Tag Archives: cyber criminals

ransomware

Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.

In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.

Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.

That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.

Upcoming webinar: Navigating Identity Theft: How to Educate and Protect Your Employees and Clients

Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.

Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.

Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.

Fewer are immune to attack

Ransom32 is the first ransomware tool written entirely in Javascript. That makes it easily portable to other platforms like Linux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer
Kowsik Guruswamy, Menlo Security chief technology officer 

 

Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser that is sandboxed to prevent access to the file system and other local resources, Ransom32 also is designed to have unfettered access to the system.

“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”

Related video: A case for making software more resistant from the start

Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.

The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.

DIY kit for bad guys

Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.

“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”

Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says.

Going forward, expect to see the emergence of tools like Ransom32 and trends like ransomware-as-a-service pose a bigger threat for businesses, especially the small and medium ones, which generally don’t have the same resources that large companies have to defend themselves.

Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.

SMBs have limited defenses

“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”

One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interface to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.

Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.

There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.

“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”

This article was written by Third Certainty’s Jaikumar Vijayan.

Cloud Apps Routinely Expose Sensitive Data

An alarming number of cloud-based apps used by enterprise employees don’t encrypt data at rest or require two-factor authentication.

And an astounding number of employees are still uploading highly sensitive data to the cloud and sharing files on unsecured platforms, according to the Cloud Adoption Risk Report Q4 2014 from cloud security vendor Skyhigh Networks.

Security & Privacy News Roundup: Stay abreast of key developments on cybersecurity and online privacy topics

The recent breach of 80 million records at health insurer Anthem was an example of how cloud services that don’t encrypt data leave personal records exposed to savvy cybercriminals.

The Q4 report was based on usage data from 15 million employees at 350 companies worldwide. It found that the average company used 897 cloud services in the fourth quarter of 2014, up from 626 the year before.

Data at Risk

While the number of cloud providers that have invested in key security features more than doubled last year, still only 11% encrypt “data at rest” — inactive files stored in data bases. Only 17% have multifactor authentication.

“In light of the recent breaches, that’s alarming,” says Kamal Shah, Skyhigh’s vice president of products and marketing.

“The Anthem breach is a great example of how, if you’re not careful, cloud services can be used to exfiltrate data out of the organization,” he says.

More than a third of users uploaded at least one file with sensitive information to a file-sharing cloud service, Skyhigh found. Some of that information included customer Social Security numbers (SSN), date of birth, credit card or bank account numbers and personal health records.

Skyhigh also found that 22% of files uploaded to cloud-based file sharing apps had sensitive or confidential information. At the same time, 11% of documents were shared outside the enterprise, and 18% through third-party email services like Gmail, Yahoo and Hotmail, which don’t encrypt data at rest.

File-Sharing Exposure

The growing trend in file sharing is driven by the limitations of email, Shah says. Besides having size constraints as files get larger, email is a static environment.

“File-sharing is much more active — a living, breathing space,” he says.

Less surprising in the study was the number of compromised identities — especially given the record number of breaches and vulnerabilities in 2014. Skyhigh found that 92% of companies have compromised credentials, with 12% of users affected, on average, at each company.

“A lot of people use the same passwords for their work life as they do for their personal life, and when they’re compromised, those credentials can be used to steal corporate data,” Shah says.

The trends driving the rapid cloud adoption are driven by legitimate business needs, Shah notes. Which means the old way of doing business — by simply restricting app usage — no longer works for IT managers.

“Shadow IT is not bad because employees are using these cloud services for the right reasons,” he says. “The old way of blocking services is no longer effective.”

What that means for IT administrators is the need to educate their employees about the risks of apps that are not enterprise-ready, he says. (Skyhigh’s definition of enterprise-ready includes cloud services that rank one to three on a scale to 10 based on attributes like encryption, two-factor authentication, legal condition of service and so on.)

Despite all the breaches, the use of cloud adoption will continue to accelerate rapidly, Shah says.

“For enterprises, there’s urgency to take action before it’s too late,” he says. “If you don’t act now, the problem will get bigger and bigger.”

This article was written for ThirdCertainty by Rodika Tollefson.

Stunning Patterns Found in the Dark Net

One of the most powerful technologies for spying on cyber criminals lurking in the Dark Net comes from a St. Louis-based startup, Norse Corp.

Founded in 2010 by its chief technology officer, Tommy Stiansen, Norse has assembled a global network, called IPViking, composed of sensors that appear on the Internet as vulnerable computing devices. These “honeypots” appear to be everything from routers and servers, to laptops and mobile devices, to Internet-connected web cams, office equipment and medical devices.

When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker’s IP address and begins an intensive counterintelligence routine. The IP address is fed into web crawlers that scour Dark Net bulletin boards and chat rooms for snippets of discussions tied to that IP address.

Analysts correlate the findings, and then IPViking displays the results on a global map revealing the attacking organization’s name and Internet address, the target’s city and service being attacked and the most popular target countries and origin countries.

Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird’s-eye view of the inner recesses of the Dark Net. The result was IPViking, which now has millions of honeypots dispersed through 167 data centers in 47 countries.

Norse recently completed a major upgrade to IPViking, which has led to some stunning findings. Stiansen explains:

Tommy Stiansen - NorseCorp

3C: Can you tell us about your most recent milestone?

Stiansen: We have managed to do a tenfold (increase) to where we can now apply millions of rules in our appliance.

3C: So more rules allow you to do what?

Stiansen: It allows us to have a lot more threat data and apply a lot more intelligence to a customer’s traffic. We can start applying more dynamic data. Our end goal is to apply full counterintelligence onto traffic. Meaning when we see a traffic flow coming through our appliance we will be able to see the street address, the domain, the email address used to register this domain. We can see who a packet is going to, and the relationship between the sender and receiver, all kinds of counterintelligence behind actual traffic, not just for blocking but for visualization.

3C: That level of detail was not available earlier?

Stiansen: Nope. This is something we’ve pioneered. This is our platform that we built so we can enable this (detailed view) to actually happen.

3C: So what have you discovered?

Stiansen: We’re learning that traffic and attacks coming out of China isn’t really China. It’s actually other nations using China’s infrastructure to do the attacks. It’s not just one country, it’s the top 10 cyber countries out there using other countries’ infrastructure.

3C: So is China getting a bad rap?

Stiansen: Correct.

3C: Who’s responsible? Russia? The U.S.? North Korea?

Stiansen: Everyone.

3C: What else are you seeing?

Stiansen: We’re also seeing how hackers from certain communities are joining together more and more. The hacking world is becoming smaller and smaller. Iranian hackers are working with Turkish hackers. Pakistani and Indian hackers, they’re working together. Indonesia hackers and Iranian hackers are working together.

3C: Odd combinations.

Stiansen: It’s weird to see these mixes because there’s no affiliation, there’s no friendship between the countries on a state level. But the hacker groups are combining together. The borders between hackers have been lifted.

3C: What’s driving them to partner, is it money or ideology?

Stiansen: All of the above. That’s the thing, the people who have similar ideologies find each other on social media and start communicating with each other. And the people with the financial means and shared goals meet each other, that’s the evolution. And when they do that, they become really powerful.

A Case For Cyber Insurance

The Need Is There

There were more than 26 million new strains of malware released into circulation in 2011, the last year with solid data on malware. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records.  The Ponemon Group whose Cost of Data Breach Study is widely followed every year indicated a total cost per record of $194 in 2011, an increase of over 40% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent.  NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability” forum the results of their analysis of 153 data or privacy breach claims paid by insurance between 2006 and 2011.  On average, the study said, payouts on claims made in the first five years total $3.7 million per breach.

And, attacks simply don’t target large companies. According to Symantec’s 2010  SMB Protection report (again the last report with good data on SME), small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Seemingly, not a week goes by without a reference to cyber risk hitting the mainstream press. Recently, a cyber attack was successfully launched against ATMs in 27 countries withdrawing over $40 million in over 30,000 transactions in less than 10 hours.  The New York Times recently reported that universities are facing a rising barrage of cyberattacks, mostly from China.1   And last year saw a number of denial of service attacks against financial institutions brought by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against the U.S. infrastructure.

All This Has Prompted Insurers To Enter The Market (And Make A Nice Profit To Boot)

Cyber-insurance began in earnest in 2000 when American International Group’s AIG eBusiness Risk Solutions unit launched AIG netAdvantage. Starting from scratch, premium jumped to over $100 million by the time the unit was merged into larger subsidiaries of AIG, just four years after its creation. AIG eBusiness was extremely profitable with estimates of loss ratio in the extremely low double digits.

Fast forwarding to today, the cyber-insurance market, according to the 2012 Betterley Report is “in the $1 billion range” in terms of premium (up from $800 million in the 2011 report) with close to 40 insurance carriers providing a standalone insurance policy.  Premium continues to increase with most carriers, accordingly to Betterley, reporting increases from 25% to 100% year over year.  Hard profit figures are difficult to come by; however, strong anecdotal evidence suggests that this line of insurance continues to be highly profitable.  Third party litigation continues to be slow to develop outside the privacy arena and first party claim losses, outside of breach funds, is non-existent.

From an underwriting point of view, some attention should be paid to theft of personal identifiable information (PII), especially with respect to first party costs associated with forensics and customer notification costs.  However, there are established methods to manage this risk successfully for the underwriter.  Indeed, in a widely followed report, Verizon reports that 90% of all breaches can be prevented with proper risk management guidelines.   Of course, like any other portfolio of business, care must be taken with respect to avoidance of catastrophic exposure, adverse selection and moral hazard.  There are underwriting guidelines and processes that can be developed to manage these exposures.

Yet The Market Still Has Plenty Of Room To Grow

Despite the increased attention to cyber incidents, most reports indicate only a minority of companies currently purchase cyber-insurance.  According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy. A risk area with a high level of concern but little purchase of insurance? That’s an insurance carrier’s dream

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber is covered under their general corporate liability.

Regardless of the reason, with respect to foreign corporations whose securities are traded on U.S. exchanges, a recent “Guidance” report2 published by the U.S. Securities and Exchange Commission on October 13, 2011 is likely to increase sales.  The report begins simply enough:

For a number of years, registrants (companies who register their securities with the SEC) have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity has also increased … As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

The “guidance” report goes on to specify five “suggested” disclosures that may be “appropriate” to companies trading with securities registered with the SEC.  The fifth suggestion is the one that caught the eye of the insurance industry.  It reads simply:

Description of relevant insurance coverage.

This is the first time that I am aware that the SEC included insurance in one of their guidance reports.  The SEC tends to start investigations 18-24 months after issuing a guidance report. It is difficult to imagine how a general counsel would be able to meet this disclosure without an investigation, at least, of specific cyber insurance.  This is especially true given that over the course of the last few years, general liability underwriters have continued to tighten up any language in a general liability policy to a point where an insured would be foolish to even think the policy applies to cyber risks.3

Thus, it is then perhaps not surprising that the Betterley 2012 market report stated “we think this (cyber) market has nowhere to go but up.”  Although, they quickly qualified,  “as long as carriers can still write at a profit.”

And With A Private-Public Partnership There Is Even More Potential

Unlike many other countries, 80% or more of the critical infrastructure of the United States is in private hands.  As we have seen in the last year, cyber attacks are increasingly being brought by companies associated with hostile nation states.  Cyber-terrorism – even cyber-war – is close at hand and, in some minds, is already here.  The insurance industry can and should play a vital role in providing private sector incentives to foster increased network security in the critical infrastructure.  However, the insurance industry cannot do this alone.  The answer lies in a private-public partnership between the insurance industry and the federal government.  Productive discussions are already underway between the Department of Homeland Security and the insurance industry with specific proposals to safeguard and enhance our country’s security being reviewed.

For more details on the need for this public-private partnerships, and what is going on to bring it about, stayed turned for our next article.

1 Universities Face a Rising Barrage of Cyberattacks

2 Cybersecurity

3 While from time to time, this is tested by insureds (see Sony vs. Zurich), almost all commentators have admitted that the “die is cast.”

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks simply don't target large companies. According to Symantec's 2010 SMB Protection report, small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willy Sutton once infamously remarked that he robs bank because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willy Sutton was alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financials Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and has resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

Otherwise known as a distributed denial of service attack, US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial situations only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012 the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars. According to the computer security firm, McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” already has infected hundreds of computers of unwitting American customers in preparation to steal that bank account data.

Of course not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its initial beginning in 2000. Starting with what was the brainchild of AIG and Lloyds of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps, it is for this reason, cyber premium rates are flat to down 5% according to industry reports in the market where rates in property-casualty are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated “we think this market has nowhere to go but up” Although, they quickly qualified, “as long as carriers can still write at a profit.”