Ransomware gang reportedly drops encryption, Saskatchewan insurance broker hit by ransomware and employees put COVID data at risk.
Welcome to Cyber Security Today. It’s Monday, May 3, 2021. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Babuk ransomware gang says it’s dropping the encryption of victims’ data as a tactic. Instead it will focus strictly on data theft and blackmail to enrich itself. Until now the gang did both: stealing data from victim organizations, then encrypting data on corporate servers. The threat to the victim was, ‘Pay for the decryption keys or the copied data will be released, embarrassing you and your customers.’ If the organization didn’t have a good data backup, it faced two threats – embarrassment and loss of business, and the loss of data. This double extortion tactic started being adopted by ransomware groups about two years ago. But creating and maintaining an encryption solution isn’t easy. Emsisoft discovered a bug in Babuk’s code that caused permanent data loss even when the victim used the decryptor Babuk supplies after payment. Some cybersecurity companies have cracked the encryption of a few gangs, and give away the decryption keys to any victims. Now Babuk has apparently decided it’s easier – and perhaps just as lucrative – to only steal data and hold it for ransom. A researcher at Emsisoft doubts other ransomware groups will follow this strategy.
By the way, last week the Babuk gang got into the computer systems of the Washington, D.C., police department and stole data. It is still threatening to release the names of police informants unless it is paid. In an interview with a news site in Poland, Babuk claimed the police department’s virtual private network was hacked with a zero-day vulnerability – that is, a vulnerability that hasn’t been publicly disclosed. That claim hasn’t been confirmed.
Meanwhile, other ransomware groups continue to find victims. One of the latest in Canada apparently is an insurance broker headquartered in Regina, Saskatchewan. I say ‘apparently’ because I wasn’t able to confirm it at the time this podcast was recorded. But the REvil ransomware gang has posted on its website what it says are documents copied from the insurance broker as proof of the attack. Among the pages are copies of pre-paid credit card authorization forms filled out by customers. These would allow the broker to automatically charge a customer’s insurance fee to their card. These forms list names, credit card numbers, expiry dates and the card verification number from the back of the card. This information would allow a crook to do anything they wanted with the credit card. Why this data wasn’t encrypted by the broker for protection in case of data theft is a mystery.
Unfortunately many companies don’t protect their data as it sits on company servers. That’s called data at rest. Many companies know to encrypt data if they send it to another company, say for data processing. But sensitive data at rest also has to be protected. And remember, there’s also possibly sensitive data sitting in corporate email. Customers may email organizations their names, credit card numbers, dates of birth, social insurance numbers or passport numbers. And all of that may be sitting in the email boxes of employees. That needs to be protected as well – and not just with an email password.
More ransomware news: Last week the municipal government of the famous skiing resort in Whistler, British Columbia was the victim of a ransomware attack. The gang behind that attack has issued a warning the town has only a few days to negotiate before the data it copied is released. The gang claims to have taken 800 GB of data.
Two weeks ago I told you that the ParkMobile parking payment application used in Canada and the U.S. had been hacked. Well, the data stolen by the attacker is now being given away to other crooks online. The attacker tried to sell the data, but apparently found no buyers. The data on over 21 million people includes their names, car licence numbers, mobile phone numbers and email addresses, and in some cases their dates of birth as well — if they were foolish enough to give them to the app.
Finally, I want to tell you about a violation of the data privacy of 72,000 people in the U.S. by employees who ignored company rules. As reported by the Associated Press, it happened this way: A company called Insight Global was hired by the state of Pennsylvania to do COVID-19 contact tracing. In contact tracing, people who were in contact with someone confirmed as having COVID are notified and urged to be tested. That information has to be closely guarded, because it includes names, addresses, phone numbers, email addresses, COVID diagnoses and sexual orientation. But in violation of company rules, employees set up unauthorized Google accounts for sharing the data. This included names of people who might have been exposed to COVID, whether they have symptoms and who lives with them. There’s no indication that this data was copied by outsiders. It sounds like the employees of Insight Global were trying to get around rules so they could find possible victims fast. The news story also suggests this was because hundreds of inexperienced people were being hired. The point is sometimes employees try to get around rules, and software protection, to do their jobs quicker. Managers always have to watch for this.
Remember links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.