Cybersecurity Saturday

Ransomware remained on the front pages this week. Bleeping Computer’s This Week in Ransomware tells us that

It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.

This week’s biggest news was the FBI announcing that they were able to recover the majority of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but it is believed DarkSide stored it on a seized server.

We also learned that JBS paid $11 million to the REvil ransomware operation to retrieve a decryptor and prevent stolen files from being leaked.

In a bit of good news, the Avaddon ransomware operation shut down and released the decryption keys of close to 3,000 victims to BleepingComputer. Using these, cybersecurity firm Emsisoft was able to release a free decryptor.

Finally, news broke this week that memory maker ADATA and food services supplier Edward Don suffered ransomware attacks.

The Wall Street Journal reports in greater detail on the FBI’s recovery of a portion of the Colonial Pipeline Bitcoin ransom, and on a “ruthless” cybercrime gang known as Ryuk, which has targeted healthcare providers since banks tightened up their security.

Cyberscoop discusses the Senate confirmation hearings last week for President Biden’s two top level cybersecurity nominations, Jen Easterly to lead the Department of Homeland Security’s cybersecurity agency, and Chris Inglis to be the national cyber director.

The nominees labeled ransomware a “scourge” that threatens national security, vowed to work with critical infrastructure firms to improve their defenses, and wondered aloud if additional federal regulations were necessary to incentivize firms to reduce their vulnerabilities to hacking.

The U.S. government, Inglis said, must “seize back the initiative that has too long been ceded to criminals and rogue nations who determine the time and manner of their transgressions.” He called on the U.S. and its allies to “remove the sanctuary [to ransomware criminals] and bring to bear consequences on those who hold us at risk.”

Easterly spoke with similar urgency: “We’re now at a place where nation-states and non-nation-state actors are leveraging cyberspace largely with impunity to threaten our privacy, our security and our infrastructure.”

Govinfo Security informs us that

As the federal government hammers out national infrastructure legislation, implements President Biden’s recent cybersecurity executive order and adopts other related initiatives, more attention and funding needs to be allocated to strengthen the healthcare sector’s cybersecurity posture and resilience, some industry groups urge.

In a letter Wednesday addressed to Biden, but also copied and sent to Senate and House party leaders, the Healthcare and Public Health Sector Coordinating Council requested heightened collaboration between industry and government to provide a road map for driving improvements to the cybersecurity readiness of the healthcare sector.

HSCC, a private-sector critical infrastructure advisory council to the Department of Health and Human Services created by Presidential Policy Directive 21 in 2013 during the Obama administration, represents more than 300 healthcare sector organizations, including patient care delivery networks, health plans, laboratories and health IT vendors.

Ars Technica reports on the long tail of ransomware attacks.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The article directs concerned readers to the Have I Been Pwned website which aggregates breach information as a service to consumers.

In that regard, ISACA reminds us about the important role that data destruction policies play in maintaining cyber hygiene.