Hackermania runs wild, Required Reading Department: The Anatomy of a Ransomware Attack

Cue the Duke Ellington score and Jimmy Stewart for the defense: we now have a moment-by-moment look at how a ransomware attack on an organization unfolds. The example is from a Ryuk ransomware attack last October on an unnamed organization.

      • The first step was a probe of the network via the Trickbot malware
      • Hackers then explored the network to value it, identifying data they could monetize
      • In the Pivot and Profile phase they then unleashed other tools, PowerTrick and Cobalt Strike, to search for open ports and other devices
      • Having found what they wanted, the hackers deployed their Anchor backdoor and Ryuk ransomware to secure their hold on the network
      • Total time from initial malware to Ryuk ransomware encryption: about two weeks

Ryuk has been a highly successful ransomware, netting its extortioners $61m in ransom between February 2018 and October 2019 according to the FBI. The UK’s National Cyber Security Centre advisory indicates global attacks starting in late 2018.

The value in this study is substantial: the SentinelOne article is chock full of terminology and screenshots a programmer or white hat would love. It also reveals a multi-step process that, if stopped at step 1 (the Trickbot malware), means a tougher nut to crack for the hackers, and a nearly two-week window for a response. ZDNet’s article is written for us ‘civilians’. The sidebar has links to several articles, including this horror compendium from UK victims, ‘The most stressful four hours of my career’. Earlier: Hackermania runs wild…all the way to the bank!
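As an added illustration of the defender’s side of that timeline (this is example code written for this page, not SentinelOne’s or ZDNet’s; the log lines, hostnames, alert names and the mapping of detection names to stages are all constructed assumptions): a small Python correlator that orders each host’s endpoint alerts by time, maps each alert to a stage of the chain laid out above, and reports which hosts have already reached encryption and which are still inside the roughly two-week response window.

```python
"""
Stage-progression correlator for the multi-step intrusion chain described above.
Added example for this page; the alert log, host names and the keyword-to-stage
mapping are constructed for illustration and are not from the original article.
"""
from datetime import datetime

# Stage order of the chain: keyword(s) in an alert name -> stage index.
# Which detection names belong to which stage is an assumption of this example.
STAGE_KEYWORDS = [
    (("trickbot",), 1),                                   # initial malware
    (("recon", "enumeration"), 2),                         # exploring the network
    (("powertrick", "cobalt strike", "port scan"), 3),     # pivot and profile
    (("anchor", "ryuk"), 4),                               # backdoor + ransomware
]
STAGE_NAMES = {1: "initial malware", 2: "network exploration",
               3: "pivot and profile", 4: "backdoor/ransomware"}

# Constructed sample alerts: "<ISO timestamp> host=<name> alert=<free text>".
SAMPLE_ALERTS = """\
2019-10-01T08:14:00 host=WS-017 alert=Trickbot loader detected
2019-10-02T11:40:00 host=WS-017 alert=AD recon via net group enumeration
2019-10-06T22:05:00 host=WS-017 alert=Cobalt Strike beacon
2019-10-07T02:30:00 host=FS-01 alert=Port scan from WS-017
2019-10-14T03:10:00 host=FS-01 alert=Ryuk encryption activity
2019-10-12T09:00:00 host=WS-042 alert=Trickbot loader detected
"""


def parse_alert(line):
    """Split one log line into time, host and alert text (alert text may contain spaces)."""
    ts, host_kv, alert_kv = line.split(" ", 2)
    return {"time": datetime.fromisoformat(ts),
            "host": host_kv.split("=", 1)[1],
            "alert": alert_kv.split("=", 1)[1]}


def classify(alert_text):
    """Map an alert name to a chain stage, or None if it matches no stage keyword."""
    text = alert_text.lower()
    for keywords, stage in STAGE_KEYWORDS:
        if any(k in text for k in keywords):
            return stage
    return None


def correlate(log_text, now_iso):
    """Per host: highest stage reached, days since the first staged alert,
    and days it took to get from that first alert to the highest stage."""
    now = datetime.fromisoformat(now_iso)
    first_by_stage = {}                      # host -> {stage: earliest time}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        stage = classify(a["alert"])
        if stage is None:
            continue                         # unrelated alert, not part of the chain
        seen = first_by_stage.setdefault(a["host"], {})
        seen[stage] = min(seen.get(stage, a["time"]), a["time"])
    summary = {}
    for host, seen in first_by_stage.items():
        max_stage = max(seen)
        earliest = min(seen.values())
        summary[host] = {
            "max_stage": max_stage,
            "stage_name": STAGE_NAMES[max_stage],
            "stages_seen": sorted(seen),
            "days_since_first": (now - earliest).days,
            "days_to_max_stage": (seen[max_stage] - earliest).days,
        }
    return summary


def encrypted_hosts(summary):
    """Hosts where the chain has already reached the ransomware stage."""
    return sorted(h for h, s in summary.items() if s["max_stage"] == 4)


def hosts_in_response_window(summary, window_days=14):
    """Hosts not yet encrypted whose first staged alert is still inside the
    response window the article describes (about two weeks)."""
    return sorted(h for h, s in summary.items()
                  if s["max_stage"] < 4 and s["days_since_first"] <= window_days)


if __name__ == "__main__":
    result = correlate(SAMPLE_ALERTS, "2019-10-15T00:00:00")
    for host, s in sorted(result.items()):
        print(f"{host}: stage {s['max_stage']} ({s['stage_name']}), "
              f"{s['days_since_first']}d since first alert, "
              f"{s['days_to_max_stage']}d to reach that stage")
    print("already encrypted:", encrypted_hosts(result))
    print("still in response window:", hosts_in_response_window(result))
```

Run as-is it shows the point of the article in miniature: FS-01 has already reached Ryuk, while WS-017 (beaconing after five days) and WS-042 (still at the Trickbot stage) are the hosts where a response would still pre-empt encryption. In a real SOC the keyword table would be replaced by the EDR’s own detection categories, and the per-stage first-seen times are what you would feed into a dwell-time metric.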

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight-years-running international Data Breach Investigations Report (DBIR).

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches; what may surprise is that a PHI breach may come from non-healthcare (in the US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and, as a damper on this highly competitive (if hard-to-gauge) area, wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to protect it specially from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team, noted in his keynote today, attacks take on average over seven months even to be noticed. The breaches are long-term, and start small and sneaky. Two-thirds of organizations don’t find out on their own, only when the breach starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection.