Six Reasons Your Company is Not Safe from Ransomware, No Matter How Much You’re Spending

Six Reasons Your Company is Not Safe from Ransomware, No Matter How Much You’re Spending

Cybersecurity is one of the biggest concerns for every business today. Hacking and ransomware attacks deliver high returns for a relatively low effort and the significant rise in revenue fuels increasingly more aggressive and costly attacks. That recipe means the cybercriminal community will expand and ramp up its activities to keep those cash streams flowing.    

The processes and organizational advancement of these syndicates are astounding. Few people outside the tech industry understand the capabilities of these groups that often get support from nation-states and organizations with evil objectives. While the 24/7 news may cover ransomware attacks on multi-billion-dollar pipeline companies and other high-profile organizations, there is little if any mention of small and mid-size companies. That creates a false sense of security. Many business leaders think their organizations are simply too small to fall into the crosshairs of those cybercriminals.

The reality is that every company is a target today, and it just takes one slip for ransomware to get into the system and potentially shutter the entire organization. According to research firm IDC, approximately 37% of global organizations reported being hit by at least one of the more than 130 variants of these attacks in 2021. Many of those victims likely invested significant resources in their IT system defenses. While businesses must do everything possible to prevent these attacks, a more realistic goal today is to minimize the potential harm that may occur when cybercriminals manage to find those gaps.  

Complacency is also a concern. Unlike the early days of computers, today, businesses should consider cybersecurity investments as a maintenance fee that will likely continue to grow as the threat levels rise. IT spending needs to increase each year to protect its most valuable assets, including customers, employees and data. Ensuring the security of the company’s networks and operations centers is critical, and organizations with remote and hybrid workforces may need to double down on those efforts and investments.     

Minimize the Threats

Prevention is critical. While no one has come up with a 100% foolproof defense against ransomware attacks (other than running a business without computers and internet connections), anything companies can do to boost their collective defenses helps lessen their financial and legal exposure.  

Cybersecurity strategies are business-critical. Building an effective plan and investing in awareness training, anti-ransomware and antivirus tools, and other proactive measures mitigates a company’s risk profile. And while none of those actions can guarantee a company’s complete protection from threats, they reduce liability and cyber insurance costs and lessen the executive team’s anxiety when properly implemented and managed.

Most IT professionals add layers of cybersecurity measures to protect networks, devices and other technologies, including cloud applications and proprietary software. It is virtually impossible to lock down every potential access point to prevent cybercriminals from reaching their ultimate target: data. Stealing and ransoming business and personal data drives hundreds of millions of dollars (potentially billions since many attacks go unreported) in income for nation-state-supported crime syndicates, professional hackers and basement-dwelling amateurs each year. One thing they all have in common is an innate ability to make organizations pay dearly for their mistakes.   

Business leaders need to understand that premise and why no matter how much they invest, no company is ever completely safe from ransomware attacks. Here are some of the ways cybercriminals strike paydirt:

1.       People make mistakes. According to one recent report, human error plays a role in virtually all (94%) cybersecurity breaches, including nonadherence to email protection measures, poor credential management and employee sabotage. No matter how many technologies and policies a company implements, ransomware purveyors know someone will slip up at some point.     

 

2.       Ransomware is a thriving and ruthless business. From rudimentary attacks by rogue workers to elaborate new business models like Ransomware as a Service (RaaS), this is a profitable and rapidly evolving opportunity. The reward for cybercriminals far outweighs the risks, and this community’s almost limitless creativity and cruelty should strike fear into every corporate decision-maker.

 

3.       IT resources are limited. Even before the “Great Resignation,” the number of high-tech job openings was astronomical. The ensuing pandemic and changes in work preferences are impacting many companies’ ability to fully staff their IT departments and adequately protect their systems.     

 

4.       Management support is lacking. Effective cybersecurity strategies begin and end at the top. Executives must prioritize cybersecurity, from adopting strong policies and leading by example to investing in technologies and programs to properly protect their people and systems. Employees often discard or discount initiatives that don’t appear to have solid support from managers and other executive team members.  

 

5.       Supply chain attacks are rising. Cybercriminals understand that there’s usually more than one way into a company’s networks, including access through business partners’ systems. Ransomware attacks from suppliers and contractors are a rising concern. Recent examples include Target and SolarWinds, where cybercriminals first gained access to other companies’ systems from which they spread malware using connected networks and applications. Many organizations implement standards and follow industry best practices to vet their business partners’ IT security tools and methodologies.       

 

6.       Testing is never a high enough priority. Companies can invest a significant amount of their resources on cybersecurity yet not know if it will actually work. Periodic evaluations and adjustments are critical to ensure the integrity of every organization’s defenses. Cybercriminals are constantly looking for openings to exploit, from non-working end-point protection tools and unencrypted email systems to lax credential management. Testing helps businesses identify and rectify those vulnerabilities as well as any others that happen to pop up between evaluations.       

Frame The Threats

Ransomware attacks are non-discriminatory. Cybercriminals target anything and everything, and thanks to new business models, the cost of entry for aspiring hackers is virtually non-existent today. With all of the resources they have on tap, no business or individual is safe.

The risks are rising exponentially, especially for companies that work with sensitive personal and financial data, as well as those adopting WFH (Work from Home) environments. More importantly, the decision-makers must understand that even with the latest measures, those threats will never completely disappear.

Cyber insurance coverage adds another critical layer by mitigating potential liabilities for the business. A basic protection package can also lessen the executive team’s anxiety level and assure other stakeholders that their financial interests are well protected. 

Raising the cybersecurity bar is never easy. However, any cost-effective measure that can prevent a business from being the “lowest hanging fruit” for criminals is worth pursuing. With the threat level of ransomware rising and no guarantees that companies can stop every attack, leadership teams should be open to all potential abatement options today.

Preparing an Organization for Cyber Attacks

As more and more people realize that cyberattacks don’t just happen to ‘others’ but are likely to happen to their organizations, it should be clear that simple awareness of these events is not sufficient: you have to prepare for when, not if, these events happen. We recently had the chance to sit down with Stu Panensky, Partner at FisherBroyles, LLP. Stu and his team have dealt with over 100 ransomware attacks in a counseling role and have a lot of wisdom to share about the current state of cyberattacks and what organizations can and should do to prepare for them. Incident Response Plan One of the key issues we covered in the discussion was the importance of an Incident Response Plan. This is a set of instructions or procedures to detect, respond to, and limit the consequences of a cyberattack against an organization’s information systems.   You want to have this plan put together (and written down) for three reasons:  
  1. You don’t want to have to figure out what to do and who to call while the event is happening—you need to account for the fact that it’s very hard to make rational decisions in disaster scenarios.
  2. You want to have a written document to reference in case computers are encrypted and you can’t use them to access the plan—there should be multiple copies of this printed plan with multiple people to avoid a single point of failure.
  3. You want to have gamed out scenarios, such that there’s a step-by-step checklist you can follow to help the organization respond quickly and calmly—this should include conditions in which the organization can stay ‘open’ and move to non-digital tools to carry on business, and other conditions in which such actions are not tenable.
Communication Matters Generally, in a ransomware situation, threat actors are trying to shorten the timeline. They put pressure on for a decision to be made quickly, but Stu and his team counsel victims to press for more time. This, firstly, allows for the environment to be secured, and secondly, gives time to see if there are alternatives to getting back up and running without relying on a decrypting tool from the threat actor.   The reason you will often need time to secure the environment is the complexity of given networks and interlocking programs, including on-premise servers vs. cloud servers, etc. It’s no good negotiating if the environment is still vulnerable to new attacks.   Tactics that the threat actor can use to create pressure include:  
  • sending emails to your help desk to keep it busy all day long
  • accessing a customer list and sending emails to those customers telling them, “Did you know we’ve attacked this company you do business with?”
  • threatening to make the data breach public, creating a public relations problem
Christmas Miracle Stu told us a “Christmas miracle” story, in which threat actors had attacked a school district right before Christmas vacation. Stu and his team spent a lot of time early in the process communicating with the threat actor. They explained the difficulty for a large bureaucratic organization like a school district to get ransom money at this time of year, with faculty, staff, and students getting ready to go on Christmas vacation.   Stu attributes this transparency as well as playing on the particular time of year with a once-in-a-lifetime resolution in which the threat actor gave the decryption key with the note to “make sure the kids get taught about cybersecurity.”   While Stu says that this is not an outcome most people should expect, he believes that part of how it happened was because he and his team had been highly communicative from the start, and that’s a best practice to implement. Audit Your Vendors and Contracts While many organizations understandably outsource their data security to a third party, they aren’t always clear what the conditions are regarding a cyberattack. Go over your contracts with third party IT providers and find out what is in your agreement in regards to cyberattacks and what their obligations are. You can go further than this and ask what measures they have in place to make sure they are auditing their own systems to be prepared for every sort of attack.   Be aware that you may have responsibilities as well. Stu shared with us an engagement letter that a client had with a retailer in which there was a security provision, that in the case of a cyberattack, including but not limited to ransomware, they were to be notified immediately. If you have engagements with a provision such as this, you need to add it to your incident response plan: “Contact X per their security provision.” Cyber Insurance Another way to outsource risk is to get cyber insurance; Stu says that this is the best form of security. While we agree, of course, he also noted one particularly underutilized aspect of cyber insurance: crisis communications. This is coverage that enables a client’s marketing or internal public relations team to hire a firm to guide them through media statements, social media strategies, social media monitoring, etc. to help get ahead on messaging. This is important not only for internal stakeholders like employees and investors but also for all those who are watching the event happen and may have some tie to the situation.   Stu underlined that there was not a single one of his small or mid-sized clients that did not benefit from having cyber insurance. No One Is Immune As we said at the beginning, it’s not a question of ‘if’ but ‘when’ a cyberattack will happen to an organization you are involved with. It’s not just because of the large number of threat actors out there; it’s also because every organization has something of value that some criminal can chase. Those items of value need to be safeguarded thoughtfully and intentionally now, before a crisis happens.   If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.    Click here to learn more about how we can help secure your business data! www.thecybercrimelab.com

Understanding the Business of Cybercrime

Small business owners may think of cyber criminals as freelance or small group threat actors, but plenty of those criminals work within sophisticated organizations that function like legitimate businesses. Someone who has observed these criminals at work is Mark Lance, Senior Director of Cyber Defense at GuidePoint Security. We recently had the chance to speak with Mark on The Cyber Crime Lab Podcast and want to share a few of his insights to help small business owners realize before it’s too late that everyone is at risk.

 

While Mark has been in information security for 22 years, he’s been in incident response for the last 12 and has seen many different situations. One he recently came across involved a celebrity who suffered a business email compromise.

Business Email Compromise

This type of threat is one of the more common ones that Mark and his team see. In this particular case, someone had managed to get into the celebrity’s email and had, through email chains, successfully impersonated the celebrity and had begun a bank transfer of $2.5M.

Inbox Rules

How can you compromise someone’s email box without them knowing you’re in there? One way, it turns out, is to use a feature that most email services use to help you organize your inbox: rules. The threat actor gained access to the celebrity’s account and looked for any emails that related to transactions, accounting, bank accounts, etc. They then made rules to ensure that any replies to these emails went into the trash, where they could continue to work and draft replies but the celebrity would be blind to the fact that something malicious was happening (people don’t usually check their rules or trash).

 

Because the threat actor had access to all the previous emails and interactions, they had all the context they needed to sound authentic in new exchanges and to make what seemed to be an innocuous request for more funds. In this case, it was innocuous enough that it wasn’t noticed until the celebrity and the celebrity’s manager started to get notifications of a pending money transfer, and Mark and his team were able to discover the trail and get it stopped in time.

 

Part of the success of this particular threat actor was simply tapping into cultural and technical norms; people have become used to dealing with financial requests by email, without requiring voice or video confirmation, and that norm was almost successfully exploited in this instance.

Phishing

Another form of fraud that continues to be successful, despite greater personal and professional awareness of the practice among the public, is phishing. The practice has become more sophisticated, of course. You’re no longer being asked to click on a ridiculous link that bears no resemblance to something the user might be used to. And if you are unfortunate enough to click on it, users won’t be brought to a bad counterfeit of a website they frequently see but to an exact replica, set up to capture a user name and password.

 

If people are expecting the same old phishing techniques and aren’t prepared for the increased sophistication of the approach, they may get hooked by one of these threat actors.

Who Are the Threat Actors?

While there are nation-state-sponsored threat actors, motivated by access to state secrets and weapons blueprints, and hacktivists looking to bring awareness to their causes, the majority of threat actors are simply criminals, after money or IP addresses that can be sold for money.

 

These criminals can be further divided into freelancers or small collectives and large organizations that operate just like legitimate corporations. They tend to go after certain verticals or certain-sized companies. They also appreciate the value of niching!

Criminal IT Support

At times, Mark and his team have managed to find a threat actor who has access to an environment and have taken steps to close doors of access. They’ve then watched in real-time as that closed door is attacked again and escalated through various levels of troubleshooting, just as you would expect when dealing with IT support in a legitimate business.

 

One time a threat actor realized they were caught and started putting in user names they knew would be logged, such as, “We know you are watching us” and “We’re going to get back in.” They won’t give up easily, even when they know they have been caught in the system.

Hire the Best

Criminal IT support doesn’t come from out of the blue. Often it comes from the dark web, where criminal organizations put out job requests, just like you might see on LinkedIn or Indeed, with the same types of interview patterns. At every level, these criminal organizations are operating as if they are legitimate businesses, partly because it means that potential employees don’t have to veer too far off a societal script to be drawn into a criminal scheme.

What To Do?

One of Mark’s strongest messages is that no organization should consider itself immune from attack. From a mom-and-pop-pizza shop to a Fortune 500 organization, there are targets for every type of criminal and every size of criminal organization.

 

Apart from basic user awareness training, a key best practice is implementing multi-factor authentication (MFA), which is a major hindrance to many threat actors.

 

With awareness and security practices in place, organizations can be better prepared for the many threat actors looking for open security doors they can exploit.

 

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

DataStream Cyber Insurance Named Best Rapid Pitch at the ASCII MSP Success Summit in Boston

 

DataStream Cyber Insurance Named Best Rapid Pitch at the ASCII MSP Success Summit in Boston

 

The ASCII Group is a membership-based community of independent North American MSPs, MSSPs and Solution Providers. At the 2022 ASCII MSP Success Summit in Boston; DataStream Cyber Insurance was recognized with the Best Rapid Pitch award. The winners at each Summit are selected based on the votes by the MSPs in attendance. At the end of the year, the winner of the ASCII Cup is determined by tabulating the results of all nine events.

 

The ASCII MSP Success Summits bring together nearly 1,500 IT solution providers, dozens of technology vendors, and key industry leaders in a two-day format that incorporates extensive peer networking, education, and training. With events in nine markets across North America, the series focuses on areas that help MSPs advance and move their businesses forward, through the power of community and its offerings.

 

With an emphasis on peer-to-peer knowledge sharing, the Summits are designed for qualified IT professionals and MSPs.

 

For more information on ASCII’s IT Success Summits, please visit www.asciievents.com. Follow ASCII on Twitter @asciigroup and #ASCIISUCCESS.

 

About The ASCII Group, Inc:

 

The ASCII Group is the premier community of North American MSPs, MSSPs and Solution Providers. The Group has members located throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national and international reach. Founded in 1984, ASCII provides services to members including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more. ASCII works with a vibrant ecosystem of leading and major technology vendors that complement the ASCII community and support the mission of helping MSPs to grow their businesses. For more information, please visit www.ascii.com.

 

 

Press Contact

Alysia Vetter

Vice President of Marketing

Tel: 800-394-2724

Email: [email protected]

Web:  www.ascii.com

Tracing the Digital Fingerprints of a Threat Actor

If you’ve got a robust security system in place and have a team member that has over 15 years of cybersecurity experience, you might feel like you’ve done enough to be safe. Unfortunately, for at least one business, that wasn’t enough. We recently had a chance to chat with Luke Emrich, Director of Incident Response at Tetra Defense. He investigated the above case and shared what he learned as well as some tips for how organizations can better prepare for attacks.

Tetra Defense

Tetra helps businesses deal with ransomware attacks, business email compromises, IP theft investigations, and other incidents that need response and investigation. They help businesses improve their cybersecurity posture in accordance with the latest threats (and the latest solutions). As one of Tetra’s case leads, Luke will be one of the first people that a client will speak to when an incident occurs. Together they will work through a game plan and strategy for how to investigate the event, and more importantly, how to recover and how to get the business up and running.

The Attack

It was a Saturday night when it was obvious that something was wrong at a medium-sized SAS company. The 15-year cybersecurity expert we alluded to in the introduction took copious notes from a security engineer late in the afternoon. Server shutdown alerts were coming in one after another and it became clear pretty early on that three separate attacks were happening simultaneously. So this wasn’t one burglar getting into one house, it was a simultaneous attack on three different houses in a neighborhood.

Find the Source

As Luke and Tetra started looking at the situation, they began with the high-value systems that the threat actor may have used as part of the attack. In this case, the threat actor used a tool called Cobalt Strike.

Cobalt Strike

Cobalt Strike is a tool that is often used by the US government and large businesses to emulate the tactics and techniques of a threat actor. In one exercise, one group of “hackers” will use Cobalt Strike to deploy a payload that creates a connection to a server. In the case we’re discussing, the threat actor used Cobalt Strike to deploy ransomware. This allowed the threat actor to go from controlling one computer to five, then ten, and so on exponentially.

Planning and Preparation

Because the company had plans in place for situations like this one, Luke and his team were able to move pretty quickly to try to look at the logs, which the threat actor had been clearing. But because the company had a very granular backup program as part of their planning for attacks, Luke and his team were able to find out when the system was compromised.

Not Just Malware

Luke is quick to point out that ransomware these days is not someone clicking on a bad link that downloads malware. Threat actors these days are likely to have done a lot of reconnaissance and know user names, passwords, and locations of key systems. That’s why it’s important to figure out where the threat actor got in, so you can put protection in place to prevent it from happening again, but then can also restore systems from before that entry. If there aren’t backup protocols in place, restoration won’t be a matter of hours or days, but weeks or months.

Finding the Source

Luke and his team were initially focused on the corporate domain, because that’s where the most important and sensitive data was. But there was a separate domain that had a legacy environment and protocols on it. Even though the threat actor had been clearing the security logs, after a bit of digging Luke and the team were able to see that there had been a Bloodhound detection.

Bloodhound

Bloodhound is an open source project that was released in 2016. It was originally designed for offense: it looks at your setup to determine how big the attack path problem is for your business. You can think of it as a hammer that you can use to hammer nails to help build doors of security. But hammers can also be used to break down doors, and that’s what the threat actor was doing in this case: using Bloodhound to find weaknesses and the fastest paths to gain what they desired. The use of Bloodhound in this particular case led to the realization of the team that there were local administrative credentials being used (remember the legacy environment we mentioned). Those credentials should have been changed when a new computer system was provisioned, but on the antivirus server that bridged the different domains (legacy vs current) the credentials were not changed. When they followed this path they found that not all the logs at that level had been cleared, which allowed the team to trace back to the original entry point.

Six Days Later

Luke had the initial call with the client on Saturday, but it wasn’t until the following Saturday that Tetra was able to come back with answers as to how the threat actor got in, when they got in, and how the company could use their backups to get back up and running. That meant there were six days of hard teamwork (often around the clock) running down leads and trying to follow clues.

Be Prepared

While a week seems like a long time, Luke emphasizes that this was actually a short time to restoration because the company had been prepared and followed a predetermined recovery plan. Some of that preparation includes:
  • Having a robust security program
  • Developing an incident response plan which includes how to act and when
  • Incorporating vulnerability management and patching
  • Ensuring ongoing monitoring of systems (this could be a security operation center or a product that’s watching for anomalous activity in your systems and potentially implementing containment steps if an event develops)
Thanks to the work of Luke and his team, the threat actors didn’t get a dime of the $800,000 in Bitcoin they wanted, and more importantly, this vulnerability was shared with Tetra’s clients to make sure that something similar didn’t happen to them as well. If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from Datastream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.   Click here to learn more about how we can help secure your business data! www.thecybercrimelab.com

What Are An MSP’s Liabilities When Clients’ Become Cybercrime Victims?

The risks MSPs face are not always clear. While most IT business owners are aware of the consequences of losing clients, hiring bad drivers, and not locking their doors, other potential threats are not quite so clear. For example, knowing where the ultimate responsibility falls when a client becomes the victim of a ransomware attack or some other type of cybersecurity incident can get a bit fuzzy.

The factors may be complex and assigning responsibility for failures tends to get similarly complicated. Is the targeted vulnerability on the MSP side or due to client’s negligent employee? IT services providers need to know best practices for minimizing their collective risks to effectively protect their businesses, customers, and the livelihoods of everyone’s employees. Cybersecurity responsibilities must be clearly and frequently communicated to the respective parties, with periodic testing of each safety protocol to minimize the chances of a breach, ransomware attack, or other type of data-related incident.

As with any tech process or theory, a proactive management approach is essential. MSPs must continually assess their collective security environments and add new measures to reduce their company’s liability in the event something bad were to happen to their systems…or to their clients. The things that work well today may become vulnerabilities tomorrow.

The Weakest Links

Whether opening a business or walking down the street, risk is a part of life. Virtually everything and every activity brings some level of uncertainty (if not actual danger) and people spend a lot of time and effort managing the unknowns. Cybersecurity is a perfect example of that concept.

When cybercriminals compromise an organizations’ IT networks or data collection and containment systems, it’s almost inevitable that someone will start pointing fingers. Failures lead to blame. There will never be an unbreakable security perimeter as long as humans are part of the equation, and the responsibility for a lapse often falls to people far beyond those making the mistake. Many business leaders expect cybersecurity to be infallible. Even when an employee bypasses company security policies or ignores basic logic, some will blame their MSPs (or their internal tech teams when applicable) for not doing more to limit, if not completely prevent any subsequent damage. Their understanding of the scope and complexities of these attacks may not mesh with the true challenges of defending their networks, computers, and employees – especially workers who ignore rules, take shortcuts, or intentionally sabotage their systems.

Realistically, the liability for any failure should extend to all the “players.” Employees should pay closer attention and follow best practices. Company executives could invest more to strengthen cybersecurity measures and training and better enforce workplace policies. Unfortunately, everyone expects MSPs to be infallible − no matter how much their hands are tied by clients’ decisions and budget limitations – so they often take most of the blame.

Minimizing those liabilities must be a priority for every business. For MSPs, that mission is even more critical to limit their exposure to the processes and technologies actually in their control when an attack does occur. Proper safeguards and insurance coverage are an essential part of that equation.

The Known Liabilities

Cybersecurity concerns continue to grow. The problem is that there is absolutely no room for error: not from employees, business owners and managers, or the IT teams that support their technology systems. MSPs have to be more diligent than ever to reduce their own liabilities. While no IT services firm can eliminate every risk, some of the steps team members’ can take to minimize the company’s exposure include:

  • Setting and enforcing strict internal cybersecurity policies. Between breaches, ransomware, phishing and a slew of always evolving malware targeting any network opening, MSPs cannot overlook anything today. Establishing and adhering to firm guidelines for the implementation, management and support of every IT system −for clients and internally – must be a priority. Lapses in a provider’s cybersecurity practices and controls can significantly increase its liability if those issues contribute to the breach of a customer’s data.

 

  • Demanding high cyber standards from clients. There is no excuse for poor cybersecurity policy adherence today. If there was one issue that MSPs should ever consider firing a client over, this is the one, especially considering the impact a potential breach could have on both businesses. Providers must be willing to walk away from high-risk organizations to protect their reputations, financial stability, and livelihoods. MSPs that continue supporting clients with known vulnerabilities are amplifying the risks and potential monetary impact to their own bottom lines. Implementing and following through with a tough love approach, delivering cybersecurity upgrade ultimatums to poorly protected businesses, is business critical for IT firms in today’s threat environment.

 

  • Keep building. Cybersecurity is dynamic. MSPs may gain the upper hand over cybercriminals by installing the latest protection measures and adding support options – but those wins may be short-lived without a roadmap of continual upgrades. One of the prime reasons providers attend channel events today is to gain insight on new tools and strategies to combat ransomware attacks and social engineering schemes. Adding layers of protection and upgrading existing tools helps keep cybercriminals at bay. MSPs that continually fortify cybersecurity protection and end-user awareness training (a critical component in any plan) prevent their clients from becoming the “low hanging fruit” those miscreants typically target. Those measures also help limit providers’ liability should something bad occur. MSPs following and promoting industry best practices have less to worry about in this era of high cyber anxiety.

 

  • Checking all the “compliance boxes.” Failure to comply with recovery time or recovery point objectives or backup errors (including data losses) can be major legal and financial liabilities. MSPs have to be compliance experts for all of their clients and adequately support each requirement to limit their mutual liabilities in case of a ransomware attack or other data-compromising event. Rules and regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Industry Regulatory Authority (FINRA) can make clients’ heads spin. While the companies bear a major part of the responsibility for compliance, the blame for any failures is increasingly shifting to the MSP and IT communities. Providers can minimize their risks by adopting all prescribed requirements, testing systems frequently, and stressing the importance of these standards with clients, end-users and their own staff members.

 

No Easy Outs

Managing risk is part of doing business today. MSPs, like their clients, must strive to do the right thing everyday to minimize their legal and financial liabilities.

Following prescribed cybersecurity best practices and addressing regulatory and industry standards are essential steps. However, even the best laid plans can fail in today’s high threat environment, as cybercriminals look for even the smallest opening (typically a human error) to launch an attack.

Every organization needs a cybersecurity-specific insurance policy to minimize the monetary impact of business compromises. No MSP can expect to plug every potential gap or predict when a client’s employee will click that ransomware-launching link. Knowing the company has financial protection and support in these situations helps ease the burden (for everyone).

Triple Extortion Schemes Give Cyber Criminals More Power and Leverage

Triple Extortion Schemes Give Cyber Criminals More Power and Leverage

The riskiest thing many businesses do is maintain the status quo. The cybercrime community appears to take that to heart as they continue to renew and upgrade previously retired malware and launch new and more damaging versions of their malicious software. The greater the creativity, the more money they can generate from unsuspecting individuals and businesses. Unfortunately, cybercriminals are very innovative and imaginative, so MSPs and other security professionals need to work even harder to keep ahead of the latest schemes and attack methodologies.

That job gets tougher as ransomware purveyors find new ways to up their game and outfox unsuspecting and inattentive prey. The latest schemes – including triple extortion attacks − illustrate the lengths cybercriminals will go to terrorize end-users and maximize their ROI on malware development or purchases. Not satisfied with the penetration rate of traditional ransomware, they are doubling down on their successes, further victimizing end-users and businesses reeling after the initial event.

One key reason malware developers are going to that effort is they have a substantial financial stake in expanding the size and depth of the attack vectors. Much like MSPs’ desire to add incremental recurring revenue to fuel cash flow and grow their market and wallet shares, cybercriminals often rely on subscription sales of their code to ensure steady income increases. Adding new features to their “offerings” and schemes keeps demand high and malware developers profitable.

And those margins are surely high already. According to the 2022 Palo Alto Unit 42 Ransomware Threat Report, the average ransom request was approximately $300,000 in 2020, which nearly doubled to $541,000 in 2021. While the actual payments can cost less than the initial demands, malware victims are handing over a lot more cryptocurrency today. Those numbers will continue escalating with the introduction of new and more powerful attack schemes.

Cybercriminals Triple Down on the Threats

In 2019, with companies and the tech industry thwarting many ransomware strikes, negatively impacting their revenue growth, the cybercriminal community developed a solution to generate more income from each successful attack. Double extortion schemes copy all the data in the infected systems before encrypting the network and then threaten to publish or sell the information if the company (or individual) refuses to pay. That “cache” may include credit card numbers, protected health information, or proprietary information that the cybercriminals attempt to sell on the black market.

Malware developers were not content with the financial outcomes of employing those malicious methodologies and added a new twist with triple extortion. In these attacks, cybercriminals attempt to ransom the target company and its customers and other organizations in its ecosystems (and databases). MSPs are certainly not the only people looking to grow wallet share today.

Imagine the impact of a triple extortion attack on a medical practice or hospital? The amount of personal information in one of those systems could put a ransomware purveyor’s kids through law school. Those types of situations could put an attorney or accountant out of business, considering how much damage a data compromise could inflict on their clients and reputation. Even though ransom demands are typically smaller for the secondary victims (the patient or customers), the embarrassment and potential financial ramifications of having sensitive information leaked to the general public would be difficult for any company to overcome.

One of the first publicized examples of a triple extortion ruse was the 2020 Vastaamo breach. The company manages twenty-five psychotherapy centers across Finland and works directly with the country’s public health services. In addition to demanding a significant bitcoin payment from the provider, cybercriminals also sent similar requests to thousands of the organization’s patients, threatening to share their session files and recordings if the ransom wasn’t received.

Data Protection Goes Beyond Technology Solutions   

The Vastaamo triple extortion case highlights the value of data an MSPs’ clients may possess. With access to sensitive information, cybercriminals gain great power and leverage and can make a lot of demands. An MSP’s job is to protect all data, including personal and confidential files, and prevent malware purveyors from scoring the big wins. Triple extortion is most effective when cybercriminals know they have companies over a barrel and have the leverage to dictate lucrative terms for the return of that information.

With the rise of the REvil community and its ransomware-as-a-service business model, things may worsen before they get better. According to Check Point, that group is leveraging DDoS attacks in their schemes and offering to make phone calls to victims’ business partners and the media. Even if their MSP can restore their networks and systems using data backups, they can’t prevent cybercriminals who make their own copies from publicly publishing or selling that information.

The truth is that no IT services company can assure its clients of 100% protection from these types of threats. For those unforeseeable situations, businesses need the appropriate level of cyber insurance coverage. These policies aim to help affected companies regain their financial footing and pay for the restoration services needed to rebuild their operations, integrity, and momentum.

While MSPs address the technical aspects of rebuilding systems and networks, a client’s cyber insurer should have their back, helping provide the resources needed to get businesses back on their feet. From proactive insurance assessments and MSP-supportive recommendations to post-incident handholding, a reputable broker can help IT providers and their clients. Those are the types of services DataStream Insurance provides. We can determine if your clients are insurable and help get them protection from the latest attacks, like triple extortion…and whatever threats may come next.

Disgruntled Former Employees Take Revenge

How it Started

It all started on a Friday morning when employees of a major staffing agency were locked out of an app on their mobile devices that allowed them to clock in and out. This app would track the hours they worked, allowing employees to get paid. The agency would also know how many hours to bill their customers. It’s a simple and paperless solution that works very well…when the technology cooperates.

Because the company was well-established, they also had a paper backup system in place ready to go just for scenarios like this one. However, this system was neither convenient for the hundreds of individuals involved nor guaranteed to be in compliance with different state laws regarding breaks, overtime, etc.

The Vendor Refuses to Help

With their client temporarily “fixing” the issue by switching to a paper backup system, the 1Path team started analyzing what had happened in order to fix the problem. Their credentials weren’t working and their first call was to the vendor of the app. They were not helpful. 1Path owned all the licenses for this application, and the vendor essentially said (with a straight face) that they couldn’t be sure that 1Path hadn’t themselves made the changes responsible for the problems affecting their client.

What had happened was that all user profiles had been deleted and only one (newly created) administrator account remained, [email protected]. Given the situation, Armon and Patrick were flabbergasted at the vendor’s attitude. (Especially given the name of the new administrator account, which would indicate an author with bad intent.) While 1Path was trying to solve a problem for one of their own end-users; they also very much considered themselves as an end-user in relation to their vendor. 1Path was definitely not feeling the love, especially given all the business they had done with this vendor over the years.

Given this temporary dead end, 1Path continued to follow its normal policies and procedures for crisis management. They determined that no current, or former, 1Path employee had access to the environment. This allowed them to create a roadmap to help them get the client up and running again.

While 1Path started the process of getting new, properly provisioned, mobile devices shipped out to hundreds of employees all around the country, they were still working with their vendor to find a faster solution.

The vendor finally agreed that they would be willing to release some information if:

  • An email was sent from a personal email address (not a company one)
  • With a signed letter from the CFO of the company

1Path waited for three days then called to follow up. It turned out that there was something in the letter that the vendor didn’t like and they hadn’t bothered to call to tell 1path what it was. 1Path jumped through some hoops to satisfy the vendor and finally got access to their account. They then found emails in the archive from years ago, when the client was first created, and with that, the vendor was finally able to reset 1Path’s account.

The Culprits

It turns out that the entire attack was orchestrated by two former employees of the client in question. Some time prior, 1Path had exposed the fact that these employees were spying on the email of the CEO, this had led to their dismissal. They then decided to get their revenge on 1Path and cost their former employer a lot of time and money, and their former colleagues a lot of hassle.

They had probably retained access to, or had a copy of, an administrative password that hadn’t been changed and didn’t require multi-factor authentication.

Lessons Learned

The first lesson that 1Path learned was directly related to this security hole. As a result, they implemented a forced password policy (making a user change the password upon login) combined with multi-factor authentication. They didn’t just do this with the client who had suffered the attack, they rolled it out across all their clients.

The password policy change was part of a larger conversation regarding collaboration with customers. Thus explaining the desire to be true partners, which meant abiding by standards that everyone could see would lead to better security. The conversation was also framed in the context that the instigators of the attack seemed to have a collaborative relationship, but “the good guys” didn’t have any collaborative plans in place.

1Path also learned that despite having a “relationship” with their vendor, when the chips were down, that vendor couldn’t be relied upon. The vendor had long contracts written by expensive lawyers ensuring that their liability, in situations like the one above, was almost nonexistent. That has led to 1Path building systems with more backups and redundancies, to make sure that they don’t ever have to rely on a vendor again the way they did in this particular case.

As we said at the beginning of this article, no one expects an IT provider to be perfect. Customers know that at some point there will be a crisis, and it will be in that crisis that a partnership will be tested. 1Path came out of this crisis stronger. They realized where they could improve and adjusted their expectations and policies accordingly.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from Datastream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

Surviving and Learning From Kaseya Cyberattack | The Cyber Crime Lab Podcast | Episode 2

When cyberattacks happen, most of us only hear reports from the media about what the FBI might be doing or how the company that was attacked is coping with it. We don’t often get a chance to hear from those on the front lines—from the businesses who were affected or from those who helped those businesses get back up and running.

Luckily, we had just such an opportunity recently, when Jay Tipton, CEO and Owner of Technology Specialists, appeared as a guest on the Cyber Crime Lab Podcast. Jay was one of the 50 managed service providers (MSPs) who were affected and he and his team worked day and night to clean workstations and servers and get his clients back in business.

To better understand what Jay shared, we need to know the facts of the case first.

The Kaseya VSA Ransomware Attack

Even those familiar with the basics of technology might not know what Kaseya or VSA mean.

Kaseya is a software company headquartered in Dublin that offers a framework for maintaining and managing IT infrastructure. The products it offers, including one called VSA, are used by MSPs around the world.

Kaseya VSA is a remote monitoring and management (RMM), endpoint management, and network monitoring solution.

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In the case of this attack, $70M in BTC was demanded by the attackers.

This particular ransomware attack was probably initiated by a gang known as REvil, which injected code into VSA.

What it Was Like on the Ground

Jay was at a client’s, working on a laptop, and saw a couple of Microsoft products close themselves before he signed off. He thought it might be a standard program bug. But as he headed back to the office, he spoke to one of his team who told him that multiple client calls coming in to say that their computers were down.

When he got back to the office, Jay saw ransomware on one of the computers and went straight into Technology Specialists’ network operation center (NOC) and literally started pulling plugs and turning things off until he could figure out what was going on.

Over the next few hours, it became clear that all his clients had their data encrypted as part of the attack and he had to fend off angry customers who wanted to hold him accountable.

You go from blaming yourself, to thinking of blaming others, to taking full responsibility, being totally numb, and not being able to do anything,” Jay said. He worked for almost two days straight before collapsing onto one of the company couches. He and his top engineer logged almost 500 hours each in the four weeks that followed.

During this time, two things happened that Jay and his customers had no say in:

  1. Kaseya refused to pay the ransom
  2. The FBI acquired a decryption key that it refused to share with Kaseya

The purpose of this article isn’t to critique either Kaseya or the FBI for their actions (that’s already been done) but to give context to what Jay and his team had to do. In the absence of the decrypt key, Jay offered a simple clean and restore of all the workstations and servers affected. This was an active move, as it meant not waiting for a decrypt key—which would take everything “back to normal”—but instead got companies off on the best foot they could manage with whatever backups they had in place.

Since Technology Specialists was itself affected by the attack, they had to find an old server that had contact information for clients to start making appointments to get the hardware fixed.

When they got started, Jay was overwhelmed by the support from clients and team members who pitched in with help—be it time or food. He even had ex-business partners and employees come in to help.

It took six weeks after the first day of the initial attack for all of Jay’s clients to be fully functional.

Prevention?

Jay notes that despite using industry best practices for his clients including two-factor authentication (2FA) on numerous applications, a vulnerability in software was still exploited.  That’s something we have to become increasingly aware of: that despite our best efforts and security measures, it’s likely to be a question not of if but when we deal with a cyberattack that affects us or our businesses.

With that inevitability in mind, Jay and his team have been putting together services that can respond more robustly to future attacks. Jay found that at some points during the attack there was so much information coming in and so little frame of reference to make the right decision, that he simply froze. Unable to make decisions, he wasn’t able to help anyone.

This situation will be remedied in the future. Veterans of the Kaseya attack will fly out by helicopter, if necessary, to more remote clients to help them with the decision-making process that Jay had to struggle with in July and August 2021. As Jay learned, “winning” in this scenario wasn’t about waiting for the authorities to “do something” but about finding a way to communicate with his clients and get a plan of action in place. It was that “can-do” attitude that ensured that Jay kept all but one of his 50 clients, some of whom had been there from the very beginning, in 1998, when Jay started the company. His actions under pressure are a helpful guide for anyone navigating a business crisis, particularly one as traumatic as a cyberattack.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com