Healthcare Cybersecurity

Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors

Healthcare and financial services were the two most attacked industries, according to Blackberry’s latest Global Threat Intelligence Report. The data for the report was collected from March to May 2023 from its cybersecurity solutions, which blocked more than 1.5 million attacks, a rate of around 11.5 attacks per minute, with 1.7 novel malware samples detected per minute, a 13% increase from the previous reporting period.

During the reporting period, Blackberry detected 13,433 unique malware binaries and prevented over 109,922 disparate attacks across the wider healthcare sector. Ransomware and information stealing malware were highly prevalent. The RedLine information stealer and the Amadey bot were regularly blocked threats. Amadey has information stealing capabilities and is often used to perform reconnaissance before downloading additional malicious payloads. The Emotet, IcedID, and SmokeLoader malware families were also extensively used in attacks on the sector, all of which have information stealing capabilities and can download additional malware payloads.

The healthcare industry continues to be an attractive target for cyber threat actors, especially financially motivated groups, because of the volume of sensitive data stored by healthcare organizations, the ease of monetizing that data, and the sector’s reliance on access to data and computer systems for providing critical services.

It is not only financially motivated cybercriminal groups that are attacking the healthcare industry. State-sponsored threat actors are breaching healthcare defenses and stealing confidential medical data, and cyber threat groups have targeted the sector in retaliation for the U.S. providing support for Ukraine. The RomCom group, for example, targeted U.S. medical groups providing humanitarian aid to Ukrainian refugees.

Two advanced persistent threat (APT) groups were highly active during the reporting period: APT28 (aka Sofacy/Fancy Bear) and Lazarus Group (aka Labyrinth Chollima, Hidden Cobra, Guardians of Peace, Zinc, and Nickel Academy). APT28 is a highly skilled cyber espionage group thought to operate on behalf of the Russian government and Lazarus Group is thought to be a North Korean state-sponsored threat actor.

Attacks on government and public sector services were up 40% on the previous reporting period, with 55,000 attacks on public sector organizations blocked during the 90-day reporting period. Ransomware groups such as LockBit, Royal, BlackCat/ALPHV, and Clop were highly active, accounting for a large percentage of the attacks on city, state, and government systems and public sector organizations. These attacks included the LockBit ransomware attack on the City of Oakland, CA, BlackByte’s Royal ransomware attacks on the cities of Dallas, TX, and Augusta, GA, and the Clop group’s mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution.

Some of the most common tools used by threat actors include AdFind for stealing information from Active Directory (AD), Mimikatz for credential theft, Cobalt Strike as an attack framework, and Extreme RAT for remote access, malware delivery, and espionage. The most common malware families detected and blocked across all industry sectors were droppers/downloaders such as Emotet, PrivateLoader, and SmokeLoader; information stealers such as RedLine, Raccoon Stealer, Vidar, and IcedID; and remote access Trojans such as Agent Tesla. Blackberry’s telemetry shows a 13% increase in unique malware samples, indicating threat actors are diversifying their tooling when compiling their malware. While the malware used is similar, the compilation process produces different hashes for similar samples in order to evade the simple hash feeds and filters used by more traditional security operations centers.

Blackberry predicts the number of attacks on the healthcare industry will continue to increase and recommends prioritizing detection of the most frequently used tactics in the attacks – discovery and defense evasion. Learning about the tactics, techniques, and procedures used by threat groups can help network defenders significantly reduce the impact of attacks, and will aid their threat hunting, incident response, and recovery efforts.

The post Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors appeared first on HIPAA Journal.

Cybersecurity Agencies Share 2022’s Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their Five Eyes intelligence partners have issued a joint security advisory detailing the most commonly exploited vulnerabilities in 2022. Cyber threat actors target Internet-facing systems that contain unpatched vulnerabilities to gain initial access to organizations’ internal networks, allowing them to steal sensitive data and conduct other post-exploitation activities. The advisory lists the top 12 Common Vulnerabilities and Exposures (CVEs) that were exploited by malicious actors in 2022, along with a further 30 CVEs that were also extensively exploited by threat actors. This year, the vulnerability list includes the associated Common Weakness Enumerations (CWEs), which show the root cause that allowed each vulnerability to be exploited.

While sophisticated threat groups actively seek out zero-day vulnerabilities or develop exploits for recently disclosed CVEs, in 2022 malicious actors exploited older vulnerabilities much more frequently than recently disclosed flaws. Many of the vulnerabilities in the list had Proof-of-Concept (PoC) exploits in the public domain, which allowed exploitation of the flaws by a much broader range of threat actors. Top of the list is a five-year-old vulnerability in Fortinet’s SSL VPNs (FortiOS/FortiProxy), CVE-2018-13379, which was also one of the most frequently exploited vulnerabilities in 2020 and 2021. Despite the vulnerability being the 15th most commonly exploited vulnerability in 2021 and a patch being available since May 2019, many organizations failed to patch and remained vulnerable to attack. The vulnerability has been exploited by Advanced Persistent Threat (APT) actors and cybercriminal groups such as ransomware gangs.

It was a similar story with a group of Microsoft Exchange Server vulnerabilities dubbed ProxyShell (CVE-2021-34473, CVE-2021-31207 & CVE-2021-34523), which allow security features to be bypassed, escalation of privileges, and remote code execution. The vulnerabilities were identified and patched the previous year, yet despite extensive media coverage and security warnings, many organizations still had not applied the patches. An authentication bypass flaw in Zoho ManageEngine that allowed remote code execution and a code execution flaw in Atlassian’s Confluence Server and Data Center had also been disclosed and patched the previous year.

Threat actors develop exploits for known vulnerabilities and can typically exploit them successfully for a couple of years in low-cost, high-impact attacks due to the failure of many organizations to patch promptly or implement recommended mitigations. The cybersecurity agencies urge all organizations to use the list as a guide to help them prioritize patching. The failure to apply patches promptly, especially known exploited vulnerabilities, makes it easier for attackers to gain access to organizations’ networks.

In addition to implementing a centralized patch management system, patching promptly, and conducting regular vulnerability scans, the cybersecurity agencies encourage vendors, designers, developers, and end-user organizations to take other steps to reduce the risk of compromise by malicious cyber actors, such as implementing secure-by-design principles, prioritizing secure-by-default configurations, and ensuring disclosed CVEs include the correct CWE stating the root cause of the vulnerability.

Most Commonly Exploited CVEs in 2022

CVE | Vendor | Product | Vulnerability | CWE
CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE | CWE-918: Server-Side Request Forgery
CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287: Improper Authentication
CVE-2021-40539 | Zoho | ADSelfService Plus | RCE / Authentication Bypass | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary Code Execution | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)
CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption; CWE-502: Deserialization of Untrusted Data
CVE-2022-22954 | VMware | Workspace ONE | RCE | CWE-94: Improper Control of Generation of Code (Code Injection)
CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management | CWE-269: Improper Privilege Management
CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306: Missing Authentication for Critical Function
CVE-2022-30190 | Microsoft | Multiple Products | RCE | None listed
CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)


Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability

Ivanti has disclosed another maximum-severity vulnerability in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35082, has a maximum CVSS v3.1 severity score of 10, and affects MobileIron Core 11.2 and older versions. The vulnerability is described as a remote unauthenticated API access issue that can be exploited remotely by unauthorized users to access restricted resources without authentication, potentially allowing the theft of users’ personally identifiable information and limited changes to be made to the server. Ivanti said it does not believe the flaw has been exploited in the wild.

Since MobileIron 11.2 reached end-of-support on March 15, 2022, a patch will not be released to fix the flaw. The only way of remediating the vulnerability is to upgrade to the latest version of Ivanti EPMM. Ivanti confirmed that the latest vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM.

The vulnerability was identified by Stephen Fewer, a Rapid7 security researcher, and is linked to the recently disclosed maximum-severity zero-day vulnerability – CVE-2023-35078 – that was exploited in an attack on the Norwegian government and other entities. The CVE-2023-35078 vulnerability is an authentication bypass issue that can be chained with another vulnerability, CVE-2023-35081, to gain administrative privileges on compromised systems. Ivanti released a patch for CVE-2023-35078 on July 23, 2023, and a patch for CVE-2023-35081 was released on July 28, 2023.

On August 1, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that advanced persistent threat actors have been chaining the CVE-2023-35078 and CVE-2023-35081 vulnerabilities to gain privileged access to EPMM systems and have been deploying web shells on compromised systems. The flaws have been exploited from at least April 2023 through to July 2023 in a cyber espionage campaign that saw the networks of several Norwegian government entities compromised. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) expressed concern that the vulnerabilities could be exploited in widespread attacks on government and private sector networks. Indicators of compromise (IOCs) and the threat actor’s tactics, techniques, and procedures (TTPs) have been shared by CISA, and users of vulnerable EPMM versions have been advised to update to the latest version as soon as possible.

Biden Administration Announces National Cyber Workforce and Education Strategy

The Biden Administration has unveiled its National Cyber Workforce and Education Strategy (NCWES) which seeks to address the current cyber workforce shortages and prepare the country for a cyber future. The NCWES was developed by the Office of the National Cyber Director in collaboration with 34 agencies, departments, and EOP components and lays out a comprehensive approach for addressing immediate and long-term cyber workforce needs while ensuring all Americans have the cybersecurity skills they need to participate in the digital ecosystem. The aim of the strategy is to empower all Americans looking to participate in the digital ecosystem, including communities that are currently underrepresented in the cyber workforce, and to promote and develop pathways for well-paying and fulfilling cyber careers. Under the strategy, the Biden Administration and its partners will leverage adaptable ecosystems to effect change at scale, enable the lifelong development of cyber skills, and grow and enhance the cyber workforce through diversity and inclusion.

“The plan is the product of over a year of work, including a National Cyber Workforce and Education Summit at the White House in July 2022,” said Camille Stewart Gloster, deputy national cyber director of technology. “The strategy is truly reflective of that collective effort and is the first step to securing and unleashing the next generation of American innovation.”

At present, there are an estimated 400,000 unfilled cybersecurity jobs in the United States and the lack of cyber skills is affecting the ability of the government and the private sector to build defenses resilient to increasingly numerous and sophisticated cyberattacks. No one actor is able to achieve the necessary changes at scale so all stakeholders – educators, industry, government, and more – must execute on all of the objectives detailed in the NCWES for it to be a success.

The NCWES is based on four pillars:

  1. To equip all Americans with foundational cyber skills to enable everyone to attain the full benefits of our interconnected society.
  2. To transform cyber education to address immediate cyber workforce needs and prepare to meet the future needs of a dynamic, technological environment.
  3. To expand and enhance the National Cyber Workforce by adopting a skills-based approach to recruitment and development and by improving access to cyber jobs for all Americans, including underserved and underrepresented groups.
  4. To strengthen the Federal Cyber Workforce by communicating the benefits of careers in public service to job seekers and current employees, improving career pathways, and lowering the barriers to hiring and onboarding.

The strategy calls for a shift in responsibility for defending cyberspace from individuals and small businesses to the most capable actors, and that requires cybersecurity to be built into education and workforce development programs relevant to sustaining the digital environment. It is also necessary to have incentives across both the public and private sectors that favor long-term investment in security.

While there is an immediate need for highly skilled individuals, it is necessary to build from the ground up. All Americans should have foundational skills that allow them to efficiently and confidently use computers and the Internet to ensure that they are qualified to pursue well-paid, fulfilling cyber jobs. Currently, one-third of U.S. workers lack digital skills, yet 92% of jobs across all industries require digital skills. Demand is currently outstripping supply and the skills shortage must be addressed to ensure U.S. economic competitiveness in the global economy.

The strategy sets out an approach for enabling the lifelong development of cyber skills, starting with foundational cyber skills such as digital literacy, computational literacy, and digital resilience, to ensure that all Americans have the skills to work efficiently, effectively, safely, and securely. To address the cyber workforce shortfall, it is necessary to draw on the full diversity of the American talent pool, and that requires improvements in diversity, equity, inclusion, and accessibility in cybersecurity. One of the easiest ways to achieve rapid gains is to attract people of all ages into cybersecurity, especially people from underrepresented communities such as women, veterans, military spouses, people of color, first-generation professionals, individuals with disabilities, LGBTQI+ individuals, Tribal nations, and members of rural communities. Many cyber jobs do not require a four-year degree; instead, there are alternative pathways that allow individuals to obtain the digital skills they need to join the cyber workforce.

Many stakeholders, including educators, industry, and government, have demonstrated their commitment to the strategy. For example, the National Science Foundation (NSF) has committed to investing more than $24 million in CyberCorps Scholarships for Service (SFS) awards over the next four years to support the development of a robust and resilient cybersecurity workforce. The National Security Agency (NSA) National Center of Academic Excellence in Cybersecurity will release four grants to support a pilot initiative to develop four new Cyber Clinics at colleges and universities in Nevada, Minnesota, Louisiana, and Virginia. The Office of the National Cyber Director (ONCD) has committed to greater diversity among its internship applicants to increase recruitment and outreach to underrepresented communities, and the National Institute of Standards and Technology (NIST) will award up to $3,600,000 for Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects.


CISA Releases Guidance on Preventing Web Application Access Control Abuse

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have issued a joint cybersecurity advisory warning about insecure direct object reference (IDOR) vulnerabilities in web applications and web application programming interfaces (APIs).

Threat actors actively seek IDOR vulnerabilities as they are common and can be abused at scale using automation tools to gain access to the sensitive information of millions of consumers. IDOR vulnerabilities are access control vulnerabilities that can be exploited by issuing requests to a website or web API specifying the user identifier of other, valid users. These attacks are usually made possible due to insufficient authentication and authorization checks.

For example, an application or API may require an identifier such as an ID number, name, or key to directly access an object such as a database record; however, an attacker may also be able to supply a valid ID number, name, or key. Possessing an identifier is therefore not enough: in addition to the identifier, an application or API should also check the authentication and authorization of the user submitting the request.

There are different types of IDOR vulnerabilities. Horizontal IDOR vulnerabilities allow a user to access data that they should not be able to access at the same privilege level, such as another user’s data. Vertical IDOR vulnerabilities are when a user can access data that should be restricted to users with higher privilege levels. Object-level IDOR vulnerabilities are where a user can modify or delete an object they should not be able to, and function-level IDOR vulnerabilities are where a user can access a function or perform an action they should not be able to. These vulnerabilities typically exist because an object identifier is exposed, passed externally, or can easily be guessed.

IDOR vulnerabilities are difficult to identify outside of the development process and cannot be mitigated with a single function. It is therefore vital for vendors, developers, and web designers to build adequate authentication and authorization checks for any request that modifies, deletes, or accesses data, implement secure-by-design principles, and follow cybersecurity best practices.

CISA, NSA, and ACSC have shared mitigations for vendors, designers, developers, and implementors of web applications to reduce the prevalence of IDOR vulnerabilities. In addition to implementing secure-by-design principles and best practices at all stages of the software development life cycle, secure coding practices should be followed, such as ensuring that identifiers are not exposed in URLs, configuring applications to deny access by default, and performing authentication and authorization checks for every request that modifies, deletes, or accesses sensitive data. The agencies also recommend CAPTCHA for limiting automated invalid user requests, and code reviews to check for backdoors, malicious content, and logic flaws and to verify compliance with security requirements.
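The following is an added example, not code from the advisory or from HIPAA Journal: a toy record-lookup API that shows the horizontal and function-level IDOR classes described above beside hardened handlers that check authorization on every request, deny by default, and replace exposed database IDs with per-session indirect references. The users, roles, record store, and status-code conventions are all constructed for the illustration.

```python
# Added example (not from the CISA/NSA/ACSC advisory): IDOR-prone handlers and
# their hardened counterparts, using a constructed in-memory record store.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical roles: "patient" or "clinician"


@dataclass
class Record:
    record_id: int
    owner_id: int
    diagnosis: str


# Constructed sample data: two patients, one clinician, two medical records.
RECORDS = {
    1001: Record(1001, owner_id=1, diagnosis="hypertension"),
    1002: Record(1002, owner_id=2, diagnosis="asthma"),
}
ALICE = User(1, "patient")
BOB = User(2, "patient")
DR_CHEN = User(3, "clinician")


def get_record_vulnerable(current_user: User, record_id: int):
    """Authenticated but never authorized: any logged-in user reads any record
    just by changing record_id in the request (horizontal IDOR)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec.diagnosis


def delete_record_vulnerable(current_user: User, record_id: int):
    """Function-level IDOR: the delete action never checks the caller's role."""
    if record_id not in RECORDS:
        return 404, None
    del RECORDS[record_id]
    return 204, None


def may_read(user: User, rec: Record) -> bool:
    """Authorization rule: owners may read their own records; clinicians read all."""
    return user.role == "clinician" or rec.owner_id == user.user_id


def get_record_secure(current_user: User, record_id: int):
    """Deny by default: the object must exist AND the caller must be authorized.
    A missing record and a forbidden record get the same 404 so the endpoint
    cannot be used to enumerate which IDs exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not may_read(current_user, rec):
        return 404, None
    return 200, rec.diagnosis


def delete_record_secure(current_user: User, record_id: int):
    """Privileged action: the role check runs before the object is even looked up."""
    if current_user.role != "clinician":
        return 403, None
    if record_id not in RECORDS:
        return 404, None
    del RECORDS[record_id]
    return 204, None


class SessionReferenceMap:
    """Indirect object references: the client only ever sees random opaque tokens
    minted for its own session, so the real record ID never appears in a URL and
    a token captured from another user's session resolves to nothing here."""

    def __init__(self) -> None:
        self._token_to_id: dict[str, int] = {}

    def expose(self, record_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = record_id
        return token

    def resolve(self, token: str):
        return self._token_to_id.get(token)


def get_record_by_token(session: SessionReferenceMap, current_user: User, token: str):
    """Resolve the indirect reference, then still run the authorization check:
    hiding the identifier narrows the attack surface but does not replace the check."""
    record_id = session.resolve(token)
    if record_id is None:
        return 404, None
    return get_record_secure(current_user, record_id)
```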

CISA, NSA, and ACSC have also detailed cybersecurity best practices for end-user organizations for improving their cybersecurity posture and recommend developing an incident response and communication plan that can be implemented immediately in the event of a cyber incident or data breach.


Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare

The Health 3rd Party Trust Initiative (Health3PT) has published the findings of a recent survey of HIPAA-covered entities and their business associates that explored the current state of third-party cyber risk management in healthcare and identified some of the key challenges faced by HIPAA-regulated entities.

Supply chain vendors and service providers introduce risks that need to be identified, managed, and reduced to a low and acceptable level; however, the methods used to manage third-party risks are often burdensome and inadequate. According to the survey, which gathered responses from 59 HIPAA-covered entities and 128 business associates, significant resources and money are committed to managing third-party risk, but 68% of covered entities and 79% of business associates say third-party risk management (TPRM) processes are inefficient, and 60% of HIPAA-covered entities and 72% of business associates think TPRM is not effective at preventing data breaches.

55% of healthcare organizations have experienced a data breach in the past year through a third party, and 90% of the most significant healthcare data breaches in 2022 occurred at business associates of HIPAA-covered entities. The average cost of those data breaches was more than $10 million per incident. According to Health3PT, there are significant blind spots in organizations’ third-party information security management programs. These are caused by organizations and vendors handling assessments differently and, in many cases, relying on manual processes.

Many organizations lack the necessary resources to follow up on vendor risk management efforts, and while vendors provide assurances that information security controls have been implemented, they do not consistently demonstrate that appropriate controls are in place. One of the main problems is covered entities and business associates relying on outdated TPRM approaches which result in inconsistent and unclear risk management outcomes. TPRM processes at many healthcare organizations have not changed for decades and were not particularly effective even when they were introduced as they were adopted from other verticals and never properly matched the needs of healthcare organizations. These processes have also failed to maintain pace with advances in technology, such as the use of the cloud.

The biggest challenge for covered entities is keeping pace with the volume of security assessments. Due to the number of vendors used by healthcare organizations, vendor audit fatigue often sets in. Healthcare organizations are receiving a high volume of security questionnaires from vendors but they do not have the necessary IT resources to deal with the questionnaires they receive, which means third-party vendors are not properly evaluated and risks fail to be properly addressed. Other key challenges were getting vendors to address deficiencies, the turnaround time for assessments, obtaining transparent assurances from vendors to satisfy requests the first time around, and keeping up with changing threats and risks associated with vendors.

The biggest challenges for business associates were customers’ willingness to accept a validated assessment in lieu of questionnaires, handling the variability of questionnaires and audits, and the time allowed to provide quality responses and evidence to requesting customers. Covered entities and business associates both admitted to feeling overwhelmed with TPRM processes and felt current processes are effective at preventing data breaches. Covered entities and business associates both expressed a desire to improve TPRM efficiency through improved collaboration, standardization, and automation.

Third parties pose major risks to healthcare organizations and there is considerable potential for those risks to compromise privacy and patient safety. Some of the main shortcomings with TPRM are the lack of an overarching methodology for risk-tiering vendors, overreliance on verbose contract terms, inconsistent questionnaires and validation of the information collected, limited follow-ups on the resolution of identified security gaps, and limited organization-wide insight into vendor security risk.

To help address these shortcomings, Health3PT has shared best practices in its Recommended Practices & Implementation Guide, which helps covered entities and business associates improve TPRM efficiency and effectiveness. “Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that ultimately will benefit all participants across the healthcare community,” explained Health3PT.


Patches Released to Fix Actively Exploited Flaw in Ivanti Endpoint Mobile Manager

Ivanti has released patches to fix a maximum-severity zero-day vulnerability in its Endpoint Mobile Manager (EPMM) mobile device management solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35078 and is an authentication bypass vulnerability with a CVSS score of 10. Successful exploitation of the vulnerability will allow an unauthorized user to access restricted functionality or resources of the application, gain access to sensitive user data, and potentially make limited changes to the server.

Ivanti said the vulnerability affects all supported versions of its EPMM solution (11.10, 11.9, and 11.8) as well as older versions, although the patches have only been released for supported versions. Evidence has been found that indicates the vulnerability has already been exploited in attacks, although the extent to which the vulnerability is being exploited is unclear. The Norwegian government is believed to be one of the victims. Hackers allegedly exploited the flaw to compromise 12 government ministries in the country.

According to security researcher Kevin Beaumont, the flaw is very easy to exploit, and given the severity of the flaw and known active exploitation, immediate patching is strongly recommended. Beaumont recommended that anyone still using an unsupported version that has reached end-of-life should switch off the appliance until an upgrade to a supported version is possible. The updated EPMM versions with the patch applied are EPMM 11.8.11, 11.9.11, and 11.10.02. More than 2,000 MobileIron user portals are exposed to the Internet and are potentially exploitable, most of which are located in the United States.


June 2023 Saw Massive Spike in Ransomware Activity

A recent analysis of ransomware activity by NCC Group’s Global Threat Intelligence team shows a major spike in cyberattacks by ransomware groups in June, with 434 recorded attacks in the month, 221% of the level seen in June 2022.

NCC Group tracks ransomware attacks and data theft/extortion attempts by ransomware groups and reports that the massive increase was mostly driven by the Clop ransomware group’s mass exploitation of a zero-day vulnerability – CVE-2023-34362 – in Progress Software’s MOVEit Transfer file transfer solution. The ransomware remediation firm Coveware estimates the Clop group generated between $75 million and $100 million in profit from those attacks, which directly impacted more than 1,000 companies and indirectly affected a great deal more.

According to NCC Group, the Clop group was responsible for 21% of all recorded attacks in June, with attacks continuing to be conducted in high numbers by LockBit 3.0 affiliates, which accounted for 14% of attacks, although this was a reduction from the 21% of attacks the previous month. Several new ransomware groups have emerged that started to conduct attacks at relatively low levels in May, but one of those groups – 8base – has rapidly increased activity and conducted at least 40 attacks in June – 9% of the month’s total. Two other new groups – Rhysida and Darkrace – conducted 26 attacks in June (6%). The most targeted sectors in June were industrials (33%), consumer cyclicals (12%), and technology (9%), with North America the most targeted region with 51% of the attacks.

While attacks have increased significantly, the percentage of victims that are choosing to pay the ransom has fallen considerably. Coveware reports that ransom payments have fallen to a record low, with just 34% of victims paying ransoms in Q2, 2023, down from more than 75% in Q1, 2019. With ransom payments continuing to decline, cybercriminal groups have been forced to increase their ransom demands. In Q2, 2023, the average ransom payment increased by 126% from Q1, 2023, to $740,000 and the median payment increased by 20% to $190,424. Coveware says the attacks by the Clop group have driven the increase. While relatively few companies chose to pay the ransom to recover the data stolen in the MOVEit attacks, those that did pay paid very high ransom payments.

Coveware attributes the record low to the compounding effects of companies continuing to invest in security, continuity assets, and incident response training, but warns that the fall in revenue is forcing ransomware gangs to evolve their attack and extortion tactics, such as the switch from encryption to pure extortion by the Clop group. While this attack method is quicker and quieter, without the disruption caused by encryption, the percentage of victims paying the ransom is much lower; even so, these attacks may prove to be more profitable for ransomware gangs. Encryption attacks require more time and resources, since teams of individuals are involved in the different stages of the attacks, and those individuals need to be paid, which reduces the profit.

Coveware’s report separates extortion and encryption attacks. Its data indicates BlackCat and Black Basta are the dominant encryption groups, each accounting for 15.5% of attacks in Q2. Royal accounted for 10.1% of attacks, followed by LockBit 3.0 (6.2%), Akira (5.4%), and Silent Ransom and Cactus each with a 3.1% share. Coveware reports that sophisticated affiliates of ransomware groups that have previously been using ransomware variants such as Dharma and Phobos are increasingly conducting attacks using 8base, hence the increase in attacks. In Q2, 2023, phishing was the most common initial access vector followed by RDP compromise and software vulnerabilities. Professional Services was the most targeted sector (15.5%) followed by healthcare (14%), materials (11.6%), and the public sector (10.1%).
