What’s the No. 1 most unpleasant pain in the xxx thorn in the side of the modern-day cyber-world in terms of damage, evil sophistication, and headline-grabbing the world over? Can you guess?…

Ah, the title of this post may have given it away, but yes, of course, it’s ransomware (aka cryptomalware, but I’ll stick with the simpler, less tongue-twisting, and professional term ‘ransomware’).

So: ransomware. Bad. How bad?…

Well, it’s actually so bad, and has been so consistently bad for years, so deeply embedded in all things digital, and has so overwhelmed so many large organizations (even indirectly being followed by human deaths), which (large organizations) have forked out so much money to pay ransoms for, that the world’s news media has become almost indifferent to it. It’s stopped being headline news, having been transformed into an every-day casual event. And that’s what’s most worrying of all: it means the cyber-scumbags (apologies for such a strong language, but it’s really the best way to describe these folks) are winning; cyber-extortion is becoming a seemingly inevitable reality of today’s digital world and it seems there’s nothing can be done about it.

And they’re winning for three reasons:

Third (I’ll start at the end): the ‘big boys’ are still playing their schoolyard geopolitical games, which blocks national cyber-polices exchanging operational information for coordinated searching, catching, arresting and charging of ransomware operators.

Second: users aren’t prepared – resilient – enough to respond to such attacks.

And first (most important): not all washing powders are the same anti-ransomware technologies are equally effective – by a long way.

Often, ‘on the tin’, anti-ransomware technologies featured in cybersecurity solutions are claimed to be effective. But in practice they don’t quite do exactly what it says on the tin, or – if they do, consistently. And what does this mean? That users are scandalously unprotected against very professional, technically sophisticated ransomware attacks.

But don’t just take my word for it. Check what the trusted German testing institute – AV-TEST – say. They’ve just published complex research on the ability of cybersecurity products to tackle ransomware. They paid no attention whatsover to marketing claims (à la ‘this deodorant is guaranteed to last for 48 hours’), and didn’t just use widely-know in-the-wild ransomware samples. They besieged several of the top cybersecurity solutions in real ‘battlefield’ conditions, firing at them all sorts of live-ammunition ransomware artillery that’s actually out there today. As mentioned, no in-the-wild samples, but those technically capable of weaponizing a ransomware attack. And what did they find? On the whole – something thoroughly shocking and scary:

Read on…

Personal experience, plus what I’m told by other clever folks, has taught me to treat with much skepticism any predictions regarding the future given by so-called experts – in fact all kinds of prognoses and prophesies about this, that and the other. Although I tend to share this view, I have to make an exception for the predictions of one single person in particular: me! Why? Because, unfortunately, those predictions normally come true…

Ten years ago, when we chose industrial cybersecurity as one of our new main areas for development of the company, attacks on industrial equipment were largely deemed hype and/or something out of Hollywood, or at least limited to relatively few specific enterprises; for example, ones like this. But since the beginning of the 2010s I’ve been repeating (ad nauseam!) that, sooner or later, attacks on industrial installations will go mainstream and become massive in scale, and that modern industrial security is sadly very lacking in its ability to cope with the realities of the digital world.

Today, attacks on industrial objects are becoming a daily – very expensive – reality. We’ve already seen how a ransomware-cyberattack on a mere office network of large pipeline can bring about a short-term rise in the price of gasoline in the U.S.A. So imagine how much more costly attacks on industrial components of critical infrastructure operators could be. And it’s not just a matter of financial losses incurred by targeted companies caused by their compelled down time – there’s also the hit taken by all the consumers of the companies’ products and services, which can be painful for regional economies and even national ones.

Read on…

Hi folks!

Herewith – a brief interlude to my ongoing meandering Tales from the Permafrost Side. And what better interlude could there be than an update on a momentous new K-product launch?!

Drum roll, cymbal!…

We’re launching and officially presenting to the world our first fully ‘cyber-immune’ solution for processing industrial data – the death knell for traditional cybersecurity heralding in a new era of ‘cyber immunity’ – at least (for now) for industrial systems and the Internet of Things (IoT)!

So, where is this cyber-immune solution? Actually – in my pocket! ->

Read on…

Sometimes, reading an article about what to do in case of a ransomware attack, I come across words like: ‘Think about paying up’. It’s then when I sigh, exhale with puffed-out cheeks… and close the browser tab. Why? Because you should never pay extortionists! And not only because if you did you’d be supporting criminal activity. There are other reasons. Let me go over them here.

First, you’re sponsoring malware development

Read on…

Phew. Thank goodness it’s over. The ghastliest year known to most of us ever – finally done, dusted, finito, fertig. Let’s just hope, as many folks are repeating: ‘2021 will be better; it can’t be worse, surely?!’

For a good 10 months of last year practically the whole world was in a permanent state of shock. And I don’t just mean the world’s population; private business and national economies were also hit incredibly hard. Alas, one field that hasn’t been affected badly at all – in fact it has only benefitted from the pandemic, greatly – is cybercrime. Folks locked down and working from home and spending much more time online meant there were many more potential cybercrime victims ripe for the hacking. And not just individual users, but also companies: with employees working from home, many corporate networks came under attack as they weren’t sufficiently protected since, in the rush to get everyone working remotely quickly in the spring, security wasn’t given priority. In short, the whole world’s digital status quo was also badly shaken up by this vicious virus from hell.

As a result of the rise in cybercrime – in particular that targeting vulnerable corporate networks – the cybersecurity sector has been busier than ever. Yes – that includes us! 2020 for us as a Kompany turned out to be most productive. For example, the number of new versions of our solutions launched throughout the year was most impressive – especially in the enterprise sector.

We’ve also had new versions in our industrial cybersecurity solutions line up, one of which is what I want to talk about today – some teKh known as MLAD. Not to be confused with online funny-video sites, or MLAD that’s short for Minimum Local Analgesic Dose, or MLAD that’s short for Mid Left Anterior Descending artery, our MLAD is short for Machine Learning for Anomaly Detection.

If you’re a regular reader of our blogs, you may recall something about this tech of ours. Maybe not. Anyway – here’s a refresher/into, just in case…

Our MLAD is a system that uses machine learning to analyze telemetry data from industrial installations to pinpoint anomalies, attacks or breakdowns.

Let’s say you have a factory with thousands of sensors installed throughout – some measuring pressure, some temperature, others – whatever else. Each sensor generates a constant flow of information. An employee keeping track of all those flows is fairly impossible, but for machine learning – it’s a walk in the park. Having preliminarily trained up a neuro network, MLAD can, based on direct or indirect correlations, detect that something’s wrong in a certain section of the factory. In doing so, million or multimillion-dollar damages caused by potential incidents not nipped in the bud can be avoided.

Ok – that’s the overall idea of what MLAD does. Let me now try and relate the granular scale of the analysis MLAD accomplishes using a medical metaphor…
Read on: MLAD

Normally, my work schedule is made up of all sorts of meetings, press interviews, taking part in exhibitions, speaking at conferences all over the globe. Normally. Not this year, darn it!

Now, some of the events I get to are one-offs. Some are regular, recurring ones (mostly annual) but to which I get only once in a while. While there are some recurring events that I deem simply must-attend. And one of my main must-attends every fall or early winter is the World Internet Conference in Wuzhen, organized by the Cyberspace Administration of China, which I’ve participated in every year (up to 2019, that is) since 2015 – just a year after it’s ‘inauguration’ a year earlier. This year, alas – no traditional trip to eastern China; however, much like here at K, not being able to be present in-person does not mean a big and important event can’t still go on. Which is great news, as this means I can still get what I want to say across to: the main players of the Chinese internet – state regulators, heads of provinces and regional development institutes, and also bosses of the Chinese big tech companies; and all from a huge screen – perhaps the biggest I’ve ever seen!

Sure, it would have been nice to be there in person – to stroll around the quaint cobbled narrow streets of the old ancient town (as old as the Tang dynasty, apparently) and take a boat ride along its canals, which indeed some folks did manage to do, somehow. But I was playing it safe. Still, the plentiful ‘in-person’ activity at the venue is at least cause for optimism during these remote-everything times.

But now for the main thing: about Wuzhen superstition…

Read on…

For a few weeks already, this here mysterious, shiny, clearly hi-tech, futuristo device has been complementing the minimalistic office furniture of my corner office at our HQ. It’s so shiny and fancy and slick and post-modern that whenever I get a visitor – which is not often of late due to our general WFH-policy – it’s the first thing they notice, and the first question is always, simply, obviously – ‘what is that?!’ ->

Is it a bird, is it a plane, is it a camera (on a tripod), is it a gun, is it some kind of scanner? Warmer, warmer!…

But before I tell you – quick digression!…

Read on…

A year ago I addressed cybersecurity specialists to let them know about a new tool we’d developed – our Open Threat Intelligence Portal (OpenTIP). Tools for analysis of complex threats (or merely suspicious objects) – the very same ones used by our famous cyber-ninjas in GReAT – became accessible to anyone who wanted to use them. And use them lots of folks wanted – testing zillions of files every month.

But in just a year a lot has changed. Things have become much more difficult for cybersecurity experts due to practically the whole world having to work remotely because of coronavirus. Maintaining the security of corporate networks has become a hundred times more troublesome. Time, which was precious enough as it was before corona, has become a highly precious resource. And today the most common request we get from our more sophisticated users is simple and direct: ‘Please give us API access and increase rate limits!’

You asked. We delivered…

In the new version of OpenTIP there’s now user registration available. And I highly recommend regular visitors do register, since when you do a large chunk of the paid Threat Intelligence Portal turns up out of the ether.

Read on…

First: brief backgrounder…

On September 10, the ransomware-malware DoppelPaymer encrypted 30 servers of a hospital in the German city of Dusseldorf, due to which throughput of sick patients fell dramatically. A week ago, due to this fall, the hospital wasn’t able to accept a patient who was in need of an urgent operation, and had to send her to a hospital in a neighboring city. She died on the way. It was the first known case of loss of human life as a result of a ransomware attack.

A very sad case indeed – especially when you look closer: there was the fatal ‘accident’ itself (presuming the attackers didn’t foresee a fatality caused by their ghastly actions); there was also a clear neglect of the following of basic rules of cybersecurity hygiene; and there was also an inability on the part of the law enforcement authorities to successfully counter the organized criminals involved.

The hackers attacked the hospital’s network via a vulnerability (aka Shitrix) on the Citrix Netscaler servers, which was patched as far back as January. It appears that the system administrators waited way too long before finally getting round to installing the patch, and in the meantime the bad guys were able to penetrate the network and install a backdoor.

Up to here – that’s all fact. From here on in: conjecture that can’t be confirmed – but which does look somewhat likely…

It can’t be ruled out that after some time access to the backdoor was sold to other hackers on underground forums as ‘access to a backdoor at a university’. The attack indeed was initially aimed at the nearby Heinrich Heine University. It was this university that was specified in the extortionists’ email demanding a ransom for the return of the data they’d encrypted. When the hackers found out that it was a hospital – not a university – they were quick to hand it all the encryption keys (and then they disappeared). It looks like Trojan’ed hospitals aren’t all that attractive to cybercriminals – they’re deemed assets that are too ‘toxic’ (as has been demonstrated in the worst – mortal – way).

It’s likely that the Russian-speaking Evil Corp hacker group is behind DoppelPaymer, a group with dozens of other high-profile hacks and shakedowns (including on Garmin‘s network) to its name. In 2019 the US government issued a indictment for individuals involved in Evil Corp, and offered a reward of five million dollars for help in catching them. What’s curious is that the identities of the criminals are known, and up until recently they’d been swaggering about and showing off their blingy gangster-style lifestyles – including on social media.

Source

What’s the world come to? There’s so much wrong here. First, there’s the fact that hospitals are suffering at the hands of ransomware hackers in the first place – even though, at least in this deadly case in Dusseldorf, it looks like it was a case of mistaken identity (hospital – not a university). Second, there’s the fact that universities are being targeted (often to steal research data – including COVID-19 related). But here’s my ‘third’ – from the cybersecurity angle…

How can a hospital be so careless? Not patching a vulnerability on time – leaving the door wide open for cyber-scum to walk right through it and backdoor everything? How many times have we repeated that FreeBSD (which is what Netscaler works on) is in no way a guarantee of security, and in fact is just the opposite: a cybersecurity expert’s faux ami? This operating system is far from being immune and has weaknesses that can be used in sophisticated cyberattacks. And then of course there’s the fact that such a critical institution as a hospital (also infrastructural organizations), need to have multi-level protection, where each level backs up the others: if the hospital had had reliable protection installed on its network the hackers would probably never have managed to pull off what they did.

The German police are now investigating the chain of events that led up to the death of the patient. And I hope that the German authorities will turn to those of Russia with a formal request for cooperation in detaining the criminals involved.

See, for police to open a criminal case, a formal statement/request or subject matter of a crime committed needs to be presented at the very least. This or that article in the press or some other kind of non-formal comments or announcement aren’t recognized by the legal system. No formal request – no case. Otherwise attorneys would easily cause the case to collapse in the blink of an eye. However, if there is what looks like credible evidence of a crime committed, there’s an inter-governmental interaction procedure in place that needs to be followed. OTT-formal: yes; but that’s ‘just the way it is’. Governments need to get past their political prejudices and act together. Folks are dying already – and while international cooperation is largely frozen by geopolitics, cybercriminals will keep on reaching new heights lows of depraved actions against humanity.

UPD: The first step toward reinstating cooperation in cybersecurity has been taken. Fingers crossed…

Btw: Have you noticed how there’s hardly ever any news of successful attacks by ransomware hackers against Russian organizations? Have you ever wondered why? I personally won’t entertain for a moment the silly conspiracy theories about these hackers working for Russian secret services – as there are many ransomware groups around the world. Here’s why, IMHO: Because most Russian companies are protected by good quality cyber-protection, and soon they will be protected by a cyber-immune operating system – yep, that very protection that’s been banned for use in U.S. state institutions. Go figure.

UPD2: Just yesterday a ransomware attack was reported on one of America’s largest hospital chains, UHS: its computers – which serve ~250 facilities across the whole country – were shut down, which led to cancelled surguries, diverted ambulances, and patient registrations having to be completed oin paper. There are no further details as yet…

A few days ago, a momentous, landmark event took place. It was in a seaside city – a ‘regular’ one, where it gets dark of a night (unlike others I can think of:) ->

The momentous event was – drum roll, cymbal…….. our first post-quarantine conference! In sunny ~Sochi!

And here’s my first post-quarantine event badge! ->

View this post on Instagram

Первый "пост-карантинный" бэджик! Причём с нашей конференции по промышленной кибербезопасности в Сочи. Считаю это – знак :) —8<— My first after-lockdown business badge. This one is from our recent conference on industrial cybersecurity in Sochi. I guess this is a sign :)

A post shared by Eugene Kaspersky ⚕️ (@e_kaspersky) on Sep 7, 2020 at 10:53am PDT

Read on…