CyberheistNews Vol 11 #36 [EYE OPENER] The Number Of Daily Ransomware Attacks Skyrockets Nearly 1,000% In 2021


New analysis of cyberattack data by security vendor Fortinet sheds light on not only how much ransomware is really being experienced, but who’s being attacked the most.

Just when I think I’ve seen it all, yet another stat from a new report shocks me. This time it comes from Fortinet’s FortiGuard Labs 1H 2021 Global Threat Landscape Report and revolves around the currently-observed state of ransomware. According to the report, ransomware is increasingly being felt by more and more organizations:
  • The weekly average number of ransomware attacks detected in June of 2021 was more than 149,000. A year prior, it was only 14,000 – an increase of 966%
  • Over one-third of businesses in the Automotive, MSSP, Government and Telecommunications industries, and one-quarter of businesses in nearly all other sectors, experienced ransomware attacks
  • The report noted that “the key takeaway is that ransomware is a clear and present danger regardless of industry or size.”
This data not only corroborates previously observed increases this year in the number of ransomware attacks, but helps to substantiate the kinds of organizations (the Fortinet report lists more than 20 industry verticals) that are consistently being targeted and – therefore – should be proactively putting protective measures in place.

This should include security awareness training to enable your users to stop email-based attacks that successfully make it past a layered set of security filters designed to stop phishing, social engineering and malware in its tracks.

NIST recently updated Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, adding some critical new language to the sections covering security awareness. The relevant language is within Section 3.2.

The updated NIST standard now includes providing frequent simulated social engineering testing. Specifically, their language states, “Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.”

This is a significant addition from NIST and is a formal recognition that phishing simulation vendors, like KnowBe4, are providing a much-needed security control. This behavior-based training is the key to building your effective last line of defense.

So, let’s examine the NIST recommendation in detail. CONTINUED:
A Master Class On Cybersecurity: Roger Grimes Teaches Data-Driven Defense

Even the world’s most successful organizations have significant weaknesses in their cybersecurity defenses, which today’s determined hackers can exploit at will. There’s even a term for it: Assume Breach.

But assuming you’ll be hacked isn’t an option for you. Your organization can’t afford a loss of assets or downtime. And nobody knows this more than Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

With 30+ years of experience as an IT security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against quickly-evolving cybersecurity threats. He wrote the book on it, literally - A Data-Driven Computer Security Defense.

Join Roger Grimes for this thought-provoking webinar where he’ll share the most common reasons for data breaches and a data-driven approach to determining your organization’s specific weaknesses.

You’ll walk away from this session understanding:
  • What most organizations are doing wrong and how to fix it
  • How to build an action plan to improve your cybersecurity effectiveness
  • Why a strong human firewall is your best last line of defense
Start creating your data-driven defense plan today and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, September 15 @ 2:00 PM (ET)

Be Wary Of Unrequested Disc Images

Microsoft’s recent announcement that the new version of Microsoft Windows, Microsoft Windows 11, will be released soon is capturing headlines around the world. Microsoft will allow Windows 11 to be downloaded and installed to qualified user computers.

This news event is a good reminder for security awareness advocates that phishers are highly likely to use it, and especially the download image capabilities, to phish people into installing malware. Certainly, Microsoft’s download process will not be a direct, “here is a URL link in an email” process.

Microsoft’s download and licensing verification processes will ensure that the actual download service is sophisticated and safe.

The same cannot be said of phishers. They will no doubt send out tens of millions of emails claiming to be from Microsoft, service providers and IT departments, claiming that the targeted receiver MUST immediately download and install Windows 11 using the provided URL link under some threat of penalty or disruption.

You know it is going to happen. You know that some small percentage of users will fall for it. Hackers would not do it if a small percentage of people were not prone to these sorts of phishing attacks.

It is a great time to remind users about how newsworthy events, like the release of Windows 11, will be used by scammers and phishers. It is a great time to create simulated phishing campaigns based around Microsoft’s announcement and other newsworthy events (e.g., COVID, earthquake, celebrity deaths, global news, etc.) and see who could be susceptible to a real phishing attack using the same tactics.

It is also important to remind users to be very suspicious of any unexpected links to software install disc images. This applies to image file format extensions including ISO, IMG, BIN, MDF, VM, VMDK, VMX, and VHD. Most of the phishing attacks will claim to link to disc image files, but really point to executables (e.g., EXE, ELF, DLL, etc.), archive file types (e.g., ZIP, ARC, etc.), scripts (e.g., PS, CMD, BAT, etc.) and commonly used document types (e.g., DOC, DOCX, PDF, etc.).

But many of the links will point to real, but maliciously used, disc image file formats. This is because many computer defenses do not block them by default and many people do not understand what those image files are and can do. Many antivirus programs do not scan them before they launch.
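One way a mail gateway or triage script can apply the two checks described above, as an added example that is not KnowBe4’s code: links whose text promises a disc image but whose target is an executable, archive, script or document are flagged as a mismatch, and links that really point to a disc image are flagged for review. The sample HTML body, the `example.invalid` host and all function names are constructed for the example.

```python
"""Flag email links that claim a disc image but deliver something else.
Added example, not KnowBe4's code: classifies anchors in an HTML mail body
along the lines the article describes."""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extension groups named in the article (lower-case, no dot).
DISC_IMAGE = {"iso", "img", "bin", "mdf", "vm", "vmdk", "vmx", "vhd"}
RISKY = {"exe", "elf", "dll",       # executables
         "zip", "arc",              # archives
         "ps", "ps1", "cmd", "bat", # scripts
         "doc", "docx", "pdf"}      # documents

def extension_of(url: str) -> str:
    """Extension of the URL path only; query string and fragment are ignored."""
    return posixpath.splitext(urlparse(url).path)[1].lstrip(".").lower()

class _Anchors(HTMLParser):  # collects (visible link text, href) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def classify(text: str, href: str) -> str:
    target = extension_of(href)
    claimed = set(re.findall(r"[a-z0-9]+", text.lower()))  # tokens in link text
    if claimed & DISC_IMAGE and target not in DISC_IMAGE:
        return "mismatch"      # promises an image file, delivers something else
    if target in DISC_IMAGE:
        return "disc-image"    # real image link; unexpected ones deserve scrutiny
    if target in RISKY:
        return "risky-file"
    return "ok"

def scan_email(html: str):
    parser = _Anchors()
    parser.feed(html)
    return [(text, href, classify(text, href)) for text, href in parser.links]

# Constructed sample body (not a real phishing message); example.invalid is reserved.
SAMPLE = """<p>Your PC qualifies for the upgrade.</p>
<a href="https://example.invalid/dl/Win11_Setup.exe?id=7">Windows11.iso</a>
<a href="https://example.invalid/dl/Win11.iso">Download installer</a>
<a href="https://example.invalid/faq">Read the FAQ</a>"""
```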

Attacks are in the wild already:
[New PhishER Feature] Turn The Tables On The Cybercriminals With PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, September 22 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your users’ inboxes.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, September 22 @ 2:00 PM (ET)

Conti's Ransomware Playbook Includes Recon For Users With Privileged Access

Researchers at Cisco Talos have translated a playbook used by the ransomware-as-a-service group Conti. The playbook contains detailed instructions for how to gain administrator access, including searching social media to find employees to target.

“The adversaries list several ways to hunt for administrator access once on the victim network,” the researchers write. “They use commands such as Net to list users and tools like AdFind to enumerate users with access to Active Directory, and even OSINT, including the use of social media sites like LinkedIn to identify roles and users with privileged access.

They note that this hunting process is particularly easy in U.S. and EU networks because of how they are structured and how roles and responsibilities are commonly detailed in comments.” The researchers note the gang is fairly well-organized and educated on corporate network structures.

“References to team leads, chats and conferences indicate that the group is at least somewhat well-organized,” the researchers write. “They also display a familiarity with corporate network environments, such as where prized assets are located and how to access them.

This is particularly true for U.S. and European networks, which they note have enhanced documentation that provides for easier targeting. Of note, the only ‘geographical’ mention by the adversaries was the mention of U.S./EU active directory (AD) structures. Their instructions, which are meticulous and easy to follow, also demonstrate that they are efficient and methodical.”

Talos also stresses that the manual allows less-technical criminals to carry out sophisticated ransomware attacks. “One of the biggest takeaways during the translation was the overall thoroughness and detail of these playbooks,” the researchers write. “The level of detail provided could allow even amateur adversaries to carry out destructive ransomware attacks, a much lower barrier to entry than other forms of attacks. This lower barrier to entry also may have led to the leak by a disgruntled member who was viewed as less technical (aka ‘a script kiddie’) and less important.”
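The “hunt for administrator access” described above is visible in endpoint telemetry, and this added example (not Talos’s or KnowBe4’s code) shows how a detection rule can look for it: it matches the two tool families the article names (net user/group listing and AdFind) in process-creation records and escalates when one host runs several of them within a short window. The records, hostnames, times and account names are constructed.

```python
"""Spot the AD-enumeration pattern the Conti playbook write-up describes.
Added example, not Talos's or KnowBe4's code: scans constructed process-creation
records for the tools the article names and escalates when one host runs
several of them within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Anchored on the image name so 'net use' (routine drive mapping) and
# 'netstat' are not matched; only user/group listing counts.
ENUM_PATTERNS = {
    "net-user-enum": re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+(?:user|group)\b", re.I),
    "adfind": re.compile(r"(?:^|\\)adfind(?:\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=10)   # several hits this close together look like a hunt
BURST_THRESHOLD = 3

def classify(cmdline: str):
    """Name of the matched enumeration pattern, or None."""
    for name, pattern in ENUM_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None

def detect(records):
    """records: (timestamp_iso, host, cmdline) triples -> [(host, severity, patterns)]."""
    hits = defaultdict(list)  # host -> [(time, pattern name)]
    for ts, host, cmd in records:
        name = classify(cmd)
        if name:
            hits[host].append((datetime.fromisoformat(ts), name))
    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (t, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t <= WINDOW]
            if len(in_window) >= BURST_THRESHOLD:   # burst: enumeration campaign
                alerts.append((host, "high", sorted({n for _, n in in_window})))
                break
        else:                                        # isolated hit: worth a look
            alerts.append((host, "low", sorted({n for _, n in events})))
    return alerts

# Constructed telemetry (hostnames, times and accounts are made up).
SAMPLE = [
    ("2021-09-14T09:00:05", "WS-042", "net user /domain"),
    ("2021-09-14T09:00:40", "WS-042", "net group /domain"),
    ("2021-09-14T09:03:12", "WS-042", "C:\\Temp\\adfind.exe"),
    ("2021-09-14T11:15:00", "WS-017", "net use Z: \\\\files\\share"),
    ("2021-09-14T13:02:00", "SRV-01", "net user svc_backup"),
]
```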

New-school security awareness training enables your employees to thwart sophisticated social engineering attacks.

Blog Post with links:
Don’t Miss Kevin Mitnick, The World’s Most Famous Hacker At KB4-CON EMEA 2021

Ransomware attacks are surging like never before. The sophistication of phishing emails is increasing at an alarming rate. And resulting data breaches are more costly than ever. So how should you, the ever-vigilant IT professional, respond?

Luckily Kevin Mitnick, KnowBe4’s Chief Hacking Officer and The World’s Most Famous Hacker, is on your side! Attend his session at KB4-CON EMEA where he and Colin Murphy, KnowBe4’s Chief Information Officer, will dive deep into the strategies cybercriminals are using to raise the stakes.

In this session they’ll share:
  • Weaknesses they’ve discovered by running penetration tests on some of the world’s most successful organizations
  • Thoughtful recommendations to help you turn your organization into a hard target
  • Eye-opening hacking demonstrations that will show you how bad actors work
During the event you’ll hear from some of the world’s greatest security minds. Plus you’ll have the chance to network with security experts and your peers while gaining access to a variety of free tools and resources. Register now!

Date: Thursday 23 September, 2021


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well."
- Voltaire, Philosopher (1694 - 1778)

"An optimist may see a light where there is none, but why must the pessimist always run to blow it out?"
- Rene Descartes, Mathematician (1596 - 1650)

Thanks for reading CyberheistNews

Security News
A Look At Phishing Keywords

Researchers at Expel offer a useful list of the top keywords used in phishing emails. First on the list is the word “invoice,” which is a general term that will be relevant to most organizations.

“Generic business terminology doesn’t immediately stand out as suspicious and maximizes relevance to the most potential recipients by blending in with legitimate emails, which presents challenges for security technology,” the researchers write. “Most people are also inclined to respond promptly to communications from co-workers, vendors or clients if they believe action is required, like returning an invoice.”

The word “new” is another potential red flag, since it will grab a user’s attention. “‘New’ is commonly used in legitimate communications and notifications, and aims to raise the recipient’s interest,” Expel says. “People are drawn to new things in their inbox, wanting to make sure they don’t miss something important.”

Another common word used in phishing emails is “required,” which preys on a user’s sense of urgency. “Keywords that promote action or a sense of urgency are favorites among attackers because they prompt people to click without taking as much time to think,” the researchers write. “‘Required’ also targets employees’ sense of responsibility to urge them to quickly take action.”

Expel notes that multi-factor authentication (MFA) is an important layer of defense against phishing attacks. While MFA isn’t foolproof, it makes it more difficult for an attacker to breach an account even if they have the account’s credentials.

The researchers add that employee education is another important layer of defense. “Another important thing orgs can do to prevent successful phishing campaigns is to develop comprehensive phishing education programs,” Expel says. “Orgs should stay up-to-date on the latest phishing trends to update their policies and educate employees when new tactics are at play.

Beyond training sessions, regularly test employees with mock phishing emails (and provide feedback on what in the email was suspicious) so they continue to learn, hone their detection skills, and know how to report suspicious emails in their inbox.” We could not agree more.

Expel has the story:
Phishing For The Bundestag

The German government has called out Russia for carrying out phishing attacks against German politicians ahead of the country’s upcoming parliamentary elections, the Associated Press reports. Germany’s Foreign Ministry spokeswoman Andrea Sasse stated that a campaign known as Ghostwriter has been “combining conventional cyberattacks with disinformation and influence operations” to target Germany.

She noted that these attacks have been ongoing “for some time now.”

Ghostwriter tends to launch anti-NATO cyber operations, and has targeted other European countries in the past. Sasse said Ghostwriter is associated with Moscow’s military intelligence service, the GRU.

“The German government has reliable information on the basis of which Ghostwriter activities can be attributed to cyber-actors of the Russian state and, specifically, Russia’s GRU military intelligence service,” Sasse said.

It “views this unacceptable activity as a danger to the security of the Federal Republic of Germany and for the process of democratic decision-making, and as a severe strain on bilateral relations.”

Sasse stated, “The federal government strongly urges the Russian government to stop these unacceptable cyber activities with immediate effect.” She also noted that the phishing activity may be intended to launch disinformation operations surrounding the elections.

“These attacks could serve as preparations for influence operations such as disinformation campaigns connected with the parliamentary election,” Sasse said. She added that the attacks “are of course completely unacceptable, and that the German government reserves the right to take further measures.”

Germany’s elections take place on September 26th, so these attacks can be expected to continue in the coming weeks. The Associated Press notes that phishing is used by both low-level criminals and sophisticated state-sponsored actors because it works so well.

Spear phishing is even more effective, since it targets users with content they’re expecting to receive.

The Associated Press has the story:
What KnowBe4 Customers Say

"Hello Stu, I am a happy camper! The content, training has been exceptional. And LoganF has been a fantastic CSM. His communication is outstanding, his knowledge of the resources is outstanding. Walking me through the setup of campaigns and training is outstanding. So am I a happy camper? Yes! For a small non-profit this is a stay at a 5-star hotel. :-D Thank you and keep up the good work!"
- S.D., IT Manager
The 10 Interesting News Items This Week
    1. What it was like inside Microsoft during SolarWinds, the worst cyberattack in history:
    2. Article in WSJ: "How Hackers Use Our Brains Against Us". The basics of social engineering:
    3. Microsoft shares temp fix for ongoing Office 365 zero-day attacks:
    4. This is the perfect ransomware victim, according to cybercriminals:
    5. “FudCo” Spam Empire Tied to Pakistani Software Firm:
    6. Interesting...ransomware gang threatens to release stolen data if victim contacts law enforcement or uses a professional negotiator:
    7. Chinese spammers are learning from the Kremlin:
    8. REvil ransomware's servers mysteriously come back online:
    9. 91% of IT teams have felt 'forced' to trade security for business operations:
    10. Dark Covenant: Connections Between the Russian State and Criminal Actors:
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.