Ransomware is getting scarier RYUK Ransomware is getting scarier even if you don’t know it yet.  It appears that the lull we enjoyed through the last bit of 2018 may be over.  Not only are the incidents increasing but the mechanisms and ransom demands are changing.  Yes, no matter how we looked at it we had to say ransomware is getting scarier than it has been since the beginning of 2018.

HIPAA For MSPs by David Sims Ransomware Is Getting Scarier
00:00:00 00:00:00

Lately, there has been a rash of cyber news and breach announcements. First, we start with some specific stories that relate to things we talked about recently.  Then, we will get to the meat of today’s discussion.

That’s What We Said

University of Washington Medical Center announced a data breach.  This once involved 974,000 individuals. Guess what caused it. Go ahead guess what caused this breach. Misconfiguration of a database opened a web server to the public internet.

This article explains the situation based on UW Medical information released. They interview a security expert who says that they should have IT do a checklist for security.  That is what we have said in several ways in other episodes.

Password Manager Security Leaks

Before anyone complains about password managers be sure you know the fill details not just the headline of the latest security announcement.  I really like the Last Pass quick response to the thing and the transparency about the problem.  This is exactly why I use them.  No one is perfect but they don’t worry about making any kind of spin when this stuff comes out.  They worry about addressing the problem and getting out a statement about it ASAP.

Password Managers Leave Crumbs in Memory

Ransomware Is Getting Scarier

We talked before about how the cyber attackers will adjust to any of our defenses.  It is a cyber war and that is part of the process, after all.  Everyone who thought ransomware might be easing up on the world needs to check the news.  They are still pounding away and now the targets are becoming more frequently businesses.

11 Takeaways: Targeted Ryuk Attacks Pummel Businesses

Ryuk (pronounced Ree-you-k) ransomware is upping the ante with higher ransom prices than the ones that had been around before.

By targeting businesses and demanding sky-high ransoms, it’s no surprise that Ryuk has been raking in bitcoins.

In January they apparently brought in $3.7 million in bitcoins in 52 separate transactions.  What is even worse they apparently suck at writing the decryptor program.  According to Coveware, “Ryuk decryptors only appear to work 60 percent of the time, compared to the industry average of 95 percent”.  That alone made me say out loud that ransomware was getting scarier which prompted this episode.  Even if you pay you are screwed.  How scary is that thought?

Ransomware in 2019 and beyond: Don’t get complacent

A recent report from Singapore-based Cyber Risk Management (CyRiM) project found healthcare would be one of the worst affected industries by a theoretical global ransomware attack, with losses approaching $25 billion.

In addition to the financial havoc, ransomware can cause, critical equipment can also be rendered useless, which severely impacts a facility’s ability to care for patients and in worst-case scenarios calls for reverting back to paper.

Also, as we mentioned last week, they are targeting MSPs to get to the businesses they support.  David learned about it on Reddit but word spread throughout the community.  Ransomware Attack Via MSP Locks Customers Out of Systems

Recently, threat actors, some sponsored by nation states, have begun targeting MSPs in an attempt to get to the networks of their clients. APT10, a threat group believed to be working for the Chinese Ministry of State Security’s Tianjin State Security Bureau, is one of the best-known operations targeting MSPs. For the past few years, the group has been conducting a broad cyberespionage operation called Cloud Hopper to steal data from organizations in banking, manufacturing, consumer electronics, and numerous other sectors by attacking their MSPs.

This isn’t a totally new issue.  In fact, Cybersecurity and Infrastructure Security Agency (CISA) has been making announcements about it for months.  Advanced Persistent Threat Activity Exploiting Managed Service Providers was in October but way back in April 2017 they noticed something happening and released an earlier alert (Intrusions Affecting Multiple Victims Across Multiple Sectors).  The first one was later updated to say that China was the source of the attacks.

CISA Alerts for IT Providers

These threat actors are actively exploiting trust relationships between information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers.

Awareness Briefing slide deck

The slide deck includes some good information.

You can outsource your operations, but you cannot outsource your risk.

Cyber is the top threat to national security.

Key takeaways listed about understanding the threat:

    1. This is a serious actor with resources and they require a firm resolve by the defenders.
    2. This actor sweeps up collateral targets of opportunity, in addition to their primary targets of interest.
    3. This actor lives off the land, and they may use commonplace tools found in your network environments and turn them against you.

An article in Krebs on Security posted Jan 2, 2019, reported that Data Resolution was “struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve”.  It appears that some customers were spared the attack because they shut things down.  However, several got hit with the Ryuk ransomware.

We got an email this week that really brought all of this home.  Thanks to Chris Dix for sending us the update.  Chris just filed a complaint on behalf of one of his clients against Data Resolution LLC, of California, a cloud hosting provider.   Unfortunately, one of those clients hit at Data Resolution was one of Chris’s clients in Jacksonville, FL.  Here is what he shared with us:

Attached is a complaint filed recently in my neck of the woods a Jacksonville-based company called First Coast Security Services (security guards), whose cloud-based data hosting vendor, Data Resolution, LLC, suffered a ransomware attack over the Christmas holidays.  According to the complaint, all of First Coast Security’s customer information was encrypted and Data Resolution has not yet paid the ransom or otherwise decrypted First Coast Security’s data.   First Coast Security is alleging damages in excess of $300,000.

I think the Data Resolution incident (which serves approximately 30,000 businesses worldwide) is different than the one you mentioned in Episode 191 of your podcast (affecting 80 clients), but this is just another example that reinforces all of the things that you both preach on your podcast week in and week out re: risk analysis, incident response, and the constantly changing landscape of cybersecurity threats.

Thanks for continuing to produce such a fantastic podcast!

BTW, Chris Dix is an attorney with Smith Hulsey & Busey and a HIPAA Boot Camp alum.  We thank you, Chris, for being a loyal listener and sending us such great information from time to time.

It is not the time to become complacent or rest on your laurels as they say.  Ransomware has not gone away it only took a sabbatical while Bitcoin prices made it more lucrative to do other things.  By making sure you have a plan of action and stay vigilant you will not be in the mess that many others tend to be in because they were no prepared.  Ransomware is getting scarier because people continue to pay big money.  As long as that happens, ransomware will not go away any time soon.  If you can’t be down then you better be on your toes and make sure you never get hit.