ransomware - Banking & Finance - Red Sky Alliance (feed updated 2024-03-29T14:38:05Z) https://redskyalliance.org/Finance/feed/tag/ransomware
What Keeps a CFO Awake at Night? https://redskyalliance.org/Finance/what-keeps-a-cfo-awake-at-night (published 2021-06-30T17:05:36.000Z, by Jim McKee, https://redskyalliance.org/members/JimMcKee)
<div><p>The average cost of remediating a ransomware attack has more than doubled in the last 12 months: remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of approximately $761,000 in 2020 to approximately $1.85 million in 2021.<a href="#_ftn1">[1]</a></p>
<p>The importance of cybersecurity is no secret to anyone who uses a computer or an iPhone. Senior executives at businesses of all sizes understand all too well that today’s global economy is still not adequately protected against cyberattacks, despite years of effort and annual spending in the multi-billion dollar range. Until recently, however, many CFOs were not considered an integral part of an organization’s security team, and many did not understand how to respond to security risks or what those risks implied for their organizations. Times have changed, and many CFOs are now being called upon to help promote cybersecurity and identify threats.</p>
<p>Some uncomfortable concerns for CFOs in 2021:</p>
<ul>
<li>Can you afford this risk and pay for the recovery of data, lawsuits, system repairs, and now fines imposed by state agencies, such as those under the State of California’s Prop. 24, where fines can run as high as $7,500 for the loss of each personal information file? What about compliance assessments and the ongoing cyber threat protection that is now required?</li>
<li>Will your cyber insurance cover these losses? With increasing premiums, policy cancellations, and excluded industry segments?</li>
<li>Can your organization survive these costs, the loss of business, and the damage to its reputation? The Sophos “State of Ransomware 2021” report reveals that only 8% of businesses that pay a ransom get back all of their data, and 54% say cyber-attacks are too advanced for their IT teams to handle on their own.</li>
</ul>
<p>CFOs have a major role to play in the daily running of an organization. Besides the uncomfortable task of telling staff members that there is no budget for their constant requests, they work directly with financial analysts and worry about losing control over their financial reporting. They are also, of course, concerned with the potential loss of funds, whether through good, old-fashioned theft or as a direct result of a third party’s misfortune. If a major supplier or customer suffers losses, can you absorb them? What if they have unknowingly passed malware to your organization?</p>
<p>Finance chiefs have good reason to be concerned. The information that the CFO controls and uses daily is some of the most sensitive and important in an organization. The CFO must understand where that information is at all times, how it is secured, who might want to steal it, and how hackers might gain access to it. What about dark web mentions, or databases and confidential information that could already be for sale? Perhaps most importantly, the CFO has a duty to provide plain, true, and complete disclosure to the board on a wide range of issues, and today many would argue that this should include the potential impact of cyberattacks on the financial standing of the organization.</p>
<p>As a member of the C-Suite, your risk is shared by all members, since they are held jointly and individually accountable for meeting the organization’s goals and answering to the shareholders. How can the entire team do a better job against cyber threat actors and state-sponsored cyber terrorists?</p>
<p>At Red Sky Alliance, we can help these teams with services beginning with cyber threat notification, analysis, and complete elimination of cyber threats from both the inside and outside of networks. We have our own CFO with over 25 years of experience in finance and cybersecurity, who would be happy to hold a brief call with your CFO to help them better prepare for cyberattacks, malware, and ransomware. And what if this call led to savings in current duplicated services and forecasted need for additional personnel? </p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.aspx">https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.aspx</a></p></div>
Cyber Dye Pack https://redskyalliance.org/Finance/cyber-dye-pack (published 2021-06-10T14:12:27.000Z, by Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg)
<div><p>A few days after the Colonial Pipeline was attacked, a former law enforcement source close to the company told Red Sky Alliance that law enforcement officials used a cyber ‘dye pack’ to track the Bitcoin ransom payment Colonial made. A traditional dye pack is hidden in a bank’s cash bundles for use during a robbery: the robbers take the bundle with the dye pack, and within minutes the pack ignites and stains the robber with dye, so responding police can identify the fleeing felon. The federal law enforcement cyber cops basically did the same thing. Very clever indeed.</p>
<p>The US Department of Justice announced earlier this week the recovery of $2.3 million, about half of the ransom collected by hackers last month in the Colonial Pipeline cyber-attack. Cyber experts say it was a surprising outcome to an increasingly frequent and severe crime. "Ransomware is very seldom recovered," said the Institute for Technology Law and Policy at Georgetown Law, which described it as "a really big win" for the government. "What we don't know is whether or not this is going to pave the way for future similar successes."</p>
<p>That's because there are several unexplained factors that contributed to the operation's success. A new cyber task force holds the key to this success. Top US federal law enforcement officials explained that the money was recovered by a recently launched Ransomware and Digital Extortion Task Force, which had been created as part of the government's response to a surge of cyberattacks.</p>
<p>To resolve the attack on Colonial Pipeline, the company paid about $4.4 million on 8 May to regain access to its computer systems after its oil and gas pipelines across the eastern US were shut down by ransomware.</p>
<p>Victims of these attacks are given very specific instructions about when and where to send the money, so it is not uncommon for investigators to trace payment sums to cryptocurrency accounts, typically Bitcoin, set up by the criminal organizations behind the extortion. What is unusual is to be able to unlock those accounts to recoup the funds.</p>
<p>Court documents released in the Colonial Pipeline case say the Federal Bureau of Investigation (FBI) got in by using the private key linked to the Bitcoin account to which the ransom money was delivered. However, officials have not disclosed how they got that key (nor will they). One of the reasons criminals like to use Bitcoin and other cryptocurrencies is the anonymity of the system, along with the idea that funds in any given cryptocurrency wallet can be accessed only with a complex digital key. "The private key is, from a technology perspective, the thing that made it possible to seize these funds," a researcher said. Cyber-attackers will go to great lengths to guard any information that could lead someone to associate the key with an individual or organization: "They're going to really try and cover their tracks."</p>
<p>Officials likely got the private key in one of three ways. One possibility is that the FBI was tipped off by a person associated with the attack, either someone in the group behind the scheme or someone associated with DarkSide, a Russia-based ransomware developer that leases its malware to other criminals for a fee or a share of the proceeds. A second possibility is that the FBI uncovered the key thanks to a careless criminal; as the saying in law enforcement goes, “you don’t always catch the smart ones.” The Deputy FBI Director said that the bureau has been investigating DarkSide since last year, so it is likely that during that surveillance agents and analysts had search warrants that gave them access to the emails or other communications of one or more of the people who participated in the scheme. "And through that, they were able to get access to the private key because maybe somebody emailed something to help them track down," they explained. A third possibility is that the FBI tracked down the key by leveraging information it got from the Bitcoin blockchain or from the cryptocurrency exchange where the money had been bouncing from one account to another since it was first paid.</p>
<p>It is not known whether any of the exchanges have been willing to cooperate with the FBI or to respond to the agency's subpoenas. If they are, it could be a dramatic game changer in fighting ransomware attacks. Still, one caution applies: the good guys can never underestimate the bad guys.</p>
<p>What is not likely is that the FBI somehow hacked the key on its own. While some admit it is theoretically possible, "the idea that the FBI would have, through some sort of brute-force decryption activity, figured out the private key seems to be the least likely scenario." Regardless, if law enforcement authorities are able to consistently remove the profits from these attacks, they will likely eliminate the crime.</p>
<p>Of interest is that following the money did not take long. The attackers made an unusual error in this case by failing to keep money moving. The $2.3 million that ultimately was recovered was still sitting in the same Bitcoin account it had been delivered to. You really do not see that with cybercrimes. Was this done on purpose, or through carelessness? </p>
<p>Compare this with another scam, in which a company is tricked into submitting a payment using phony instructions. The funds get wired to accounts at legitimate banks, which do not realize that the account was set up by a fraudulent actor. As soon as those funds hit the account, the criminals wire them back out almost instantly. Within 72 hours, those funds are gone and very hard to track or trace.</p>
<p>Red Sky Alliance cannot overstate the obvious: “We are living in perilous cyber times.” An ounce of prevention is ALWAYS worth a pound of cure. Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice and very important; however, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p><span style="font-size:8pt;">Sources: <a href="https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac">https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac</a>; <a href="https://www.clevescene.com/scene-and-heard/archives/2011/05/20/pic-of-the-day-heres-what-it-looks-like-when-a-dye-pack-explodes-on-a-robber">https://www.clevescene.com/scene-and-heard/archives/2011/05/20/pic-of-the-day-heres-what-it-looks-like-when-a-dye-pack-explodes-on-a-robber</a></span></p>
</div>
Country: RU Russian 'Evil Corp' Criminals Possibly Evolved Into Cyber Spies https://redskyalliance.org/Finance/country-ru-russian-evil-corp-criminals-possibly-evolved-into-cybe (published 2021-05-26T20:44:20.000Z, by Jim McKee, https://redskyalliance.org/members/JimMcKee)
<div><p>The infamous cybercrime organization known as Evil Corp may be running cyberespionage operations on behalf of a Russian intelligence agency, security consulting company Truesec reports. Active since at least 2009 and also referred to as TA505, the hacking group is known for the use of the Dridex banking Trojan, but also for ransomware families such as Locky, Bart, Jaff, and BitPaymer, along with the more recent WastedLocker and Hades.</p>
<p>Evil Corp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. In addition to deploying financial malware and causing tens of millions in losses, Yakubets has been working for Russian intelligence since at least 2017, the indictment said. New evidence that Truesec security researchers have uncovered supports the assumption of a close relationship between the cyber-crime group and the Kremlin, and even suggests that Evil Corp might have evolved into a cyberespionage group that uses ransomware attacks to disguise its true intentions. Truesec Group is a leading Swedish cybersecurity and secure infrastructure provider.</p>
<p>Analysis of a ransomware incident involving Evil Corp has revealed the use of tactics, techniques, and procedures (TTPs) previously associated with the sophisticated cyber-espionage group SilverFish, which was recently associated with the SolarWinds attack. The attack, Truesec analysts reveal, started with a drive-by download that led to the installation of a backdoor giving the attackers complete control of the victim machine, with a Cobalt Strike implant deployed as the second stage only minutes later.</p>
<p>Network discovery started minutes later and the adversary “achieved full infrastructure compromise within four hours from the initial breach.” Common vulnerabilities were exploited as part of the attack, with manual operations started minutes after initial compromise, which is “remarkable, considering that the attack vector was a drive-by attack,” Truesec analysts note.</p>
<p>Although the adversary was able to leverage access to Active Directory within hours, internal reconnaissance and data discovery only started a week later. During this phase, the threat actor uninstalled security software, with the Wasted Locker ransomware being deployed only a month after the initial compromise. “During the last two weeks, the threat actor focused the reconnaissance on methodically gathering data from network shares, user profiles, browser history of IT admins, cloud-based mailboxes, and eventually identified credentials and locations of the cloud-based backups in use which were then deleted,” Truesec researchers note.</p>
<p>The actor behind the attack used the same Cobalt Strike beacon that threat intelligence firm PRODAFT associated with the SilverFish group’s operations, suggesting that the same adversary might have been involved in both, despite the use of different attack vectors: drive-by download vs the SolarWinds breach.</p>
<p>Truesec’s researchers believe that Evil Corp’s close ties with Russian intelligence might have resulted in the already sophisticated threat actor evolving from a financially motivated cybercrime organization into a cyberespionage group. Despite still deploying ransomware in attacks, the group no longer appears enticed by financial gain and, unlike other ransomware operators out there, does little to compel victims into paying the ransom.</p>
<p>“It is possible that the entire Wasted Locker/Hades ransomware campaigns have been run as just a ‘maskirovka’, the Russian word for deception, to hide a cyberespionage campaign. The reason why they seem to be careless about extracting the ransom could simply be that it is not important to them. They just need to keep up the appearance,” Truesec analysts note.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has been helping companies since 2013 with proactive approaches to cybersecurity. We have been tracking Russian hackers for many years. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p></div>