2019 Year-End Cyber Security Review; 2020 Prediction
With only a few days left until 2020 arrives, LifeLabs disclosed that it paid a ransom to cyber attackers to “retrieve” the personal information of its 15 million customers, affecting nearly half of the population of Canada.
This data breach, the largest to date in this country, gives a glimpse of what the cyber security situation looked like in 2019 and what lies ahead in 2020.
LifeLabs Data Breach
President and CEO of LifeLabs Charles Brown said in a statement that the personal information of approximately 15 million customers was illegally accessed on the company’s computer systems, with the vast majority of the affected customers from British Columbia and Ontario. Brown said that the stolen personal information includes names, addresses, email addresses, logins, passwords, dates of birth and health card information. He added that laboratory test results of 85,000 customers in Ontario from 2016 or earlier were also stolen by the cyber attackers.
“Retrieving the data by making a payment,” the President and CEO of LifeLabs said, was one of several measures undertaken by the company to protect customer information.
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia, in a joint statement, said that LifeLabs informed the two offices about the data breach last November 1st.
“LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom,” said the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia.
Ransom and Ransomware
While LifeLabs admitted to paying a ransom and that the attackers “penetrated the company’s systems, extracting data and demanding a ransom”, there was no mention that this cyber-attack was carried out via ransomware, a type of malicious software (malware) that encrypts data and demands a ransom from victims in exchange for the decryption key that unlocks the encrypted data.
In 2019, three types of ransom campaign were observed. The first type, shown in the LifeLabs data breach, involves data theft: data is extracted from the victim, and a ransom is then demanded in exchange for the extracted or stolen data.
The second type of ransom campaign uses malicious software, specifically ransomware. The third type uses a two-stage attack: the first stage deploys ransomware, and the second stage threatens the ransomware victims that sensitive data stolen before the ransomware attack will be publicly disclosed.
Maze ransomware is an example of ransomware used in a two-stage ransom campaign. When one of the Maze ransomware victims, Allied Universal, refused to pay 300 bitcoins, then valued at nearly $2.3 million USD, the group behind the ransomware published the data stolen from Allied Universal online.
The group behind Maze ransomware told BleepingComputer that before encrypting any data on the victims’ computers, they always extract data first so that it can be used later as leverage to make the victims pay the ransom. The group behind REvil ransomware, also known as Sodinokibi, recently announced in a hacking forum that they will also publish or sell the data stolen from ransomware victims who refuse to pay.
In its “2020 Threats Predictions Report”, McAfee Labs said that in 2019, ransomware groups used computers already infected by other malware campaigns, or used the Remote Desktop Protocol (RDP), as the initial infection point for their ransom campaigns, attacks made possible through partnerships among different groups of cyber attackers. McAfee Labs said that this collaboration among different groups of cyber attackers was reflected in the number of successful targeted attacks.
“For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks,” McAfee Labs said. “In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.”
In paying a ransom to get back the stolen data, however, there is no guarantee that the attackers will destroy every copy of the stolen data, or that the stolen data has not already been shared with or sold to other malicious actors.
Network Infrastructure Security
Network infrastructure security plays a big role in preventing extortion campaigns. REvil ransomware, for instance, breaks through the defenses of organizations’ networks by brute-forcing Remote Desktop Protocol (RDP) access and then uploading malicious software into the victims’ internal networks.
REvil ransomware is just one of many malicious programs offered as “Ransomware-as-a-Service (RaaS)”, allowing cyber attackers who are not tech-savvy to launch sophisticated attacks on a victim’s network by paying another group of cybercriminals for access to the malicious code or toolkit that infiltrates the victim’s network. As malicious actors have easy access to tools that effectively break the defenses of organizations’ networks, it is all the more important to harden your organization’s network infrastructure.
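The RDP brute-forcing described above leaves a distinctive trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detection script is an added example, not code from the original post or from GenX Solutions. It assumes the log has already been exported to a simplified one-line-per-event layout (timestamp, event ID, logon type, account, source IP) that is constructed for this example and is not a native Windows format; the sample records are likewise constructed.

```python
"""Flag RDP brute-force activity in exported Windows Security log records.

Added example (not part of the original post). The line layout below is an
assumed export format for this example:
    <ISO timestamp> <EventID> <LogonType> <Account> <SourceIP>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data). Logon type 10 is RemoteInteractive (RDP);
# 4625 is a failed logon, 4624 a successful one.
SAMPLE_LOG = """\
2019-12-20T02:00:01 4625 10 administrator 203.0.113.7
2019-12-20T02:00:03 4625 10 admin 203.0.113.7
2019-12-20T02:00:04 4625 10 backup 203.0.113.7
2019-12-20T02:00:06 4625 10 sysadmin 203.0.113.7
2019-12-20T02:00:08 4625 10 jsmith 203.0.113.7
2019-12-20T02:00:09 4625 10 jsmith 203.0.113.7
2019-12-20T02:00:15 4624 10 jsmith 203.0.113.7
2019-12-20T09:15:00 4625 10 mlee 198.51.100.22
2019-12-20T09:15:30 4624 10 mlee 198.51.100.22
2019-12-20T09:40:00 4625 3 svc_web 192.0.2.9
"""

FAIL_EVENT = "4625"
SUCCESS_EVENT = "4624"
RDP_LOGON_TYPE = "10"


def parse_records(text):
    """Parse the assumed export layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src_ip,
        })
    return records


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold RDP failures
    inside a sliding time window. An alert also records whether a successful
    RDP logon from the same source followed while failures were still in the
    window, which is the case a defender most wants to see first."""
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, account) failures
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are of interest here
        q = recent[rec["src"]]
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if rec["event"] == FAIL_EVENT:
            q.append((rec["ts"], rec["account"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(rec["src"], {
                    "failures": 0, "accounts": set(), "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(account for _, account in q)
        elif rec["event"] == SUCCESS_EVENT and rec["src"] in alerts and q:
            alerts[rec["src"]]["success_after"] = True
    # Return sorted account lists so the output is stable and easy to compare.
    return {ip: {**a, "accounts": sorted(a["accounts"])} for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_records(SAMPLE_LOG)).items():
        status = "SUCCESSFUL LOGON FOLLOWED" if alert["success_after"] else "no success seen"
        print(f"{ip}: {alert['failures']} RDP failures, accounts {alert['accounts']} ({status})")
```

On the constructed sample, only 203.0.113.7 is flagged: six failures across five account names in under ten seconds, followed by a successful logon, which is the pattern worth escalating. The single failure from 198.51.100.22 and the network (type 3) logon from 192.0.2.9 are ignored. In practice, the same logic applies to records pulled with Get-WinEvent or forwarded to a SIEM, and the cleanest mitigation remains the one the post points at: keep RDP off the public internet and behind a VPN.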
Among the services offered by GenX Solutions for hardening your organization’s network infrastructure defenses are the migration of company e-mail systems to cloud-based services, the setup of secure FTP (File Transfer Protocol) services and the installation of VPN (Virtual Private Network) services.
Call us today at (416) 920-3000 or email sales@genx.ca and protect your valuable information.