CyberheistNews Vol 7 #40
The Notorious Dark Overlord Mafia Escalates Their Ransomware Threat and Terrorizes Whole Valley

News has surfaced that the overseas DarkOverlord cyber mafia struck again and penetrated the Columbia Falls School Board system. They sent a seven-page ransom letter filled with all kinds of sensitive details to the members of the school board and superintendent, demanding between 75,000 and 150,000 dollars in Bitcoin.

DarkOverlord did not stop there, and must have decided to go on a shock-and-awe campaign. They reinforced their demands by terrorizing the whole valley with:
  • sending graphic text messages to specific individuals
  • threats to publish sensitive student information
  • threats of physical harm to people in large numbers
  • doing a local newspaper interview, asserting their demands
“If you decide to not entertain us and agree to one of our win-win business propositions, we will escalate our use of force in a tiered process that will involve an ever increasing level of damage and harm for you,” DarkOverlord stated.

The threats prompted widespread school closures across Flathead County on Sept. 14 and Sept. 15 and impacted roughly 15,700 students. Extracurricular activities and athletic events were canceled through the weekend.

The hackers obtained information about past and present students, parents and staff members, including names, medical records, confidential reports, all email correspondence, phone numbers and addresses.

“This person is only trying to gain power and self satisfaction through fear and intimidation,” Columbia Falls police officials said in an announcement. More detail, and a link to the redacted 7-page letter, here; I think this is the first time that a DarkOverlord ransom demand has been published in full:
New Survey: IT Security Spending Is up, but Security Is Not. Ransomware Is the Biggest Worry

Actually, two new surveys, both very interesting reading. The first focuses on the SMB space. The second report is about the same area, but focuses on large enterprise and has, as expected, a different outcome. You should check out both surveys, there is very good budget ammo in each.


The second-annual Cyren-Osterman Research U.S. security survey shows a significant disconnect between rising IT security spending and a low level of confidence in current protection, among many topics covered in the 24-page report, IT Security at SMBs: 2017 Benchmarking Survey.

Security Budgets Up Sharply

On average, survey respondents reported that IT security budgets grew a robust 17% during the past 12 months. That’s on top of a 21% increase reported one year ago in the first annual Cyren-Osterman Research survey. However, sixty-eight percent of businesses reported one or more breaches or infections during the prior 12 months, and significantly less than half believe they are well prepared to meet priority threats like ransomware, phishing and zero-day exploits.

The survey focuses on the current web and email security status and priorities of IT and security managers at organizations with 100 to 3,000 employees. The survey results allow security personnel to benchmark their own security posture and planning against their peers.


Details of the "IT Security at SMBs: 2017 Benchmarking Survey" questions and responses follow; summarized here are some of the key takeaways from this year’s research:
  • Security breaches are prevalent. Slightly more than two-thirds of the organizations surveyed – 68 percent – reported that they had experienced one or more breaches or infections during the past 12 months, with 29 percent reporting a successful phishing attack and 18 percent a ransomware infection that had gotten past their security defenses.

  • Ransomware is the #1 concern. Ransomware surged from fourth place in the 2016 Cyren-Osterman Research survey to the top of the heap of issues about which IT and security managers are concerned or extremely concerned (62 percent), slightly edging phishing (61 percent), and data breaches (54 percent).

  • Security concerns rule, controlling employees doesn’t. While threat categories are the top concerns among U.S. SMB security decision makers, only 24 percent expressed concern about shadow IT, with even fewer giving importance to controlling employee web behavior.

  • Security effectiveness trumps cost – and everything else. Security effectiveness (85 percent) and speed of defense against new threats (74 percent) markedly outdistanced all other capabilities that were rated (reporting, user experience, management ease, etc.). Cost considerations were among the lowest-rated factors in evaluating a security solution.

  • Stopping threats in HTTPS is a priority. Fifty-nine percent rated as highly or extremely important the ability to perform SSL traffic inspection for threats, ranking it fourth among desired features in a web security solution. Fifty-five percent indicated they have deployed an SSL inspection capability, which contrasts with a far lower deployment rate of 19 percent found in a similar survey in the UK in February 2017.

  • Few think highly of their current protection. Most SMB decision makers believe that the security deployed for their organizations is not doing well, with the largest “security gaps” around the threats of greatest concern. For example, while 61 percent rate phishing a top concern, only 39 percent rate their protection highly.

  • IT security investment is exploding at SMBs. Presumably driven by the poor opinion of current security, and the reality and risk of recurring infections and breaches, SMB IT security budgets jumped significantly for the second year in a row, rising 17 percent on average in the past year, following a 23 percent increase reported in the 2016 Cyren-Osterman Research survey.

  • SMBs have limited IT security staff. Respondents indicated that they generally have a low number of dedicated IT security staff members available to deal with security issues. We found that over half (52 percent) of the organizations surveyed have two or fewer security staff members, with the figure rising to 80 percent for the smallest cohort, with 100-500 employees.

  • Mobile device security is lagging behind. While 70 percent protect remote offices and roaming laptop use, only half protect company owned mobile devices, dropping to one-fifth providing protection of BYOD mobile devices, even if they connect to the corporate network.

  • Preference growing and nearly equal for cloud-based SaaS vs. on-premises. The preference in terms of deployment model for security solutions is now nearly equally divided, with 32 percent preferring on-premises solutions, and 29 percent preferring cloud-based SaaS – with the latter up sharply from 21 percent in the 2016 Cyren-Osterman Research survey.

  • Email security is now predominantly done in the cloud. Fifty-seven percent of SMBs rely on SaaS security for their email, considering together those who subscribe to a SaaS Secure Email Gateway (28 percent) and those who rely on the security provided by their SaaS or hosted email service provider (29 percent).

  • Cloud-based web security is moving up the adoption curve. Eighteen percent of SMBs reported that they subscribe to SaaS web security, with another 16 percent reporting deployment of “hybrid” cloud and on-premises solutions, and six percent relying on a hosted virtual appliance.

  • Security breaches cost significant staff time (and money). After a security breach, organizations reported an average of 152 person-hours in IT staff time devoted to addressing the problem.
Download the full report here:
New Phishing Report: 90% of IT Execs Worry Most About Email Threats

Our colleagues at PhishMe released the results of their US Phishing Response Trends Report, which looked at the phishing response strategies of two hundred senior IT security decision-makers across a variety of large industries in the United States.

The report shows that businesses are still the most worried about and least prepared for phishing attacks. In fact, most organizations feel they have little, if any, expertise in anti-phishing and many feel their phishing incident response processes are weak.

Aside from mass-distributed general phishing campaigns, hackers continue to target key individuals in the finance or accounting departments through Business Email Compromise (BEC) scams or CEO email fraud.

By impersonating chief-executives or finance officers, attackers attempt to solicit money transfers or fast wires of cash from unsuspecting targets and will also use those scams to deploy dangerous malware or ransomware.

According to the FBI's Internet Crime Complaint Center (IC3), BEC attacks have generated more than 5.3 billion USD in actual and attempted losses, affecting more than 131 countries world-wide.

More than 50% of businesses that responded have revenues exceeding 1.5 billion dollars and represented a wide variety of industries, including business services, high tech, healthcare, retail, telecom, manufacturing and more.

Key findings of the report:
  • One third of respondents see more than 500 suspicious emails weekly.

  • Yet, only 26% of surveyed IT executives have a dedicated inbox for suspicious emails.

  • 100% of respondents have layers of security solutions in place to help them combat email and phishing threats.

  • Two thirds of surveyed IT executives have dealt with a security incident originating with a deceptive email.

  • 90% worry most about email-related threats: spear phishing, phishing in general or whaling.

  • Half of respondents say their biggest challenge is too many threats and too few responders.

  • 43% of respondents say their phishing response ranged from "totally ineffective" to "mediocre."

  • 80% of surveyed IT execs plan to upgrade their phishing prevention and response.
This is excellent ammo to get (more) IT Security budget. Press Release:
Don’t Miss the October Live Demo... What Is the New Mystery Feature?

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

We have added a brand new feature that you want to see!

Join us this Wednesday, October 11, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform. See the latest features and how easy it is to train and phish your users:
  • NEW For the first time, see our Smart Groups feature, where you can use each employee’s behavior and user attributes to tailor and automate your phishing, training and reporting.

  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!

  • Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.

  • Access to the world's largest library of awareness training content through our innovative Module Store.

  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.

  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 13,000+ organizations have mobilized end-users as their last line of defense. Register Now:
How Did the Ukraine Become a Hotbed of Criminal Hacking?

The New York Times came out with a great backgrounder on why the Ukraine is such a hotbed for cyber criminals like Gennadi Kapkanov, 33, a Russian-born Ukrainian hacker, the man suspected of leading a gang accused of stealing more than 100 million dollars.

He was arrested Nov 30 in Poltava, Ukraine, but the following day Kapkanov had been set free and immediately disappeared. Whether Kapkanov’s flight was the result of corruption, incompetence or a mix of the two has not been clearly established.

This incident illustrates the hacking mess in Ukraine. The five most important points, along with a link to the NYT article with much more detail, are in the full story at the KnowBe4 Blog:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"Choose a job you love, and you will never have to work a day in your life." - Confucius

"America was not built on fear. America was built on courage, on imagination and an unbeatable determination to do the job at hand." - Harry S Truman

Thanks for reading CyberheistNews
Security News
Find out How Vulnerable Your Network Is Against 3 NEW Ransomware Scenarios

We’ve added three new test scenarios to our Ransomware Simulator "RanSim", giving you a quick look at the effectiveness of your existing network protection against these additional nasty ransomware strains that are in the wild:
  • CitroniVariant - A specific scenario designed to simulate the distinct file encryption activity of Critroni/CTB ransomware.
  • Collaborator - An advanced scenario that spawns multiple processes to carry out encryption routines.
  • VirlockVariant - One of the more complex scenarios, designed to simulate a Virlock variant that uses watchdog processes to restart its encryption processes whenever they are stopped.
RanSim will now simulate a total of 13 ransomware infection scenarios and show you if a workstation is vulnerable to infection. Here's how RanSim works:
  • 100% harmless simulation of a real ransomware infection
  • Does not use any of your own files
  • Tests 13 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros. Download Your Complimentary Copy of RanSim Now:
New Report: 7 In 10 Employees Lack the Awareness Needed to Prevent Common Cyber Incidents

Seven in 10 employees lack the awareness to stop preventable cybersecurity incidents, according to the second-annual State of Privacy and Security Awareness Report, released by our colleagues at MediaPro.

For the second year in a row, the average survey respondent achieved a "Novice" score, showing they are dangerously close to one wrong decision or mistake leading to a security or privacy incident.

MediaPro once again surveyed more than 1,000 employees across the U.S. to quantify the state of privacy and security awareness in 2017. Respondents were asked a variety of questions based on real-world scenarios, such as correctly identifying personal information, logging on to public Wi-Fi networks, and spotting phishing emails.

Based on the percentage of privacy- and security-aware behaviors correctly identified, survey takers were assigned to one of three risk profiles: Risk, Novice, and Hero. Last year's Report found that nearly nine in 10 employees lacked awareness to stop preventable cyberthreats. While 2017's report has shown improvement, the numbers still reflect the concerted effort needed to increase employee awareness.

Notable findings for this year's report include:
  • Nearly 20 percent of respondents scored low enough to warrant a "Risk" profile, up from 16 percent in 2016, by exhibiting behaviors that put their organizations at serious risk for a privacy or security incident.

  • 30 percent of respondents were given a "Hero" profile, up from 19 percent in 2016. This is encouraging, as it indicates an improved knowledge of security and privacy best practices.

  • 19 percent of respondents chose to take risky actions related to working remotely, such as connecting their work computer to an unsecured public Wi-Fi hotspot.

  • 12 percent of respondents failed to recognize common signs of malware when presented with real-life examples, such as a sluggish computer or anti-virus software unexpectedly switching off.

  • 24 percent of employees surveyed took potentially risky actions when presented with scenarios related to organizational physical security, such as letting strangers in without identification.

  • 20 percent of employees showed a lack of awareness related to safe social media posting, choosing risky actions such as posting on their personal social media accounts about a yet-to-be-released product of their employer.
I think all can agree with MediaPro that training end-users is urgently needed. Link to Press Release with more detail:
How a Productive IT Department Improves Data Security In the UK

Have you thought seriously about the ramifications a data security breach could have for a business? Such an event damages reputations, can be extremely costly and usually causes stress for employees and affected stakeholders.

Here is an interesting article on how an IT team that’s working at or near peak productivity actively shields itself from incidents related to compromised content.

Businesses often view employees as huge assets. However, they could also pose substantial data security risks. A survey conducted by HANDD, a global security firm, polled more than 300 IT professionals in the United Kingdom and found 21 percent considered employees a formidable challenge to data security.

Bearing that in mind, a security-savvy IT department instructs employees on do’s and don’ts related to keeping data safe. Many people may not even realize their actions are risky, so training is a great way to clarify:
  • IT Thoroughly Trains Employees
  • IT Stays on Top of Current Threats
  • IT Remains Highly Efficient
  • IT Observes Employee Work Habits and Responds Accordingly
  • IT Ensures Employees Truly Understand Their Roles in Minimizing Problems
Here is the full article with a link to more resources:
Multi-Stage Spear Phishing – Bait, Hook and Catch

Cybercriminals are now taking an “enterprise” approach. Similar to B2B enterprise sales, they go after a smaller number of targets, with the goal of extracting a much greater payload with highly personalized attacks.

Spear phishing, the highly targeted attack that leverages impersonation of an employee or a popular web service, has been on the rise, and according to the FBI, these attacks have proven to be extremely lucrative for cybercriminals.

The latest iteration in social engineering involves multiple steps. The sophisticated cybercriminals don’t try to target company executives with a fake wire fraud out of the blue. Instead, they first infiltrate the organization, and then use reconnaissance and wait for the opportune time to trick their targets by launching an attack from a compromised mailbox.

Step 1: Infiltration

Most phishing efforts are easy for individuals that receive cyber security training (executives, IT people) to sniff out because they contain weird addresses, bold requests, or misspelled words that raise red flags. However, we are seeing a rapid increase in personalized attacks that are exceedingly difficult to spot, especially for people who lack security awareness.

If you take a look at the example message shown in the full article, the message itself doesn’t appear to be suspicious. It seems to be coming from Microsoft to alert you that they need to reactivate your Office 365 email account. The full article with the rest of the steps is warmly recommended:
When Phishing Starts From the Inside

Interesting post from Trend Micro. "A growing concern of security pros is internal phishing attacks – phishing emails sent from one trusted user to another of the same organization. Internal phishing emails are used in multi-stage attacks in which an email account is owned either by controlling the user’s device with previously installed malware or by compromising the account credentials of the user.

"Internal phishing emails are used in both targeted attacks, where the aim is to steal information or commit extortion, and common with Business Email Compromise (BEC) schemes designed to steal money. Because the sender is an internal and trusted user, the recipient is more likely to take action on the email.

"A first step in reducing internal phishing attacks is to implement multi-factor authentication (MFA) to reduce the risk of an attacker gaining control of stolen account credentials. But even with MFA enabled, internal phishing attacks can occur if a user’s device is compromised with malware.

"What many people don’t realize is that email gateway security solutions, which scan inbound and outbound SMTP email traffic, don’t see internal email.

"To scan internal email, you can use either a journaling-based solution or a solution which integrates with your mail service or mail server. The best solutions can look for all types of email threats by scanning email content, attachments, and URLs." More:
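The visibility gap Trend Micro describes is easy to see in code: a perimeter SMTP gateway only ever handles mail that crosses the organization boundary, so a message from one internal mailbox to another never passes through it, while a journaling or API-integrated scanner receives a copy of every message. The following is an added example written for this newsletter, not code from Trend Micro or KnowBe4; the organization domain, the link allowlist and the sample messages are constructed, and the content checks are deliberately simple stand-ins for what a real scanner does.

```python
"""Model of the gateway vs. journaling visibility gap for internal phishing.

Added example, not Trend Micro's or KnowBe4's code. ORG_DOMAIN, the link
allowlist and the sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ORG_DOMAIN = "example.com"                                 # constructed
TRUSTED_LINK_DOMAINS = {"example.com", "sharepoint.com"}   # constructed allowlist
RISKY_EXT = (".exe", ".js", ".hta", ".vbs", ".scr", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def direction(msg: Message) -> str:
    """Classify a message relative to ORG_DOMAIN: internal, outbound, inbound or external."""
    sender_internal = domain_of(msg.sender) == ORG_DOMAIN
    all_rcpt_internal = all(domain_of(r) == ORG_DOMAIN for r in msg.recipients)
    any_rcpt_internal = any(domain_of(r) == ORG_DOMAIN for r in msg.recipients)
    if sender_internal and all_rcpt_internal:
        return "internal"
    if sender_internal:
        return "outbound"
    if any_rcpt_internal:
        return "inbound"
    return "external"


def content_findings(msg: Message) -> List[str]:
    """Toy content checks: links to hosts outside the allowlist, risky attachment types."""
    findings = []
    for host in URL_RE.findall(msg.body):
        host = host.lower().split(":")[0]          # drop an explicit port
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)
        if not trusted:
            findings.append(f"link to untrusted host {host}")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
    return findings


def gateway_scan(msg: Message) -> Optional[List[str]]:
    """Perimeter SMTP gateway: inspects only mail that crosses the boundary.

    Returns None for internal mail, which never reaches the gateway at all.
    """
    if direction(msg) == "internal":
        return None
    return content_findings(msg)


def journal_scan(msg: Message) -> List[str]:
    """Journaling / mail-server-integrated scanner: sees a copy of every message."""
    return content_findings(msg)


# Constructed sample: a lure sent from a compromised internal mailbox.
INTERNAL_PHISH = Message(
    sender="alice@example.com",
    recipients=["bob@example.com"],
    subject="Updated invoice - please review",
    body="Hi Bob, the invoice is at https://login-example-com.attacker.invalid/doc",
)

# Constructed sample: the same lure arriving from outside the organization.
INBOUND_PHISH = Message(
    sender="accounts@supplier.invalid",
    recipients=["bob@example.com"],
    subject="Updated invoice - please review",
    body="Please open https://login-example-com.attacker.invalid/doc",
    attachments=["invoice.docm"],
)

# Constructed sample: a benign internal message with an allowlisted link.
INTERNAL_CLEAN = Message(
    sender="alice@example.com",
    recipients=["bob@example.com"],
    subject="Q3 deck",
    body="Slides are on https://team.sharepoint.com/sites/q3",
)


def compare(msg: Message) -> dict:
    """Show what each scanner would report for one message."""
    return {"direction": direction(msg),
            "gateway": gateway_scan(msg),
            "journal": journal_scan(msg)}


if __name__ == "__main__":
    for m in (INTERNAL_PHISH, INBOUND_PHISH, INTERNAL_CLEAN):
        print(m.subject, "->", compare(m))
```

The point to take from the output is that `gateway_scan` returns `None` for the internal lure, not an empty list: the gateway did not clear the message, it simply never saw it, which is why the same check has to run somewhere that receives internal mail (journaling or a mail-server integration) before the recipient's trust in a colleague's address does the attacker's work for them.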
Interesting News Items This Week

The biggest data breaches and hacks of all time:

Mass-Scale Ransomware Attacks Providing Hackers the Ability to Earn Quick Money:

Ransomware is the top threat facing computer users as Interpol reveals massive 2017 cybercrime 'epidemic':

The Challenge of Training AI to Detect Unique Threats: How a missing smiley foiled a 70,000 dollar email fraud:

KnockKnock campaign targets Office 365 corporate email accounts:

Brazilian banking trojan uses legit VMware binary to bypass security:

Phishing attacks attacking more businesses than ever:

Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense:

Bulletproof hosts stay online by operating out of disputed backwaters:

Interview with ‘catch me if you can’ scam artist Frank Abagnale has a warning for today’s consumers: trash your checkbook, it's fraud waiting to happen:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
