Three Hospitals in Ontario hit by Ransomware.

In Brief:

Toronto East General Hospital (now called Michael Garron Hospital) and two others in southwestern Ontario were attacked by the Ryuk malware strain, which encrypts data and demands a ransom to decrypt it. Data may also have been compromised before the encryption took place.

This malware can affect systems that are unpatched or simply rarely updated, as is often the case with proprietary hospital software. It helps to have a professional from Cloudsilicon aggressively work through your network to discover and close any weak areas that put your entire network at risk.

Here is the recent CBC article on Toronto East General Hospital’s challenges.

https://www.cbc.ca/news/technology/ransomware-ryuk-ontario-hospitals-1.5308180

Think SAP was only for the largest Enterprises? Think again.

SAP Business One for Small to Medium Sized Businesses. Grows with your organization. Affordable too.

SAP Business One helps you grow your client base, manage finances, optimize procurement and vendor management to increase your profitability and fund business growth. Isn’t it time you looked at SAP for your small to medium sized business?

Deploy in the cloud, on-premises or on mobile. SAP is highly recommended for growing small businesses in the Retail, Logistics and Professional Services space.

Call us to find out more. SAP Business One could be just right for you.

Over 50% of Ransomware attacks target Small Business. Here is why:

Small business owners believe they are too small for hackers to be concerned about them;

Most small businesses only hear about the large businesses being attacked; they never hear about the smaller organizations and, therefore, do not recognize the risk;

They often lack an understanding of how they could be attacked, for example via phishing or through imposter websites;

Many small business owners find it too complicated and overwhelming to figure out what to do to protect their business. They also perceive the costs of protection as being too expensive;

Small businesses generally do not back up data properly, making ransomware attacks easy.

“The best defence against ransomware and other vulnerabilities is to acknowledge that you can be exploited—then educate yourself,” explains Jutla.

Ransomware can spread many ways, from taking advantage of a system’s vulnerability to luring potential victims through phishing attempts or free software. Once data is encrypted, there are only three ways to remedy this:

Pay the ransom;

Restore the data from backup (after cleaning all your equipment);

Start over.

There are several ways ransomware can be avoided:

Back up all your critical data onto devices that are not online all the time;

Receive training on how to prepare for ransomware attacks;

Patch (update) your IT equipment regularly (workstations, servers, network gear, and mobile devices);

Disconnect any infected device as soon as possible; and

Have a professional run a vulnerability scan and then test your systems.

“Businesses of all sizes should have awareness training in place,” says Jutla. “This training should include policies on how to identify phishing attempts, validate websites and how to choose strong passwords. Sometimes secure networks are breached because of a weak policy, as happened to the UK healthcare system.”

Furthermore, businesses should commit to operating a strong network by having anti-virus and host-intrusion prevention systems; firewalls at entry points into networks; and email filtering services. Ensure you subscribe to daily alert messages such as those from US-CERT, which publishes known vulnerabilities.

Jutla strongly advises small business owners who aren’t necessarily tech savvy to obtain consulting help or hire a services partner to manage all the potential complexities.

United States Department of Justice indicts hackers who crippled Atlanta.

The Port of San Diego. The city of Atlanta. Kansas Heart Hospital. Those are just a few of the more than 200 municipalities, universities, hospitals, and other targets that have fallen victim to SamSam, a pernicious strain of ransomware that has spent the past three years rampaging throughout the US. On Wednesday, the Justice Department indicted two Iranian men allegedly behind the attacks.

The six-count indictment (embedded in full below) alleges that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both Iranian nationals, created SamSam and deployed it to devastating effect. In all, the Justice Department estimates that the hackers collected around $6 million in ransom payments from victims, while causing $30 million of damage.

“SamSam ransomware is a dangerous escalation in cybercrime,” said US Attorney Craig Carpenito at a Wednesday press conference announcing the charges. “This is a new type of cybercriminal. Money is not their sole objective.”

SamSam Scam

At the very least, the way the SamSam hackers went about acquiring that money sets them apart from the typical ransomware attacker. “Most ransomware is delivered via a phishing email with a malicious attachment,” says Jake Williams, founder of cybersecurity firm Rendition Infosec. “We don’t see that with SamSam. SamSam does something a little bit different.”

Rather than blast out phishing emails and passively wait to see who bites, the indictment alleges that Savandi and Mansouri conducted reconnaissance on specific targets—like hospitals and cities—that a systemwide shutdown would impact the most. They then took advantage of lacking cybersecurity hygiene, like passwords that could be guessed with a brute force attack, to get an initial foothold into a system.

“We’ve never been aware of [the SamSam attackers] using social engineering or traditional malware attacks to gain access to systems. It’s either been through vulnerabilities in web applications or weak authentication, stuff that does not require action on the part of the victim,” says Keith Jarvis, senior security researcher at SecureWorks, a cybersecurity firm that has tracked SamSam infections.

Not only does that show the relative sophistication of the SamSam hackers, it also makes the attacks much harder to defend against. Rather than infect a single workstation, the ransomware can seize up a dozen or more critical servers. Think of it as the difference between a robber who walks down the street knocking on every door to see who opens it, and one who takes the time to pick the lock and dismantle the security system.

“They will silently move through the network and locate additional machines for exploiting inside that network. We’ve seen a couple of cases where they’ve targeted online backups and deleted those online backups before they begin the encryption process,” says Williams. “They’re not the only group that does it, but they’re definitely the best known group that does it.”

Why the extra effort? Because a hospital in that situation would be that much more likely to pay up. The FBI recommends that ransomware victims hold out, but that’s not always practical when you have, say, an entire city to run.
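Weak authentication that could be brute-forced was, per the indictment, the SamSam operators' way in. The following is an added example (not from the article, the indictment or any vendor) that runs a small detector over constructed authentication-log lines and flags a login that succeeds after a burst of failures from the same source; the log format, the ten-minute window and the five-failure threshold are assumptions.

```python
"""Flag password guessing that ends in a successful login.

Added example, not from the Wired article or the indictment. Log lines are
assumed to look like '<ISO-timestamp> <FAIL|OK> user=<name> src=<ip>';
window and threshold are assumed tuning values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers several accounts and finally
# gets in; a second source is a single ordinary typo followed by success.
SAMPLE_LOG = """\
2018-11-28T02:00:01 FAIL user=admin src=203.0.113.7
2018-11-28T02:00:03 FAIL user=admin src=203.0.113.7
2018-11-28T02:00:04 FAIL user=administrator src=203.0.113.7
2018-11-28T02:00:06 FAIL user=admin src=203.0.113.7
2018-11-28T02:00:09 FAIL user=backup src=203.0.113.7
2018-11-28T02:00:11 OK user=backup src=203.0.113.7
2018-11-28T02:05:00 FAIL user=jsmith src=198.51.100.4
2018-11-28T02:05:20 OK user=jsmith src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def find_guessing_then_success(log, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user, fail_count) for every successful login that was
    preceded by at least `threshold` failures from the same source inside
    `window`. Such a sequence is worth an alert even though the final
    event is, on its own, a perfectly normal successful logon."""
    recent = defaultdict(deque)  # src ip -> timestamps of recent failures
    hits = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        failures = recent[src]
        while failures and ts - failures[0] > window:  # drop stale failures
            failures.popleft()
        if result == "FAIL":
            failures.append(ts)
        elif result == "OK" and len(failures) >= threshold:
            hits.append((src, user, len(failures)))
            failures.clear()  # report each burst once
    return hits


if __name__ == "__main__":
    for src, user, n in find_guessing_then_success(SAMPLE_LOG):
        print(f"ALERT: {src} logged in as {user} after {n} failures")
```

The same logic applies unchanged to a stream read from a real log forwarder; only `parse_line` needs to match the actual format.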

Slipping Up

Wednesday’s indictment doesn’t contain that much more information about SamSam than was previously known, aside from the identity of the alleged perpetrators. Even that may not be as salacious as it seems; despite a recent uptick in state-sponsored Iranian cyberattacks, the pair have no apparent government ties.

Of more interest may be the hints at how the feds traced the crimes back to their origins. While details there are scant, the indictment does indicate that investigators acquired not only chats between the alleged malware perpetrators and the bitcoin exchanges in which they laundered their proceeds, but also the specific bitcoin addresses associated with the attacks. In a first, the Treasury Department Wednesday imposed sanctions against those addresses, which combined had processed more than 7,000 transactions.

“The criminals believed they were masking their identities on the dark web. However, this case shows that anonymizers may not make you as anonymous as you think you are. They used bitcoin to avoid detection, but this case shows that the digital currency can be traceable,” said FBI executive assistant director Amy Hess at a press conference Wednesday.

It remains to be seen whether the indictment actually stops or even slows SamSam attacks. “In the past, it’s been shown that without both a legal action and a technical operation against them, cybercriminals are more likely to continue their attacks,” says Jarvis. “In this case there really wasn’t any sort of technical operation that stops them from committing these crimes now or in the future.”

Because the US has no extradition treaty with Iran, the pair seem unlikely to be apprehended. And given that their targets comprised Iranian adversaries—the attacks overwhelmingly hit the United States, with scattered examples in the UK and Canada—it’s unclear whether Iranian law enforcement will go out of their way to interfere with their efforts. Jarvis says SecureWorks has seen fresh SamSam infections as recently as four days ago.

That doesn’t make the indictment just for show. Regardless of the impact on the alleged SamSam hackers specifically, the Justice Department made a statement that should resound among cybercriminals who rely on bitcoin and the dark web for anonymity.

“It absolutely adds a chilling effect,” Jarvis says. “It says you can make millions of dollars, and you can go untouched for years, but eventually you’re going to get named.”

Towns of Midland and Wasaga Beach pay ransom to ransomware criminals.

The town of Midland says it has returned to normal operations less than a month after its systems were infected with ransomware and held hostage by cybercriminals.

According to an update released by the town on Monday, “substantive progress” has been made on restoration efforts and on the ongoing forensic investigation into the incident.

The town’s network was illegally accessed and infected by ransomware on Sept. 1, when cybercriminals used malware to encrypt several town systems, rendering them unusable.

On Sept. 6, the town began the process of paying an undisclosed ransom amount, demanded in bitcoin, to the cybercriminals in exchange for the encryption keys to unlock the systems.

A spokesperson for the town was unable to say if all of the town’s systems have been restored, but said the “relevant systems” have been decrypted and the town has returned to normal operations.

While the investigation is ongoing, the town’s spokesperson was unable to provide Global News with the amount paid to the cybercriminals, saying those numbers are expected to be released when a report is presented to town council at a later date.

The town of Wasaga Beach’s computer system was compromised in a similar incident back in April. The town paid just under $35,000 to decrypt its system and once the cost of internal staff overtime and internal productivity losses were added to the bill, the total cost of the incident amounted to more than $250,000.

Despite speculation that the incidents may have been connected, the town of Midland’s spokesperson says it is not aware of any evidence that suggests the attack was in any way related to the incident in Wasaga Beach.

Bitdefender cracks the latest GandCrab ransomware version.

Last week, Bitdefender cracked the latest GandCrab ransomware version, thereby covering all versions of this annoying malware, which has affected tens of thousands of businesses.

You can download the latest toolset to rid yourself of GandCrab, up to the latest 5.1 version, here.

Bitdefender Labs on the Case

When GandCrab started spiking on the threat map in January 2018, Bitdefender released the first free decryptor to help victims take their digital lives back. More than 2,000 home users, companies and non-profits used it to retrieve their lost data and avoid paying millions in ransom.

Ten months later, we released another decryptor to expand support to GandCrab versions 1, 4 and 5 up to 5.0.3. Ever since, we have been contacted by, and have kept in touch with, thousands of victims seeking help.

While this is the third time we have defeated GandCrab encryption in the past year, our celebration will be short-lived. We’ll be back to work tomorrow, as GandCrab operators will no doubt change tactics and techniques.