As #cybersecurity attacks increase exponentially, SolarWinds has been a target for hackers for almost a year now. Here’s some insight on how it happened and how to avoid becoming part of a #cyberattack.
In the past several months, we have seen an increase in attacks on healthcare facilities. With the #COVID-19 vaccine rollout, it is critical that healthcare facilities protect their networks and improve their #cybersecurity posture. Here are the thoughts of Ara Aslanian, CEO of Inverselogic and reevert, on what they can do to improve security. #cyberattack
Ransomware attacks have always been a large issue in the cybersecurity world. Now the victims of ransomware attacks may be penalized alongside the hackers.
The Treasury Department’s Office of Foreign Assets Control (OFAC) recently came out with an advisory stating that those who pay the ransom of a ransomware attack may themselves be subject to fines. While this may sound good on paper, in practice this black-and-white approach to a growing cybersecurity problem can be detrimental to all involved.
Popular in many an action movie, the “we don’t negotiate with terrorists” mantra may seem like appropriate dogma for cyberattacks. If one pays a bad actor the demanded ransom, it incentivizes future attacks on others. If everyone refused to pay these ransoms, the method of attack would no longer be profitable, and criminals would move on to another cybercrime. Of course, in the movies, Harrison Ford always gets his plane back and the girl; companies that are unprepared victims of ransomware are seldom that lucky.
What makes ransomware such an effective method of attack is precisely why paying that ransom is not always a bad idea. For most attacks, the ransom is pennies on the dollar compared to what the cost of a recovery would be. For all the ethical debate about rewarding someone for their crime, the reality is that not doing so may cause the most possible damage to the company or individual attacked. The city of Atlanta is an excellent example.
Atlanta was the victim of the SamSam ransomware in January of 2018. The requested ransom for this attack was $6,800 to unlock a single computer or $51,000 for all the decryption keys needed to restore the city’s entire system. This attack was the largest successful cyberattack on a U.S. city in history. It affected around six million people, interrupting activities such as paying bills and fines, some court-related processing, and several internal systems for the city itself. Atlanta decided not to pay the $6,800 or the $51,000 ransom. The city did not reward the bad actors for their bad actions and decided to take on the recovery itself. To do this, Atlanta initially put in $2.7 million to recover everything, but once its systems were finally back in place, the actual cost to the city was nearly $10 million. Atlanta didn’t let the bad guys win, but at what cost?
$10 million suddenly stripped from a city’s budget does not just mean the problem was fixed; it means the city was now $10 million short of money originally set aside for other things like salaries, school budgets, road repairs, etc. What could have been a negligible expense ended up costing millions and impacting the city for years to come. The question is what impact the OFAC advisory really has on protecting U.S. cities and companies from these types of ransom attacks.
The answer, unfortunately, is not much. For one thing, this advisory punishes the victim of the attack. Instead of weighing the cost of paying the ransom against the cost of not paying, victims now have to factor in the ransom plus the fine. This makes for some very fuzzy math. Either the fine is so high that it costs a company more than a very expensive recovery phase, or the fine plus ransom is still less than the cost of recovery.
If the cost of the fine plus ransom is greater than the cost of recovery, under the government’s guidance all ransomware attacks would be exponentially more expensive for the victims. In many cases, it may actually shut down a company that is unable to pay thousands or millions of dollars to recover.
If the cost of the fine and ransom ends up being less than the cost of recovery, then the government is essentially profiting from ransomware attacks. The fiscally responsible move will still be to pay the ransom, but now the government will get a little cut of every attack. Under this model what is the government’s motive to end such attacks?
In both scenarios, the only party to actually suffer is the victim. The government either profits or keeps the status quo; the hacker either gets paid or doesn’t, same as today. The victim is either forced out of business or put in a financially vulnerable spot by the government, or simply must pay a “victim’s tax” for being targeted. This would make for a terrible action movie.
If the OFAC advisory isn’t really an effective way of protecting U.S. businesses and cities from ransomware attacks, then what should the government be doing? The answer is in education.
Being a victim of a ransomware attack isn’t an inevitability, and being forced to decide whether to pay is not absolute. With the right internal policies, procedures, and technology in place, being the victim of a ransomware attack is entirely avoidable. But you need to know what policies and procedures to have in place, and you need to know what technology is available to protect you. The government should expand its role as a resource to help businesses and cities become aware.
Three ways the government can help with ransomware education are:
PSA videos – Create short and informative videos that can be incorporated into any HR department’s cybersecurity employee training program. Videos like these can highlight what to look for to identify a phishing scam, how to keep your personal information safe from being a phishing target, and steps to take the moment an attack is apparent.
Cyber training classes – The best way to prevent a ransomware attack is to ensure everyone within a network, be it a municipality or a corporation, is aware of all the suggested cybersecurity policies and best practices, as well as how to identify any potential point of attack. Building off the basic information that can be shared through a PSA, these classes presented by the government could go into much greater detail and provide employees with everything they need.
Cybersecurity education in schools – Ransomware and other malicious cyberattacks will always be a threat. It is the nature of a constantly changing digital world. While keeping employees up to date on the latest threats with PSA videos and cyber training classes is vitally important, we need to address these threats at the root. The best way to achieve this is to instill an awareness of the threats and dangers of cyberattacks from a young age. Teach students how to look at phishing scams or behavioral vulnerabilities with a focused mind, so that as the next generation of workers enters their various fields, they are less likely to fall prey.
The government’s role is to protect its citizens and companies. Punishing the victim should not be one of its tactics to do so. Though it may be counter-intuitive, sometimes paying off a ransom is the best move to make. The best way to prevent these types of attacks is proper education and actions before they occur. With the government’s support of a comprehensive cybersecurity education program that works with today’s generation of workers as well as the next, it will have much greater success in decreasing successful ransomware attacks in the short and long term.
There’s a new trojan malware spreading through malicious Word documents, and cybercriminals are using this virus to steal personal information and sensitive banking details. The malware, Ursnif trojan, attacks Windows operating systems and is popular with hackers since its main source code was leaked, becoming a more widely available option for cybercriminals to take advantage of. This type of trojan has existed in different forms over the years, starting in 2007 when the code first surfaced in the Gozi banking trojan.
Since the code was leaked, hackers have customized it to their liking, stealing bank account information and other valuable account details. Cybersecurity firm Fortinet has identified a new version of the trojan that spreads through Word documents whose file names follow the pattern “info_[date].doc.” The hacker attaches a malicious macro script that launches once the document’s macros (a series of operations run through a single command) have been enabled.
The macros are enabled by clicking “Enable Content,” which runs VBA code that drops a version of the Ursnif malware onto the victim’s computer. The malware then runs “iexplorer.exe” processes to connect to a command and control server on the hacker’s end. In an effort to deflect user suspicion, the host list for the server refers to security companies as well as Microsoft.
Researchers have stated that the campaign is still operating. Even though these techniques might seem a little basic, an easy phishing email attack could give these cybercriminals a chance to invade networks and initiate an extensive cyberattack.
As always, be mindful of the emails you receive, especially those with unsolicited document attachments, and check the sender email address to verify if the email is spam. When in doubt, directly contact the company referenced in the email using a phone number provided on the actual website.
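The two observables the campaign write-up above gives a defender to work with are the attachment naming pattern and the parent/child process relationship (Word spawning a browser process that then calls out). The following is an added example, not code from the original post or from Fortinet: two small checks run over constructed mail-attachment and process-creation records. The record field names, the assumed date format in the filename, and the list of Office parents and suspicious children are all assumptions made for the example; the page itself names only the “info_[date].doc” pattern and the “iexplorer.exe” process.

```python
"""
Added example (not from the original post): defender-side checks for the
Ursnif delivery chain described above.

Check 1 flags mail attachments whose filename matches the reported lure
pattern "info_[date].doc".
Check 2 flags process-creation events in which an Office application spawns a
browser or script host, which is the behaviour a macro dropper produces.

All records below are constructed for the example; the field names are
assumptions, not any vendor's log schema.
"""
import re
from dataclasses import dataclass

# The report gives no date format, so a run of 6-8 digits (e.g. 20190314) is
# assumed. Both .doc and .docm are accepted.
LURE_RE = re.compile(r"^info_\d{6,8}\.docm?$", re.IGNORECASE)

# Office parents a macro would run under (assumed typical set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children worth flagging when spawned by Office. The page names iexplorer.exe;
# iexplore.exe (Internet Explorer) and the script hosts are assumptions.
SUSPICIOUS_CHILDREN = {
    "iexplorer.exe", "iexplore.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
}


@dataclass
class Attachment:
    sender: str
    filename: str


@dataclass
class ProcessEvent:
    host: str
    parent_image: str  # full path of the parent process image
    image: str         # full path of the created process image


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lure_attachment(att: Attachment) -> bool:
    return bool(LURE_RE.match(att.filename))


def is_office_spawn(ev: ProcessEvent) -> bool:
    return (_basename(ev.parent_image) in OFFICE_PARENTS
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)


def triage(attachments, events) -> dict:
    """Run both checks and return the hits as human-readable strings."""
    return {
        "lure_attachments": [
            f"{a.sender} -> {a.filename}"
            for a in attachments if is_lure_attachment(a)
        ],
        "office_spawns": [
            f"{e.host}: {_basename(e.parent_image)} -> {_basename(e.image)}"
            for e in events if is_office_spawn(e)
        ],
    }


# Constructed sample input.
SAMPLE_ATTACHMENTS = [
    Attachment("billing@supplier.example", "info_20190314.doc"),
    Attachment("hr@corp.example", "benefits_summary.pdf"),
    Attachment("noreply@mailer.example", "Info_20190315.docm"),
]
SAMPLE_EVENTS = [
    ProcessEvent("WS01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessEvent("WS01",  # user opening a browser normally: not flagged
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessEvent("WS02",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\Public\iexplorer.exe"),
    ProcessEvent("WS03",  # Excel spawning the print spooler helper: benign
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\splwow64.exe"),
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_ATTACHMENTS, SAMPLE_EVENTS).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

The process check is deliberately keyed on the parent/child relationship rather than on the payload's file name: a renamed dropper defeats a name match, but a macro still has to run under the Office process that hosted it, so that relationship survives trivial changes to the campaign.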
Just announced yesterday, the U.K. Police Federation of England and Wales (PFEW) Surrey headquarters was hit with a cyberattack – ransomware that encrypted computer email systems and databases and deleted backup data.
The attack occurred on March 9 and affected the headquarters only; the Federation, which represents approximately 119,000 police officers, stated that its 43 branches spread throughout the U.K. and Wales were not affected.
In a tweet yesterday morning, the Police Federation explains how “[t]here is no evidence at this stage that any data was extracted from our systems but this cannot be discounted.”
Officers of the National Cyber Crime Unit have begun their investigation and are in contact with PFEW to determine the nature of the attack and the extent of damage. According to the PFEW, the attack was likely done as part of a much larger campaign set to cause further havoc.
The incident was reported to the U.K. data protection regulator within three days, as required by European regulation, although the PFEW announced the attack publicly only 12 days after it first occurred.
Norsk Hydro, one of the largest Norwegian aluminum producers, partly shut down its operations due to a large-scale ransomware attack. The company has spent this week trying to neutralize the attack, initially unaware of how significant the damage to its operations was. The attack has now been attributed to the LockerGoga ransomware, and the company is working with external partners to restore full system operations.
When the attack hit, Norsk Hydro announced that it had switched to manual operations. Its shares fell about two percent while aluminum prices went up 1.5%. There have been many breaches that caused both data loss and other infrastructural issues; in the past, cybercriminals have managed to hack into companies such as Anthem, Yahoo!, and Marriott International, to name a few.
On Thursday, March 21, Hydro’s specialists identified the source of the problem and have been working to return their systems to their pre-infected state. No safety issues have been reported since the ransomware attack first struck on Tuesday, March 19. Manual operations are still in use, but the company has announced that “most operations are [now] running.” It is still unclear how long full restoration of normal IT operations will take.
UPDATE 3/27/19: Norsk Hydro reported financial losses of up to $40 million based on the ransomware’s impact from last week. While the company is now running almost all its operations normally, the Extruded Solutions business division is still in recovery mode. The Building Systems unit is still “at a standstill,” as said in a press release. Delays are expected, but Norsk Hydro announced that this unit will “gradually ramp up production and shipments during the week.”
In a recent filing with California’s Attorney General Office, 1-800-FLOWERS was revealed to be the victim of a silent malware attack that affected the business over a four-year period. As the filing explains, customer credit card information was stolen from the Canadian branch’s website, while the main 1800Flowers.com website was unaffected.
What is interesting to note is how the malware affected the site for four years without any detection. Between August 15, 2014 and September 15, 2018, consumers’ first and last names, as well as card numbers, expiry dates, and security codes, were all accessed by the unknown hacker(s).
The report did not disclose the number of consumers affected by the breach, but under California law the company is required to inform its customers of the incident when a breach affects more than 500 people.
Interestingly enough, 1-800-FLOWERS is the second company to report a four-year-long breach: Marriott was also compromised over a four-year period in which hackers stole 500 million guest records.
For now, the company recommends that all its customers keep a close watch on their payment records and to report any suspicious charges to their bank or issuing card company.
The rate of reported ransomware attacks may have gone down, but does that mean there were fewer attacks? The figures show a slight decrease from the previous year, with 1,783 attacks reported in 2017 compared to a whopping 2,673 in 2016. Yet while such numbers may suggest this catastrophic cybercrime is on the decline, the reality is that most attacks are under-reported, leaving many to wonder how frequently attacks actually occur and how the cost will affect businesses.
According to Ms. Smith of CSO, Verizon analytics have found that ransomware incidents have actually doubled. Researchers have found that attackers usually demand a cryptocurrency payment to release an affected user’s files, but there is no assurance they will do so once payment is received. Through such ransomware attacks, cybercriminals are always thinking of ways to maximize their profit.
As former White House CIO Theresa Payton, now president and CEO of Fortalice Solutions, explains, “We used to hear very often that it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal.” Attackers now target any business that depends on the internet, raising corporate concern about impending cyberattacks.
In 2017, the WannaCry, NotPetya, and BadRabbit strains didn’t simply disrupt business processes; the attacks knocked global brands like FedEx out of normal operation. This took the ransomware threat vector to a “totally new level,” using worms to propagate through systems and affecting 300,000–400,000 devices around the world, says Steven Wilson, head of Europol’s EC3 cybercrime centre. The threat continues with cheap off-the-shelf kits sold online, giving an attacker the ransomware tools necessary to carry out another business-damaging strike.
“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”
While ransomware such as WannaCry is still very much prevalent, attacks like these did raise awareness of further strikes to come. Current trends indicate that ransomware is here to stay. Fortunately, there are cyber-hygiene steps you can acquaint yourself with to prevent attacks from happening in the future.
Keeping computer operating systems up to date is the first step to preparedness, and current anti-malware software can assist in the event of an attack. Against a major ransomware strike, the best safeguard is to keep regularly updated backups of all files for recovery.
As Payton explains, “Organizations should also consider network segmentation and introduce kill switches to prevent malware from moving laterally, as WannaCry did. [It’s always best to] practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan.” Payton further suggests that organizations also perform test runs of full restores.
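A backup is only a safeguard if the restore actually works and the restored data is the data you meant to keep; a file that was already encrypted when it was backed up is worthless. The script below is an added example, not from the original article or from Payton or Fortalice, of the kind of restore drill the advice above calls for: it records a SHA-256 manifest at backup time, re-hashes a restored tree against it, and separately flags changed files whose contents look encrypted using a byte-entropy test. The directory layout, file names, and the entropy threshold are constructed assumptions for the example.

```python
"""
Added example (not from the original article): a minimal backup-restore
verification drill.

build_manifest() records a SHA-256 digest per file at backup time.
verify_restore() re-hashes a restored tree against that manifest and reports
files that are missing, changed, or whose contents look encrypted (high byte
entropy), which is what a ransomware-encrypted file looks like if it slipped
into the backup set after infection.

The sample directory tree in demo() is constructed; the entropy threshold is
an assumed cutoff (plain text sits around 4-5 bits/byte, ciphertext near 8).
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored_root, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "changed": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["changed"].append(rel)
            # A changed file with near-random content is the ransomware signature.
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                report["suspect_encrypted"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed source tree, 'restore' a damaged copy, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "invoices").mkdir(parents=True)
        (src / "records.csv").write_text("id,name,balance\n1,ACME,120.50\n" * 50)
        (src / "invoices" / "2019-03.txt").write_text("Invoice 2019-03: paid in full\n" * 20)
        (src / "archive.bin").write_bytes(b"archive header\x00" * 200)
        manifest = build_manifest(src)

        # Simulate a flawed restore: one file lost, one replaced by random bytes
        # (standing in for ciphertext), one intact.
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "invoices" / "2019-03.txt").unlink()
        (restored / "archive.bin").write_bytes(os.urandom(4096))
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The entropy test is a heuristic, not proof: already-compressed formats (archives, media) also score near 8 bits/byte, so a real drill would whitelist those extensions or compare against the manifest first, as this script does, and only apply the entropy check to files that have actually changed.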
How can the technology community help?
Through public and private bodies working together and familiarizing themselves with software vulnerabilities, ransomware disasters can be prevented. NoMoreRansom, for instance, provides decryption tools for known ransomware strains and pools resources across organizations, helping the technology community stay one step ahead of the next crippling attack.
For more on ransomware preparedness strategies, see our guide to preventing ransomware.
If you’re purchasing security software, you’d think what you’re buying is safe, right? Well, think again. Reports are showing that scammers are tricking innocent people into buying a fake security software for $25. Isn’t that crazy?
They use two different ways to scam victims: the first is by displaying fake Blue Screens of Death (BSOD), and the other is a phony “Troubleshooter for Windows” pop-up. The supposed security application they try to sell is called “Windows Defender Essentials.” From the name, one would assume it is a legitimate product, since it sounds like “Windows Defender,” an actual Microsoft product. Right off the bat, this keeps unsuspecting victims from realizing the software is fake.
A Malwarebytes researcher discovered that the scam is distributed through a cracked software installer, which shows an unexpected error instead of the normal “troubleshooting” pop-up. The message states, “Missing .Dll registry files resulting in computer failure.” When victims click “Next,” they fall right into the scammers’ trap. They believe they are going to see what the issue is, but little do they know, they are being scammed. They are led to a list of fake problems and told the troubleshooter couldn’t fix them – and this is where the scammers get smart. The message continues that the problem “will be resolved” by clicking a “Recommended” link to “Buy Windows Defender Essentials,” which ultimately leads victims to send $25 to the scammers’ PayPal account in order to “solve the issue.” After they’ve paid, the screen unlocks and returns to their normal desktop.
A Microsoft representative has confirmed that this was a scam and they recommend users to follow advice on how to protect themselves against similar tech support scams. If you think it’s too good to be true, it is. You can read about the scams in their April 3rd and November 20th blogs.
This warning also goes for the “Click to Call” functionality on a fake website, which leads you to calling a bogus support hotline – don’t fall into the trap!
According to the tech support site Bleeping Computer, there is a way to shut down the program without paying. All you need to do is hit Ctrl+O to open a dialogue box and then enter the code published by Bleeping Computer. This makes the program think you have paid the $25, and it stops automatically.
Bleeping Computer also provides further instructions on how to remove the fake troubleshooter messages.
Hopefully this will help you stay safe from the scammers in 2018!
In a blog post today, Adobe Chief Security Officer Brad Arkin announced a major security breach affecting 2.9 million customers. The attackers accessed customer IDs, encrypted passwords, encrypted debit and credit card numbers, and other customer-related order information.
Adobe has confirmed that it has reset the relevant customer passwords and is in the process of contacting all customers affected by the attack.