June 2023 Saw Massive Spike in Ransomware Activity

A recent analysis of ransomware activity by NCC Group’s Global Threat Intelligence team shows a major spike in cyberattacks by ransomware groups in June, with attacks occurring at 221% the level of June 2022 with 434 recorded attacks in the month.

NCC Group tracks ransomware attacks and data theft/extortion attempts by ransomware groups and reports that the massive increase was mostly driven by the Clop ransomware group’s mass exploitation of a zero-day vulnerability – CVE-2023-34362 – in Progress Software’s MOVEit Transfer file transfer solution. The ransomware remediation firm Coveware estimates the Clop group generated between $75 million and $100 million in profit from those attacks, which directly impacted more than 1,000 companies and indirectly affected a great deal more.

According to NCC Group, the Clop group was responsible for 21% of all recorded attacks in June, with attacks continuing to be conducted in high numbers by LockBit 3.0 affiliates, which accounted for 14% of attacks, although this was a reduction from the 21% of attacks the previous month. Several new ransomware groups have emerged that started to conduct attacks at relatively low levels in May, but one of those groups – 8base – has rapidly increased activity and conducted at least 40 attacks in June – 9% of the month’s total. Two other new groups – Rhysida and Darkrace – conducted 26 attacks in June (6%). The most targeted sectors in June were industrials (33%), consumer cyclicals (12%), and technology (9%), with North America the most targeted region with 51% of the attacks.

While attacks have increased significantly, the percentage of victims choosing to pay the ransom has fallen considerably. Coveware reports that ransom payments have fallen to a record low, with just 34% of victims paying ransoms in Q2, 2023, down from more than 75% in Q1, 2019. With ransom payments continuing to decline, cybercriminal groups have been forced to increase their ransom demands. In Q2, 2023, the average ransom payment increased by 126% from Q1, 2023, to $740,000, and the median payment increased by 20% to $190,424. Coveware says the attacks by the Clop group have driven the increase: while relatively few companies chose to pay to recover the data stolen in the MOVEit attacks, those that did pay made very large payments.

Coveware attributes the record low to the compounding effects of companies continuing to invest in security, continuity assets, and incident response training, but warns that the fall in revenue is forcing ransomware gangs to evolve their attack and extortion tactics, such as the Clop group’s switch from encryption to pure extortion. While this attack method is quicker and quieter, without the disruption caused by encryption, the percentage of victims paying the ransom is much lower; even so, these attacks may prove more profitable for ransomware gangs. Encryption attacks require more time and resources, with teams of individuals involved in the different stages of the attacks, and those individuals need to be paid, which decreases the profit.

Coveware’s report separates extortion and encryption attacks. Its data indicates BlackCat and Black Basta are the dominant encryption groups, each accounting for 15.5% of attacks in Q2. Royal accounted for 10.1% of attacks, followed by LockBit 3.0 (6.2%), Akira (5.4%), and Silent Ransom and Cactus each with a 3.1% share. Coveware reports that sophisticated affiliates of ransomware groups that have previously been using ransomware variants such as Dharma and Phobos are increasingly conducting attacks using 8base, hence the increase in attacks. In Q2, 2023, phishing was the most common initial access vector followed by RDP compromise and software vulnerabilities. Professional Services was the most targeted sector (15.5%) followed by healthcare (14%), materials (11.6%), and the public sector (10.1%).

The post June 2023 Saw Massive Spike in Ransomware Activity appeared first on HIPAA Journal.

HC3 Stresses the Importance of Robust Identity and Access Management

The Health Sector Cybersecurity Coordination Center (HC3) has highlighted the importance of implementing a robust Identity and Access Management (IAM) program. Identity and access management has become more complex due to an increase in remote working, which was accelerated due to the COVID-19 pandemic and the pressure on organizations to move high-risk transactions online. While the COVID-19 public health emergency has officially been declared over, many organizations have continued to support remote working, with 48% of employees continuing to spend at least some of the week working remotely and 62% of employees believing their employers will support remote working in the future.

While there are benefits from remote working and moving transactions online, doing so considerably increases the attack surface and provides malicious actors with more opportunities to attack an organization. Threat actors actively seek exploitable vulnerabilities in access protocols, software solutions, and organizations’ mitigation capabilities to hide their malicious activities. According to the 2023 Cost of a Data Breach Report from IBM Security, stolen and compromised credentials are the second most common initial access vector. Data breaches that stem from stolen and compromised credentials take longer than any other breach cause to identify and contain, giving threat actors ample time to conduct a range of malicious actions undetected.

Healthcare organizations need to ensure that they have a comprehensive IAM program covering employees, vendors, and customers that allows all parties to build mutual trust when performing transactions in person and remotely, yet it can be challenging to balance robust authentication, which establishes the real identity of a user, against the user experience. Consequently, IAM programs must be well thought-out and IAM policies comprehensively implemented. The policies must cover remote access and vendor, employee, and customer onboarding to ensure that identity is properly verified and users are authenticated before being granted access to systems and services. Once access has been granted, individuals should not be automatically trusted. Identity should be repeatedly reaffirmed to ensure that an individual is the true owner of their previously determined identity.

Malicious insiders pose a considerable risk and controls need to be implemented to deal with the threat. Data breaches caused by malicious insiders are the costliest type of breach, according to IBM Security, and these breaches often result in considerable harm. Criminals make contact with healthcare employees and convince them to misuse their access to internal systems to steal sensitive data or conduct destructive attacks, such as abusing their access rights to install ransomware.

Mitigating insider threats can be a challenge for healthcare organizations. It requires collaboration between the leaders and administrators involved in all stages of the hiring and employment processes, and the creation of a multi-disciplinary team that works across all business lines to prevent and mitigate insider threats, combining monitoring, surveillance, investigation, escalation, and incident response and remediation.

Processes should include rigorous identity verification and background checks before employment, and analysis of behavior during employment to identify any changes from an established baseline, ideally using automated monitoring that can flag anomalous behavior rapidly. Policies should also cover post-employment, to ensure that all equipment is recovered and that access rights and accounts are terminated immediately.
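A minimal illustration of the two controls described above, a per-user behavioral baseline with anomaly flagging and a post-employment check that terminated accounts show no further activity, added here as example code (not from HC3 or the HIPAA Journal post); the log lines, user names, IP addresses and HR roster are constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample access log (not from HC3 or any real system): timestamp user action source_ip app
LOG = """\
2023-06-01T09:05:00 alice login 10.0.1.20 ehr
2023-06-02T09:10:00 alice login 10.0.1.20 ehr
2023-06-03T08:55:00 alice login 10.0.1.21 ehr
2023-06-05T09:15:00 alice login 10.0.1.20 ehr
2023-06-06T02:30:00 alice login 203.0.113.9 ehr
2023-06-06T02:32:00 alice export 203.0.113.9 ehr
2023-06-06T09:00:00 bob login 10.0.2.5 billing"""
# Constructed HR offboarding roster (user -> last day of employment) and the day the review covers.
TERMINATED = {"bob": datetime(2023, 6, 5)}
CUTOFF = datetime(2023, 6, 6)
def parse(log):
    """One (timestamp, user, action, source_ip, app) tuple per log line."""
    return [(datetime.fromisoformat(f[0]), *f[1:]) for f in (l.split() for l in log.splitlines())]

def build_baseline(events, until):
    """Per-user baseline (hours of activity, source /24s, action types) learned from events before `until`."""
    base = defaultdict(lambda: {"hours": set(), "nets": set(), "actions": set()})
    for ts, user, action, src, _app in events:
        if ts < until:
            base[user]["hours"].add(ts.hour)
            base[user]["nets"].add(src.rsplit(".", 1)[0])  # /24 prefix of the source address
            base[user]["actions"].add(action)
    return base

def flag_anomalies(events, baseline, since):
    """(timestamp, user, reasons) for each event at/after `since` that deviates from its user's baseline."""
    findings = []
    for ts, user, action, src, _app in events:
        if ts < since:
            continue
        b = baseline.get(user)  # .get() does not create a default entry for unknown users
        if b is None:
            findings.append((ts.isoformat(), user, ["no baseline for user"]))
            continue
        checks = [(ts.hour in b["hours"], "activity outside usual hours"),
                  (src.rsplit(".", 1)[0] in b["nets"], "new source network"),
                  (action in b["actions"], "new action type")]
        reasons = [why for ok, why in checks if not ok]
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings

def activity_after_termination(events, terminated):
    """Offboarding check: activity after a user's last day means the account was not disabled."""
    return [(ts.isoformat(), user) for ts, user, *_ in events
            if user in terminated and ts.date() > terminated[user].date()]
```

In the sample data the out-of-hours export from an unfamiliar network is flagged on three counts, and bob's login the day after his last day surfaces as an offboarding failure.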

“By implementing and designing an IAM security framework and technologies which tie your governance and subsequent policy rules into a centrally managed identity and access system, the ability of your organization to prevent and detect insider threats will be greatly enhanced,” explained HC3 in its recent analyst note.

The post HC3 Stresses the Importance of Robust Identity and Access Management appeared first on HIPAA Journal.