannaCry infection on one of the above operating systems, there is hope!

IMPORTANT:

The decryptor is only going to work if you haven’t restarted the infected system and you haven’t killed the ransomware process (should be wnry.exe or wcry.exe) so please don’t restart or kill the process if you want to get those files back!

Usage

In order to use this tool, you first need to download it from here.

This tool searches the memory of the running ransomware process for the prime numbers that make up the RSA private key and reconstructs the key from them. However, it relies on what is currently in memory, so once you reboot the key will be gone, and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it has been overwritten by data from other applications using the same memory space).
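The reason the tool only works while the process is alive and its memory untouched is easiest to see in code. The following is an added example, not the Wanakiwi or WannaKey source: it builds a constructed “heap” with one RSA prime embedded little-endian, scans for any window that divides the public modulus, and rebuilds the private exponent from it. It assumes a toy key with 17-bit primes so the arithmetic is readable; real WannaCry keys are 2048-bit RSA, but the method is the same.

```python
"""Why Wanakiwi needs the live process: a toy reconstruction of an RSA
private key from primes left behind in memory.

Added example, not the Wanakiwi or WannaKey source. It assumes a toy
key with 17-bit primes so the arithmetic is readable; real WannaCry keys
are 2048-bit RSA, but the method is the same.
"""
from __future__ import annotations
from typing import Optional

# Constructed toy key. 65521 and 65537 are both prime (65537 is a Fermat prime).
P, Q = 65521, 65537
N = P * Q            # public modulus: still on disk, so the tool knows it
E = 17               # public exponent, coprime with (P-1)*(Q-1)
PRIME_BYTES = 4      # byte width of one prime in this toy key

# Constructed filler standing in for unrelated heap data.
FILLER = bytes(range(64))


def make_fake_heap(prime: int) -> bytes:
    """Constructed 'process memory': filler with one prime embedded
    little-endian, which is how Windows CryptoAPI stores key material."""
    return FILLER + prime.to_bytes(PRIME_BYTES, "little") + FILLER[::-1]


def find_prime_factor(memory: bytes, n: int) -> Optional[int]:
    """Slide a window over memory; any window that decodes to a non-trivial
    divisor of n must be one of the two private primes. Trial division by
    every candidate is cheap, which is why the search is feasible at all."""
    for off in range(len(memory) - PRIME_BYTES + 1):
        cand = int.from_bytes(memory[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(memory: bytes, n: int, e: int) -> Optional[int]:
    """Recover d = e^-1 mod (p-1)(q-1) once one prime is known. The real
    tool goes on to rebuild the full CryptoAPI private key blob; here the
    private exponent is enough to decrypt."""
    p = find_prime_factor(memory, n)
    if p is None:
        return None          # prime already overwritten: reboot, or heap reused
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+


def decrypt(ciphertext: int, d: int, n: int) -> int:
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    heap = make_fake_heap(P)
    d = rebuild_private_exponent(heap, N, E)
    secret = 123456                      # stands in for a per-file AES key
    c = pow(secret, E, N)                # what the ransomware would store
    print("recovered d:", d, "decrypted:", decrypt(c, d, N))
```

Passing a memory image with no surviving prime (the last assertion below) returns nothing, which is the “took forever and never found the key” outcome from the tests later in this post.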

To run it, download the linked file (above) and extract the .zip to a folder on your desktop (if you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory).

Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).

The tool will automatically find the WannaCry process on the system if it is called wnry.exe or wcry.exe, but if for some reason it can’t find it, check the running applications on your system (Task Manager/Process Explorer), find the offender (it’s pretty obvious), note its process identifier (PID), and pass that on the command line after wanakiwi.exe.

It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it’s found the tool is going to start searching your system for encrypted files and decrypt them automatically.

Fallout

After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.

Here are some possible next steps:

  • Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.
  • Restart the computer to finish clean-up.
  • Find all the most important files you want to keep and move them to some form of backup.
  • Wipe the system and reinstall Windows.
  • OR you can just go through your system looking for all files with the .WNCRY extension and delete them.

Background

The original memory-scanning, prime-number-searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi, developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!

We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. You might remember Matt from his assistance in stopping a variant of WannaCry released last week by registering the killswitch domain.

Effectiveness

We didn’t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

  • My first test worked like a charm.
  • My second test with a new profile (for taking screenshots for this post) couldn’t actually launch the malware.
  • My third test launched the malware, but the decryptor took forever and eventually never found the key.
  • My fourth test worked like a charm again (original profile).
  • Some of our other researchers tried it and were unable to get the tool to find the key.

Conclusion

This tool was put together very quickly; it’s meant to help those it can help, and that is likely not everybody. I wouldn’t recommend counting on being able to decrypt with this tool if you get hit, because either:

  • You are likely going to be unable to recover the key, OR
  • The malware will be modified to clean up the running memory or force a reboot after install, making the tool ineffective

But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn’t already broken so it’s worth a shot just to see if you can get those files back.

That being said, once again big thanks to @adriengnt, @gentilkiwi & @msuiche for their hard work, information spreading and ingenious development skills.

Let us know in the comments if this tool worked for you (and your configuration too!)

Why is Malwarebytes blocking CoinHive?

If you’ve encountered a Malwarebytes web protection block for coinhive.com over the last few weeks, you are either glad about it, angry about it, or don’t really care. Since September 19, the second most frequently blocked website for our customers has been coinhive.com, and when we observe that immense amount of blocking (over 130 million blocks in a few weeks), we try to explain why we are doing what we are doing.

This post will describe what CoinHive is, what it is doing, and why we are blocking it. We’ll even tell you how to exclude this from your instance of Malwarebytes, if you decide to do so.

What is Cryptocurrency mining?

Do you remember when Bitcoin first came out? It was under the radar for a while—mainly hobbyists and folks involved in the development of the cryptocurrency platform paid attention to it. After a few years, Bitcoin (BTC) became more and more popular, leading to the emergence of an army of Bitcoin miners. “Miner” is a term used primarily to describe software or hardware (and those that use it) created and used for the sole purpose of crunching numbers for the cryptocurrency and in return being given a small share of the currency.

A lot of people got involved in BTC mining, which resulted in a bit of a mixed bag of technologies being created and distributed, and in some cases forcibly installed. A person with the intent and means can run dedicated BTC miners and collect small fractions of currency until they have a decent amount, then exchange the coins for goods, services, or government-backed money (USD/GBP/etc.).

Cryptocurrency miners are usually VERY resource intensive. This is because you are asking your system to do immense calculations it probably wasn’t designed to do, quickly, which is fine if you’ve got the hardware for it. But if you are running a 10-year-old system you bought off the shelf, it could not only decrease the speed and efficiency of your system, but even damage the hardware.

Miner running on system while visiting The Pirate Bay. Notice the 100% CPU Usage

Over the years, we’ve observed miners also bundled with sketchy software and malware, as a means to make more money for the people behind this kind of garbage software. Bitcoin exchange rates have skyrocketed, yet the amount of money that can be earned by mining BTC is incredibly low (because of how many people are also running these miners). In light of this, new cryptocurrencies have popped up.

Here is a list of the most popular cryptocurrencies back in July 2017, according to an article on Mashable:

  • Bitcoin
  • Ethereum
  • Litecoin
  • ZCash/Monero
  • Tezos

These are the most popular, and therefore the most valuable, because there has been heavy investment in their growth. It is no surprise then that more than one of these cryptocurrencies have had miners put in places they didn’t belong.

What is CoinHive?

CoinHive is a service that provides cryptocurrency miners you can deploy on your website using JavaScript. The coin of this particular realm is Monero (mentioned above), and it touts the claim that JavaScript miners are an alternative to advertising revenue.

It offers API access for website owners to deploy a miner on their site, have it communicate with the CoinHive remote server and, unfortunately, allow the miners to be run on user systems, without user permission.

Why are we blocking it?

We do not claim that CoinHive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.

The reason we block CoinHive is because there are site owners who do not ask for their users’ permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing power the user running the miner wants to devote to it. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow your computer experience to a crawl.

Another torrent site running a Monero miner in the background, once again 100 percent CPU usage for visiting a website

Either way, for those that know about cryptocurrency miners and especially JavaScript versions of them, this may be a technology you want to see more of. If so, we include instructions on how to add an exception for CoinHive. However, for those that do not know about this kind of technology, its purpose, or what it could do to their system, we are not comfortable allowing greedy website owners to abuse these users and so, we block it.

How to add an exception

At Malwarebytes, we want to arm our users with knowledge about threats and the tools to protect themselves from those threats. However, we are not in the business of censoring or restricting access to something people want to use. For cases like CoinHive, it’s kind of a gray area, so in addition to telling you why we block this site and the danger associated with it, we will also tell you exactly how to get around our block.

Step 1: exclusion tab

Inside Malwarebytes for Windows, in the Settings area, there is a tab for exclusions. You can navigate there manually or, after trying to reach coinhive.com, you can just click on the Managed Exceptions button at the bottom of the notification.

Step 2: select exclusion type

Your next step is to select what kind of exclusion you want to make. You’ll be able to allow anything from applications to websites and even exploits! Select the Website Block radio button and press Next.

Step 3: add exclusion

Finally, Malwarebytes will ask you for the website URL or IP address of the site you want to exclude. For CoinHive, you’ll need to exclude the website as well as the associated IP address.

Step 4: rinse and repeat

As I mentioned, you’ll need to add an exclusion for both the CoinHive URL and the IP address associated with its domain name. So please add exclusions for the following:

  • coinhive.com
  • 94.130.90.152

After you complete adding the exclusions, your exclusion list in the Malwarebytes interface should look like this:

Step 5: testing

Your final step is to actually navigate to coinhive.com and make sure it’s not being blocked. If it is, go back in and check the settings to make sure you entered the URL and the IP address correctly. I tested this myself and it works. If you’ve done everything correctly, you should be able to navigate to the CoinHive website and also use the miners, even with full Malwarebytes protection enabled.

For more information about adding exclusions to your instance of Malwarebytes for Windows, please check out this Knowledge Base article we’ve written that guides you through every type of exclusion.

We hope some of you who are upset about our detection will understand why we decided to block this and similar websites after reading this article. We know there is a lot of controversy over not only this case, but mining technology in general, and moving forward we need to make sure we use it responsibly and securely. All new technologies have growing pains. The key is to make sure to learn lessons from the past, ensure that technology is secure and that the spirit of why it was created in the first place continues on in new evolutions.

We watched as the advertising industry evolved in such a way that made it easy for cybercriminals to use their platforms to attack users. We really don’t want to see miners go down the same path, and we hope it isn’t too late already.

Thanks for reading, safe surfing, and catch you next time!

Other mining sites we block

  • coinnebula.com
  • crypto-loot.com
  • ws03.coinnebula.com
  • ws02.coinnebula.com
  • ws013.coinhive.com
  • ws012.coinhive.com
  • ws014.coinhive.com
  • ws008.coinhive.com
  • ws030.coinhive.com
  • xmr.pool.minergate.com
  • ws009.coinhive.com
  • ws011.coinhive.com
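A small model of the behaviour described in the exclusion steps and the block list above, as an added example (not Malwarebytes code): a domain-suffix matcher where a blocked registered domain also covers its subdomains, user exceptions win over the block list, and an IP address needs its own exception because a hostname exception does not extend to it. The host and IP lists are the ones named in this post; the matching logic is an illustrative reimplementation, not the product’s.

```python
"""Domain-suffix block matcher with user exceptions.

Added example, not Malwarebytes code. The blocked hosts and the IP are the
ones listed in this post; the matching logic is illustrative only.
"""
from __future__ import annotations
import ipaddress

# Blocking a registered domain also covers its subdomains, so the
# ws0xx.coinhive.com and ws0x.coinnebula.com entries fall under these.
BLOCKED_HOSTS = {
    "coinhive.com",
    "coinnebula.com",
    "crypto-loot.com",
    "xmr.pool.minergate.com",
}
BLOCKED_IPS = {"94.130.90.152"}   # IP named in the exclusion steps above


def _labels_match(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it. The label
    boundary is respected, so 'notcoinhive.com' does not match 'coinhive.com'."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def is_blocked(target: str, exceptions: set[str] | None = None) -> bool:
    """Decide whether a hostname or IP literal should be blocked. Exceptions
    are the user's exclusion list and override the block list, as in the UI
    steps; a hostname exception never covers the IP, hence step 4 above."""
    exceptions = exceptions or set()
    target = target.lower().rstrip(".")
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        if target in exceptions:
            return False
        return target in BLOCKED_IPS
    if any(_labels_match(target, exc) for exc in exceptions):
        return False
    return any(_labels_match(target, blocked) for blocked in BLOCKED_HOSTS)


if __name__ == "__main__":
    for host in ("ws012.coinhive.com", "notcoinhive.com", "94.130.90.152"):
        print(host, "blocked" if is_blocked(host) else "allowed")
```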


Emotet on the rise with heavy spam campaign

The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we’ve seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: Emotet.

However, over the last few days, we’ve noticed a large increase in malicious spam spreading Emotet, as well as a higher number of detections from our customers. Looks like we’re in the middle of an active Emotet campaign.

What is Emotet?

For those who are unfamiliar, Emotet is a nasty piece of malware that has had numerous purposes over the years, including stealing data and eavesdropping on network traffic. For its latest trick, Emotet is spreading other banking Trojans, or malware that steals your financial information, bank logins, and in some cases, Bitcoin wallets.

Emotet has the ability to propagate through a network by using the popular EternalBlue vulnerability, first seen in use in the famous WannaCry ransomware outbreak. This functionality makes the malware even more dangerous to businesses, which have numerous endpoints linked together.

Once a system is infected, Emotet can then spread itself outside the network via a built-in spam module. Imagine an Emotet-infected endpoint as a flower. Emotet’s spam module, then, would be the bees that spread pollen from flower to flower. The spam module sends new infections to other systems, which (if the users fall victim) creates even more new infections, which then blast spam to even more systems. And the process continues again.

Now, accelerate our metaphorical pollination process by at least 1000x, and you can begin to see how Emotet is quickly making a lot of…um, flowers…for businesses.

Spam campaign

Recently, the security community noticed an increase in malicious spam either spreading Emotet or coming from systems infected with Emotet. In addition to Emotet, this malspam campaign is also pushing Trickbot, a popular information-stealing malware that we spoke about last year when it was found to contain (then unused) code exploiting the same vulnerability as WannaCry.

This spam campaign is pushing malicious documents to users: first Microsoft Word documents with malicious macro scripts and then PDFs with built-in malicious scripts. This method of attack (malspam), using these specific file types (malicious documents), has become the de facto method of spreading malware today.

Malicious spam emails that are spreading Emotet and Trickbot right now have similar subject lines. Below is a list of common subject lines for this campaign:


Sales Invoice Account
September Invoice **** from ****
Statement 20/09/2018 for customer ****
Your Invoice: **** - Our Ref: ****
Account Alert - Your recent Wellsfargo payment notice
Activity Alert: Money transfer details
Activity Alert: Your recent payment notification
Payment details
Your recent payment notice
August Invoice ****
Invoice **** from ****
Invoice for August
Invoice **** - ****
Invoice No - ****
Invoice number ****
Invoice **** from **** for Order : ****
Invoices from ****
INV-****
**** Complete invoice ****
**** report: Complete invoice Q7370 - 21 September 2018
OVERDUE INVOICE
Re: Your recent invoice request for your account
Sales invoice from ****
**** Invoice Ready To View
September Invoice INV-B58986 from ****
SERVICE INVOICE
**** Invoice/Credit
**** Statements/Invoices Ready To View
Your **** Invoice for billing period 08/2018

Increase in stats

In addition to the increase of malspam spreading Emotet, we’ve also observed an increase in Emotet detections from our users. The chart below shows a five-month period, from mid-April to mid-September 2018, broken down by day. You can see a steady increase of Emotet through the end of the summer into September, with the largest spike in Emotet detections happening only a few days ago. While this is not a sign that it will rain Emotet, when you combine that spike with the known ability of Emotet to spread itself quickly and efficiently, we could be in for some nasty infections over the weekend.

Despite its ups and downs—Emotet has not seen a continuous rise over the past year, though there was a similar massive Emotet and Trickbot campaign earlier in 2018—Emotet has been a bit of a thorn in the side of the security community for most of the year. That’s because when it is active, it has potential to do a lot of damage.

How much damage? Emotet is dangerous not only because of its capabilities to spread like wildfire and steal sensitive financial data, but also because it can download and install additional malware, which leaves the door open for anything coming through, from spyware to ransomware. Potential fallout could include:

  • Theft of Personally Identifiable Information (PII), which could lead to identity theft 
  • Stolen financial information, which can later lead to extortion
  • Stolen proprietary information, which can be held for ransom
  • Credential theft, which means other accounts and passwords are vulnerable
  • Theft of locally-stored cryptocurrency wallet
  • Protracted remediation times for network admins
  • Loss of productivity for workers whose endpoints must be taken off the network

Stay protected

Staying safe from the current Emotet campaign is not particularly difficult, since it is spread through malicious spam. However, users who don’t have a keen eye or have little training in common phishing techniques might fall victim. One of the easiest ways to stay protected against Emotet is simply to keep a keen eye out for shady emails, especially if they have one of the subject lines mentioned above, include an Office document or PDF attachment, and come from unrecognizable email addresses. However, when it comes to social engineering, there is no guarantee someone won’t be fooled.
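The three indicators in the paragraph above (a campaign subject line, an Office or PDF attachment, an unrecognised sender) turned into a mail-triage rule, as an added example that is not Malwarebytes code. It takes a handful of the subject templates listed earlier in this post, treating each `****` as a wildcard, and runs them over constructed sample messages; the `Message` class and the `known_senders` set are assumptions of the example, standing in for whatever your mail gateway or SIEM exposes.

```python
"""Triage rule for the Emotet malspam campaign described in this post.

Added example, not Malwarebytes code. Subject templates are taken from the
list earlier in the post (**** is a wildcard); the sample messages, the
Message class and the known_senders set are constructed for the example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# A few of the subject templates listed in the post; **** is a wildcard.
SUBJECT_TEMPLATES = [
    "September Invoice **** from ****",
    "Statement 20/09/2018 for customer ****",
    "Your Invoice: **** - Our Ref: ****",
    "Invoice **** from **** for Order : ****",
    "Invoice No - ****",
    "Account Alert - Your recent Wellsfargo payment notice",
    "OVERDUE INVOICE",
]
# Attachment types the campaign uses as lures: macro documents and PDFs.
LURE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".pdf"}


def template_to_regex(template: str) -> re.Pattern:
    """Escape the literal text, turn each **** into a non-greedy wildcard,
    and anchor both ends so 'OVERDUE INVOICE reminder' is not a match."""
    parts = [re.escape(p) for p in template.split("****")]
    return re.compile("^" + ".+?".join(parts) + "$", re.IGNORECASE)


SUBJECT_PATTERNS = [template_to_regex(t) for t in SUBJECT_TEMPLATES]


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)


def triage(msg: Message, known_senders: set[str]) -> dict:
    """Return which indicators fired. 'verdict' is True when a campaign
    subject coincides with a lure attachment; the sender check is reported
    separately because Emotet's spam module also sends from infected
    (and therefore recognisable) contacts."""
    subject_hit = any(p.match(msg.subject.strip()) for p in SUBJECT_PATTERNS)
    lure = [
        a for a in msg.attachments
        if "." in a and "." + a.rsplit(".", 1)[1].lower() in LURE_EXTENSIONS
    ]
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    return {
        "subject_match": subject_hit,
        "lure_attachments": lure,
        "unknown_sender": sender_domain not in known_senders,
        "verdict": subject_hit and bool(lure),
    }


if __name__ == "__main__":
    # Constructed sample, not a real message.
    sample = Message("billing@example-unknown.test",
                     "September Invoice 48213 from ACME Ltd", ["INV-48213.doc"])
    print(triage(sample, {"corp.example"}))
```

The rule is deliberately narrow: a matching subject on its own is a weak signal (invoice subjects are common), but the combination with a macro-capable document or PDF from outside the organisation is what the post describes, and it is cheap to run at the gateway before the attachment ever reaches a user.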

Thankfully, even if they open the email and download the document, Malwarebytes users (both those who purchased Malwarebytes Premium and business customers) will be safe from the malicious code within the document, as our anti-exploit technology identifies the malicious script and puts a stop to it.

Also, users that have real-time protection enabled will have the malware itself blocked if it somehow manages to get through the anti-exploit defenses.

Another way to stay safe: Make sure systems are patched for the EternalBlue vulnerability, which is still exploitable—preferably before encountering this threat.

Malwarebytes has worked hard to keep an eye on this threat, and more importantly, how to stop it. Emotet is a mean adversary, and we expect to continue dealing with it through the rest of the year, as well as any future evolutions or copycats.

That being said, making sure you, your family, and your employees know how to recognize emails attempting to deliver Emotet—or any other threat—is a key pillar in the fight against cybercrime, right alongside having a strong security solution and a “worst case scenario” plan to protect your data and users and to remediate your machines.

Thanks for reading, good luck out there, and safe surfing!

Ryuk ransomware attacks businesses over the holidays

While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.

For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.

Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.

So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?

What is Ryuk?

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Despite a successful infection run, Ryuk itself possesses functionality that you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By doing this, the attackers could disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.

Ryuk “polite” ransom note

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.

Ryuk “not-so-polite” ransom note

Similarities with Hermes

Researchers at Check Point have already conducted deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.

Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.

When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.

The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, which is the name of a popular South Korean security software vendor.

If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.

We’re not so sure about that.

Notable attacks

Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).

One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.

Infection method

According to Check Point and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.

Stats

Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.

Malwarebytes’ detections from August 1, 2018 – January 2, 2019

The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.

The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.

Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.

That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection during an earlier stage of the attack, and the circumstances for a Ryuk attack need to be just right—like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also be the reason behind the huge ransom payment, as fewer infections lead to fewer payouts.

Christmas campaign

While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.

The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.

Malwarebytes’ Ryuk detections December 5, 2018 – January 2, 2019

These spikes show that significant attacks occurred on December 24 and December 27.
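The two starred days can be picked out of a detection series mechanically, which is useful for anyone watching their own telemetry for the short bursts this post describes. The script below is an added example, not Malwarebytes' own tooling, and its daily counts are constructed to mirror the shape of the Ryuk chart (a low baseline with outliers on December 24 and December 27, 2018); the spike rule compares each day against the median of the preceding week so that one burst does not hide the next one a few days later.

```python
"""Pick out detection spikes in a per-day telemetry series.

Added example (not Malwarebytes' own tooling): the counts below are
constructed to mirror the shape of the Ryuk chart in the post, with a low
daily baseline and two outlier days, December 24 and December 27, 2018.
"""
from datetime import date, timedelta
from statistics import median


def constructed_ryuk_series():
    """Constructed daily Ryuk detection counts, Dec 5, 2018 to Jan 2, 2019.
    The baseline cycles through small values; the two spike days are set
    explicitly. Real telemetry would come from a detection database."""
    start, end = date(2018, 12, 5), date(2019, 1, 2)
    baseline = [2, 3, 1, 4, 2, 3, 2]
    counts = {}
    for i in range((end - start).days + 1):
        counts[start + timedelta(days=i)] = baseline[i % len(baseline)]
    counts[date(2018, 12, 24)] = 41   # constructed: Data Resolution attack day
    counts[date(2018, 12, 27)] = 27   # constructed: Tribune Publishing attack day
    return counts


def spike_days(counts, window=7, factor=3.0, min_count=5):
    """Return the days whose count exceeds `factor` times the median of the
    preceding `window` days. The median (not the mean) keeps one spike from
    masking the next one a few days later; `min_count` stops near-zero series
    from flagging, say, three detections after a week of one."""
    days = sorted(counts)
    spikes = []
    for i in range(window, len(days)):
        baseline = median(counts[d] for d in days[i - window:i])
        threshold = max(min_count, factor * max(baseline, 1))
        if counts[days[i]] > threshold:
            spikes.append(days[i])
    return spikes


def weekly_totals(counts):
    """Bucket daily counts into ISO weeks, keyed (iso_year, iso_week).
    A weekly view shows the 'pulse' shape of organization-focused ransomware:
    a quiet baseline broken by short bursts rather than a steady flood."""
    totals = {}
    for day, n in counts.items():
        year, week, _ = day.isocalendar()
        totals[(year, week)] = totals.get((year, week), 0) + n
    return totals


if __name__ == "__main__":
    series = constructed_ryuk_series()
    for d in spike_days(series):
        print(f"spike on {d:%b %d}: {series[d]} detections")
    for key, n in sorted(weekly_totals(series).items()):
        print(f"ISO week {key}: {n}")
```

Run as-is it reports the two constructed spike days and the per-week totals; with real data, feed `spike_days` a `{date: count}` map per family and tune `factor` and `min_count` to the family's normal volume.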

Data Resolution attack

The first attack was on Dataresolution.net, a cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.

According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.

The company assures customers that no user data was compromised, and that the intent of the attack was to hijack, not steal. However, knowing how this malware typically finds its way onto an endpoint in the first place, it’s a good bet that they’ve probably lost at least some information.

Tribune Publishing attack

Our second star represents the December 27 attack, when multiple newsprint organizations under the Tribune Publishing umbrella (now or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.

The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.

Theories

We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.

In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?

Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.

A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.

Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make them the perfect target for a Ryuk infection.

The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.

The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.

Attribution

As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.

Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of, Hermes. How the attackers got the source code is unknown; however, we have observed instances where criminals were selling versions of Hermes on hacker forums.

This introduces another potential reason the source code got into the hands of a different actor.

Identifying the attribution of this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus), is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribune Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts against drawing conclusions from correlations.

Protection

Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?

Let’s focus on specific technologies and operations that are proven effective against this threat.

Anti-exploit technology

The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.

These malicious scripts are macros that, once the user clicks on “Enable content” (usually through some kind of social engineering trick), will launch additional scripts to cause havoc. We most commonly see scripts for JavaScript and PowerShell, with PowerShell quickly becoming the de-facto scripting language for infecting users.

While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.

In addition, using protection technologies such as anti-ransomware adds an immense amount of protection against ransomware infections, stopping them before they can do serious damage.

Regular, updated malware scans

This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.

In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.

Network segmentation

This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.

There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

Evolving threats

This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware families deployed in a single attack chain.

What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

Thanks for reading and safe surfing!

The post Ryuk ransomware attacks businesses over the holidays appeared first on Malwarebytes Labs.

Government shutdown impacts .gov websites, puts Americans in danger


If you are in the United States, then you likely already know that we are on our 24th day of a government shutdown. While it is considered a “partial” shutdown, there are still plenty of government workers who are not being paid or have been sent home, furloughed.

Last week, TechCrunch posted a concerning story about the shutdown, which covered the findings of Netcraft, a UK Internet services company, which discovered that numerous US government websites are now inaccessible due to expired security certificates.

This is a quick post to explain what happened, and more importantly, how cybercriminals will use this situation to their advantage.

Security certificates

We aren’t going to dig deep into how security certificates work for websites, but the gist is that every vendor or organization that uses a website requires a security certificate for users to access their site with trust. Today, a few browsers, like Chrome, require these certificates before they even let users access the websites. You can recognize when a website uses a valid security certificate, usually indicated by a green lock on the URL bar.

The certificate confirms that the identity of the website that you are communicating with is legitimate. In addition, these certificates make it possible for users to establish a secure connection with the web server hosting the site, which is incredibly important when sending financial or personal information over the Internet.

Since some of the most popular browsers won’t even let users visit a website if it doesn’t have a valid certificate, we now have a lot of users who can’t access government websites because the certificates have expired.

Why did they expire?

If a security certificate lasted forever, what would be the assurance that it hasn’t been stolen by criminals who could then use it on their own malicious websites? Because of this, the organization that owns the website must purchase and deploy a new certificate each year. Think of it as a yearly registration fee, not unlike renewing your car tags.

The reason these certificates were allowed to lapse is because no one’s at work renewing them. Apparently, most US government websites maintain their own certificates. This is why not all US .gov websites are down—just a few of them (at least for now). With the partial shutdown, the people in charge of making sure citizens can access their websites by keeping these certificates up-to-date are unable to do their jobs, which eventually leads to users being unable to access these sites at all.
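The lapse the post describes is easy to catch before a browser does: a certificate carries its own expiry date (the `notAfter` field), so a site owner can compare it against the calendar and warn weeks ahead. The script below is an added example, not part of the post or of any government tooling. Its offline checks work on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the certificates and the "today" date in it are constructed (invented hostnames under example.gov, not real .gov certificates); `check_live()` wraps a real connection for actual use.

```python
"""Classify a TLS certificate as expired, expiring, mismatched or fine.

Added example, not part of the post or any government tooling. The offline
checks operate on the dictionary shape that Python's
ssl.SSLSocket.getpeercert() returns, so the constructed certificates below
are enough to exercise them; check_live() wraps a real connection.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed certificates in getpeercert() shape; the hostnames and dates
# are invented and are not any real .gov certificate.
CONSTRUCTED_CERTS = {
    "lapsed": {
        "subjectAltName": (("DNS", "www.example.gov"), ("DNS", "example.gov")),
        "notBefore": "Jan 10 00:00:00 2018 GMT",
        "notAfter": "Jan 10 23:59:59 2019 GMT",
    },
    "about_to_lapse": {
        "subjectAltName": (("DNS", "portal.example.gov"),),
        "notBefore": "Feb  1 12:00:00 2018 GMT",
        "notAfter": "Feb  1 12:00:00 2019 GMT",
    },
    "wildcard": {
        "subjectAltName": (("DNS", "*.example.gov"),),
        "notBefore": "Jan  1 00:00:00 2019 GMT",
        "notAfter": "Dec 31 23:59:59 2019 GMT",
    },
}

# Constructed "today": the 24th day of the shutdown mentioned in the post.
SHUTDOWN_DAY_24 = datetime(2019, 1, 14, tzinfo=timezone.utc)


def cert_expiry(cert):
    """notAfter as an aware UTC datetime; the ssl module stores it as text."""
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry. A single
    leading wildcard label is honoured, as browsers do; it never matches the
    bare parent domain or more than one label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (cert_expiry(cert) - now).days


def check_cert(cert, hostname, now=None, warn_days=30):
    """Return 'mismatch', 'expired', 'expiring' or 'ok'. A mismatch is
    reported first because a valid certificate for the wrong name is exactly
    what a look-alike site would present."""
    now = now or datetime.now(timezone.utc)
    if not hostname_matches(cert, hostname):
        return "mismatch"
    remaining = cert_expiry(cert) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check_live(hostname, port=443, timeout=5, warn_days=30):
    """Live check against a real host (not exercised by the offline demo).
    The default context validates the chain the way a browser would, so an
    expired certificate comes back as ('rejected', 'certificate has expired')
    instead of being inspected after the fact."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message
    return check_cert(cert, hostname, warn_days=warn_days), cert


if __name__ == "__main__":
    for label, cert in CONSTRUCTED_CERTS.items():
        host = cert["subjectAltName"][0][1].replace("*.", "www.")
        print(f"{label:15} {host:22} {check_cert(cert, host, SHUTDOWN_DAY_24):9} "
              f"({days_remaining(cert, SHUTDOWN_DAY_24):+d} days)")
```

Scheduled daily against the list of hostnames an organization owns, `check_live` turns "expiring" into a ticket thirty days out; the "mismatch" result is the same condition a browser flags on a look-alike site that serves a certificate for a different name.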

What’s the problem?

Obviously, not being able to access some government websites is a pain, but is it dangerous? The answer is: yes, because you can bet that cybercriminals are going to take advantage of the situation.

That is why we want to share some vital warnings about how this shutdown may help cybercriminals. Please, share this with everyone you know, at least until the shutdown is over.

Cybercriminals frequently use real-world events to trick users into clicking on a link or opening an attachment. You can look back at a couple of instances where events in Syria directly influenced the actions of cybercriminals, be it state sponsored or otherwise. In another case, the Boston bombing was used to try and scam people. From terrorist attacks to natural disasters, threat actors jump on the chance to exploit episodes of fear and uncertainty.

Fake YouTube page set up to infect Syrian rebels

You can expect that users who are looking for government websites, especially if they offer a service or require personal information or a login to access, are going to find copies of these sites presented as an alternative to access the same website.

Fake Singapore government website. Photo credit: Gov.SG

Users who rely on social services—typically older folks, veterans, or the disabled—will be looking for a way to access the government sites they frequent. When they search for the site, their first link might take them to a dead end, since the security certificate has expired. However, the second or third link might work and take the user to a page that looks exactly like where they want to go.

Classic phishing attack.

What to do about it

The best thing to do right now is share this information with those closest to you so they don’t make a mistake and give away valuable personal info just because the government has issues keeping itself open. Also, be vigilant moving forward, not just in this case but anytime there is sensational news. Don’t just accept what the Internet tells you. Investigate. Think twice. And please, please, when in doubt, do not submit your personal information online.

The bad guys know human behavior, and they know that people can’t help clicking on links that are either convenient or scandalous and sensational. Prove them wrong.

Stay safe out there!

The post Government shutdown impacts .gov websites, puts Americans in danger appeared first on Malwarebytes Labs.

Ransomware isn’t just a big city problem


This month, one ransomware story has been making a lot of waves: the attack on Baltimore city networks. This attack has been receiving more press than normal, which could be due to the actions taken (or not taken) by the city government, as well as rumors about the ransomware infection mechanism.

Regardless, the Baltimore story inspired us to investigate other cities in the United States, identifying which have had the most detections of ransomware this year. While we did pinpoint numerous cities whose organizations had serious ransomware problems, neither Baltimore nor any of the other high-profile city attacks, such as Atlanta or Greenville, was one of them. This follows a trend of increasing ransomware infections on organizational networks that we’ve been watching for a while now.

To curb this, we are providing our readers with a guide on how to not only avoid being hit with ransomware, but deal with the ransomware fallout. Basically, this is a guide on how not to be the next Baltimore. While many of these attacks are targeted, cybercriminals are opportunistic—if they see an organization has vulnerabilities, they will swoop in and do as much damage as they can. And ransomware is about as damaging as it gets.

Baltimore ransomware attack

As of press time, Baltimore city servers are still down. The original attack occurred on May 7, 2019, and as soon as it happened, the city shut down numerous servers on their networks to keep them secure from the possible spread of the ransomware.

The ransomware that infected Baltimore is called RobinHood, or sometimes RobinHood ransomware. When a ransom note was discovered, it demanded a payment of $100,000 or about 13 Bitcoins. Much like other ransomware, it came with a timer, demanding that the victims pay up by a certain date, or the cost of recovering files would go up by $10,000 a day.

RobinHood ransom note, Courtesy Lawrence Abrams & Bleeping Computer

RobinHood ransomware is a newer malware family but has already made a name for itself infecting other city networks, as it did for the City of Greenville. According to a report from the New York Times, some malware researchers have claimed that the NSA-leaked exploit EternalBlue is involved in the infection process; however, analysis by Vitali Kremez at SentinelOne does not show any sign of EternalBlue activity. Rather, the method of spreading the ransomware from system to system involves manipulation of the PsExec tool.

This is not the first cyberattack Baltimore has dealt with recently. In fact, last year their 911 dispatch systems were compromised by attackers, leaving the dispatchers using pen and paper to conduct their work. Some outlets have blamed the city’s historically inefficient network design on previous Chief Information Officers (CIOs), of which there have been many. Two of its CIOs resigned in this decade alone amidst allegations of fraud and ethical violations.

Trends

Baltimore aside, ransomware aimed at organizations has been active in the United States over the course of the last six months, with periodic spurts and massive spikes that represent a new approach to corporate infection by cybercriminals.

The below heat map shows a compounding effect of ransomware detections in organizations across the country from the beginning of 2019 to now.

A heat map of ransomware detections in organizations from January 2019 to present day

Primary areas of heavy detection include regions around larger cities, for example, Los Angeles and New York, but we also see heavy detections in less populated areas as well. The below diagram further illustrates this trend: Color depth represents the overall detection amount for the state, while the size of the red circles represents the number of detections for various cities. The deeper the color, the more detections the state contains. The larger the circle, the higher number of detections in the city.

US map of overall state and city detections of organization-focused ransomware in 2019

When we take an even deeper look and identify the top 10 cities in 2019 (so far) with heavy ransomware detections, we see that none of them include cities we’ve read about in the news recently. This trend supports the theory that it doesn’t require being surrounded by victims of ransomware to become one.

Wherever ransomware decides to show up, it is going to take advantage of weak infrastructure, configuration issues, and untrained users to break into the network. Ransomware is becoming a more common weapon to lodge against businesses than it was in years past. The below chart expresses the massive spike of ransomware detections we saw earlier in the year.

January and February are shining examples of the kind of heavy push we saw from families like Troldesh earlier in the year. However, while it seems like ransomware is dying off after March, we think of it more as the criminals taking a breather. When we dig into weekly trends, we can see specific spikes that were due to heavy detections of specific ransomware families.

Unlike what we’ve observed in the past with consumer-focused ransomware, where a wide net was cast and we observed a near constant flood of detections, ransomware focused on the corporate world attacks in short pulses. These may be due to certain time frames being best for attacking organizations, or it could be the time required to plan an attack against corporate users, which calls for the collection of corporate emails and contact info before launching.

Regardless, ransomware activity in 2019 has already hit a record number, and while we have only seen a few spikes in the last couple of months, you can consider these road bumps between two big walls. We just haven’t hit the second wall yet.

Observations

Despite an increase in ransomware targeting organizational networks, city networks that have been impacted by ransomware do not show up on our list of top infected cities. This leads us to believe that ransomware attacks on city infrastructure, like what we are seeing in Baltimore, do not occur because of widespread outbreaks, but rather are targeted and opportunistic.

In fact, most of these attacks are due to vulnerabilities, gaps in operational security, and overall weak infrastructure discovered and exploited by cybercriminals. They often gain a foothold into the organization through ensnaring employees in phishing campaigns and infecting endpoints or having enough confidence to launch a spear phishing campaign against high-profile targets in the organization.

Real spear phishing email (Courtesy of Lehigh University lts.lehigh.edu)

There is also always a case to be made about misconfigurations, slow updating or patching, and even insider threats being the cause of some of these attacks. Security researchers and city officials still do not have a concrete answer for how RobinHood infected Baltimore systems in the first place.

Avoidance

There are multiple answers to the question, “How do I beat ransomware?” and unfortunately, none of them apply 100 percent of the time.  Cybercriminals spent the better part of 2018 experimenting on novel methods of breaking through defenses with ransomware, and it looks like they’re putting those experimentations to the test in 2019. Even if organizations follow “all the rules,” there are always new opportunities for infection. However, there are ways to get ahead of the game and avoid worst-case scenarios. Here are four areas that need to be considered when trying to plan for ransomware attacks:

Patches

While we did say that EternalBlue likely did not play a part in the spread of RobinHood ransomware, it has been used by other ransomware and malware families in the past. To this end, patching systems is becoming more and more important every day, because developers aren’t just fixing usability bugs or adding new features, but filling holes that can be exploited by the bad guys.

While patching quickly is not always possible on an enterprise network, identifying which patches are required to avoid a potential disaster and deploying those within a limited scope (as in, to systems that are most vulnerable or contain highly-prioritized data) is necessary. In most cases, inventorying and auditing patches should be completed, regardless if the patch can be rolled out across the org or not.

Upgrades

For the last seven or so years, many software developers, including those of operating systems, have created tools to help fight cybercrime within their own products. These tools are often not offered as an update to existing software, but are included in upgraded versions. Windows 10, for example, has anti-malware capabilities built into the operating system, making it a more difficult target for cybercriminals than Windows XP or Windows 7. Look to see which software and systems are nearing end-of-life in their development cycle. If they’ve been phased out of support by an organization, then it’s a good idea to look to upgrading software altogether.

In addition to operating systems, it’s important to at least consider and test an upgrade of other resources on the network. This includes various enterprise-grade tools, such as collaboration and communication platforms, cloud services, and in some cases hardware.

Email

Today, email attacks are the most common method of spreading malware, using either widespread phishing attacks that dupe whomever they can, or specially-crafted spear phishing attacks, where a particular target is fooled.

Therefore, there are three areas that organizations can focus on when it comes to avoiding ransomware infections, or any malware for that matter: email protection tools, user education and security awareness training, and post-email execution blocking.

There are numerous tools that provide additional security and potential threat identification for email servers. These tools reduce the amount of potential attack emails your employees will receive, however, they may slow down email sending and receiving due to checking all the mail coming in and out of a network.

User education, however, involves teaching your users what a phishing attack looks like. Employees should be able to identify a threat based on appearance rather than functionality and, at the least, know what to do if they encounter such an email. Instruct users to forward shady emails to the in-house security or IT teams to investigate the threat further.

Finally, using endpoint security software will block many attempts at infection via email, even if the user ends up opening a malicious attachment. The most effective endpoint solution should include technology that blocks exploits and malicious scripts, as well as real-time protection against malicious websites. While some ransomware families have decryptors available that help organizations retrieve their files, remediation of successful ransomware attacks rarely returns lost data.

Following the tips above will provide a better layer of defense against the primary methods of infection today, and can empower your organization to repel cyberattacks beyond ransomware.

Preparation

Being able to avoid infection in the first place is obviously preferable for organizations, however, as mentioned before, many threat actors develop novel attack vectors to penetrate enterprise defenses. This means that you need to not only establish protection to prevent a breach, but ready your environment for an infection that will get through.

Preparing your organization for a ransomware attack shouldn’t be treated as an “if” but a “when” if you expect it to be useful.

To that end, here are four steps for making your organization ready for “when” you experience a ransomware attack.

Step 1: Identify valuable data

Many organizations segment their data access based on required need. This is called compartmentalization, and means that no single entity within the organization can access all data.  To that end, you need to compartmentalize your data and how it’s stored in the same spirit. The point of doing this is to keep your most valuable (and biggest problem if lost) data segmented from systems, databases, or users who don’t need to access this data on a regular basis, making it more difficult for criminals to steal or modify said data.

Customers’ personally identifiable information, intellectual property, and financial information are three types of data that should be identified and segmented from the rest of your network. What does Larry, the intern, need access to customer data for? Why is the secret formula for the product you sell on the same server as employee birthdays?

Step 2: Segment that data

If needed, you should roll out additional servers or databases that you can put behind additional layers of security, be it another firewall, multi-factor authentication, or just limiting how many users can have access. This is where the data identified in the previous step is going to live.

Depending on your operational needs, some of this data might need to be accessed more than others and, in that case, you’ve got to set up your security to account for it, otherwise you might hurt operational efficiency beyond the point where the risk is worth the reward.

Some general tips on segmenting data:

  • Keep the system with this data far away from the open Internet
  • Require additional login steps, like a VPN or multi-factor authentication, to access the data
  • Keep a list of systems and which users have access to data on which systems. If a system is somehow breached, that is where you start.
  • If you have the time and resources, roll out a server that barely has protection, add data that looks legitimate but, in reality, is bogus, and ensure that it’s vulnerable and easy for an attacker to identify. In some cases, criminals will take the low-hanging fruit and leave, ensuring your actual valuable data remains untouched.

Step 3: Data backup

Now your data has been segmented based on how important it is, and it’s sitting behind a greater layer of security than before. The next step is to once again identify and prioritize important data to determine how much of it can be backed up (hopefully all the important data, if not all the company data).  There are some things to consider when deciding on which tools to use to establish a secure backup:

  • Does this data need to be frequently updated?
  • Does this data need to remain in my physical security?
  • How quickly do I need to be able to back up my data?
  • How easy should it be to access my backups?

When you can answer these questions, you’ll be able to determine which type of long-term storage solution you need. There are three options: online, local, and offsite.

Online

Using an online backup solution is likely going to be the fastest and easiest for your employees and/or IT staff. You can access it from anywhere, use multi-factor authentication, and rest easy knowing it’s secured by people who secure data for a living. Backing up can be quick and painless with this method; however, the data is outside of the organization’s physical control, and if the backup service is breached, that might compromise your data.

Overall, online backup solutions are likely going to be the best option for most organizations, because of how easy they are to set up and utilize.

Local

Perhaps your organization requires local storage backups. This process can range from incredibly annoying and difficult to super easy and insecure.

Local storage allows you to store offline, yet onsite, maintaining a physical security presence. However, you are limited by your staff, resources, and space on how you can establish a backup operation locally. In addition, operational data that needs to be used daily may not be a candidate for this type of backup method.

Offsite

Our last option is storing data on removable hard drives or tapes and then having them stored in an offsite location. This might be preferable if data is especially sensitive and needs to be kept away from the location at which it was created or used. Offsite storage will ensure that your data is safe if the building explodes or is raided, but the process can be slow and tedious. You also are unlikely to use this method for operational data that requires regular access and backups.

Offsite backups are only needed in cases of storing extremely sensitive information, such as government secrets, or if the data needs to be maintained and kept for records, but regular access isn’t required.

Step 4: Create an isolation plan

Our last step in preparing your organization for a ransomware attack is to know exactly how you will isolate an infected system. The speed and method in which you do this could save the entire organization’s data from an actively-spreading ransomware infection.

A good isolation plan takes into consideration as many factors as possible:

  • Which systems can be isolated quickly, and which need more time (e.g., endpoints vs. servers)?
  • Can you isolate the system locally or remotely?
  • Do you have physical access?
  • How quickly can you isolate systems connected to the infected one?

Ask yourself these questions about every system in your network. If the answer to how quickly you can isolate a system is “not fast enough,” then it’s time to consider reconfiguring your network to speed up the process.

Luckily, there are tools that provide network administrators with the ability to remotely isolate a system once an infection is detected. Investing time and resources into ensuring you have an effective plan for protecting the other systems on your network is paramount with the type of threats we see today.

Ransomware resilience

As we’ve covered, there has been a bumpy increase in organization-focused ransomware in 2019 and we expect to see more spikes in the months to come, but not necessarily in the cities you might expect. The reality is that the big headline cities hit with ransomware make up only a few of the hundreds of ransomware attacks that occur every single day against organizations across the country.

Cybercriminals will not obey the rules for how to conduct attacks. In fact, they are constantly looking for new opportunities, especially in places security teams are not actively covering. Therefore, spending all your resources on avoidance measures is going to leave your organization in a bad place.

Taking the time to establish a plan for when you do get attacked, and building your networks, policies, and culture around that concept of resilience will prevent your organization from becoming another headline.

The post Ransomware isn’t just a big city problem appeared first on Malwarebytes Labs.

Would ‘Medicare for All’ help secure health data?

DISCLAIMER: This post is not partisan, but rather focuses on risk assessment based on history and what threats we are facing in the future. We do not endorse any healthcare plan style in any way, outside of examining its data security risk.

For many folks, the term ‘Healthcare for All’ brings up an array of emotions ranging from concern to happiness, and given the changes that come with such a policy, we’re not surprised. However, beyond the usual arguments on this subject, we wanted to ask a different question: Are there any security risks we need to worry about if the United States were to switch to a ‘Healthcare for All’ policy?

To clarify, there are many healthcare-for-all style plans currently on paper, being fine-tuned in Washington and in the minds of politicians. So, for the purposes of this article, we’re referring to ‘Healthcare for All’ plans that are meant to replace, not supplement, private insurance plans, combined with legislation that prohibits private insurance companies from collecting and/or storing patient data.

‘Healthcare for All’ data security

To start, we’re going to examine the government’s track record of securing patient data. Since we aren’t living in a world where ‘Healthcare for All’ exists in our country, we’ll use the data security practices around Healthcare.gov and the department that runs it, the Centers for Medicare and Medicaid Services (CMS), to get a sense of how well patient data might be secured by government departments.

The Healthcare.gov website had a bumpy start back in October of 2013. Numerous issues resulted in only a small percentage of applicants being able to sign up through the website in its first week.

In an article posted by the Associated Press, as well as in independent investigations by the Electronic Frontier Foundation (EFF), it was discovered that Healthcare.gov was sending personal data to third parties: the personal information users had entered ended up in the headers of requests the site made to outside advertising and analytics domains.

Request header sent to third party advertisers, including personal information. Thanks to EFF.org
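To make that mechanism concrete, here is an added Python example (not code from the post or from EFF’s investigation) showing how a query string on a first-party page ends up at a third party, and how to catch it. The request lines, the host names (marketplace.example, tracker.example, analytics.example) and the list of sensitive parameter names are all constructed for the example. The check parses each outbound request and, for requests to hosts outside the first-party set, reports any sensitive parameter carried either in the Referer header or in the third-party URL itself. It also shows what a Referrer-Policy of strict-origin-when-cross-origin buys you: the Referer is trimmed to its origin on cross-origin requests, which closes the first leak path but not the second.

```python
"""Referer/URL PII leak check: constructed example, not from the post or EFF."""
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlparse

# Parameter names treated as sensitive (assumption for the example; tune to the site).
SENSITIVE_PARAMS: Set[str] = {"age", "zip", "income", "smoker", "pregnant", "dob", "ssn", "gender"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a minimal HTTP/1.1 request into (method, request-target, headers).

    Header names are lower-cased; only the request line and headers are read.
    """
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def leaked_fields(raw: str, first_party: Set[str]) -> List[str]:
    """Sensitive parameter names that leave the first party with this request.

    Two leak paths are checked: the Referer header (the first-party page URL,
    query string included, that the browser attaches to every sub-request) and
    the third-party request URL itself (a tracker fed the values directly).
    Same-origin requests are ignored: nothing leaves the site.
    """
    _, target, headers = parse_request(raw)
    host = headers.get("host", "")
    if host in first_party:
        return []
    urls = []
    if "referer" in headers:
        urls.append(headers["referer"])
    urls.append("http://" + host + target)
    found: List[str] = []
    for url in urls:
        for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True):
            key = name.lower()
            if key in SENSITIVE_PARAMS and key not in found:
                found.append(key)
    return found


def apply_referrer_policy(raw: str, first_party: Set[str]) -> str:
    """Rewrite a cross-origin request's Referer down to its origin.

    This is the effect of a Referrer-Policy of strict-origin-when-cross-origin
    on the first-party page (same-origin requests keep the full URL). Values
    the page itself writes into the third-party URL are untouched, which is
    exactly why the policy is not a complete fix.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    host = parse_request(raw)[2].get("host", "")
    if host in first_party:
        return raw
    for i, line in enumerate(lines):
        if line.lower().startswith("referer:"):
            u = urlparse(line.partition(":")[2].strip())
            lines[i] = f"Referer: {u.scheme}://{u.netloc}/"
    return "\r\n".join(lines) + sep + body


FIRST_PARTY: Set[str] = {"marketplace.example"}

# Constructed requests a browser might make while a user fills in a plan finder.
PIXEL = ("GET /pixel.gif?id=42 HTTP/1.1\r\n"
         "Host: tracker.example\r\n"
         "Referer: https://marketplace.example/plans?age=40&zip=90210&smoker=1&state=CA\r\n\r\n")
SAME_ORIGIN = ("GET /api/quote HTTP/1.1\r\n"
               "Host: marketplace.example\r\n"
               "Referer: https://marketplace.example/plans?age=40&zip=90210\r\n\r\n")
DIRECT = ("GET /collect?age=40&zip=90210&ev=step2 HTTP/1.1\r\n"
          "Host: analytics.example\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("pixel", PIXEL), ("same-origin", SAME_ORIGIN), ("direct", DIRECT)):
        print(f"{label:12s} leaks {leaked_fields(req, FIRST_PARTY)}")
    print("pixel after policy: ", leaked_fields(apply_referrer_policy(PIXEL, FIRST_PARTY), FIRST_PARTY))
    print("direct after policy:", leaked_fields(apply_referrer_policy(DIRECT, FIRST_PARTY), FIRST_PARTY))
```

The tracking pixel leaks age, zip and smoker purely through the Referer, so a referrer policy on the page stops it; the analytics call leaks age and zip because the page put them in the URL on purpose, and no browser policy helps there. That second path is the one to look for in a review: it only goes away when the page stops sending the values, or when the form keeps them out of the URL (POST bodies, fragments) in the first place.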

Later, in September 2015, the Department of Health and Human Services (HHS) Inspector General completed a federal audit of CMS and the Healthcare.gov website. Its primary concern was not that patient information had already been compromised, but rather the security of a database called MIDAS that stored a great deal of personally identifiable information about Healthcare.gov users: the database had numerous high-severity vulnerabilities that needed to be patched, and overall, health officials hadn’t applied best practices across the entire system.

Finally, in 2018, the U.S. Government Accountability Office (GAO) reviewed the Centers for Medicare and Medicaid Services to assess its ability to protect Medicare data shared with external entities.

According to HIPAA Journal:

“The study had three main objectives: To determine the major external entities that collect, store, and share Medicare beneficiary data, to determine whether the requirements for protection of Medicare data align with federal guidance, and to assess CMS oversight of the implementation of those requirements.”

It turns out that while there are requirements in place to ensure that certain entities are cleared before accessing this data, some entities aren’t covered by them and could therefore misuse the data they gain access to. Three main groups access Medicare beneficiary data: Medicare Administrative Contractors (MACs), who process Medicare claims; research organizations; and entities that use claims data to assess the performance of Medicare service providers.

Unfortunately, only the clearance processes for MACs and the performance-assessment entities are in line with federal guidance, which is designed to apply to all CMS contractors. Researchers, on the other hand, aren’t considered CMS contractors. In short, the oversight that federal regulation requires for access to this data was applied to only two of the three groups that could access it, so there is no guarantee the data was fully protected.

While we’ve listed numerous instances of government-controlled patient data being put in compromising positions, reports of medical data actually lost from government-controlled systems are rare. I couldn’t find anything that blamed CMS or HHS for a data breach.

Private Insurance data security

The luck of having little, if any, medical data breached despite numerous occasions of unpatched vulnerabilities being identified in Healthcare.gov and its controlling department doesn’t quite extend to the private insurance world.

In July 2019, Premera Blue Cross, an insurance company serving the Pacific Northwest of the U.S., agreed to pay a settlement of over $10 million to numerous state attorneys general. Premera had suffered a massive data breach in 2015 that exposed the data of more than 10 million people. The press release from the Washington State Office of the Attorney General states:

“From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.”

In addition, there were complaints that Premera had misled consumers about the breach and the full scope of potential damage.

In October of 2018, an employee of Blue Cross Blue Shield of Michigan lost a laptop that had customers’ personal medical data saved on it. The company jumped into action and worked with a subsidiary to change the access credentials for the encrypted laptop, and to its knowledge there is no evidence that the patient data was compromised. However, according to CISO MAG:

“The access information includes the member’s first name, last name, address, date of birth, enrollee identification number, gender, medication, diagnosis, and provider information. Blue Cross clarified that the Social Security numbers and financial account information were not included in the accessible data.”

Finally, in 2019, Dominion National insurance identified that an unauthorized party may have been able to access internal servers as early as August 2010! According to a press release:

“Dominion National has undertaken a comprehensive review of the data stored or potentially accessible from those computer servers and has determined that the data may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, as well as individuals affiliated with the organizations Dominion National administers dental and vision benefits for. The servers may have also contained personal information pertaining to plan producers and participating healthcare providers. The information varied by individual, but may include names in combination with addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, and subscriber numbers.“

These were three examples of breaches at actual health insurance companies, not third parties or government-controlled healthcare organizations. In two of these instances, the attacker maintained a foothold on the network for over a year (nine years in Dominion’s case!), and in the third, someone simply lost a laptop full of patient data (the same thing has happened to the Department of Homeland Security and the Department of Health and Human Services over the last few years. We need to just tape our laptops to our bodies like a tourist with a passport!)

Why neither of these is the problem

Okay, so which is it? Is it more secure to entrust our government with control of patient data, or are we in better hands with private insurance companies? The reality is that neither answer matters, because neither is the actual problem.

It’s not so much the organizations we depend on to protect our data that are being breached as the third-party organizations they work with. From mailing services to labs to billing companies, most of our patient data breaches are happening at organizations that have no real need to hold on to our data, which may be why they fail to secure it.

Third party breaches

In September of this year, Detroit-based medical contractor Wolverine Solutions Group (WSG) was breached, potentially compromising the records of hundreds of thousands of patients nationwide. WSG provided mailing and other services to hospitals and healthcare companies. It was hit by a ransomware attack that left data belonging to the patients of numerous healthcare organizations held for ransom.

While the investigation into the attack hasn’t turned up any evidence that data was stolen, WSG President Darryl English told the Detroit Free Press:

“Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information,”

Despite WSG’s belief that no patient data was obtained, the same Detroit Free Press article describes the case of Tyler Mayes of Oxford, who has found numerous fraudulent medical charges on his credit report:

“I haven’t been put under the knife in four years,” he said. “So I had a phantom surgery that not even I knew about? I have received no bills in the mail, and have received no phone calls. I have no emails. They just randomly appeared on my credit report. “I think they’re not letting out as much out of the bag as they’ve got in there,” Mayes said of the Wolverine Solutions Group breach.

In May, Spectrum Health Lakeland started sending letters to about a thousand of its patients because its billing services company, OS, Inc., was breached, resulting in the possible theft of patient names, addresses, and health insurance providers, but not Social Security or driver’s license numbers (the bad guys will have to find those somewhere else, I guess).

According to an article for MLive Michigan that covers the breach:

“Billing services company OS, Inc. confirmed Wednesday, May 8, an unauthorized individual accessed an employee’s email account that held information related to some Spectrum Health Lakeland patients, according to a Spectrum Health news release.”

A successful phishing attack against employees of Solara Medical Supplies, reported in mid-November, led to a breach that lasted almost a year and resulted in the loss of employee names and potentially addresses, dates of birth, health insurance information, Social Security numbers, financial and identification information, passwords, PINs, and all kinds of other juicy data.

However, a bigger concern with the breach of employee email accounts at a third-party vendor is that attackers can use those compromised accounts as staging points to launch further phishing attacks from legitimate Solara employee addresses, which recipients are far more likely to trust.

Finally, disclosures filed with the Securities and Exchange Commission starting in May 2019 revealed that American Medical Collection Agency (AMCA) had been breached for eight months, between August 2018 and March 2019.

Actual numbers of affected patients are still being worked out; however, according to Health IT Security, at least six covered entities have reported that their patient data was compromised by the attack. This includes information on 12 million people who have used Quest Diagnostics and 7.7 million Labcorp patients.

“And just this week a sixth provider, Austin Pathology Associates, reported at least 46,500 of its patients were impacted by the event. Shortly after, seven more covered entities reported they too were impacted: Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX.”

When the known tallies of affected patients are added together, approximately 25 million patients have had their data compromised thanks to this one attack. There are still providers working out the full extent, so you can rest assured that the number is likely to rise.

So, coming back to our original question, it looks like our biggest problem with keeping control of medical data is that it’s spread all over the place! A ‘Medicare for All’ plan may reduce breaches to some extent, because it removes a few of the companies that could hold the data. However, based just on the cases in this article, cybercriminals more often succeed by breaching third-party medical vendors than by going after government or established insurance companies.

What is being done?

If this is your first time hearing about the potential dangers of third-party data sharing, don’t fret, because politicians are on it! A first step toward curbing data theft is to establish an agency specifically for digital privacy, an idea introduced this month by Rep. Anna G. Eshoo [D-CA-18]. The Online Privacy Act of 2019 was introduced in the U.S. House of Representatives in early November.

The purpose of the bill is:

”To provide for individual rights relating to privacy of personal information, to establish privacy and security requirements for covered entities relating to personal information, and to establish an agency to be known as the United States Digital Privacy Agency to enforce such rights and requirements, and for other purposes.”

Online Privacy Act of 2019

Some politicians are against this bill and want the Federal Trade Commission to remain the body responsible for digital privacy; however, we can see how well that is going.

Beyond a new agency for privacy, Senator Mark R. Warner [D-VA] has called for new rules on patient data sharing to include stronger language about establishing controls and security in the development of technologies that give patients greater insight into their Electronic Health Record (EHR). You can read about the legislation called the ACCESS Act on our blog as well.

The proposed rule from the Department of Health and Human Services (HHS) requires insurers participating in CMS-run programs, like Medicare, to allow patients to access their health information electronically. They plan to do this by establishing an Application Programming Interface (API) that third-party vendors can use to obtain the data and make it viewable to the patient.

Sen. Warner, who has been a huge advocate for privacy and security, wrote a letter to CMS asking for a serious focus on the security of that API so it isn’t abused. In the letter he states:

“…I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had a profound impact across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security…”

Senator Mark R. Warner [D-VA]

We don’t know how much these efforts will help in the long run, but we are in a good position to start seriously discussing the dangers of, and solutions to, problems concerning digital healthcare data, specifically its uses and abuses.

The wrap-up

Now that we’ve covered all that, did we answer our question? Does ‘Medicare for All’ have any impact on data security? It looks like the answer is no: regardless of the health plan we use, the data is going to remain vulnerable, in large part because of third-party sharing.

Neither the government nor private health insurers have a perfect score when it comes to data security, and both have been affected by third-party breaches. In the case of private insurance, breaches like the one at OS, Inc. bypassed every effort the healthcare organizations relying on that vendor had made to protect their own patient data. At the same time, government healthcare technology has been riddled with misconfigurations and poor practices that frankly make it a miracle the data hasn’t already been completely harvested by cybercriminals.

The good news is that every attack brings the knowledge of how to avoid one in the future. Our health data is more secure now than any other point of digital healthcare record history, and it’s only going to get better! With the backing of government legislation on the protection of not just medical data, but how it’s transferred and stored, we can turn this whole thing around.

Unfortunately for the millions of patients who have had their personal data stolen and likely stored away in the databases of numerous criminals, and who are likely to deal with fraud and theft because of it for the foreseeable future, we are the broken eggs in this security omelet. Let’s hope the next group fares better.

The post Would ‘Medicare for All’ help secure health data? appeared first on Malwarebytes Labs.
