Showing posts with label Data Recovery.

The Evolution of Computer Crime: From Tinkering to Ransomware Threats

 



In the early days of computing, systems were relatively isolated, primarily reserved for academic and niche applications. Initial security incidents were more about experimentation gone wrong than intentional harm.

Today, the scenario is vastly different. Computers are everywhere—powering our homes, workplaces, and even critical infrastructure. With this increased reliance, new forms of cybercrime have emerged, driven by different motivations.

Computer crimes, which once revolved around simple scams and small tech-savvy groups, have evolved. Modern attackers are more professional and far more damaging: organised criminal ransomware collectives run as businesses, and in some cases state-sponsored groups operate alongside them.

A prime example of this evolution is ransomware. What began as simple criminal schemes has turned into a full-fledged industry, with criminals realizing that encrypting data and demanding payment is a highly lucrative enterprise.

Ransomware attacks follow a predictable pattern. First, the attacker gains a foothold, and in most current operations copies sensitive data out of the network before doing anything visible. Then they deploy an encryptor across the victim's systems, locking users out, and make their presence known through ransom notes and demands. Finally, if the ransom is paid, some attackers provide a decryption tool; others threaten to publish the stolen data instead of, or in addition to, withholding the decryptor.

However, ransomware attackers face two key challenges. The first is getting into the target network, usually through phishing, stolen credentials, or exploitation of an exposed vulnerability. WannaCry showed how far an exploit-driven campaign can go: it spread on its own by exploiting the SMBv1 flaw patched in MS17-010, so any unpatched, reachable Windows host became a victim without anyone clicking anything.

The second challenge is receiving payment without revealing the attacker's identity. Cryptocurrencies have largely solved this problem for the criminals: payments are pseudonymous and cross borders without a bank in the loop. They are not untraceable, though. Public blockchains record every transfer, and blockchain analysis has allowed investigators to follow and occasionally seize ransom funds, so operators launder proceeds through mixers and exchanges in weakly regulated jurisdictions.

Preventing ransomware isn’t solely about avoiding the initial attack; it’s also about having a recovery strategy. Regular backups and proper employee training on cybersecurity protocols are crucial. Resilient companies use backup strategies to ensure they can restore systems quickly without paying ransoms.

However, backups must be thoroughly tested and isolated from the production environment. An attacker who holds domain administrator rights will look for backup servers and repositories and encrypt or delete them before triggering the encryptor, so backups that are merely another share on the same network offer little protection; offline copies, immutable storage, and separate credentials are what make them survive. Many companies also never test a full restore, and discover during an incident that their backups are incomplete, corrupt, or far slower to restore than their recovery plan assumed.

While ransomware isn't a new concept in technical terms, its economic implications make it a growing threat. Cybercriminals can now act more ruthlessly and target industries that can afford to pay high ransoms. As these attacks become more common, companies must prepare to mitigate the damage and avoid paying ransoms altogether.

How to Recover a Hacked Gmail Account Even After a Security Breach

 

Having your Gmail account hacked can feel like a nightmare, especially when recovery details like phone numbers and email addresses have been changed by a hacker. Fortunately, recovering a compromised account is still possible, even if most security and recovery options have been altered. Google’s account recovery system is designed to assist users in situations where hackers manage to bypass protections, such as two-factor authentication (2FA). The key is to begin the process from a device and location you frequently use to access your Gmail account. This could be your home or workplace, using the same browser or device. Providing as much accurate information as possible, such as previous passwords, is critical to proving ownership of the account and speeding up the process. 

There’s also a delay system in place that can put recovery requests on hold for a few hours or even several days, depending on the level of risk involved. While frustrating, this measure is a security feature designed to protect accounts from unauthorized access. If acted upon quickly, users may still be able to recover their account using the original recovery information, such as a phone number or email address, for up to seven days after the details are changed. 

If recovery through Google’s automated system is proving difficult, users with linked YouTube accounts have sometimes found success by contacting YouTube support. Social media channels have also proven helpful in expediting the recovery process in more complex cases.  

The question remains: how do hackers bypass Gmail's security systems? One common method is session cookie theft. After you sign in and complete 2FA, the browser holds a session cookie that keeps you logged in; information-stealing malware or a malicious browser extension on your machine can copy that cookie and send it to the attacker. Replaying it from the attacker's machine makes Google's servers treat their browser as your already-authenticated session, so they can act as you, including changing recovery settings, without ever being asked for a second factor.

To protect against these types of attacks in the future, Google recommends steps like using passkeys, which are more secure than SMS-based 2FA. Passkeys are phishing-resistant because the credential is bound to the real site's origin, so a lookalike login page cannot harvest it. They do not, on their own, stop session cookie theft, since the cookie is issued after login however you authenticated; that gap is what Google's other measures address, namely frequent cookie rotation so that a stolen cookie expires quickly, and device-bound session credentials, which tie the session to a key held on the device so that the cookie alone is not enough to use the session elsewhere. Enabling these features and regularly reviewing the devices and recent activity on your account can help you avoid falling victim to similar hacking attempts in the future.
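The mechanism described above, as an added example that is not Google's code or part of the original post. It models why a stolen cookie stops working once the session is bound to a device key and rotated: the server issues a challenge on each request, and only a client that holds the device key can answer it. The production design (device-bound session credentials) uses an asymmetric key protected by the device's TPM; to stay standard-library only, this model substitutes a per-device secret and HMAC, which is an assumption made for illustration and not the real protocol.

```python
"""Model of a device-bound, rotating session credential (illustrative, not Google's scheme).

Assumptions: one in-memory session table, a per-device secret standing in for
the TPM-held asymmetric key that real device-bound session credentials use, and
HMAC-SHA256 as the proof of possession.
"""
import hashlib
import hmac
import secrets
import time

SESSIONS = {}  # session id -> {"user": str, "device_secret": bytes, "expires": float}


def login(user, device_secret, ttl=3600):
    """Issue a session cookie after (simulated) password + 2FA and bind it to the device key."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "device_secret": device_secret, "expires": time.time() + ttl}
    return sid


def server_challenge():
    """Fresh random nonce per request, so a captured proof cannot be replayed."""
    return secrets.token_bytes(16)


def client_prove(device_secret, sid, challenge):
    """The legitimate client answers the challenge with the key that never leaves the device."""
    return hmac.new(device_secret, sid.encode() + challenge, hashlib.sha256).digest()


def authorize(sid, challenge, proof):
    """Accept the request only if the cookie is live AND the proof matches the bound device key."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["expires"] < time.time():
        return False
    expected = hmac.new(sess["device_secret"], sid.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def rotate(sid):
    """Cookie rotation: the old id dies, the new short-lived id keeps the same device binding."""
    sess = SESSIONS.pop(sid)
    new_sid = secrets.token_urlsafe(32)
    sess["expires"] = time.time() + 600
    SESSIONS[new_sid] = sess
    return new_sid


def demo():
    """Walk through the legitimate user, a cookie thief, a replay, and rotation."""
    victim_key = secrets.token_bytes(32)
    sid = login("alice", victim_key)

    ch = server_challenge()
    legit = authorize(sid, ch, client_prove(victim_key, sid, ch))

    # Info-stealer exfiltrates the cookie value (sid) but cannot read the device key.
    attacker_key = secrets.token_bytes(32)
    ch2 = server_challenge()
    stolen_cookie = authorize(sid, ch2, client_prove(attacker_key, sid, ch2))

    # Attacker also captured a valid proof from the wire; it was for an old challenge.
    captured_proof = client_prove(victim_key, sid, ch)
    replay = authorize(sid, server_challenge(), captured_proof)

    # After rotation the stolen id is dead even for the real key; the new id still works.
    new_sid = rotate(sid)
    old_after_rotation = authorize(sid, ch, client_prove(victim_key, sid, ch))
    ch3 = server_challenge()
    new_sid_works = authorize(new_sid, ch3, client_prove(victim_key, new_sid, ch3))

    return {
        "legit": legit,
        "stolen_cookie": stolen_cookie,
        "replay": replay,
        "old_after_rotation": old_after_rotation,
        "new_sid_works": new_sid_works,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the model is the last three outcomes: a cookie copied off the disk is rejected because the thief cannot answer the challenge, a sniffed proof is rejected because the challenge changed, and after rotation even the legitimate key cannot revive the old identifier. Real deployments get the same properties from a TPM-held private key and a server-stored public key, which also means a malware-infected device cannot simply export the secret the way this HMAC model could.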

Ascension Ransomware Attack: Worker Error Leads to Data Breach and Recovery Efforts

 

Ascension, one of the largest health systems in the country, recently revealed that a ransomware attack on its systems was due to a worker accidentally downloading a malicious file. The health system emphasized that this was likely an honest mistake. Importantly, Ascension noted there is no evidence that data was taken from their Electronic Health Records (EHR) or other clinical systems, where full patient records are securely stored. 

However, the attackers managed to access files containing Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals. With the help of third-party cybersecurity experts, Ascension has gathered evidence indicating that the attackers extracted files from a small number of file servers used primarily for daily tasks by its associates. These servers represent seven out of approximately 25,000 servers across Ascension’s network. 

Currently, Ascension is uncertain about the specific data affected and the identities of the impacted patients. To determine this, a comprehensive review and analysis of the compromised files is underway. Ascension has started this process, but it is a substantial task that will require significant time to complete. As a precaution, Ascension is offering complimentary credit monitoring and identity theft protection services to any patient or associate who requests it. Those interested can call the dedicated call center at 1-888-498-8066. 

The cyberattack, reported on May 8, caused significant disruptions, including shutting down access to electronic health records across Ascension’s 140 hospitals and leading to delays in patient care. On a positive note, Ascension announced on Friday that EHR access has been restored across its hospitals. This restoration means that clinical workflows in their hospitals and clinics are functioning similarly to pre-attack conditions, improving efficiencies in appointment scheduling, wait times, and prescription fulfillment. However, medical records and other information collected between May 8 and the date of local EHR restoration may be temporarily inaccessible.  

Despite this progress, the investigation into the incident is ongoing, along with efforts to remediate additional systems. The cyberattack on Ascension is part of a larger trend of ransomware attacks targeting healthcare systems. In a related incident, Change Healthcare, a UnitedHealth Group subsidiary, faced a ransomware attack on February 21. UnitedHealth Group CEO Andrew Witty disclosed to a House subcommittee that the company paid $22 million in bitcoin to protect patient information during this attack.

Ascension has not made any statements about ransom payments but confirmed last month that the attack was ransomware-related, with class action lawsuits citing a Black Basta ransomware attack. As Ascension continues its recovery and investigation, it underscores the need for heightened cybersecurity measures and vigilance to protect sensitive health information from cyber threats.

Increasing Number of Ransomware Targets Opting Against Ransom Payments

 

For an extended period, ransomware groups have instilled fear in various organizations, including businesses, schools, and hospitals. However, there is a positive shift as an increasing number of victims are now rejecting ransom demands.

In the fourth quarter, the percentage of victims succumbing to ransom payments reached an all-time low, standing at a mere 29%, according to cybersecurity provider Coveware, specializing in assisting companies against ransomware attacks. 

This decline is not an isolated incident but part of a growing trend that commenced approximately three years ago when around 60% of victims yielded to ransomware demands. Coveware attributes this change to the enhanced capabilities of the industry in responding to successful ransomware incidents. Despite these attacks having the potential to encrypt entire networks and pilfer sensitive information, many companies are now able to recover using their own backups.

Moreover, there is a heightened awareness among victims that paying a ransom provides no assurance of data deletion. Instead, there is a risk that the stolen data might be traded clandestinely to other cybercriminal groups, and the ransomware gang could exploit the information to target the victim again.

Coveware notes, "The industry continues to get smarter on what can and cannot be reasonably obtained with a ransom payment. This has led to better guidance to victims and fewer payments for intangible assurances." 

However, on the downside, ransomware groups are still extracting substantial funds from those who choose to pay up. In Q4, the average ransomware payment soared to $568,705, up from $408,644 a year earlier. Simultaneously, the number of data breaches in 2023 set a new record at 3,205 publicly known compromises, as reported by the Identity Theft Resource Center.

Coveware emphasizes the need for a united front against the ransomware menace, urging the industry to establish stronger collaborations with law enforcement on a continuous basis rather than seeking assistance only during a ransomware attack. 

The company highlights that less than 10% of victims contacted by law enforcement for further assistance in the aftermath of a ransomware incident actually continue to collaborate. This lack of follow-through impedes law enforcement efforts, as proper evidence collection from victims is crucial to concluding investigations. Coveware's data reveals that the majority of ransomware victims are small to medium-sized businesses with employee headcounts below 1,000 people.

Backups can be Quicker and Less Expensive than Paying the Ransom

 

Ransomware operators want to spend as little time as possible within your systems, so their encryptors are built for speed rather than care: they often encrypt only parts of each file, run many threads at once, and ship with bugs, and the matching decryptors are no better. The result is that the encryption frequently corrupts data that no decryptor will bring back.

As a result, paying ransoms is typically a more expensive chore than simply refusing to pay and working from your own backups. That is the perspective of Richard Addiscott, a senior director analyst at Gartner.

"They encrypt at an extremely fast rate," he said on Monday at the firm's IT Infrastructure, Operations, and Cloud Strategies Conference 2023 in Sydney. "They encrypt faster than you can run a directory listing."

That speed comes at a price: the poor encryption techniques ransomware creators use mean some of the data they later try to sell back to you is already lost. Even when operators hand over everything they promised, Addiscott said, restoring from the decryptor and data dumps delivered by criminals is not simple. And many operators do not hand over everything; instead they open a new round of negotiation, demanding a further ransom for the remaining releases.

According to him, just 4% of ransomware victims manage to get all of their data back, and only 61% retrieve any data at all. Additionally, the average disruption to a victim's business is 25 days.

Addiscott proposed that organisations design and practise ransomware recovery playbooks to shorten the period. Securing funding to prepare for a speedy post-ransomware recovery requires couching the risk in business terms rather than IT terms. 

According to Addiscott, the themes most likely to release the purse strings are revenue protection, risk reduction, and cost control. He shook his head as he recalled instances in which business leaders authorised enormous, rapid ransom payments that dwarfed the investments they had earlier denied, investments that might have made the payment unnecessary.

He advised good preparation because ransomware crooks have figured out one technique to speed up stalled payment negotiations: whacking their victims with a DDoS attack, so they're battling two fires at once, and are thus willing to pay to make at least one problem go away. 

Ransomware operators also like to double-dip: they demand payment from the organisation whose data they have stolen, then mine that data to locate new targets. Addiscott mentioned an attack on a healthcare provider in which the provider's clients were themselves confronted with a demand to pay or have their medical records published.

Customers identified in stolen data may likewise be contacted and urged to pressure the breached supplier into paying, so that their own information is not disclosed. Immutable backups and an isolated recovery environment, according to Addiscott, are a good combination of defences: a copy the attacker cannot alter or delete, and a clean place to rebuild that does not share credentials or network access with the compromised estate.

However, he also stated that the people behind ransomware are brilliant, vicious, inventive, and relentless, so they will find new and even more nefarious ways to strike. 

The analyst did have one piece of good news: ransomware attacks fell by 21% in 2022 compared to 2021. He hypothesised that the decline was caused by sanctions making it more difficult for Russia-based ransomware groups to operate.