IT NEWS

2023 State of Malware Report: What the channel needs to know to stay ahead of threats

The channel, comprising managed service providers (MSPs), Systems Integrators (SIs), value-added resellers (VARs), and more, plays a vital role in providing cybersecurity for companies around the globe today. But as malware evolves and cyberattacks become more common, keeping up with the top threats to the channel can be difficult.

With a plethora of cyberthreats out there, which ones should channel partners focus on in 2023?

Malwarebytes addresses this question in the 2023 State of Malware Report, identifying the five most potentially damaging malware threats that MSPs, SIs, VARs, and their clients should prioritize.

Key channel threats in the 2023 State of Malware Report

One example of threats the channel should prepare for is the email-borne Emotet Trojan, a notorious threat that continues to plague businesses. The report also highlights the growing issue of ransomware attacks, 39% of which target service providers according to Kaseya’s 2022 MSP Benchmark Survey.

A particular focus is on the ransomware group LockBit, which was responsible for the majority of ransomware attacks in 2022. In February 2023 alone, the group published 126 victims on its leak page. LockBit affects companies of all sizes, from hospitals to small and large businesses.

Our report serves as a valuable resource for channel partners, helping them optimize defense strategies and take both proactive and reactive measures in the fight against the most damaging malware threats of the year. By using the insights from the report, the channel can better protect their own organizations as well as their customers’.

The role of channel partners in cybersecurity

The channel is pivotal in helping its clients adapt to the ever-changing threat landscape and avoid falling victim to devastating cyberattacks. As channel partners make their way into 2023, they can stay ahead of the curve by keeping these tips in mind:

  • Prioritize the top five malware threats identified in the Malwarebytes report and implement targeted defense strategies to protect clients against these risks.
  • Read our Threat Intelligence blog to keep informed about the latest cyberthreats, such as the activities of ransomware groups like LockBit, to ensure your clients are prepared for emerging risks.
  • Educate your clients about the evolving threat landscape and help them develop a culture of security awareness within their organizations.
  • Continuously evaluate and optimize your security offerings to ensure they meet the needs of your clients and protect against the latest threats.

Channel partners are uniquely positioned to guide companies through the complex cybersecurity landscape. As trusted advisors, they play a crucial role in educating businesses about the latest threats, providing tailored security solutions, and ensuring that their clients—and themselves—can continue to operate securely and efficiently. Read the full report below to learn more.

Get the full 2023 State of Malware report for the channel

Pre-ransomware notifications are paying off right off the bat

CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.

Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and has confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.

In order to develop the pre-ransomware notifications, CISA established the Joint Cyber Defense Collaborative (JCDC) to “unify cyber defenders from organizations worldwide”. The team proactively gathers, analyzes, and shares actionable cyber risk information.

The success of the operation relies on a few key factors:

  • Sharing intelligence by the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.
  • Getting that information to the victim organization and providing specific guidance about containing the threat.
  • The time cybercriminals take from the initial security breach to the full-fledged ransomware attack.

Basically, the more information organizations share about early-stage ransomware activity, the better the information the JCDC can provide. This information also helps keep lists like the Known Exploited Vulnerabilities catalog up to date and helps create ransomware vulnerability warnings, which inform organizations that a vulnerability used by ransomware threat actors is present on their network.

But how do pre-ransomware notifications work in real life?

Let’s take the fake IRS mail we reported about last week as an example. My colleagues found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. In reality, the attachment contains a malicious macro. Enabling the content of the attachment will result in Emotet being downloaded onto the system.

The JCDC can in turn share this information with potential victims: “Have you seen this mail? Did anyone open the attachment? Did they use the ‘Enable Content’ button? Here is what you can do to prevent your systems from getting encrypted. These are the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) you need to look for.” And this call-to-action can be pretty specific, because they know that any potential victims should be looking for Emotet.

For many non-profit organizations that can’t afford their own security team or an external Managed Detection and Response (MDR) service, this is very helpful and, as CISA concludes, has proven its usefulness. While the pre-ransomware notifications service is aimed at US organizations, JCDC works with international Computer Emergency Readiness Team (CERT) partners to enable a timely notification when it concerns a company outside the US.

The more information we share, the better the information JCDC can provide gets. Any organization or individual with information about early-stage ransomware activity is urged to contact Report@cisa.dhs.gov. If your organization is interested in participating in these collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-faqs or email cisa.jcdc@cisa.dhs.gov.

Every US ransomware incident should be reported to the US government. You can find information on reporting at stopransomware.gov.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Big changes to Twitter verification: How to spot a verified account

Twitter has made some fairly major changes to how its verified checkmark status works, and it’s already causing some confusion. If you rely on the checkmark symbol for confirmation that the individual or business tweeting is actually the real deal, your regular process is now different.

How verifying identity on Twitter used to work

Previously, the blue checkmark indicated a number of factors. The individual may have been “notable” in terms of work, celebrity status, or some other aspect. Primarily, it was a way to confirm someone or something was real, accurate, and true. An identity had been verified, typically via government-issued identity documents like a passport. If you sent a message to John Cena (with the verified blue checkmark), you were absolutely sending a message to John Cena. If Mark Hamill replied, you were absolutely having a conversation with Mark Hamill.

Hovering over the checkmark on one of the originally verified accounts used to say this:

Twitter verified

“This account is verified because it’s notable in government, news, entertainment, or another designated category”.

Changing the checkmark system with Twitter Blue

Recently, this process underwent some change with the introduction of Twitter Blue, a subscription service that costs a minimum of $8 a month to gain additional features over non-paying users. Controversially, Blue accounts gained the same visual checkmark as verified accounts despite not using the same identity verification process. This resulted in an early wave of imitation accounts causing confusion.

Shortly after the Blue launch, the original verified accounts had their hover text altered to say this:

Legacy verified

“This is a legacy verified account. It may or may not be notable”.

Twitter Blue subscribers, who had paid their $8 a month to gain a checkmark, had this for their hover text:

“This account is verified because it’s subscribed to Twitter Blue”.

This was already somewhat confusing, as there’s a difference between confirming identity via government-issued ID and obtaining a tick associated with identity verification by paying $8 a month. However, users would be put through even more changes.

We’re not losing a tick, we’re gaining…confusion?!

Twitter recently announced that all legacy accounts would lose their checkmark on April 1. It seems as though it may have been too difficult to do this, and a new needlessly confusing solution has been put in place overnight.

All accounts with a checkmark of any kind now say this:

“This account is verified because it’s subscribed to Twitter Blue or is a legacy verified account.”

There is now no easy way to tell at a glance if what you’re looking at is (for example) the real Lady Gaga, a law enforcement agency, an emergency alert system, or anything else. A perfect example of this happened earlier today when well-known UK personal finance expert Martin Lewis flagged up an imitation Twitter account promoting a bogus website.

This is a screenshot of the fake account in question. Notice that it is using a photo of the real Martin Lewis as its own profile picture, and that, while the actual Twitter handle is different, the display name shows, simply, “Martin”:

Fake Martin Lewis

Note that the faker has disabled replies, to make it harder to call out the imitation in the thread itself.

The fake account sports 25.7k followers, has been around since 2013, and to many people would reasonably enough look like the real thing.

Both the imitation and the real account present users with the “This account is verified because it’s subscribed to Twitter Blue or is a legacy verified account” messaging.

The site the imitation linked to has already been shut down but was something to do with cryptocurrency.

This isn’t great for Twitter users. What can you do about it?

Some tips for establishing Twitter authenticity

There are still a few ways to know for sure if an account is subscribed to Blue, or has one of the originally verified checkmarks. A caveat: these may eventually stop working, and as we’ll see further down, there are limits to how well some of these tricks may work.

  1. Look for the @Verified Twitter account. If the Verified Twitter account follows the individual or entity you’re interested in, then that account was verified pre-Blue and had some form of actual identity verification confirmed.
  2. Browser extensions can help. A number of extensions still display the status of the accounts you look at. For example, here’s one called Eight Dollars for Chrome. If a checkmarked account is pre-Blue, it’ll say “Verified.” If not, it’ll say “$Paid.” Again, please note that functionality for extensions like these may stop working at some point.
  3. Use Twitter search. Certain kinds of search string will still (for the time being) reveal if a user is legacy or paid.

Using the extension as an example, we can now see the difference between the real Martin Lewis and the faker. Here’s the real Martin Lewis while running a checkmark focused extension:

The real Martin Lewis

Here’s the fake Martin Lewis while running the same extension:

Fake Martin Lewis

The difference is clear. One of these accounts belongs to the originally identity-verified Martin Lewis, and the other is a paid Twitter Blue subscription.

But there’s one more case to look at to understand Twitter verification today and likely into the future—and where this current reliance on browser extensions fails.

The New York Sign of the Times

We currently have a former Simpsons writer pretending to be the New York Times. Bill Oakley is likely doing this because Elon Musk directly removed the NYTimes checkmark after the publication said it wouldn’t pay for Twitter Blue.

Because of his account having been originally verified as himself, we now have a situation where a fake New York Times account says this:

Bill Oakley as the NYTimes

The profile is tagged as potentially being a legacy verified account or subscribed to Twitter Blue. Meanwhile, the account shows as “Verified” with one of the browser extensions as a result of Oakley already having been verified as himself. For a time, Twitter did not allow legacy verified accounts to change their display name but that no longer seems to be the case. We can also deduce that this is definitely not the New York Times because you can see “thatbilloakley” is the username just underneath the Verified Account popup. Even so: a “verified” fake New York Times account, tagged as the real deal by a verification confirmation checking browser extension.

Confusing? You bet!

It’s worth pointing out that some originally verified legacy accounts will have since subscribed to Twitter Blue. It’s impossible to say how browser extensions would deal with that situation, so unless the Twitter Verified account is following the account you happen to be looking into, you may be out of luck.

For now, it’s a case of keeping your wits about you and not taking anything you see on social media for granted. This is good advice at the best of times, and it’s definitely worth sticking to at present. Another simple rule of thumb? If a celebrity is suddenly hawking cryptocurrency or some other too-good-to-be-true deal, they’re likely to be running a scam. Stay safe out there!

New macOS malware steals sensitive info, including a user’s entire Keychain database

A new macOS malware—called MacStealer—that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple’s password manager. Users of macOS Catalina (10.5) and later versions running on Intel, M1, and M2 chips are affected by this malware.

And while MacStealer appears to be the Mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes’ director of core technology. “There is no persistence method, and it relies on the user opening the app,” he adds, considering the features the developer says they want to add to MacStealer in the future.

MacStealer uses Telegram channels as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it’s still in the early beta stage and so lacks a builder and panel. This is also why the developers distribute MacStealer as malware-as-a-service (MaaS), selling it at the low price of $100 and promising more advanced features in the future.

MacStealer arrives on target macOS systems as an unsigned disk image (.DMG) file. Users are tricked into downloading and running this file. Once it runs, a bogus password prompt asks users for their password in an attempt to capture their real one. MacStealer then saves the password in the affected system’s temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

  • Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
  • Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
  • Keychain database in its encoded (base64) form
  • Keychain password in text format
  • Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CSV, .BMP, .MP3, .ZIP, .RAR, .PY, .DB)
  • System information in text form

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.

A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot. (Source: Uptycs)

MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern Mac, said Malwarebytes’ Reed. “Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it.”

A week in security (March 27 – April 2)

Last week on Malwarebytes Labs:

Stay safe!

TikTok: What’s going on and should I be worried?

Since 2020, several governments and organizations have banned, or considered banning, the immensely popular social media app TikTok from their staff’s devices.

With all these alarming bells ringing, we thought it might be handy to break down what we know and see if we can plot a sensible strategy from there. So, if your hair is on fire, extinguish it and consider this with a cool head.

If you prefer listening over reading, we covered this topic in a recent LinkedIn Live.

TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It has seen explosive growth since it first appeared in 2017, and now it claims to have well over 1 billion users, an estimated 150 million of them in the US.

In 2020, India was the first country to ban TikTok, along with some 200 other Chinese apps that were all blocked from operating within the country. The decision came two weeks after a Chinese military operation on India’s northern border led to the death of at least 20 Indian soldiers.

In the same year, retail giant Amazon sent a memo to employees telling them to delete the popular social media app from their phones. Even earlier, in December of 2019, the US Army banned the use of the app on government-issued phones.

Other US agencies and other governments have followed suit since then, or are planning to do so. During a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

We can break down the potential problems with TikTok in 3 main categories:

  • The data
  • The algorithm
  • The app itself

Let’s start by saying that all of the above categories are present in many other social media apps. The differentiating factor for TikTok is that it is owned by a Chinese company called ByteDance. It’s these ties with China and the ruling Chinese Communist Party (CCP) that have created so much concern among nations and their government agencies.

The data

In general, it is safe to say that every free social media app makes money by using and selling the data of large groups of people for advertising purposes. The more narrowly this data can be refined to smaller groups, the bigger the privacy concern. Can TikTok be used to spy on certain groups of people? Definitely. TikTok has admitted that employees used its own app to spy on reporters as part of an attempt to track down the journalists’ sources. The company fired 4 employees for doing so.

We have seen similar cases in other social media apps. For example, a Twitter employee was sentenced to more than three years in prison for spying for Saudi Arabia. With the amount of readily available information, there will always be those who use it for their own purposes, good or bad.

The algorithm

Control of the algorithm provides an opportunity to be an influencer. By the algorithm we mean the code in the app that tries to maximize the time you spend on the app by showing you videos it has determined you might be interested in. Knowing which reels show up on your feed tells us something about you; if nothing else, it tells us what you prefer watching, be it kittens, fails, or dance routines. What worries Christopher Wray, the Director of the FBI, is the possibility that the CCP might take control of the TikTok algorithm to conduct hard-to-detect influence operations against Americans. By deciding what you see, the Chinese government might influence your opinion about matters.

Again, neither the algorithm nor the utilization for influence are exclusive to TikTok. International state actors are increasingly leveraging social media platforms to spread computational propaganda and disinformation during critical moments of public life. Last year, we discussed some stats provided by YouTube about their battle against misinformation.

The app

Most people install TikTok on their personal devices, especially now that many organizations have banned, or are considering banning, the app on company-provided devices. And, so far, nobody has found anything malicious in the app. But as an app it has access, although limited, to information on your device and about other devices on the same network. This information could be used for nefarious purposes, but there has been no proof of that. Another worry is that this behavior could change with a single update, and that the next update could be secretly malicious. But this is true for any app, whether the developer introduces the malicious code or it arrives as part of a supply-chain attack.

Should I be worried?

The risk of allowing TikTok on corporate or hybrid devices very much depends on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern. On the other hand, if the app, or any other app, is not needed for work purposes, why would you allow it on a corporate device? Using Mobile Device Management (MDM) can go a long way in keeping risks and distractions away from corporate devices.

Banning the app from personal devices that are used in a work environment is a whole different matter. Your employee satisfaction might even be a bigger concern than TikTok potentially spying on you.

During a recent congressional hearing, TikTok’s CEO Shou Chew said they were doing everything they could to accommodate the US:

“Our commitment is to move their data into the United States, to be stored on American soil by an American company, overseen by American personnel. So the risk would be similar to any government going to an American company, asking for data.”

I think we can agree with that last sentence. Until proof is provided that TikTok is worse than other social media apps, there is no compelling reason to treat it differently. But all social media apps should be regarded with reservations when it comes to privacy.

Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer

Researchers at Orca Security disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.

The vulnerability was reported to the Microsoft Security Response Center (MSRC) with responsible disclosure and was included by Microsoft in their March 2023 Patch Tuesday round. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This newly-discovered vulnerability is listed as CVE-2023-23383 with a CVSS score of 8.2 out of 10.

This vulnerability was dubbed Super FabriXss and it’s a vulnerability that exists on Azure Service Fabric Explorer version 9.1.1436.9590 and earlier.

The researchers’ story is interesting because it shows that it is still possible to find new Cross-Site Scripting (XSS) vulnerabilities in mature and complex systems like Azure. And it’s frightening because the Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.

Azure Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing Azure Service Fabric clusters. A Service Fabric cluster is a network-connected collection of virtual or physical computers where your microservices are deployed and managed. A cluster can have thousands of nodes.

An XSS vulnerability is a flaw in a web application that allows an attacker to inject code (usually HTML or JavaScript) into the contents of a website. As a possible consequence, a visitor of that website will execute that code in their browser, and it will be treated (read: trusted) as if it originated from the site they visited. By exploiting this, the attacker can bypass the browser’s same-origin policy and steal private information from a victim associated with the website. Depending on the site, it allows the attacker to masquerade as the victim visitor, carry out any actions that user is able to perform, and access any of the user’s data.

What the researchers found after some testing is that when the Node name is modified in the SFX UI, it is reflected in the Node’s independent dashboard. So they set out to try some different names to observe how the server handles non-existent and/or modified values for different variables.

By trying some simple HTML, like an H1 tag (commonly used to display a page’s main topic in a larger font size), they found that clicking on Cluster in the options on the Events tab displayed the new name as a large title, due to the effect of the <h1> tag.

Proof that HTML code can be injected. Image courtesy of Orca Security

While this is no serious attack in itself, it shows that there are ways to circumvent the input sanitization that takes place, or should take place, and that it might be possible to inject more complex HTML code.
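To make the reflected node-name finding concrete, here is an added example (not Orca Security’s or Microsoft’s code, and not the SFX source): a toy dashboard renderer in the vulnerable shape, the same renderer with output escaping, and a regression check plus a name audit a defender could run. The node names, including the `_Node_0` style sample, are constructed.

```javascript
'use strict';

// Constructed sample node names: two ordinary ones and one carrying markup,
// in the spirit of the <h1> the researchers typed into the SFX node-name field.
const SAMPLE_NODE_NAMES = ['_Node_0', '_Node_1', '<h1>Cluster</h1>'];

// Vulnerable shape: the untrusted name is concatenated straight into markup,
// so a name containing <h1> is rendered as a heading instead of shown as text.
function renderNodeTitleVulnerable(nodeName) {
  return `<div class="node-title">Node: ${nodeName}</div>`;
}

// Escape the characters that change meaning in HTML text and attribute
// values. '&' is replaced first so the entities produced later are not
// escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened shape: identical template, with the name escaped at the output point.
// (In a real DOM, assigning textContent instead of innerHTML achieves the same.)
function renderNodeTitleSafe(nodeName) {
  return `<div class="node-title">Node: ${escapeHtml(nodeName)}</div>`;
}

// Regression check for a UI test suite: no tag present in the untrusted input
// may survive verbatim in the rendered output.
function reflectsRawTag(rendered, input) {
  const tags = input.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((tag) => rendered.includes(tag));
}

// Defender-side audit: flag node names (from a manifest, API listing or event
// log) that look like markup or entities, so tampering is visible even before
// the UI fix is deployed.
function findMarkupLikeNames(names) {
  return names.filter((name) => /<[a-z!/?]/i.test(name) || /&#?\w+;/.test(name));
}

// Run every sample name through both renderers and report what reflects.
function demo() {
  return SAMPLE_NODE_NAMES.map((name) => ({
    name,
    vulnerableReflects: reflectsRawTag(renderNodeTitleVulnerable(name), name),
    safeReflects: reflectsRawTag(renderNodeTitleSafe(name), name),
  }));
}
```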

How can we use this in a full-fledged attack?

For a full analysis, feel free to read the blog by the researchers, which goes into more detail. But, roughly, the attack would work like this:

The attacker sends a crafted URL to the Service Fabric Administrator. This URL includes an iframe that uses a simple fetch request to trigger an upgrade of a Compose deployment. The upgrade process overwrites the existing deployment with a new, malicious one. This new deployment includes a CMD instruction in its Dockerfile that will download a remote .bat file.

The .bat file retrieves a second file that contains an encoded reverse shell. This reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted. By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources.

Update

If you have automatic updates enabled, no action is needed. If you update manually and are on version 9.1.1436.9590 or earlier, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric cluster.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

3 tips to raise your backup game

Happy World Backup Day everyone!

What, you didn’t know it was World Backup Day? Hmmm, perhaps that’s not a surprise. If there was an award for “most overlooked really important thing in computing”, backups would win. Every year.

So let’s put that right this year and spend a minute or two of World Backup Day thinking about backups. Backups are great! Having backups is like having a do-over for your mistakes, and who hasn’t wished for that? And they can keep you safe too. Good computer security means creating layers of protection that overlap and cover each others’ backs. The final layer is your backups. They’re a “get out of jail free” card you can play if any of your files are destroyed, deleted, or corrupted by malware.

To get you off on the right foot we’ve got three tips: A beginner tip, an intermediate tip, and an advanced tip.

1. Make backups

Yes, our first tip really is “make backups”. Why? Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone intends to do, that nobody actually does.

You need to floss your computer, every day. We don’t care how you do it: You can use the cloud, put your files on a USB stick, plug in an external hard drive, burn your data to a disk (ask your parents), copy them to an FTP site (ask your grandparents), or print them out and bind them in a book for all we care. All we ask is that you make a copy of your data, and then make making copies of your data a habit.

The only backup you’ll ever regret is the one you didn’t make.

2. Make them automatic

Once you decide that you’re going to make regular copies of your data you are, in all likelihood, going to get bored of doing it and slip up on your rigorous, well-intentioned schedule. Humans just aren’t good at doing the same thing, the same way, every day. But you know what is? A computer.

So, our intermediate tip is to let the computer take the strain of remembering what you want to back up and when. They love that stuff.

Windows and macOS both come with backup software included, each of which is perfectly on-brand for your platform of choice. The Windows backup solution has a boring and sensible name. It’s called Backup and Restore. On Mac you’ll be using a Time Machine, because Apple lets its marketing department in the room when things are being named. As you’d expect, if you’re a Linux user there are a bewildering number of options to choose from. If you’re blinded by overchoice, check out Amanda.

3. Make sure they work

If you’ve followed tip two and automated your backups then you can sit back and relax, right? Sure, you can. But if you want to know for sure that your backup solution will be there for when you need it most, you need to test it. After all, a backup is only as useful as the data you can actually restore from it.

Anyone who works with computers knows that assumption is the mother of all f*** ups, so don’t assume your backups work, prove they do. Pick a file you really care about and go get a copy of it from your backups. Better yet, if you have a directory where you keep lots of important files, restore that. Not only will that prove to you that your backups can dig you out of trouble if they ever need to, you’ll get a feel for how slow that process can be if you’re backing up over Wi-Fi. Understanding that restoring a lot of files from a backup can be a lengthy process will help you set your expectations and manage your stress levels if you ever need to.

Pat yourself on the back

Whether you made it all the way to rolling out tip three, or you stopped at one, we applaud you. Your digital life is now more resilient than it was, which means you’ll be better able to weather hardware failures, accidental deletions, and malware outbreaks.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

3 tips for creating backups your organization can rely on when ransomware strikes

Backups are an organization’s last line of defense against ransomware, because comprehensive, offline, offsite backups give you a chance to restore or rebuild your computers without paying a criminal for a decryption key.

Unfortunately, many organizations don’t realize how important it is to make backups until it’s too late. And it’s all-too-common for those that do take regular backups to discover too late that they aren’t fit for purpose.

Why? Because backups are hard to get right.

In September 2021, Malwarebytes spoke with Matt Crape from VMware to find out why backups are so hard, why they fail, and what to do about it. This World Backup Day, we thought we’d revisit his advice for creating a more consistent, stable, and resilient backup process. Here are three essential things every organization can ponder today.

1. Know what you’re trying to achieve

Good backups start with a clear understanding of what your organization needs them to do. From that, you can determine what needs to be backed up, why, how frequently, and for how long. The answers to those questions will depend on how much data you have, how often it changes, whether you can live without any of it, whether you have remote employees, the implications of legal requirements such as GDPR, and a wide range of other factors.

Every organization is different, so the “right” answers to those questions will be unique for each. Organizations also change over time so decisions about what you need from your backups need to be reviewed often enough to keep up.

When thinking about ransomware, a good starting point is to imagine what you would need to do if all of your computers were rendered useless and you had to rebuild them from scratch. What’s your approach: will you restore everything from backups, or recreate applications and operating systems from a “golden” disk image? If that’s your plan, do you know how long it will take to reinstate every computer in your organization? Can your business survive that much downtime?

2. Keep a backup offline and offsite

Modern ransomware attacks are carried out by gangs who break into company networks, prepare the ground for their attack, and then run their ransomware manually. Gangs can spend weeks inside a network looking to increase the chances of their attack succeeding, and backups are a prime target. If the attackers can find them, they will delete them.

That’s exactly what happened when a ransomware gang attacked the Northshore School District in Washington state. In an instructive and painfully honest episode of our Lock and Code podcast, systems administrator Ski Kacoroski told us “we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.” Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it. That part really, really hurt us.”

The lesson of the Northshore attack and many others is that it’s vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network.

CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware.

3. Test your backups

A backup is only as useful as the data that can be successfully restored from it. So while it’s useful to know that your backup solution is running and recording data, the only way to be sure it works is to try reading data from it.

A true acid test is to prove to yourself that, in the event of a ransomware attack, natural disaster, fire or flood, you can restore your critical business systems from scratch. Simply having the data may not be enough. Companies grow organically and, unless they are very new, their networks are likely to have been built over time rather than in one go. This can create interdependencies where system A requires system B and system B requires system A, and so on.

And keep in mind that the best judge of whether data has been restored successfully is the person who relies on that data—so keep them engaged during the testing.
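The restore test recommended in tip three above (and in “Make sure they work” earlier) can be made repeatable: record a SHA-256 hash of every file before the backup runs, then check the restored tree against that manifest so missing and silently corrupted files are named rather than assumed fine. This is an added example, not code from the article or from any backup product; it assumes the backup tool restores files into a directory that mirrors the original layout, and the sample files are constructed in a temporary directory.

```python
# Added example (not from the article): verify a restored tree against a
# manifest of SHA-256 hashes taken from the source before backup.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(src: Path) -> dict:
    """Map each file's path (relative to src) to its SHA-256 hash."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Report files that are missing or whose content differs after restore."""
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    ok = len(manifest) - len(missing) - len(mismatched)
    return {"ok": ok, "missing": missing, "mismatched": mismatched,
            "passed": not missing and not mismatched}

def demo() -> dict:
    """Constructed scenario: back up three files, then lose one and corrupt one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        for name, data in [("docs/report.txt", b"quarterly figures"),
                           ("notes.txt", b"todo list"),
                           ("photo.bin", bytes(range(256)) * 16)]:
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        shutil.copytree(src, restored)                 # stands in for the restore
        (restored / "notes.txt").unlink()              # file missing from backup
        (restored / "docs" / "report.txt").write_bytes(b"corrupt")  # silent corruption
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    print(demo())
```

Run the manifest step on the live data before each backup and keep the manifest with the offsite copy; a restore drill then has a pass/fail result instead of a feeling that it probably worked.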

Learn more

To learn more about why backups fail when you need them, and how to improve your chances of success, listen to the full podcast with Matt Crape, embedded below.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Steer clear of this EE phish that wants your card details

Watch out for this piece of spam lurking in mail boxes and claiming to be from the EE mobile network.

Fake EE mail

The mail, titled “We were unable to renew your monthly plan” with a likely random reference number alongside it, reads as follows:

Due to a problem with your card, we were unable to charge your next monthly payment automatically until you verify your billing details. To renew your contract, please use this link to update your payment information.

Failure to complete the process in a period of 7 business days may result in a disconnection of service.

The clickable link leads to an imitation EE site which asks for the visitor’s email address and password.

Fake EE login

Subsequent pages ask for the kind of details typically covered by any phishing scam, such as name, date of birth, and email address. The final page asks for your card details:

Fake payment request

If you fill those card details in, you are likely to soon become much lighter of pocket, as the criminals will use the details to take money from your card.

If you think you’ve accidentally filled in a form on a phishy site, contact your bank or card provider immediately so they can put it right. And follow the tips below on how to avoid phishing attacks.

How to avoid phishing attacks

  • Don’t take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, cancel the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.