
Ransomware Attack: What if this were your Billion $ mistake?

No one has ever heard of your company. Let’s call it, COMPANY X. And you like it that way. In 57 years, you’ve never once shut down your mission-critical operations that fuel the US economy. YOU are an honest, satisfied employee of Company X, and although your security team hounded you with preachy posters in every ELEVATOR to never use the same password twice (because passwords are like dirty underwear), you still did. You used the same totally UNGUESSABLE 10-character password for your work login and hotel loyalty program. Which got breached. You changed the stolen password on the hotel website, but forgot about your work login. And your company doesn’t require two-step logins, even though they bought the technology after a dashing keynote speaker SCARED the crap out of them.

In mid-February, you receive a promotion, and with it, a new login to the system. In spite of a $200 million per year IT budget, your company never decommissions your old login credentials, leaving access as wide open as the BACK DOOR into a college-town liquor store.

On April 27, DARKSIDE, (yes, even hackers have a sense of humor) a ransomware attack ring protected by EMPEROR PUTIN, buys your stolen loyalty credentials for approximately five cents and uses artificial intelligence to insert them on every login page on the Company X website, which they know you work at from your snappy LinkedIn profile. While outdated on the hotel site, your username and password still work for your vacated role at Company X.

By April 29, DarkSide has loaded ransomware onto your computer, which happens to be in the master control room of Company X. Company policy states that any sign of ransomware triggers an automatic shutdown of all operations, which suggests that Company X isn’t clear on how closely their business I.T. systems are tied to their operational or O.T. systems. PARTY FOUL.

And that’s how Colonial Pipeline, supplier of 45% of the East Coast’s fuel supply, shut down all operations for 6 days. 2.5 million barrels of fuel per day, stuck in Texas because of your single password that opened the company to ransomware attack. Ok, I realize this isn’t really your fault, but what if it was? What if you were the one who caused FLORIDIANS to queue at gasless gas stations as if KRISPY KREME and In-N-Out Burger had just merged?

Colonial chooses to defy the FBI DIRECTIVE to never pay a ransom (research says that doing so just invites the cybercriminals to come back for seconds) and pays DarkSide $4.4M in untraceable bitcoin to get their pipes back in the game. Well, not totally untraceable, as the FBI HELPS Colonial retrieve half of its bitcoin. But don’t expect them to come to your rescue, as you probably don’t supply the East Coast with half of its carbon emissions. Even after the blackmail is complete, fuel doesn’t flow for 6 more days. Which causes Billions in damage to the US economy and Millions in reputational damage to Colonial. Because of a password. From one person.

Here’s what this ransomware attack means for you:

  • Every employee matters: One weak password can bring an organization to its knees
  • Don’t let your company get cocky, because it CAN happen to you.
  • The ransomware get-out-of-jail price tag is now often in the tens of millions.
  • Security is an obsessive, continuous pursuit, so make a long-term game plan.
  • Never forget to deactivate old user accounts.
  • Require two-step logins to minimize the impact of poor passwords.
  • Have a foolproof, off-site, offline backup of your data.
  • None of this works without a healthy underlying culture of security.
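Two of the takeaways above (deactivate old user accounts, require two-step logins) can be checked mechanically against a directory export. The script below is an added example written for this page, not code from the original post or from any company named in it. It runs over a constructed sample of account records; the field names (owner, last_login, mfa_enrolled) are assumptions about what an export would carry, and the 90-day staleness threshold is an assumed policy value. It flags three conditions: accounts idle past the threshold, enabled accounts without MFA, and the case the story turns on, a person who holds more than one enabled account after a role change, where the older account is still live and would not yet look stale.

```python
"""Account-hygiene audit: stale logins, missing MFA, and leftover accounts.

Added example for this page, not code from the original post. All records
below are constructed sample data; field names are assumptions.
"""
from datetime import date, timedelta

STALE_DAYS = 90  # assumption: an enabled account idle for 90+ days is stale

# Constructed sample directory export (no real accounts).
SAMPLE_ACCOUNTS = [
    {"username": "jdoe",        "owner": "J. Doe",   "enabled": True,
     "last_login": "2021-02-10", "mfa_enrolled": False},   # old login, pre-promotion
    {"username": "jdoe-ops",    "owner": "J. Doe",   "enabled": True,
     "last_login": "2021-04-28", "mfa_enrolled": False},   # new login after promotion
    {"username": "asmith",      "owner": "A. Smith", "enabled": True,
     "last_login": "2021-04-29", "mfa_enrolled": True},
    {"username": "contractor7", "owner": "Vendor 7", "enabled": True,
     "last_login": "2020-11-01", "mfa_enrolled": True},    # idle for months
    {"username": "old-svc",     "owner": "Service",  "enabled": False,
     "last_login": "2019-01-01", "mfa_enrolled": False},   # already disabled: ignored
]


def _login_date(account):
    return date.fromisoformat(account["last_login"])


def audit_accounts(accounts, as_of, stale_days=STALE_DAYS):
    """Return a sorted list of (username, issue) findings.

    issue is one of: 'stale', 'no_mfa', 'leftover_after_role_change'.
    Disabled accounts are skipped: they cannot be used to log in.
    """
    findings = []
    enabled = [a for a in accounts if a["enabled"]]
    cutoff = as_of - timedelta(days=stale_days)

    for a in enabled:
        if _login_date(a) < cutoff:
            findings.append((a["username"], "stale"))
        if not a["mfa_enrolled"]:
            findings.append((a["username"], "no_mfa"))

    # A person with more than one enabled account has a leftover login from an
    # earlier role. The account with the older last login is the leftover one.
    by_owner = {}
    for a in enabled:
        by_owner.setdefault(a["owner"], []).append(a)
    for accts in by_owner.values():
        if len(accts) > 1:
            accts.sort(key=_login_date)
            for a in accts[:-1]:
                findings.append((a["username"], "leftover_after_role_change"))

    return sorted(findings)


def run_sample():
    """Audit the constructed sample as of the day the story's attack lands."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2021, 4, 29))


if __name__ == "__main__":
    for username, issue in run_sample():
        print(f"{username:12s} {issue}")
```

Note what the leftover check catches that the staleness check does not: an account last used 79 days ago is still inside a 90-day window, so an idle-time rule alone would have left the pre-promotion login untouched; tying accounts to an owner and a role change is what finds it.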

If you’re confused about how to prepare for a ransomware attack, consider a leadership crash course in cybersecurity. Because one small cyber mistake, and everyone will know your company.

_____________________________

John Sileo hosts cybersecurity crash courses that target the human element of cybersecurity. His clients include Amazon, the Pentagon and Charles Schwab, but his most fulfilling engagements are for smaller organizations and associations that can affect immediate change. 303.777.3221


Were Lebron’s Darkest Secrets Exposed by Hackers?


Grubman Shire Hack: REvil Scores a Blackmail Slam Dunk

How much is basketball megastar Lebron James’ brand worth to hackers?

When you calculate it, Lebron’s name earns him more than his game. And to the cybercriminals who orchestrated the Grubman Shire Hack, that kind of payday is worth jumping through some hoops.

Consider what James makes off of his reputation alone, including endorsement deals with Nike, Coke, Beats and others: $55 million/year in endorsements vs. $37 million/year to play ball, to be exact. Yes, those sponsorship deals hinge on his superiority at basketball, but would be worth little if they weren’t backed by a stellar reputation. Just ask Tiger Woods, who lost most of his earning potential when his reputation crashed into a distasteful sex scandal. 

Because James’ reputation is his greatest financial asset, you can imagine the court lengths he goes to in order to defend it. For this reason, celebrities tend to be uber private with their personal lives – homes that are more like secret compounds, contracts and non-disclosure agreements (NDAs) to legally shield sensitive information, sophisticated data security tools to protect digital assets and most relevant to our discussion today, high-priced lawyers to handle all of the highly-confidential details. 

But Lebron James didn’t get hacked. 

His lawyers did. And with them, his highly confidential, potentially damaging details. Grubman Shire Meiselas & Sacks, a high-powered law firm to the stars, also had the contracts, NDAs (ironic!), home addresses, mobile numbers, private emails and correspondence of Lady Gaga, Madonna, Bruce Springsteen, Cam Newton and yes, even Run DMC electronically hijacked as well. I can just picture the hackers, adorned in parachute pants, chanting the lyrics: “CAN touch this!”

The ransomware crime ring known as REvil (Are Evil) demanded a $42 million payoff after the Grubman Shire hack to NOT expose the data on all of its clients. So Grubman Shire had the unenviable job of choosing to lose $42 million overnight versus the much more expensive and long-term cost of watching disgruntled superstars take the bench because of the breach. 

But the attorneys clearly have to take responsibility and pay up for the Grubman Shire hack.

It was beyond question that Grubman Shire, like many companies before them, would pay the ransom to robustly defend the incredibly sensitive data, not to mention their profitable relationships, with their best “players”. 

But they didn’t. 

The law firm chose not to pay the ransom and thumbed their nose at the cybercriminals. I’m not sure how Lebron and the Lady felt about that, but the decision was wise, because even if you pay their demands, you’ve only secured a pinkie promise from a dishonest criminal; who’s to say that they won’t expose the data after they’ve cashed the Bitcoin? Steal, extort and share is the latest Dark Web craze.  

So which secrets of Lebron’s were inevitably exposed? 

None (yet), because the hackers weren’t done with their game. Remember, REvil’s goal is to make money, not to give away the product of their work for free. So they took their demands directly to the stars, baiting them with ugly consequences…

“Show business is not [just] concerts and love of fans only. Also, it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery.” 

The hacking group, also known as Sodinokibi, was upping the stakes, threatening to expose lurid details that could defeat even the most popular of athletes.

In doing so, REvil added a new twist to the old ransom game – they divided the information into files about individual celebrities and listed them for sale on an Internet auction to the highest bidder. It was like Sotheby’s for Scammers.

Now Lebron, Bette Midler and The Boss were the masters of their own fate, simply needing to hand over $600,000 to $1 million each via cryptocurrency to keep their private data private. 

What did Lebron pay? Lady Gaga, Mariah Carey and Mr. DMC? That’s the problem with cyber blackmail – we never get to know the outcome, because no one in their right mind admits to being successfully blackmailed, extorted, and humiliated, for fear of attracting copycats. We will never know if they paid or what they paid. 

Clearly, none of the celebrities were at fault, and had little control over the situation, so what’s the point? There are three:

  1. You always have some control over the situation, but by the time your business data is hacked, it’s too late to keep it from being exposed.
  2. Preventing a cyber intrusion before it happens has the greatest ROI.
  3. Most specifically, your organization MUST immediately vet the security measures of all 3rd parties who have access to your sensitive information. This is especially true for organizations that store sensitive data on cloud servers, deploy 3rd-party software apps or utilize outside vendors like lawyers and accountants (with potentially lax security postures).  

Island hopping, which means gaining access into one entity’s systems in order to exploit the downstream systems of their constituents (clients, vendors, employees, voters), is the name of the latest cybercrime game, and it is quickly coming to an arena near you. 

What secrets would ransomware gangs go after in your business, and in the systems that support your partners? What’s your brand worth and how much should you spend to protect it? Because, for the record, most corporate reputations are worth far more than Lebron James’. 


John Sileo is a cybersecurity expert, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and around the world and is the CEO of The Sileo Group, a technology think tank based in Colorado.

RobbinHood Ransomware Attack Brings Down Baltimore

Since May 7, Baltimore has been dealing with a ransomware attack that brought many city systems to a standstill. Hackers seized parts of the computer systems that run Baltimore’s government. A classic ransomware assault, the attack used malware known as “RobbinHood”. City workers’ screens suddenly locked, and a message in broken English demanded over $100,000 in Bitcoin to free their files. Obtained by The Baltimore Sun, it said, “We’ve been watching you for days. We won’t talk more, all we know is MONEY! Hurry up!”

The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading. Unfortunately, by then, it had already affected voice mail, email, a parking fines database, real estate sales, and a system used to pay water bills, property taxes, and vehicle citations. It could take months of work to get the disrupted technology back online.

Experts don’t believe that hackers sought out Baltimore specifically. In fact, Lawrence Abrams, the creator and owner of the technology news site Bleeping Computer, said: “I think it was purely an opportunistic attack.”

In April, officials in Greenville, N.C. discovered they were also victims of RobbinHood. The city declined to pay the ransom, and the attack remains under investigation by the F.B.I.

Controversy Over Blame

RobbinHood is a relatively new ransomware variant. Now a controversial debate has begun over who is to blame as accusations have arisen that the National Security Agency, or N.S.A., developed a vital component of the malware.

It seems that in 2017, the N.S.A. lost control of the hacking tool EternalBlue. State hackers in North Korea, Russia and, more recently, China have all picked up this tool. The still-unidentified group called the Shadow Brokers are the ones who released it online. Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly N.S.A. breach in history”. He says it’s more damaging than the better-known leak in 2013 from Edward Snowden, the former N.S.A. contractor. Additionally, security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, paralyzing local governments and driving up costs.

The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could. The hackers in the Baltimore case paired RobbinHood with EternalBlue, which allowed the malware to circulate more efficiently. The N.S.A. denies any responsibility. Rob Joyce, N.S.A. Senior Adviser, suggested that organizations have had two years to update their systems to protect against EternalBlue, and the N.S.A. should not be responsible for any of those hacks in 2019.

Ransomware: Cyber Security Expert’s Next Big Threat

Ransomware: A Vital Course on the Next Big Cyber Threat

Ransomware is pretty much exactly what it sounds like: it holds your computer or mobile phone hostage and blackmails you into paying a ransom. It is a type of malware that prevents or limits users from accessing their system and forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems or to get their data back.

It’s been around since about 2005, but earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims.

Crowti (also known as Cryptowall) and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Another to take note of is known as Fessleak, which attacks Adobe Flash flaws. It is a “malvertising” trend that pushes a fileless exploit into memory and uses local system files to extract and write malware to disk from memory.

How Ransomware Paralyzes Your Computing

There are different types of ransomware. However, all of them will prevent you from using your computer normally, and they will all ask you to do something (pay a ransom) before you gain access to your data. Ransomware will:

  • Lock your desktop or smartphone and change the password or PIN code
  • Encrypt important files so you can’t use them (photos, taxes, financials, My Documents, etc.)
  • Restrict your access to management or system tools (that would allow you to clean the computer)
  • Disable input devices like your mouse and keyboard
  • Stop certain apps from running (like your anti-virus software)
  • Use your webcam to take a picture of you and display it on screen or on a social network
  • Display offensive or embarrassing images
  • Play an audio file to scare you (e.g. “The FBI has blocked your computer for a violation of Federal law.”)

Common Ransomware Demands

  • Generally they demand money in order to unlock your system. Usually, they demand payment through an anonymous payment system like Bitcoin or Green Dot cards, and promise to give you the key if you pay the ransom in time (for example, $17,000 to be paid within 72 hours was the demand given to the Hollywood Presbyterian Hospital, which had all of its life-critical medical records frozen)
  • Sometimes the ransomware shows a “warning from the software company” telling you that you need to buy a new license to unlock your system. Other times, ransomware will claim you have done something illegal with your computer, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer and files.

How to Prevent Ransomware Blackmail

The best way to avoid downloading malware is to practice good computer security habits:

  • Create an offsite backup of your files. Seriously, right now. And make it automatic, so that it happens at least once a day. An external hard drive is one option, but be sure to disconnect it from the computer when you are not actively backing up files. If your back-up device is connected to your computer when ransomware strikes, the program will try to encrypt those files, too. If you have a secure cloud backup service that encrypts your files before sending, consider using that as an offsite backup.
  • Don’t click on links or open attachments in an email unless you know who sent it and what it is. Instead type the URL of the site you want directly into your browser. Then log in to your account, or navigate to the information you need.
  • Make sure your software is up-to-date.
  • Don’t download software from untrusted sources.
  • Minimize “drive-by” downloads by making sure your browser’s security setting is high enough to detect unauthorized downloads. For example, use at least the “medium” setting in Internet Explorer.
  • Don’t open “double extension” files. Sometimes hackers try to make files look harmless by using .pdf or .jpeg in the file name. It might look like this: not_malware.pdf.exe. This file is NOT a PDF file. It’s an EXE file, and the double extension means it’s probably a virus.
  • Install and use an up-to-date antivirus solution.
  • Ensure you have SmartScreen (in Internet Explorer) turned on.
  • Have a pop-up blocker running in your web browser.
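The “double extension” rule above is easy to automate at a mail gateway or on a download folder. The following is an added example written for this page, not code from the original post or from any product it mentions. It generalizes the not_malware.pdf.exe case to a small set of executable extensions and a set of decoy document extensions (both sets are assumptions, not an exhaustive list), treats names case-insensitively, and also catches the common variant where whitespace is padded between the decoy extension and the real one so the real one scrolls out of view. The attachment names it screens are constructed samples.

```python
"""Flag attachments whose real type is hidden behind a decoy extension.

Added example for this page, not code from the original post. The extension
sets are assumptions (a starting point, not a complete list); the sample
attachment names are constructed.
"""

# Assumption: extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}

# Assumption: document/image extensions used as the harmless-looking decoy.
DECOY_EXTS = {"pdf", "jpg", "jpeg", "png", "gif", "doc", "docx", "xls",
              "xlsx", "ppt", "pptx", "txt"}


def classify_filename(name):
    """Return 'double_extension', 'executable', or 'ok' for one file name."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "ok"                      # no extension at all
    final = parts[-1].strip()
    if final not in EXECUTABLE_EXTS:
        return "ok"                      # archive.tar.gz, report.pdf, ...
    # strip() handles "report.pdf      .exe": the padding hides the .exe
    inner = parts[-2].strip()
    if inner in DECOY_EXTS:
        return "double_extension"        # not_malware.pdf.exe
    return "executable"                  # setup.exe: plain, but still risky


# Constructed sample attachment names (no real files).
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "not_malware.pdf.exe",
    "photo.JPG.scr",
    "setup.msi",
    "report.pdf          .exe",
    "archive.tar.gz",
    "notes.txt",
    "README",
]


def screen(names):
    """Return (name, verdict) for every name that is not 'ok'."""
    flagged = []
    for n in names:
        verdict = classify_filename(n)
        if verdict != "ok":
            flagged.append((n, verdict))
    return flagged


if __name__ == "__main__":
    for name, verdict in screen(SAMPLE_ATTACHMENTS):
        print(f"{verdict:17s} {name!r}")
```

The decoy works because Windows hides known extensions by default, so a user sees “not_malware.pdf” on screen; a filter that looks only at the last extension still sees the truth, which is why the check keys on the final part and only then looks back one step for the decoy.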

If you Become a Victim of Ransomware

  • Stop work! TURN OFF YOUR COMPUTER! Shut down your entire network, if possible, until help arrives. You can do this by turning off your switches or routers inside of your premises. Ask your IT professional before taking this step if you think that you might be interrupting service.
  • Contact an IT Security firm that can visit your office (or home) in person. Handling this type of problem over the internet is not advised, as it could exacerbate your problem.
  • If you have an offsite backup of your data, have the IT Security firm reinstall your backup and clean it of any ransomware before putting the data and computers back on the network.
  • Alert other people on your network, as any work completed after infection will be overwritten when the backup is restored.

There is conflicting advice regarding paying ransom. Truly, there is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again. Paying the ransom could also make you a target for more malware. On the other hand, if you have not backed up your files, you may have little choice. Almost 90% of the companies that we have studied as victims of ransomware end up paying the ransom to have their systems unlocked – but only about 50% of them ever receive the unlocking code promised. It’s a gamble, but if you don’t have an off-site backup, it’s probably one you are going to need to take.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.