ransomware

Bad Rabbit Ransomware

October 29th, 2017

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a campaign called Bad Rabbit, which appears to be a variant of the Petya ransomware.

“US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored,” US-CERT stated in an alert. “Using unpatched and unsupported software may increase the risk of proliferation of cyber security threats, such as ransomware.”

Ukraine and Russia appear to be the leading targets. The affected entities include the Russian media groups Interfax and Fontanka, the Kiev Metro, Odessa International Airport and Ukraine’s Ministry of Infrastructure.

According to Sophos researchers, Bad Rabbit is distributed through media websites that prompt visitors to install a fake Adobe Flash update.

“Once it infects a computer, the ransomware attempts to move laterally using a list of hardcoded credentials, featuring predictable user names such as root, guest and administrator, and passwords straight out of a worst passwords list,” Sophos’ Bill Brenner wrote. “Another reminder, if one were needed, that all of your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.”

STEALTHbits Technologies vice president of product strategy Gabriel Gumbs noted that the ransomware also uses the open-source tool Mimikatz to harvest credentials.

“This could simply be to widen its reach internally for the purpose of further encrypting the files of users with elevated privileges, it may be used to hide inside compromised networks, or the ransom itself could be a decoy from the attack’s real purpose,” Gumbs said. “What we can definitively say today is the only reason you would package Mimikatz with ransomware is for the purpose of further exploiting internal networks — not simply to ransom files.”

VASCO Data Security CISO Christian Vezina said it is important to keep in mind that Bad Rabbit uses social engineering tactics to spread. “By teaching your users not to simply click on any link that is presented to them, you may be able to limit your exposure,” he added.

David Zahn, general manager of the cybersecurity business unit at PAS, said the ransomware is a serious threat to critical facilities. “The engineers who manage the industrial control systems that are at the heart of critical infrastructure — namely power generation, oil and gas, and more — are chiefly concerned with maintaining reliability and process safety,” he said. “Ransomware presents a particular risk to both as encrypted systems in a facility can mean loss of view into volatile processes or production disruptions.”

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted.

Malicious email and data breach

May 11th, 2016

Mayfield Brain and Spine may have suffered a data breach caused by malicious emails, and has notified some patients about the healthcare ransomware incident. According to the OCR breach reporting tool, the breach affected 23,341 individuals.

In its statement, Mayfield Brain and Spine said that an unauthorized party accessed an account belonging to an outside vendor. After accessing the vendor’s database, the attacker sent a fraudulent email. The modus operandi was simple: when recipients opened the attachment, malware was downloaded.

“The vendor receives only email addresses from Mayfield,” said Mayfield Clinic Inc.’s Vice President of Communications Thomas Rosenberger. “No other health or financial information is shared. In this incident, no Mayfield systems were involved, and no patient health or financial information was compromised.”

The facility works with the vendor to email Mayfield information, such as newsletters, educational information, invitations, and announcements. The vendor also sends these emails to patients, business associates, event attendees, website contacts, and other people associated with Mayfield Clinic Inc.

“Mayfield’s first priority is always the well-being of our patients. Once we learned of the incident, we immediately communicated with recipients by email, by social media, and on our website, including both notification and instructions on how to remove the virus.”

Mayfield Brain and Spine guided recipients to resolve the issue by downloading free software to remove the malware. It has also collaborated with the vendor’s compliance office to analyze the situation, and is working with a computer virus protection service to neutralize the virus.

“We are continuously monitoring the situation,” continued Rosenberger. “With all of the action taken to date, we do not believe that recipients of the fraudulent email need to take any additional steps at this time.”

According to the statement:

Mayfield Brain & Spine is the full-service patient care provider of the Mayfield Clinic, one of the nation’s leading physician organizations for neurosurgical treatment, education, and research. With more than 20 specialists in neurosurgery, interventional neuroradiology, physical medicine and rehabilitation, and pain management, Mayfield Brain & Spine treats 20,000 patients from 35 states and 13 countries in a typical year. Mayfield physicians specialize in the treatment of back and neck pain, sciatica, Parkinson’s disease, essential tremor, NPH, epilepsy, brain and spinal tumors, stroke, moyamoya, brain aneurysms, Chiari malformation, scoliosis, kyphosis, facial pain, facial twitch, trauma, concussion, spinal cord injury, and carpal tunnel. As leading innovators in their field, Mayfield physicians have pioneered surgical procedures and instrumentation that have revolutionized the medical art of neurosurgery for spinal diseases and disorders, brain tumors, and neurovascular diseases and disorders.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Ransomware and Data Breach

April 21st, 2016

“Is ransomware considered a health data breach under HIPAA?” That question is explored in a recent Forbes article by Dan Munro, who covers the healthcare and compliance domains.

According to the prevailing view he describes, a ransomware attack should not be considered a data breach under HIPAA’s PHI disclosure rules; the real concern is the message of lax security that it broadcasts to cyber-criminals around the world. Dan believes otherwise.

In his view, ransomware attacks should be treated as unauthorized exposures of private information, the same as the outright theft of a laptop, desktop, or server.

According to the records of the Office for Civil Rights (OCR), there were more than 300 disclosed healthcare breaches in 2015. One-third were due to the loss or theft of equipment such as a laptop, desktop, server, or other portable electronic device.

The report also states that more than 100 of the disclosed breaches were due to attacks such as ransomware, affecting hundreds of thousands of records. Records in the hands of criminals are considered a breach.

HIPAA rules require that notification letters be sent to affected individuals, because the systems and the PHI are no longer under the control of the healthcare provider.

Ransomware Attacks

Types of Ransomware –

Some attacks take control of a machine and lock it down, blocking access for legitimate users. The system is unlocked only after the ransom is paid; until then it is clearly under the criminals’ control.

Some attacks involve remote access control by the criminal, who waits for a Bitcoin payment before unlocking and reconfiguring the system.

The most common form of ransomware is software that encrypts certain important files with a password known only to the attacker. It reads the files, encrypts them, and writes the encrypted versions back in the same place. Once payment is made, the files are unlocked.
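Because this form of ransomware overwrites documents in place, the files keep their names but their content changes from readable text to ciphertext, which is statistically close to random bytes. A defender can use that property to spot affected files: plaintext documents have low byte entropy, ciphertext sits near 8 bits per byte. The scanner below is an added example, not code from the original post; the threshold value and the sample files it builds are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed threshold (bits of entropy per byte): natural-language text and
# source code usually sit around 4-6, ciphertext from a modern cipher near 8.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when a sample is long enough to judge and its entropy is ciphertext-like."""
    return len(data) >= 64 and shannon_entropy(data) >= threshold


def scan_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return sorted paths of files under `root` whose first 4 KiB look encrypted.

    Only the head of each file is read so the scan stays cheap on large trees.
    """
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_encrypted(head, threshold):
                flagged.append(path)
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed sample data: one untouched plaintext report and one file
    whose name is kept but whose content has been replaced by random bytes,
    standing in for a document encrypted in place."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly maintenance report for the pumping station.\n" * 40)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(os.urandom(4096))  # stand-in for ciphertext
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_directory(sample_root):
        print("looks encrypted:", hit)
```

Entropy alone is a coarse signal: compressed formats (zip, jpeg, docx, pdf streams) are also high-entropy, so in practice the check is combined with other evidence such as a burst of files changing within minutes or documents that no longer parse as their declared type.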

Nowadays, ransomware attacks to extort money are on the rise.

“There’s more and more documented evidence that this is going on,” says Ori Eisen, founder and chief innovation officer of fraud prevention company 41st Parameter. “It’s more prevalent in the United Kingdom, which is sort of a staging or testing ground. It’s starting there and getting more momentum.”

————————————————————————————————————————————————————-

Hospitals and Ransomware

March 28th, 2016

The Ottawa Hospital, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital were all recently infected with ransomware.

As per Kentucky Methodist Hospital, “Methodist Hospital is currently working in an internal state of emergency due to a computer virus that has limited our use of electronic Web-based services. We are currently working to resolve this issue, until then we will have limited access to Web-based services and electronic communications.”

“It did cause significant disruptions of our IT systems,” Fred Ortega, spokesman for Prime Healthcare Services, which operates Chino Valley Medical Center and Desert Valley hospital, told BBC News. “However, most of the systems and the critical infrastructure has been brought back online.”

The Locky ransomware was delivered by email and spread from the initially infected computer to others on the network, Jamie Reid, Kentucky Methodist’s information systems director, said in a statement.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” David Park, an attorney for Kentucky Methodist, told Krebs.

Attackers demanded four bitcoins (approximately $1,600) to decrypt the files.

Canada’s Ottawa Hospital was also infected. Around 9,800 computers were infected with ransomware. “The malware locked down the files and the hospital responded by wiping the drives,” hospital spokeswoman Kate Eggins told the National Post. “We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security.”

————————————————————————————————————————————————————-