Another day, another ransomware attack. Russians again (REvil?)

UltraTaco (Limp Gawd), joined Feb 21, 2020, 150 messages
https://www.nbcnews.com/tech/securi...-70-million-say-locked-1-million-dev-rcna1339

The hacker gang behind an international crime spree that played out over the Fourth of July weekend says it has locked more than a million individual devices and is demanding $70 million in bitcoin to set them all free in one swoop.

The gang, the Russia-connected REvil, is best known for previously having hacked JBS, one of the world's largest meat suppliers, briefly halting its operations across much of North America. But this attack's potential scope is unprecedented, some cybersecurity experts said.



REvil began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Because many of Kaseya's customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil locked each victim computer as a standalone target and initially asked for $45,000 to unlock each one.

President Joe Biden told reporters Sunday that he has "directed the full resources" of the government toward investigating the problem.

[Photo caption: A shuttered Coop supermarket store in Stockholm on Saturday during a cyberattack against organizations around the world. Ali Lorestani / AFP - Getty Images]
The Swedish grocery chain Coop is the largest known victim; it closed most of its about 800 stores all day Saturday. Its registers were controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.

Exactly how many systems have been infected is unknown, although the number is likely to be sizable. The cybersecurity firm Huntress, which is helping Kaseya's response, said it was aware of more than 1,000 businesses that had been affected.


REvil's claim that it has compromised more than a million devices is impossible to prove, because few victims are speaking publicly and no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.

"Think about a retail chain, like grocery retail," Hypponen said. "Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. Two hundred stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints."

Regardless of the actual number of victims, it's extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future.

"Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed," Liska said.


A million victims that each paid $45,000 would yield $45 billion, he noted.

"They are lowballing themselves at $70 million," he said.
 
Such an easy solution to these things: stop paying ransoms. Especially for software, it's not like you could trust the attacker to 1: actually decrypt after you pay or 2: not embed another virus into the decryption. You're restoring a backup either way, and if people don't pay ransoms, ransomware goes away.
 
Such an easy solution to these things: stop paying ransoms. Especially for software, it's not like you could trust the attacker to 1: actually decrypt after you pay or 2: not embed another virus into the decryption. You're restoring a backup either way, and if people don't pay ransoms, ransomware goes away.
okay and if you don't have backups, you're fucked. Sometimes it makes sense to pay the ransom.
 
Such an easy solution to these things: stop paying ransoms. Especially for software, it's not like you could trust the attacker to 1: actually decrypt after you pay or 2: not embed another virus into the decryption. You're restoring a backup either way, and if people don't pay ransoms, ransomware goes away.

Easier solution: Stop trading convenience for security. All of these stupid millennial companies with edgy names trying to provide convenience as a service where they have no business belonging.

If you have a business that is entirely reliant on core functions of your business being performed by third parties, and your business will fail if those services stop working for any reason, you shouldn't be in business.

Hacks like this show how badly managed many businesses are becoming. I would never in a million years rely on a cloud based payment processor as my only source of processing client payments, that's just dumb. Hell, I'd even avoid it for any sort of payment processing. All of these convenience services nickel and dime you to death on fees of all descriptions, which add up to huge sums of money. It leads to substantial increased cost of goods businesses serve customers.
 
Such an easy solution to these things: stop paying ransoms. Especially for software, it's not like you could trust the attacker to 1: actually decrypt after you pay or 2: not embed another virus into the decryption. You're restoring a backup either way, and if people don't pay ransoms, ransomware goes away.

An easier fix would be to disconnect from Russian, Chinese and any other ISP that hosts these criminals. Probably would be easier with Russian ISPs as the Chinese already have their hooks in the United States.
 
Man I work in the solutions industry and you will be amazed how companies simply ignore security.

There are companies that simply ignore endpoints. Oh, we are going to keep finding ways to tell ourselves we don't need it, then they pretend like they are the victims when all along they were ignorant. I bet you the ransomware got on to the network in a way which was easily avoidable, but hey, the company was probably too lazy to have the checks it needed in place.

Then there are 2 out of 10 companies I meet that won't even be that big but they will have their shit in a row, and I am blown away how they have their endpoints managed and secured so well.

Then I meet the companies they want to basically let employees run business on their personal cell phones, I mean huge company lol with 0 protection. I am like wow just wow!!! Their reasoning is they just don't want to deal with company phones too much work so they will just pay employees stipend and they don't have to stress! I am like but you trust them to handle all business on their personal phones with their kids clicking on whatever links they want? hmm.

It's just human nature, no one wants to do shit until they have to react to it. It's the same thing: if you weren't forced to buy car insurance most people likely wouldn't buy it either, just the way we are in our nature. Most companies just refuse to take on the role of managing security; they would rather deal with it after it happens, they will just pray it won't bankrupt them though.
 
If you don't have backups you were fucked before you started. It might have been ransomware, it could have been a lightning strike or a fire instead. If you have no backups then the end cause is irrelevant.

I agree but you might be shocked to see how many companies don't have any disaster recovery plans.
 
I agree but you might be shocked to see how many companies don't have any disaster recovery plans.

Absolutely. Every time I ask what's your plan if you were to get hit by something, their response is usually something stupid like we aren't important enough to be hacked or something like that. I am like, so you have no plan lol.
 
I agree but you might be shocked to see how many companies don't have any disaster recovery plans.

Absolutely. Every time I ask what's your plan if you were to get hit by something, their response is usually something stupid like we aren't important enough to be hacked or something like that. I am like, so you have no plan lol.
I would not be surprised at all, I mean everybody has a plan until you get punched in the face and you realize your plan was shit.
Companies constantly skirt good security for convenience, and completely fail to include bad actors in their backup process. Most places can be brought down to their knees by some pretty low level staff who just want to say FU on their way out the door. I’ve said it in a few places but corporate networks need to police their internal and outgoing traffic to a far more rigorous degree than their internal traffic.
Hackers aren't sitting there hammering your external ports trying to find a way in. They just blanket the Internet hoping to get access to unpatched tablets, phones, and laptops, then see where those bring them. Those devices have untold riches in terms of usernames and passwords, and they get carried into all sorts of locations and connected to all sorts of networks. From those networks they use the device as a staging location and have it infect what it can and repeat the process until the hackers find something juicy, and they focus in and pounce when they think they've got them by the squishy bits.
 
Easier solution: Stop trading convenience for security. All of these stupid millennial companies with edgy names trying to provide convenience as a service where they have no business belonging.

If you have a business that is entirely reliant on core functions of your business being performed by third parties, and your business will fail if those services stop working for any reason, you shouldn't be in business.

Hacks like this show how badly managed many businesses are becoming. I would never in a million years rely on a cloud based payment processor as my only source of processing client payments, that's just dumb. Hell, I'd even avoid it for any sort of payment processing. All of these convenience services nickel and dime you to death on fees of all descriptions, which add up to huge sums of money. It leads to substantial increased cost of goods businesses serve customers.

News flash, it is not just millennials, sorry; it is companies of all ages, run by old people as well.
 
I would not be surprised at all, I mean everybody has a plan until you get punched in the face and you realize your plan was shit.
Companies constantly skirt good security for convenience, and completely fail to include bad actors in their backup process. Most places can be brought down to their knees by some pretty low level staff who just want to say FU on their way out the door. I’ve said it in a few places but corporate networks need to police their internal and outgoing traffic to a far more rigorous degree than their internal traffic.
Hackers aren't sitting there hammering your external ports trying to find a way in. They just blanket the Internet hoping to get access to unpatched tablets, phones, and laptops, then see where those bring them. Those devices have untold riches in terms of usernames and passwords, and they get carried into all sorts of locations and connected to all sorts of networks. From those networks they use the device as a staging location and have it infect what it can and repeat the process until the hackers find something juicy, and they focus in and pounce when they think they've got them by the squishy bits.

Yep. Always bringing it up to them as a valid concern. They are totally ignorant to the mobile devices it seems. I mean how many times we touch them is crazy and one can easily click on something even if they didn't mean to. Had an organization who has well over 3000 employees that just didn't wanna bother managing company devices, so they just pay a stipend and employees use their personal phones for work with 0 oversight. It's amazing how totally ignorant they are for the sake of not having to invest any manpower on it. "We certainly like the security features of the mobile device management and phishing detection etc but we will implement at a later date" 🤷‍♂️ Lol.
 
Yep. Always bringing it up to them as a valid concern. They are totally ignorant to the mobile devices it seems. I mean how many times we touch them is crazy and one can easily click on something even if they didn't mean to. Had an organization who has well over 3000 employees that just didn't wanna bother managing company devices, so they just pay a stipend and employees use their personal phones for work with 0 oversight. It's amazing how totally ignorant they are for the sake of not having to invest any manpower on it. "We certainly like the security features of the mobile device management and phishing detection etc but we will implement at a later date" 🤷‍♂️ Lol.
Honestly this reason alone is why we've gone primarily Apple for our mobile at work. They have their security issues for sure, but at least their patching schedule and support for devices is pretty robust and their available MDM solutions are great. Android just has too many ways to "customize" and get things in there, and they don't do nearly enough to police their stores. I've had 2 major incidents in 10 years and both of them came from Android devices, either because the user was running an old OS ("but the phone worked awesome!") or they sideloaded a chat app so they could talk with family. And in both cases it resulted in my dummy RHEL instances being locked.

On one of my VLANs I have two servers that just send and receive what looks like financial transactions to a SQL database, but really it's garbage traffic generated by some old desktops. That equipment lives on its own VLAN so it looks like an admin network and just acts as a honeypot. So if I get something weird going on there I know I've got an issue.
 
okay and if you don't have backups, you're fucked. Sometimes it makes sense to pay the ransom.
If you as a company don't have backups you fucked yourself. You don't even need ransomware for a disaster to hit. And you can't pay the storage to turn back on after it dies :D
 
Easier solution: Stop trading convenience for security. All of these stupid millennial companies with edgy names trying to provide convenience as a service where they have no business belonging.

If you have a business that is entirely reliant on core functions of your business being performed by third parties, and your business will fail if those services stop working for any reason, you shouldn't be in business.

Hacks like this show how badly managed many businesses are becoming. I would never in a million years rely on a cloud based payment processor as my only source of processing client payments, that's just dumb. Hell, I'd even avoid it for any sort of payment processing. All of these convenience services nickel and dime you to death on fees of all descriptions, which add up to huge sums of money. It leads to substantial increased cost of goods businesses serve customers.
But it's all in the cloud, which is better for business! No infrastructure costs, so obviously that makes it better! /s
 
But it's all in the cloud, which is better for business! No infrastructure costs, so obviously that makes it better! /s
Yeah, the cloud is an awesome, totally great service model that works excellently with America's excellent 3rd-world internet! Totally nothing bad can ever happen.
 
I agree but you might be shocked to see how many companies don't have any disaster recovery plans.
or those that do...and never test their DR! ;)
seen that one too...a few times. yes we have backups....uhhhhhhh we cannot read the backups...now what?
 
Hmm, as "predicted" by the World Economic Forum. I guess it's just a matter of time till they start regulating the internet while throwing around the good old "it's for your own good" excuse.
 
or those that do...and never test their DR! ;)
seen that one too...a few times. yes we have backups....uhhhhhhh we cannot read the backups...now what?
It also doesn't help that they live in the system for weeks, waiting until they are sure they have compromised all the backups they can find before they pull the trigger. Dell was recently advertising their stealth backup appliances; I couldn't make time for the meeting, but supposedly it's not network addressable or something like that, so the methods used to find it on a network don't work and the crypto viruses and such can't spread to it.
 
We use Kaseya and shut down our VSAs and the AD accounts to prevent intrusion Friday. So far we haven't seen any evidence that it was passed on to us but we are monitoring constantly. Yep, made a long weekend for a few people sadly. Stupid Russians.
 
It also doesn't help that they live in the system for weeks, waiting until they are sure they have compromised all the backups they can find before they pull the trigger. Dell was recently advertising their stealth backup appliances; I couldn't make time for the meeting, but supposedly it's not network addressable or something like that, so the methods used to find it on a network don't work and the crypto viruses and such can't spread to it.

The Dell/EMC CyberVault / CyberRecovery with their Data Domain? Yeah, we own it, it's great for an air gap, but the performance is terrible, and the software is buggy. We are counting the days till we remove it from our environment. It takes us 5 hours to mount an image online in the vault.....
 
If you as a company don't have backups you fucked yourself. You don't even need ransomware for a disaster to hit. And you can't pay the storage to turn back on after it dies :D
Backups won't protect you with many ransomwares. Unless the storage is air-gapped, many have had their storage encrypted by ransomware where the backups go too.
 
If you don't have backups you were fucked before you started. It might have been ransomware, it could have been a lightning strike or a fire instead. If you have no backups then the end cause is irrelevant.
As I mentioned to someone else above, backups won't protect you with many ransomwares. Unless the storage is air-gapped, many have had their storage encrypted by ransomware where the backups go too.
 
As I mentioned to someone else above, backups won't protect you with many ransomwares. Unless the storage is air-gapped, many have had their storage encrypted by ransomware where the backups go too.
It doesn't necessarily have to be air gapped, but it certainly should not be write accessible with the same credentials from the same network as the live data.
 
It doesn't necessarily have to be air gapped, but it certainly should not be write accessible with the same credentials from the same network as the live data.

If the ransomware was monitoring the systems to gain access with whatever creds the storage had, it can attack it. Also, from a rogue user too, it's best to have an air-gapped environment. That is why they make air-gapped systems like we have, which we just spent a million on. Who's to say the ransomware doesn't hijack the software, Veeam or CommVault for example, and use it to gain access to the backup data too. It has happened.
 
If the ransomware was monitoring the systems to gain access with whatever creds the storage had, it can attack it. Also, from a rogue user too, it's best to have an air-gapped environment. That is why they make air-gapped systems like we have, which we just spent a million on. Who's to say the ransomware doesn't hijack the software, Veeam or CommVault for example, and use it to gain access to the backup data too. It has happened.
Yeah, I've been looking at various "air gapped" solutions for a while and I just don't have the budget for it. Honestly, probably just going to order a small desktop that has a 5 1/4" hot-swap SSD bay in the front and run a 10G fibre run to it. Get some 12 2TB SSDs and label them 1-12. Then just work with accounting so on the 1st of the month they put in the appropriate disk and run a backup script. Those disks can then just live in their vault. Our office is an old bank so there is a literal vault.
 
Yeah, I've been looking at various "air gapped" solutions for a while and I just don't have the budget for it. Honestly, probably just going to order a small desktop that has a 5 1/4" hot-swap SSD bay in the front and run a 10G fibre run to it. Get some 12 2TB SSDs and label them 1-12. Then just work with accounting so on the 1st of the month they put in the appropriate disk and run a backup script. Those disks can then just live in their vault. Our office is an old bank so there is a literal vault.
Basically how tapes worked, just using disks instead. It'll do the job. Much better than spending 1 million like we had to.

What you could do too, just as an option, as it should work; I do it at home: a Synology NAS connects to Backblaze and backs up the data daily with many incremental backups. I have 6TB on Backblaze and it's only like 3 bucks a month. It only connects when it needs to back up, so technically that could work as an air gap. I am not sure how immune the Synology would be to ransomware from the network, but at least it's a little bit of an air gap.
 
Basically how tapes worked, just using disks instead. It'll do the job. Much better than spending 1 million like we had to.

What you could do too, just as an option, as it should work; I do it at home: a Synology NAS connects to Backblaze and backs up the data daily with many incremental backups. I have 6TB on Backblaze and it's only like 3 bucks a month. It only connects when it needs to back up, so technically that could work as an air gap. I am not sure how immune the Synology would be to ransomware from the network, but at least it's a little bit of an air gap.
Well, most of our stuff is encrypted and redundant in SharePoint Online with our A5 O365 licenses, so I am not worried about that. AD would be a pain to lose, but I could rebuild it easily enough from scratch in a week with some clerical help with data entry. But our HR/Accounting software has records going back to the 1920s and much of the original hard copies have physically rotted or just been lost to time, so that system is pretty irreplaceable, and yes, we often get pensions calling us for records going back to the '40s and '50s, and the government requires us to keep records for at least 99 years, so if I lost that we would honestly have to consider paying the ransom if I couldn't get functional backups in place. But even if I had to pull out the database from 2-3 months prior, that would be far better than paying a ransom.

Side note you can still buy tapes, they are still an active product sold by Dell, and HP, probably others too but Dell and HP have at least tried to sell me on their tape backup solutions in recent months.
 
Well, most of our stuff is encrypted and redundant in SharePoint Online with our A5 O365 licenses, so I am not worried about that. AD would be a pain to lose, but I could rebuild it easily enough from scratch in a week with some clerical help with data entry. But our HR/Accounting software has records going back to the 1920s and much of the original hard copies have physically rotted or just been lost to time, so that system is pretty irreplaceable, and yes, we often get pensions calling us for records going back to the '40s and '50s, and the government requires us to keep records for at least 99 years, so if I lost that we would honestly have to consider paying the ransom if I couldn't get functional backups in place. But even if I had to pull out the database from 2-3 months prior, that would be far better than paying a ransom.

Side note you can still buy tapes, they are still an active product sold by Dell, and HP, probably others too but Dell and HP have at least tried to sell me on their tape backup solutions in recent months.
Oh, I bet tapes are still available with ransomware getting worse. It’s the cheap viable option for smaller companies for sure.
We are a bank and only need to keep records for 7 years. So backups are kept that long as well on certain servers. Most are 3 years but a handful is 7. But with that Synology I'd back up to it with your software, then let it sync to the cloud (Backblaze). If I still worked for a non-profit I'd probably do it that way.
 
because most people in IT are not as clever as they should be!
Because companies hire their workers at a discount from India. Because it's cheaper to not spend money to maintain security and to pretend it isn't an issue. It's not like the vectors that ransomware takes aren't known. Fact is, companies pay the ransom and then do nothing afterwards to fix the vulnerability. So of course they get attacked again, like 80% of the time, because again they refuse to spend money to fix the vulnerability and upgrade their security. Basically nobody wants to spend money.
 
It doesn't necessarily have to be air gapped, but it certainly should not be write accessible with the same credentials from the same network as the live data.
Bingo, and that is the #1 mistake 99% of companies and IT people make. It is all on the same network under the same domain....

Backups should be "pulled" to your systems, not pushed from the systems being backed up, this allows greater control on permissions and ACLs and what is even visible at the OS level / virt layer.
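Added example, my own Python and not code posted by anyone in this thread, of the pull model described in the post above together with the "test your DR" point raised earlier: the backup host copies the production tree (assumed to be mounted read-only or reached with read-only credentials; the production side holds no credentials for the vault), records a SHA-256 manifest, drops the write bits, and a separate verify step re-reads the snapshot and reports any file that no longer matches. All paths and sample files are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_snapshot(source: Path, vault: Path, label: str) -> Path:
    """Runs on the backup host: copy `source` (reached read-only) into
    vault/<label>/data, write a SHA-256 manifest, then drop the write bits.
    Production systems never hold credentials for `vault` (assumption)."""
    snap = vault / label
    data = snap / "data"
    shutil.copytree(source, data)
    lines = [f"{_sha256(p)}  {p.relative_to(data).as_posix()}"
             for p in sorted(data.rglob("*")) if p.is_file()]
    (snap / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    for p in snap.rglob("*"):
        p.chmod(0o444 if p.is_file() else 0o555)
    snap.chmod(0o555)
    return snap


def verify_snapshot(snap: Path) -> list:
    """The 'test your DR' step: re-read every file in the snapshot and compare
    it with the manifest. Returns a list of problems; empty means restorable."""
    manifest = snap / "MANIFEST.sha256"
    if not manifest.is_file():
        return ["manifest missing"]
    expected = {rel: digest for digest, _, rel in
                (ln.partition("  ") for ln in manifest.read_text().splitlines())}
    data = snap / "data"
    problems = []
    for rel, digest in expected.items():
        p = data / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def _unlock(root: Path) -> None:
    """Restore write bits so a snapshot can be altered or deleted."""
    for p in root.rglob("*"):
        p.chmod(0o644 if p.is_file() else 0o755)


def demo() -> dict:
    """Constructed end-to-end run: back up a toy finance tree, verify it, then
    overwrite one backed-up file the way an encryptor would and verify again."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "prod" / "finance"
        (src / "2021").mkdir(parents=True)
        (src / "2021" / "ledger.csv").write_text("date,amount\n2021-07-02,45000\n")
        (src / "README.txt").write_text("constructed sample data\n")
        vault = root / "vault"
        vault.mkdir()
        snap = pull_snapshot(src, vault, "2021-07")
        clean = verify_snapshot(snap)
        # Simulated intruder who reached the vault with write rights: the
        # read-only bits only slow them down, the manifest check catches it.
        victim = snap / "data" / "2021" / "ledger.csv"
        victim.chmod(0o644)
        victim.write_bytes(os.urandom(64))  # stand-in for ciphertext
        return {"clean": clean, "tampered": verify_snapshot(snap)}
    finally:
        _unlock(root)
        shutil.rmtree(root)
```

Run `verify_snapshot` on a schedule from the backup host itself and alert on any non-empty result; a snapshot that has never been read back is the "we cannot read the backups" case from earlier in the thread.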
 
Easier solution: Stop trading convenience for security. All of these stupid millennial companies with edgy names trying to provide convenience as a service where they have no business belonging.

If you have a business that is entirely reliant on core functions of your business being performed by third parties, and your business will fail if those services stop working for any reason, you shouldn't be in business.

Hacks like this show how badly managed many businesses are becoming. I would never in a million years rely on a cloud based payment processor as my only source of processing client payments, that's just dumb. Hell, I'd even avoid it for any sort of payment processing. All of these convenience services nickel and dime you to death on fees of all descriptions, which add up to huge sums of money. It leads to substantial increased cost of goods businesses serve customers.
Way to fit the hate on millennials in there. Well done.
 