CyberheistNews Vol 11 #43 [HEADS UP] Nuclear Ransomware 3.0: It Is About To Get Much Worse


As an intro to the quintuple-extortion article just below, we asked Roger Grimes to give us his (scary) perspective.

"If you think ransomware is bad, it is about to get much, much worse. What will ransomware gangs do? Just everything. I have been writing about computer security for over 27 years. And each year, as the year comes to an end, I am often asked questions about what I think the future computer security and cybercrime trends will be. They boil down to: will the attacks get worse next year, or will the computer security industry finally start to make a dent in cybercrime and actually decrease overall malicious hacker and malware activity?

And year after year, looking at all the evidence from prior years, I have always had to conclude that it is going to get worse… and that the cybersecurity industry is not yet capable of implementing a robust defense to even slow the continued increase in cybercrime, much less actually lessen it. Year after year, cybercrime just gets worse. Many times, however, what is going on today seems so bleak and huge that I cannot see how it could possibly get worse the next year. But so far, it always does.

The ransomware problem is a great example. A few years ago, ransomware was already extorting billions of dollars a year, exploiting any company it wanted to, taking down hospitals, taking down consortiums, holding entire cities for ransom. I was asked if it could get worse. I said, “Yes.” To be honest, I could not believe what I was saying, but based on my experience and seeing no signs that the good side was doing a significantly better job at preventing cybercrime, it was the only thing I could conclude – that ransomware was going to somehow get worse. And it did. Far worse than I could have predicted.

Nuclear Ransomware 2.0 Quintuple Extortion

Starting in late 2019, ransomware started routinely exfiltrating data, in what is now commonly known as “double extortion.” I wrote about it on January 7, 2020 on the blog. I shared that beyond traditional encryption, ransomware programs and gangs were also doing the following:
  • Stealing Intellectual Property/Data
  • Stealing Every Credential It Can – Business, Employee, Personal, Customer
  • Threatening Victim’s Employees and Customers
  • Using Stolen Data to Spear Phish Partners and Customers
  • Publicly Shaming Victims
The most important thing about these five new ransomware activities, beyond the issue that there are now six things to worry about instead of one, is none of the new ones can be mitigated by a good backup. Before Ransomware 2.0, a good, secure backup could possibly save you. Once the ransomware gangs routinely started doing all of the new actions, a good backup was just one piece of the possible solution. I started to give what became one of my most popular presentations of my career, called Nuclear Ransomware 2.0, to warn people.

I have presented it hundreds of times now and I’m still surprised by how many attendees don’t understand how bad ransomware has become."

CONTINUED. This is an important 5-minute read:
https://blog.knowbe4.com/nuclear-ransomware-3.0-it-is-about-to-get-much-worse
[Live Demo] Ridiculously Easy Security Awareness Training And Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, November 3 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, November 3 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458435/95D6D7245C6AC6CD8D15B37583BEE915?partnerref=CHN2
New Ransomware Strain Announces the Dawn of the Era of “Quintuple-Extortion”

A ransomware gang with a new variant is trailblazing us towards the future of ransomware by making threats that go well beyond the simple ransom transactions of yesterday.

First we had plain old ransomware – hold your data hostage and ask for a ransom. Then came double extortion, where data was exfiltrated and a threat was made to publish it if the ransom wasn’t paid. Then REvil and others began to offer an additional service where customers, partners and the press were called if the ransom wasn’t paid. Then came DDoS attacks (to keep a victim from being able to communicate about their response to the attack) as a fourth mode of extortion.

And now, according to security researchers at Symantec Threat Hunter Team, a new ransomware variant – dubbed Yanluowang – includes an additional threat. Once infected, victims are instructed not to contact law enforcement or ransomware negotiation firms.

If the attackers’ rules are not followed, Yanluowang says they will not only start distributed denial of service (DDoS) attacks against the victim org, as well as make “calls to employees and business partners,” but also add on a fifth form of extortion – threatening to repeat the attack in a few weeks and simply delete all the victim’s data.

I fear this is only going to get worse; threat actors merely need to figure out additional ways to further put pressure on organizations once ransomware has infiltrated a network in order to turn this five-time extortion game into something so unbearable that organizations will have no choice but to pay the ransom.

The silver lining is that recent ransomware still relies on the same three initial access vectors: exploited vulnerabilities, exposed remote desktop services and phishing. Security awareness training addresses phishing by keeping users on their toes with security top of mind.

Vulnerabilities require patching at a minimum, and a vulnerability management program for more mature organizations. And remote desktop services exposed to the internet – c’mon, you know those should just be turned off and traded in for a SASE solution; where that is not yet possible, put them behind a VPN with multi-factor authentication and restrict which source addresses can reach them.

Ransomware *is* going to continue to get worse. Prepare accordingly.

Please forward this blog post to your friends:
https://blog.knowbe4.com/new-ransomware-variant-brings-with-it-the-dawn-of-the-era-of-quintuple-extortion
See How You Can Get Audits Done In Half The Time, Half The Cost And Half The Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, November 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, November 3 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458400/7DC7CFBF986BD90F7C33AEC21D31C613?partnerref=CHN2
Russian SolarWinds Hackers Newly Attack Supply Chain With Password-Spraying and Phishing

Researchers at Microsoft have observed a phishing campaign by Russia’s SVR that’s targeting resellers and managed service providers. Microsoft tracks this threat actor as “Nobelium,” and notes that this is the same actor that was behind the SolarWinds attacks.

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Microsoft stated. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.

We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.” Microsoft says at least 140 entities have been targeted in this campaign, with 14 being compromised.

“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community,” Microsoft says. “Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

The researchers note that Nobelium isn’t using sophisticated techniques to gain access, and is simply relying on phishing and password spraying.

“The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access,” Microsoft says.

“We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach.”
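Password spraying, the technique Microsoft describes above, has a distinctive shape in authentication logs: one source tries a single guess against many accounts, so each account sees only one or two failures while the source racks up dozens. The detector below is an added example, not Microsoft's or KnowBe4's code; it runs over a constructed, simplified CSV log (timestamp, source IP, user, result), and the window and threshold values are assumptions you would tune to your own sign-in volume.

```python
"""Password-spray detector over sign-in log lines.

Added example, not Microsoft's or KnowBe4's code. The log format is a
constructed, simplified CSV (timestamp,source_ip,user,result); in practice the
same logic runs over Azure AD sign-in logs or Windows Security events 4625/4771.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one guess against many accounts (the
# spray signature), while 198.51.100.2 is a single user mistyping a password.
SAMPLE_LOG = """\
2021-10-26T08:00:01Z,203.0.113.7,alice@example.com,FAIL
2021-10-26T08:00:03Z,203.0.113.7,bob@example.com,FAIL
2021-10-26T08:00:05Z,203.0.113.7,carol@example.com,FAIL
2021-10-26T08:00:07Z,203.0.113.7,dave@example.com,FAIL
2021-10-26T08:00:09Z,203.0.113.7,erin@example.com,FAIL
2021-10-26T08:00:11Z,203.0.113.7,frank@example.com,SUCCESS
2021-10-26T08:01:00Z,198.51.100.2,alice@example.com,FAIL
2021-10-26T08:01:30Z,198.51.100.2,alice@example.com,FAIL
2021-10-26T08:02:00Z,198.51.100.2,alice@example.com,SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user.lower(), result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that failed against >= min_users distinct accounts inside
    `window` with at most max_per_user failures per account. A brute force
    against one account has the opposite shape and is deliberately not flagged.
    Returns {source_ip: {"users": n, "success": [accounts that logged in]}}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start[0] > window:
                    break
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from a spraying source is a probable compromise.
                hits = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
                alerts[ip] = {"users": len(per_user), "success": hits}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {info['users']} accounts; successes: {info['success']}")
```

On the sample, only 203.0.113.7 is reported (five distinct accounts in ten minutes, one failure each, followed by a success for frank@example.com); the three failures from 198.51.100.2 against a single account do not match the spray shape. The successful sign-in from a spraying source is the account to reset first.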

Again, informed and trained users are your best last line of defense against attacks that rely on social engineering.

Blog post with links:
https://blog.knowbe4.com/russian-solarwinds-hackers-newly-attack-supply-chain-with-password-spraying-and-phishing
Hacking Your Organization: 7 Steps Cybercriminals Use to Take Total Control of Your Network

The scary fact is that the majority of data breaches involve human error. With so many technical controls in place, hackers are still getting through to your end users. How are they so easily manipulated into giving the cybercriminals what they want? Well, hackers are crafty. And the best way to beat them is to understand the way they work.

In this webinar Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will take you through the "Cyber Kill Chain" in detail to show you how a single email slip up can lead to the total takeover of your network.

Roger will show you:
  • How detailed data is harvested using public databases and surprising techniques
  • Tricks used to craft a compelling social engineering attack that your users WILL click
  • Cunning ways hackers deliver malicious code to take control of an endpoint
  • Taking over your domain controller and subsequently your entire network
But not all hope is lost. Roger will also share actionable strategies you can put in place now to greatly reduce your risk. Find out how to protect your organization before it's too late and earn CPE credit just for attending.

Date/Time: Wednesday, November 10 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3494648/743FB36BAFF45AFC0DD60785A3628219?partnerref=CHN

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


Vote for KnowBe4 in the 2021 Computing Security Awards!

Has your team benefited from our security awareness training and simulated phishing? Share your success with us by voting for KnowBe4 in the Computing Security Awards! We have been nominated for six different categories this year:
  • Security Company of the Year
  • Security Education and Training Provider of the Year
  • SME Security Solution of the Year
  • Customer Service Award -- Security
  • Anti Phishing Solution of the Year
  • Anti Malware Solution of the Year
You have until Nov. 19 to vote for your favorite security company and winners will be announced Dec. 2. Every vote counts!

Vote here: https://computingsecurityawards.co.uk/?page=knowbe4_csa2021vote

Quotes of the Week
"The snow goose need not bathe to make itself white. Neither need you do anything but be yourself."
- Lao Tzu - Philosopher (604 - 531 BC)


"Why fit in when you were born to stand out?"
- Dr. Seuss - Writer (1904 - 1991)

Thanks for reading CyberheistNews

Security News
Cybercriminals Are Using Craigslist Email Notifications To Send Phishing Links

Cybercriminals are using Craigslist email notifications to send phishing links, according to Roger Kay at INKY. The emails contain links to download a document with malicious macros.

“In early October, several INKY users received real Craigslist email notifications informing them that a published ad of theirs included ‘inappropriate content’ and violated Craigslist’s terms and conditions,” Kay writes.

“The notifications gave false instructions on how to avoid having their accounts deleted. In our analysis, we learned that a common thread among recipients of this particular phish was the fact that they were active Craigslist users. The notifications were ‘real’ in the sense that they really did come from a Craigslist domain, but they were fake in the sense that Craigslist itself, either its humans or its machines, did not intend to send them.

Without verification from Craigslist, we can't be sure, but it appears as if Craigslist was compromised since the recipients were not random (they posted ads on the platform) and the emails originated from Craigslist.”

Kay notes that the abuse of Craigslist’s platform allowed the messages to avoid detection by security filters. “The phishers were able to manipulate the Craigslist email system to send a fake violation notification to that individual,” Kay says. “Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors.”

Kay concludes that people should be wary of unsolicited emails that ask them to click a suspicious link. “Recipients should be on the lookout for unusual requests,” Kay says. “A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recipient behavior on the platform in question.

Another red flag is the mixing of platforms. It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive. Recipients should also be suspicious about the indirect way they are being asked to sign the form.

Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.” And, sadly, urgency should always raise our suspicions. “Act now” can appeal equally to fear and greed, and those two emotions are seldom conducive to cognitive clarity or situational awareness.
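The "mixing of platforms" red flag Kay describes can be checked mechanically: compare the sender's domain with the host of every link in the message and treat a jump to an unrelated file-sharing service as suspicious. The triage function below is an added example, not INKY's or Craigslist's code. It uses only the Python standard library, runs over a constructed message modelled on the notice described above, and its file-sharing host list, urgency phrases and scoring are assumptions rather than anything INKY published.

```python
"""Triage heuristic for "platform mixing" in notification e-mails.

Added example, not INKY's or Craigslist's code. It parses a constructed raw
message with the standard library, compares the From: domain with the host of
every link in the body, and flags links that leave the sender's platform for a
third-party file-sharing service. FILE_SHARING_HOSTS, URGENCY and the sample
message are assumptions modelled on the notice described above.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: hosting services a platform's own violation notice should not use.
FILE_SHARING_HOSTS = {"onedrive.live.com", "1drv.ms", "drive.google.com",
                      "docs.google.com", "dropbox.com"}
# Assumed: pressure phrases that push the reader to act before thinking.
URGENCY = ("act now", "within 24 hours", "will be deleted", "immediately")

# Constructed sample message (not a real Craigslist notice).
SAMPLE_EMAIL = """\
From: Craigslist <noreply@craigslist.org>
To: seller@example.net
Subject: Your ad violated our terms
Content-Type: text/plain; charset=utf-8

Your posting contains inappropriate content. To avoid deletion of your
account, act now and complete the form at
https://onedrive.live.com/download?resid=ABC123
or review the policy at https://www.craigslist.org/about/terms.of.use
"""


def registrable(host):
    """Crude registrable-domain guess (last two labels); a real deployment
    would consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Return the sender domain, every off-platform link with its reasons,
    the urgency phrases found, and a simple additive score."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = registrable(parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1])
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if registrable(host) == sender:
            continue  # link stays on the sender's own platform
        reasons = ["link host differs from sender domain"]
        if host in FILE_SHARING_HOSTS or registrable(host) in FILE_SHARING_HOSTS:
            reasons.append("points at a file-sharing service")
        findings.append((url, reasons))
    urgency = [p for p in URGENCY if p in body.lower()]
    score = sum(len(r) for _, r in findings) + (1 if urgency else 0)
    return {"sender_domain": sender, "suspicious_links": findings,
            "urgency": urgency, "score": score}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for url, reasons in result["suspicious_links"]:
        print(url, "->", "; ".join(reasons))
    print("urgency:", result["urgency"], "score:", result["score"])
```

Note that this heuristic does not look at where the message came from at all: in the case above the mail really did leave Craigslist's infrastructure and would pass SPF and DKIM, which is exactly why a content-level check on where the links lead is the useful signal.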

New-school security awareness training can give your employees a healthy sense of skepticism so they can avoid falling for social engineering attacks.

INKY has the story:
https://www.inky.com/blog/urgency-mail-relay-serve-phishers-well-on-craigslist
SEO Poisoning as an Aid to Social Engineering

Researchers at Menlo Security describe a malware campaign that’s abusing search engine optimization (SEO) to push malicious websites to the top of search results. The attackers set up websites that trick users into downloading a PDF file that contains a link to install the SolarMarker backdoor.

“The SolarMarker campaign employs SEO poisoning,” the researchers write. “Attackers commonly use this technique to artificially increase the ranking of their malicious pages. They do this by injecting the malicious website with keywords that users search for. Across our customer base, we have seen a wide variety of search terms that led to malicious pages. We have observed over 2,000 unique search terms that led to malicious websites.”

The researchers explain that the attackers use large file sizes to avoid being flagged by security technologies. “We observed payloads with three different payload sizes being downloaded in this campaign,” Menlo Security says. “The smallest payload we saw was about 70MB, while the largest was about 123MB.

The large sizes of the malicious payloads exceed file size limits defined by sandboxes and other content inspection engines.” Menlo Security notes that this campaign is part of a broader trend to target individuals with social engineering attacks.
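The size-limit evasion Menlo describes only works when "too big to sandbox" silently becomes "allowed". The example below is added here and is not Menlo Security's code: it contrasts a fail-open download policy with a fail-closed one that still sniffs the leading bytes of an oversized file and quarantines anything that looks like executable or active content. The 50 MB cap, the magic-byte table, the constructed 123 MB sample and the block-by-default choice for unrecognised oversized files are all assumptions.

```python
"""Fail-closed handling of downloads too large to sandbox.

Added example, not Menlo Security's code. A gateway with a sandbox size cap can
either skip oversized files (fail-open, the gap the campaign above relies on)
or still sniff the leading bytes and quarantine anything it cannot fully
analyse. The 50 MB cap, the magic-byte table and the sample sizes are assumptions.
"""
MAX_SANDBOX_BYTES = 50 * 1024 * 1024

# Leading bytes of formats that can carry executable or active content.
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (Office docs, JARs, installers)",
    b"%PDF": "PDF",
}


def sniff(header):
    """Identify the file type from its first bytes, independent of size."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def decide_fail_open(size, header):
    """The weak policy: anything over the cap is waved through unscanned."""
    return "ALLOW" if size > MAX_SANDBOX_BYTES else "SANDBOX"


def decide_fail_closed(size, header):
    """The hardened policy: over the cap, recognised active-content types are
    quarantined for manual review and unknown types are blocked, never allowed."""
    if size <= MAX_SANDBOX_BYTES:
        return "SANDBOX"
    kind = sniff(header)
    if kind:
        return f"QUARANTINE ({kind}, {size // (1024 * 1024)} MB exceeds sandbox cap)"
    return "BLOCK (unrecognised type over sandbox cap)"


if __name__ == "__main__":
    # Constructed: a 123 MB Windows executable, the size of the largest payload above.
    size, header = 123 * 1024 * 1024, b"MZ\x90\x00\x03\x00\x00\x00"
    print("fail-open  :", decide_fail_open(size, header))
    print("fail-closed:", decide_fail_closed(size, header))
```

Sniffing the header costs a few bytes of I/O regardless of file size, so the cap that protects the sandbox from a 123 MB submission never has to mean zero inspection.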

“In addition to SolarMarker, the Menlo Labs team has seen a rise in attacks designed to target users, as opposed to organizations, bypassing traditional security measures,” the researchers write. “These types of highly evasive attacks have been seen before, but the velocity, volume, and complexity of this new wave has increased in recent months.

Bad actors are exploiting the new world order in which the lines between business and personal device use are blurred. In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets.”

New-school security awareness training enables your employees to avoid falling for social engineering attacks and make smarter security decisions.

Menlo Security has the story:
https://www.menlosecurity.com/blog/holy-seo-poisoning/
What KnowBe4 Customers Say

"As Director of Training and Enablement Systems, I am extremely happy with the KnowBe4 engine, its capabilities, and its support. JeannineK, our KnowBe4 customer support person, has been incredibly helpful, providing setup instructions and documentation, answering questions, solving issues and meeting with us on a regular cadence. She has been a godsend and as a result, we currently have an in-house phishing protocol, and have created 2 training campaigns using learning objects from the KnowBe4 Modstore library.

It is truly a learning process but we continue to educate ourselves with the capabilities of the KnowBe4 engine, and we are happy and fortunate to have Jeannine guide us through this process.

I also asked our IT Director for his feedback and he submitted this below as well: 'The IT department has been extremely pleased with the training content as well as the PhishER capabilities. We believe the training continues to strengthen our security posture as we continue to educate our end users.'

Also, we deal with a lot of different vendors on a variety of products and solutions. I can’t overstate the impact JeannineK has had on the positive feelings we have about KnowBe4 and our relationship with your company. She is an absolute joy to work with and has provided us with a level of service our other vendors should strive to achieve. Thank you, again."
- H.T., Director of Training and Enablement Systems



"Yes the team and myself are very happy. After the first training campaign we've seen a great improvement in the second phishing campaign results. We're just starting to work the PhishER and LexieN has been a big help with the whole process."
- S.S., Network Engineer
The 10 Interesting News Items This Week
    1. Russian SolarWinds hackers have a new target: the global tech supply chain:
      https://fortune.com/2021/10/25/russia-solarwinds-hackers-nobelium-microsoft-target-global-tech-supply-chain/

    2. These ransomware criminals lost millions of dollars in payments when researchers secretly found mistakes in their code:
      https://www.zdnet.com/article/cybersecurity-researchers-secretly-cost-ransomware-criminals-millions-of-dollars-after-finding-mistakes-in-their-code/

    3. Ransomware Has Disrupted Almost 1,000 Schools in the US This Year:
      https://www.vice.com/en/article/4awyvp/ransomware-has-disrupted-almost-1000-schools-in-the-us-this-year

    4. Microsoft warns over uptick in password spraying attacks:
      https://www.microsoft.com/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/

    5. Senate Committee Chair: ‘Ransomware Has Changed the Equation’:
      https://www.nextgov.com/cybersecurity/2021/10/senate-committee-chair-ransomware-has-changed-equation/186408/

    6. HM Treasury Hit by Five Million Malicious Emails in Past Three Years:
      https://www.infosecurity-magazine.com/news/treasury-five-million-malicious/?&web_view=true

    7. Ransomware: It's a 'golden era' for cyber criminals - and it could get worse before it gets better:
      https://www.zdnet.com/article/ransomware-its-a-golden-era-for-cyber-criminals-and-it-could-get-worse-before-it-gets-better/

    8. Police arrest criminals behind Norsk Hydro ransomware attack:
      https://www.bleepingcomputer.com/news/security/police-arrest-criminals-behind-norsk-hydro-ransomware-attack/

    9. TrickBot malware dev extradited to U.S. faces 60 years in prison:
      https://www.bleepingcomputer.com/news/security/trickbot-malware-dev-extradited-to-us-faces-60-years-in-prison/

    10. Palo Alto warns of BEC-as-a-service:
      https://www.zdnet.com/article/palo-alto-warns-of-bec-as-a-service-finds-average-wire-fraud-attempted-is-567000-with-peak-of-6-million/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.