
Ransomware goes postal: US healthcare firms receive fake extortion letters – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Fraudsters reportedly demanded up to $350,000 to keep quiet about a fictitious data breach, but how can CSOs tell fake attacks from real ones in cybercrime's hall of mirrors?

In late February, healthcare organizations across the US started receiving extortion demands by mail claiming that their organization’s data had been stolen in a ransomware attack and giving them 10 days to respond.

According to the letters, printed on paper and delivered in envelopes purporting to be from the BianLian ransomware group, the data would be leaked unless the organization paid a ransom of between $250,000 and $350,000 in Bitcoin.

Now for the good news: the breaches never happened, and the letters are almost certainly fake. Two security vendors that have studied the letters, Arctic Wolf and Guidepoint Security, now believe that the whole letter-writing campaign is a ruse by someone pretending to be BianLian, one of the ransomware industry’s up-and-coming threat groups.

The strange incident, aimed at healthcare organizations, is a reminder that ransomware today is really two industries: a larger one that carries out the serious ransomware attacks everyone hears about, and a much smaller, less publicized one that tries to impersonate it.

But how can organizations distinguish a genuine extortion attempt from an entirely simulated one?

Judging from published examples, not easily, at least for a non-expert. The letters had Boston postmarks and a city center return address, links to Tor data leak sites associated with BianLian and, in two cases, an example of what was claimed to be a compromised password.

“We are not a politically motivated group and we want nothing more than money. Our industry only works if we hold up our end of the bargain,” stated the attackers in a letter analyzed by Guidepoint Security.

“If you follow our instructions and pay the full requested amount on time, all of your company’s data will be permanently destroyed and none of it will ever be published,” the letter continued.

Something phishy

One clue that something is amiss is simply that the attackers chose a letter to communicate. There is no record of organized ransomware groups such as BianLian using this tactic before, and for good reason: sending demands by post is slow and gives the sender no certainty that the demand was received.

Letters sent to different organizations were also identical to one another, Arctic Wolf noted, apart from small variations tailoring the text to each recipient. This is the same pattern seen in mass email scams and smacks of opportunism. The senders also refused to negotiate and offered no channel for doing so. In ransomware circles, that is almost unheard of.

That said, sending demands by letter does have one useful characteristic: they won't be filtered by spam systems, which makes them more likely to be read by someone. It is a form of social engineering that plays the odds: if even one company in a thousand falls for the tactic, the payday makes the effort worthwhile.

If stolen credit cards are used to pay the postage, the campaign is probably cheap or even free to run, with the letters themselves sent via print-to-mail services that feed them into the US Postal Service.

Phantom extortion

Ransomware impersonation is nothing new. In 2019, organizations across the US reportedly received emails deploying the same fake breach modus operandi as the recent letter writers – ‘pay up now because we have your data’. In truth, such campaigns are probably commonplace but are dismissed as obvious ruses and rarely reported on.

However, by 2023 the tactic had evolved into something more sophisticated, with a separate campaign backing up its bogus threats by attaching snippets of genuine data culled from dark web trawls. This raises a disturbing possibility: the organization has been breached, but the group threatening it is not the one that carried out the attack.

The underlying question is how organizations should defend themselves, in practical terms, against yet another fraud tactic.

“Attacks like this are unlikely to succeed in the majority of cases, but the perpetrators only have to have a small number of victims fall for it for it to be a big pay day for them,” cybersecurity expert Graham Cluley said via email.

Developing defenses

The first line of defense against this type of attack is simply to develop a process to deal with it, he said. Incidents like this should be reported internally to increase awareness of the scammers’ techniques. At the same time, every ransom threat should be reported to the IT team as well as to the security companies supporting the organization.

Attackers typically include evidence that data has been exfiltrated, in the form of samples of genuine data. However, organizations need to be careful they aren't being tricked:

“These protocols include verifying the authenticity of any ransom demands. It is important to establish whether that data could have been stolen in an earlier data breach or may have been collected from a different third-party source,” said Cluley.

Cluley also stressed the need for organizations to have a response plan that could assess the possibility of a breach itself while engaging with law enforcement.

“There should be named members of staff in your plan who coordinate communications with any potential extortionist, who ensure that all relevant departments are involved in any important decisions. Make sure that you engage with law enforcement. If you have received a fake ransom snail-mail, chances are that other businesses have as well,” said Cluley.

Ransom demands are always designed for their shock value, agreed John Shier, Field CISO at security vendor Sophos. Sending a demand by letter was unusual but that might be the point.

“Teams need to bring awareness of this latest scam to their leadership. If an organization receives a letter, they shouldn’t panic, but they still need to investigate if there is any basis to the claim,” he said.

“At the very least, companies should review network logs for any unauthorized access and large data transfers that don’t conform to normal patterns. While it appears that the letters are fake, some basic due diligence needs to be performed to rule out a data breach,” he said.
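The two checks described above, verifying whether the letter's "proof" credential could have come from an earlier breach (Cluley) and looking for bulk egress in the network logs (Shier), can be scripted. The following is an added example written for this page, not code from the article, from either expert, or from any vendor named here. It assumes a simple whitespace-separated flow log format (timestamp, source, destination, bytes), a prior-breach corpus represented as SHA-1 password hashes, and the outlier thresholds given as defaults; all sample data is constructed.

```python
"""Triage helpers for an unverified extortion demand (example, not from the article).

Check 1: does the password quoted as 'proof' already appear in an earlier,
known breach corpus? If so, it proves nothing about a new breach.
Check 2: do the flow logs show an external egress spike for any host that
is out of line with that host's normal daily volume?
All inputs are constructed sample data.
"""
import hashlib
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# --- Check 1: credential from a prior breach? ---

# Constructed stand-in for a prior-breach corpus, stored as upper-case SHA-1
# hex digests (the form most breach-checking services publish).
KNOWN_BREACH_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Winter2019!", "Password123", "hospital2021")
}


def credential_from_prior_breach(password: str) -> bool:
    """True if the quoted password matches a hash in the prior-breach corpus.

    A hit means the sample could have been lifted from an old dump rather
    than obtained in a fresh intrusion, exactly the ruse the article describes.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in KNOWN_BREACH_HASHES


# --- Check 2: bulk egress in the flow logs? ---

# Constructed flow records: "<ISO timestamp> <src> <dst> <bytes src->dst>".
# Addresses are made up for the example; 10.20.x.x is the internal network.
SAMPLE_FLOWS = """\
2025-02-20T09:15:02Z 10.20.1.15 8.8.8.8 1200
2025-02-20T10:02:11Z 10.20.1.15 52.96.0.1 48000
2025-02-21T09:14:55Z 10.20.1.15 52.96.0.1 51000
2025-02-22T09:16:40Z 10.20.1.15 52.96.0.1 47000
2025-02-23T09:15:10Z 10.20.1.15 52.96.0.1 50000
2025-02-24T02:31:09Z 10.20.1.15 51.15.20.3 9400000000
2025-02-20T11:00:00Z 10.20.1.30 10.20.5.2 7000000000
2025-02-21T11:00:00Z 10.20.1.30 52.96.0.1 62000
2025-02-22T11:00:00Z 10.20.1.30 52.96.0.1 58000
"""


def parse_flows(text: str):
    """Yield (day, src, dst, bytes) for each non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, src, dst, int(nbytes)


def find_egress_outliers(text: str, ratio: float = 10.0, floor: int = 1_000_000_000):
    """Return sorted [(src, day, bytes)] where a host's daily external egress
    is at least `floor` bytes AND more than `ratio` times that host's median
    daily egress on its other days. Internal-to-internal flows are ignored:
    the spike has to leave the network to count as possible exfiltration.
    """
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in parse_flows(text):
        if ipaddress.ip_address(dst).is_private:
            continue
        per_host_day[src][day] += nbytes

    outliers = []
    for src, days in per_host_day.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if total >= floor and total > ratio * max(baseline, 1):
                outliers.append((src, day.isoformat(), total))
    return sorted(outliers)


if __name__ == "__main__":
    print("proof credential seen in prior breach:",
          credential_from_prior_breach("Winter2019!"))
    for src, day, total in find_egress_outliers(SAMPLE_FLOWS):
        print(f"egress outlier: {src} on {day} sent {total:,} bytes externally")
```

The per-host median baseline is deliberate: a single large internal backup (the 10.20.1.30 flow to 10.20.5.2) is ignored because it never leaves the network, and a hospital imaging host that routinely sends large volumes would raise its own baseline rather than trigger on every day. Real flow logs will need the parser adapted to the exporter's format, and a hit on either check is a reason to investigate, not a verdict.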


Original Post url: https://www.csoonline.com/article/3839190/ransomware-goes-postal-us-healthcare-firms-receive-fake-extortion-letters.html

Category & Tags: Ransomware, Security – Ransomware, Security


