On paper, ransomware doesn’t sound nearly as scary and devastating as the reality tends to play out. Imagine if one day your company was locked out of all its data: its financial records, its client information, your billing system, and the like, all held for ransom. In many cases the ransom, while steep, is a pittance compared to the cost of your business losing its data and the productivity losses that go with it. The thing is, more than half the time the ransom is paid, the data remains locked. After they’ve anonymously taken your money, the attackers have little motivation to take the extra steps to unlock your data, if they even bothered to retain the encryption key in the first place. Office 365 now has two tools that allow organizations to safeguard their data against ransomware and restore your files even if you are compromised by a ransomware attack.

File Restore

This tool has been part of OneDrive for a while now, but Microsoft recently made it available on all Office 365 licenses, including Home and Personal. File Restore allows OneDrive users to roll back their entire OneDrive to any point in the previous 30 days. So if your files are ransomed, the hard drive they’re on gets destroyed or corrupted, or your hapless coworker accidentally deletes all of them, you can get back up and running in moments.

Ransomware Detection and Recovery

Office 365 now detects ransomware on the device it’s installed on and lets you know it's happening. Whether it's your phone, tablet or PC, Office 365 will alert you and send you an email with instructions on how to respond to the attack. In this notification you're given a link to the aforementioned File Restore feature. This link also includes the date and time of the attack, so you can quickly see what happened and restore your device to the state it was in before it was infected.
The choice for file storage is clear

We've been telling businesses to stop using file servers for a while now, but now that all versions of Office 365 include these features with OneDrive, it is the right choice for everyone, including home users. If you have data that you value, whether it's your company's financial records or family photos, don't leave it to hard drives to keep it. Put it in the cloud and make it indestructible.

https://youtu.be/BzfuYVB8DpY
Microsoft Office 365

Microsoft has rolled out a series of new tools to protect its Office 365 Home and 365 Personal customers from a variety of cyberthreats, including ransomware. Kirk Koenigsbauer, Microsoft's corporate vice president for Office, said subscribers to these two Office productivity suites will receive additional measures to protect against ransomware and email-based threats, stronger password protection, and advanced link checking in Office products.

The first new ransomware defense brings the Files Restore feature over from OneDrive for Business to consumer-level OneDrive accounts. Files Restore allows you to restore an entire OneDrive account to a previous point in time within the last 30 days. This would allow a person to rebuild or replace any files encrypted by a ransomware attack, Koenigsbauer wrote in a blog post.

Microsoft's next step is adding the ability to detect a ransomware attack in progress in Office 365 and then lead the victim through the recovery process. “If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you'll find the date and time of attack preselected in Files Restore,” he said.

For 365 users who share important information via email or through links, Microsoft will enable password protection for these actions. If the subscriber so chooses, he or she can set a password that has to be entered to access a shared file. Microsoft believes this will protect a document if it is accidentally shared with an unauthorized person. Also on the email front, Outlook.com will now offer end-to-end email encryption, and an Outlook user can now prevent an email, and any attached documents, from being forwarded beyond its intended recipient.

The final security upgrade brings the company's advanced link checking technology from Outlook.com to Word, Excel, and PowerPoint. Microsoft Word has recently become a popular conduit for cyberattackers, who use the documents and their various vulnerabilities to launch fileless attacks. “Starting later this year, links you click in Word, Excel, and PowerPoint will also be checked in real-time to determine if the destination website is likely to download malware onto your computer or if it's related to a phishing scam. If the link is suspicious, you will be redirected to a warning screen recommending you don't access the site,” Koenigsbauer said. Microsoft added this advanced protection to Outlook last fall.
https://www.youtube.com/watch?v=UfBGtfcHXQ8

You won’t hear a lot of cyber security companies like ours talking about it, and you wouldn’t guess it from the news, but ransomware attacks are actually on the decline. In the first couple of years of ransomware’s popularity it was everywhere and growing fast. Few were prepared for it, so attacks could be carried out on a massive scale and be effective. 2017 saw a 70% decline in its use. So does this mean ransomware is going the way of the floppy disk drive? Unfortunately, ransomware attacks are still the modern-day shakedown that organizations of all sizes face. That’s because while the quantity of the attacks has declined sharply, the quality has become downright scary. Attacks have gone from random, widely cast nets preying only on the companies and individuals that would fall for their social engineering to laser-focused, targeted attacks that only require one employee to make a single mistake over the course of weeks or even months of relentless and varied attempts.

How did a big city like Atlanta get breached?

Facts around precisely how Atlanta was breached, and whether they have yet paid the $51,000 ransom to regain their data, are unclear. However, we serve a variety of government clients and we constantly see attacks that, if successful, could bring damage similar to the Atlanta attack. These are attacks that cybersecurity experts look at and wonder if even they would fall for them, much less the least technology-savvy employee in a government office. The fact is, compared to most organizations, government agencies have more data and fewer resources to protect it with. Having worked with governments of various sizes around the world, we get what the obstacles are, and while it can sometimes be frustrating as a taxpayer, those obstacles are totally valid. Perpetrators of ransomware attacks are increasingly large organized crime syndicates instead of random individuals.
If they want to get a password to a critical system out of your most gullible employee, they are going to. What you must do as a city leader is ensure that even with a password, the criminals can’t do much damage.

What can I do?

Multi-factor authentication, which I wrote about last week, is one of the best ways to make sure only authorized users can get in, but there are also systemic protections like Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) from Microsoft. These tools block harmful messages from being received in the first place, identify information leaving your business, and alert you when something sensitive is sent or prevent it from being sent. Also, be sure that your email domain has an SPF record set up for it. In general, it’s important to know that an ounce of prevention is way better than a pound of cure when it comes to ransomware. There are plenty of tools to help keep your organization safe; you just need a partner or employee with experience using them to find a balance between absolute protection and keeping systems usable for users without being too onerous. PSA: don’t pay the ransom if you can help it. It only makes the problem worse for everyone, and more than half the time you don’t get your data back after paying a ransom anyway. Did you know that breaches like the one that happened in Atlanta last for a mean duration of 140 days? What could someone learn about your company if they had access to your email for 140 days?
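The SPF advice above deserves a check, since an SPF record that exists but is misconfigured gives no protection. The following Python linter is an added example, not code from the original post or from Microsoft: it runs offline over constructed sample records (the lint_spf function, the SpfReport type and the sample domains are all mine) and flags the weaknesses a defender should catch in a domain's SPF TXT record, namely a missing version tag, a permissive or missing catch-all, the deprecated ptr mechanism, and exceeding the RFC 7208 limit of ten DNS-lookup terms.

```python
"""Lint an SPF TXT record for common defensive mistakes.

Added example (not the blog post's own code). It evaluates a record string
you already fetched from DNS; the sample records at the bottom are
constructed for illustration and belong to no real domain.
"""
import re
from dataclasses import dataclass, field

# RFC 7208 section 4.6.4: these terms each cost a DNS lookup during
# evaluation, and a record needing more than 10 yields "permerror".
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfReport:
    ok: bool
    lookups: int = 0
    catch_all: str = ""          # qualifier on the final "all": "-", "~", "?" or "+"
    findings: list = field(default_factory=list)


def lint_spf(record: str) -> SpfReport:
    """Return a report on one SPF record string (the TXT record's text)."""
    report = SpfReport(ok=True)
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        report.findings.append("missing or invalid 'v=spf1' version tag")
        report.ok = False
        return report

    for term in terms[1:]:
        # Each mechanism may carry a qualifier prefix; "+" is the default.
        qualifier, body = "+", term
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # Mechanism/modifier name ends at ':' (argument), '=' (modifier) or '/' (CIDR).
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()

        if name in LOOKUP_TERMS:
            report.lookups += 1
        if name == "ptr":
            report.findings.append("'ptr' mechanism is slow and discouraged by RFC 7208")
        if name == "all":
            report.catch_all = qualifier
            if qualifier == "+":
                report.findings.append("'+all' authorises every sender; the record protects nothing")
                report.ok = False
            elif qualifier == "?":
                report.findings.append("'?all' is neutral; receivers will not reject spoofed mail")
                report.ok = False

    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if not report.catch_all and not has_redirect:
        report.findings.append("no terminating 'all' mechanism; unmatched senders get a neutral result")
        report.ok = False
    if report.lookups > MAX_LOOKUPS:
        report.findings.append(
            f"{report.lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
        report.ok = False
    return report


# Constructed sample records (not any real domain's DNS data).
SAMPLES = {
    "hardened": "v=spf1 mx include:_spf.example-mail.invalid ip4:203.0.113.0/24 -all",
    "permissive": "v=spf1 a mx +all",
    "open_ended": "v=spf1 ip4:203.0.113.10",
    "too_many": "v=spf1 " + " ".join(f"include:svc{i}.invalid" for i in range(11)) + " -all",
}


def lint_all(samples=SAMPLES):
    """Lint every sample and return {name: SpfReport}."""
    return {name: lint_spf(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, rep in lint_all().items():
        print(f"{name}: ok={rep.ok} lookups={rep.lookups} all={rep.catch_all!r}")
        for finding in rep.findings:
            print("   -", finding)
```

To check a live domain, fetch its TXT records with your resolver of choice and pass the string beginning with v=spf1 to lint_spf.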
ATLANTA — Atlanta police officers initially had to write reports by hand. Residents still can’t pay water bills online. Municipal court dates are being reset. All are fallout from a ransomware attack last week that hobbled the city’s invisible infrastructure. Another ransomware attack hit Baltimore’s 911 dispatch system over the weekend, prompting a roughly 17-hour shutdown of automated emergency dispatching. The Colorado Department of Transportation suffered two attacks just over a month ago. And the North Carolina county that’s home to Charlotte totally rebuilt its system after a December attack. For cash-strapped local governments, paying for robust protection against the invisible menace of a cyberattack can be a hard sell. But cyberattacks continue to proliferate, and experts say preparation and strong defensive measures are necessary to avoid the crippling effects. “As elected officials, it’s often quite easy for us to focus on the things that people see because, at the end of the day, our residents are our customers,” Atlanta Mayor Keisha Lance Bottoms said at a news conference Monday. “But we have to really make sure that we continue to focus on the things that people can’t see, and digital infrastructure is very important.” Although it’s vital to make sure systems are up to date and have the latest patches, malware evolves so quickly that experts also stress the importance of comprehensive backups and a quick response when an attack does happen. “I don’t think any security is flawless,” said Craig McCullough, a vice president at security firm Commvault. “I always approach it from the standpoint of it’s not a matter of if but when, and when it happens, are you prepared? Are you going to be able to get your data back?” Governments, public agencies and companies need to know what data they have and make sure it’s backed up. Software and hardware can be replaced, but data is much more difficult, McCullough said. 
A quick response can help minimize the damage, said Dmitri Alperovitch, chief technology officer of security firm Crowdstrike. If a threat is detected immediately after it enters the network — for example, when someone clicks on a link in a phishing email or through a vulnerable server — it might be possible to stop it before it spreads beyond the initially infected computer, he said. Atlanta officials won’t say whether they’ll pay the $51,000 ransom, though Bottoms has said all options are on the table. Mike Cote, president of Secureworks, a security firm hired by Atlanta, has said they know who’s behind the attack but aren’t releasing that information. Cybersecurity experts say the attack is consistent with the SamSam group, which is known as a sophisticated attacker and negotiator, said Jake Williams, founder of security firm Rendition Infosec. Unlike other ransomware that might raise alarms upon infection, SamSam compromises machines without immediately locking up their files. That access is then used to spread through the network “before they press the encrypt button,” Williams said. “They put you into an extreme pain point position where paying is actually an attractive option,” Williams said. He said he regularly tells clients they must make a business decision on whether to pay. He acknowledges that can be more difficult for governments, whose rules might block them from spending public funds on extortion. Although Atlanta’s critical physical infrastructure — including the city’s airport, emergency response systems and water safety and treatment — was not directly affected, other departments are operating manually and some services have been suspended. Nuisances at first, issues caused by the outages could have compounded effects if they persist. The mayor has been cautious, declining to give a timeline for when things might be up and running again after the cyberattack announced March 22.
She has repeatedly said the investigation and recovery is “a marathon, not a sprint,” and her focus is on making sure the city’s network is safe moving forward. But the road could be long. The Colorado Department of Transportation was hit by a SamSam attack on Feb. 21 and again on March 1, and it was back to 80 percent functionality by Thursday, said Deborah Blyth, the state’s chief information security officer. Luckily, they had strong backups, so they didn’t even think about paying the ransom, she said. In the weeks since the attack, they’ve implemented two-factor authentication for remote access and accelerated the implementation of other security measures that were already planned. In Mecklenburg County, N.C., where Charlotte is located, it took a little more than 60 days for things to return to normal after a ransomware attack that began with a phishing email in December. County officials didn’t pay the ransom after consulting with federal authorities and realizing their data was backed up, so they didn’t need to pay to get it back, County Manager Dena Diorio said. But the process was still tedious, as they had to essentially rebuild the system. The county has taken steps to prevent another attack, including making its email system more secure and limiting employees’ internet access. And they have more expensive plans — segmenting their data and moving to a cloud-based system — that will take about two years to implement, Diorio said. Remembering the scary early days, Diorio had advice for her counterparts in Atlanta: “All I can say is: Don’t panic and stay focused.”
Microsoft's 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft's global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month, together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft. It is worth noting that Microsoft applies machine learning (ML) to this data to tune its own security software. Since the efficiency of ML-based endpoint protection relies on both the algorithms employed and the size of the data pool from which it learns, the implication is that Windows Defender has the potential to become an increasingly effective protection tool.

Gamarue

Gamarue was one of the largest botnets in the world. From 2011 it evolved through five active versions and was involved in distributing Petya and Cerber ransomware, Kasidet (aka the Neutrino bot), the Lethic spam bot, and data-stealing malware such as Ursnif, Carberp and Fareit. In partnership with ESET, Microsoft had been researching the Gamarue infrastructure and 44,000 associated malware samples since December 2015. Details on 1,214 C&C domains and IPs, 464 distinct botnets and more than 80 malware families were collected and handed to law enforcement agencies around the world. On November 29, 2017, Gamarue's C&C servers were disconnected and replaced with a sinkhole. Since the disruption, the sinkhole has collected the IP addresses of 23 million infected devices. Microsoft has watched the number of Gamarue-infected devices decline month by month, from around 17 million in December 2017 to 14 million in January 2018, and fewer than 12 million in February.
Johnnie Konstantas, senior director with the Microsoft Cybersecurity Enterprise Group, told SecurityWeek, "The team reached out to ISPs, law enforcement agencies and identified companies, and told them about the infected IPs. Those organizations could identify the individual infected devices and organize the mitigations -- which is what reduces the number of infected devices still connecting to the sink-hole." Microsoft does not use the botnet to directly warn the infected users, but ESET comments, "at least no new harm can be done to those compromised PCs."

Hacker routes

Over the last few years -- not least because of the introduction of machine learning techniques -- security protections have improved, and direct hacking has become more difficult and time-consuming. While still employed by well-resourced actors -- such as nation-state affiliated groups -- hackers in general have diverted their attention to the 'low-hanging fruit'. The SIR describes three of these routes: social engineering, poorly secured cloud apps, and the abuse of legitimate software platform features.

Social engineering attacks are largely synonymous with phishing attacks. The SIR notes "a significant volume of phishing-based email messages at the very end of the year 2017. Phishing was the #1 threat vector (> 50%) for Office 365-based email threats in the second half of calendar year 2017." There are various tools available to help detect phishing, but some academics doubt that even machine learning techniques will be able to solve the problem. Microsoft stresses the value of user awareness training. While users are often called 'the weakest link', they are also the first line of defense. Every well-trained user is effectively an individual human firewall.

The second of the low-hanging fruits is poorly secured cloud apps. "We studied about 30 of them," said Konstantas, "looking at the security measures they employed. First you want header security, to prevent attacks like cookie poisoning or cross-site scripting that take over the session. Then you also want encryption of data in motion between the end device and the cloud, and finally encryption of data at rest." Microsoft found that about 79% of storage apps and 86% of collaboration apps did not have all three measures. "They may have had one or two of the three," she continued, "but not all three. This is a big deal, because you're talking about potentially valuable corporate data accessible to adversaries, and also the possibility of malware infection coming back to the device." The problem is intensified by shadow IT -- companies may not even be aware that staff are using these insecure apps. "Mitigation here," she said, "is focused on cloud access security brokers (CASBs) that can apply all three security measures to traffic going to the cloud, can monitor what is going on in the cloud, and can identify what unsanctioned cloud apps are being used by staff."

The third of the low-hanging fruits is the abuse of legitimate services. The SIR gives just one example: the exploitation of DDE in October and November 2017. In one quoted example, an attached Word document was able, through DDE, to download and run malicious payloads such as the Locky ransomware. Surprisingly, however, there is no mention of the abuse of PowerShell. PowerShell, activated from within weaponized Office attachments, is increasingly used by hackers to deliver 'fileless' attacks. McAfee's Q4 2017 Threat Report -- also published this week -- reports, "In 2017, McAfee Labs saw PowerShell malware grow by 267% in Q4, and by 432% year over year, as the threat category increasingly became a go-to toolbox for cybercriminals. The scripting language was irresistible, as attackers sought to use it within Microsoft Office files to execute the first stage of attacks." Operation Gold Dragon, in December 2017, is an example of the use of PowerShell by hackers.
Ransomware

Ransomware is, not surprisingly, the third major topic discussed in SIR 23. Last year will always be remembered as the year of three particular global ransomware outbreaks: WannaCry, NotPetya and Bad Rabbit. The first two of these rapidly became global in extent using an exploit known as EternalBlue, an NSA 'weapon' stolen and publicly released by the Shadow Brokers. One of the disturbing aspects of these outbreaks is that Microsoft had already patched the vulnerability used by EternalBlue to spread from machine to machine. Konstantas confirmed to SecurityWeek that the first Microsoft knew about the EternalBlue exploit used in WannaCry was when it was released by Shadow Brokers; that is, Microsoft was not informed by the NSA that this exploit had been stolen by Shadow Brokers prior to it entering the public domain. This demonstrates both the speed with which Microsoft handles serious vulnerabilities, and the slowness with which large numbers of users take advantage of available patches. Azure customers were automatically protected, confirmed Konstantas.

According to the SIR, the three most commonly encountered ransomware families in 2017 were Android LockScreen, WannaCry and Cerber. LockScreen is interesting since it is Android malware that crosses to Windows devices when users sync their phones or download Android apps via Windows, usually sideloading from outside of the Google Play store. The report has five primary recommendations to counter the threat of ransomware: back up data; employ multi-layered security defenses; upgrade to the latest software and enforce judicious patching; isolate or retire computers that cannot be patched; and manage and control privileged credentials. A new survey from Thycotic demonstrates just how poor many organizations are at managing privileged accounts. There is no mention of a sixth potential recommendation -- if infected with ransomware, immediately visit the NoMoreRansom project website. This project aggregates known ransomware decryptors, and it is possible that victims might be able to recover encrypted files without recourse to the risky option of paying the ransom. For now, Microsoft does not appear to be a partner in this project.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Petya probably won’t getya, but pay attention, things are getting serious. The ransomware attack this week referred to as “Petya” (which security experts call NotPetya) is a worldwide event causing real damage. Like WannaCry last month, NotPetya tore across the globe locking major companies out of their data. However, this time there was no realistic way to pay the ransom to unlock the data, indicating that this event was a deliberate attack meant to do damage instead of a petty criminal enterprise. We won’t get into the geopolitical intrigue surrounding the motivations for the attack, and the perpetrators are still unknown, but in short NotPetya appears to have been a concerted effort to attack Ukraine. However, unlike WannaCry, NotPetya wasn’t designed to spread outside of the networks it infected. Instead it was delivered using Ukrainian government-mandated tax software. Companies using this software aren’t limited to Ukraine, and include many corporations large and small that do business in Ukraine. Things are so bad that even the criminal group Janus Cybercrime Solutions, the original creators of the Petya on which NotPetya is based, has resurfaced offering to help the some 2,000 affected companies that have lost their vital company data. Even the criminals who helped develop these cyber weapons are now waking up to the fact that they have opened Pandora’s box and have equipped (even worse) bad actors with dangerous tools. This should be a wake-up call to companies that don’t have around-the-clock monitoring of their IT systems. No matter how well an IT system is set up, no matter how vigorously you vet software (this was spread using government-mandated tax software, after all), attacks like NotPetya will always require close monitoring and quick action to be defended against.

There's help to be had

This is one of the reasons our Managed IT Security service is so popular right now. It gives companies access to our 24/7/365 network operations center, a suite of antivirus software, around-the-clock support, and knowledgeable, certified system architects for a fraction of the price it’d cost to do in-house. Unless you are a large company that can afford these measures internally, you need to partner with a company that can provide this assistance. Keeping everything up to date and running anti-virus software is no longer enough. Hopefully we and other experts are wrong, but it’s believed that NotPetya and WannaCry are just a testing of the waters. The potential uses for this kind of attack are very troubling. Much more havoc is surely on the way. Please do your part and protect and monitor your systems closely. Like Techy the Cyberbear says, “only you can prevent cybercrime.”
Protected Trust’s Exchange, Managed Security and I.T. clients were not affected by this incident, and are protected from future attacks like this.

If you tune into the news at all, you’ve likely seen a lot about the WannaCry ransomware over the past week. This not-at-all-surprising malware attack began sweeping the globe late last week, and estimates indicated that over 50,000 computers in more than 150 countries were infected by the end of the day on Friday. While some heroics from a 22-year-old security researcher slowed the virus down over the weekend, it’s by no means finished doing damage. As of Monday morning, more than 200,000 systems around the world are believed to have been infected. This is an unprecedented attack, but it goes to show just how big the potential for future danger from ransomware attacks is. This attack exploited an already-known vulnerability in the Windows operating system that Microsoft fixed in an update over a month ago. While this attack was at a larger scale than previous ones, it demonstrated just how easily and effectively these criminal activities can be executed at a much larger scale, and how important keeping your software and hardware up to date is.

One thing is constant throughout the history of the personal computer: there are always going to be software vulnerabilities that are eventually fixed. However, between the time the vulnerability is discovered, the time software makers fix the issue, and the time users actually install the update (and not just hit “skip” or “ignore” when prompted to update), there is a window for criminals to utterly incapacitate your business. Imagine what would happen if you lost access to all of your company’s data, and what your next month would look like. This hasn’t changed and won’t change. If you are responsible for the IT at your business you must ensure two major components of your company’s cyber defense, no matter what size your business is and where it’s located.

The first is around-the-clock monitoring and updating of your company’s workstations, servers and network, with the ability to respond immediately before the problem gets worse. The second is user training. While some networks were deliberately targeted, others were infected by users infecting themselves by falling for simple email attacks. If you think your business is safe just because it wasn’t the target of this recent round of ransomware, you have a false sense of security. A recent data breach report by Verizon opened with this sobering thought: “If you haven’t suffered a data breach you’ve either been incredibly well prepared, or very, very lucky. Are you incredibly well prepared?” Just because WannaCry targeted the absolute most vulnerable PCs out there doesn’t mean that other vulnerabilities won’t be exploited. The fact of the matter is there is always an exploit, and if enough resources are put into it, a vast majority of networks can suffer the same fate as the other 200,000 computers around the world did this past week. It cost businesses $300 this time around. Nothing is stopping that number from climbing to $3,000, $30,000 or even $3 million. What’s your business’s continued ability to function worth to you? If you don’t have a team of experts monitoring and updating your systems continually, you are at risk. Even if your primary job function is IT, you can still use some help. What most people don’t know is that managed security services from a company like Protected Trust, with an always-on network operations center, can provide this security and peace of mind 24/7/365 at a fraction of the cost of a full-time employee.
With the relatively recent development of ransomware, the Department of Health and Human Services' Office has started developing guidance for how to handle ransomware attacks in circumstances in which information that may be protected under HIPAA security rules could be compromised. Currently the recommended course of action is to determine whether the information has only been encrypted or whether the files were actually copied, infiltrated or extracted in any way. More information on the development of the relationship between ransomware and HIPAA is located at http://www.healthcareinfosecurity.com/interviews/determining-if-ransomware-attack-reportable-breach-i-3208.

Ransomware is a form of malware that prevents users from accessing certain parts of their system. For healthcare, this means potentially being unable to ensure the safety of patients. There is no single solution that will always keep criminals away, but security awareness and updated software are valuable mitigation tactics. Read more about what ransomware is and how to take preventative measures at http://www.informationsecuritybuzz.com/study/survey/q1-2016-sees-93-phishing-emails-contain-ransomware/.