Tag Archive for: Victims

MOVEit hack: BBC, BA and Boots among cyber attack victims



The BBC, British Airways, Boots and Aer Lingus are among a growing number of organisations affected by a mass hack. Staff have been warned personal data including national insurance numbers and in …


Security experts are using malware’s own code to protect potential victims


Hacking the hackers: Gootloader is a long-running cyber-criminal operation based on an “initial access-as-a-service” model: the gang behind the malware infects organizations. Then it sells access to “customers” looking for an entry point to go deeper into the victim’s network. To successfully thwart the operation, researchers fought fire with fire.

The Gootloader malware originated from the Gootkit banking trojan, which has been active against European targets since 2010. The malicious operation allows third-party criminals to put their malware (especially ransomware) into a compromised network. The gang behind it has been particularly successful over the past several years.

Security researchers at eSentire have tracked recent Gootloader activities and are now explaining how it works and what’s needed to fight it. The Gootloader operation uses SEO poisoning techniques, luring potential victims to an “enormous array” of compromised WordPress blogs.

The operation is tailored to exploit victims more inclined to pay a ransom to get their data back. The blogs are populated with bait content, including links to malicious documents, templates, and other generic forms. When the target clicks these links, they unintentionally infect Windows with the main Gootloader malware.

Gootloader’s most common victims are professionals working for law firms and corporate legal departments. The analysts explain that bad actors use blog posts about legal agreements and contracts to lure people in those positions into downloading their malicious code. Legal professionals have essentially been the primary target of the Gootloader gang for the past 15 months, with 12 different organizations targeted between January and March 2023.

The eSentire researchers created a specialized web crawler to keep track of Gootloader-related web pages and previously infected sites. They found around 178,000 live Gootloader pages and another 100,000+ previously infected sites. The researchers collected evidence that links Gootloader to the infamous Russian REvil gang, which regularly partnered with the malware’s network between 2019 and 2020 to infect, encrypt, and scam compromised organizations.


RSAC speaker offers ransomware victims unconventional advice


An RSA Conference speaker argued that despite the stigma associated with paying ransomware gangs, it’s sometimes better to negotiate with terrorists.

In his session at the 2023 RSA Conference on Monday, Brandon Clark, CEO of Triton Tech Consulting in Denver, proposed a ransomware response process that works to squeeze out emotive instincts that are often tangled in the decision-making.

“It is absolutely critical that you do take as much of the emotion out of this as possible by looking at some of this ahead of time,” said Clark during the session, titled “Negotiating with Terrorists: The High Stakes Game of Ransomware Response.”

Clark suggested that ransomware victims often make detrimental decisions based upon emotional and moral instincts. He prefaced his response plan with a reference to the 1973 hostage crisis at the Saudi Arabian Embassy.

In that incident, three Western diplomats among 10 others were taken hostage at the embassy by the Black September group. Former President Richard Nixon refused to negotiate with the terrorists and publicly announced the U.S. would not pay the demanded ransom. The terrorists later killed the Western hostages while the remaining hostages were released and returned to their home in Sudan, which had negotiated with the group.

Clark related this piece of history to the life-threatening events that follow a ransomware attack on a hospital or an air traffic controller or other critical infrastructure targets. He stated that the aversion to negotiating with terrorists was a polarizing mindset, “entrenched in our mental framework,” that has induced poor decision-making.

“If I’m not able to understand a patient’s history, if I can’t see what they’re allergic to and they’re given medication that sends them into anaphylactic shock, I would argue that’s probably worse and more evil than me paying $50,000 to get our systems back and running,” said Clark.

There’s also a financial component to the equation. Clark used the 2018 ransomware attack on the city of Atlanta as “a great example of what not to do,” because the city government refused to pay a $50,000 ransom and ended up paying more than $3 million in remediation and recovery costs.

“It doesn’t…


38% of organizations hit with ransomware in 2022 were repeat victims


Highlights:

  • Barracuda international survey finds 73% of organizations experienced a successful ransomware attack in 2022 — 38% were hit more than once.

  • 42% of those hit three times or more paid the ransom to restore encrypted data — compared to 31% of victims hit just once.

  • 69% of ransomware attacks began with an email.

  • 27% of organizations feel underprepared to tackle ransomware.

CAMPBELL, Calif., March 28, 2023 /PRNewswire/ — Barracuda Networks, Inc., a trusted partner and leading provider of cloud-first security solutions, today published its 2023 Ransomware Insights report, which shows that 73% of the organizations surveyed report being hit with at least one successful ransomware attack in 2022 — and 38% say they were hit twice or more. The organizations that were hit multiple times were more likely to say they’d paid the ransom — 42% of those hit three times or more paid the ransom to restore encrypted data, compared to 31% of victims of a single attack. They were also less likely to use a data backup system to help them recover.

Barracuda Logo. (PRNewsFoto/Barracuda Networks, Inc.)

The survey, conducted by independent research firm Vanson Bourne and commissioned by Barracuda, questioned IT professionals from frontline to the most senior roles at companies with 100 to 2,500 employees, across a range of industries in the U.S. and EMEA and APAC countries.

There were significant variations in the industries targeted by ransomware. For example, 98% of consumer services and 85% of energy, oil/gas, and utility organizations experienced at least one ransomware attack. The energy, oil/gas, and utility industry was also the most likely, at 53%, to report two or more successful ransomware incidents.

The findings show that for 69% of organizations, the ransomware attack started with a malicious email, such as a phishing email designed to steal credentials that would allow the attackers to breach the network. Web applications and traffic are in second place and represent an area of growing risk as part of an ever-expanding threat surface.

Organizations with cyber insurance were more likely to be affected by ransomware — 77% of organizations with cyber insurance were…
