IT NEWS

Ransomware review: March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

It seems like LockBit wasn’t content with having us merely crown them as one of the five most serious cyberthreats facing businesses in 2023. In February, the most widely used ransomware-as-a-service (RaaS) posted a total of 126 victims on its leak site—a record high since we started tracking the leaks in February 2022.

Known ransomware attacks by gang, February 2023
Known ransomware attacks by country, February 2023
Known ransomware attacks by industry sector, February 2023

Companies attacked along LockBit’s warpath last month include financial software firm ION Group and Pierce Transit, a public transit operator in Washington state. LockBit claimed that ION Group had paid the ransom and demanded $2 million from Pierce Transit.

Speaking of ransom demands, it seems like that’s another area where LockBit broke records last month.

In early February LockBit tried to get $80 million out of the UK’s Royal Mail—the largest demand since asking Continental for $50 million in 2022. Royal Mail rejected the demand, calling it ‘absurd’, and LockBit consequently published the files it stole from the company—but not without also leaking a chat history showing the negotiations between the two parties, which featured the unusual sight of a Royal Mail negotiator giving the feared ransomware gang the runaround.

LockBit and Royal Mail negotiations

Confirmed attacks by Vice Society, the ransomware gang infamous for wreaking havoc on the education sector, reached their three-month low last month. The apparently Russian-based group tallied just two victims on its leak site in February, but—true to their modus operandi—both of them were educational institutions: Guildford County School, a specialist music academy in London, and Mount Saint Mary College, a liberal arts college in New York. Needless to say, we’re not banking on this persistent education sector threat going away anytime soon.

After LockBit, ALPHV (aka BlackCat) and Royal again topped the list of most known victims last month. But as it turns out, these two groups have more in common than just their high placements: both are considered big dangers to healthcare organizations. The US Department of Health and Human Services (HHS) even released a detailed report on Royal and ALPHV in mid-January 2023 outlining the dual threat to the US health sector. Last month, however, Royal and ALPHV apparently only attacked one healthcare organization between them—ALPHV’s attack on the Pennsylvania-based Lehigh Valley Health Network. Their combined 48 leaked victims last month were spread across a range of industries, mainly manufacturing, logistics, and services. It goes to show that a ransomware strain being used against one sector in one month says little about which industry it will be used against the next.

Ever since we first reported on it in November 2022, watching the Play ransomware gang emerge over the months has been one of those “Aw, they grow up so fast (and evil)” type of situations. After its December surge, Play’s activity fell by about 76 percent in January, but it made something of a comeback last month with 11 known victims, including the City of Oakland, where an attack shut down many of the city’s services. In fact, the situation in Oakland was so bad that the Interim City Administrator declared a state of emergency shortly afterwards.

New ransomware groups

Medusa

Not since we introduced Royal ransomware in November 2022 have we seen a new gang burst onto the scene with as much activity as Medusa did in February. The group published 20 victims on its leak site, making it the third most active ransomware last month. Among its victims are Tonga Communications Corporation (TCC), a state-owned telecommunications company, and the oil and gas company PetroChina Indonesia.

The Medusa leak site

V is Vendetta

V is Vendetta is a newcomer that published three victims in February on a site that follows the not-so-new practice of branding itself with imagery ripped from a particular mid-2000s dystopian action film. The site is noteworthy not only for its awful “teenager’s bedroom” design but also for using a subdomain of the Cuba ransomware dark web site.

The V is Vendetta leak site

DPRK’s ransomware antics

In early February, CISA and partner agencies released a joint alert highlighting ongoing state-sponsored ransomware activity by the Democratic People’s Republic of Korea (DPRK) against organizations in the US healthcare sector and other critical infrastructure sectors.

The agencies have reason to believe cryptocurrency ransom payments from such operations support DPRK’s “national-level priorities and objectives.” The report states:

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,

In the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st.

US Marshal Service ransomware attack

It seems ransomware attackers are going after the big fish again.

At least, it’s been a while since a federal agency like the US Marshals Service (USMS) was hit with ransomware. In late February 2023, a threat actor managed to infiltrate the agency and get hold of sensitive information about staff and fugitives.

It’s far from rare to see a ransomware attack on governments, to be sure. State, Local, Tribal, and Territorial (SLTT) governments were hammered by ransomware throughout 2022. Attacks on the federal government, however, remain few and far between.

If there’s one thing this attack taught us, it’s that no organization is safe from ransomware—but that’s not all. It’s also the most eye-catching attack on the fabric of the US since the Colonial Pipeline attack by the DarkSide ransomware gang. There is no word about who is responsible for the attack or whether or not there has been a ransom demand.

If this is the work of a regular ransomware gang rather than a political statement, it’s a surprise that they’re this bold (or frankly, stupid, for thinking the federal government would ever pay them). Attacking a federal government paints a huge target on their backs.

We know there have been times where affiliates of ransomware gangs go rogue and attack an organization that’s off-limits according to the gangs’ rules—but until more information is released, many details about the USMS breach remain speculative.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

GET THE RANSOMWARE EMERGENCY KIT

Warning issued over Royal ransomware

As part of its StopRansomware effort, the Cybersecurity and Infrastructure Security Agency (CISA) has published a Cybersecurity Advisory (CSA) about Royal ransomware.

Royal ransomware is a ransomware-as-a-service (RaaS) that first made an appearance in January 2022. In September of that year it began calling itself Royal ransomware, and in November it really made a name for itself by boldly taking the lead in our monthly statistics.

After November, it handed top place back to LockBit, but it has remained one of the five most prevalent ransomware strains.

According to the CSA, the group behind Royal:

  • Have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.
  • Are known to disable anti-virus software on the affected systems.
  • Have targeted numerous critical infrastructure sectors including manufacturing, communications, healthcare, and education.
  • Steal data from infiltrated networks which they threaten to publicize on their leak site to increase the leverage on the victim.

Royal ransomware leak site

The initial access brokers that cater to Royal are reported to gain their foothold by harvesting virtual private network (VPN) credentials from stealer logs. Other methods used to gain initial access to victim networks are:

  • Phishing, using emails containing malicious PDF documents, and malvertising
  • Remote Desktop Protocol (RDP), using compromised credentials or brute-forcing logins
  • Exploiting public-facing applications: websites or other applications with internet-accessible open sockets, through known vulnerabilities or common security misconfigurations
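
The RDP entry in that list is the one a defender can most easily catch in their own telemetry, and it is also the reason the advice above says to disable or harden RDP. The following is an added example, not code from the CISA advisory or from Malwarebytes: it runs two simple detections over exported Windows Security events, a run of failed logons (event 4625) from one address followed by a success (4624), and successful RDP logons (LogonType 10) from addresses outside the private ranges. It assumes the events have already been exported as dicts with the fields EventID, TimeCreated, LogonType, IpAddress and TargetUserName; the SAMPLE_EVENTS below are constructed, not a real capture.

```python
"""
Detect RDP credential brute forcing in exported Windows Security events.

Added example: this is not code from the CISA advisory or from Malwarebytes.
It assumes the Security log has been exported as dicts with the fields
EventID, TimeCreated, LogonType, IpAddress and TargetUserName (the shape a
SIEM or a Get-WinEvent export gives you). SAMPLE_EVENTS is a constructed
sample, not a real capture.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

FAILED_LOGON = 4625        # "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # "An account was successfully logged on"
REMOTE_INTERACTIVE = 10    # LogonType 10: RDP / Terminal Services

# Address ranges we treat as "inside"; anything else is internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

SAMPLE_EVENTS = [  # constructed sample
    # six failures from one internet address in two minutes, cycling usernames
    {"TimeCreated": "2023-02-20T03:14:05", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "administrator"},
    {"TimeCreated": "2023-02-20T03:14:31", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "admin"},
    {"TimeCreated": "2023-02-20T03:14:58", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "backup"},
    {"TimeCreated": "2023-02-20T03:15:20", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2023-02-20T03:15:44", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "sqlsvc"},
    {"TimeCreated": "2023-02-20T03:16:02", "EventID": 4625, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"},
    # ...then the guess lands
    {"TimeCreated": "2023-02-20T03:16:30", "EventID": 4624, "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"},
    # an employee mistyping a password once from the LAN, then logging in
    {"TimeCreated": "2023-02-20T08:02:10", "EventID": 4625, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "jsmith"},
    {"TimeCreated": "2023-02-20T08:02:25", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "jsmith"},
    # a network (LogonType 3) logon from outside: not RDP, so not flagged below
    {"TimeCreated": "2023-02-20T09:00:00", "EventID": 4624, "LogonType": 3,
     "IpAddress": "198.51.100.7", "TargetUserName": "fileshare"},
]


def is_external(ip: str) -> bool:
    """True for routable addresses; "-" and malformed values count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP whose run of at least `threshold` failed logons inside
    `window` is followed by a successful logon from the same IP: a password
    guess that worked. Returns one alert dict per such run."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        failures = recent_failures[ev["IpAddress"]]
        while failures and ts - failures[0] > window:
            failures.popleft()             # age out failures older than the window
        if ev["EventID"] == FAILED_LOGON:
            failures.append(ts)
        elif ev["EventID"] == SUCCESSFUL_LOGON and len(failures) >= threshold:
            alerts.append({"source": ev["IpAddress"], "account": ev["TargetUserName"],
                           "failures": len(failures), "at": ev["TimeCreated"],
                           "external": is_external(ev["IpAddress"])})
            failures.clear()
    return alerts


def find_external_rdp_sources(events):
    """Addresses outside the internal ranges that completed an RDP logon,
    i.e. evidence that RDP is reachable straight from the internet."""
    return sorted({ev["IpAddress"] for ev in events
                   if ev["EventID"] == SUCCESSFUL_LOGON
                   and ev["LogonType"] == REMOTE_INTERACTIVE
                   and is_external(ev["IpAddress"])})


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_EVENTS):
        print("brute-force success:", alert)
    print("external RDP sources:", find_external_rdp_sources(SAMPLE_EVENTS))
```

The threshold and window are deliberately crude; the point is that the success after a burst of failures is the signal worth alerting on, since failed logons alone are noise on any internet-exposed RDP host. The second function is the cheap way to discover that such a host exists at all: any external address completing a LogonType 10 logon means RDP is not behind a VPN or gateway.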

For those interested, the CSA contains a wealth of Indicators of Compromise (IOCs) and techniques used by Royal to gain persistence and for lateral movement.

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Play ransomware gang leaks City of Oakland data

The Play ransomware gang has begun partially publishing data they stole from the City of Oakland, California. The data were in multiple archive files with a collective file size of 10GB. According to the ransomware gang, the files contain “[p]rivate and personal information data, financial information. IDs, passports, employee full info, human rights violation information.”

“If there is no reaction full dump will be uploaded,” the gang wrote in a comment on their leak site. They also hinted that each file could be used independently.

Play ransomware gang’s leak page for the City of Oakland, California

Following the release of the data, the City of Oakland said in an updated statement:

“While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly.

We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity.”

The City of Oakland, California was attacked four weeks ago, bringing several City services to a standstill. This pushed Interim City Administrator G. Harold Duffey to declare a state of emergency. The Play ransomware group claimed responsibility for the attack.

DoppelPaymer ransomware group disrupted by FBI and European police agencies

Europol has released information about the arrests of two suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware. On 28 February 2023, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized equipment to determine the suspects’ exact roles in the structure of the ransomware group.

DoppelPaymer is a ransomware group that has been linked to Russia, the EvilCorp group, and Emotet. DoppelPaymer is a mostly enterprise-targeting ransomware with targets including healthcare, emergency services, and education. They have been around since 2019. Last year they claimed responsibility for a high-profile ransomware attack on Kia Motors America.

According to the Europol statement DoppelPaymer relied on Emotet to infiltrate target networks. Emotet is a modular type of malware that can be used to drop other malware on infected systems. At Malwarebytes we have also seen usage of the modified Dridex malware 2.0, for both initial access and lateral movement.

DoppelPaymer was responsible for the attack on a German hospital that led to the death of a patient who could not be admitted. They were also responsible for the costly attacks on the St. Lucie County Sheriff’s Office, the Dutch Research Council (NWO), and the Illinois Attorney General’s office. Other past DoppelPaymer victims include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

The law enforcement agencies used operational analysis, crypto-tracing, and forensics to find the suspects and to determine where the suspects fit into the organizational structure of the DoppelPaymer group. These investigations may lead to further arrests.

Recently we have seen an increased number of take-downs and arrests in ransomware and related cases. Better and more effective investigative methods, backed by a shorter time frame in which cyberincidents have to be reported, and already dwindling ransomware revenue, may significantly bring down the damage caused by ransomware attacks.

8 cybersecurity tips to keep you safe when travelling

The best way to keep your devices safe when you’re travelling is to be unplugged. If you don’t need it, don’t take it with you. But since that is not always an option, here are some tips to keep you safe while you travel.

1. Backup before you go

The consequences of losing your device or having it stolen are worse when you are outside of your own environment. So make sure that you have recent backups of your important data, and don’t keep the backups on the devices you are taking.

2. Turn on Find My device

Both Android and iOS offer options to track your device. So turn this on before you go, and if you lose your device you can remotely wipe it, or even leave a message on the screen for whoever finds it.

3. Consider your connections

The router that handles the Wi-Fi in your home keeps the individual devices shielded from a lot of undesirable traffic. But when you’re out and about, a mobile firewall can manage the flow of traffic in and out of your device.

Disable the auto-connect options shortly before you leave and have your devices forget the network SSIDs in their lists. Threat actors can abuse these features for machine-in-the-middle attacks. Also disable the Bluetooth on your devices whenever you’re not using it.

4. Protect your devices

Use a fully updated anti-malware solution for all your devices. Most anti-malware solutions will update automatically, but it’s worth double checking their settings to check that’s being done.

5. Patch and update

Your security software is not the only thing that should be kept up-to-date. Check if there are updates for your operating system (Windows, Android, iOS, or whatever you’re using), banking apps, and anything else which is privacy sensitive and you use on a daily basis. Updating them while you are travelling can be slow and tedious.

6. Use a password manager

Don’t forget to take your password manager and your 2FA device with you. Nothing can kill the buzz like having to go through umpteen “I forgot my password” routines. Talking of passwords, it goes without saying that all your devices should be protected with a PIN or password.

7. Careful what you post on social media

We know it’s hard, but usually it’s better to wait till you get back home before you show the world how beautiful the scenery was at your travel destination. Don’t announce your absence from home, or you might draw burglars to it. Speaking of which, a little automation of the lighting can make it seem as if there is someone home watching the place.

8. Public Wi-Fi and computers

Simple. Don’t use them if you can avoid them. And if you have to, be thoughtful of the fact that they are indeed, public. Avoid sites where you need to login, sites with sensitive info (banking, healthcare, etc.), and especially stay away from making purchases over an unsecured connection. Use a VPN with strong encryption. After using a public computer, delete your cookies and maybe your browser history as well.

Don’t let all this ruin the fun

While most of the things mentioned above are precautions we (should) take every day, they are not the first ones that come to mind when you are planning that awesome trip you have worked for all year. But as always, it’s better to be safe than sorry. Safe travels!


National Cybersecurity Strategy Document: What you need to know

The US Government has been working on the National Cybersecurity Strategy Document 2023 for some time now, and it’s finally been released. The strategy document, which replaces the last such piece of work from 2018, attempts to indicate the general direction of the US approach to cybercrime and security for the next few years.

While you don’t necessarily need to take immediate action on the points raised, there’s a lot of talk about liability for poor security practices for larger organisations, better ratings for IoT devices, and a greatly improved hiring strategy for unfilled security vacancies. If these are areas of concern for you, we highlight the important parts below.

As per the WSJ, the five primary areas for action are:

  • Defend critical infrastructure
  • Disrupt and dismantle criminal gangs
  • Shape market forces
  • Invest in a resilient future
  • Forge international partnerships

One large part of this new strategy is that organisations potentially most well equipped to fend off attacks must step up and do more:

The most capable and best positioned actors in cyberspace must be better stewards of the digital ecosystem…we must ask more [across both the public and private sectors] of the most capable and best positioned actors to make our digital ecosystem more secure and resilient. In a free and interconnected society, protecting data and ensuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.

With this in mind, then, let’s highlight some of the standouts from relevant sections.

Defending critical infrastructure

Expanding the use of minimum cybersecurity requirements in critical sectors

If you work in a critical sector of industry, you can expect to see new requirements heading your way in the near future. “Existing authorities” will set new requirements for cybersecurity, and where gaps exist in statutory authorities to create minimum standards, the Administration will work with Congress to close them. Regulations will be performance based and make use of existing security frameworks—no reinventing the wheel here. A focus on driving better practices in the cloud industry is also evident.

Update Federal response plans

You can expect better processes should you need to contact Federal authorities after a cyber incident, with the aim of creating a “unified, coordinated, whole of government response” with organisations able to quickly and easily find out who to contact, and when. The National Cyber Incident Response Plan (NCIRP) will be updated through this work, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require specific entities in critical infrastructure sectors to report incidents to CISA “within hours”.

Disruption of criminal gangs

Engaging the private sector in disruption activities

The Government wants to combine the “unique insights and capabilities” of the private sector with the ability to take decisive action by Federal agencies. There’s a strong desire here to have private sector partners organise through non-profit organisations serving as hubs for operational collaboration with the Federal government.

Virtual collaboration platforms will be used for these activities and information sharing processes, with the Government looking after the necessary security requirements and records management activities. In other words: if your organisation casts a wide security net, gathers data on attempted attacks, blocks and catches interesting files, wards off ransomware, and spots dubious network traffic, then there’s something approaching an Avengers initiative waiting in the wings.

Shape market forces

Promoting privacy and the security of personal data

Making large organisations accountable for failing to be responsible stewards of data is a key thread running throughout the strategy document. This is because the costs are often passed on to everyday people, with the biggest impact being felt on vulnerable populations.

Internet of Things devices can expect to fall under “IoT security labelling programs”, which will allow consumers to compare security protections offered by devices. The idea here is to create a market incentive for better security across the IoT space, but this is reliant upon people understanding that these labels exist, and what they mean in practice.

Shifting liability for software products and services to promote secure development practices

If you know someone who works for an organisation playing fast and loose with data, security practices, and compliance, they should be warned: there’s a liability storm coming. The Administration is going to be working with Congress and the private sector to develop legislation establishing liability for software products and services, along with a “safe harbour” for those securely developing and maintaining products and services.

Investing in a resilient future

Develop a national strategy to strengthen our cyber workforce

The hundreds of thousands of vacancies in cybersecurity positions nationwide are a sore point for this Administration. If you’re short on security workers yourself, then the proposed development of a National Cyber Workforce and Education Strategy may be what you’ve been looking for. Critical infrastructure is once again a key talking point, and it aims to improve hiring among underrepresented groups of candidates. This plan aims to make use of several already existing schemes, and also take inspiration from successful hiring practices in other nations.

What’s the response so far?

There is some criticism for the plans, mainly on the basis that plans come and go but rarely manage to keep pace with the actual speed of changing technological threats. As Bloomberg Law points out, the plan itself has no regulatory teeth and it’s now mainly up to various agencies to take the ball and run with it in terms of making new changes.

New strategies for tackling cybercrime and protecting critical infrastructure are always welcome, but it remains to be seen how much practical impact the Biden Administration’s 2023 National Cybersecurity Strategy will have over the next few years.


Intel CPU vulnerabilities fixed. But should you update?

Microsoft has released out-of-band updates for information disclosure vulnerabilities in Intel CPUs. The normal gut reaction would be to install out-of-band updates as soon as possible. Microsoft wouldn’t be releasing the updates ahead of the regular cycle without good reason, would it?

Well, maybe there are good reasons, but the number of users that would have to worry about these vulnerabilities is relatively small. And there are known performance issues related to applying the updates or disabling the Intel Hyper-Threading Technology. So please read on before you rush to update your system(s).

The vulnerabilities

Microsoft issued a security advisory about these vulnerabilities on June 14, 2022. Intel’s advisory about the same four vulnerabilities came out the same day, which raises the question of why it took so long to release the updates. We can only speculate that a lot of time was spent working out how to address these vulnerabilities most effectively.

The vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities. In shared resource environments (for example in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. Under normal circumstances, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The MMIO CVEs are listed as:

The underlying cause of these vulnerabilities is that virtual machines (VMs) share a portion of the physical processor (CPU). MMIO uses the processor’s physical-memory address space to access I/O devices that respond like memory components. Because of incomplete cleanup in certain special register read and write operations, or in shared buffers, an authenticated user with local access could potentially read data that belongs to another context.

There is a long list of affected processors which shows the impact of transient execution attacks and select security issues on currently supported Intel® products, including recommended mitigation where affected.

Should you update?

As with many threats, the risk you are running depends very much on your threat model. If you are not running virtual machines in shared environments, I wouldn’t worry about these updates. If you are, the ball is largely in the cloud provider’s court, since it is their physical machines that may or may not have the affected CPUs.

If any action needs to be taken on your end, I would consider it their duty to let you know what needs to be done.

Mitigation for these vulnerabilities includes a combination of microcode updates and software changes, depending on the platform and usage model. Microcode updates should be issued by the original equipment manufacturer (OEM). For more information, see INTEL-SA-00615.

Microcode is the name for the internal code that implements support for the processor’s instruction set.

The Windows updates are being released as manual updates in the Microsoft Update Catalog:

Another option is to disable Intel Hyper-Threading, although we need to note that Hyper-Threading improves overall performance for applications that benefit from more logical processors. Disabling it may therefore have a negative performance impact, depending on how the system is used.

According to VMware, ensuring that no virtual machine has a PCI passthrough (VMDirectPath I/O) device configured is a viable workaround that will prevent exploitation. VMDirectPath I/O allows a guest operating system on a virtual machine to directly access physical PCI and PCIe devices connected to the host.
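
The advice in this section is Windows-centric, but the same three questions (is the microcode in place, is Hyper-Threading on, and do you share cores with guests you don’t trust) decide the risk on a Linux hypervisor host too. The following is an added example, not code from Microsoft, Intel or VMware: it reads the mitigation status the Linux kernel exposes in sysfs and turns it into a verdict using the threat-model reasoning from the text. It assumes a kernel that reports this vulnerability class at /sys/devices/system/cpu/vulnerabilities/mmio_stale_data (kernels carrying the June 2022 fixes) and SMT state at /sys/devices/system/cpu/smt/active; the status strings in the examples are constructed samples in the format those files use, and the shares_cores_with_untrusted flag is something you must answer yourself, since no file on the host knows it.

```python
"""
Check a Linux hypervisor host's MMIO stale-data mitigation state.

Added example, not code from Microsoft, Intel or VMware. It assumes a kernel
that exposes the mitigation in sysfs at
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data and SMT state at
/sys/devices/system/cpu/smt/active. The status strings passed to assess()
are constructed samples that follow the format of that sysfs file.
"""
from pathlib import Path

MMIO_STATUS = Path("/sys/devices/system/cpu/vulnerabilities/mmio_stale_data")
SMT_ACTIVE = Path("/sys/devices/system/cpu/smt/active")


def assess(status: str, smt_active: bool, shares_cores_with_untrusted: bool) -> dict:
    """Turn the raw sysfs status line into a risk level and a next step.

    shares_cores_with_untrusted models the threat-model point from the text:
    the bug matters when a core is shared with VMs (or local code) you do not
    trust, so a single-tenant box with stale microcode is low priority.
    """
    status = status.strip()
    verdict = {"status": status, "smt_active": smt_active,
               "risk": "low", "action": "none"}
    if status.startswith("Not affected"):
        verdict["risk"] = "none"
    elif status.startswith("Unknown"):
        verdict["risk"] = "unknown"
        verdict["action"] = "kernel does not report this class; update the kernel, then re-check"
    elif not shares_cores_with_untrusted:
        verdict["action"] = "apply the microcode update in the next maintenance window"
    elif status.startswith("Vulnerable"):
        # either no mitigation at all, or the kernel tries to clear buffers
        # but the CPU lacks the microcode that gives the clearing any effect
        verdict["risk"] = "high"
        verdict["action"] = "install the OEM microcode update (INTEL-SA-00615) and reboot"
    elif "SMT vulnerable" in status or smt_active:
        # buffers are cleared at privilege transitions, but a sibling
        # hyperthread can still sample them: this is the disable-HT trade-off
        verdict["risk"] = "medium"
        verdict["action"] = ("disable Hyper-Threading or stop co-scheduling "
                             "untrusted guests on shared cores")
    return verdict


def read_sysfs(path: Path, default: str) -> str:
    """Read a sysfs file, falling back when the kernel does not expose it."""
    try:
        return path.read_text().strip()
    except OSError:
        return default


def assess_host(shares_cores_with_untrusted: bool = True) -> dict:
    """Assess the machine this runs on (Linux only; elsewhere reports Unknown)."""
    return assess(read_sysfs(MMIO_STATUS, "Unknown: No mitigations"),
                  read_sysfs(SMT_ACTIVE, "0") == "1",
                  shares_cores_with_untrusted)


if __name__ == "__main__":
    print(assess_host())
```

Run it on the host, not in a guest: inside a VM the file reports the guest kernel’s view, and whether the physical core is shared is exactly the thing the guest cannot see, which is why the text says the cloud provider has to tell you.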

Sometimes Microsoft really fails in providing a clear explanation about who needs to install an update, or even about how to do it. We get that it’s complicated when there are other vendors and OEMs involved, but referring users to highly technical third-party sites isn’t very helpful.

We do hope we have at least made clear that most of you do not have to worry about these.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

A week in security (February 27 – March 5)

Last week on Malwarebytes Labs:

Stay safe!


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

YouTube under fire for allegedly gathering children’s data

The UK’s children’s code, introduced three years ago by the Information Commissioner’s Office (ICO), is all about ensuring that companies make children’s privacy a primary consideration when creating sites and services, games, and toys. The code, also known as the Age Appropriate Design Code (AADC), may now be stepping into the digital privacy ring. Duncan McCann, who works for child advocacy group 5Rights, has lodged a complaint with the ICO about YouTube.

The Children’s code applies to UK-based companies and also companies outside the UK involved in processing the personal data of UK children. In short, if an app or website is likely to be accessed by children, then there’s a good chance the code applies.

The complaint focuses on how YouTube collects children’s data and alleges that it is being handled poorly. If the allegations are true we could see the ICO ordering Google to stop collecting the data, and Google could be in line for a large fine.

McCann claims that YouTube has broken the law by collecting “the location, viewing habits and preferences” of up to five million children. He wants YouTube to change how the platform is designed, and to delete the data it has gathered. The Guardian also mentions that another part of the complaint asks the ICO to consider ordering YouTube to roll back or delete any machine learning systems trained on this data.

That’s quite the request, and McCann says that the ICO has three months to let him know whether or not it will take on the investigation.

Children under 13 are, in theory, banned from using YouTube, and are supposed to use YouTube Kids instead, which is stricter about data collection. For example, there are no personalised ads on YouTube Kids, and no sensitive video categories. This is not the case on the main site. You may have seen for yourself how easily videos on YouTube that are about one thing autoplay their way into content about something quite different, including content that is not suitable for those under 13.

Child data is a recurring topic for Google. Back in 2019, YouTube was fined $170m for collecting children’s data without their parents’ consent.

Setting up YouTube Kids

If your children are making use of YouTube Kids, it’s a good idea to check out some of the security and privacy settings available to you. Assuming you are signed in, you can:

  • Block channels. If there’s some YouTube Kids approved content which you’re still not happy with, this is the way to go.
  • Enable specific content. If you want control over every aspect of viewing behaviour, you can force YouTube Kids to display only content which you’ve personally approved for viewing.
  • Turn off the search feature. Although in theory nothing bad should come up via search in YouTube Kids, you can still turn this off if needed. Do this by changing the “Allow Searching” option to “Off” in Settings.
  • Disable Autoplay. Again, this feature shouldn’t result in content you wouldn’t want randomly popping up. Even so, the option is there should you desire it. Change this setting by clicking your profile picture, selecting “Settings”, then “Parental Settings”. Select the child’s account, and then change “Disable autoplay” to “On”.
  • Review watch history. You can pull up a list of watched videos through the “Watch it Again” option at the top of the home screen on a tablet, or, on a desktop or laptop, by selecting the child’s profile picture and navigating to the same option.


LockBit ransomware demands $2 million for Pierce Transit data

The Pierce County Public Transportation Benefit Area Corporation (Pierce Transit) has fallen victim to a cyberattack using LockBit ransomware. Pierce Transit is a public transit operator in Washington state.

The attack began on February 14, 2023, and required Pierce Transit to implement temporary workarounds, to maintain the service of the transit system which transports around 18,000 people every day.

Based on the number of known attacks, LockBit has been the most widely used ransomware-as-a-service (RaaS) for some time now. It accounted for almost a third of all known RaaS attacks last year, peaking at almost half of all known ransomware attacks in September 2022. The largest ransom demand it made in 2022 was a staggering $50 million. And it hasn’t tempered its ambitions in 2023: last month it tried to get $80 million out of the UK’s Royal Mail, but was politely shown the door by its negotiator.

On February 28, the LockBit ransomware group published details of the attack on Pierce Transit, along with a public demand for just shy of $2 million in return for the stolen data. Publishing data like this is normally a sign that negotiations have broken down or that the victim does not intend to pay. The ransomware group claims to have stolen contracts, client information, non-disclosure agreements, correspondence, and more, all of which are now on sale.

The eye-watering ransom demand is just one of the costs of an attack like this. Even if a ransomware victim pays for a decryption key, it takes time to restore systems and the total damages are almost always a multiple of the ransom.

According to The Record, the incident has been reported to law enforcement agencies, and forensic experts were brought in to investigate the nature and scope of the event. If it turns out that LockBit managed to steal and leak client information, the company intends to let those affected know. A spokeswoman stated:

“We are dedicated to informing our community, as appropriate, as our inquiry progresses.”

The majority of its operations have now been fully restored and Pierce Transit says it plans to implement new cybersecurity monitoring tools and security measures.

Public transportation is an essential service and any long-term disruption of its internal networks could have a devastating effect on the people who rely on it to get to school, their work, or medical appointments.

Thankfully, Pierce Transit managed to keep operations going, but undoubtedly there will be financial losses resulting from system failure and damage restoration in the short- and long-term.

Ransomware-as-a-service is the most lucrative and dangerous form of cybercrime. Individual attacks can bring entire organizations to a halt and raise multi-million-dollar ransoms. You can learn more about LockBit and the danger it poses to your organization in our 2023 State of Malware report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.
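The “Detect intrusions” and “Stop malicious encryption” points above say that a detection product should combine several techniques, but not what those techniques look like. The following is an added example, not code from Malwarebytes or any EDR product, of the kind of behavioural heuristic such products weigh: one process writing a burst of files, the written content being near-random (encrypted output has close to 8 bits of entropy per byte), and the files being renamed to an extension nothing on the system normally uses. Each signal alone misfires (a backup job writes a high-entropy archive; a build writes many files quickly), so the verdict requires all three. The event format, thresholds, process IDs, paths, the `.locked` extension and the sample events are all constructed for this illustration:

```python
"""Toy behavioural ransomware detector run over constructed file-activity events.

Added example, not code from Malwarebytes or any EDR product. The event
format, thresholds, process IDs, paths and payloads are assumptions made
for this illustration.
"""
import math
import os
from collections import defaultdict

WINDOW_S = 10.0            # sliding window for counting writes
MIN_BURST = 8              # writes within one window that count as a burst
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext sits near 8.0
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".zip", ".log"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for an empty buffer, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_burst(times, window=WINDOW_S) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def score_events(events):
    """events: iterable of (time_s, pid, op, path, payload) where op is "write"
    (payload = bytes written) or "rename" (payload = new path).
    Returns {pid: {...per-signal counts..., "flagged": bool}}."""
    per_pid = defaultdict(lambda: {"writes": [], "high_entropy": 0, "ext_changes": 0})
    for t, pid, op, path, payload in events:
        s = per_pid[pid]
        if op == "write":
            s["writes"].append(t)
            if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
                s["high_entropy"] += 1
        elif op == "rename":
            new_ext = os.path.splitext(payload)[1].lower()
            if new_ext and new_ext not in KNOWN_EXTS:
                s["ext_changes"] += 1
    results = {}
    for pid, s in per_pid.items():
        n = len(s["writes"])
        burst = max_burst(s["writes"])
        he_frac = s["high_entropy"] / n if n else 0.0
        # All three signals must agree before a process is flagged.
        flagged = bool(burst >= MIN_BURST
                       and he_frac >= 0.8
                       and s["ext_changes"] >= MIN_BURST // 2)
        results[pid] = {"writes": n, "burst": burst,
                        "high_entropy_fraction": round(he_frac, 2),
                        "ext_changes": s["ext_changes"], "flagged": flagged}
    return results


# Constructed payloads: every byte value exactly 4 times gives 8.0 bits/byte and
# stands in for ciphertext; repeated English text comes out well under 5.
HIGH = bytes(range(256)) * 4
LOW = b"The quick brown fox jumps over the lazy dog. " * 20


def sample_events():
    """Constructed activity for three processes (not captured from a real system)."""
    ev = []
    for i in range(12):                       # pid 4242: encryptor-like behaviour
        t = 100.0 + i * 0.25
        p = f"C:/Users/alice/Documents/report{i}.docx"
        ev.append((t, 4242, "write", p, HIGH))
        ev.append((t + 0.1, 4242, "rename", p, p + ".locked"))
    ev.append((100.0, 777, "write", "D:/backup/2023-03-01.zip", HIGH * 16))  # pid 777: one archive
    for i in range(20):                       # pid 910: noisy but benign log writer
        ev.append((100.0 + i * 0.1, 910, "write", f"C:/build/step{i}.log", LOW))
    return ev


if __name__ == "__main__":
    for pid, r in score_events(sample_events()).items():
        print(pid, r)
```

Only pid 4242 is flagged: the backup process trips the entropy signal but writes one file and renames nothing, and the log writer trips the burst signal but writes low-entropy text. Real products add signals this toy omits, such as canary files, deletion of volume shadow copies and process lineage, and they act on the verdict by suspending the process rather than just reporting it.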
