Tag Archive for: Ryuk

Ryuk ransomware recovery cost us $8.1m and counting, says Baltimore school authority • The Register


An organisation whose network was infected by Ryuk ransomware has spent $8.1m over seven months recovering from it – and that’s still not the end of it, according to US news reports.

The sum, spent by Baltimore County Public Schools, will doubtless raise some eyebrows and the public breakdown of the costs will be eye-opening for the infosec industry and potential corporate ransomware victims alike.

A spreadsheet obtained by Fox 45 News Baltimore, a TV station, revealed the $8.1m spending and also broke it down into individual line items.

Of the full sum, $2m alone was spent on “ERP cloud transition and recovery” with provider CGI. A Dell (VMware) Carbon Black cloud-based endpoint security licence for one year of Windows protection came in at $699,298, while $606,648 was spent on device monitoring and tracking.

Just $2m of the $8m spend was covered by insurance, the spreadsheet showed, also noting $11,500 in ransomware negotiation costs. There was no line item explaining whether a ransom was paid or if so, how much it was.

As we reported when it first happened, the BCPS network was infected by Ryuk ransomware in November last year. 115,000 children were unable to access remote classes (being held online due to the pandemic) and were cut off from school for a week while administrators rebuilt critical systems.

The attention of news outlets moved on after a few days (possibly a result of BCPS’ $50,000 spend with FTI Consulting on PR advice), but the enduring tech and financial damage is still being felt months later.

Infosec firm Sophos said in April that the average cost of getting over a ransomware attack is $2m, a sum that “has more than doubled in a year”. Last year French-headquartered IT outsourcer Sopra Steria said a Ryuk attack was set to cost it between 40 and 50 million euros after “a previously…

Source…

Amazon faces prospect of EU fine over data privacy. School data breach. A look at Ryuk.


At a glance.

  • Amazon’s European privacy issue.
  • School district data exposed.
  • A look at the Ryuk ransomware operation.

Amazon potentially faces largest GDPR fine ever.

The EU has drafted a decision to fine Amazon $425 million (roughly 2% of the tech giant’s 2020 net income) for violation of the General Data Protection Regulation (GDPR), the Wall Street Journal reports. The CNPD, Luxembourg’s privacy commission and Amazon’s lead EU privacy regulator (Amazon’s EU headquarters are located in the Grand Duchy), has proposed the sanction for alleged data collection and handling violations. If approved by the EU’s other privacy authorities, this would be the largest fine since the GDPR came into force in 2018. Though the details of Amazon’s offenses have not been disclosed, the size of the fine signals a shift in the EU toward taking tech companies to task over their data privacy practices.

Ireland, which oversees privacy regulations for Facebook, Google, and Apple, also plans to draft decisions for several privacy cases this year.

US school district data exposed in cyberattack.

Union Community School District in the US state of Iowa has disclosed that an intruder gained unauthorized access to its computer systems in April, the Courier reports. The attack temporarily disrupted the district’s servers, and the subsequent investigation found the intruder had accessed school data. “Those documents are currently under review, and the District is committed to providing additional information to the community as quickly as possible,” Superintendent Travis Fleshner explained.

The relentless menace of Ryuk.

The Wall Street Journal offers a profile of the infamous Ryuk ransomware gang, responsible for numerous recent cyberattacks that crippled US medical institutions. The world’s most active ransomware group, Ryuk was tied to a third of the 203 million ransomware attacks in the US last year and raked in at least $100 million in ransom payouts. While some threat groups have avoided targeting vulnerable institutions like hospitals, especially during the pandemic, Ryuk has attacked more than two hundred thirty healthcare providers (lucrative targets due to their dependence on…

Source…

Ryuk ransomware operation updates hacking techniques


Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.

The trend observed in attacks this year reveals a predilection towards targeting hosts with remote desktop connections exposed on the public internet.

Furthermore, using targeted phishing emails to deliver the malware continues to be a favored initial infection vector for the threat actor.

New trend for initial infection

Security researchers from the threat intelligence boutique Advanced Intelligence (AdvIntel) observed that Ryuk ransomware attacks this year relied more often on compromising exposed RDP connections to gain an initial foothold on a target network.

The actors have been running “large-scale brute force and password spraying attacks against exposed RDP hosts” to compromise user credentials.

Another vector for initial compromise was spear phishing and the use of the BazaCall campaign to distribute malware through malicious call centers that targeted corporate users and directed them to weaponized Excel documents.

AdvIntel researchers say that the Ryuk attackers ran reconnaissance on the victim in two stages. The first stage identifies the valuable resources on the compromised domain (network shares, users, Active Directory organizational units).

The second stage aims to find information on the company’s revenue, so that the ransom can be set at an amount the victim can afford to pay to recover its systems.

To enumerate Active Directory information, Ryuk ransomware operators rely on the tried and tested AdFind (an AD query tool) and on BloodHound, a post-exploitation tool that maps relationships in an Active Directory (AD) domain to find attack paths.

Getting financial details about the victim relies on open-source data. AdvIntel says that the actors search on services like ZoomInfo for information about the company’s recent mergers and acquisitions and other details that can increase the profitability of the attack.

Additional reconnaissance is carried out using the Cobalt Strike post-exploitation tool, which has become standard in most ransomware operations, and scans that reveal security products like antivirus…

Source…

Security News in Review: Ryuk Ransomware Develops Self-Replication Capabilities


News in Review 2021-03-06

In this week’s edition of our roundup of cybersecurity news, you’ll find reporting on a new trend of ransomware gangs turning to virtual machines, several high-severity vulnerabilities in the Linux kernel being resolved, and some new capabilities in the Ryuk ransomware.

Read on for the latest Security News in Review, and let us know if we missed anything.

Ransomware hackers turn to virtual machine software to boost extortion schemes — Ransomware gangs have started to evolve their attack strategies from writing malware directly for Microsoft Windows machines to targeting the hypervisor that manages virtual machines. This is shown by recent code designed to affect the ESXi hypervisor software, with the goal of infecting the hypervisor and propagating the malware to the virtual machines it runs.

Ryuk ransomware develops worm-like capabilities, France warns — According to an analysis from the French National Agency for the Security of Information Systems, the Ryuk ransomware has developed worm-like self-replicating capabilities. From a functional perspective, this means that the ransomware can propagate without human interaction. The addition of new capabilities to Ryuk will be of special interest to the healthcare sector, where Ryuk was responsible for 75% of attacks.


High severity Linux network security holes found, fixed — A set of five critical vulnerabilities in the Linux kernel’s virtual socket implementation were found and fixed recently. The vulnerabilities were introduced with Linux’s virtual socket multi-transport support, which is typically used to facilitate communication between virtual machines and their host.

Microsoft Releases Out-of-Band Security Patches for Exchange Server — Microsoft released several out-of-band patches for multiple zero-day flaws that are actively being exploited in the wild. Organizations running Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 products should apply these patches right away. The patches relate to the on-premises versions of Exchange Server, and not to Exchange Online.

Google Chrome update fixes another worrying security flaw — Google released Chrome version 89 recently to patch a…

Source…