CyberheistNews Vol 10 #46 [Eye Opener] Almost Half Of Ransomware Attacks Now Involve Data Exfiltration And Extortion





CyberWire reported that in the third quarter of 2020 nearly half of ransomware attacks involved data exfiltration and extortion. Worse, the security firm Coveware says it has identified instances of ransomware gangs leaking data after victims paid the ransom, or returning to demand additional payment:

"Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data.

The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / not leaked:
  • "Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
  • "Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
  • "Netwalker: Data posted of companies that had paid for it not to be leaked.
  • "Mespinoza: Data posted of companies that had paid for it not to be leaked.
  • "Conti: Fake files are shown as proof of deletion."
Coveware advises against paying the ransom, but concludes that victims should treat these incidents as data breaches from the start, regardless of whether or not they decide to pay:

"Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.

Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.

Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set."

Emsisoft's Fabian Wosar agrees with this view, telling KrebsOnSecurity, "Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated."

For more, see the CyberWire Pro Privacy Briefing:
https://thecyberwire.com/newsletters/privacy-briefing
[New Webinar] Top 5 IT Security Myths Your CISO Believes Are True… BUSTED!

Facts are facts, but what happens when IT security pros take myths at face value?

That got us thinking… what if we whip out our magnifying glasses, pull out the trench coats and use our research skills to differentiate fact from fiction? Join us for this interactive webinar where we’ll help you decide how to invest your time and money wisely, how to implement worthwhile defenses, and what holes to plug so your organization gets the best bang for your security budget buck.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, and Erich Kron, KnowBe4’s Security Awareness Advocate, as they uncover the truth behind these 5 top IT security myths. They’ll be stating facts and slinging stats.
  • Good data backups will save you from ransomware
  • Long passwords are safer than short passwords
  • Running an obscure OS keeps your network safe
  • Every organization needs antivirus and firewalls on endpoints
  • End users can’t be trained; technology is your only defense
Roger and Erich will present each side. Then YOU DECIDE whether each myth is confirmed or BUSTED in a live vote! Join us to let your voice be heard and earn CPE credit for attending.

Date/Time: THIS WEEK, Wednesday, November 11 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2811526/51349D9DB344D4CE4CB4DBCCEDA4B259?partnerref=CHN2
[SCAM OF THE WEEK] Sean Connery's Final Wish Is Revealed

After the sad passing of famous actor Sir Sean Connery, Yahoo News released an article that revealed his final wish after he passed away peacefully with his family at his side.

“He had dementia and it took its toll on him. He got his final wish to slip away without any fuss," Micheline Roquebrune said in a statement to MailOnline.

This unfortunate celebrity death will be prime real estate for the bad guys to exploit in a number of ways. It's important to alert your users immediately that this scam could arise as a social engineering tactic. Make sure to give your users a heads-up that they need to Think Before They Click.

I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.
"Today, news came out about famous actor Sean Connery's final wish before he passed away, so please be careful with anything related to Sean Connery's death: emails, attachments, any social media, texts on your phone, anything. There will be a number of scams related to this, so please remember to Think Before You Click!"
For KnowBe4 Customers, there is a new simulated phishing template in the Current Events campaign: "Yahoo! News: Wife reveals Sean Connery's final wish before death" that I suggest you send to everyone more or less immediately.
NEW Tool: Is Your Organization Ready For The New CMMC Compliance Audit? Find Out Now!

You already have challenging compliance requirements and having enough time to get your audits done is a continuous problem.

According to the most recent Thomson Reuters Regulatory Intelligence Survey, continuing regulatory change remains one of the biggest challenges for compliance teams. The new Cybersecurity Maturity Model Certification (CMMC) framework, required by the U.S. Department of Defense (DoD), presents another set of challenges.

If you’re trying to wrap your head around how to best meet compliance requirements for the CMMC, you likely have a lot of questions. You want answers and need guidance on how to best meet the requirements to get your organization ready for an audit - fast.

Find out your organization’s audit readiness now!

KnowBe4’s new Compliance Audit Readiness Assessment (CARA) is a complimentary web-based tool that helps you gauge your organization’s readiness in meeting compliance requirements for the CMMC. The assessment guides you through the CMMC Maturity Level 1 requirements to help you identify areas within your current environment that may need attention. CARA then provides an analysis of your results with guidance to help you create and implement controls to help get your organization ready for an audit.

Here’s how CARA works:
  • You will receive a custom link to take your assessment
  • Rate your readiness for each requirement as Met, Partially Met, or Not Met
  • Get an instant analysis of potential gaps in your cybersecurity preparedness
  • Use the custom report to help you define controls you need to have in place
  • Results in just a few minutes!
Take your first step towards understanding your organization's compliance audit readiness now.
https://info.knowbe4.com/compliance-audit-readiness-assessment-chn
[Heads-up] New Phishing Links Sent Via Legitimate Google Drive Alert Emails

Scammers are abusing a Google Drive feature to send phishing links in automated email notifications from Google, WIRED reports. By mentioning a Google user in a Drive document, the scammers can cause Google to generate a notification that will be sent straight to the user’s inbox, bypassing spam filters.

“The smartest part of the scam is that the emails and notifications it generates come directly from Google,” WIRED explains. “On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document.

If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which also comes from Google, also contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.”

WIRED says this technique has been observed frequently over the past few weeks, so users should be on the lookout.

“The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks.” Google said it’s working on new ways to detect malicious activity, but David Emm, a principal security researcher at Kaspersky, told WIRED that this could be a challenge.

“It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create,” Emm said. “Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren’t expecting to receive it and don’t know the sender, don’t respond.”

In this case, the messages are clumsily written and would make many users suspicious. However, a more talented attacker could easily craft a much more convincing scam using this method. This attack is particularly insidious in the organizational context, where co-workers commonly share their work product using Google Docs.

New-school security awareness training can help your employees avoid falling for new and unexpected phishing techniques.

Blog post with links:
https://blog.knowbe4.com/phishing-links-sent-via-legitimate-google-drive-notifications
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster with PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, November 18 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in, the Phish Alert Button, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, November 18 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2774981/B80596E023E56D9B57E3EA753FFD0A8B?partnerref=CHN1


Let's stay safe out there, with tens of millions working from home.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc



Quotes of the Week
"Many forms of Government have been tried, and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of Government except for all those other forms that have been tried from time to time."
- Winston Churchill, Statesman



"A lady asked Dr. Franklin Well Doctor what have we got a republic or a monarchy. A republic replied the Doctor if you can keep it."
- Published Notes from James McHenry, A Maryland delegate to the Constitutional Convention



Thanks for reading CyberheistNews

Security News
JavaScript Obfuscation on Phishing Pages Continues to Rise by 70%

The use of JavaScript to obfuscate phishing pages increased by 70% in the ten months between November 2019 and August 2020, according to researchers at Akamai. Attackers use this technique to make it harder for security technology to detect their phishing sites.

The vast majority of this activity involves content escaping (or URL encoding), but other less common techniques have skyrocketed.

“The research focused on five obfuscation techniques that were explained in our previous blog,” Akamai says. “There was a significant increase in four of the monitored techniques between November 2019, and August 2020. The techniques that increased the most during the recorded period are content escaping obfuscation techniques (72%), Base64 encoding (800%), hex encoding variable name obfuscation (86%), and eval execution obfuscation (400%).”

The researchers note that this activity began rising dramatically around the beginning of May 2020, which Akamai attributes to the increase in phishing activity during the pandemic.

Most of the impersonated brands were in three sectors: high technology (29.2%), financial (21.4%), and social media (20.6%). Phishing scams impersonating media, e-commerce, and dating companies were also common.

Akamai believes these techniques will grow more common as attackers try to stay ahead of the security industry. “We anticipate the use of JavaScript obfuscation techniques will continue to be adopted, as those techniques give the upper hand to threat actors and enable phishing and scamming websites to become evasive and undetected, thereby increasing these scams' efficiency,” the researchers write.

“Moreover, we believe that, as the human factor is still considered the weakest link in the chain, educating and creating awareness of such scams and evasion techniques should guide us as we move forward. In addition, we believe that security controls need to be able to detect and eliminate such evasive techniques.”

Blog post with links:
https://blog.knowbe4.com/javascript-obfuscation-on-phishing-pages-continues-to-rise-by-70
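As an added defender-side example (not Akamai's code or anything from this newsletter), here is a small Python scanner that flags the four techniques named above, content escaping, Base64, hex-encoded names and eval execution, and then peels one decodable layer at a time so that indicators hidden inside an unescape() or atob() argument are also scored. The sample scripts, the indicator thresholds and the helper names are constructed assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample scripts, one per technique (not the samples Akamai studied)
SAMPLES = {
    "plain": "document.getElementById('login').addEventListener('submit', send);",
    "escaped": "document.write(unescape('%3Cform%20action%3D%22http%3A%2F%2Fexample.test%2Fpost%22%3E'));",
    "base64": "eval(atob('ZG9jdW1lbnQud3JpdGUoJzxmb3JtPicpOw=='));",
    "hexvars": "var _0x4f2a=['\\x6c\\x6f\\x67\\x69\\x6e'];var _0x1b3c=_0x4f2a[0];",
}

def scan_layer(src):
    """Return the indicators present in one layer of script text (thresholds are assumptions)."""
    found = set()
    # 1. content escaping: runs of %XX, usually fed to unescape()/decodeURIComponent()
    if len(re.findall(r'%[0-9A-Fa-f]{2}', src)) >= 8 or re.search(r'\b(unescape|decodeURIComponent)\s*\(', src):
        found.add("content_escaping")
    # 2. Base64: atob() or a long base64-looking string literal
    if re.search(r'\batob\s*\(', src) or re.search(r"['\"][A-Za-z0-9+/]{24,}={0,2}['\"]", src):
        found.add("base64")
    # 3. hex encoding: obfuscator-style _0x.... identifiers or many \xNN string escapes
    if re.search(r'\b_0x[0-9a-fA-F]{3,}\b', src) or len(re.findall(r'\\x[0-9a-fA-F]{2}', src)) >= 4:
        found.add("hex_encoding")
    # 4. eval execution: code assembled as a string and then executed
    if re.search(r'\b(eval|Function)\s*\(', src) or re.search(r'setTimeout\s*\(\s*[\'"]', src):
        found.add("eval_execution")
    return found

def peel(src):
    """Decode one layer: the literal argument of unescape() or atob(), if present."""
    m = re.search(r"unescape\(\s*'([^']*)'\s*\)", src)
    if m:
        return unquote(m.group(1))
    m = re.search(r"atob\(\s*'([A-Za-z0-9+/=]*)'\s*\)", src)
    if m:
        try:
            return base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # malformed padding or characters: stop peeling
            return None
    return None

def analyze(src, max_layers=3):
    """Scan the script and every decodable inner layer; return (sorted findings, decoded layers)."""
    found, layers, current = set(), [], src
    for _ in range(max_layers):
        found |= scan_layer(current)
        inner = peel(current)
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return sorted(found), layers

if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(name, analyze(script))
```

Real obfuscators nest these layers and split strings across helper functions, so a production scanner would feed the decoded layers back through a JavaScript parser rather than regular expressions.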
Thinking Skeptically About Smishing

Organizations need to train their employees to be on the lookout for SMS phishing (smishing), according to Jennifer Bosavage at Dark Reading. Bosavage explains that attackers exploit normal human behavior to gain access to systems or extract information from employees.

“Cyberattackers leverage the way people typically respond to certain social situations to trick them into disclosing sensitive information about themselves, their businesses, or their computer systems,” Bosavage writes. “Even the smallest amount of data can be useful to hackers who are trying to complete a profile that will enable them to get access to credit, banking, and other sensitive information.

So the first thing to do is to train employees to recognize their telltale but often subtle signs, as well as how their information can be used in a social engineering attack.”

Bosavage quotes April Wright, a security consultant at ArchitectSecurity.org, as saying that attackers can easily obtain open-source information to make their phishing messages appear legitimate.

“With both smishing and vishing, the source may have some information that makes them seem credible – names of co-workers, a boss' name, phone numbers, department names, etc.,” Wright said. “These are the seemingly trivial information they have gained via intelligence gathering, [smishing], phishing, or vishing. The most important thing we can do is verify.”

Wright added that employees need to have a healthy sense of suspicion in order to recognize these scams. “We need to realize that not everyone is good and be on the lookout for questions people don't normally ask, for that feeling when ‘something isn't right,’” Wright said. “That feeling has kept humans alive and safe for hundreds of thousands of years, and we should listen to it. It's there to alert us to danger.”

New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to avoid falling for these attacks.

Dark Reading has the story:
https://www.darkreading.com/edge/theedge/teach-your-employees-well-how-to-spot-smishing-and-vishing-scams/b/d-id/1339271
What KnowBe4 Customers Say

"Hi Javvad, your presentation was simultaneously informative, and also terrifying! One of the best wakeup calls I’ve seen about many topics."
- R.S., Application Consultant


"Hi Stu, I just wanted to say that we are a new user for your products and really love it. It seems to be helping our staff (some more than others lol) try to look out for phishing emails. I mostly wanted to say that I have been dealing with BlairD and he has been wonderful to deal with.

I have missed or been late to two calls with Blair since he has been helping us. I feel really bad for this and Blair has done nothing except make me feel that it is OK and he understands. He walks me through the steps and makes getting to know your product very easy. Blair is a great person to have on your team. Thanks again to all at KnowBe4."
- S.K., HR Administrator
The 12 Interesting News Items This Week
    1. Premium-Rate Phone Fraudsters Hack VoIP Servers of 1200 Companies:
      https://thehackernews.com/2020/11/premium-rate-phone-fraudsters-hack-voip.html?

    2. Justice Department Seizes $1 Billion of Bitcoin Tied to Silk Road Website:
      https://www.wsj.com/articles/justice-department-seizes-1-billion-of-bitcoin-tied-to-silk-road-website-11604612072?mod=markets_lead_pos6/

    3. Why Paying to Delete Stolen Data is Bonkers:
      https://krebsonsecurity.com/2020/11/why-paying-to-delete-stolen-data-is-bonkers/

    4. US seizes more domains with ties to suspected Iranian influence campaign:
      https://www.cyberscoop.com/more-domains-seized-iran-doj/

    5. How to defend your organization against social engineering attacks:
      https://www.techrepublic.com/article/how-to-defend-your-organization-against-social-engineering-attacks/

    6. OUCH. Private Prison Operator GEO Group Discloses Data Breach:
      https://www.securityweek.com/private-prison-operator-geo-group-discloses-data-breach

    7. Keep your friends close; keep ransomware closer:
      https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html

    8. KnowBe4 Launches Free Compliance Tool. Check It Out Here:
      https://www.infosecurity-magazine.com/news/knowbe4-launch-free-compliance-tool/

    9. Ransomware Hits Dozens of Hospitals in an Unprecedented Wave:
      https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/

    10. Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee:
      https://unit42.paloaltonetworks.com/domain-parking/

    11. The ‘New Normal’ State of Cybersecurity:
      https://www.bitdefender.com/files/News/CaseStudies/study/378/Bitdefender-Whitepaper-2020-Business-Threat-Landscape-Report.pdf

    12. Newly discovered 'RegretLocker' ransomware targets Windows virtual machines:
      https://siliconangle.com/2020/11/04/newly-discovered-regretlocker-ransomware-targeting-windows-virtual-mahines/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.


