Tag: ransomeware

The cyber-war era: the rapid growth of the threat landscape

Posted on by Teila Hurlock

cyber security skull banner

 

In this blog we explain what you should be looking out for in the cyber-war era, and how you can best protect the cyber-security of your organisation.

 

The threat landscape is accelerating faster as global tensions grow over the Russia Ukraine conflict. The Cyber-war is well underway, with Ukraine rallying troops for the frontline of the cyber battleground

Cyber-war era: as cyber security threats rise, what should you look out for?

Amid the tensions of early 2022 cyber-attacks were already on the rise, with threat actors targeting both Ukrainian organisations and their government. Although there are still questions around who may be responsible for some of these attacks, Ukraine firmly believes Russian state actors are responsible – and evidence would strongly suggest that is the case.

Since the Russian invasion began in Ukraine on 24th February 2022, businesses and government institutions globally are on high alert for state-sponsored cyber threats – with banks, energy companies and airlines undertaking additional work to strengthen their defences against such attacks. There is an underpinning fear that this could be the new era of global cyber-war.

DDoS attacks

Cyber-attacks on state-owned digital assets such as the Ukrainian Defense Ministry and Military websites increased in February, as they were hit with DDoS (Distributed Denial of Service) attacks, along with two large Ukrainian banks – PrivatBank and Oschadbank. In this case, the websites were flooded with traffic to the point that they crashed, making the websites unusable.

FoxBlade

Microsoft has issued a Security Intelligence advisory about FoxBlade, a novel trojan. This trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.

Malware

HermeticWiper / FoxBlade (aka KillDisk)

At the end of February, there was the discovery of the new wiper malware that had been unleashed – dubbed HermeticWiper by some and FoxBlade by others. As well the as DDoS attacks mentioned above, it was designed to wipe the hard drives/system storage of the systems infected, corrupting all the data in the drive – making the data unrecoverable – then initiating a system shutdown. It has been found on Ukranian computers, as well as on machines in Latvia and Lithuania.

Furthermore, a “worm component” dubbed HermeticWizard, has been discovered that could be used to spread the HermeticWiper in local networks.

FoxBlade (HermeticWiper) also downloads and installs other programs – including other malware – onto infected systems, Microsoft has advised.

IsaacWiper

Cybersecurity experts identified a second wiper cyber-attack, named IsaacWiper, targeted at Ukrainian governmental networks according to a report on Tuesday 1st March. The second wiper attack was detected on 24th February and is described to be a lot less sophisticated than HermeticWiper.

Cyclops Blink malware

The UK’s NCSC (National Cyber Security Centre) and the US CISA (Cybersecurity and Infrastructure Security Agency) have released details about a new malware targeting network devices, which they attributed to Sandworm – a threat actor previously attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST).

Cyclops Blink is a new piece of malware that targets network devices – supposedly being used by the Sandworm threat actor – a replacement for the VPNFilter malware 2018. The malware collects device information, sending it to a command-and-control server. It can download and execute files, as well as getting additional modules at a later date.

Cloned websites

Researchers have identified a web service hosting cloned copies of websites. A number of Ukrainian government websites were cloned, along with the main webpage of the Office of the President. These sites were filled with malware links, that once clicked, would download on to the user’s computer.

 

What does this cyber-war era mean for nations other than Russia and Ukraine?

 

Whenever one nation launches a cyber-attack against another, it doesn’t just increase cyber risk for the nations involved. It also impacts global cyber risks. The Cyber Attack Predictive Index (CAPI) tool, created by Johns Hopkins Information Security Institute, has hit its highest possible threat likelihood level, at a score of 25 (out of 25) under the current situation.

While the aforementioned attacks aren’t particularly sophisticated, and can be mitigated with the right cyber protection measures, these types of attacks have previously been used as a diversion tactic in order to lay groundwork for more damaging, sophisticated attacks.

Exposure or risk

As the EU, UK and the US impose sanctions on Russia and Belarus there is greater chance of being at risk of targeted cyber-attacks, as retaliations make take place from the Russian and respective forces. Companies across Britain have been warned to prepare for a heightened security risks as the UK placed sanctions on three of Russia’s wealthy allies.

UK organisations have been urged by GCHQ’s National Cyber Security Centre (NCSC) ‘bolster their online defences’ and warned that there has been an ‘historical pattern of cyber-attacks on Ukraine with international consequences’.

According to Laurance Dine, global partner, X-Force Incident Response, IBM, businesses need to start operating under the assumption of compromise, and put in place the proper controls and measures necessary to defend their environment and critical data.

The UK government may well be taking their own measures to defend the cyber security of the nation, as secretary of state for defence, Ben Wallace, told parliament in reference to the National Cyber Force: “I am a soldier, and I was always taught that the best part of defence is offence… What is good for the goose is good for the gander, and that if necessary we could use cyber warfare to give as good as we get back to Russia.”

High alert for the energy sector

This week (28th February 2022) the UK Business Secretary, Kwasi Kwarteng, is holding talks with the chair of National Grid amid anticipation of a surge in state-sponsored cyber-attacks from Russia. A wise move considering that, in a recent report published by IBM Security, the UK’s energy sector was the target of 24% of all cybersecurity incidents in the country last year. It is also thought that Russia was most likely responsible for the SolarWinds and Colonial Pipeline attacks of 2020 and 2021.

We recommend:

  • It may seem obvious but evaluate the controls you have in place against cyber-attacks, particularly ransomware.
  • Pay close attention to the news cycle in relation to this situation.
  • Pay attention to the types of attacks that are coming through via security feeds.
  • Keep everything patched.
  • Watch out for any suspicious traffic that may be coming from outside of the country.

At QuoStar we are committed to helping you and your business remain secure. Our experienced industry professionals are here to give you measured and realistic advice.

Evaluate your protection against currents risks, book a complimentary initial cyber security review session with our Head of Security David Clarke.

 

The ransomware risks to law firms and how to protect against them

Posted on by Robert Rutherford

Ransomware risks to law firms

Ransomware risks are the largest threat that faces law firms today.

Ransomware attacks have increased by 288% in 2021. And, Reuters doesn’t expect this to slow down any time soon – comically suggesting that “Like ‘Terminator’, high-tech cybercrime is expected to keep coming.”

Any business can become a target to cyber criminals, but law firms are one of the top targets globally. Even a listed UK Law firm was hit by cyber-security a incident this year. It’s obvious that law firms are lucrative and have access to money, so they are often able to pay a ransom where other types of businesses might not.

However, cash flow is not the only reason firms become a target. Law firms have many interaction points and are in effect a service business – service businesses live and die by their reputation. That’s why they are a prime target.

 

Ransomware risks to law firms: why are they a great target for Ransomware attacks?

They have some great data, and that fits with the Ransomware business model. Ransomware is a revenue generator for cybercriminals. Ransomware encrypts your practice’s electronic data, and takes a copy of the data, which can then be:

  • Sold to other cybercriminals
  • Held to ransom over public release of sensitive information
  • Assumes control of your social media and broadcasts your data and failings
  • Sell the exploit details to another cybercriminal
  • Use the same exploit again and ask for another ransom

 

Are law firms financially protected from cyber-attacks?

Typically, a paid ransom will be reimbursed by Insurance, but of course only if the right controls are in place from a cyber-security / risk perspective in the first instance.

Many firms think they are protected financially by simply having insurance in place to reimburse a ransom payment. However, if there isn’t the right security in place, then insurance won’t pay out.

 

Money isn’t the only loss a firm faces when hit

Greater threats are posed, here are some other ransomware risks to law firms.

Some ransom groups will demand a ransom, but that will only be after they’ve posted all of the firm’s sensitive data, and client data onto the dark web.

The firm may be able to get operational again, but the real damage goes beyond that, as their client’s data is in effect spread globally for anyone to access. It’s easy to see that the ransom payment is just a fraction of the real cost a firm could face.

A breach means letting clients know their data is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. That’s big, it will seriously hurt the firm and all those they work with.

Regulators want to try to compound that damage. A firm is now looking at huge fines from the regulators, such as the ICO and the SRA. It’s a horrible place to be, hence the focus from those in the global ransomware business, which is now bigger than the drugs trade (the global cybercrime economy generates over $1.5 trillion).

This year 4 New Square Chambers took an unusual approach this year after they were attacked mid-June. For damage limitation purposes they took out a court order demanding the criminals not to share the stolen data. The mystery hackers were ordered to hand over any information they may have obtained by 27 September 2021 or face possible contempt of court proceedings – but only time will tell how well this has worked.

 

Risk and IT security are not separate entities

Too many in the legal industry view the ransomware risks to law firms and IT security as separate entities. They simply put being secure from a cyber perspective and all those risks down to the IT team. That’s just not going to wash with regulators, clients and very likely the media. Risk is a board responsibility/accountability, not IT’s.

Of course, the IT team plays it part. However, like every important functional operation in a firm, you need governance. The whole firm needs to be aware of its role in controlling risk, especially as most IT breaches come from an employee doing something they shouldn’t. The biggest threat to a firm’s security is more often that not going to come from something simple such as someone unsuspectingly clicking a link or giving information out over a phone.

 

IT can only so go far

New and emerging threats are often targeted at the end-user sat at their laptop or on their phone. Sure, technology has its risks, such as unpatched software or a lost laptop, but people are always the weakest link. Although employees pose one of the largest risks with one of the biggest impacts, the threats are of course much wider.

The other big risk is vulnerabilities within IT systems that face the Internet, both those run internally and through third parties, such as a website host, an IT supplier, or some form of partner organisation that links into a firm’s systems. Every link into a firm is risk. they need to be evaluated and tested. A firm should certainly penetration test their own systems, but they should also look at those they interface with, to ensure they also deal with their part of the wider risk piece.

 

So, how can the ransomware risks to law firms be avoided?

There are most certainly the basics that should be dealt with, especially where ransomware is concerned, such as:

Have you got an air gap in your backups?

Ransomware attackers want to encrypt your data. That may take you down for a few days. However, if your backups are also on the same network as your data they will be looking to ensure they are also encrypted. That leaves a firm dead in the water with no chance of recovery.

Do you have a rigid patch management policy?

Many businesses patch once a week, many once a month. That’s not enough. The IT team needs to be continually aware of brand new threats and needs to deal with them quickly, or they need to rely on a specialist IT security partner to deal with it.

Do you use a VPN to protect endpoints on public networks?

Too many firms allow their staff to connect at home or in other locations, such as hotels, over unprotected networks. That’s a risk that needs to be controlled via a VPN.

Do you consistently train and test your users how to spot suspicious email or call?

Again, staff are the weakest link and need to be able to spot suspicious behaviours online.

Do you control USB ports to ensure non-approved storage devices can’t be installed?

You can’t allow staff to plug anything into a work machine or a machine that accesses work machines without controls in place. For example, a Rubber Ducky Attack cyberattack, where a custom USB device emulates a USB keyboard to attack a workstation.

Do you have an email security protection system in place?

You do need an advanced email security protection system in place that checks both links in email and the attachments. You can’t generally rely on email provider systems, not even Microsoft’s.

Do you have next generation antivirus in place?

Traditional antivirus systems aren’t enough to protect against ransomware. Once they’ve detected it with a scan it’s too late. You need NGAV (Next Generation AntiVirus) which can spot ransomware before it does its damage.

Do you have 2-factor authentication in place?

This is probably one of the biggest protections against ransomware available. A third party can steal a password, but they cannot get access to systems without a known device.

Do you have a SIEM and a 24x7x365 SOC?

A SIEM is a Security Information and Event Management system. A SOC is a Security Operations Centre. If you’ve done the other points, then you need a system that looks for suspicious behaviour (a SIEM looks for it) and a team that can take that alert and respond (a SOC). These systems can be expensive, so you need to really make a judged call on how far you should go.

So how do you decide how far you take your IT security?

Well, first you really need to understand the all the risks you face. You need to understand what the likelihood of those risks being exploited, and you need to understand the likelihood of it happening. How do you do that?

You need a system, you need a framework. Too many firms think they have Cyber Essentials so they are secure. That’s not the case. Cyber Essentials is the very basic and doesn’t make you secure, especially not from the ransomware risks to law firms.

Have a plan for resiliency.

The only way a firm, particularly the leadership, can get a grip on IT security is to work to a governance level – to implement an Information Security Management System (ISMS). If you have an ISMS you are doing the right thing from a leadership perspective. You can know your risks, you know the controls of those risks and you can make a call on what you need and want to do – based on real knowledge.

An ISMS, such as ISO 27001 will give you complete knowledge of your risks and how you deal with them. It will also let you manage all of your suppliers and third parties, ensuring they don’t pose a risk you are unaware of.

At Quostar we have a process called “Chain of Resiliency” which highlights the weakest links in your critical systems whether cloud or traditional server-based. This is so you can estimate the cost of lack of resiliency per system appropriate to your law firm, and do a cost-benefit realisation.

 

In short, a strong Executive action plan will:

  • Copy what the big tech companies do.
  • Enforce Backup and restore process (The important bit is the restore)
  • Implement an Information Security Management System (ISMS)
  • Use risk as a management tool not as a list
  • Implement Governance over risks with key stakeholders
  • Follow best practice

 

If you’d like any advice from our CISO on your firms cyber security set up get in touch today.