Expert(s):
Director feature_status*/ ?>
AT&T Cybersecurity

Comments Dotted : 6
January 13, 2021

Expert Insight On New Ransomware Blackmail Technique
C-level executives similar to the Business Email Compromise type of an attack.

Cybercriminals are more sophisticated than ever, and while the primary purpose of ransomware groups is to make money, there is always a high risk of collateral damage, since attacks stop systems from working. Ransomware groups design their cyberattacks to cause enough disruption and financial distress to not just disrupt file access, but also to reach critical business operations, where harm will be immediately and acutely felt, to justify their plea for quick and high payment. This new tactic

.....Read More

Cybercriminals are more sophisticated than ever, and while the primary purpose of ransomware groups is to make money, there is always a high risk of collateral damage, since attacks stop systems from working. Ransomware groups design their cyberattacks to cause enough disruption and financial distress to not just disrupt file access, but also to reach critical business operations, where harm will be immediately and acutely felt, to justify their plea for quick and high payment. This new tactic of going after the machines of top executives shows the evolution of how ransomware has moved from just volume-based targeting of individuals to enterprises, and now within the enterprise to model the targeting of C-level executives similar to the Business Email Compromise type of an attack. This tactic is preying on the fear of exposure but may not always result in getting paid.

  Read Less
October 29, 2020

Enel Group Hit Again By Ransomware And Netwalker Demands $14 Million
These attacks are essentially a combination of a ransomware attack and a data breach.
Ransomware attack patterns have evolved significantly. Traditionally, ransomware was deployed to encrypt the victim’s data and lock them out of their own files. Had the victim refused to pay the ransom, their files would be destroyed. Ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data but also keeps a copy of the data for.....Read More
Ransomware attack patterns have evolved significantly. Traditionally, ransomware was deployed to encrypt the victim’s data and lock them out of their own files. Had the victim refused to pay the ransom, their files would be destroyed. Ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker would often release small portions of the data online. If the negotiation turns out badly, the attacker would then either publish all of the exfiltrated data or sell them to third parties. These attacks are essentially a combination of a ransomware attack and a data breach. Organizations that are victims of this attack feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information that they would instead have destroyed then published or sold. So, it’s a double threat. It’s easy for the attacker to say they have it. Easy for them to imply they do by releasing a small sample and very difficult to prove forensically because most places don’t have that layer of visibility. This puts another pressure point, and it can be easily validated by the victim that indeed the hackers also downloaded the entire database if the organization has a DLP solution that has been implemented. Since the tactic is relatively new, there are any no real data points for either the attacker or the defender that says it increases the pay-out potential of the victim. More practical advice is to know your data. If you have been compromised assume the data has left your possession. Root cause analysis should be able to help determine if indeed it was done, but that is concluded after the incident is wrapped up and has no bearing on the decision to pay. This tactic is more effective on data that is meant to cause widespread as well as a quick impact. Controversial and sensitive data is usually the target for these types of ransomware attacks. A typical PII or credit card data is not going to be the motive and not going to have the same leverage.  Read Less
September 30, 2020

Insight into Universal Health Services cyberattack
These attacks are essentially a combination of a ransomware attack and a data breach.
If Universal Health Services has been targeted by Ryuk ransomware, it is worth noting how this ransomware has crippled both the public and private sectors. It is known for targeting enterprise organizations with the intention of demanding higher payments for the decryption key. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. A commodity malware, Hermes has been.....Read More
If Universal Health Services has been targeted by Ryuk ransomware, it is worth noting how this ransomware has crippled both the public and private sectors. It is known for targeting enterprise organizations with the intention of demanding higher payments for the decryption key. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. A commodity malware, Hermes has been observed for sale on forums and used by multiple threat actors. The ransomware will typically be dropped by an already compromised system that has been infected by Trickbot or Emotet through a phishing email. Once the Ryuk payload has been successfully dropped and executed, it will encrypt the system’s files and then demand a ransom fee in order to decrypt the victim’s data. Many ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker will often release small portions of the data online. If the negotiation turns out badly, the attacker then publishes all of the exfiltrated data or sells them to third parties. These attacks are essentially a combination of a ransomware attack and a data breach. Organizations that are victims of this attack feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information that they would instead have destroyed then published or sold. So, it's a double threat. By releasing a small sample, it is easy for an attacker to imply they have your data, though very difficult to prove forensically because most organizations don’t have that layer of visibility. This puts on another pressure point, and if the impacted organization has implemented a Data Loss Prevention (DLP) solution, it can be easily validated that hackers have also downloaded the entire database. With that said, since this tactic is relatively new, there are no real data points for either the attacker or the defender that says it increases the payout potential of the victim.  Read Less
March 27, 2020

AT&T Cybersecurity’s Bindu Sundaresan On The Emerging Threats Targeting Telemedicine And Healthcare
Cybersecurity threats to these organisations are real, especially in the wake of a global pandemic.
We think the Covid-19 dynamics are creating more opportunity for malicious actors to target telemedicine and healthcare organisations as a whole. Cybersecurity threats to these organisations are real, especially in the wake of a global pandemic. Healthcare organisations are scrambling to expand their remote system access and management while adequately protecting sensitive information from malicious actors. It is expected that we will see more highly publicised ransomware attacks on hospitals,.....Read More
We think the Covid-19 dynamics are creating more opportunity for malicious actors to target telemedicine and healthcare organisations as a whole. Cybersecurity threats to these organisations are real, especially in the wake of a global pandemic. Healthcare organisations are scrambling to expand their remote system access and management while adequately protecting sensitive information from malicious actors. It is expected that we will see more highly publicised ransomware attacks on hospitals, for example, with patients being diverted to other hospitals and an inability to access patient records to continue care delivery. From small, independent practitioners to large, university hospital environments, cyber-attacks on health care records, IT systems, and medical devices have previously infected many systems. Given this current threat landscape amidst COVID, as healthcare organisations and consumers lean on telemedicine, it’s important to educate people broadly about the risks that come with it. Patients need to understand that their data belongs to them and that no provider safeguards can replace their own responsibility to make smart decisions about how and where they use virtual health services. Communicating that principle is one responsibility of a provider organisation that offers virtual services. So is the parallel responsibility to make sure physicians who use the system approach it with the same understanding. Although telehealth is going to be a sought-after platform given the current situation, practitioners will have to take certain precautions to prevent cyber-attacks. To address this challenge, an organisation needs a robust authentication process before giving access to data externally and offer educational and training programs internally. Specific to telemedicine, we expect threat actors will focus on device security, patient and provider identification as well as access system-level security vulnerabilities.  Read Less
September 25, 2019

Dubai Company Loses $53,000 In Targeted Cyber Attack
Two-way verification helps companies to solve the problem of this type of financial fraud by implementing a company-wide policy.
We continue to see such attacks against businesses whereby emails are sent to trick recipients into sending money or other details. This is a prevalent form of Business Email Compromise and these threats are highly targeted and rely on social engineering rather than malware, meaning that such “Imposter Emails” often evade security solutions that look only for malicious content or behavior. Technology alone cannot offer effective protection. One of the key measures is raising security.....Read More
We continue to see such attacks against businesses whereby emails are sent to trick recipients into sending money or other details. This is a prevalent form of Business Email Compromise and these threats are highly targeted and rely on social engineering rather than malware, meaning that such “Imposter Emails” often evade security solutions that look only for malicious content or behavior. Technology alone cannot offer effective protection. One of the key measures is raising security awareness across the users on how to spot spoofed emails and phishing attempts should be part of EVERY company’s security program. In addition to investing in an advanced email filtering system, organizations should also bolster the process steps. Use Two-Step Verification: Two-way verification helps companies to solve the problem of this type of financial fraud by implementing a company-wide policy of approving transactions before the funds’ transfer. Also, companies should have a two-person check process in place so that one person can't make a new payment without a colleague verifying the authenticity of the payment.  Read Less
September 04, 2019

Fraudsters Exploit New Online Security Checks With Phishing Attacks
Over recent years, hackers have evolved phishing attacks to mimic original brands.
Over recent years, hackers have evolved phishing attacks to mimic original brands or reputable websites to evade detection and, unfortunately, they are proving successful. Ultimately, they are targeted at an individual user so appropriate training and awareness is vital to remind users to remain vigilant to unsolicited or unexpected emails which ask for credentials, payment, or any other action that seems out of the ordinary.