CyberheistNews Vol 12 #23 | June 7th, 2022
[Heads Up] Our Global Ransomware Damage Will Be More Than 265 Billion by 2031
Cybercrime Magazine just reported: "It has been five years since a report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion (USD) in 2017, up from $325 million in 2015 — a 15X increase in just two years.
"The damages for 2018 were predicted to reach $8 billion, for 2019 the figure was $11.5 billion, and in 2021 it was $20 billion — which is 57X more than it was in 2015.
"Ransomware has evolved and expanded dramatically in the interim — and despite authorities' recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra — cut off one head and several appear in its place.
"All signs are that the coming decade will be even worse as ransomware gangs continue to refine and intensify their attacks, vastly outflanking organizations that are juggling the need for ransomware defenses with a broad range of security, data protection, privacy, and corporate risk priorities.
"Ransomware will cost its victims more around $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack (on a consumer or business) every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over the next 10 years.
"Yet even those estimates may prove to be conservative, given that the recently released 2022 update to the Verizon Data Breach Investigations Report (DBIR) found that the number of ransomware attacks increased by 13 percent between 2020 and 2021 — a larger jump than the past five years combined.
"This growth was severe enough to be labelled 'alarming' by a security analysis team that has spent the past 15 years watching cybercrime attacks grow and morph — and has seen human-generated risk, in particular, continue to dominate infection mechanisms.
"Indeed, the human element was responsible for 82 percent of attacks analyzed during 2021, according to the DBIR, with 25 percent of breaches caused by social engineering attacks.
"The continuing surge in ransomware infections points to ongoing challenges around security awareness training, a corporate capability that has become so important that the market is expected to surge to be worth $10 billion annually just five years from now."
Cybercrime Magazine has the full story, which KnowBe4 sponsored:
https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, June 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Support for QR-Code Phishing Tests
- NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers
- NEW! AI-Driven training recommendations for your end users
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, June 8 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3713729/BD8F8A0FE3D2CE20F847A5BDA6B2BFDA?partnerref=CHN3
[Eye Opener] Why We Recommend Your Passwords Be Over 20-Characters Long
KnowBe4 just released its official guidance and recommendations regarding password policy. It has been a project in the works for many months now, but we wanted to make sure we got it right. We wrote a blog post with an infographic illustrating our official password recommendations.
The summary of our recommended password policy compared to NIST is:
- Use phishing-resistant MFA where you can. If you cannot use MFA, then:
- Use a password manager to create long and complex passwords wherever you can
- If you must create your own passwords, make them 20-characters or longer
The optimal recommendation is a scenario where everyone would have one or two human-created long passphrases/pass-sentences, if needed, and use a password manager or MFA for everything else. The human-created passphrases/pass-sentences would be the ones needed to log into your device(s) and your password manager (if needed for those instances).
The full blog post with links and Infographic is here:
https://blog.knowbe4.com/we-recommend-passwords-over-20-characters
We also have a brand-new 41-page e-book here that you can download:
https://info.knowbe4.com/wp-password-policy-should-be
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, June 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
- Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due
Date/Time: TOMORROW, Wednesday, June 8 @ 1:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3714144/AD2312CF5D51664B6E34DCB6118D9449?partnerref=CHN3
U.K.'s National Health Service Becomes the Latest Victim of a Credential Harvesting Phishing Operation
Part of a six-month attack, email accounts on the NHS's Microsoft 365 instance were compromised, resulting in over 1,100 targeted email attacks used to obtain more credentials.
According to security researchers at email protection vendor Inky, the 139 compromised NHS accounts were being misused from October 2021 until March of 2022 as the cornerstone of further phishing attacks attempted to either harvest credentials to major online platforms, or to trick victims into providing banking details.
Emails were likely sent using two IP addresses serving as SMTP relays for the NHS' 27,000+ users, allowing attackers to work remotely. What may have allowed this attack to remain undetected for six months was the number of emails being sent:
Blog post with graphs and screenshots:
https://blog.knowbe4.com/nhs-credential-harvesting-phishing-victim
Understanding the Threat of NFT and Cryptocurrency Cyber Attacks and How to Defend Against Them
A growing number of organizations worldwide are utilizing cryptocurrency for a host of investment, operational, and transactional purposes. Seemingly overnight, technologies like non-fungible tokens (NFTs) emerged and just as quickly, cybercriminals learned how to capitalize on organizations' naivete for their own benefit.
Are you still not sure about the ins and outs of NFTs and cryptocurrencies? Should your organization even care? The answer is YES, and we are here to help you make sense of it all. Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he shares what you need to know to defend yourself in this new age of Web 3.0.
Roger will cover:
- The business impact of NFTs and cryptocurrencies: What are they and why should you care
- The various and increasingly popular attacks against NFT and cryptocurrencies
- How you can best defend yourself and your organization from becoming the victim of an attack
- The projected future of NFTs and cryptocurrencies
Stay up-to-date on the latest technologies and their hidden threats! Plus, earn CPE for attending this event.
Date/Time: Wednesday, June 15 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3808653/26F4784C86D918E01E028B0029CCD40D?partnerref=CHN2
WSJ: "Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns"
Here is some excellent ammo for your C-Suite! The WSJ just reported that ransomware gangs are splitting into smaller cells and using different malware to obscure their identities and evade sanctions. They said:
"After the U.S. in 2019 put sanctions on a Russia-based group known as Evil Corp, which Washington accused of stealing over $100 million from more than 300 banks, hackers believed to be affiliated with the gang switched its operating model, according to a report published Thursday by security firm Mandiant Inc. The individuals ditched Evil Corp’s bespoke malware and rotated between several related variants, ultimately renting access to ransomware produced by another group.
"Hackers' attempts to obscure their identity could make it more difficult for victims to know whether they are complying with rules prohibiting ransom payments to sanctioned entities. These changes in tactics have helped some loosely connected criminal groups extend lucrative hacking sprees that have disrupted energy companies, manufacturers and other firms in recent years, cybersecurity experts say. Fourteen of the 16 critical infrastructure sectors in the U.S. were hit with ransomware last year, according to the Federal Bureau of Investigation."
Send this link to the full article to your C-level exec who owns the InfoSec budget strings:
https://www.wsj.com/articles/russia-linked-ransomware-groups-are-changing-tactics-to-dodge-crackdowns-11654178400
Did You Register for the RSA Conference 2022 Yet? Get Your Free Expo Pass!
Check out all the activities KnowBe4 will be doing at RSAC:
Expo Pass: Receive your complimentary Expo Pass on us by using the code 52EKNWBE4XP when registering on the RSAC official website.
See a Demo, Receive a Free Hat: Join us to see a demo of the innovative KnowBe4 Security Awareness Training and Simulated Phishing Platform to train and phish your users to receive a free hat!
Meet The Team: Our team of security experts are excited to see you in-person! Stop by the KnowBe4 Booth S-1143 to hear about the latest updates and new features.
Get your pass!
https://www.rsaconference.com/usa/passes-and-rates
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from May 2022 with a 'Did You Know?':
https://blog.knowbe4.com/fresh-content-updates-may-2022?
PPS: Yours truly in Security Magazine "Four Ways Cybercriminals Can Hack Passwords":
https://www.securitymagazine.com/articles/97736-four-ways-cybercriminals-can-hack-passwords
- William Arthur Ward - Writer (1921 - 1994)
- Democritus - Philosopher (460 – 370 BC)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-23-heads-up-our-global-ransomware-damage-will-be-more-than-265-billion-by-2031
Phishing Campaign Targets QuickBooks Users
Accounting software provider Intuit has warned of a phishing scam targeting its customers, BleepingComputer reports. The phishing campaign affected users of Intuit's QuickBooks product, informing them that their account has been put on hold.
"Intuit has recently received reports from customers that they have received emails similar to the one below," the company said in an alert. "This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit. Please don't click on any links or attachments, or reply to the email. We recommend you delete the email."
If a user has clicked on a link or downloaded something from the email, Intuit offers the following recommendations:
- "Delete the download immediately.
- "Scan your system using an up-to-date anti-virus program.
- "Change your passwords."
The phishing emails appear convincing and contain good grammar, stating, "Dear Customer, We're writing to let you know that, after conducting a review of your business, we have been unable to verify some information on your account. For that reason, we have put a temporary hold on your account.
"If you believe that we've made a mistake, we'd like to remedy the situation as soon as possible. To help us effectively revisit your account, please complete the following verification form. Once the verification has completed, we will re-review your account within 24-48 hours."
The email contains a button that says "Complete Verification." If a user clicks this link, they'll either be asked to download a malicious file or taken to a site designed to steal their information. Intuit notes that users can verify if they've received a legitimate email from Intuit by signing into their account and checking to see if they've received the same message online.
It's a familiar spoofing approach, this one a bit better constructed than many. New-school security awareness training can teach your employees to recognize the hallmarks of social engineering attacks.
Blog post with links:
https://blog.knowbe4.com/phishing-campaign-targets-quickbooks-users
Phishing Attacks Rise 54% As the Initial Attack Vector Across All Threat Incidents
If you were an attacker, the challenge with getting initial access is that most methods have a limited window of time for success. Buying an account off the dark web is only good until the password is changed. Use of a third-party vulnerability or a zero-day exploit will eventually be patched.
But phishing users…well, there's plenty of those to go around, right? Whether you are spear phishing to target specific individuals within an organization, or broadly phishing anyone who'll engage with your malicious email content, it seems like there will always be someone willing to "help."
According to new data from Kroll's Q1 2022 Threat Landscape report, we find that threat actors have – at least for the first quarter of this year – shifted initial access tactics and put a lot of emphasis on phishing, used in 60% of all attacks. This is a 54% increase from Q4 2021's number, where only 39% of attacks leveraged phishing.
If this trend continues – and, really, even if it doesn't – attackers know there are plenty of fish in the "phishing sea." That is, unless you put that same kind of limitation on the viability of an initial attack vector on phishing.
And just how do you do that?
Unlike the other three attack vectors mentioned in the report (and above), phishing doesn't have a limited lifespan; users can repeatedly be used as pawns in the next attack and the next. That is, unless you minimize the viability of users assisting phishing attacks by enrolling them in security awareness training designed to educate them on how phishing attacks work, what to look for to avoid assisting the attacker, and keep them abreast of the latest campaigns, trends, and uses of social engineering.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-rise-54-percent
What KnowBe4 Customers Say
"Hi Stu, Thanks for checking in, we're very happy with your platform! The phishing training was very well received, stand out mentions from users include:
- "That KnowBe4 training was the least worst compliance type training I have done in a long time!"
- "Guys- this phishing training has made my day. ADORABLE. Consider this a solid testimonial- love a pirate, love fish."
"Just getting ready to roll out our next phishing test, I have had great support from our account manager, KirstyD."
- L.J. ITM
- FBI director blames Iran for 'despicable' attempted cyberattack on Boston Children's Hospital:
https://www.cnn.com/2022/06/01/politics/fbi-blames-iran-hospital-cyberattack/index.html - FBI warns U.S. colleges of widespread VPN credential leaks on Russian cybercrime forums:
https://therecord.media/fbi-warns-us-colleges-of-widespread-vpn-credential-leaks-on-russian-cybercrime-forums/ - Three BEC Suspects Arrested in "Killer Bee" Sting:
https://www.infosecurity-magazine.com/news/bec-suspect-arrested-killer-bee/ - US ran offensive cyber ops to support Ukraine, says general:
https://www.theregister.com/2022/06/02/nakasone_us_hacking_russia/ - Exceptionally well-crafted RuneScape phishing steals accounts and in-game item bank PINs:
https://www.bleepingcomputer.com/news/security/runescape-phishing-steals-accounts-and-in-game-item-bank-pins/ - What The West (Still) Gets Wrong About Putin:
https://foreignpolicy.com/2022/06/01/putin-war-ukraine-west-misconceptions/ - Microsoft disrupts Bohrium hackers' spear-phishing operation:
https://www.bleepingcomputer.com/news/security/microsoft-disrupts-bohrium-hackers-spear-phishing-operation/ - Clop ransomware gang is back, hits 21 victims in a single month:
https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/ - This Phishing Campaign Delivering Three Fileless Malware Strains:
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two - VentureBeat: "45% of cybersecurity professionals have considered quitting the industry.":
https://venturebeat.com/2022/06/02/cybersecurity-professionals-stress/
- Your Virtual Vaca to SPAIN this week! The Top 10 Places To Visit:
https://www.youtube.com/watch?v=IftfIk-pRwI - Second Virtual Vaca to New York City 4K Aerial Tour:
https://www.youtube.com/watch?v=oTKRNs5b9yo - Best Of The Week is back with another mind-blowing round of ordinary people pushing the limits of what is possible:
https://www.flixxy.com/people-are-awesome-best-of-the-week-109.htm?utm_source=4 - How Many Earths Can Fit Into Jupiter? Spectacular graphics:
https://www.flixxy.com/how-many-earths-can-fit-into-jupiter.htm?utm_source=4 - The Lock Picking lawyer: "This lock isn't picky". You can open it with practically anything. Yikes:
https://www.youtube.com/watch?v=H5PD5Rrg3W4 - The $4BN Museum War. These two cities are spending billions to be their country's cultural capital:
https://www.youtube.com/watch?v=DnP-oO1bMok - Top Gun: Maverick brings the dogfight to the UK Silverstone racetrack:
https://www.youtube.com/watch?v=Rqb0_fphvJ4 - This Base Jumping includes a Red Bull Air Delivery:
https://www.youtube.com/watch?v=PjOvR8SEK60 - GoPro Awards: High-Speed Downhill Skating in the Mediterranean:
https://www.youtube.com/watch?v=3n7N9Dkd9js - SOFIC Jetsuit Tactical Demo Flights Tampa Florida. I want one:
https://www.youtube.com/watch?v=GaFQZqyHW8k - Growing TOMATO Plant From Tomato Slice. Fascinating 120-day TIME LAPSE:
https://www.youtube.com/watch?v=cLz3lsqfpMA - Pure Car Lust. Mercedes-AMG ONE: An F1 car for the road! Only 2M (!) pounds:
https://www.youtube.com/watch?v=ml6YBdk8xOM - For Da Kids #1 - Sad Looking Cat Gets Adopted And Purrs For The First Time Ever:
https://www.youtube.com/watch?v=TJc0h1885AM - For Da Kids #2 - Shelter dog realizes he's been adopted:
https://www.youtube.com/watch?v=B7yOO4oKMVc - For Da Kids #3 - The owner received noise complaints, set up a nanny cam. This is what they saw LOL:
https://www.youtube.com/watch?v=6Hgz8aH9zJQ - For Da Kids #4 - Cat Who Loves Tupperware More Than Anything Gets A Special Delivery:
https://www.youtube.com/watch?v=--Le-wk1IBM - For Da Kids #5 - Rescued Tiny Gosling Thinks This Bull Terrier Is Her Mom:
https://www.youtube.com/watch?v=rs3YFYBT12c&t=12s