Follow this week’s latest cybersecurity headlines to learn which security measures you can deploy to ensure ransomware protection for your organization.

 

Rural Communities in Idaho to Outsource Cybersecurity Measures From BSU

Boise State University (BSU) has partnered with Stellar Cyber to launch a cybersecurity program through which Idaho’s rural and remote communities can obtain free Security-as-a-Service offerings. BSU recently announced that its Institute for Pervasive Cybersecurity has adopted Stellar Cyber’s Open XDR platform, which will serve as a teaching tool in its new Cyberdome skill development program. The alliance between Boise State and Stellar Cyber will also benefit state-funded agencies and school districts.

Reportedly, the program will provide free Security-as-a-Service (SaaS) to over 750 state-funded agencies in Idaho while training Cyberdome students to tackle cyber threats through real-world operational experience. The platform will include a variety of security tools the students are already familiar with, such as endpoint detection and response (EDR), network detection and response (NDR), a threat intelligence platform (TIP), and security information and event management (SIEM).

BSU saw a need for the program because of the ever-evolving cybersecurity market and its growing demand for skilled, effective cybersecurity personnel who can handle these challenges. The Cyberdome’s primary clients include rural communities, counties, and education and health districts. The City of Sun Valley, Idaho, is the first client of BSU’s Cyberdome skill development program.

 

FBI and CISA Release Joint Advisory in the Wake of Constant Cyberattacks on Ukraine

Two malware strains, WhisperGate and HermeticWiper, have been targeting Ukrainian organizations, and the FBI and CISA recently released a joint advisory explaining the attack vectors in more detail. WhisperGate first targeted Ukraine in January 2022, and HermeticWiper attacked Ukrainian systems soon after. These attack vectors do not pose a threat to US enterprises as yet, but CISA recommends that organizations adopt anti-malware, spam protection, anti-virus, and MFA solutions. The FBI and CISA warn that destructive malware strains like these can quickly spread to firms in other countries.

In addition, a new wiper called IsaacWiper recently targeted a Ukrainian government network. The attack has not been attributed to any group yet, but the attackers are suspected of using tools such as Impacket for lateral movement. Based on the attack timeline, cybersecurity experts suspect a link between IsaacWiper and HermeticWiper, although nothing substantial has confirmed this so far. While the nation endures a military war, Ukrainian organizations are battling destructive cyberattacks every day. The FBI and CISA’s joint advisory therefore includes indicators of compromise (IOCs) to help threat hunters detect these malware strains on their networks.

 

Integrity360 and Caretower Merge to Become One Cybersecurity Service

Established in 2005 and 1998 respectively, Integrity360 and Caretower are two leading cybersecurity services companies. Integrity360 recently acquired Caretower, and the combined business will operate under the name of Integrity360, the larger of the two. Although the terms of the transaction have not been disclosed, both parties are optimistic about the merger. With offices in Sofia, Bulgaria, and London, Caretower reported sales of circa £28m (about $31m) in 2021. Caretower will retain all of its employees as it joins Integrity360, and together the companies expect sales to exceed £70m (about $77m) in 2022.

Individually, both Integrity360 and Caretower have worked with some of the world’s leading cybersecurity hardware and software vendors, and both are known for their customer service ethos and deep cyber expertise. Integrity360’s Executive Chairman said in a statement that the company considers the acquisition an exciting merger and wholeheartedly welcomes Caretower’s cybersecurity team to the Integrity360 family. With cyber threats to global businesses on the rise, alliances like this are the need of the hour. Caretower also looks forward to the merger and hopes to provide better professional support to customers with the expertise it gains from Integrity360.

 

TrickBot Retires to Make Way for More Dangerous Computer Malware

The notorious financial trojan TrickBot, which began operating in 2016, is reportedly shutting down after five years of breaking into networks. Reports of its imminent retirement follow two months of near-total inactivity. TrickBot’s retirement is reportedly due to its ineffectiveness in targeted intrusions and its rising detection rate. TrickBot is run by a Russian group called Wizard Spider and emerged from an earlier banking malware called Dyre, which retired in November 2015. TrickBot’s attacks since October 2020 have been largely unsuccessful because of defensive action by US Cyber Command and by private security companies working under Microsoft’s leadership.

Cybersecurity firm Hold Security reported that TrickBot invested over $20 million in its infrastructure and growth. Experts expect the end of TrickBot to shift focus toward newer, improved malware strains such as BazarBackdoor or BazarLoader. BazarBackdoor emerged as part of TrickBot’s modular toolkit but evolved into standalone malware used by the Conti ransomware gang. Conti operators have recruited top TrickBot developers to strengthen newer strains like BazarBackdoor. The end of TrickBot therefore cannot be counted as one less evil; it may lead to more dangerous malware strains!

 

Beware of Ransomware (Extortion) Attacks

A common pattern in recent ransomware attacks is double or triple extortion. A global survey of IT decision-makers by Venafi reveals that 83% of successful ransomware attacks involve alternative extortion methods: exposing data on the dark web, using the stolen data to extort customers, or notifying customers about the data breach. Only 17% of the attacks demanded a ransom solely to release the decryption key, implying that adversaries now rely on other, more common methods of extortion. Data backups are therefore not the ultimate shield against ransomware, although they enable quick recovery of operations and limit the loss to a business.

The survey further revealed that in 18% of cases the stolen data was exposed even after victims paid the demanded ransom, and 16% of respondents who refused to pay had their data exposed anyway. In 8% of cases where companies refused to pay, adversaries extorted their customers instead, and in a frightening 35% of cases victims could not retrieve their data even after paying the ransom, a heavy loss for those without data backups!

67% of IT decision-makers believe that public reporting of ransomware attacks could slow their growth, and respondents broadly agreed that governments need to extend greater support to private organizations to ensure ransomware protection.

 

Entropy Ransomware Reuses Dridex’s Code

Code reuse has become fairly common in the malware landscape, and Entropy ransomware is an example of this strategy. In two recent attacks, on a North American media organization and a regional government entity, adversaries deployed the Dridex trojan on the victims’ systems before launching Entropy ransomware. In both attacks, adversaries used specially crafted versions of the Entropy DLL that embedded the target’s name in the ransomware code. The attacks followed a similar pattern: adversaries exploited unpatched Windows systems and abused legitimate tools to move laterally across the network. Cybersecurity experts at Sophos also found a striking resemblance between Entropy and the Dridex trojan. Entropy is a relatively new ransomware strain, whereas Dridex has been operational since 2011.

The similarities between Dridex and Entropy lie in how they are deployed, their packer code, and the subroutines used to decrypt encrypted data. They also differ in functionality, however, including how each operates and how it is used. Security experts note that, whatever the nature of the attack, adversaries can break into systems wherever gaps exist in organizational networks. Implementing MFA and patching vulnerable Windows systems is therefore the key to ensuring ransomware protection.
