
Ransomware pandemic: This is getting ridiculous

Richi Jennings, your humble blogwatcher, dba RJA

Ransomware attacks are ten-a-penny now—all over the world. Are we getting blasé about the problem?

Public school systems and universities are closing, banks are turning away customers, and PII of healthcare patients is leaking. And that’s in just the past week.

Something must be done! This week’s Security Blogwatch is … something.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 5 life lessons.

Schools and banks and healthcare—oh my

What’s the craic? Tara O’Neill before Zod—Computer virus delays first day for Hartford public schools:

A ransomware virus has prompted the city’s public schools to delay their first day back … since the COVID-19 pandemic closed schools in March. … Officials said there would be no in-person or online learning after a ransomware virus “caused an outage of critical systems and the restoration of those systems are not complete,” the letter said.

It’s unclear whether the ransomware attack will impact the rest of the schedule for returning students. Officials said parents, staff and students will be updated when the school district has more information.

And those aren’t the only northeastern schools in trouble. Gareth Corfield circles the story in the UK—Newcastle University [and] Northumbria hit by ransomware attacks:

A cyber attack at Newcastle University has turned out to be a ransomware infection courtesy of the Doppelpaymer gang. … The university said in a statement on its website that it would take “several weeks” to repair its systems.

Northumbria University, which is located in Newcastle but not part of that city’s eponymous further education institution, also confessed … it had fallen victim to a “cyber incident.” … Professor Peter Francis, Northumbria’s deputy vice-chancellor, … said: “Since we became aware of the incident, we engaged a group of dedicated, external specialists [and] took immediate action … to mitigate the impact.” … The university said in a statement: “The investigation is still at an early stage and we are currently assessing the scope of the incident.”

Are we surprised? xXNorthXx isn’t:

Unfortunately not surprised, IT in many school districts is often very understaffed.

1. keep all systems patched
2. isolate as many servers from each other
3. don’t run services with admin accounts
4. 3-2-1 the backups …
5. take a look at snapshots as a possible fast rollback method

Never pay ransomware. Learn from it and don’t make the same mistakes twice. Lastly, share some details with peer districts so they know what to audit themselves.

Other universities are in trouble, too. So says this Anonymous Coward:

I work at Durham and we have been notified internally that we are also being attacked - no idea how successfully but at least some of our websites have been taken down.

And not just .edu, neither. Catalin Cimpanu calls Chile—All BancoEstado branches will remain closed … following ransomware attack:

Details about the attack have not been made public, but a source close to the investigation told [me] that the bank's internal network was infected with the REvil (Sodinokibi) ransomware. … Investigators believe that [it] originated from a malicious Office document received and opened by an employee. The malicious Office file is believed to have installed a backdoor on the bank's network.

While initially, the bank hoped to recover from the attack unnoticed, the damage was extensive, according to sources, with the ransomware encrypting the vast majority of internal servers and employee workstations. … It appears the bank had done its job and properly segmented its internal network [so] the bank's website, banking portal, mobile apps, and ATMs were untouched.

Ah, the old “malicious .docx file” shenanigans. sjames vents frustration:

A document should be data, not code. There was a time when documents didn't carry a risk of running malicious code.

Yikes. It’s long past time to get serious. Andy Greenberg finds an angle—Facing looming election threats and a ransomware epidemic, [FBI] has revamped its process:

FBI officials never explicitly admitted to a failure in the case of the DNC's botched notification. But they … nonetheless described a bureau that has revamped its practices to warn hacking targets faster, and at a higher level of the targeted organization—especially in cases that might involve the upcoming election or the scourge of ransomware costing companies millions of dollars.

The epidemic of ransomware hitting US companies has … forced the FBI to improve and accelerate its warnings to hacking victims. … The FBI has developed a so-called "emergency lead notification" process that bypasses the bureau's usual internal consultations and immediately notifies a cybersecurity-focused agent in a field office who can warn a victim, hopefully before the hackers deliver their ransomware payload.

"We want them to be reaching out to the C-suite level, to senior executives," says … Steven Kelly, the FBI's chief of cyber policy. … "To make sure they're aware of what's going on and that they're putting the right amount of calories into addressing the issues."

But an unsympathetic Excelcia blames the victims:

Anyone actually affected by ransomware is … just pure Darwinism at work. … Ransomware should be exactly no different from a hard drive failure.

You restore from last night's image, and you move on. The ground-zero computer you take more precautions with, in case it had been infected earlier, but even then you shouldn't have to go back more than a week.

With the proper and correct backup procedures in place, ransomware just isn't a threat. … It boggles my mind that ransomware perpetrators are the ones treated as to blame. The internet is a sewer, and … weaponized vulnerability exploits are out there for your average dummy to access.

Lest we forget, ransomware isn’t just about restoring encrypted data. Lisa Schencker underscores the risks—NorthShore health system says personal information of 348,000 people potentially exposed in data breach:

NorthShore recently sent a letter to those affected saying information including their full names, birth dates, addresses, phone numbers, doctors' names, doctors' offices and dates of admission and discharge may have been exposed … in a breach involving one of the health system’s vendors. … The vendor, Blackbaud … provides software services to NorthShore’s foundation as well as 35,000 other nonprofit fundraising organizations, NorthShore said in the letter to those affected.

The Blackbaud breach was the result of a ransomware attack … Blackbaud said in a statement on its website. … Blackbaud said in a statement it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Meanwhile, algaeman chows down on a delicious ’memberberry:

Remember back when kids would just call in fire drills to get out of exams?

The moral of the story?

Consider blocking complex file types in incoming email. Pentest and redteam. Segment your networks. Test your DR strategy.
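One way to act on the first of those recommendations at a mail gateway, as an added example that is not from this post or any of the sources it quotes: look at what an attachment actually contains rather than what its extension claims, so a macro-enabled Office file renamed to .docx is still caught. The blocked-extension policy list, the verdict names and the sample message are constructed assumptions for illustration.

```python
"""Inbound attachment policy check (added example; sample data is constructed)."""
import io
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/...) container
# Hypothetical policy list of executable / script-like extensions.
BLOCKED_EXT = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "iso", "lnk"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' based on content, not just the name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXT:
        return "block"
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office formats can embed VBA; hold them for review.
        return "quarantine"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "quarantine"  # claims to be a zip container but is not readable
        # A VBA project lives in vbaProject.bin whatever the file is called,
        # so a .docm renamed to .docx still carries it.
        if any(n.lower().endswith("vbaproject.bin") for n in names) or ext in MACRO_EXT:
            return "block"
    return "allow"

def scan_message(msg: EmailMessage) -> dict:
    """Map each attachment filename to its verdict."""
    return {p.get_filename() or "(unnamed)":
            classify_attachment(p.get_filename() or "", p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def _fake_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip, optionally carrying a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_sample_message() -> EmailMessage:
    """Constructed inbound message with three attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in [("invoice.docx", _fake_ooxml(False)),
                       ("invoice_macro.docx", _fake_ooxml(True)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 504)]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Run `scan_message(build_sample_message())` to see the three verdicts; the renamed macro document is blocked even though its extension is a plain `.docx`.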

And finally

Five life lessons from my grandmother


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Tobias Heine (via Pixabay)
