Hackers use a new tactic – double extortion

US, WASHINGTON (ORDO NEWS) — In the first quarter of this year, hackers have adopted a new extortion tactic that is far more dangerous than its predecessors, Check Point experts report. Cybercriminals now add an extra step to their attacks: before encrypting the victim's databases, they exfiltrate large amounts of commercial information and threaten to publish it if the ransom is not paid.

A similar case was recorded by security experts at Allied Universal back in November last year, when the victim refused to pay a ransom of 300 bitcoins (approximately $2.3 million). The attackers threatened to use the confidential information, along with stolen email and domain name certificates, to run a spam campaign in Allied Universal's name.

To prove they were serious, the attackers published a sample of the stolen files, including contracts, medical records, encryption certificates and much more.

Other cybercriminal groups have since adopted the same tactic, creating their own leak pages to publish stolen information for the same purpose.

Attackers using the Sodinokibi ransomware (also known as REvil) have published details of their attacks on 13 victims, along with confidential information taken from these companies. The most recent victim was the American National Association for Eating Disorders.

Screenshots of the stolen information are first used to pressure victims into paying the ransom. If payment is not made on time, the attackers carry out their threat and release the confidential information publicly.

Hackers use stolen data as a trump card: they know that companies face heavy fines for data leaks under GDPR legislation. For example, on the eve of 2020, 5 GB of sensitive customer data was stolen from Travelex, including dates of birth, credit card information and national insurance numbers.

The hackers gave Travelex two days to pay $6 million, after which they threatened to double the ransom and to sell the entire database if no payment was received within a week. Travelex had to take its systems offline for three weeks to recover from the attack.

Attackers have also begun targeting mobile devices. Recently, malware disguised as a coronavirus infection tracking application for Android devices in fact encrypted user data and threatened to post personal information from the victim's social networks.

Check Point experts report that the main targets of such attacks are hospitals, especially now, given their work with coronavirus patients. Attackers have hit more than 1,000 medical organizations in the United States alone since 2016.

According to recent estimates, the associated spending has totaled more than $157 million. In 2017, dozens of British hospitals were hit by WannaCry, leading to thousands of cancelled appointments and the closure of some emergency departments. In 2019, several US hospitals had to turn patients away after a series of ransomware attacks.

Check Point experts advise backing up data and files regularly, preferably to cloud storage. The most common infection vectors in ransomware campaigns are still spam and phishing emails. Very often, informed users can prevent an attack simply by not opening an email or downloading a malicious attachment.

It is therefore important to train employees in basic cyber hygiene and to ask them to report suspicious emails to the security team.

To minimize the damage from a successful ransomware attack on an organization, introduce access controls that separate different categories of employees. This greatly reduces the likelihood that a ransomware infection spreads across the entire network.

From an information security point of view, it is certainly useful to regularly update antivirus and other signature-based protection tools.

In addition to traditional signature-based security tools such as antivirus and IPS, organizations need additional layers to block new, unknown threats for which no signatures yet exist.

The two key components are threat extraction (file sanitization) and threat emulation (advanced sandboxing). Each provides a distinct layer of protection; used together, they offer comprehensive protection against unknown malware both at the network level and directly on endpoint devices.
