Cybersecurity

December 4, 2020

A Look into North Korea’s Legion of Cyber Criminals

When it comes to infamous hacker gangs, Russian ones seem to garner the most attention. However, North Korea’s state-sponsored group is just as formidable. Here, we attempt to break down the rogue nation’s cyber army and see how it operates.

Bureau 121

The Reconnaissance General Bureau (RGB) of North Korea is the country’s intelligence agency, consisting of six different “bureaus.” Formed in 1998, Bureau 121 is the cyber warfare sector of the RGB. According to an intelligence report from the United States Army, this branch consists of four subgroups[1]. These include:

The Andarial Group: Andarial members assess targeted computer systems and identify vulnerabilities to use in future attacks.

The Bluenoroff Group: This group focuses on financial crime. Cyber theft is one of North Korea’s biggest revenue streams.

Electronic Warfare Jamming Regiment: They are in charge of jamming enemy computer systems during actual, on-the-ground war scenarios.

The Lazarus Group: The most notorious part of Bureau 121, The Lazarus group is an agent of social chaos. They infiltrate networks and deliver malicious payloads.

The name “Lazarus Group” is often applied loosely to the other units as well, especially the financial crime division. It is unknown how many individuals comprise Bureau 121, but the number is estimated to be in the thousands. Members often reside in other countries, such as Russia, China, Belarus, India, and Malaysia. This helps obscure the true origin of attacks and gives the operators access to more robust electronic infrastructure. Due to worldwide economic sanctions and a generally low industrial capacity, North Korea itself lacks the resources necessary to carry out large attacks.

An elite organization

North Korea’s internal policies and actions are opaque to the international community. However, defector testimony claims that the nation’s top computer science students from the university in Pyongyang make up Bureau 121. These talented hackers then enjoy special privileges in North Korean society[2]. Instead of rundown tenements or rural farmhouses, they receive relatively posh (by North Korean standards) uptown apartments in the capital. With these kinds of unheard-of perks, it’s no wonder that people desire the positions.

Significant revenue generation

North Korea’s illicit digital activities replace a portion of what’s lost due to sanctions and flawed policies. In 2019, a United Nations report concluded that the rogue country gained $2 billion from cyberattacks[3]. Now, that sounds bad, but maybe it’s some sort of Robin Hood situation, where they steal from the rich to provide food and essentials for their ailing citizens? But no, the money actually went to their weapons division, specifically the nuclear weapons program. This makes North Korean hackers a threat to global security.

Notable attacks

2013 South Korea Cyberattack

In March 2013, North Korea unleashed a devastating cyberattack against their neighbors to the South. Utilizing the “DarkSeoul” malware, they infiltrated banking and media institutions throughout the country. Their top two television stations, the Korean Broadcasting System and MBC, suffered widespread computer issues but were able to stay on the air.

Popular banks such as the Shinhan Bank, Jeju, and NongHyup reported outages for their online banking and in-person services alike. Some even had their internal files erased. Luckily, they recovered most of the data from backups and restored operations within a few hours. Although resolved relatively quickly, it was still proof North Korea could cause chaos to their enemies.

The Sony hack

The November 2014 hack of Sony Pictures remains one of the most-publicized cyberattacks in history. It was a massive data breach that exposed a mountain of sensitive info. This ranged from personal information regarding employees and inter-office emails to plans for upcoming films, scripts, and complete cuts of then-unreleased movies.

If anyone doubted whether North Korea was responsible for the attack, it was all but verified when the hackers made their demands. The most adamant requirement was for Sony to nix the release of “The Interview.” For the readers out there unfamiliar with the intricacies of the Seth Rogen/James Franco buddy comedy genre, The Interview starred the famous duo attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un. In the face of the hack, and under threats of terrorism by the attackers, Sony pulled the movie from theaters and released it online only.

The Sony hack was a huge deal. It led the United States to bring formal charges against North Korea and raised tensions to a point from which relations have never really recovered.

WannaCry ransomware

WannaCry is another extremely high-profile cybersecurity incident. In May of 2017, exploiting a Microsoft Windows vulnerability, WannaCry infected hundreds of thousands of computers in less than a day! While it only collected a paltry (by successful ransomware standards) $130,000 in ransoms, the malware made a huge practical impact.

The biggest example of this was the attack on National Health Service hospitals in England and Scotland. Many of them had to turn away non-life-threatening emergencies, and the incident disrupted ambulance service throughout the region.

After the attack, the United States held a Congressional hearing with security professionals to solicit ideas about improving resiliency to such situations.

Recent activity

The hacks above had the most significant impact on global cybersecurity, but that doesn’t mean Bureau 121 slowed down in recent years. On the contrary, they’ve been extremely busy! The increased popularity of cryptocurrency gives entities like the Lazarus Group an easy way to transact with the organizations they attack and launder the ransoms afterward.

They outright target cryptocurrency-related companies too. Research indicates they use the professional social media platform LinkedIn to lure unsuspecting employees with spear-phishing messages, then use that foothold to exploit vulnerabilities in the company’s network[4]. These underhanded tactics result in lucrative ill-gotten gains. According to the UN report mentioned above, $571 million out of the $2 billion revenue was from cryptocurrency theft.

Phishers target AstraZeneca

Using the LinkedIn phishing method, the Lazarus Group set their sights on pharmaceutical giant AstraZeneca in late November. State agents posing as high-level recruiters flooded their employees with fake job offers. Then, they emailed the targets with malware attachments. Luckily, no one fell for the scheme, but it shows that Bureau 121 isn’t burdened by any moral compass.

AstraZeneca is one of the companies working on a viable COVID-19 vaccine. Cybersecurity researchers believe that North Korea is focusing on COVID-related organizations at the moment[5]. As one of only 11 countries without a reported COVID-19 case[6], perhaps they don’t see the harm in attacking a vaccine maker. For the rest of us, we can only hope they fail.

Protect your data

When you think of state-sponsored hacking groups, you may assume they only attack political targets. However, rogue nations like North Korea gain a considerable portion of their revenue from attacks on businesses, as you’ve seen. Therefore, assume that any organization with network vulnerabilities and substantial cash flow is susceptible.

Protect your sensitive data from threat actors by using AXEL Go to store and share files. AXEL Go is built on secure blockchain technology and utilizes robust encryption to keep your documents safe and private. It is available on Windows, Mac, iOS, and Android. So, no matter where your platform allegiances lie, you can enjoy secure, private file sharing. Our free basic account offers all the great features of AXEL Go with 2GB of free online storage. Download it now.


[1] “North Korean Tactics”, Department of the Army, July 2020, http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html

[2] Ju-min Park, James Pearson, “In North Korea, hackers are a handpicked, pampered elite”, Reuters, Dec. 4, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea/in-north-korea-hackers-are-a-handpicked-pampered-elite-idUSKCN0JJ08B20141205

[3] Michelle Nichols, “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report”, Reuters, Aug. 5, 2019, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[4] Anthony Cuthbertson, “North Korean Hackers Use LinkedIn for Cryptocurrency Heist, Report Reveals”, The Independent, Aug. 25, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-lazarus-linkedin-cryptocurrency-a9687086.html

[5] Jack Stubbs, “Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources”, Reuters, Nov. 27, 2020, https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

[6] Kaia Hubbard, “Countries Without Reported COVID Cases”, U.S. News, Nov. 13, 2020, https://www.usnews.com/news/best-countries/slideshows/countries-without-reported-covid-19-cases?slide=13


November 27, 2020

Ransomware is Big Business for REvil Hacker Group

REvil, or Sodinokibi, is one of the most notorious hacker gangs in the world. Known for their ransomware attacks, the group claims it will make $100 million by the end of the year[1]. Here is a brief overview of the Russian hackers and their illicit accomplishments.

A sordid history

For all of their high-profile attacks, concrete information about the group remains elusive to the public. They are likely based in Russia, judging from the available security research as well as their unwillingness to attack companies or governments in the former Soviet bloc.

An offshoot

Cybersecurity analysts believe malicious developers from a previous group called GandCrab make up REvil[2]. GandCrab was a prolific gang that collected an estimated $2 billion in ransoms in an 18-month period between 2018 and 2019. REvil popped up almost immediately after GandCrab stopped activities in 2019, and the two malware families share much of the same code.

The gang also employs a Ransomware-as-a-Service (RaaS) model to supplement their revenue. Those interested in a more in-depth breakdown of ransomware can read our recent blog post about the topic.

RaaS is interesting because the gang itself doesn’t have to focus constantly on finding new victims. REvil simply licenses out their malware to vetted affiliates, who do the dirty work of searching for and breaching vulnerable networks. REvil then takes a healthy 20-30% cut of the affiliates’ payments. How’s that for a business model!

High-profile attacks

Texas local governments: In a concerted attack in August 2019, REvil infected 23 local Texas government agencies and demanded a $2.5 million collective ransom[3]. The malware brought down the systems and websites of these agencies. Luckily, the victims were well-prepared in this case. Teams of cybersecurity experts restored the systems via backups or full rebuilds. They did not cooperate with REvil, and their sites are now back online.

Travelex: On New Year’s Eve in 2019, REvil infiltrated Travelex’s network. Travelex is a foreign currency exchange company known for its kiosks in airports around the world. Unfortunately for them, they weren’t very vigilant when it came to cybersecurity. They hadn’t installed any security patches for their VPN system in over two years! This allowed REvil to breach their network and inject ransomware easily.

It spread so fast that it took down their entire operation. Instead of coming clean about the hacking incident, Travelex claimed it was “planned maintenance” and quietly paid a $2.3 million ransom to the notorious gang. Once this information leaked (as it usually does), the company was in real hot water. Not only had their lax security policies led to a data breach and loss of service, but they lied about it. It evidently affected consumers’ trust, as the company did not recover from the situation. After a failed attempt to sell, Travelex fell into administration, cut over 1300 jobs, and is currently undergoing significant corporate restructuring[4].

Grubman Shire Meiselas & Sacks: In May of 2020, REvil stole over 750 gigabytes of confidential legal documents from the Grubman Shire Meiselas & Sacks law firm[5]. The practice is famous for representing celebrities and other high-profile clients. REvil gained access to records pertaining to people such as Madonna, Lady Gaga, Drake, Elton John, and United States President Donald Trump. At first, the ransom was an already-obscene $21 million but ballooned to $42 million after they figured out they had Trump’s information.

Upon the FBI’s guidance, the firm allegedly refused to pay the ransom, causing REvil to auction the information on the Dark Web to the highest bidder.

According to a recent interview with an apparent member of the gang, this may not be the entire story. The hacker claims a secret identity paid the ransom to prevent the Trump documents from leaking[6]. This cannot be confirmed but adds another layer of intrigue to the incident.

Televangelist Kenneth Copeland: Wealthy televangelist pastor Kenneth Copeland suffered a REvil attack recently as well. The hackers encrypted and stole 1.2 terabytes of information from the Kenneth Copeland Ministries’ computer systems. The data includes email databases, bank documents, financial contracts, and more. The actual ransom demand amount isn’t known at the moment, but with an estimated net worth of over $750 million, the famous pastor can likely afford it. If unpaid, he’ll need to take some time off from banishing evil from the world to focus on banishing REvil from his network.

Desperate or enterprising?

REvil uses a double-extortion method to extract ransom payments from its victims. This means that they encrypt the breached data so that the victim must either pay to unlock it or restore it from a backup (which they may or may not have). Concurrently, they steal and transfer the information back to their own storage and threaten to sell it on the Dark Web. This means even if the company, agency, or individual has a backup, they still might elect to pay up to stop the data from leaking. It’s a lucrative model, but evidently not lucrative enough.

According to the interview mentioned above, the gang may add another wrinkle. They are now considering flooding a victim’s website with bot traffic (a denial-of-service attack) to bring it down while also employing the double-extortion methods. This cripples the victim’s ability to function and puts more pressure on them to remedy the situation quickly.

Some analysts wonder if this is a sign that the gang is in desperate need of more money. However, it could just be good, old-fashioned greed. Only time will tell. What is certain is that REvil shows no sign of stopping their practices soon, and even if it does shutter eventually, a new gang will form out of the ashes to continue their dubious legacy.

Data security

AXEL is a company dedicated to data security solutions. Our file sharing and storage cloud, AXEL Go, utilizes three ultra-secure technologies (Blockchain, IPFS, encryption) to keep private documents safe. We offer a fully-featured, free Basic plan with 2GB of online storage, as well as paid plans for power users and enterprise clients. Don’t just sit back and wait for hacker gangs like REvil to set their sights on you; protect yourself with AXEL Go. Download it today and try it out for Windows, Mac, Android, or iOS.


[1] Tara Seals, “REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/

[2] Jai Vijayan, “GandCrab Developers Behind Destructive REvil Ransomware”, Dark Reading, Sept. 25, 2019, https://www.darkreading.com/attacks-breaches/gandcrab-developers-behind-destructive-revil-ransomware/d/d-id/1335919

[3] “Texas government organisations hit by ransomware attack”, BBC News, Aug. 2019, https://www.bbc.com/news/technology-49393479

[4] Kalyeena Makortoff, “Travelex falls into administration, with loss of 1,300 jobs”, The Guardian, Aug. 6, 2020, https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-shedding-1300-jobs

[5] Lindsey O’Donnell, “REvil Ransomware Attack Hits A-List Celeb Law Firm”, threatpost, May 12, 2020, https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/

[6] Tara Seals, “REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/


October 23, 2020

Cyber Monday Attracts Cybercriminals

Black Friday and Cyber Monday have been merging for years. This year, amid a global pandemic, the trend is likely to accelerate. With almost one third of historically in-store shoppers claiming they will only shop online this year[1], hackers and online fraudsters will assuredly be on the prowl. Here are some of the most common scams to watch out for and how to avoid them.

Popular Cyber Monday scams

Most of these cons aren’t exclusive to Cyber Monday, but the influx of online shoppers during the time period does magnify thieves’ efforts.

Phishing emails

‘Tis the season for shady emails. Since legitimate retailers send emails en masse during Cyber Week to advertise deals, many fraudulent phishing attempts slip through the cracks. These emails will look like they’re from an established brand but are really trying to trick you.

We recommend being suspicious of any brand emails sent during Cyber Week and checking the sender’s address to ensure it appears valid. Do not trust any address not instantly recognizable as being credible. Never click links or open attachments in these emails. Navigate to the brand’s website via your browser and see if the promotion is there too. If it is, make the transaction through the website rather than clicking any email links.

Fake social media offers

Even Black Friday and Cyber Monday deals have limits to their believability. Cybercriminals make fake social media accounts to take advantage of consumers wanting the best bargains. These accounts post too-good-to-be-true offers with malicious links or bogus surveys with the promise of free rewards.

The easiest way to avoid these scams is not to get caught up in the fear of missing out on a once-in-a-lifetime deal. The truth is, most of these are ploys to infect your system or steal sensitive personal information. Don’t follow strange Twitter accounts shilling pie-in-the-sky promotions.

Formjacking

Also known as “e-skimming,” formjacking is an especially deceptive way to scam unsuspecting online shoppers. Here, the bad actor injects malicious code into otherwise legitimate retail sites. The code runs in the shopper’s browser once they enter their payment information. Then, the script scrapes the credit card details and transmits them back to the hacker.

Cyberthieves target third-party plugins on e-commerce websites to find vulnerabilities. This makes it difficult for retailers to spot the problem before it becomes a huge issue, since the compromise occurs in code they don’t control. Although smaller companies without the resources to staff large IT teams are most affected, large corporations are not immune either. For example, in 2018, online ticket vendor Ticketmaster suffered a formjacking incident that exposed customers’ personal information and payment data[2].

Preventing formjacking as a consumer is difficult, if not impossible. The website is legit, and there’s no signal that the payment form is compromised. Shop trusted sites you’ve ordered from previously and use a credit card instead of a debit card number, if possible. Typically, credit cards offer more comprehensive fraud coverage than debit cards. You won’t be liable for the vast majority of fraudulent credit card charges. Just remember to pay it off immediately!

Man-in-the-middle attacks

This is a cyberattack where the hacker compromises a network and inserts themselves between two other parties. The attacker can then intercept and alter the information relayed between these parties. A common example of a “man-in-the-middle” attack is when a threat actor gains control of a public WiFi access point. Everyone connecting to the public WiFi is then at the mercy of the cybercriminal. Hackers typically accomplish this in one of two ways:

Hacking the router. If the router used for a business’s WiFi is in a public area, or there is a nefarious employee, the router itself is susceptible to a hack. Small companies, such as local restaurants, usually lack sufficient IT personnel to prevent these breaches.

Setting up a fraudulent access point. Sometimes, the fraudsters don’t even have to hack anything. They simply set up their own unauthorized WiFi access point and name it deceptively. This tricks customers into connecting to harmful networks.

Companies should keep their routers out of public spaces and only allow trusted employees to deal with them. However, the best way to prevent these occurrences is for customers to refrain from using public WiFi altogether. Use your cellphone data whenever you can. Cellular networks are much more challenging to crack.

Counterfeit goods

Here’s a new twist on an old classic. Cyber Monday is a massive opportunity for counterfeiters to sell their inauthentic wares. In a bit of irony, counterfeiters may actually charge more for their fakes than usual while still making it look like a great sale to their victims. So, before you click the checkout button on that incredible deal from Gucci-Bag-Sales-4-You.com, think twice. Is the website reputable? If not, you should probably pass.

Check online to see if there are validated reviews for the site before you buy. If there’s even a hint of fake reviews, steer clear. Verify how long the company has been in business. One trick is to perform a WHOIS lookup on the domain. Copy and paste the web address into the WHOIS lookup box and hit the search icon. Then, search for the “Creation Date” attribute within the returned information. If the site was registered recently, that’s a major red flag.
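The domain-age check described above, as an added example that is not part of the original post: the helper parses the “Creation Date” (or the equivalent label other registries use) out of raw WHOIS text and flags recently registered domains. The WHOIS records, the label list and the 180-day threshold are constructed assumptions for illustration.

```python
"""Flag recently registered shop domains from WHOIS output (added example)."""
from __future__ import annotations

import re
from datetime import date, datetime

# Labels under which registries and registrars report the registration date.
# Constructed list: real WHOIS output varies, so extend it for the TLDs you check.
_CREATION_PATTERNS = [
    re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M),  # ICANN gTLD format
    re.compile(r"^\s*created:\s*(\S+)", re.I | re.M),        # many ccTLD servers
    re.compile(r"^\s*Registered on:\s*(\S+)", re.I | re.M),  # e.g. 01-Oct-2020 style
]

# Date formats seen in those fields; tried in order until one parses.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d", "%d/%m/%Y")

# Reference "today" used in the demo so results are reproducible: Cyber Monday 2020.
CYBER_MONDAY_2020 = date(2020, 11, 30)

# Constructed sample WHOIS records (not real lookups). The first uses the
# domain name the post jokes about; the second mimics a long-established shop.
SAMPLE_WHOIS_NEW = """\
Domain Name: GUCCI-BAG-SALES-4-YOU.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2020-11-20T14:02:11Z
Registry Expiry Date: 2021-11-20T14:02:11Z
"""

SAMPLE_WHOIS_OLD = """\
domain:   established-retailer.example
created:  2004-03-15
changed:  2020-06-01
"""


def parse_creation_date(whois_text: str) -> date | None:
    """Return the registration date found in raw WHOIS text, or None if absent."""
    for pattern in _CREATION_PATTERNS:
        match = pattern.search(whois_text)
        if not match:
            continue
        raw = match.group(1)
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                pass  # try the next known format
    return None


def domain_age_days(whois_text: str, today: date) -> int | None:
    """Age of the domain in days relative to `today`, or None if unknown."""
    created = parse_creation_date(whois_text)
    return (today - created).days if created else None


def assess_domain(whois_text: str, today: date, min_age_days: int = 180) -> str:
    """Classify a shop's domain as 'unknown', 'new' (red flag) or 'established'."""
    age = domain_age_days(whois_text, today)
    if age is None:
        # No creation date found: treat as unverified rather than as safe.
        return "unknown"
    return "new" if age < min_age_days else "established"


if __name__ == "__main__":
    for label, record in (("new shop", SAMPLE_WHOIS_NEW), ("old shop", SAMPLE_WHOIS_OLD)):
        print(label, parse_creation_date(record), assess_domain(record, CYBER_MONDAY_2020))
```

In practice, feed the function the text returned by the `whois` command or a WHOIS web lookup for the shop's domain.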

Stay safe

Black Friday, Cyber Monday, and all of Cyber Week are fantastic times to save big on your favorite products. But you have to be safe and vigilant to prevent hacks, data breaches, and other scams. Please don’t get fooled by those looking to leverage other people’s greed to satisfy their own.

AXEL is passionate about data security. That’s why our motto is “Securing data at rest and in motion.” We are a company that’s always utilizing new technologies to offer more robust protection for your information. If you’d like to learn more about our philosophy and software solutions, such as our secure, privacy-focused file-sharing platform, AXEL Go, please visit axelgo.app today.


[1] Emily Eberhard, “How the pandemic may affect holiday shopping”, Think With Google, July 2020, https://www.thinkwithgoogle.com/consumer-insights/consumer-trends/pandemic-holiday-shopping/

[2] John Leyden, “Ticketmaster gatecrash: Gig revelers’ personal, payment info glimpsed by support site malware”, The Register, June 27, 2018, https://www.theregister.com/2018/06/27/ticketmaster_support_bot_hack/


October 7, 2020

Phishing: Not as Relaxing as it Sounds

Phishing is a common form of cybercrime that has been around for decades. While there have been many permutations throughout the years (nobody wants your AOL passwords anymore), the basic concept remains the same.

For such a prominent tactic, it still works well enough for criminals to send off three billion phishing emails every day in hopes of catching the big one[1]! So, dust off the oars and make sure the rowboat isn’t leaking because it’s time to visit the phishing hole.

The basics of phishing

The term “phishing” refers to when cybercriminals deceive unsuspecting people to extract sensitive personal information or deploy malicious software payloads. It relates to traditional fishing in that a fisherman tricks the fish into thinking they will get a delicious meal, when in fact, they are the meal!

There are two main end goals for phishing attacks. These are:

Identity theft. In 2019, over 5% of consumers experienced some form of identity theft and suffered nearly $17 billion in losses due to it[2]. That’s more than the total GDP of Jamaica! Phishing attacks can procure the necessary information (names, addresses, social security numbers, etc.) for thieves to open fraudulent credit cards or apply for loans under their victims’ names.

Malware infection. Many phishing attempts lure unsuspecting victims into clicking a malicious link that delivers a virus or ransomware. Your computer could even be taken over entirely and added to a botnet to carry out DDoS attacks.

Different types of phishing

Spear phishing. These are more advanced, targeted phishing attacks. Whereas a typical phishing attempt may be mass-emailed out to millions of people hoping to snag a few victims, spear phishers strike specific companies, departments, or individuals. They send tailored messages designed to appear authoritative and legitimate. It has a much higher chance of success but takes more research to develop.

Vishing. Also known as voice phishing, here the scammer calls the intended individual and poses as an authority figure. A common example is a visher calling an employee of a company while posing as someone from IT. They try to get the employee to install “security updates,” which actually end up being malware.

It doesn’t have to be related to business, however. Another popular scenario is contacting older people as law enforcement to gain personal information for identity theft or extort payments for fake fines. Sadly, criminals go to great lengths to achieve their fraudulent intentions.

Smishing. Since spam emails are frequent and well-documented, many people have caught on to blatant email phishing attempts. That must mean the swindlers have accepted defeat, right? No way. They are always coming up with different ways to deceive. That includes smishing, where phishers utilize SMS text messaging to carry out their schemes. People think text messages are more trustworthy than emails and are therefore more likely to click a bad link.

Whaling. Whaling is a subcategory of spear phishing where the mark is a high-level executive at a company. They have access to the most confidential data, and therefore, make for attractive targets.

Clone phishing. If a hacker accesses one person’s email, they can see who they’ve emailed. Clone phishing is where the bad actor sends an email to someone that’s identical to one they’ve already received. Except, the cloned email contains a malicious link or attachment.

Signs of phishing

Strange URLs from trusted brands. Phishers disguise themselves as trusted brands. Always check to make sure the links you’re following from brand emails are legitimate. We recommend copying and pasting links into your web browser bar instead of clicking them directly. This way, you have a better idea about whether or not the link looks suspicious.

Personal information requests. Companies and government agencies usually won’t require anyone to provide personal information via email or text. Err on the side of caution and refuse any such requests. If necessary, find the organization’s legitimate contact information from their verified website and call a representative.

Urgent, time-sensitive language. Phishers sometimes utilize scare tactics to make their targets feel like they need to act or risk enormous consequences. This is especially common when the phishers pose as law enforcement or legal professionals. Never pay for “fines” or “settlements” you had no idea about previously.

Too good to be true claims. Another classic phishing strategy! We’ve all likely received an email claiming we’ve won a lottery we never participated in, or been contacted by a “Nigerian Prince” who wants to reward us with untold riches. The old adage “If it sounds too good to be true, it probably is,” applies here.

Poor grammar or spelling. Many phishing attacks originate from outside the Western world. If the recent email from your boss is riddled with spelling or grammatical errors, you need to verify it came from a legitimate sender before you reply.
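The “Strange URLs from trusted brands” sign above, turned into a check you can run on a pasted link. This is an added example, not code from the original post: it reports whether the registrable domain actually belongs to the claimed brand, and whether the brand name only appears in a subdomain or path, behind an `@`, in a raw IP host, or in a punycode (IDN) name. The brand-to-domain table, the short suffix list and the sample links are constructed for illustration; a production check would use the Public Suffix List.

```python
"""Inspect a link from a "brand" email for common phishing red flags (added example)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed table: brands and the domains that legitimately belong to them.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Suffixes under which the registrable domain is three labels long.
# Constructed, deliberately tiny; real code should use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, claimed_brand: str) -> list[str]:
    """Return the red flags found in a link that claims to come from `claimed_brand`.

    An empty list means none of the checks here fired; it is not proof of safety.
    """
    flags: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    brand = claimed_brand.lower()

    if parts.scheme not in ("http", "https"):
        flags.append(f"unusual scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        flags.append("not HTTPS")

    if not host:
        flags.append("no host in URL")
        return flags

    if parts.username is not None:
        # In "https://paypal.com@evil.example/" the browser connects to evil.example;
        # everything before '@' is treated as a username and displayed to fool the eye.
        flags.append("credentials before '@' hide the real host")

    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address")
        return flags  # no domain to compare against a brand
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) host; may be a lookalike")

    domain = registrable_domain(host)
    if domain not in KNOWN_BRANDS.get(brand, set()):
        flags.append(f"registrable domain '{domain}' is not a known {claimed_brand} domain")
        # The brand name placed in a subdomain or path is the classic disguise.
        if brand in host.replace(domain, "") or brand in parts.path.lower():
            flags.append(f"'{brand}' appears only in subdomain or path, not in the domain")
    return flags


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for link in (
        "https://www.paypal.com/signin",
        "https://paypal.com.account-verify.example/login",
        "https://paypal.com@evil.example/",
        "http://192.0.2.10/paypal/login",
    ):
        print(link, "->", inspect_link(link, "PayPal") or ["no flags"])
```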

High-profile phishing incidents

Phishing has higher stakes than your grandmother paying a fake parking ticket over the phone (as unfortunate as that is). Here are a few high-profile incidents that made national news throughout the years.

Ukrainian Power Grid Attack. In December 2015, a spear phisher gained control of a portion of Ukraine’s power grid and caused an outage for over 225,000 people. Russian hackers were suspected to be the culprits[3].

Mia Ash. Throughout 2016-2017, a state-sponsored hacker group in Iran used the fake LinkedIn and Facebook profiles of Mia Ash to spear phish high-priority targets. Posing as a British photographer, the group friended senior employees in the region’s energy, tech, and telecommunications sectors. After lengthy conversations, “Mia” would send Excel documents disguised as surveys that secretly contained malware[4].

The Walter Stephan Incident. In 2016, a major aerospace parts manufacturer, FACC, lost $47 million due to phishing. The malicious agent posed as FACC CEO, Walter Stephan, and demanded an employee transfer the enormous sum to a new account for an “acquisition project.” The project was fake, and the phisher made off with the largest known payout ever. Unsurprisingly, FACC later fired the CEO and CFO for the mishap[5].

How to prevent phishing

Never click strange links. If there’s even a passing thought of “Hmm, I wonder if I should click this,” don’t! Hackers can compromise the accounts of trusted friends and colleagues. Call or talk in person to verify if there’s a hint of fraud.

Ensure the URL is HTTPS with a lock beside it. When browsing the internet, ensure the sites you visit use HTTPS (the “S” stands for “Secure”) and that there is a lock icon to the left of the web address. This means your connection to the site is encrypted and the site’s identity has been verified by a certificate, although it does not by itself prove that the site’s owner is trustworthy. Stay away from websites still using the outdated HTTP protocol.

Use firewalls and antivirus software. Modern operating systems come standard with antivirus and firewall software. Use them and keep them updated to the most current versions. Hackers can breach older versions with known vulnerabilities, so it’s a good idea to activate their “auto-update” options.

Don’t put personal info online publicly. Spear phishers and whalers use readily available information found online to plan their attacks. This is why it’s important to consider everything you’re putting out to the world. Social media is a part of our lives, but being too transparent is dangerous. Find the right balance.

Block popups. Popups can be more than minor annoyances. Malicious ads carrying malware or cryptocurrency miners sometimes slip through legitimate ad networks and infect the devices of people who click them. Popular browsers block most popups by default, and an ad-blocking extension covers the rest. Less annoyance, less chance of a malware infection.
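The two link checks above (read where a link actually goes, and don’t treat the padlock as a verdict on the domain) can be automated for an HTML email body. The following is an added example written for this article, not code from the original post or from AXEL; it uses only Python’s standard library, and the message, the domains (reserved .example names) and the IP address in it are constructed. It flags plain HTTP, “user@host” tricks that hide the real host, punycode look-alike hosts, bare IP addresses, and visible link text that names a different domain than the link target.

```python
"""Added example: inspect the links in an HTML e-mail and flag the tricks
phishers use to make a bad destination look legitimate. Standard library only."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Good enough for .com/.net/.org; real
    code should use the Public Suffix List so that names under .co.uk work."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def inspect_link(href: str, visible: str) -> list:
    """Return human-readable warnings for one link; an empty list means clean."""
    warnings = []
    u = urlsplit(href)
    host = u.hostname or ""
    if u.scheme == "http":
        warnings.append("plain HTTP: anything typed on the page travels unencrypted")
    if u.username is not None:
        # https://www.mybank.example@evil.example/ really goes to evil.example
        warnings.append(f"userinfo '{u.username}@' placed before the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host (possible homograph of a familiar name)")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    # If the visible text itself looks like a URL or domain, it must agree
    # with where the link actually goes.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", visible.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        warnings.append(f"text shows '{m.group(1)}' but link goes to '{host}'")
    return warnings


def inspect_html(html: str) -> list:
    """Return [(href, visible_text, warnings), ...] for every link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in parser.links]


# Constructed sample. "mybаnk" below contains a Cyrillic 'а'; the IDNA encoder
# turns it into an xn-- label that renders almost exactly like the Latin name.
HOMOGRAPH_HOST = "www." + "mybаnk.example".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Your account will be suspended unless you verify it today at
<a href="http://secure.mybank.example@198.51.100.23/login">https://secure.mybank.example/login</a>
or <a href="https://{HOMOGRAPH_HOST}/">www.mybank.example</a>.
Questions? <a href="https://www.mybank.example/contact">Contact us</a>.</p>
"""

if __name__ == "__main__":
    for href, text, warnings in inspect_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for w in warnings:
            print("   !", w)
```

Run it as a script to print the findings for the sample, or call inspect_html() on a real message body. Only the third link in the sample comes back clean; the first trips four separate checks. The registrable_domain() helper is deliberately naive, and a production version should use the Public Suffix List so that names under country-code TLDs compare correctly.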

Secure your data

Phishing attacks won’t stop until they become ineffective. Hopefully, through education on the tactics phishers use, more people can protect themselves from identity theft and malware. Mistakes happen, however, and it’s challenging to account for all potential methods of attack. That’s why it’s vital to safeguard your data in other ways as well.

AXEL specializes in securing data at rest and in motion. Our file storage and sharing platform, AXEL Go, utilizes a system of decentralized servers to transfer your documents. This means there is no single point of failure like there is in a traditional server farm. It’s harder to pinpoint areas to attack in a decentralized system, and even if a particular node is compromised, we remove it from the system without affecting your files. Content can also be password protected using AES 256-bit encryption to provide an additional layer of security. The cipher itself is not the weak point; choose a strong password, and an attacker who obtains the file cannot recover anything useful from it. It’s the safest way to store and share your files. Visit axelgo.app today to learn more and sign up for a free, full-featured account with 2GB of storage.

[1] “More Than Three Billion Fake Emails are Sent Worldwide Every Day”, Security Magazine, June 11, 2019, https://www.securitymagazine.com/articles/90345-more-than-three-billion-fake-emails-are-sent-worldwide-every-day

[2] Krista Tedder, John Buzzard, “2020 Identity Fraud Study: Genesis of the Identity Fraud Crisis”, Javelin Strategy, April 7, 2020, https://www.javelinstrategy.com/coverage-area/2020-identity-fraud-study-genesis-identity-fraud-crisis

[3] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[4] Danny Palmer, “How these fake Facebook and LinkedIn profiles tricked people into friending state-backed hackers”, ZDNet, July 27, 2017, https://www.zdnet.com/article/how-these-fake-facebook-and-linkedin-profiles-tricked-people-into-friending-state-backed-hackers/

[5] Reuters Staff, “Austria’s FACC, hit by cyber fraud, fires CEO”, Reuters, May 25, 2016, https://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF


Filed Under: Cybersecurity Tagged With: cybersecurity, data privacy, data security, hackers, phishing

October 7, 2020

Ransomware: Give us back our files!

Ransomware attacks are on the rise. By 2021 they’re expected to cost companies over $20 billion per year[1]. With that kind of money at stake, it becomes evident that prevention is crucial. Let’s look into some background on ransomware and what companies can do to prevent catastrophic hacks.

What is ransomware?

Ransomware is a type of malware that has gained popularity over the past five years. The general progression of a ransomware attack goes like this:

  1. The targeted computer network is delivered a malicious payload. Most of the time this means an employee falls for a phishing scam and opens a bad link or attachment, although exposed remote-desktop services and unpatched VPN appliances are also common ways in.
  2. The malware maps out the connected drives (both local and networked) and encrypts data as it goes. Depending on the strain, the attackers may first copy the files to servers they control before encrypting them, so that they hold the data as well as the keys.
  3. The hackers contact the company to inform them about their misdeeds and demand a ransom to unlock the files. Usually, this is on a strict time limit, and the demand increases if not met promptly. If the bad actors stole the data and not just encrypted it, they also threaten to leak or sell it on the Dark Web when no payment is received.

The encryption used in ransomware attacks is practically impossible to brute force. The only exceptions are strains whose authors implemented the cryptography badly, which is where the free decryptors that occasionally appear come from. If there are no backups, or the organization doesn’t want the information leaked and sold, favorable response options are limited.

Common types of ransomware in 2020

There are many different flavors of ransomware, and all of them are disgusting. But, the most popular versions in 2020 include:

Sodinokibi. Also known as REvil, this malware comprised up to 29% of ransomware attacks this year[2]. It is run as ransomware-as-a-service (RaaS): a core group maintains the malware and the payment infrastructure, and affiliated hacker groups who break into victims split the ransoms with them. These affiliates focus on U.S. businesses and have demanded ransoms of up to $42 million. Analysts estimate the operation generated approximately $81 million in profit through September.

Maze. Here’s another RaaS. Maze made up 12% of ransomware attacks so far this year and popularized the “double extortion” model of stealing data before encrypting it, then publishing it on a leak site when victims refuse to pay. It incorporates similar tactics to Sodinokibi but, starting recently, is known to utilize a program called the Buer Loader. A loader is especially insidious: once installed on one machine, it establishes persistence and fetches and executes additional payloads on command. That gives the attackers a durable foothold from which to stage ransomware across the whole network, so the problem is never just the first infected computer.

EKANS. Let EKANS slither into your network, and you’re in for an awful time. Discovered in late 2019, it’s involved in 6% of ransomware attacks in 2020. It’s unique in that it can terminate critical processes, including some Industrial Control System (ICS) functions. This makes it very dangerous to industrial organizations that rely on automation.

Ways to prevent attacks

The best way to protect yourself from ransomware is to build a strong defense plan against it. Doing so puts you well ahead of most companies, as a recent survey concludes 77% of IT professionals feel their organizations don’t have consistent response plans[3]. Here are our top six tips:

Maintain current offline backups. It may be a pain to set up redundant backup storage, but it’s well worth the effort. Back up your important files regularly to media that are disconnected from the network once the job completes, because ransomware operators deliberately hunt for and destroy any backups they can reach before they encrypt. Test a restore periodically; a backup you have never restored is an assumption, not a plan. Good backups let you wipe infected systems and reload your data onto clean drives, which blunts many attacks on its own, although if the hackers also stole the data and threaten to sell it online, you still have problems.

Implement quarterly phishing training. As previously stated, phishing is responsible for the majority of data breaches. It’s doubtful you will prevent all phishing, but providing the proper training will help. Employees should take mandatory quarterly classes that inform them about new phishing techniques and how to spot fraudulent communications.

Test the system to find weaknesses. We recommend frequent penetration tests from internal or third-party experts. Consider penetration testers ethical hackers. They will poke and prod your network to expose vulnerabilities. Once they are known, your company can fix the issues and solidify your defenses against the unethical hackers out there.

Monitor file systems and mail servers to pinpoint suspicious activity. With recent advances in AI solutions, monitoring network traffic is easier than ever. Block unknown or suspicious connections immediately. You can always unblock connections after they are confirmed safe. On the file-system side, the tell-tale signs are one process rewriting or renaming large numbers of files within seconds, and commands that delete volume shadow copies or disable recovery tooling. Email is the primary attack vector for phishing, so ensure that you monitor it sufficiently as well.
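Step 2 of the attack progression described earlier and the file-system monitoring tip above describe the same observable: one process rewriting many files with ciphertext-like content in a short time. The following added example (not from the original post and not an AXEL product) implements that detection over a constructed list of file-write events, combining a byte-entropy test with a per-process sliding time window. The extension list and the thresholds are illustrative assumptions.

```python
"""Added example: detect the file-system signature of a ransomware run, a
single process rewriting many files with encrypted-looking content."""
import hashlib
import math
from collections import defaultdict

# Extensions ransomware families commonly append to encrypted files
# (illustrative, not exhaustive).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
BURST_THRESHOLD = 5       # suspicious writes by one process ...
WINDOW_SECONDS = 10.0     # ... within this many seconds


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Compressed or already-encrypted formats (zip, jpg, pdf streams) also
    score high, so this alone is a hint, not a verdict."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def has_suspect_extension(path: str) -> bool:
    return any(path.lower().endswith(ext) for ext in SUSPECT_EXTENSIONS)


def detect_bursts(events) -> list:
    """events: (timestamp_seconds, process_name, path, new_content) tuples.
    Returns one alert per offending process:
    (process, first_ts, last_ts, [paths in the first burst])."""
    suspicious = defaultdict(list)
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if looks_encrypted(data) or has_suspect_extension(path):
            suspicious[proc].append((ts, path))
    alerts = []
    for proc, hits in suspicious.items():
        start = 0
        for end in range(len(hits)):          # sliding time window
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append((proc, hits[start][0], hits[end][0],
                               [p for _, p in hits[start:end + 1]]))
                break
    return alerts


def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample: one legitimate save, then a burst of eight rewrites by
# an unfamiliar process, each with ciphertext-like content and a new extension.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\alice\Documents\q3-report.docx",
     b"Quarterly revenue grew 4 percent over the prior period. " * 60),
] + [
    (1.0 + i * 0.3, "updater.exe",
     rf"C:\Users\alice\Documents\sheet{i}.xlsx.locked", pseudo_ciphertext(i))
    for i in range(8)
]


def run_sample() -> list:
    return detect_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for proc, first, last, paths in run_sample():
        print(f"ALERT {proc}: {len(paths)} encrypted-looking writes "
              f"between t={first}s and t={last}s")
```

Entropy alone is a weak signal, because compressed and already-encrypted formats also score near 8 bits per byte; the burst rate and the renamed extensions are what make the alert worth acting on. In a real deployment the events would come from an EDR agent, Sysmon, or auditd rather than a Python list, and the response to an alert would be to suspend the process and isolate the host, not just to print.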

Use up-to-date, patched antivirus software. Antivirus programs are critical defenses against ransomware, but you should update them frequently to their current versions. Hackers continuously attempt to find new exploits that can go undetected by older software. They also develop new ransomware to evade antivirus programs. Be as safe as possible by keeping things patched.

Do not pay ransoms. This advice may not seem preventative, but it is in the longer term. If you ever do get attacked, we recommend not paying the ransom unless absolutely necessary. Paying criminals puts a bigger target on you for other cyber thieves in the future, and depending on who is behind the attack, a payment can also expose you to sanctions liability. Furthermore, if businesses worldwide stopped paying altogether, the market would dry up, and the malicious actors would have no incentive to keep trying. We understand that not all circumstances are created equal, but as a general rule, you should not negotiate with crooks. Can you even trust them to do what they say they’ll do after you pay the ransom? Think about it.

What to do if successfully attacked

Nobody wants to boot up their computer to find a ransom demand. However, there are steps you should take if you ever find yourself in this unenviable position, such as:

Isolate infected computers. Figure out which machines have encrypted data and map their network connections. Then disconnect the affected computers as soon as possible: pull the network cable or disable Wi-Fi rather than powering them off, which stops the spread while preserving memory and logs for investigators. Many ransomware strains spread to reachable network shares and neighboring machines, so you want to quarantine them quickly.

Identify the type of ransomware. Hopefully, the malware is known and documented. If it’s older, its keys may have leaked or its cryptography may have been broken; projects such as No More Ransom collect free decryptors for such strains and can identify one from a ransom note or an encrypted sample. In these lucky cases, you can decrypt your data without paying a dime. Even if that isn’t the situation, you still want to know exactly which ransomware is infecting your system, because it tells you how it spreads and whether it steals data before encrypting.

Talk to law enforcement. Contact your local authorities, or if it’s a more considerable ransom, federal law enforcement. Federal agencies especially may have access to common decryption keys and can give more information about the perpetrators’ tactics.

Wipe infected drives and install recent backup data or recover data from damaged drives. Before wiping, take a forensic image of at least one affected machine and make sure the original entry point is closed, or the restored systems will simply be encrypted again. Organizations with reliable backups should then wipe the compromised drives and reinstall their most current data. Those without backups may have to use specialized IT firms to recover information from damaged and cleaned drives.

Conclusion

To protect your company from ransomware, you need to have robust security and threat response strategies. New file storage solutions like AXEL Go should play a part as well. AXEL Go uses the decentralized AXEL Network to store and transfer files. Instead of holding data on a central server farm, the information gets spread around a vast collection of network participants (Masternodes). This results in data storage without a single point of failure. Even if a particular server gets compromised, your data has redundant backups throughout the world. It makes for a much more secure way to store sensitive information. Visit axelgo.app to learn more about this exciting technology.

[1] Steve Morgan, “Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021”, Cybercrime Magazine, June 10, 2019, https://cybersecurityventures.com/cybersecurity-market-report/

[2] Camille Singleton, Christopher Kiefer, Ole Villadsen, “Ransomware 2020: Attack Trends Affecting Organizations Worldwide”, Security Intelligence, Sept. 28, 2020, https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

[3] “IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them”, IBM News Room, April 11, 2019, https://newsroom.ibm.com/2019-04-11-IBM-Study-More-Than-Half-of-Organizations-with-Cybersecurity-Incident-Response-Plans-Fail-to-Test-Them


Filed Under: Cybersecurity Tagged With: cybersecurity, hackers, hacks, malware, ransomware

October 7, 2020

Think Twice Before Using Email Attachments

Even with the increase in digital communication options nowadays, email continues to be very popular. It may not be the flashiest way to reach out, but over four billion people[1] know it gets the job done.

Unfortunately, however, there is a dark side to this ubiquitous messaging system. And no, it isn’t your mother’s chain letters about the horrible things that will happen to you if you don’t forward them to 10 friends. Somehow, it’s even worse. It is not to say you should stop using email; you just need to use it more intelligently. And that means stop using attachments!

Best reasons to stop sending attachments

Email attachments are dangerous for many reasons, especially if you send or receive sensitive documents.

Significant security risks. 90% of successful cybersecurity incidents take place through email[2]. The vast majority of these get delivered via attachments. In many cases, hackers employ phishing techniques to gain access to susceptible systems.

“Phishing” is when a malicious email looks legitimate. Bad actors research your company or acquaintances and send a phony email disguised as being from someone you trust. Usually, this will include an infected payload as an attachment that they ask you to open. Those not careful or inherently suspicious click it and potentially compromise the entire network. Hackers use phishing in combination with the following kinds of malicious payloads to achieve their malevolent purposes:

  • Ransomware. Open the wrong attachment, and you could cost your company some serious money. Ransomware is malware that maps attached storage drives and encrypts their data. The drives can’t be decrypted unless the business pays a hefty ransom to the attackers. The estimated average payout for a successful ransomware attack is over $110K in 2020[3], with high-profile incidents fetching multimillion-dollar sums.
  • Zero-day exploits. Zero-day vulnerabilities are security holes in software that the developers do not yet know about, so no patch exists. Hackers are crafty and find bugs to exploit that nobody else has considered. Obviously, they aren’t going to run and tell the developer about these flaws, so they only become known after an attack. If an attachment exploits a zero-day in your document viewer or mail client, simply opening it can hand the attacker complete control of your computer.
  • Keyloggers. When criminals want to steal employee credentials, they turn to keyloggers. Keyloggers are programs that record every keystroke to a file and transmit it back to the hacker. If you log in to any of your accounts during this time, the bad actor now has the same credentials. This can be extremely damaging if the malicious agent targets a high-level executive. However, even if the victim is a low-level employee, the information gained from their account is useful for future phishing attacks.

Loss of confidentiality. Never use an attachment to transfer confidential material. While most people think of data breaches as being hacks, it’s a more encompassing term. Let’s say you send an email to a colleague containing privileged company financial information. That document is now out of your control.

The employee’s computer could become compromised, or the employee may be disgruntled and distribute it elsewhere. The point is, you cannot track the attachment after you send the email. This means you can never be sure anything sent in an attachment is secure.

Lack of flexibility. Sometimes, the file you want to send is too large to attach. Many email clients have strict maximum attachment sizes. Why deal with this hassle in the first place? Even if you can send large attachments, it’s a good possibility they won’t go through. Many spam filters or malware detectors flag bigger documents. There’s also a chance their email provider blacklists you and prevents future emails! Save yourself the headaches.

Sender’s remorse. You send off important documentation in an attachment only to realize later that you accidentally CC’ed Brian Stahl, a personal contact, rather than Brian Stalder, your CFO. We’ve all been there. Unfortunately, since you used email, you’re out of luck. Better hope Mr. Stahl is a stand-up guy!

Then, there’s the case of attaching the wrong file. MayEarningsStatement.xls looks so similar to MaysBirthdaySurprise.pdf. You’re busy, and sometimes busy people make mistakes. It shouldn’t be a big deal, but the irrevocability of attachments makes it a big deal.

Steps to improve security

We don’t recommend ever sending attachments, honestly. If you must, however, there are some steps you can take to make it a bit safer.

Authenticate the sender or recipient. Many phishing attempts come from addresses that look similar to trusted ones but are slightly different, and the display name your mail client shows can be set to anything at all. Before opening any attachment (or sending one), check the actual address, including the exact spelling of the domain, not just the name displayed.

Never open unsolicited email attachments. If you receive an email attachment out of the blue, even from a valid email address, call the person to confirm it’s legitimate. You never know if a cyber attack compromised their account.

Save and scan. Do not open email attachments directly from your inbox. Save them to your drive and scan them with antivirus software beforehand. It isn’t foolproof, since targeted or brand-new samples can slip past, but modern antivirus programs will catch the majority of commodity malware. If a document then asks you to “Enable Content” or “Enable Macros” to view it, stop: that prompt is how most malicious Office attachments get their payload running.

Turn off automatic downloads. Many popular email clients do not offer automatic attachment downloads these days, but if you run custom or older clients, it’s something to consider. Check your settings to make sure you do not automatically download attachments.
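The sender check and the save-and-scan step above can be turned into a triage pass that runs before anyone double-clicks anything. The following added example (written for this article; not the original post’s code and not part of AXEL Go) parses a message with Python’s standard email module, flags a display name or Reply-To that points at a domain other than the sender’s, and classifies each attachment as block, quarantine or scan, looking inside zip archives and OOXML documents for executables and macro projects. The sample message, its addresses (reserved .example names) and the attachment contents are all constructed.

```python
"""Added example: triage an e-mail before anyone opens its attachments.
Flags look-alike sender fields and classifies each attachment by what it
could do when opened. Standard library only."""
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",  # run code
                   ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".img", ".msi"}  # when opened
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}  # extensions that announce macros


def _domain(addr: str) -> str:
    m = re.search(r"@([a-z0-9.-]+)", addr.lower())
    return m.group(1) if m else ""


def sender_warnings(msg) -> list:
    """Display name embedding an address on another domain, or a Reply-To elsewhere."""
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(addr)
    warnings = []
    if _domain(name) and _domain(name) != from_domain:
        warnings.append(f"display name shows {_domain(name)} but sender is {addr}")
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        warnings.append(f"Reply-To {reply_to} is not on the sender's domain")
    return warnings


def zip_members(data: bytes):
    """Member names of a zip archive, or None if the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return None


def has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a macro project is */vbaProject.bin, whatever the extension says."""
    names = zip_members(data) or []
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def classify_attachment(filename: str, data: bytes) -> str:
    """'block' (runs code), 'quarantine' (human or sandbox first), 'scan' (antivirus, then open)."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTS:                     # also catches invoice.pdf.exe
        return "block"
    if ext == ".zip":
        members = zip_members(data)
        if members is None:
            return "quarantine"                    # corrupt, or not really a zip
        if any(classify_attachment(m, b"") == "block" for m in members):
            return "block"                         # executable hidden in archive
        return "quarantine"                        # archives always get a look
    if ext in MACRO_EXTS or has_vba_project(data):
        return "quarantine"                        # macro document, any extension
    return "scan"


def triage_message(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        attachments.append((name, classify_attachment(name, data)))
    return {"sender": sender_warnings(msg), "attachments": attachments}


def make_ooxml(with_macro: bool) -> bytes:
    """Minimal stand-in for a Word document (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> str:
    """Constructed sample: spoofed CFO, macro document, zipped executable, plain PDF."""
    msg = EmailMessage()
    msg["From"] = '"Brian Stalder cfo@company.example" <b.stalder@company-example.net>'
    msg["Reply-To"] = "accounts@free-mail.example"
    msg["Subject"] = "Urgent: May earnings statement"
    msg.set_content("Please review the attached statement before the call.")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="MayEarningsStatement.docm")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 64)
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_string()
```

Calling triage_message(build_sample_message()) returns two sender warnings and one verdict per attachment: the .docm is quarantined, the zip is blocked because it hides a double-extension executable, and the PDF goes to the scanner. Note that classify_attachment() also quarantines a .docx that contains a vbaProject.bin, which is how macro documents are routinely smuggled past extension-only filters. Archives whose members look harmless are still quarantined rather than passed, since their contents are not inspected here beyond the file names.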

A better way

Hopefully, you understand why you should be wary of email attachments. There are very few benefits and severe risks in ignoring this advice. So, how should you be sending and receiving confidential files? We recommend AXEL Go.

AXEL Go is a secure way to share and store information online. There are no file size limits, so you can send anything you want. More importantly, it provides industry-leading security options to safeguard you against data breaches and cyber-attacks.

With AXEL Go, you’re always in control. You set the expiration dates of your shared files and can prevent recipients from downloading them. This means if you don’t want sensitive documents sitting around on other peoples’ computers, it’s not a problem!  Combined with optional AES 256-bit password encryption, you can trust that important content stays confidential.

To make things even more secure, AXEL Go operates on the InterPlanetary File System (IPFS). It is a decentralized network with servers called nodes that function throughout the world. Files shared on this network are divided into small chunks and distributed to these nodes. It results in a system without a single point of failure. Traditionally, if the server farm holding your documents was under attack, your files were at risk. With IPFS, this isn’t the case. It’s the future of the internet, and AXEL Go runs on one of the largest IPFS networks in the world.

And finally, AXEL Go has full blockchain integration. Blockchain technology is a distributed ledger system where information is unchangeable once written to a block. While our blockchain doesn’t store your files, it does hold transactional details. So every time you share something, that data is timestamped to a block. This is an excellent feature for professionals, as it gives them a tamper-evident, timestamped record that time-sensitive content was sent.

Download today

These capabilities highlight why AXEL Go is the safer, objectively better alternative to email attachments. You can sign up for a free, full-featured Basic account and receive 2GB of storage to try it out for yourself. Download AXEL Go today for desktops or mobile devices and see why email attachments are a thing of the past.

[1] J. Clement, “Number of e-mail users worldwide from 2017 to 2024”, statista.com, Mar. 25, 2020, https://www.statista.com/statistics/255080/number-of-e-mail-users-worldwide/

[2] “Report unveils most vulnerable sectors to phishing attacks”, Security Magazine, Sept. 14, 2020, https://www.securitymagazine.com/articles/93347-report-unveils-most-vulnerable-sectors-to-phishing-attacks

[3] Mathew J. Schwartz, “Ransomware: Average Business Payout Surges to $111,605”, bankinfosecurity.com, April 30, 2020, https://www.bankinfosecurity.com/ransomware-average-business-payout-surges-to-111605-a-14205


Filed Under: Cybersecurity Tagged With: cybersecurity, data privacy, data protection, email attachment, secure file transfer
