CyberheistNews Vol 8 #23 [Heads-Up] Ransomware Insurance Expert: "Bad Guys Do More Damage Than They Used To."


The ransomware plague is not letting up and rapidly getting more technically sophisticated. New strains are popping up every month, using innovative methods to spread. Worse, the ransom demands themselves are skyrocketing at the same time.

This week, cyber insurance experts reported incidents with ludicrous 1 million dollar extortion attempts after attackers were able to encrypt some very important data. The fact that the criminals felt able to demand a king's ransom is telling.

Global data recovery firm Proven Data provides ransomware assistance, data recovery and digital forensic services to companies worldwide. It works with insurers, brokers and individual companies to minimize downtime after cyber incidents and restore business functionality as quickly as possible.

Victor Congionti, CEO of Proven Data, told Insurance Business: “Ransomware is only going to become more sophisticated; we expect hackers to start using machine learning and artificial intelligence to develop ransomware variants that evade anti-virus with ease.”

Linda Hamilton, client operation manager at Proven Data said: “In the past, hackers used to prefer RDP brute-force attacks where they would enter a system, locate back-ups, encrypt with a variant of ransomware and then leave. The attacks were relatively simple and straightforward.”

They’re generally doing a lot more damage than they used to

Hamilton continued: “That’s not the case anymore. We’re seeing more and more hackers moving laterally within systems. They’re getting smarter, turning off anti-virus systems, and creating domain controller accounts to gain complete access to systems. They’re generally doing a lot more damage than they used to.”
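Hamilton's description of attackers creating domain-level admin accounts points at something a defender can watch for directly in the domain controller's Security log: a user account being created (Event ID 4720) and then added to a privileged group (Event ID 4728, member added to a security-enabled global group) within a short window. The script below is an added example, not code from the newsletter or from Proven Data; the event records are constructed for illustration, and the JSON field names are an assumption modelled on how Security log exports name those fields.

```python
"""Flag the 'create an account, then make it a domain admin' pattern in
Windows Security events 4720 (user account created) and 4728 (member
added to a security-enabled global group).

Added example; the sample events are constructed, not a real capture,
and the field names (EventID, TimeCreated, TargetUserName, MemberName,
SubjectUserName) are assumed to follow a Security log export.
"""
import json
from datetime import datetime, timedelta

# Groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events as newline-delimited JSON. For 4728 events the
# Security log puts the group name in TargetUserName and the new member's
# distinguished name in MemberName.
SAMPLE_LOG = """
{"EventID": 4720, "TimeCreated": "2018-06-05T02:14:07", "TargetUserName": "svc-backup2", "SubjectUserName": "jsmith", "Computer": "DC01"}
{"EventID": 4728, "TimeCreated": "2018-06-05T02:14:41", "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins", "SubjectUserName": "jsmith", "Computer": "DC01"}
{"EventID": 4720, "TimeCreated": "2018-06-05T09:02:10", "TargetUserName": "newhire.amy", "SubjectUserName": "hr-provisioning", "Computer": "DC01"}
{"EventID": 4728, "TimeCreated": "2018-06-05T09:03:30", "MemberName": "CN=newhire.amy,CN=Users,DC=corp,DC=example", "TargetUserName": "Sales", "SubjectUserName": "hr-provisioning", "Computer": "DC01"}
{"EventID": 4728, "TimeCreated": "2018-06-05T11:45:00", "MemberName": "CN=admin.bob,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins", "SubjectUserName": "admin.carol", "Computer": "DC01"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def member_account(member_dn):
    """Reduce 'CN=svc-backup2,CN=Users,...' to the bare account name."""
    first = member_dn.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first


def find_fast_privilege_grants(events, window=timedelta(hours=1)):
    """Return (account, group, seconds_since_creation, creator) for every
    account that lands in a privileged group within `window` of being created."""
    created = {}  # account name -> (creation time, creating principal)
    alerts = []
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = (ev["TimeCreated"], ev["SubjectUserName"])
        elif ev["EventID"] == 4728 and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            acct = member_account(ev["MemberName"])
            if acct in created:
                t0, creator = created[acct]
                delta = ev["TimeCreated"] - t0
                if timedelta(0) <= delta <= window:
                    alerts.append((acct, ev["TargetUserName"], int(delta.total_seconds()), creator))
    return alerts


def privileged_group_additions(events):
    """Every addition to a privileged group, for review regardless of account age."""
    return [(member_account(e["MemberName"]), e["TargetUserName"], e["SubjectUserName"])
            for e in events
            if e["EventID"] == 4728 and e["TargetUserName"] in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_fast_privilege_grants(evs):
        print("ALERT  new account %s added to %s %ds after creation by %s" % a)
    for g in privileged_group_additions(evs):
        print("REVIEW %s added to %s by %s" % g)
```

On the constructed sample, the script raises one alert (svc-backup2, promoted to Domain Admins 34 seconds after creation) and lists two privileged-group additions for review; the legitimate new hire added to Sales produces neither. In a real environment the same logic belongs in the SIEM, fed by the domain controllers, and the one-hour window should be tuned to how provisioning normally happens.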

Cyber criminals are also getting smarter in specifically targeting who to extort. Manufacturers, hospitals, government agencies and schools are particularly susceptible to an attack, especially if they hold sensitive personal information that hackers can exploit to demand more money.

Targeting larger organizations, demanding higher ransom fees

“Hackers are targeting larger organizations because they’re able to demand a higher ransom fee,” said Mark Congionti, Proven Data's president of operations. “They’re also tending to target countries where they think they can extort more money, so places like the US, the UK and Canada where there are higher costs of living, higher wages and so on.”

A British enterprise stared at a million pound ransom demand

The source for the tale is Graeme Newman of CFC Underwriting, whose company traces its roots back two decades and is proud to have pioneered cyber-insurance years before the first weapons-grade strain of ransomware, CryptoLocker, had even been invented.

CFC says it has recently started seeing ransom demands for £100K and £200K from clients, part of an uptick in claims connected to targeted extortion as well as that other big scam, CEO fraud, also known as Business Email Compromise (BEC).

"This is the largest ransom demand we have seen to date in the UK and follows a current trend of increasingly targeted extortion demands, with increasingly large amounts demanded," says Newman.

The role of cyber-insurance: should they pay the ransom?

For small and medium organizations, Newman said, "cyber-insurance is a short cut to help at a time of crisis." With a cyber-insurance provider involved, "they'll have a lawyer on hand, a forensics company, a notification provider, a PR consultancy, and an incident-response manager who can manage the whole project end to end. It's peace of mind of having somewhere to turn to."

However, if an organization's backups turn out to fail, paying the ransom is the insurer's preferred option because it's cheaper—consider just the downtime alone—than restoring all systems manually.

A potentially unintended consequence: becoming a target

It's a pessimistic analysis: having a ransomware extortion insurance policy might make an organization more likely to be targeted. Cyber criminals would attack and try to figure out if their mark is covered for extortion, so in a network-wide infection where all machines are locked at the same time, an insurer might pay quickly.

High-risk targets in that case would be the insurance companies themselves, their brokers, and the employees in Legal, Accounting and C-level positions who would know about cyber security insurance policies. Allied Market Research predicts that the sector will grow into a 14 billion dollar global market by 2022.

The most effective way to protect your network against ransomware infections

Here are the three ways most organizations fend off ransomware attacks:
  • Weapons-grade backups, ideally hourly snapshots that are easy to roll back.
  • Religious patching of both the OS and all third-party apps.
  • New-school security awareness training with frequent phishing tests.

Cyber risk managers worldwide agree that people are the weak link when it comes to an organization's exposure to malware, and hackers use social engineering tactics to exploit the people problem.

Stepping all employees through new-school security awareness training is an absolute must "piece of the defense-in-depth puzzle" to protect your network.

Users become your last line of defense and your essential, additional security layer: an effective human firewall.

Blog post with links and ransomware defense whitepaper:

[Live Webinar] Fear the Machine: How Criminals Are Using Artificial Intelligence to Social Engineer Your Users

A new survey by Webroot shows that 86% of security professionals worry that artificial intelligence (AI) and machine learning (ML) technology could be used against them. That worry is well founded.

If we look at history, we are quickly reminded that all progress comes with unintended consequences. And, while there is a lot of societal good that can come from AI and ML, we also need to understand and prepare for the misuse and abuse of such technologies.

Join Stu Sjouwerman, KnowBe4’s founder and CEO, and Perry Carpenter, Chief Evangelist and Strategy Officer, for Fear the Machine: How Criminals are Using Artificial Intelligence to Social Engineer Your Users. We will take a fascinating dive into the shadowy world of how AI and ML are being weaponized today and what the next wave(s) of weaponization will likely look like.

This webinar will cover:
  • Cyber crimes using Artificial Intelligence and Machine Learning
  • The next wave of weaponization
  • How to protect your organization with a Human Firewall
Date/Time: Wednesday, June 20th at 2:00 PM ET. Register Now!

Hacking Humans—A New Cyberwire Podcast Covering Social Engineering Launched This Week

Cyberwire announced: "Each week the CyberWire’s Hacking Humans podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that make headlines and take a heavy toll on organizations around the world.

We talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two).

We also hear from people targeted by social engineering attacks and learn from their experiences. Trust us: check out the first episode and subscribe today."

Yahoo! Spearphisher Baratov Gets 5 Years

A Russian government conspiracy that resulted in compromising 500 million, if not all, Yahoo! accounts has landed a twenty-three-year-old Canadian man born in Kazakhstan a five-year prison term.

Karim Baratov pleaded guilty to spear phishing web mail accounts belonging to eighty “individuals of interest” to Russian intelligence, the FSB. Once he was in possession of passwords, Baratov sent them to a co-conspirator in exchange for cash.

Baratov also allegedly hacked 11,000 webmail accounts prior to his March 2017 arrest. While Baratov was not directly responsible for the massive Yahoo breach, his co-conspirators and his fellow hacker, Alexsey Belan, were.

The persons Baratov helped the FSB monitor included Russian and US officials and journalists. FBI special agent John Bennett noted the unprecedented nature of a foreign government using “hackers-for-hire” to launch a massive cyberattack.

Bennett said the sentence handed down served as an example that the FBI is committed to prosecuting cyber actors in spite of their efforts to conceal their identities. The FBI has often invited organizations to get to know their local Bureau Field Office. It's good advice. Stay close to them and don't hesitate to contact the Special Agents when you think you've been the victim of cybercrime.

The Bureau is committed, it says, to treating victims of phishing and other social engineering scams as crime victims. They are interested in helping you with your case; however, if the damage is less than a million dollars, they do not have the resources to do much. Infosecurity Magazine has the story:

Don’t Miss the June Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, June 6, 2018, at 2:00 p.m. (ET) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users.

  • [NEW] Delegated Permissions, now part of the Security Roles feature, allow you to create custom admin roles for Target Groups in your organization.
  • Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting, with great ROI.

Find out how 18,000+ organizations have mobilized their end-users as their last line of defense.

Register Now

What's Getting Through Your Mail Filters? Find out for a Chance to Win!

Spoofed domains, malicious attachments and executables to name a few... With email still the #1 attack vector, do you know if hackers can get through your mail filters?

KnowBe4 can help you find out if this is the case with our free Mailserver Security Assessment test. Plus, you'll be entered for a chance to win an awesome GoPro Hero5 with Karma Grip!

Find out now if your mailserver is configured correctly; many are not!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"I look only to the good qualities of men. Not being faultless myself, I won’t presume to probe into the faults of others." - Mahatma Gandhi

"The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails."
- William Arthur Ward

Thanks for reading CyberheistNews

Security News

Pretexting Human Resources

If the human is often an organization's weakest link, it seems reasonable that Human Resources should be a very weak chain indeed. Criminals have recognized that HR departments are high-value targets. Not only do they hold a great deal of valuable information, but the nature of their work requires them to interact with many people, known and unknown, and often to do so by email.

If any unit in an organization is likely to open an attachment received by email, it's probably HR, with Recruiting coming in a close second.

HR departments also deal with a number of odd and imperfectly predictable matters: personal problems, complaints, requests for help, and so on. Criminals have found that "pretexting"—a social engineering technique in which a scammer creates a bogus situation an organization must deal with—can be a particularly successful approach to an HR department.

Verizon has found that pretexting rose by more than 400% over the past year. Part of the answer is crafting HR policies in the light of the threat of social engineering—consider, for example, the security implications of the channels you create to provide employees help.

A bigger part of the answer lies in creating a security culture in your organization, one in which keeping the organization and its employees safe is seen as enabling and not punitive. New-school interactive training in the latest social engineering techniques and approaches can help build that culture. TechHQ has the story:

Bank Robbery While-U-Wait

A bank in the UK, TSB, has had issues changing over to a new IT platform. That is putting it mildly; the upgrade has been a dumpster fire.

This has produced higher than usual rates of attempted fraud and cybercrime against its customers. ActionFraud, the UK police agency that deals with scams, notes that phishing attempts have increased tenfold since TSB began the unexpectedly difficult process of transitioning its customers' data to its new system.

Too much of the phishing has been successful. Customers have lost tens and even hundreds of thousands of pounds sterling after scammers induced them to give up their credentials in response to the persuasive social engineering of well-crafted fraudulent emails.

The bank is aware of this, and has been struggling to provide the kind of help its customers need during the transition. It has in particular established a helpline customers can phone into when they think someone's trying to steal from them.

Everyone knows how being placed on hold can be frustrating. The holds at TSB seem to have been quite long. One customer, Ben Alford of Weymouth, sat waiting, and looking at his account while doing so, for four hours. He was calling because he'd discovered that someone had taken out a loan in his name.

As he waited on hold to report the bogus but successful loan application, he witnessed in real time two separate unauthorized withdrawals from his account. The withdrawals totaled £9,000.

Alford wasn't the victim of phishing, although many other customers were. Instead, he suffered a successful SIM-swap scam: someone impersonated him to his mobile carrier and convinced them to transfer his phone number to a SIM card they controlled.

A SIM swap can in some cases give scammers access to the victim's banking codes or allow them to compromise two-factor authentication.

There are several lessons here, apart from the obvious ones about being wary of phishing attempts. First, recognize that IT transitions are periods of elevated risk, and take steps to minimize those risks. Second, if you're a mobile carrier, develop policies to help reduce the prospect of SIM swaps.

Train your employees to recognize that particular form of social engineering. And finally, if you set up a voice hotline for customers to report security issues, you've got to resource it adequately. Fraudsters won't be as easy to place on hold as a worried customer.

Addressing these issues through policy, resources, and training will also save your organization money. It's worth noting that TSB is doing the right thing, and has said it will make good on losses for customers who were victimized as a result of the bank’s IT issues. But better not to be in that position. WeLiveSecurity has the story:

85% of Organizations Report They Could Not Survive for Longer Than Four Weeks Without Mission Critical IT Systems, Warns Databarracks

Six weeks after the TSB crisis, new research from business continuity and disaster recovery provider Databarracks has revealed that 85% of organizations say they would struggle to survive if there was a loss of mission critical IT systems for longer than a month.

This data was taken as part of its Data Health Check survey, which investigates views and opinions from over 400 IT decision-makers on a range of subjects relating to IT.

The findings illustrate the reliance organizations have on IT systems. Delivered effectively, technology streamlines processes, improves productivity and delivers cost savings across a business, but when systems are unavailable, major problems can ensue.

The TSB banking crisis was a testament to this, with an estimated 1.9 million customers unable to access their accounts following a poorly coordinated IT upgrade, provoking much scrutiny and backlash for the bank. Full story at:

Facebook Admits It Was Too Busy Dealing With Phishing Attacks to Protect Your Data

We’re months into a privacy scandal that already forced Facebook’s CEO Mark Zuckerberg to testify before lawmakers in the U.S. and Europe.

But even after all this time, there are still several important questions the social network hasn’t addressed. Fortunately, we got a few answers from the company’s COO Sheryl Sandberg on Tuesday at Recode’s annual Code Conference.

When asked how Facebook failed to protect users from Cambridge Analytica, Sandberg explained that the company was focused on other threats at the time. Citing the Sony Pictures hack of 2014, the exec claims Facebook didn’t have the same problems other companies did earlier in the decade.

As it focused its attention on more common attacks, like phishing scams, “we didn’t see coming a different kind of more insidious threat,” Sandberg said. Continued:

What KnowBe4 Customers Say

"Thank you very much for the follow up. I’m very happy with the product.

For reasons I didn’t expect.

When I first took the training myself, I thought it a little too simple and basic. That was until the deluge of congratulations on picking such a great training tool by participants and management.

Being in IT, I can sometimes forget the level of computer knowledge of those I serve. I trained my audience the same way I have been trained at boot camps; depth and breadth of knowledge in a short timeframe.

These bite sized morsels seem to do a better job than my emails, discussions and training classes.

What I am trying to say is that you know my employees better than I do and I am sold on your products and services.

The ability to then test those new skills makes selling KnowBe4 to management one of the easiest sales pitches I have ever made. Please pass on my thank you to the staff." - B.J., IT Manager

"I absolutely LOVE the KnowBe4 services! I’m especially a fan of the ASAP feature that has been instrumental in keeping me on track with implementation.

Since I’m a one-man IT dept, I get pulled in a million directions and it’s easy for projects to get started and then fall by the wayside as I get pulled away to other things.

ASAP has been a great resource for keeping things rolling as I implement our new Security Awareness Policy.

I’m also very happy to see the new HR training modules. I’m working with our HR Director to see if I can get her on board for us to add this to our KnowBe4 subscription." - W.S., Director of Information Technology

Here is an updated one-page PDF of the Training Content by Subscription Level. KnowBe4 has by now grown into the "Netflix" of security awareness training:

Check out all this content for yourself. No need to talk to anyone:

Interesting News Items This Week

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
