It’s boomtime for ransomware and the cybercriminals making easy profits using this virulent strain of malware. The ransomware epidemic will not come as a surprise to the NHS, who recently had thousands of computers frozen by the WannaCry virus.

What can we learn from the spread of ransomware around the world? And what can organisations do to resist the onslaught of attacks?

A ransomware infection often starts with spam. Hackers use social engineering to nudge users into saving attachments or clicking links that look genuine. Emails may appear to be a request from the CEO, a parking fine notification, or a penalty notice from HMRC. Users are often scared into action, believing that something bad will happen if they don’t act quickly. But not all infected computers are the result of user error. In the case of the NHS and WannaCry, hackers exploited a known vulnerability in Microsoft Windows to gain entry into unpatched systems.

A popular exploit kit used by cybercriminals, called Angler, allows for drive-by downloads, in which malware is downloaded automatically when a user visits an infected site. The download happens in the background, without the user’s knowledge. These kinds of technologies are not just the preserve of expert hackers or international criminal gangs; anyone with criminal intent can access ransomware-as-a-service offerings on the underground Tor network, making cyber-crime as easy as setting up a website.

This demonstrates how unsophisticated some hackers are. These are rarely master criminals; they are often just chancers who recognise an opportunity for making easy money. And because web technologies allow ransomware to be deployed and utilised remotely, with money collected using anonymous crypto-currencies like Bitcoin, there is the lure of consequence-free crime. Why risk jail time for the takings in a petrol station when you can work from home and watch your Bitcoin wallet slowly fill? Of course, some of these perpetrators are caught and tried; there is no such thing as the perfect crime.

The ease of use of these tools might be one reason for their proliferation, and may explain why ransomware is on the rise. Security software company Sophos detected thousands of new pages booby-trapped with Angler every day in May 2015. And in their annual security survey, SonicWall reports that ransomware attacks increased by 167x year-on-year and that ransomware was “the payload of choice for malicious email campaigns and exploit kits”.

The rapid rise of ransomware does pose new threats for organisations, but many of the treatments are familiar. Organisations must start with fully patched and up-to-date software and systems. Every uninstalled update is a potential backdoor for an opportunist cyber-crook.

Security systems must also be in place to limit the spread of any infections that take place, and to alert administrators to their existence before they do lasting harm. Backups provide protection against encrypted files and frozen machines. Training is the best way to ensure employees understand the evolving risks. And given the high stakes of IT security, this training should be regularly refreshed so all staff understand the vital role they play in digital defence.

On 12 May, hundreds of NHS employees turned on their computers, only to be greeted by a message stating that their files had been encrypted and could only be unlocked by paying $600. Their computers had succumbed to WannaCry, a particularly vicious type of virus known as ransomware. The message that now dominated the screen could only be removed by transferring $600 worth of Bitcoin to a given address. Instructions for obtaining Bitcoin were also provided.

Forty-eight NHS organisations were affected by this cyber-attack, leading to cancelled appointments, operations and more. Patients were asked to stay home because staff did not have the means to receive or treat them. The NHS was held to ransom by unseen forces.

WannaCry and the threat to computers

The WannaCry software might be dangerous, but the spread of ransomware is usually checked because it requires people to download a dodgy attachment or click a suspicious link. Such a virus typically spreads slowly, gradually, in fits and starts. What happened on 12 May was very different. The doctors, nurses, surgeons and administrators who found their machines frozen that day may not have been to blame for the virus overtaking their machines. WannaCry had found its way to their desktops through a backdoor that exists in older Microsoft Windows machines.

Remarkably, this backdoor is alleged to have been developed – and utilised – by America’s National Security Agency (NSA). This vulnerability, known as EternalBlue, was stolen from the NSA by a group of Russian hackers called ShadowBrokers and then shared online. EternalBlue was used to inject WannaCry onto a huge number of machines in a synchronised attack. Infected machines were then used to spread the ransomware onto other networked machines.

In a story with many startling elements, perhaps one of the most shocking parts is the fact that Microsoft had released a patch to close this vulnerability in March. The only computers affected by this attack were those that had not been updated. In the case of the NHS, it seems that the government chose not to renew a multimillion-pound security package which would have protected against this threat. This meant that the NHS attack also became a political issue in the middle of a general election.

The WannaCry attack was only halted by an intrepid IT security consultant who noticed that the malware was trying to connect to a non-existent web domain. Marcus Hutchins immediately registered the address, an act which killed the virus and meant that hundreds of NHS organisations could get back to work.

While the usual advice on digital security is to raise awareness among staff, the WannaCry incident is a good reminder that employee training will only protect your organisation if your technology is up-to-date. Effective digital security must be holistic, protecting against a wide range of evolving threats with a mixture of training, processes, hardware, software and company culture.

How VinciWorks can help

Our vast and expanding cyber security training suite prepares users for all cyber risks. It includes hours of training, hundreds of micro-learning modules and topics from social media to IT security. These courses and micro-learning units can easily be configured into a multi-year training plan.

How certain are you that your employees understand the risks posed by their use of the Internet? And do you trust that your employees know how to minimise risks – and what to do when they discover a threat?

We all rely on the Internet and email for marketing, communications and essential business operations – but how often do we step back and assess the risks?

Evolving risks

Hackers and fraudsters are constantly looking for vulnerabilities. Businesses are regularly assailed by financially-motivated agents, as well as state-funded hackers in search of intellectual property and the disruption of commercial activity.

The threat from within

In recent years, organisations have discovered that digital security and processes are not enough to prevent hacks, malware and data loss, because even the most robust systems can be swiftly neutered by an untrained (or disgruntled) employee. This has brought a renewed focus on employee training and the need to defend against internal threats. So, what can your organisation do to help employees use the Internet and email securely?

Assess your technology risks

Before you consider what kind of training your employees require, you must evaluate the potential threats to your business. For example, you might have a database of customer data, precious intellectual property or product designs, vital systems, online resources or costly digital infrastructure. Does your business have any compliance requirements? Are these being met – and protected? Once you have identified the threats, you can devise a strategy for mitigating and managing risks.

Security policy

Does your organisation have an up-to-date security policy? It’s important that your employees read the policy and understand everything it covers, such as:

  • Safe IT usage
  • Acceptable software
  • BYOD – can employees use their own devices?
  • Data protection and sharing
  • Removable media – can employees use USB drives and other media?
  • Password practices
  • Dealing with suspicious emails and content
  • Keeping backups
  • Digital vigilance and reporting

Training is clearly a core component of modern digital security. Your employees represent a significant risk – whether intentional or accidental – and regular training is the best way to ensure that every individual recognises the threats and their role in preventing a security breach. Training should be mandatory and regularly refreshed to cope with the changing nature of digital security. Employee training programmes should form the core of a comprehensive security setup.

The Insider Threat Spotlight Report (2016) has a number of compelling findings for any organisation that produces, stores or transmits sensitive data. The survey of 500 cybersecurity professionals suggests that the threat of insider agents – both malicious and unintentional – is growing by the day.

The insider threat is doubly dangerous because insiders have the opportunity and the means to steal, corrupt and otherwise damage data and systems. Citibank learned this lesson the hard way, when Lennon Ray Brown, a disgruntled Citibank computer engineer, decided to take revenge for a disappointing performance review by erasing the configuration code in nine servers. His actions caused 90% of Citibank networks across the US to lose connectivity.

According to the Insider Threat report, “Seventy-four percent of organizations feel vulnerable to insider threats. However, less than half of all organizations (42 percent) have the appropriate controls in place to prevent an insider attack.”

Of course, preventing insider attacks is easier said than done. As Guy Bunker of Clearswift explained in an interview with Infosecurity, “The genie of company data is out of the bottle. In the old days company data sat on a server in the data center protected by access control and perimeter defenses. Now it’s everywhere.”

Employees expect freedom, autonomy and control. Employees want to bring their own devices to work and continue working when they get home. Employees unwittingly carry sensitive data onto trains, planes and taxis. The simple mistake of losing a smartphone becomes a potentially devastating act of corporate sabotage.

While the insider threat is difficult to manage, the potential financial penalties are highly motivating. “Over 75 percent of organizations estimate insider breach remediation costs could reach $500,000. Twenty-five percent believe the cost exceeds $500,000 and can reach in the millions.”

A recent data breach affecting French naval contractor DCNS has led the Indian government to shelve a planned order for three submarines, resulting in many millions in lost revenue.

So what can organisations do to reduce the risks that come from within? According to the survey, 62% of respondents think employee training – and greater awareness – is part of the solution. In fact, 72% of respondents are already offering training to employees on how to identify security risks.

Cyber criminals were able to hack a water treatment plant and gain access to not only the personal and financial records of up to 2.5 million customers, but the system that controls the levels of chemicals used to treat drinking water.

Cyber security firm Verizon Security Solutions reported that the hackers may have changed the chemical levels of the tap water provided by the unnamed water plant (nicknamed Kemuri Water Company (KWC) in the report) up to four times during the attack. The report suggested that the hackers may not have realised the extent to which they had infiltrated the plant’s system, or that they had never intended to commit any harm, as there is no evidence that the personal and financial records accessed were exposed or otherwise monetised. Fortunately, the water company was able to identify and reverse the alterations made to the chemical levels before the drinking water was affected, but the cyber-attack could easily have posed real danger to the community.

“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA (industrial control system / supervisory control and data acquisition) KWC and the local community could have suffered serious consequences,” Verizon’s report found.

Commenting on the report, Monzy Merza, Splunk’s director of cyber research and chief security evangelist, said that: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

Outdated operating systems vulnerable to attack

The breach happened because the water company had been using an operating system that was a decade old (some speculated it was Windows XP) and relied on a single IBM Application System server that was released in 1988. The hackers took advantage of vulnerabilities in the company’s web-accessible payments system, and because the payment system was on the same server as the water treatment facility’s operational technology, they were then able to access the water supply and metering water usage systems. The company’s vulnerability was further compounded by the fact that just one employee was able to deal with the archaic system.

“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice,” continued Merza. “Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”

It is vital that companies maintain up-to-date technology and follow robust cyber security best practices in order to avoid a potentially catastrophic cyber-attack.

About VinciWorks

Cyber-security starts with organisational culture. VinciWorks can raise cyber awareness in your organisation with eLearning courses including Information Security and Data Protection. Get in touch today and protect your business from cyber-crime.

To celebrate the release of two new cybersecurity Take 5 modules, Understanding Social Engineering and Phishing Awareness, we help you determine your company’s social engineering risk level.

Cybercrime is big business. Hacked or leaked datasets go for £1000s on the dark web’s black markets, and that’s just those containing names and email addresses. A recent McAfee report shows that more sensitive records – with addresses, passwords, national insurance numbers, bank or credit card details – are sold for upwards of £25 each.

This makes your business data a potentially lucrative target for cybercriminals – and with fines for data breaches soaring lately, you simply can’t ignore cybercrime risks.

When you think of cybersecurity, the first things that come to mind are probably hardware and software, and while it’s true that hackers would be quick to exploit any vulnerability found there, they have a far higher hit rate when focusing on exploiting people through social engineering.

Wondering if your organisation is at risk? Ask yourself the following questions to determine how well versed on social engineering your employees are…

Q: Would your employees download software, plug in USB sticks or insert DVDs without confirming they’re from a trustworthy source?

If yes, they’re at risk of baiting, a technique hackers use to trick people into downloading malware, which can then capture confidential information.

Q: Would employees verify their identities by providing sensitive information such as password, date of birth or national insurance number over email, text or telephone in order to fix an urgent issue?

If yes, they’re at risk of phishing, which involves hackers using official-seeming communications to attempt to gain confidential information.

Q: Would employees question a communication that was personally directed to them and included details like their address, phone number or date of birth to back up its authenticity?

If yes, they’re at risk of spear phishing, a technique which targets individuals or organisations with tailored communications including personal information, often obtained via other social engineering techniques, in order to seem more trustworthy.

Q: Would employees challenge someone phoning them up from the bank, payroll, HR or the government and asking them to update their records?

If not, they’re at risk of pretexting, which is what it’s called when hackers pretend to be someone else in order to obtain information they can use to steal people’s identities.

Q: Would they try and fix their computer themselves if they received an error message telling them of issues with it?

If yes, they’re at risk of scareware, which displays an alert telling users they need to download software to fix issues. While there aren’t any issues to begin with, there certainly are once the ‘fix’ is downloaded.

Social engineering poses multiple risks, and hackers are always coming up with new techniques. To prevent your employees becoming victims, you need to increase awareness and create an alert, vigilant culture. Follow these steps to protect your business from social engineering:

    1. Install and regularly update antivirus software
    2. Install, configure and regularly update a firewall
    3. Make sure employees read all emails carefully before responding, especially those containing links or attachments
    4. Train employees to identify when a link is pointing to a different website to the one it should do
    5. Ensure employees don’t click links or open attachments until they have confirmed they are safe
    6. Encourage employees to use search engines to access web links, rather than clicking them directly in emails
    7. Train employees to recognise falsified email addresses and verify emails by contacting the sender via their switchboard
    8. Make sure employees never give out financial or sensitive information over the phone
    9. Encourage them to ignore all requests for financial help or requests claiming they can help them financially
    10. Discourage them from sending sensitive information electronically without a secure connection, to a known person, using encryption where possible.

Following these steps will reduce the risk that social engineering poses to your organisation, as well as your employees.
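Steps 4 and 7 above (spotting a link whose visible text points to a different site than its target, and spotting a From header whose display name claims a different address from the real sender) can be checked automatically on incoming mail. The following Python script is an added example, not part of the original article or any VinciWorks product; the HTML body and From header it inspects are constructed samples, and the domain names in them are made up.

```python
"""Flag two phishing indicators from the checklist: anchor text that shows one
domain while the href points elsewhere, and a From display name that contains
an address on a different domain from the real sender. Sample mail is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed sample message body and header (not from a real campaign).
SAMPLE_HTML = """
<p>Your parking fine is overdue. Pay at
<a href="http://pay-fines.example.net/login">https://www.gov.uk/pay-parking-fine</a>
or view your <a href="https://www.gov.uk/parking-fines">account</a>.</p>
"""
SAMPLE_FROM = '"hmrc@hmrc.gov.uk" <noreply@mailer-example.biz>'

# Does a piece of visible link text itself look like a URL or bare hostname?
URLISH = re.compile(r"^(https?://|www\.)\S+$|^[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-case host of a URL; bare text such as 'www.gov.uk/x' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return links whose visible text is URL-like but names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if URLISH.match(text) and host_of(text) != host_of(href):
            flagged.append({"shown": host_of(text), "actual": host_of(href)})
    return flagged


def spoofed_display_name(from_header: str):
    """Return (claimed_domain, actual_domain) when the display name embeds an
    address whose domain differs from the real sender's domain, else None."""
    name, addr = parseaddr(from_header)
    if "@" in name and "@" in addr:
        claimed = name.rsplit("@", 1)[1].strip().lower()
        actual = addr.rsplit("@", 1)[1].lower()
        if claimed != actual:
            return claimed, actual
    return None


if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))
    print(spoofed_display_name(SAMPLE_FROM))
```

Plain-text link labels such as “account” are deliberately not flagged, since only a label that itself reads as a URL can mislead a reader about the destination.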

DeltaNet

We now offer two new Take 5 micro-learning modules to protect your business from social engineering. Understanding Social Engineering provides awareness of the various techniques which put your organisation’s information at risk. Phishing Awareness goes into more detail about the various tactics hackers use to attempt to access confidential information that could be used to steal employees’ identities and compromise your data. Both modules feature an end-of-module assessment to test learners’ knowledge, and can be completed in just five minutes.

When we think of hacking, we tend to imagine global banks being attacked to the tune of billions – but according to a study by cyber security firm Symantec, companies with fewer than 250 employees now account for a third of all cyber attacks. Small businesses are often woefully underprepared when it comes to cyber security – and this puts them in the crosshairs.

Small businesses are attractive targets for cybercriminals because they usually lack the cybersecurity precautions of larger organisations. The consequences of these attacks can be extremely costly, from lost productivity to company reputation.

This is why, according to Toni Allen, UK head of client propositions at the British Standards Institute, “SMEs are now being pinpointed by digital attackers.”

A cyber attack can wreak havoc on a small company’s finances: a UK government survey reported that for small and medium-sized businesses the average cost of the worst breach is between £75,000 and £310,800. Furthermore, when the EU’s new General Data Protection Regulation comes into force in 2018, allowing security breaches to compromise customer data could result in companies being fined 4% of their annual turnover, up to €20m.

Finances may recover in time, but the damage to a brand’s reputation for dependability and customer security may well be irreparable. It is vital that small businesses take steps to prevent such attacks from happening.

“Burying your head in the sand may save money in the short term,” Alex Fenton, a digital business expert and lecturer at Salford University told The Guardian, “but the cost of hacking could range from minor inconvenience, reputation damage, loss of customer data, fines and ultimately company closure.”

Instituting a secure password policy (never the same password for more than one account, use at least three random words) and ensuring that your cyber security software is business-grade and up to date are simple steps that could protect you.

However, the most essential step towards cyber-security is staff training. Many hacks come about because of vulnerability created by simple human error: the wrong link clicked in an email, some malware hidden in innocuous-seeming MP3 software. Educating all staff to practise good digital hygiene could mean the survival of your business.

“You don’t want your first breach to be a learning exercise,” security expert Lawrence Pingree says. “Your brand, even your company, may not survive to learn from those lessons.”

How can VinciWorks help?

VinciWorks’ online cyber security training helps businesses remain secure against ever-evolving cyber threats. Courses available range from digestible, five-minute Take 5 micro-learning modules to in-depth, detailed eLearning courses covering multiple topics within a subject area.