Torrance Memorial Medical Center began notifying some patients Monday that email accounts containing “work-related reports” and personal data were breached at the hospital.
The so-called phishing attack occurred on April 18 and 19, according to medical center spokesman Ed Finn, who said facility personnel, working with third-party forensic investigators, launched an investigation “to determine the nature and scope of the incident.”
“The investigation determined that personal information for certain individuals was present in some impacted emails, but it remains unclear whether emails or attachments containing the information were accessed by an unauthorized person or persons,” Finn said.
The breach, first revealed publicly Monday, was reported to the California Department of Public Health, the U.S. Department of Health and Human Services and the FBI, he said.
“To date, Torrance Memorial has no evidence of any actual or attempted misuse of information as a result of this incident,” Finn said. “However, the email accounts that were accessed through this incident contained sensitive personal information including names, dates of birth, address information, telephone numbers, medical record numbers, Social Security numbers, health insurance information, and other clinical/diagnostic information.”
Notice letters mailed to “potentially impacted individuals” include offers of no-cost credit monitoring and identity theft protection services for one year, Finn said.
“Torrance Memorial encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor free credit reports and explanation-of-benefits forms for suspicious activity,” Finn said.
The number of potentially affected patients was not immediately disclosed.
Here is the Torrance Memorial – Notice of Data Privacy Event: https://www.torrancememorial.org/Notice_of_Data_Privacy_Event.aspx
A South Korean web hosting provider has agreed to pay about $1 million in bitcoin to attackers after a Linux ransomware infected 153 of its servers, encrypting the 3,400 business websites and their data hosted on them.
According to a blog post published by NAYANA, the web hosting company, the incident happened on 10 June, when the ransomware hit its hosting servers and the attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files.
The company later negotiated with the criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get its files decrypted.
At the time of writing the hosting company had already paid two installments and would pay the last one after recovering data from two-thirds of its infected servers.
According to the security firm Trend Micro, the ransomware used in the attack was Erebus, first spotted in September of the previous year and seen again in February with a Windows User Account Control (UAC) bypass capability.
Since the hosting servers were running an outdated Linux kernel, researchers believe that the Linux version of Erebus may have used known vulnerabilities such as Dirty COW, or another local Linux privilege-escalation exploit, to gain root access to the system.
“The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note.
“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”
Erebus, which primarily targets users in South Korea, encrypts office documents, databases, archives, and multimedia files, appends a .ecrypt extension to them, and then displays the ransom note. The file contents themselves are scrambled with RC4; RSA-2048 is used to protect the keys rather than the data directly.
“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.”
The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another randomly generated key.
According to analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.
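To make the key hierarchy concrete, here is an added example in Go that is not Trend Micro's analysis code and not anything taken from Erebus itself: it implements the same three layers described above (a fresh RC4 key per 500 kB block, RC4 keys sealed under a per-file AES key, the AES key wrapped with an RSA-2048 public key) and shows that decryption fails with any key pair but the attacker's. The container layout, the key sizes (32-byte AES key, 16-byte RC4 key), the AES-GCM and RSA-OAEP modes, and all function names are assumptions for this illustration; the real Erebus file format is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const blockSize = 500 * 1024 // the 500 kB chunking Trend Micro describes

// encryptedFile is an assumed container for this example, not Erebus's real on-disk format.
type encryptedFile struct {
	WrappedAESKey  []byte   // AES key under the attacker's RSA-2048 public key (OAEP)
	WrappedRC4Keys [][]byte // per block: nonce || AES-GCM(rc4Key)
	Blocks         [][]byte // per block: RC4(data)
}

// newAttackerKey stands in for the RSA pair the ransomware generates; only the public half stays on the victim.
func newAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to fall back to
	}
	return b
}

// rc4XOR applies the RC4 keystream (the same operation encrypts and decrypts). RC4 is obsolete
// and appears here only because that is what the analysis reports.
func rc4XOR(key, data []byte) []byte {
	stream, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with an invalid key length
	}
	out := make([]byte, len(data))
	stream.XORKeyStream(out, data)
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile: fresh RC4 key per block, each sealed under one AES key per file, which is in turn
// wrapped with the attacker's public key.
func encryptFile(plain []byte, attackerPub *rsa.PublicKey) (*encryptedFile, error) {
	aesKey := mustRandom(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	ef := &encryptedFile{WrappedAESKey: wrapped}
	for off := 0; off < len(plain); off += blockSize {
		end := min(off+blockSize, len(plain))
		rc4Key, nonce := mustRandom(16), mustRandom(aead.NonceSize())
		ef.WrappedRC4Keys = append(ef.WrappedRC4Keys, aead.Seal(nonce, nonce, rc4Key, nil))
		ef.Blocks = append(ef.Blocks, rc4XOR(rc4Key, plain[off:end]))
	}
	return ef, nil
}

// decryptFile is the attacker's side. Without the RSA private key the AES key cannot be unwrapped,
// so no RC4 key, and therefore no block, is recoverable.
func decryptFile(ef *encryptedFile, attackerPriv *rsa.PrivateKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, ef.WrappedAESKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	aead, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	ns, plain := aead.NonceSize(), []byte(nil)
	for i, sealed := range ef.WrappedRC4Keys {
		if len(sealed) < ns || i >= len(ef.Blocks) {
			return nil, fmt.Errorf("block %d: malformed container", i)
		}
		rc4Key, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		plain = append(plain, rc4XOR(rc4Key, ef.Blocks[i])...)
	}
	return plain, nil
}

func main() {
	attacker, _ := newAttackerKey()
	ef, _ := encryptFile(mustRandom(3*blockSize/2), &attacker.PublicKey) // constructed 750 kB "document"
	other, _ := newAttackerKey()                                            // any key pair but the attacker's
	_, err := decryptFile(ef, other)
	fmt.Printf("%d blocks; decrypt without the attacker's private key: %v\n", len(ef.Blocks), err)
}
```

Running the program encrypts a constructed 750 kB buffer into two blocks and prints the error you get when decrypting with any key pair other than the attacker's. That is exactly why the researchers say the files cannot be recovered without the RSA keys: the victim's machine only ever holds the public half, and every RC4 key stays sealed until the AES key is unwrapped. The random per-block RC4 keys are not the weakness to attack here; the wrapping chain is what has to be broken, and with RSA-2048 it is not.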
So the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations and to maintain backups that are rotated regularly.
Most infections are introduced by opening infected attachments or clicking links to malware, usually in spam emails. So DO NOT CLICK on links or attachments in emails from unknown sources. Moreover, ensure that your systems are running the latest versions of installed applications; in this case the web server and PHP were a decade out of date.
Article by: Mohit Kumar – Hacker, Entrepreneur, Speaker
A ransomware family named Samas or SamSa has made nearly $450,000 in ransom payments for its creators in the past year alone, according to Palo Alto Networks researchers.
It was first discovered back in March this year, but its origins were traced back to the fourth quarter of 2016. That is when Microsoft found that this ransomware requires additional tools and components during deployment: the threat makes use of pen-testing and attack tools for a more targeted attack, researchers discovered.
The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers estimate that they made around $450,000 in ransom payments over the past 12 months. The estimate is based on the malware samples identified to date, which amount to 60 unique samples.
Compared with more common ransomware such as Locky, Cerber, and CryptoMix, SamSa has a very small number of samples, but Palo Alto Networks explains that this makes sense given the type of targets this actor is after. While most ransomware families try to infect as many users as possible to increase profits, SamSa targets only specific organisations.
Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr, WinDir, among others.
Most of these modifications occurred after April, and they were accompanied by changes to the encrypted filename extensions that are appended to files after encryption took place. The format of the encrypted file header was changed too, as well as the dropped helper HTML file that is used to provide victims with information on what happened to their files.
Another active threat is Jaff, a new ransomware family that appeared just days before the WannaCry outbreak.
A new Jaff variant was discovered by security researcher Brad Duncan; it has a redesigned ransom note and a new .wlu extension for encrypted files. Like the first variant, this version continues to be spread through spam campaigns that use malicious documents to download the ransomware onto the victim's computer.
The first variant added the .jaff extension to encrypted files and requested around 2 Bitcoin as payment. The infection vector was PDF files sent as attachments in spam emails.
The new variant appends the .wlu extension to encrypted files and uses a new note with green text on a dark background. The researcher also reports that the ransomware operators now ask for 0.35630347 Bitcoin.
The new campaign is spread through messages that appear to be invoices. Victims receive emails with subjects such as Copy of Invoice 99483713 or Invoice(58-0710), carrying a malicious PDF attachment.
Unfortunately, there is no decryption tool for .wlu files encrypted by the Jaff ransomware.
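The invoice-themed lures above are easy to write a triage rule for. The following Go program is an added example, not code from the researcher or from any mail product: it parses a few constructed mail-gateway log lines (the line format, sender addresses and file names are invented for the example) and holds messages whose subject matches the invoice-number pattern quoted above and that also carry a PDF attachment.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// mailEvent is the minimal gateway record this example assumes.
type mailEvent struct {
	Timestamp  string
	From       string
	Subject    string
	Attachment string // empty when the message had none
}

// logLine matches the constructed log format used below:
//   <timestamp> from=<addr> subject="<text>" attach=<file or ->
var logLine = regexp.MustCompile(`^(\S+) from=(\S+) subject="([^"]*)" attach=(\S+)$`)

// invoiceLure matches the subject shapes quoted above ("Copy of Invoice 99483713",
// "Invoice(58-0710)"): the word invoice followed by a numeric-looking reference.
var invoiceLure = regexp.MustCompile(`(?i)\binvoice\b\s*\(?\s*#?\s*[\d-]{4,}\)?`)

func parseLine(line string) (mailEvent, error) {
	m := logLine.FindStringSubmatch(line)
	if m == nil {
		return mailEvent{}, fmt.Errorf("unparsable line: %q", line)
	}
	ev := mailEvent{Timestamp: m[1], From: m[2], Subject: m[3]}
	if m[4] != "-" {
		ev.Attachment = m[4]
	}
	return ev, nil
}

type verdict struct {
	Hold    bool
	Reasons []string
}

// triage fires only on the combination of signals; either one alone is ordinary business mail.
func triage(ev mailEvent) verdict {
	var v verdict
	if invoiceLure.MatchString(ev.Subject) {
		v.Reasons = append(v.Reasons, "subject matches invoice-number lure")
	}
	if ev.Attachment != "" && strings.EqualFold(path.Ext(ev.Attachment), ".pdf") {
		v.Reasons = append(v.Reasons, "PDF attachment "+ev.Attachment)
	}
	v.Hold = len(v.Reasons) == 2
	return v
}

// sampleLog is constructed for this example; addresses and file names are invented.
var sampleLog = []string{
	`2017-05-11T09:14:02Z from=accounts@invoice-mailer.example subject="Copy of Invoice 99483713" attach=99483713.pdf`,
	`2017-05-11T09:14:40Z from=billing@vendor.example subject="Invoice(58-0710)" attach=INV-58-0710.PDF`,
	`2017-05-11T09:15:10Z from=finance@corp.example subject="Invoice 20170511 approved" attach=-`,
	`2017-05-11T09:16:33Z from=hr@corp.example subject="Team lunch menu" attach=menu.pdf`,
	`2017-05-11T09:17:05Z from=sales@corp.example subject="Your invoice is ready" attach=summary.docx`,
}

// triageLog runs every line through triage and returns the events to hold for review.
func triageLog(lines []string) ([]mailEvent, error) {
	var held []mailEvent
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if triage(ev).Hold {
			held = append(held, ev)
		}
	}
	return held, nil
}

func main() {
	held, err := triageLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, ev := range held {
		fmt.Printf("HOLD %s from=%s subject=%q attach=%s\n", ev.Timestamp, ev.From, ev.Subject, ev.Attachment)
	}
}
```

Of the five constructed lines only the first two are held: an invoice subject without an attachment, a PDF with an unrelated subject, and an invoice subject with no reference number all pass. Even for a hit the right action is to quarantine for review rather than drop silently, since a genuine invoice looks identical to the lure; any sender-based exception added on top is only meaningful if the gateway has already verified SPF and DKIM for that sender.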
Earlier this year, administrators at Hollywood Presbyterian Hospital suddenly discovered they had lost access to their computers. Doctors were locked out of their patients’ medical records, and they couldn’t access their own reports. Their system data had been encrypted by malicious software. While all this data was being held hostage, staffers had to direct sick people to other hospitals. After two weeks of writing everything down on paper, the hospital paid a $17,000 ransom in Bitcoin to regain access to their computer systems. Ransomware not only cost money; it endangered lives.
If you told me a few years ago that executives would be scrambling to digital currency exchanges to pay malware distributors, I wouldn’t have believed it. However, that’s exactly what has happened. Individuals, businesses, and larger institutions alike have all fallen prey to this growing type of cyberattack. C-suite executives now find themselves hostage to these data hijackers.
Ransomware — the term comes from “ransom” and “software” — is a type of malicious software that prevents users from accessing their systems or data until a sum of money is paid. Preying on human error, cybercriminals trick users into activating it. Often disguised in email as HTML links or attachments, ransomware encrypts data with keys that only the attackers can recover: the file keys are wrapped with a public key whose private half the attackers alone hold. Users are locked out of their files; a ransom is demanded. To evade law enforcement, attackers use hard-to-trace payment methods such as Bitcoin.
Ransomware distributors, the criminals overseeing these attacks, have figured out a pricing strategy that works. The average demand for consumers and small business owners is between $300 and $500. That’s a sum many can deliver when faced with the possibility of losing all their valuable digital assets.
Of course, there are more costly and dangerous situations, such as Hollywood Presbyterian Hospital’s experience. The FBI estimates that the cost of ransomware in the United States could reach $1 billion in 2016, thanks to a surge in cases. The agency says more than 4,000 ransomware incidents occur daily, four times the rate of the previous year.
My company, Carbonite, has been tracking a massive uptick, too. Our customer care team has implemented a new system to track and respond to incidents. We store customers’ and clients’ data online, in the cloud. When those customers are hit by a ransomware attack, many reach out to us for help to restore a backed-up copy of their data that’s being held hostage. Our team saw the biggest spike in ransomware help calls in March, likely due to the spread of the Locky ransomware strain.
It’s not just the rapid rise of ransomware that’s so alarming; its targeting is, too. A new global survey finds that nearly half of United States organizations report ransomware attacks in the past year. Of those, 43% affected middle managers and 25% affected senior and C-level executives. (These rates are lower in other countries.) The two industries most commonly targeted globally are financial services and health care.
Because ransomware is so pervasive and the damage can be so costly, I’m always surprised when I talk to C-levels who have not put it on their radar. Many times, they have relegated ransomware prevention to IT. But I encourage the executives who ask me for advice to make ransomware prevention a central piece of their cybersecurity strategy, to review that strategy at least once a year with their board of directors, and to engage their entire organization in education and prevention.
Our company provides employees across the company with online, interactive tools for identifying suspicious malware. We arm our workers with the resources they need to be security-aware, and then hold them accountable for protecting their data. This goes for all employees, including me and my executive team.
Why are ransomware attacks increasing?
One reason ransomware attacks are spreading is that the fraudulent emails containing links or attachments for unsuspecting users to click on have become much more sophisticated. These phishing emails (called whaling emails when they target C-suite executives) are no longer sent by self-described dispossessed potentates from faraway lands looking to bequeath you a portion of their ancestral wealth once you have provided some sensitive information.
Nowadays, infections arrive via well-written, typo-free emails, often disguised as official documents with corporate logos and signatures. Some look like typical business correspondence or legitimate reminders to upgrade applications. One attorney received a polished email with a promising resume attached.
Even scarier, user interaction is not always required. Instead, ransomware can spread through gaps in security systems or un-patched, outdated applications. There’s a new type of ransomware each week, it seems, and the number of ways that ransomware infiltrates systems continues to grow.
Another factor in the spreading phenomenon is access to the digital currency Bitcoin. The ease of anonymously collecting payments from afar has boosted the ranks of cybercriminals. These days, you don’t have to know that much about ransomware to use a do-it-yourself kit. The deal is, you agree to share your earnings with the large syndicates.
Law enforcement is responding to the growing cybercrime, and in the U.S. the FBI takes ransomware seriously. The agency has published prevention guidelines for CEOs and for CISOs. It also discourages victims from paying the ransom, noting that payment incentivizes repeat attacks.
Some defenses against ransomware are improving. In testing labs, researchers have developed software that detects some variants of ransomware. Computer security companies such as Kaspersky Lab have deployed decryption tools to help victims unlock their data after an attack. At Carbonite, we launched FightRansomware, a website dedicated to informing small businesses about the ways ransomware works and the most effective methods for protecting your data.
Cybercriminals have figured out how to wreak havoc even at companies that take the right precautions, and detection and decryption tools don’t always work. Still, there are some things you can do.
Ransomware readiness and responsibility
Whether we are small business entrepreneurs, IT advisors, or C-level board members, we are all vulnerable. That makes us responsible for adequate ransomware education and prevention for employees at all levels, and responsible for an action plan that can be followed without confusion if and when our systems are attacked.
Education is key to making sure our employees and systems don’t become victims. Protect your company’s perimeter with firewalls and solid network security. Use antivirus software and make sure it’s updated on schedule. Unfortunately, human error accounts for the majority of ransomware infections, so take additional safeguards. One way to render a ransomware attack ineffective is to keep a duplicate of your data. Ransomware becomes meaningless if you can quickly restore your systems and data to a point before the infection; for that to hold, the backup must be versioned or kept off the network, because a backup the infected machine can write to is encrypted along with everything else.
If you are victimized, I tell colleagues, do not be embarrassed. Instead, be prepared. As soon as you’re aware of an attack on your computer, file server or network, immediately shut down all file sharing activity and alert the proper people in your company. Use your antivirus software to determine where the infection happened. If you can’t do that with the antivirus software, examine the encrypted files’ properties to find the last user or computer to modify them; the earliest-modified files point to where the infection originated. Then assess the extent of the infection and the damage, remove the malware, and only then clear out the encrypted files, keeping a copy of a few of them and of the ransom note, since decryption tools for some families are released later. Hopefully you have a backup service in place, so you can recover clean versions of the affected files.
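The triage step above (find the last user or computer to touch the encrypted files, then gauge the extent of the damage) can be scripted. The following Go program is an added example, not code from Carbonite or from the article's author: it walks a directory tree, picks out files carrying the encrypted-file extensions named on this page (.ecrypt, .wlu, .jaff), and reports counts per family and per owner plus the earliest-modified file. The extension list, the function names, and the use of the Unix file owner as a proxy for the account that wrote the file are assumptions for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"syscall"
	"time"
)

// ransomExts maps the encrypted-file extensions named on this page to their families;
// a real tool would carry a much longer list.
var ransomExts = map[string]string{".ecrypt": "Erebus", ".wlu": "Jaff", ".jaff": "Jaff"}

type hit struct {
	Path    string
	Family  string
	ModTime time.Time
	Owner   string // numeric uid on Unix; "?" where the platform does not expose one
}

type report struct {
	Hits     []hit // oldest modification first
	ByFamily map[string]int
	ByOwner  map[string]int
	Skipped  int // entries that could not be read (permissions, files that vanished mid-walk)
}

// scanShare walks root and collects every file whose extension marks it as encrypted.
func scanShare(root string) (report, error) {
	r := report{ByFamily: map[string]int{}, ByOwner: map[string]int{}}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if p == root {
				return walkErr // the share itself is unreadable: nothing to report
			}
			r.Skipped++ // note it and keep going: a partial picture beats none during triage
			return nil
		}
		if d.IsDir() {
			return nil
		}
		fam, ok := ransomExts[strings.ToLower(filepath.Ext(p))]
		if !ok {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			r.Skipped++
			return nil
		}
		h := hit{Path: p, Family: fam, ModTime: info.ModTime(), Owner: "?"}
		if st, ok := info.Sys().(*syscall.Stat_t); ok { // Unix only
			h.Owner = fmt.Sprint(st.Uid)
		}
		r.Hits = append(r.Hits, h)
		r.ByFamily[fam]++
		r.ByOwner[h.Owner]++
		return nil
	})
	sort.Slice(r.Hits, func(i, j int) bool { return r.Hits[i].ModTime.Before(r.Hits[j].ModTime) })
	return r, err
}

// firstSeen returns the oldest encrypted file: its mtime bounds when encryption started and
// its owner is the account to start the investigation from.
func (r report) firstSeen() (hit, bool) {
	if len(r.Hits) == 0 {
		return hit{}, false
	}
	return r.Hits[0], true
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	r, err := scanShare(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%d encrypted files (%d entries skipped); by family %v; by owner %v\n",
		len(r.Hits), r.Skipped, r.ByFamily, r.ByOwner)
	if first, ok := r.firstSeen(); ok {
		fmt.Printf("earliest: %s [%s] modified %s owner uid %s\n",
			first.Path, first.Family, first.ModTime.Format(time.RFC3339), first.Owner)
	}
}
```

Run it against the root of the affected share (assuming the file is saved as scan.go: `go run scan.go /srv/share`). On an SMB or NFS share the owner of a newly written file is the connected user's account, which points at the workstation the ransomware ran on; the earliest modification time bounds when encryption started and therefore which backup generation is still clean. Both are hints, not proof: some families preserve timestamps, and a file copied by an administrator during cleanup will carry the administrator's uid.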
Ransomware may be spreading, but so is awareness. Cybercriminals have more sophisticated tools than ever, but we all have access to security and backup technology that can keep computers and companies running. Yes, we are all vulnerable, but we can take responsible steps to make ransomware attacks as rare and ineffective as possible.
Article from: Harvard Business Review – www.hbr.org