IT NEWS

Europe threatens to ban Facebook over data transfers to the US

If regulators have their way, data transfers from Facebook and Instagram between Europe and the United States could stop this summer. (WhatsApp, another Meta service, will not be affected by the decision as it has a different data controller within Meta.) This could force Meta, Facebook’s parent company, to undergo some radical changes with the way it handles data from Europe, such as setting up local data centers. Otherwise, it will have no choice but to pull out of Europe.

The Irish Data Protection Commission (DPD) sent a draft of its final decision on Thursday to its European counterparts regarding banning Meta from receiving user data from Europe.

A Meta spokesperson told the Telegraph, “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.”

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

Ireland is the country overseeing Facebook’s data practices as it is Facebook’s legal headquarters in Europe. Any ruling in Ireland would apply to all of Europe.

In 2020, the Court of Justice of the European Union (CJEU) repealed the EU-US Privacy Shield, a legal framework regulating the transatlantic transfer of European data to the US, calling it invalid as it failed to keep European personal data from being excluded from US surveillance. This event is commonly known as the Schrems II case.

However, data from the EU to the US continue to flow. While the CJEU annulled Privacy Shield, it also confirmed the legitimatimacy of the Standard Contractual Clauses (“SCCs”), which Facebook (and other US businesses) used as an alternative to lawfully transfer data from the EU to the US. Should the regulators’ decision become final, Meta will be forced to stop relying on the SCC as well.

“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesperson told SiliconRepublic.com. “A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

In an interview with The Telegraph, Max Schrems, the privacy campaigner responsible for Privacy Shield getting binned, expected Facebook to use the Irish legal system to delay the implementation of the data transfer ban. He also added that Irish police would need to “physically cut the cords before these transfers actually stop”.

The post Europe threatens to ban Facebook over data transfers to the US appeared first on Malwarebytes Labs.

A week in security (July 4 – July 10)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (July 4 – July 10) appeared first on Malwarebytes Labs.

Microsoft appears to be rolling back Office Macro blocking

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are not being treated as expected in Office.

The shifting sands of macro blocking

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

Is it just me or have Microsoft rolled this change back on the Current Channel?

I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.

Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.

It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

Waiting for more information

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

…based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

North Korean APT targets US healthcare sector with Maui ransomware

State-sponsored North Korean threat actors have been targeting the US Healthcare and Public Health (HPH) sector for the past year using the Maui ransomware, according to a joint cybersecurity advisory (CSA) from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

CISA Director Jen Easterly also announced the CSA on Twitter.

The FBI started responding to incidents involving Maui in May 2021. This ransomware, which threat intelligence firm Stairwell first profiled, is relatively new.

North Korean state-sponsored cyber-actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

– CSA Alert (AA22-187A)

Unlike the ransomware we usually see, that plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately for state-backed actors.

Most notably, attackers operate Maui manually. This is on purpose, so attackers have more control over which files to encrypt when Maui is executed.

“When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters,” Stairwell Principal Research Engineer Silas Cutler wrote in the report. “The only required argument is a folder path, which Maui will parse and encrypt identified files.”

“Embedded usage instructions and the assessed use of a builder is common when there is an operational separation between developers and users of a malware family.”

Maui also has other unusual features—it doesn’t drop a ransom note, and uses a three-layer encryption methodology reminiscent of Conti and ShiOne.

“Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from containing the results of its execution. These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling,” Cutler said.

The FBI shared the indicators of compromise (IOCs) in its advisory.

Malwarebytes detects Maui ransomware as Ransom.Maui.

Dealing with Maui ransomware

The advisory also provides mitigation steps organizations can to prepare for, or deal with attacks using Maui ransomware. Thankfully, although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:

  • Maintain off-site, offline backups of data and test them regularly.
  • Create a cybersecurity response plan.
  • Keep operating systems, applications, and firmware up to date.
  • Disable or harden remote desktop protocol (RDP).
  • Require multi-factor authentication (MFA) for as many services as possible.
  • Require administrator credentials to install software.
  • Report ransomware incidents to your local FBI field office.

The various agencies involved also made it clear, once again, that they strongly discourage victims from paying ransoms. It does not guarantee you will get your data back, does not free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.

Stay safe!

The post North Korean APT targets US healthcare sector with Maui ransomware appeared first on Malwarebytes Labs.

4 ways businesses can save money on cyber insurance

So, your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

Indeed, with liability limits ranging from $1 million to $5 million or more, cyber insurance policies can cover a good chunk of the damage caused by a data breach.

But if you’re looking to apply for cyber insurance, there’s a few things you should know first—especially if you want the lowest possible premium. 

Here are four ways your business can save money on its insurance.

How is cyber insurance priced?

Before we dive in any futher, it’s important to understand how cyber insurance policies are priced to begin with.

A 2019 paper published to the Journal of Cybersecurity analyzed over 235 cyber insurance policies from New York, Pennsylvania, and California, as well as policies posted publicly on carriers’ websites. They found that cyber insurance companies price their policies one of in four ways:

  • Base rate. Insurers provide a base premium based on your organization’s annual revenues or assets (or number of employees/students). The basic logic is that more revenue equals more risk, therefore higher premiums, and vice versa.
  • Base rate with security questions. Insurers look at your organization’s security posture to determine the final premium pricing. This was by far the most widely-used approach by insurers (57 percent of policies analyzed). 
  • Fixed rate. Insurers provide a fixed rate regardless of firm or industry. This was most common for smaller businesses.
  • Fixed rate with hazard groups. This is the same as fixed rate, but with a single modifier based on the amount of perceived risk a business has (such as how much sensitive information is stored on its website). Again, typical for small businesses.

How to save money on cyber insurance 

While it’s clear that the size of your business and the industry you’re in can affect costs, still a large portion of cyber insurance providers are looking at your security to determine premiums. 

So, what are some of the security controls that can lower your premium? 

For this article, we looked at security tips from the top five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say. 

1. Use multi-factor authentication (MFA)

Did you know that, according to Verizon’s 2022 Data Breach Investigations Report, 50 percent of data breaches start with stolen credentials? 

Given this statistic, it’s no surprise that using multi-factor authentication (MFA) could signal to cyber insurers that you’re less of a risk. By requiring you to use multiple forms of authentication, MFA makes it much more difficult for threat actors to pull off brute force attacks, or to use stolen passwords.

2. Implement a cybersecurity training program

If stolen credentials are the most common initial attack vector in data breaches, then phishing is a close second—accounting for about 17 percent of all data breaches, according to the same Verizon report.

This is why implementing a cybersecurity training program for your employees is so important. 

A good training program should inform employees about common threats such as email phishing, spear phishing, and other common social engineering attacks. Cyber insurers are likely to view the implementation of such programs as a mark of high security maturity.

3. Disable Remote Desktop Protocol (RDP) services

In about 50 percent of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a study by Palo Alto Networks.

RDP is a network communications protocol that allows users to remotely control their devices. Commonly used by remote workers, RDP is also used by IT staff to troubleshoot problems on employees’ devices.

However, hackers can easily search for computers that use RDP and them use a brute force attack to try to guess the password—and from there, they can carry out a ransomware attack. 

Securing RDP with best practices, such as following the principle of least privilege, removes a potential point of access for hackers. Read our article on how to protect RDP for more tips.

4. Deploy Endpoint Detection and Response (EDR)

According to Ponemon’s 2020 State of Endpoint Security Risk report, the average financial loss from endpoint attacks was almost $9 million in 2019.

Not surprisingly, then, both Travelers and Axis cyber insurance explicitly mention endpoint protection as an important prevention measure.

Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. Learn more about how EDR can help secure your business.

Better security means better savings

Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. In this article, we explained how cyber insurance policies are typically priced, and how your organization’s assessed security posture is a prime consideration for many insurers. 

We also outlined four key processes and technologies that makes you a much more challenging target to attack, and consequetly a considerably less risky proposition for cyber insurers.

With Malwarebytes Endpoint Detection and Response, you can show cyber insurance companies you’re prepared to handle a cyberattack. To find out more, read how Mike Carney Toyota saved on cyber insurance by deploying Malwarebytes EDR.

The post 4 ways businesses can save money on cyber insurance appeared first on Malwarebytes Labs.

Tech support scammers caught by their own cameras

A Youtuber has hacked into the CCTV cameras of an office used by tech support scammers and reported them to the police. The video feed of what is going on in that office ends with the arrest of the scammers.

CCTV

The Youtuber, acting under the handle Scambaiter, turned his attention to Punjab in India to spy on a group of Tech Support scammers.

“Scambaiting” means scamming the scammers, often by pretending to take their bait and wasting their time. The reasoning is that while the scammer is busy trying to reel the scambaiter in, they don’t have time to victimize someone else. Which makes it doing a good deed while having some fun.

Scambaiter, goes a little further than simply wasting scammers’ time. He has amassed almost 1.5 million YouTube followers by “hacking back” against the scammers and exposing where and how they work—in this case by using the scammers’ own CCTV cameras against them.

Scambaiter also hacked into some of the systems the scammers were using to defraud US citizens out of thousands of dollars. So, besides footage of the scammers, his hack also included taking screenshots from the laptops that the scammers were using while “at work”.

One thing that jumps out is that this is a very small and badly secured organization. Which came in handy because it enabled Scambaiter to show us several sides of the operation.

The video

Scambaiter condensed a weeks’ worth of footage into a 20 minute clip. In the beginning we see the scammers at work, posing as Best Buy’s Geek Squad tech support employees.

We get a good look at how these scammers are organized and how they operate. If you didn’t know they were talking people out of their money for non-existent services, it would look like any other, legitimate, office.

During the video Scambaiter explains how he found information about the scammers and their physical location, until he had gathered enough evidence to convince the local police to spring into action.

At the end of the CCTV footage you can see the police officers enter the building, shut down the electricity on two floors, and arrest five of the main scammers.

Scambaiter then concludes the video with a police report stating the charges against the scammers, and a selection of the media coverage about the incident.

Follow the rules

In case you want to take part in the fun the past we have posted a guide to get back at spammers safely.

Even though the video by Scambaiter has a happy end, it is important to understand that what Scambaiter did is just as illegal as the Tech Support scammers’ activity. Hacking into computer systems is illegal unless you are equipped with permission (say, the terms of a bug bounty) or a warrant, even if the victims are criminals and the hacking is in a good cause.

Stay safe, everyone!

The post Tech support scammers caught by their own cameras appeared first on Malwarebytes Labs.

How the FBI quietly added itself to criminals’ instant message conversations

Motherboard has disclosed some information about Operation Trojan Shield, in which the FBI intercepted messages from thousands of encrypted phones around the world. These messages are now used in courts across the world as corroborating evidence.

Operation Trojan Shield

The US Federal Bureau of Investigation (FBI), the Dutch National Police (Politie), and the Swedish Police Authority (Polisen), in cooperation with the US Drug Enforcement Administration (DEA) and 16 other countries, carried out one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities with the support of Europol.

We wrote about the 800 arrests that were made with the help of the backdoored phones. Law enforcement agencies around the world have long campaigned for encryption backdoors, so they can see what criminals are saying to each other. End-to-end encryption hides the content of messages from unauthorized readers, so that only the sender at one end and the receiver at the other end (or, more precisely, the sending and receiving devices) can read the content.

Unable to break the encryption of messages as they pass from one device to another, the FBI and the Australian Federal Police (AFP) came up with an ingenious plan. They decided to put themselves on the sending and receiving devices, by creating a phone they could eavesdrop on, and then marketing it to criminals as a secure device ideally suited to the demands of organized crime.

To that end, the FBI became secretly involved in An0m, a company that was working on an early version of an app to enable end-to-end encrypted communication.

New information

Despite several requests from defense lawyers on behalf of some of the arrested suspects, the source code of An0m was kept secret. When asked for comment, the San Diego FBI told Motherboard in a statement that

“We appreciate the opportunity to provide feedback on potentially publishing portions of the Anom source code. We have significant concerns that releasing the entire source code would result in a number of situations not in the public interest like the exposure of sources and methods, as well as providing a playbook for others, to include criminal elements, to duplicate the application without the substantial time and resource investment necessary to create such an application. We believe producing snippets of the code could produce similar results.”

By buying an An0m device from the secondary market after the law enforcement operation was announced, and a copy of the An0m APK as a standalone file, Motherboard started digging into the code.

Without revealing much of the source code, to protect various contributors that very likely had no idea what they were working on, the decompiled source code is described as if it was thrown together in a hurry. Apparently the app was based on an existing messaging app, and freely available online tools were added to complete the intelligence gathering capabilities.

An extra end

What does become clear form the revealed code is how the law enforcement agencies were able to eavesdrop on the end-to-end encrypted messages. They simply added an extra end to each conversation. You could compare this to a BCC contact in an email. Only in this case both the sender and the receiver had no idea that there was another end that was able to read the encrypted messages.

The app uses Extensible Messaging and Presence Protocol (XMPP), an open communication protocol designed for instant messaging, presence information, and contact list maintenance. XMPP works by having each contact use a handle that in some way looks like an email address. For An0m, these included an XMPP account for the customer support channel that An0m users could contact. Another of these was “bot”. And bot was a hidden or “ghost” contact that made copies of Anom users’ messages. Unlike the support channel, bot hid itself from Anom users’ contact lists and operated in the background. In practice the app scrolled through the user’s list of contacts, and when it came across the bot account, the app filtered that out and removed it from view so the end users could not see they were sending extra copies to a third party.

The post How the FBI quietly added itself to criminals’ instant message conversations appeared first on Malwarebytes Labs.

YouTube AI wrongfully flags horror short “Show for Children” as suitable for children

When content creators flag one of their own videos as inappropriate for children, we expect YouTube’s AI moderator to accept this and move on. But the video streaming bot doesn’t seem to get it. Not only can it prevent creators from correcting a miscategorization, its synthetic will is also final—no questions asked—unless the content creator appeals.

This is precisely what happened to Kris Straub, creator of the horror series Local58TV on YouTube. When he checked his account over the weekend, he spotted YouTube’s AI had erroneously marked his 3-minute video, “Show For Children”, as “Made for kids” under its “Policy reason”.

Per YouTube, “Made for kids” means:

This content has been set as made for kids to help you comply with the Children’s Online Privacy Protection Act (COPPA) and/or other applicable laws.

Features like personalized ads and comments are disabled on videos set as made for kids.

Videos that are set as made for kids are more likely to be recommended alongside other kids’ videos.

And YouTube did make it appear along with other child-friendly videos:

show for children
A still captured within the 3-minute clip of “Show For Children”.

Straub didn’t think twice about taking to Twitter to air his disbelief:

Because the video is falsely marked as safe for childred, it could even end up in the “YouTube Kids” app, a separate video service that shows only filtered video clips made for kids from YouTube.

Thankfully, “Show For Children” didn’t appear in YouTube Kids search results when I tested. It’s interesting to note, however, that when I do a search of “Local58TV”, the site shows me pre-filled suggestions, as you can see below:

youtube kids search prefill

Fortunately, YouTube already got back to Straub and resolved the matter. The company also allowed him to mark his video as “not made for kids” when this feature was previously greyed out.

Staud left a question the YouTube team has yet to reply to.

I think we already know the answer to that.

The post YouTube AI wrongfully flags horror short “Show for Children” as suitable for children appeared first on Malwarebytes Labs.

Fake job offer leads to $600 million theft

Back in March, popular NFT battler Axie Infinity lay at the heart of a huge cryptocurrency theft inflicted on the Ronin network. From the Ronin newsletter:

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions. The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

These validator nodes act as a means to prevent criminals making off with lots of money. In order to put together a bogus transaction, they’d need to gain access to 5 out of 9 validator nodes. The successful attack happened over 2 stages.

An unwary employee provided one foot in the door. An unrevoked permission elsewhere kicked it wide open.

The trap is set

According to The Block, everything fell into place thanks to a senior engineer at the game developer. Two inside sources claim the engineer was fooled by a fake job offer. In fact, it seems multiple employees were approached and encouraged to put in applications. Scams originating from LinkedIn accounts are popular at the moment. As it happens, this is where scammers tried to persuade various people on the development team.

One individual is all it took to empty out a big slice of cryptocurrency funds. A job offer made after several interviews was enough to convince the victim to get on board. Perhaps the “extremely generous” compensation package offered should have set off some alarm bells. Having said that, anything digital finance related likely has huge amounts of cash available.

We rate this job offer a 4 out of 5

Unbeknownst to the engineer, everything came crashing down once they received the job offer. A booby-trapped PDF granted the attackers access to Ronin systems, and they were able to compromise 4 out of the required 5 nodes.

Just one node remained to be compromised. How did they do it?

Step up to the plate, non-revoked access. When employees leave an organisation, it’s a good idea to remove access to networks and devices. Unknown entities will happily make use of unattended credentials or permissions. Sure enough, that’s what happened here.

Nudging a node

A Decentralised Autonomous Organization (DAO) is a way for people in a community to make decisions on a project. The developers approached an Axie DAO for assistance with transactions in November 2021. Ultimately, this is where the fifth node compromise starts to take shape. The issue isn’t that the DAO exists. The issue is the permissions granted to the DAO.

From the Substack post detailing the attack:

At the time, Sky Mavis controlled 4/9 validators, which would not be enough to forge withdrawals. The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.

Who takes the blame?

In April, the US Department of Treasury pinned this one on North Korean hacking group Lazarus. Research elsewhere details Lazarus attacks on both the aerospace and defence sector involving bogus job posts. There’s no mention of those attacks having any connection to what happened above. However, the research does highlight further recruitment scams using LinkedIn as the starting point.

Whether you’re operating in a cryptocurrency / web3 realm or not, forgotten permissions could cost you dearly. There’s also the fake job offer approach to consider, too. In recent months we’ve seen other game developers targeted. Deepfakes are now worming their way into the bogus job scene. Malware is rife in this sort of operation, so please be cautious around any promising new offer.

The post Fake job offer leads to $600 million theft appeared first on Malwarebytes Labs.

Report: Brazil must do more to encrypt, back up data

Federal government organisations in Brazil may need to reassess their approach to cyberthreats, according to a new report by the country’s Federal Audit Court. It outlines multiple key areas of concern across 29 key areas of risk. One of the biggest problems in the cybercrime section of the report relates to backups. Specifically: The lack of backups when dealing with hacking incidents.

Backups in Brazil: An uphill struggle

Backups are an essential backstop that can help against several forms of attack, as well as mistakes and mishaps. The most obvious one of those would be ransomware. When networks are compromised and systems are locked up, victims with effective backups can try to restore their systems to a point in time before the attack.

Not having backups leaves victims with very limited options. Assuming the attackers don’t just vanish into the night, the business may decide to pay the ransom and recover the encrypted files. At best, that is a slow, manual process. If things go badly, the decryption tools may be broken and fail to recover data. In some cases, they may not even exist. At this point, an organisation is out of pocket and files.

This is enough to cause showstopping issues for any organisation. And if the affected business performs critical tasks, attacks can have alarming consequences for the community at large. Healthcare and law enforcement are good examples of this.

As a result, getting up to speed on backing up data has become more prominent in recent years. In fact, not just backing up. It’s important that organisations create sensible, organised backups which can be deployed in a crisis. You can’t roll back properly if the files are disorganised and nobody can make sense of which folder goes where.

With this in mind, the statistics don’t make for great reading.

The numbers game

According to the report:

  • 74.6% of organizations (306 out of 410) do not have a formally approved backup policy—basic document, negotiated between the business areas (“owners” of the data/systems) and the organization’s IT, with a view to disciplining issues and procedures related to the execution of backups.
  • 71.2% of organizations that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system.
  • 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information.
  • 60.2% of organizations (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective.

Backing up: Not a guaranteed fix

The report notes that various initiatives already exist to get people talking about the need for both encryption and backing up. While any rise in backup numbers is a good thing, it’s not necessarily going to come close to solving problems.

One of the worst offshoots of standard ransomware attacks in the past few year is the rise of “double extortion”, where ransomware authors steal data before it’s encrypted, and then threaten to release it if the ransom isn’t paid. One of the reasons double extortion attacks came about is precisely because backups don’t work against data leaks.

For organizations that do keep backups, the challenge is how to set them up and maintain them so they do what’s expected, when they are needed most. This is surprisingly difficult.

David Ruiz, host of Malwarebytes’ Lock and Code podcast recently spoke to backup expert Matt Crape, a technical account manager at VMWare, to find out why backups often fail when it really matters, and how to ensure they don’t.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post Report: Brazil must do more to encrypt, back up data appeared first on Malwarebytes Labs.