Americans don’t want their tax dollars paying off ransomware crooks

Ransomware operators have targeted more American institutions than ever this year, including state and local government systems, school districts, healthcare facilities and other entities. And with the payouts circulating in the news, it’s hardly a surprise that their appetite keeps growing. While government officials scramble to strengthen their cybersecurity, taxpayers are angry.

A recent wave of ransomware attacks on state and local government systems across the US has taxpayers up in arms over local officials’ handling of the situation. For example, two cities in Florida, Riviera Beach and Lake City, paid a combined $1 million in June to ransomware operators to regain access to their municipal systems. And ransomware attacks across the nation are crippling medical offices and school systems just as the school year starts.

Nearly 80% of citizens across the US are increasingly worried about ransomware attacks on cities, according to a survey by Morning Consult on behalf of IBM. Taxpayers see ransomware as a threat to both their personal data and their city’s data. Nearly 60% of those surveyed are against their local governments using tax dollars to pay ransoms and would prefer their city face higher recovery costs rather than use tax dollars to pay the attackers.

While the public’s stance is laudable, recovering from a ransomware incident can cost anywhere between $20,000 and $20 million. Atlanta spent $17 million and Baltimore $18 million to recover from ransomware infections after refusing to give in to the attackers’ ransom demands. Considering that attackers typically demand around $400,000 for the decryption keys, it is perhaps no surprise that many local governments decide to pay.

According to the same study, just under half of respondents believe protecting cities from ransomware is the federal government’s job, ahead of state and local decision makers. And 90% are in favor of increasing federal funding to improve cybersecurity in cities.

A recent study by The Harris Poll reached similar findings: Americans won’t vote for candidates who approve ransomware payments. Asked to elaborate, 86% reasoned that, when organizations make ransomware payments, they encourage cyber criminals to strike again, a stance shared by cybersecurity experts.

Wikipedia and World of Warcraft Classic targeted by DDoS attacks

Imagine a world without Wikipedia. Do you even remember what it was like when you had to rely on your memory to recall the order of the James Bond films, guess how old Tina Turner is, or say with any certainty which country shares the longest land border with France?

Now many of us don’t feel it’s so essential to amass general knowledge, as Wikipedia is always at our fingertips to tell us what year Queen released Bohemian Rhapsody.

So you can imagine the pain that was caused to pub quiz cheats and students writing essays this weekend when crowd-sourced internet encyclopedia Wikipedia, one of the world’s most popular websites, was hit by a distributed denial-of-service attack.

According to the Wikimedia Foundation, the nonprofit organization behind Wikipedia, the site was hit with a malicious attack that made it inaccessible from several countries for intermittent periods.

Many of the reports of users unable to access Wikipedia came from Europe.

The Wikimedia Foundation condemned the attack, saying it threatened “everyone’s fundamental rights to freely access and share information.”

And Wikipedia wasn’t the only high-profile victim of a DDoS attack this weekend.

Players of World of Warcraft Classic found they had difficulties connecting to the game’s servers after they too were impacted by a DDoS attack.

Blizzard, the maker of World of Warcraft, confirmed on Twitter that its systems had been impacted by a series of DDoS attacks.

Interestingly, a Twitter account calling itself “UkDrillas” claimed responsibility for both the attack against Wikipedia and the one against World of Warcraft Classic through a series of tweets.

One individual alleged to be a member of UkDrillas, based in the UK, was doxxed by angry gamers who clearly didn’t appreciate having their World of Warcraft fix taken away from them.

With such high-profile targets it’s hard to imagine that law enforcement agencies are not already investigating. If so, grumpy gamers will be the least of UkDrillas’ worries.

World of Warcraft is no stranger to being the target of DDoS attacks from rival gamers. Last year, a 38-year-old Romanian man was sentenced to one year in a US federal prison and ordered to pay $29,987 in restitution to Blizzard Entertainment after launching a denial-of-service attack against World of Warcraft’s European servers.

The UkDrillas account, which bragged about the most recent attacks on Wikipedia and World of Warcraft, has since been suspended by Twitter.

Ransomware gang demands $5.3 million from New Bedford; city restores from backup instead

A ransomware gang looking to get rich overnight went to the city of New Bedford with a demand of $5.3 million after infecting the municipality’s systems. The criminals refused a counter-offer that would make many hackers drool, and ended up with nothing instead.

One July night, according to New Bedford Mayor Jon Mitchell, the attackers infected the city’s IT network with Ryuk, a prominent strain of ransomware. Some 158 workstations had been encrypted by the time IT administrators discovered the attack on the morning of July 5, Mitchell said at a press conference yesterday. They quickly disconnected the infected systems from the network, reducing the damage considerably. According to the mayor, the infected workstations represented only four percent of the city government’s infrastructure.

The hackers demanded the exorbitant sum of $5.3 million for the decryption keys, but city officials decided not to cave in. Instead, they made a counter-offer of $400,000, which the city’s insurer would have covered, likely at the insurer’s recommendation, as recovering from a ransomware attack the hard way typically ends up costing the same or more. However, the gang refused, and communication between city officials and the ransomware operators broke off.

“In light of these considerations, I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities,” Mayor Mitchell said. “The attacker declined to make a counter-offer, rejecting the city’s position outright.”

IT administrators then proceeded to recover the lost data from backups. It isn’t immediately clear whether the city had backed up all the data encrypted by Ryuk.

Ransomware operators are increasingly targeting government systems and critical infrastructure in the United States, as victims often comply with the attackers’ demands. In June, two cities in Florida paid a cumulative $1 million in ransom to the criminals who crippled their systems with ransomware. In its guidance on dealing with ransomware, the Federal Bureau of Investigation advises victims not to pay. However, industry experts are sometimes on the fence, for instance when a medical center’s patient data is held to ransom and actual lives are at stake.

CEO voice deepfake blamed for scam that stole $243,000

So-called artificial intelligence apps like Zao have been stirring up controversy over their potential to be abused to defeat facial recognition systems.

The Chinese deepfake video app proved itself to be widely popular as users had fun transplanting their digital faces onto footage from movies and popular TV shows such as “Game of Thrones.”

But deepfake video isn’t the only area raising concerns. The ability to make convincing deepfake audio, mimicking the voice of real people, is also ringing alarm bells due to its potential for abuse by criminals and scammers.

A report in The Wall Street Journal brings that fear into the spotlight with a claim that an energy firm was defrauded of $243,000.

According to the report, the chief executive of the unnamed UK-based firm believed he was talking to his boss at the company’s German parent company, when he was ordered to immediately move €220,000 (approximately US $243,000) into what he thought was the bank account of a Hungarian supplier.

Rüdiger Kirsch, a fraud expert at the firm’s insurer, told the WSJ that the executive was told the payment was urgent and should be made within the hour, and that the request was made more believable because the UK-based CEO recognized his boss’s “slight German accent” and the “melody” of his voice on the phone.

The funds were duly transferred to an account under the criminals’ control in Hungary, then on to an account in Mexico, before ultimately being moved elsewhere.

When the scammers tried the trick again to request a further payment, the UK company became suspicious, noticing that the calls were originating from Austria rather than Germany.

Quite what makes Kirsch believe that deepfake technology was being used, rather than just someone who is really good at doing an impression of a particular German chief executive, is not made clear.

Although some media reports have suggested that this is the first known instance of deepfake audio being used in a scam, that may not be accurate.

A couple of months ago a representative of security firm Symantec told BBC News that they knew of three cases where “seemingly deepfaked audio” of different chief executives had been used to trick staff to transfer money into bank accounts under the control of scammers.

Unfortunately, when I quizzed Symantec at the time for further information, they were unable to confirm who the victims had been, how they came to believe the CEO’s conversation had been mimicked through deepfake technology, or even what country the affected companies were based in.

What’s clear, regardless of the method used to dupe staff into believing they are speaking to someone they’re not, is the need for systems and procedures that confirm large transfers of money or sensitive data are properly authorised.

A simple phone call clearly can no longer be considered enough.

Hackers breach IT vendor shared by 400 medical practices infecting every office with ransomware

Around 400 dental offices across the United States have fallen victim to ransomware after the operators breached an IT vendor shared by all the practices.

A notice sent out by the Wisconsin Dental Association reveals that hackers breached the backend software shared by hundreds of dental practices around the country and crippled their computers, incapacitating the offices.

“PerCSoft, the IT vendor for DDS Safe, took immediate action to contain the threat; however, roughly 400 practices around the country lost access to electronic files as a result of the virus,” the notice reads.

According to sources familiar with the matter, the IT vendor resorted to paying the attackers’ ransom to obtain the decryptor and help the victims of the attack recover. The process is slow but ongoing, according to the WDA Insurance & Services Corp., which endorsed the product.

The ransomware strain used in the attack is REvil, also known as Sodinokibi or Sodin, a continually evolving piece of malware that has taken a considerable share of the ransomware scene in recent months.

As Catalin Cimpanu observes in his coverage of the incident for ZDNet, the compromised backend software is ironically advertised as a solution against ransomware. At the time of this writing, the marketing materials touting DDS Safe’s anti-ransomware abilities are still up on the vendor’s website.

It is believed the same group behind this attack is responsible for similar attacks targeting MSPs in June of this year and again in August, days before the attack on the dental practices. While the group likely exploited different weaknesses in each victim’s supply chain, the modus operandi is identical: compromise the shared provider once, and every customer downstream is hit.
