The US Department of Justice (DOJ) has announced that an FBI-led operation disrupted the Cyclops Blink botnet in March. The operation successfully removed the Cyclops Blink malware from internet-connected firewall devices. The botnet is believed to be operated by a group known as Sandworm (also known as Unit 74455), an alleged Russian cyber military unit. Many cyberattacks are associated with Sandworm, including attacks on Ukraine’s critical infrastructure and NotPetya ransomware. The unit is also believed to have interfered in the 2017 French presidential elections, as well as carried out the cyberattack on the 2018 Winter Olympics opening ceremony.
The Cyclops Blink botnet was first publicly revealed in February this year when the US and UK governments warned that WatchGuard firewall devices were being attacked. The Cyclops Blink malware specifically targeted WatchGuard and Asus network devices. While it was publicly revealed only in February, the botnet is believed to have begun operations as early as June 2019, likely as a successor to a similar botnet the DOJ took down four years ago.
Both WatchGuard and Asus released guidance and remediation tools for owners of affected devices immediately after the revelation by the US and UK governments. Nonetheless, the majority of compromised devices remained infected, prompting the DOJ to act.
“The same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard’s guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware. Later, ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware. The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected,” the DOJ has said.
Following court authorization, the department carried out an operation that removed the malware from all remaining identified command and control (C2) devices that Sandworm used to control the botnet. Furthermore, it also closed the external management ports that Sandworm was using to access those C2 devices.
“These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices,” the DOJ said.
However, the DOJ also warned that WatchGuard and Asus devices that acted as bots might remain vulnerable to Sandworm if no action is taken by the device owners.
No information/data was accessed by the FBI
The DOJ stressed that issuing the commands did not permit the FBI to search, view, or retrieve content/data on a victim’s device.
“The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices.”
Ransomware attacks are becoming increasingly common. It’s no longer a question of if but rather when a business or organization will suffer a ransomware attack. For businesses and organizations, correctly responding to a ransomware attack can mean the difference between a quick recovery and permanent closure. It’s essential that all businesses have detailed cyberattack response plans in addition to investing major resources into preventing an attack in the first place.
Below are just general guidelines and certainly not a complete guide on how to deal with a ransomware attack. The entire process is highly complicated and it’s best to contact professionals to minimize damage.
What to do if you are hit with a ransomware attack
1. Do not panic and isolate affected systems
When prevention methods fail and ransomware is able to get in, it’s essential to not panic and take the correct steps to minimize damage. Isolating affected systems immediately after a ransomware attack is critical. In order to contain the infection and prevent it from spreading, you must remove the affected system from the network immediately. If you fail to do that, the ransomware may spread to other systems, doing even more damage.
Throughout the whole ransomware attack and recovery process, it’s essential that you keep a clear head. You should also not rush to make decisions but rather focus on minimizing damage.
2. Disconnect backup
Once you have isolated the affected systems, you need to focus on securing your backups. Whatever strain of ransomware it is that you are dealing with, it will most certainly target your backup in order to encrypt or delete files. To prevent this from happening, immediately disconnect your backup from the network and do not reconnect until the infection has been dealt with.
3. Disable maintenance tasks
When you have confirmed a ransomware attack, it’s essential to disable any automated maintenance tasks (e.g. temporary file removal, log rotation, etc.). This is mostly done to prevent any contaminations that could hinder an investigation.
4. Back up infected systems
It’s recommended to make backups of infected systems once they’re isolated. This could prevent the loss of data during the decryption process. If, for example, you make the decision to pay the ransom and receive a decryptor, the decryptor may not work as intended and could damage files during decryption. To avoid corrupting or damaging your only copies, it’s a good idea to back up encrypted systems just in case something goes wrong.
Backing up infected systems is also a good idea for those who do not intend to pay the ransom. If the files are not critical and do not need to be recovered immediately, you can back them up in case a free decryptor becomes available sometime in the future. Law enforcement agencies are actively pursuing cybercrime gangs and are sometimes successful in apprehending them. If this were to happen with the cybercrime gang responsible for the ransomware that’s affecting you, a decryptor may be provided for you.
5. Quarantine the ransomware
Rather than outright removing ransomware, victims should quarantine it until an investigator has given the okay. When victims completely purge an infection from their systems before investigators can analyze it, it makes it that much more difficult for specialists to perform an investigation. During an investigation, specialists need to carefully analyze samples and other data in order to identify which ransomware is responsible, what specifically was affected during the attack, and whether it’s possible to somehow recover encrypted files. And removing the ransomware infection hinders these investigations.
6. Investigate how the ransomware got in
Determining how a ransomware infection got in is an essential step. Not only would it help prevent future infections, but it also provides crucial information about what other systems may have been affected and exactly what was done. If the ransomware got in due to a vulnerability, identifying the source of the infection would certainly help prevent future incidents. If the infection is the result of an employee error, an investigation would help identify which areas specifically employees need training in.
For businesses and organizations, it’s recommended to contact professionals that specialize in such attacks. It’s often difficult to find the origin of the attack. By the time a ransomware attack is launched and is noticed, cybercriminals will have been in the systems for a while, so it’s recommended to have professionals identify the origin of the attack.
7. Identify the ransomware
In order to figure out the next course of action, it’s essential to correctly identify the ransomware strain. It can be done by using free services like Emsisoft’s ransomware identification tool or ID Ransomware. You would need to upload the ransom note, an encrypted file as a sample, and some information. If the ransomware is known, these services would identify it. Identifying the ransomware strain would also help determine whether there is a free decryptor available. There are various resources for victims of ransomware (e.g. NoMoreRansom) that can help find a free decryptor if one is available.
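Steps 5 through 7 above all depend on the same thing: the artifacts (ransom notes, a sample encrypted file, the appended extension) must be preserved and collected without altering anything. The script below is an added example, not part of the original article and not affiliated with Emsisoft, ID Ransomware or NoMoreRansom. It walks a directory tree read-only, picks out candidate ransom notes by filename, finds the most common unfamiliar file extension, and selects one high-entropy sample file with its SHA-256 hash, which is exactly the set of items the identification services ask for. The ransom-note name patterns and the list of "known" extensions are assumptions for the example, and the sample directory it builds is constructed test data.

```python
"""
Ransomware triage collector (added example; not code from the original article).

Gathers, read-only, the artifacts that identification services ask for:
candidate ransom notes, the extension the ransomware appended, and one
sample encrypted file with its SHA-256. Nothing is moved, deleted or cleaned,
in keeping with the advice to quarantine rather than remove the infection.
"""
import hashlib
import math
import os
import random
import re
import tempfile
from collections import Counter

# Name fragments that often appear in ransom notes. Assumed for the example,
# not an authoritative list.
NOTE_PATTERN = re.compile(r"(readme|decrypt|recover|restore|how[_ -]?to|ransom)", re.I)

# Extensions we expect in an ordinary user directory (assumed set). Any other
# extension that shows up on many files is a candidate ransomware suffix.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp4", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext is close to 8.0, plain documents far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: str) -> dict:
    """Collect identification artifacts from `root` without modifying anything."""
    notes = []
    ext_counter = Counter()
    candidates = []  # (path, entropy of first 4 KiB) for files with unfamiliar extensions
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            # A small file with a telling name, repeated across folders, is a likely ransom note.
            if NOTE_PATTERN.search(name) and os.path.getsize(path) < 64 * 1024:
                notes.append(path)
                continue
            if ext and ext not in KNOWN_EXTENSIONS:
                ext_counter[ext] += 1
                with open(path, "rb") as f:
                    candidates.append((path, shannon_entropy(f.read(4096))))
    # The most frequent unfamiliar extension is the best guess for the appended suffix.
    suffix, count = ext_counter.most_common(1)[0] if ext_counter else (None, 0)
    sample = None
    if suffix:
        # Submit the highest-entropy file carrying that suffix as the encrypted sample.
        sample = max((c for c in candidates if c[0].lower().endswith(suffix)), key=lambda c: c[1])
    return {
        "notes": sorted(notes),
        "suffix": suffix,
        "suffix_count": count,
        "sample_path": sample[0] if sample else None,
        "sample_entropy": round(sample[1], 2) if sample else None,
        "sample_sha256": sha256_file(sample[0]) if sample else None,
    }


def build_sample_tree() -> str:
    """Constructed sample data: pseudo-random bytes stand in for encrypted files."""
    root = tempfile.mkdtemp(prefix="triage_")
    rnd = random.Random(1)  # deterministic so the example is reproducible
    for folder in ("Documents", "Pictures"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        for base in ("report.docx", "budget.xlsx", "holiday.jpg"):
            with open(os.path.join(d, base + ".locked"), "wb") as f:
                f.write(bytes(rnd.getrandbits(8) for _ in range(4096)))
        with open(os.path.join(d, "HOW_TO_DECRYPT.txt"), "w") as f:
            f.write("Your files are encrypted. Contact us to buy the decryptor.\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("an untouched plain text file\n")  # should be ignored by triage
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against the root of an isolated (offline) copy of the affected volume rather than the live system, and hand the resulting note paths, suffix and sample hash to the investigator or identification service. The entropy check matters because a genuinely encrypted file reads as near-random; a "locked" file with low entropy suggests the ransomware only renamed it, which changes what recovery is possible.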
8. Make the decision on whether to pay the ransom
One decision that comes with a ransomware attack is whether to pay the ransom. For victims who have no backups, or whose backups are damaged, paying the ransom may seem like a good option. Oftentimes, paying the ransom may be a cheaper option than facing downtime until systems are restored. But the decision to give in should not be taken lightly as it comes with consequences. For one, it should be emphasized that paying the ransom does not automatically mean a decryptor will be provided. In most cases it will be, but there is always the chance that the cybercriminals will just take the money. This is more likely to happen if you’re dealing with a relatively unknown ransomware strain. There’s also a chance that even if the decryptor is sent, it may not work as it’s supposed to. Victims should never rush the decision of whether to pay the ransom and should consider all outcomes.
Prevent future ransomware attacks
If you have already dealt with ransomware, you will now realize that such an attack will have lasting consequences. And if you don’t want to go through the whole file recovery and ransomware removal process again, you need to ensure that ransomware will not be able to infiltrate your systems in the future. And the most efficient way to do that is to use security software that’s designed to prevent and deal with such attacks.
Anti-malware program SpyWarrior uses artificial intelligence technology to effectively deal with ransomware attacks. Known ransomware strains will be immediately detected and blocked before they can do any damage or encrypt files. And if the ransomware strain is new, its suspicious behavior would still be detected, and the attack would be stopped in time.
Every year, thousands of businesses, organizations, government entities, institutions, etc., become victims of cyberattacks. And every year, there are at least a few attacks that top the ones from previous years. According to a study by the IDC, 37% of global organizations were victims of cyberattacks involving ransomware in 2021. This year, the attacks on Colonial Pipeline and Kaseya were two of the most serious ones. But there were thousands of businesses and organizations that fell victim to ransomware in 2021.
In recent years, cryptocurrency popularity has skyrocketed, with anyone and everyone now investing in various cryptocurrencies. This has attracted a lot of novice investors who know very little about cybersecurity, as well as cybercriminals who try to take full advantage of that. Less tech-savvy investors are often more susceptible to both investment scams and crypto wallet hacks because they are unaware of how these types of scams work, nor do they properly secure their crypto accounts.
For those fortunate enough to not have heard of ransomware, it’s a type of malware that encrypts files, making them essentially useless. To put it simply, ransomware holds files hostage until a ransom is paid. To decrypt the encrypted files, it’s necessary to pay money, aka a ransom. It’s a highly complicated malware infection that can do and has done significant damage. It is estimated that ransomware will cost around $6 trillion in damages in 2021.
How does ransomware work
The first step in any ransomware attack is getting access to the system. It can happen in a variety of different ways and often depends on who the target is. Malspam and phishing emails are common means of infection. For malware to initiate, all that is necessary to do is for users to open attached malicious files. The emails are often made to look like they come from trusted sources to encourage users to open the files without much thought. Some malspam attempts are more sophisticated than others, with generic ones being quite obvious.
The whole process is quite complex, but the gist of it is that once ransomware is inside a computer, it usually starts encrypting files as soon as possible. During an attack on individual users, personal files (photos, images, videos, documents, etc.) are encrypted. When targeting a business or organization, the files essential for the business to operate are usually targeted. More recently, certain ransomware strains have started stealing sensitive information in addition to encrypting files. The cybercriminals operating the ransomware then essentially blackmail the victims by threatening to release the information online if the ransom is not paid.
After ransomware successfully encrypts files, a ransom note is dropped. Generally, the note contains instructions on how to purchase the decryptor and/or contact the cybercriminals operating the malware. Getting the decryptor always involves paying the ransom, though the sum differs from ransomware to ransomware.
Common ransomware targets
Depending on the ransomware and the gang that operates it, victim types are different. While one ransomware may focus on individual users, another may only attack large organizations.
While the big money is in attacks on big organizations, there are many ransomware strains that only target individual users. These infections usually spread via emails or torrents. Ransomware strains targeting random individual users usually demand up to $1000 in ransom.
In recent years, small businesses have become a common target for ransomware attacks. The logic for that is that they tend to have lax security, either because of insufficient funds or the belief that they will never be targeted. Ransom demands are usually set at amounts small businesses would be able to pay.
Large organizations and businesses, as well as government organizations, are often a tempting target for ransomware operators as that is where the biggest money is. Some organizations are also more likely to pay the ransom to restore operations quickly. For example, organizations in the healthcare sector cannot afford any downtime, thus are a common target.
How to prevent a ransomware attack
There are a couple of essential steps when it comes to preventing a ransomware infection, or at least lessening the damage an attack could cause.
The most important thing to do is regularly make backups. Ransomware aside, backing up all important files is critical for anyone who does not wish to lose them. There are multiple ways to back them up, including cloud services and external hard drives. It’s best to set up automatic backups, but in the worst-case scenario, manually backing up is also an option.
Anti-virus software is the one thing that often stands between malware and a computer. It’s important to choose a reliable anti-virus program that has protection against ransomware. Anti-virus software is essential to less tech-savvy users in particular, as they are less likely to recognize potential malware attacks.
The WannaCry ransomware attack proved the importance of installing updates. System and software vulnerabilities are often used by malware to infect computers and known vulnerabilities are patched by updates. Thus, installing an update could prevent a serious malware attack. If possible, it’s recommended to set up automatic updates.
Becoming familiar with the common ransomware distribution methods
In many cases, it’s not difficult to recognize a potential malware attack, users just need to know what to look for. Regular ransomware attacks are often initiated by users opening malicious email attachments or torrent files, so if users learn what that looks like, they should be able to avoid it.
The best course of action when dealing with ransomware infections is to use anti-malware software. Ransomware is a highly complicated infection and trying to manually remove it could result in more damage. It’s also much easier to use anti-malware software.
Unfortunately, removing the ransomware does not decrypt files. The files have been encrypted and it’s not possible to open them unless they are first run through a decryptor. However, while removing the ransomware will not decrypt files, it’s an essential step if files are to be recovered from a backup. If the ransomware is still present when the backup is accessed, those files would become encrypted as well.
Why paying the ransom is not recommended
Many victims face the dilemma of whether they should pay the ransom or not when dealing with the aftermath of a ransomware attack. For users who have backed up their files, there is no reason to pay the ransom because they can easily recover files after removing the ransomware. However, for businesses and organizations, using a backup is not always the quickest or the cheapest option. This is the reason why some victims choose to pay the ransom despite having a backup.
In most cases, both malware specialists and law enforcement recommend against paying the ransom. Generally, there are a couple of reasons for this. One of the biggest reasons, though more applicable to regular users rather than bigger targets, is that cybercriminals do not always provide the decryptors. In other cases, the decryptor may not work as it is supposed to, though that is often fixable, and victims can turn to specialists to fix the decryptor so it actually decrypts files. It is important for users to remember that ransomware is operated by cybercriminals and there is little to obligate them to help victims. Numerous users in the past paid the ransom only to receive nothing in return. As already mentioned, not receiving a decryptor is more common for individual users rather than bigger targets, because if a large target did not receive a decryptor, it would discourage other bigger victims from paying the ransom.
Another significant reason why it isn’t a good idea to pay the ransom is that it encourages cybercriminals to continue their malicious activities. This is the main reason law enforcement does not encourage paying. Ransomware operators make a lot of money from ransomware. Some of the biggest ransomware payouts include travel company CWT paying $4.5 million in ransom, and Colonial Pipeline agreeing to pay $4.4 million. The latter was one of the most serious ransomware attacks in history with consequences felt by millions of people in the US. With payouts like this, even if they’re not particularly common, it’s no surprise that cybercriminals choose to perform ransomware attacks.
Interestingly enough, some ransomware operators adjust their ransom demands depending on who they target. It’s not uncommon for targets located in poorer countries to get smaller ransom demands than victims in economically more wealthy countries. Ransomware operators also modify ransom demands to make it worth it for businesses to pay. When it comes to a ransomware attack, it’s important to consider not only the recovery time but also how downtime will impact the business. If recovery from backup takes a while, downtime for a business can have significant financial consequences. Paying the ransom may be cheaper than actually recovering data from a backup. Thus, it’s important for businesses to not only have a backup but also a fast recovery plan so that when an attack happens, they can avoid significant downtime and return to normal operations as fast as possible.
Most famous ransomware attacks
Colonial Pipeline ransomware attack
On May 7, 2021, the American oil pipeline Colonial Pipeline became the victim of a ransomware attack that crippled all of the pipeline’s operations for a number of days. The ransomware, now known as DarkSide ransomware, targeted the computerized equipment that was used to manage the pipeline. In order to contain the attack, the pipeline halted all of the pipeline’s operations. DarkSide also reportedly stole 100 GB of data, which they threatened to release publicly if the pipeline did not agree to pay the ransom.
Mere hours after the attack, Colonial Pipeline paid the 75 Bitcoin ($4.4 million at the time) ransom. However, the decryptor Colonial Pipeline received was so slow that it was quicker for the pipeline to use its own backups. Fortunately, it appears that the Department of Justice was able to successfully recover 63.7 Bitcoins ($2.3 million at the time).
The attack, or rather the impact, attracted a significant amount of attention from the media and law enforcement. The attention the group behind the attack got was perhaps much bigger than the cybercriminals anticipated, as the group shut down all operations and went dark for a period of time.
Kaseya ransomware attack
On July 2, 2021, Kaseya, an IT management software company, was the target of a cyberattack that resulted in a number of managed service providers (MSPs) becoming the victims of ransomware attacks, which in turn also affected over 1,000 MSP customers. Soon after reports started coming in that hundreds of companies were dealing with ransomware, Kaseya’s remote monitoring and management software package VSA (Virtual System Administrator) was identified as the source of the outbreak. It soon became clear that a vulnerability allowed cybercriminals, now identified as the REvil gang, to distribute a malicious payload through the compromised VSA software. Kaseya infected their managed service provider customers, who then infected their own customers, resulting in over a thousand affected companies that had to deal with ransomware.
The cyber gang demanded a $70 million ransom payment in return for a universal decryptor. It is not exactly known whether Kaseya paid the ransom but the software provider did obtain a working decryptor from an unnamed “trusted third party”.
Similarly to the Colonial Pipeline ransomware attack, this too attracted a lot of attention. Because REvil is suspected to be operating from Russia, US President Biden discussed the incident during a phone call with Russia’s President Putin, threatening to take down the gang’s servers if Russia did not agree to do it itself. Almost two weeks after the attack on Kaseya, REvil’s entire infrastructure disappeared.
WannaCry ransomware attack
Perhaps one of the most well-known ransomware attacks was WannaCry. In May 2017, WannaCry ransomware managed to spread worldwide, infecting over 300,000 computers. The ransomware used EternalBlue, an exploit developed by the US National Security Agency (NSA), to spread to older, unpatched Windows computers, resulting in over 200,000 victims. The exploit used in this attack was stolen from the NSA the year prior to the attack by a group known as the Shadow Brokers. Microsoft was aware of the exploit and released an update that patched it two months prior to the attack. However, many users, particularly businesses and organizations, that fell victim either did not install the update or were using old Windows OSs that were no longer supported and thus did not receive updates.
The spread of the ransomware was halted within a couple of hours when a security researcher discovered the kill switch. Nonetheless, the damage was already done. The damage was estimated to range from hundreds of millions to billions of dollars. North Korea was officially named as being behind the attack.
Business email compromise (BEC), alternatively known as email account compromise (EAC), is a type of cybercrime that uses email fraud to target companies, businesses, and corporations. Business email compromise scams involve scammers sending emails to company employees with certain requests, such as making a money transfer. Because they are able to successfully pretend to be authentic senders, cybercriminals are able to scam businesses out of thousands if not millions of dollars every year.
Identity theft is a serious crime that happens when someone essentially steals another person’s identity and poses as them. Criminals steal a victim’s personal data, including the Social Security number or the equivalent for those not in the US, and use the information to impersonate them. This can be done for a variety of reasons, though it’s usually because of money.
The term health care fraud refers to any kind of fraud that is related to health care and is carried out by medical professionals, patients, or anyone who aims to intentionally deceive the health care system. According to the FBI, health care fraud can cost American taxpayers an estimated amount of $80 billion every year. Health care fraud has serious consequences for anyone, as it can raise health insurance premiums, subject patients to unnecessary medical procedures and medication, as well as increase taxes.
What is Market Manipulation (“Pump and Dump”) Fraud?
Market manipulation fraud, also known as pump and dump, refers to a type of fraud that involves investors misleadingly promoting stocks and then selling once the price has risen. Scammers use various tactics to mislead investors into buying certain stocks, thus raising their price. Once enough people have purchased the stocks and their value has risen, the fraudulent investors then sell their shares, which causes the price to drop significantly. The scammers earn huge sums of money, while new investors lose their money.
Funeral and cemetery fraud is one of the most common scams perpetrated on the elderly. Dishonest funeral homes and cemeteries take advantage of those most vulnerable and play with their emotions to make more profit.