This Week in Ransomware: New Mexico, Portugal, Hospitality Chain, More
In one attack, hackers sent a fake news alert about the Portugal president's removal from office.
The cities of Albuquerque, Los Ranchos and Tijeras, New Mexico, were shut down Wednesday by a ransomware attack. Officials in Bernalillo County disclosed the attack, saying they had taken affected systems offline and severed network connections.
Most county buildings had to shut down, and employees are working remotely to try to maintain services during the system outage. However, because employees can’t access the public databases, there is little they can do for now. The name and type of the ransomware used in the attack are unknown.
Sam Jones is vice president of product management at Stellar Cyber.
“Ransomware is getting easier and easier to orchestrate as an attacker,” he said. “Operational downtime to critical public services will be the gravest byproduct of these attacks, especially as they become more rampant. State and local governments are unfortunately perfect targets for attackers.”
Garret Grajek is CEO of YouAttest.
“No company, county or organization is too obscure or too off the beaten path for the attackers,” he said. “To the hackers, the sites are simply targets of opportunity. The automatic scanning they are doing is looking for vulnerabilities — regardless of where the target will eventually end up. The Palo Alto Networks Cortex Xpanse team has researched the scanning and has shown the hackers are scanning within 15 minutes of a known vulnerability, where most companies are not patching and updating for 12 hours. The solution is a proactive approach to security such as zero-trust networks and active identity governance — knowing who has what and triggering on identity changes.”
Impresa, which owns the largest television station and newspaper in Portugal, suffered a ransomware attack just after New Year’s Day. The suspected ransomware gang behind the attack goes by the name Lapsus$.
The attack included Impresa-owned Expresso newspaper and television station SIC.
According to a Jan. 5 Expresso article: “This attack has seriously hampered the mission of our media and, as it is limiting our ability to inform, results in a serious attack on press freedom. It has required from all the group’s professionals an extraordinary effort to try to overcome the technical difficulties imposed.”
In addition, the hackers sent a fake news alert about the Portugal president’s removal from office.
Jake Williams is co-founder and CTO at BreachQuest.
“The Portugal media attack is from a relatively new and relatively inexperienced ransomware gang called Lapsus$,” he said. “The group used public shaming tactics on Twitter to continue to embarrass the company even after they restore services. This was characterized by some as demonstrating that the organization still had access to the victim network, but in reality it’s more likely that the victim simply had not yet reset the passwords for all external accounts, including social media.”
Dave Pasirstein is chief product officer and head of engineering at TruU.
“Ransomware is not going away,” he said. “It’s a lucrative business that is nearly impossible to protect all risk vectors. However, it is made easy by enterprises failing to take enough precautionary steps. Those steps must include zero-trust approaches, active patching, endpoint and email protection, employee culture/training/testing, and very strong authentication such as modern multifactor authentication (MFA), ideally a passwordless MFA that is not based on shared-secrets and thus, cannot easily be bypassed by a server compromise.”
Pacific Northwest hospitality chain McMenamins confirmed internal employee data dating back to January 1998 was compromised in a ransomware attack it blocked Dec. 12.
Stolen data potentially included: names, addresses, telephone numbers, email addresses, dates of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security numbers, health insurance plan elections, income amounts and retirement contribution amounts. The attackers also may have accessed files containing direct deposit bank account information as well, but McMenamins does not have a clear indication they did so.
The company said no customer payment data was impacted. It’s cooperating with the FBI and working with a cybersecurity firm to identify the source and full scope of the attack, as well as implement security enhancements.
John Bambenek is principal threat hunter at Netenrich.
“Ransomware operators continued to operate over our holidays attacking organizations large and small,” he said. “These attacks show no one is safe from their reach and that newer groups are starting to form to get into the space. These breaches will continue until governments solve the fundamental problem, that if you live in certain parts of the world, you can attack others without fear of consequences.”
Photography company Shutterfly was the victim of a Conti ransomware attack, according to Check Point Research’s latest threat intelligence bulletin.
Some 4,000 devices were encrypted, as well as 120 VMware ESXi servers. The stolen data includes legal agreements, bank account information, login credentials, spreadsheets and customer credit card information.
Matthew Warner is CTO and co-founder at Blumira, a provider of automated threat detection and response technology.
“The double extortion tactic that Conti used in the Shutterfly attack is happening with many ransomware groups today,” he said. “It’s not a good situation to be in when the attackers have taken all of your data and everything is encrypted. A better conversation to have is, ‘they’ve encrypted all of our data and they want money to decrypt it.’ If you don’t have visibility into that data, then your attack is likely to not be covered by cyber insurance, either. The natural evolution of holding data for ransom is to continue that into blackmailing for data exposure. This is one of the main reasons that paying the bounty is almost never a good idea and should be avoided at all costs. Organizations have no way to know that data won’t be exposed after paying. Expecting integrity from criminals is a dangerous game.”
It’s extremely important that organizations focus on detecting the first three steps of a ransomware attack, Warner said. Those are discovery, gaining a foothold and escalating privileges.
“Detection, in addition to being aware as to what data you hold, will allow you to quickly respond to attacks and worst case be sure of post-exploitation handling of a ransomware event,” he said.
Vietnamese crypto trading platform Onus was hit with a ransomware attack leveraging the Log4j flaw on its payment system, according to Check Point Research’s latest threat intelligence bulletin.
Cybercriminals demanded a $5 million ransom in a double extortion scheme, it said. Onus refused to pay, so the threat actors published for sale records of 2 million Onus customers.
Last month, researchers discovered a zero-day exploit in Log4j, the popular Java logging library. Logging a specially crafted string results in remote code execution (RCE). Since then, additional attack vectors have been discovered.
Yaniv Bar-Dayan is CEO and co-founder at Vulcan Cyber.
“The integrated IT security industry is not very good at effectively mitigating known vulnerabilities, and Apache vulnerabilities are no exception,” he said. “As an industry, we need to get better at sufficient mitigation of known vulnerabilities or we will see more of what we saw with the SolarWinds exploit, but with the new vulnerability of the day used instead. We need to do much better as cybersecurity pros to identify the vulnerabilities that matter to our businesses and organizations by assessing and prioritizing associated risk. Then we need to take control and orchestrate the mitigation effort while measuring our ability to drive cyber hygiene and attain acceptable levels of risk.”
Jim Gogolinski is vice president of research and intelligence at iboss. He said ransomware will continue to get more sophisticated and ransoms will keep increasing. He also predicts more class-action lawsuits will emerge against companies that are breached.
Every nation is jockeying for power and as a result upping their game when it comes to advanced persistent threats (APTs), he said. Cyber mercenary organizations will continue to grow in prominence as they often conduct APT attacks on behalf of nations, to give the nation-states a degree of deniability.
This week in ransomware, cybercriminals unleashed a fresh onslaught of attacks targeting a wide variety of organizations.
The increasing volume of ransomware attacks has prompted our new feature, this week in ransomware. We’ll list the latest attacks along with commentary from cybersecurity experts.
Bitglass, a Forcepoint company, on Thursday announced findings from its 2021 Malware and Ransomware Report. It shows ransomware has become the No. 1 priority on the minds of IT and security leaders, and they expect the cyber threat to get worse. Compounding this problem is that IT and security teams are still trying to figure out how to deal with the rapidly proliferating ransomware threat.
The report, a joint venture with Cybersecurity Insiders, surveyed hundreds of cybersecurity professionals across numerous industries.
Ransomware a Growing Threat
According to the findings, 75% of respondents believe malware and ransomware will be a larger cyber threat to their organization in the next 12 months. As a result, organizations are tackling the malware and ransomware problem head on with increased spending (50%) and changing IT security strategies (40%).
Further insights from the report include:

- Sixty-eight percent said they would not pay the ransom to recover data affected by a ransomware attack.
- Lack of budget (50%), evolving and sophisticated attacks (49%) and the growing proliferation of threats (36%) are obstacles IT security teams now face.
- Cybercriminals continue to use classic social engineering techniques to get their ransomware into an organization. Those include phishing emails (61%), email attachments (47%) and users visiting malicious websites (39%).
Holger Schulze is founder of Cybersecurity Insiders.
“With high-profile malware and ransomware attacks capturing recent headlines, organizations have elevated this problem to a top priority,” he said. “However, our research shows that IT and security teams face an uphill battle as they continue to struggle to figure out how to effectively deal with the looming ransomware threat.”