Ransomware strikes close to home

August 22, 2019
Photo credit: WFTV News

Today, the New York Times reported that “This has been the summer of crippling ransomware attacks” to all types of computer systems. Not only have 40 municipalities been struck — their data encrypted and a ransom demanded — but last week there was a report that another synagogue ransomware attack investigated by the FBI.

Cyber-hygiene. If you look closely at the screenshot above, you will see a pop-up from the anti-malware provider  Malwarebytes, stating that its database is out of date (Oops!). What should you be doing to ensure a good cyber-hygiene regimen? (see a longer article from Symantec here)? What can you do to protect your data?

  • Deploy an antivirus/anti-malware product. An up-to-date, real-time antivirus might stop a cyber-attack.
  • Backup. Make sure to back up your important documents and keep a backup set offsite (in case of fire, etc.). There’s no excuse. These days, cloud backups are free or low-cost and you can automatically sync documents to your cloud account.
  • Update, update,update. It’s a constant battle. Bad actors learn how to sneak into our systems to do bad things. Software providers constantly provide security patches designed to close the open doors that bad actors use. Update your operating systems (Window or Mac), browsers, remote management software, Adobe products, Microsoft products, firewalls — everything. True, updates sometimes cause problems, but not updating leads to worse problems.
  • Use a firewall.  Firewalls are the guards designed to protect your network from the internet. Whether you have a hardware or software firewall, it is critical that you keep it up to date.
  • Set strong passwords and use two-factor authentication. People still use easy-to-guess passwords like, “Welcome123”, fail to change default passwords, or use the same password for multiple sites. Check out password tips from Google here. Check out a good primer from PC Mag, Two-Factor Authentication: Who Has It and How to Set It Up.
  • Before you pay a ransom ask for help! Contact the DHS Cybersecurity and Infrastructure Security Agency (CISA), the FBI, or the Secret Service and work with an experienced advisor to help recover from a cyber attack. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

Consider cyber-attack insurance. Cyber-attacks can be costly. Even if you are following all of the steps recommended above and have current backups of everything, you may still be attacked and getting back to business may be costly. A compromised computer or network will have to be restored. If there is a data breach and your members’ confidential data is compromised, other steps will have to be taken. Work with your insurance broker to determine what it would cost to recover from a cyber-attack versus the cost of the policy and do a cost-benefit analysis.

Note: Membership records. The synagogue was lucky, their membership data is stored in the cloud (e.g., Chaverware, ShulCloud). Most of the established synagogue management software stores data online, encrypts it and backs up its database. User agreements should specify that it is the vendor’s responsibility to protect your data and to be prepared to quickly restore it.

For more information visit the CISA Resource Page on Ransomware.

 

Cyber attacks increase, what can you do?

July 24, 2019

Cybersecurity Best Practices

The following is a list of best practices designed to keep individuals and their data safe when connected to the internet.

EMAIL SECURITY

  • Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.

  • Verify unexpected attachments or links from known senders by contacting them via another method of communication.

  • Avoid providing your email address, phone number, or other personal information to unknown sources.

  • Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.

  • Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.

  • Beware of emails with poor design, grammar, or spelling.

  • Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.

  • Never open spam emails; report them as spam, and/or delete them. Do not respond to spam emails or use included “Unsubscribe” links as this only confirms to the spammer that your email address is active and may exacerbate the problem.

PASSWORDS AND MULTI-FACTOR AUTHENTICATION

""

Use strong passwords on all of your accounts.  

  • Long, complex passwords make you less susceptible to brute-force attacks.

  • Use a combination of upper and lowercase letters, numbers, and special characters.

  • Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.

To reduce the risk of account compromise, account holders should:

  • Avoid using the same password across multiple accounts or platforms.

  • Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.

  • Consider using long acronyms or passphrases to increase the length of your password.

  • Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of credential compromise.

ON THE WEB

  • Ensure any websites requesting the insertion of account credentials and those used to conduct transactions online are encrypted with a valid digital certificate to ensure your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.

  • Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.

  • Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.

  • Consider using ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware or mine cryptocurrency.

  • Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.

DEVICE SECURITY

  • Keep all hardware and software updated with the latest, patched version.

  • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.

  • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.

May 5779 be a year of peace and security; what you can do to help

August 09, 2018

Rosh Chodesh Elul includes clarion calls indicating that the High Holidays are coming soon. So, now is a good time to check out a recent presentation on synagogue security or to take a deeper dive into the library of documents available on the JCRC-NY Security Resources pages. Here are some relevant selections:

High Holiday Security and Emergency Preparedness Planning Library

Topical guidance

Vulnerability, Risk and Safety Assessments and Planning

Could you be the next victim? How the Russians hacked us.

July 16, 2018

Phishing has been in the news lately. The latest indictment from the Special Counsel’s Office (i.e., Mueller) shows that it’s easy to become a victim (see the screenshot below and click on it for more info).  The attack was both sophisticated and surprisingly simple.

Government sources report that phishing attacks are up. You don’t have to be the target of sophisticated government cyber-warriors. Too many bad actors know the tricks of the trade and they can hijack your identity, your data and/or plant ransomware on your computer.

We’ve collected tips from various sources to help you to identify potentially-dangerous phishing emails. Just click on How to spot phishing like a pro. The document has several examples and is in PDF format so that you can download it and distribute it widely.

Remember to practice the basics:

  1. Don’t click on links that you don’t recognize.
  2. Use strong passwords.
  3. Install anti-virus/anti-malware protection and keep the definitions up to date.
  4. Install security updates for the software on your computer as they are released.

For more information, tips and resources see our dedicated webpage: www.jcrcny.org/cybersecurity.

 

Microsoft Customer Guidance for WannaCrypt attacks

May 15, 2017


Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.

  • In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
  • For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
  • This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Phillip Misner, Principal Security Group Manager  Microsoft Security Response Center

Further resources:

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ransomware: Lessons learned

December 20, 2016

Don’t say that we didn’t warn you (see here, here and especially here). Here’s a tale about a synagogue in the NYC area, but it could happen to anyone.

In mid-November the rabbi’s secretary was going about her business on the shul computer. Whether she was duped to click on an infected popup advertisement or she visited an infected website the damage was done. What we do know is that this ransom note appeared on her screen:

ransomware-warning

Then the panic. The note was accurate, they were locked out of the shul’s only computer. What should the shul do?

  • They couldn’t get to their Quickbooks.
  • They couldn’t get to their member software.
  • They couldn’t get to the file with the Yahrzeits.
  • They couldn’t get to their record of Kol Nidre pledges

Some computer-savvy members tried various tools, but no luck. The problem was eventually brought to the synagogue board and a hearty debate followed. Would they just be paying a ransom and get nothing in return (See the FBI guidance here)?  Finally, the vote was to pay the ransom, 3 bitcoins (almost $2,400).  Fortunately, the thieves were relatively honest. The synagogue’s files were decrypted and they could recover their data. Many other victims pay, but their computers remain locked.

Lessons learned

People, there’s nothing new here. Check out JCRC-NY’s Cybersecurity Resources page and our cybersecurity blog posts. This episode is an expensive reminder that it’s crucial to practice good cyber-hygiene.

  1. Backup, backup, backup. There is no excuse. External thumb drives and hard drives are cheap. Buy one and take the time to configure the backup program so that it automatically, regularly keeps critical data safe. There are many free or low-cost cloud options. Backup to Google Drive, Dropbox or a cloud server provided by your anti-virus/backup program. The data in some shul membership management programs are automatically saved to the cloud which may even be monitored by full-time cybersecurity staff. Finally, more than one backup (e.g., one onsite, one offsite or in the cloud)  is better than one … one is better than none.
  2. Keep your anti-virus software up-to-date. The bad guys are smart and they’re getting smarter. Somehow, the bad guys got the rabbi’s secretary to click on the infected link. Our poor synagogue had anti-virus software, but it was a year out-of-date (duh, it turns itself off).  Most of the better anti-virus programs are updated constantly and will probably stop a ransomware attack before your data is seized. Buy a license that will protect all of your computers. (see bargain software rates for nonprofits at Techsoup).
  3. Have strong passwords and record them. Whoever set up the synagogue’s computer did follow “best practice” and didn’t give the users “Administrator” access (pardon the techy-talk). The trouble was that no one knew that password so the consultant who assisted the synagogue had to get permission from the board to reset the password before she could revive the computer. Click to https://www.lockdownyourlogin.com/ for the latest guidance on passwords.
  4. Beware of residual “bread crumbs”. Some ransomware leaves malware on a computer so that the bad guys can re-infect the computer. After all, you paid once, won’t you pay again? Once you have recovered the encrypted files, use multiple products to scan your computer: first your new, up-to-date anti-virus program, then a some others (the trial or basic versions are available free online) such as Malwarebytes, CCleaner, SUPERAntispyware, to name a few. There is no perfect solution. Each may find something that the others missed.
  5. Cybersecurity is a board responsibility. The incident was an expensive lesson. When no one on staff has computer skills, the board has a fiduciary responsibility to make sure that the staff know the basics of cyber-hygiene: the software is being updated, the backups are made, the anti-virus programs are working.

Finally, kudos to JCRC-NY’s outside computer maven from Dragonfly Technologies, who dropped everything to travel to the shul and spent many hours into the night to get them back in business and up-to-date.

It’s National Cyber Security Awareness Month

October 05, 2016

Cyber Security is Everyone’s Responsibility

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans. Intrusions into financial, corporate, and government networks. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Ransomware is type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom is paid. In addition to individual users, ransomware has infected entities such as schools, hospitals, and police departments. The actors behind these sophisticated schemes advise the users that if they pay the ransom, they will receive the private key needed to decrypt the files. Most recently, these cyber criminals—demonstrating some business savvy—give victims the option of decrypting one file for free to prove that they have the ability to restore the locked files.

Business e-mail compromise, or BEC, scams continue to impact many businesses across the U.S. and abroad. BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts—often belonging to either the chief executive officer or the chief financial officer—for the purpose of conducting unauthorized wire transfers. After compromising a company’s e-mail account—usually through social engineering or malware—the criminals are then able to send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account. BEC scams have been reported in all 50 states and in 100 countries and have caused estimated losses of more than $3 billion worldwide. More on BEC scams.

Intellectual property theft involves robbing individuals or companies of their ideas, inventions, and creative expressions—often stolen when computers and networks are accessed by unscrupulous competitors, hackers, and other criminals. Intellectual property can include everything from trade secrets and proprietary products and parts to movies, music, and software. And the enforcement of laws protecting intellectual property rights (IPR)—which are critical to protecting the U.S. economy, our national security, and the health and safety of the American public—is an FBI criminal priority. The Bureau’s IPR focus is the theft of trade secrets and infringements on products that can impact consumers’ health and safety, including counterfeit aircraft, automotive, and electronic parts.

“The FBI is doing everything we possibly can, at every level, to make it harder for cyber criminals to operate,” says Associate Executive Assistant Director David Johnson, “and I believe many of them are now starting to think twice before they put fingers to keyboard. But we also ask that the public do its part by taking precautions and implementing safeguards to protect their own data.”

Check back on our website during the month of October for information on protecting your data and devices and on FBI efforts to combat the most egregious cyber criminals.

Ransomware victims urged to report infections

September 15, 2016

FBI

 

 

 

September 15, 2016/Alert Number I-091516-PSA

RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT

FBI says “don’t be a victim”: Ransomware on the rise

May 01, 2016

Graphic of Tablet Screen with Lock and Key (Stock Image)From the FBI’s Cyber Division: Incidents on the rise, protect yourself and your organization

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. See a New York Times article here.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

Tips for Dealing with the Ransomware Threat

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

How does it work?

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

One the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

So what does the FBI recommend?

As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:

Prevention efforts—both in both in terms of awareness training for employees and robust technical prevention controls; and
The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.)
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

Resources: