More stories

  • in

    Lawmakers, experts question whether CISA should be split from DHS after delayed confirmation of Easterly

    On Wednesday, Senator Rick Scott ended his objection to the unanimous consent needed for the Senate to vote on the nomination of Jen Easterly to be Director of CISA. Scott had been holding up the vote as a way to force Vice President Kamala Harris to visit the US-Mexico border. He said he would refuse to confirm any Department of Homeland Security nominees until Harris went to the border, which she did last Friday. “This isn’t about Ms. Easterly. This isn’t about cybersecurity,” Scott said last week.

    Despite lifting his hold on her nomination, all of Congress is away for the July 4 holiday and Easterly will not be confirmed until after Congress returns on July 9. CISA has not had an official director since former President Donald Trump fired Chris Krebs in November. His deputy, Brandon Wales, has been holding the position on an interim basis ever since, even as the country continues to deal with the fallout from the SolarWinds hacks and a number of other state-sponsored attacks on government organizations.

    A number of lawmakers and experts, including Krebs, took to Twitter to criticize the decision to hold up Easterly’s confirmation. Krebs even joked that Easterly’s confirmation was being “ransomed” by politicians and said the situation was “one more reason it’s time for a conversation about splitting up DHS.” Rep. Jim Langevin, one of the most vocal members of Congress on cyber issues, told ZDNet that the Cyberspace Solarium Commission looked at several different models for civilian and critical infrastructure cybersecurity, including spinning off a separate agency.

    “However, our ultimate conclusion was to double down on CISA in its current form. We passed a number of new provisions intended to do just that last year, and the House just released draft legislation increasing CISA’s budget by nearly 20 percent,” Langevin said. “I believe CISA can be perfectly effective within DHS if properly resourced and given the right authorities.”

    Among former government officials, opinions were more mixed on the topic. Drew Jaehnig spent more than 20 years managing networks, IT services and other technology at the Department of Defense. Jaehnig, who is now a director at Bizagi Government Services, said that before CISA’s creation in 2018, DHS already had the task of securing US critical physical and cyber infrastructure through the National Protection and Programs Directorate (NPPD). The NPPD was created in 2007 and was charged with tracking all visitors to the country, providing federal protective services for federally owned and leased assets, assuring the reliability of the nation’s cyber and communications infrastructure, and reducing risks to the nation’s critical infrastructure, according to Jaehnig, who added that the cyber component was originally organized under the Office of Cybersecurity and Communications (CS&C).

    “It is important to understand that the Department of Defense was working to protect the DoD cyberinfrastructure initially with the JTF-GNO (Joint Task Force – Global Network Operations) that was later to be part of the Cyber Command,” Jaehnig said. “The civil agencies and national infrastructure needed something similar and as such, the CS&C was created. The CS&C’s resources and standing were not sufficient to accomplish the given task, and in 2018 the Cybersecurity and Infrastructure Security Agency Act elevated the agency to a higher standing in DHS. Subsequent actions have substantially increased the resources available to CISA. Indeed, in the upcoming year, Congress is seeking $2.42 billion for CISA, $300M above what the President’s budget requested.”

    Jaehnig said there is a lot of overlap between the jobs of CISA and DHS, and the idea of spinning CISA into its own agency “would probably only complicate the nation’s response to any major cyber or infrastructure incident.” “The mission to secure borders, uphold economic prosperity, and increase our preparedness and resilience are all tied to the cyber and physical infrastructure,” he said.

    Despite advocating that the organizations stay connected, Jaehnig acknowledged that the arguments for splitting CISA from DHS center on it not getting enough attention and voice within DHS. He also noted that the situation with Easterly was part of a larger problem of CISA-related issues being lumped into the controversies that typically swirl around DHS in relation to border policies. He added that others have argued that any coordination issues created by separating CISA from DHS can be overcome, as they have been between DHS and the FBI on cybercrime. Some private industry cybersecurity groups have also expressed hesitancy about working with DHS due to the public debates over border policies, according to Jaehnig.

    But in the end, Jaehnig agreed with Langevin that CISA simply needs more resources and increased focus by the private and public sectors on infrastructure protection and resiliency. “With the continued blurring of the line between the cyber and the physical, this is more apparent than ever. These would be steps in the right direction and would address many of the concerns of those wishing a split and avoid a messy reorganization that would interrupt operational responses at a critical juncture,” Jaehnig said. “In the current environment, this is an issue that is likely to be more troublesome to the hill than keeping the status quo and adopting the Solarium recommendations. The Solarium recommendations are more practical to pass in legislation, as already accomplished with the appointment of a National Cyber Director, also in the CSC’s 2020 recommendations. Indeed, Congress adopted 27 of the 80 recommendations last year, and this year the CSC is working on getting 30 more of its recommendations codified into law. Politically, this approach is working even in today’s polarized political landscape.”

    Other former government officials took a different stance, arguing that CISA’s ties to DHS complicate the organization’s mission and add red tape that makes it harder for the agency to respond quickly to cyber incidents. Jake Williams, who spent years in the US Army and now serves as CTO at BreachQuest, told ZDNet he was working in the intelligence field when DHS was created and said, “even then it wasn’t clear it could perform its mission without adding more bureaucracy.” Williams said it is time to have discussions about a cabinet-level position for cybersecurity. “Politics aside, what we’re seeing now is budget and focus being split within DHS between immediate cybersecurity and physical security needs. In these types of ‘immediate need’ dilemmas, cybersecurity almost always loses,” Williams explained. “I would fully support a cabinet-level directorate focused on cybersecurity. It’s sorely needed today and not something we can kick down the road.”

    Others who have worked alongside the US government on cybersecurity issues also said CISA may be better served by operating within another agency. Bill O’Neill, a vice president at ThycoticCentrify, has spent years at companies that worked with the Defense Department and other agencies on cybersecurity. He noted that the previous presidential administration succeeded in ensuring CISA became a more fully realized government agency and added that Krebs’ leadership — coupled with its role in protecting the integrity of the 2020 election — resulted in a new level of credibility, visibility, and autonomy for CISA. O’Neill said DHS’s agenda, regulatory focus, and priority to work with sector-specific agencies “undermines and supersedes CISA’s mandate to handle civilian cybersecurity issues, diminishing the country’s ability to fight cybercrime on a united front.” “If CISA were decoupled from DHS and integrated instead into the ranks of US Cyber Command, the agency would have much greater efficiency and independence to implement policies for civilian incident response unencumbered,” he said. “You can correlate a sharp rise in cyberattacks across the country with the lack of defined oversight of US cyber defense strategy. And although Jen Easterly was nominated for the role of CISA Director three months ago, the Senate failed to confirm her. At a time when cyberattacks are at an all-time high, a vacuum in cybersecurity leadership only emboldens cyber criminals.”

  • in

    SAP partners with Columbia University on cybersecurity diversity initiative

    Columbia University’s School of International and Public Affairs will be collaborating with SAP to help identify and develop more diverse talent in the cybersecurity sector in the coming years. The software giant is hoping to help promote diversity in cybersecurity through increased funding and a variety of internships, job opportunities, curriculum assistance and events at Columbia University. Jason Healey, cyberthreat intelligence expert and senior research scholar at Columbia University’s School of International and Public Affairs, said the funding provided by SAP would help the school attract a wider pool of candidates interested in cybersecurity. “Due to SAP’s funding, we’re already finding new opportunities to reach out to our diverse student body to let them know about the amazing job prospects in cybersecurity, even for those outside of STEM,” Healey said. “The events, projects, information and first-hand experience our students will have access to will be extremely valuable for their career development.”

    Tim McKnight, the chief security officer at SAP, explained that it was the software industry’s responsibility to devise new ways to protect valuable data, support business operations and secure enterprises of all sizes. SAP’s relationship with Columbia University will allow the company “to identify diverse talent to keep SAP’s customers and products safe while providing students and recent graduates an opportunity to launch a new and exciting career,” McKnight added.

    In addition to funding and campus events, SAP will also sponsor “Capstone workshops” that allow students to “work with and advise external clients.” There is an outsized need for cybersecurity talent across the country as organizations struggle to protect themselves from an evolving cyberthreat landscape. Elena Kvochko, the chief trust officer at SAP, noted that there was still a significant gender disparity in the cybersecurity workforce despite the increased demand. She said she was hopeful that the program would help diversify the industry and “bring new ideas, skills and creativity when solving security challenges.”

    Kvochko told ZDNet that much of the collaboration would consist of SAP’s support for campus hiring and recruiting to provide a greater opportunity for graduates to start their careers in the cybersecurity and technology sectors. “The goal is to immerse students in the cybersecurity world and give them the opportunity to explore this fast-growing field. The capstone projects will be designed and developed around the most pressing needs of the cybersecurity sector, so that students, graduates and SAP employees have exposure to diverse perspectives from around the world,” Kvochko said. “SAP is excited to have the first group of recent graduates joining us this summer. We are prepared to lead groups of students of different sizes in their cybersecurity journey while helping to close the diversity gaps in our field and ensure diversity of perspectives.”

  • in

    Ransomware: This new free tool lets you test if your cybersecurity is strong enough to stop an attack

    Organisations can test their network defences and evaluate whether their cybersecurity procedures can protect them from a ransomware attack using a new self-assessment tool from the US Cybersecurity and Infrastructure Security Agency (CISA). The Ransomware Readiness Assessment (RRA) is a new module in CISA’s Cyber Security Evaluation Tool (CSET) that allows organisations to assess how well equipped they are to defend against and recover from a ransomware attack.

    Accessible by desktop software, the self-assessment tool can be applied to both information technology (IT) and industrial control system (ICS) networks, and enables users to evaluate their cybersecurity strategy based on government and industry recommendations and standards. “The Ransomware Readiness Assessment (RRA) will help you understand your cybersecurity posture with respect to the ever-evolving threat of ransomware,” say the tool’s release notes. The CISA tool asks users to answer a series of questions about their cybersecurity policies with the aim of helping organisations improve their defences against ransomware. It focuses on the basics first, before moving on to intermediate and advanced questions and tutorials. The aim is to make it useful for organisations whatever the state of their cybersecurity strategy, so CISA is strongly encouraging all organisations to take the Ransomware Readiness Assessment.

    “CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity,” said CISA. Following the high-profile ransomware attack against Colonial Pipeline, the United States has taken a firmer stance against ransomware and is encouraging organisations to do more to shore up their networks’ defences. President Joe Biden signed an executive order to boost cybersecurity across the US federal government. The US President has also discussed ransomware with Russian President Vladimir Putin. While the exact subjects discussed during the meeting in Geneva, Switzerland aren’t known, it’s believed that Biden tried to press Putin on the issue of ransomware gangs working out of Russia.

  • in

    Ransomware gangs are taking aim at 'soft target' industrial control systems

    Ransomware attacks are targeting legacy industrial control systems (ICS) and more needs to be done to secure networks at industrial facilities against the threat of being disrupted by cyber criminals attempting to make money from extortion. A report by cybersecurity researchers at Trend Micro warns that ransomware is “a concerning and rapidly evolving threat to ICS endpoints globally” with a significant rise in activity during the past year. 

    The motive behind ransomware attacks is simple – making money. Cyber criminals know that by hitting the industrial control systems used to operate factories and manufacturing environments, which rely on constant uptime, they have a good chance of getting paid. These networks, and the ones that support utilities like water and power, need to be fully operational in order to provide services, and the longer the network is down, the more disruption there will be, so the victim might decide to give in and meet the ransom demand of the cyber criminals. “The underground cybercrime economy is big business for ransomware operators and affiliates alike. Industrial Control Systems found in critical national infrastructure, manufacturing and other facilities are seen as soft targets, with many systems still running legacy operating systems and unpatched applications. Any infection on these systems will most likely cause days if not weeks of outage,” said Bharat Mistry, technical director at Trend Micro. Recent examples of successful ransomware campaigns like the attack against meat processor JBS demonstrate just how lucrative ransomware can be, as cyber criminals using REvil ransomware were able to make off with $11 million in bitcoin.

    Meanwhile, the Colonial Pipeline ransomware attack showed how a ransomware attack against an industrial target can have very real consequences for people, as gasoline supplies to much of the north-eastern United States were limited because of the attack. Cyber criminals using many different forms of ransomware are targeting industrial control systems, but four families of ransomware account for over half of these attacks. They are Ryuk – which by itself accounts for one in five ransomware attacks affecting ICS – Nefilim, REvil (also known as Sodinokibi) and LockBit.


    According to the report, the US is the country with the most instances of ransomware affecting ICS, followed by India, Taiwan and Spain. To help secure ICS endpoints against ransomware and other cyberattacks, the Trend Micro report offers several recommendations. They include patching systems with security updates, something the paper acknowledges as a “tedious” but necessary process. Keeping networks patched with the latest security updates means cyber criminals can’t exploit known vulnerabilities for which a fix already exists. If patching isn’t an option, then the network should be segmented in order to isolate vulnerable industrial control systems from internet-connected systems. It’s also recommended that ICS networks are secured with strong username and password combinations that are difficult to crack with brute force attacks. Applying multi-factor authentication across the network can also help secure it against unauthorized intrusions.

  • in

    Microsoft adds second CVE for PrintNightmare remote code execution

    What you think you know as PrintNightmare might not be what Microsoft refers to, or then again it might. During the week, PrintNightmare, a critical Windows print spooler vulnerability that allowed for remote code execution, was known as CVE-2021-1675. Exploits were publicly available after Microsoft’s patches failed to fix the issue completely; the security researchers who had published their code said they deleted it, but it had already been forked on GitHub. In short, if it was a supported version of Windows, it had a hole in it. “Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” the CERT Coordination Center said. The workaround suggestion was to disable the Print Spooler service. A potentially bad situation got further muddied when Microsoft dropped its CVE-2021-34527 notice on Thursday.

    “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the notice said. “An attack must involve an authenticated user calling RpcAddPrinterDriverEx().” So this seems like PrintNightmare: it’s going after the same function, and Microsoft says it is the same, but then it isn’t. Here’s the FAQ in full that Microsoft has published.

    Is this the vulnerability that has been referred to publicly as PrintNightmare?
    Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

    Is this vulnerability related to CVE-2021-1675?
    This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

    Did the June 2021 update introduce this vulnerability?
    No, the vulnerability existed before the June 2021 security update. Microsoft strongly recommends installing the June 2021 updates.

    What specific roles are known to be affected by the vulnerability?
    Domain controllers are affected. We are still investigating if other types of roles are also affected. All versions of Windows are listed in the Security Updates table.

    Are all versions exploitable?
    The code that contains the vulnerability is in all versions of Windows. We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident.

    Why did Microsoft not assign a CVSS score to this vulnerability?
    We are still investigating the issue so we cannot assign a score at this time.

    Why is the severity of this vulnerability not defined?
    We are still investigating. We will make this information available soon.

    So, due to a different attack vector, Microsoft has broken out a second CVE. The suggested workaround is to disable the Print Spooler service or to disable inbound remote printing through Group Policy. “This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible,” the warning attached to the workarounds states. CVE-2021-1675 earned a CVSS 3 base score of 7.8 and is clearly considered addressed by Microsoft, since there is no workaround section. “This is an evolving situation and we will update the CVE as more information is available,” Microsoft said. No doubt they will.

  • in

    Google releases new open-source security software program: Scorecards

    Some naive people may still think they’re not using open-source software. They’re wrong. Everyone does. According to the Synopsys Cybersecurity Research Center (CyRC) 2021 “Open Source Security and Risk Analysis” (OSSRA) report, 95% of all commercial programs contain open-source software. By CyRC’s count, the vast majority of that code contains outdated or insecure code. But how can you tell which libraries and other components are safe without doing a deep code dive? Google and the Open Source Security Foundation (OpenSSF) have a quick and easy answer: the OpenSSF Security Scorecards.


    These Scorecards are based on a set of automated pass/fail checks that provide a quick review of many open-source software projects. The Scorecards project is an automated security tool that produces a “risk score” for open-source programs. That’s important because only some organizations have systems and processes in place to check new open-source dependencies for security problems. Even at Google, with all its resources, this process is often tedious, manual, and error-prone. Worse still, many of these projects and developers are resource-constrained. The result? Security often ends up a low priority on the task list. This leads to critical projects not following good security practices and becoming vulnerable to exploits.

    With the release of Scorecards v2, the project hopes to make security easier to achieve. The release adds new security checks, scales up the number of projects being scored, and makes the data easily accessible for analysis. For developers, Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically assess the risks to make informed decisions about accepting the program, looking for an alternative solution, or working with the maintainers to make improvements. Here’s what’s new:

    Identifying risks: Since last fall, Scorecards’ coverage has grown; the project has added several new checks, following Google’s Know, Prevent, Fix framework.

    Spotting malicious contributors: Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, use the less informative Code-Review check instead.

    Vulnerable code: Even with developers’ and peer reviewers’ best efforts, bad code can still enter a codebase and remain undetected. That’s why it’s important to enable continuous fuzzing and static code testing to catch bugs early in the development lifecycle. The project now checks whether a project uses fuzzing and SAST tools as part of its continuous integration/continuous deployment (CI/CD) pipeline.

    Build system compromise: A common CI/CD solution used by GitHub projects is GitHub Actions. A danger with these action workflows is that they may handle untrusted user input, meaning an attacker can craft a malicious pull request to gain access to the privileged GitHub token, and with it the ability to push malicious code to the repo without review. To mitigate this risk, the Scorecards Token-Permissions check now verifies that GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

    Bad dependencies: A program is only as secure as its weakest dependency. This may sound obvious, but the first step to knowing your dependencies is simply to declare them… and have your dependencies declare theirs too. Armed with this provenance information, you can assess the risks to your programs and mitigate them. That’s the good news. The bad news is that there are several widely used anti-patterns that break this provenance principle. The first of these anti-patterns is checked-in binaries, as there’s no easy way to verify or check the contents of a binary in the project. Thanks in particular to the continued use of proprietary drivers, this may be an unavoidable evil. Still, Scorecards provides a Binary-Artifacts check for testing this. Another anti-pattern is the use of curl or bash in scripts to dynamically pull dependencies. Cryptographic hashes let us pin our dependencies to a known value. If this value ever changes, the build system detects it and refuses to build. Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc. Scorecards checks for these anti-patterns with the Frozen-Deps check, which is helpful for mitigating malicious dependency attacks such as the recent Codecov attack. Even with hash-pinning, hashes need to be updated once in a while when dependencies patch vulnerabilities. Tools like Dependabot or Renovate can review and update the hashes. The Scorecards Automated-Dependency-Update check verifies that developers rely on such tools to update their dependencies. It is also important to know the vulnerabilities in a project before using it as a dependency. Scorecards can provide this information via the new Vulnerabilities check, without subscribing to a vulnerability alert system.

    That’s what’s new. Here is what the Scorecards project has done so far. It has now evaluated security for over 50,000 open source projects. To scale this project, its architecture has been massively redesigned. It now uses a Pub/Sub model, which gives it improved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through a weekly updated public BigQuery dataset.
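    As an added example (not code from the page or from the Scorecards project), the following script approximates what the Token-Permissions and Frozen-Deps checks described above look for, run over a constructed GitHub Actions workflow: a write-all token, an action pinned to a tag instead of a commit SHA, and a curl-piped-to-bash step. The workflow text, regexes and function names are assumptions of this example; the real checks parse YAML properly and cover more cases.

```python
import re

# Constructed sample workflow used as input; an assumption of this example,
# not a workflow taken from the page or from the Scorecards project.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8a7a7c
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: go test ./...
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.+)$")
# curl/wget output piped straight into a shell: nothing is pinned or verified.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b")


def check_token_permissions(workflow):
    """Approximates the Token-Permissions idea: the top-level 'permissions:' key
    should restrict the GITHUB_TOKEN to read-only. Only the unindented key is
    inspected; job-level overrides are ignored here. Returns a list of findings."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if value in ("read-all", "{}"):
            return []
        if value == "write-all":
            return ["top-level permissions is write-all; use read-all or per-scope read"]
        # Mapping form: indented "scope: read|write|none" lines follow the key.
        findings = []
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break
            scope, _, level = sub.strip().partition(":")
            if level.strip() == "write":
                findings.append(f"permissions.{scope} is write; narrow it to read or none")
        return findings
    return ["no top-level permissions block; GITHUB_TOKEN keeps the repository default"]


def check_pinned_actions(workflow):
    """Approximates Frozen-Deps for 'uses:' lines: third-party actions should be
    pinned to a full commit SHA, not to a mutable tag or branch name."""
    findings = []
    for m in (USES.match(line) for line in workflow.splitlines()):
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if not HEX40.match(version):
            shown = version or "<none>"
            findings.append(f"{action} is pinned to '{shown}', not to a commit SHA")
    return findings


def check_pipe_to_shell(workflow):
    """Flags 'run:' steps that download and execute a script in one go, the
    curl-or-bash anti-pattern that bypasses pinning entirely."""
    findings = []
    for m in (RUN.match(line) for line in workflow.splitlines()):
        if m and PIPE_TO_SHELL.search(m.group(1)):
            findings.append(f"run step pipes a download into a shell: {m.group(1).strip()}")
    return findings


def score_workflow(workflow):
    """Runs all checks; returns check name -> list of findings (empty means pass)."""
    return {
        "Token-Permissions": check_token_permissions(workflow),
        "Frozen-Deps": check_pinned_actions(workflow) + check_pipe_to_shell(workflow),
    }


if __name__ == "__main__":
    for name, findings in score_workflow(SAMPLE_WORKFLOW).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```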

    To access this data, you can use the bq command-line tool. The following example shows how to export data for the Kubernetes project. For your purposes, substitute the Kubernetes repo URL with the one for the program you need to check:

    $ bq query --nouse_legacy_sql 'SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo="github.com/kubernetes/kubernetes"'

    You can also see the latest data on all Scorecards-analyzed projects. This data is also available in the new Google Open Source Insights project and the OpenSSF Security Metrics project. The raw data can also be examined via data analysis and visualization tools such as Google Data Studio. With the data in CSV format, you can examine it with whatever your favorite data analysis and visualization tool may be.

    One thing is clear from all this data: there are a lot of security gaps still to fill, even in widely used packages such as Kubernetes. For example, many projects are not continuously fuzzed, don’t define a security policy for reporting vulnerabilities, and don’t pin dependencies. According to Google, and frankly, anyone who cares about security: “We all need to come together as an industry to drive awareness of these widespread security risks, and to make improvements that will benefit everyone.”

    As helpful as Scorecards v2 is, much more work remains to be done. The project now has 23 developers; more would be welcome. If you would like to join the fun, check out the good first-timer issues on GitHub. If you would like the team to help you run Scorecards on specific projects, submit a GitHub pull request to add them. Last but not least, Google’s developers said, “We have a lot of ideas and many more checks we’d like to add, but we want to hear from you. Tell us which checks you would like to see in the next version of Scorecards.” Looking ahead, the team plans to add:

    If I were you, I’d start using Scorecards immediately. This project can already make your work much safer, and it promises to do even more to improve security not only for your programs but for the programs it covers.

  • in

    NSA, FBI warn of ongoing brute force hacking campaign tied to Russian military

    A brute force password-hacking campaign led by Russian military intelligence tied to the group Fancy Bear has been targeting US and European organizations since mid-2019, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ on Thursday.

    National security officials said the exploitation is almost certainly ongoing and is part of a broader effort by Russia’s GRU and 85th GTsSS to obtain information on a wide range of sensitive targets. The attackers are using brute force techniques — in which repeated login attempts are used to uncover usernames, passwords and valid account credentials — to infiltrate the networks of government and private sector organizations including military defense contractors, energy and logistics companies, law firms, think tanks, media outlets and universities. While the brute force tactic is nothing new, the Russian hackers uniquely leveraged Kubernetes software containers to scale the brute force attempts, the advisory said. The attackers also attempted to evade detection by routing the Kubernetes brute force attacks through Tor and commercial VPN services.

    According to the advisory, GRU hackers are using compromised account credentials in conjunction with known software vulnerabilities, including exploits for Microsoft Exchange servers like CVE-2020-0688 and CVE-2020-17144, in order to gain access to internal servers. Once the attackers gain remote access, they combine a number of techniques to move laterally within the network and to access protected data, including email. “NSA encourages Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations,” the advisory said. “The most effective mitigation is the use of multi-factor authentication, which is not guessable during brute force access attempts.”

  • in

    Lorenz ransomware attack victims can now recover files with this free decryption tool

    Cybersecurity researchers have released a decryption tool which allows victims of Lorenz ransomware to decrypt their files for free – and crucially, without the need to pay a ransom demand to cyber criminals. This is particularly important for Lorenz, as a bug in the ransomware’s code means that even if victims paid for the decryption key, some of the encrypted files can’t be recovered. But following analysis of the malware, researchers at Dutch cybersecurity company Tesorion found that they were able to engineer a decryption tool for Lorenz ransomware – and now it’s available for free via No More Ransom. No More Ransom is a joint project by law enforcement agencies including Europol’s European Cybercrime Centre, along with partners across Europe in cybersecurity and academia, which aims to disrupt the business of ransomware gangs by providing decryption keys which allow victims to retrieve their files without paying a ransom. The decryptor for Lorenz ransomware is the 120th to be made available on No More Ransom since the project began in 2016. Lorenz ransomware first emerged in April this year and those behind it have targeted organisations around the world.

    The cyber criminals behind Lorenz steal data before encrypting it and attempt to use this as additional leverage in the attack by threatening to publish the stolen information if the ransom isn’t paid. This double extortion technique has become common among the most successful ransomware operations. Typically, the cyber criminals behind Lorenz demand a ransom of between $500,000 and $700,000 in Bitcoin in exchange for the decryption key – but thanks to cybersecurity researchers at Tesorion and the No More Ransom initiative, those who fall victim to Lorenz can retrieve their files for free. However, the best way for organisations to prevent disruption from a ransomware attack is to avoid falling victim to one in the first place by having a sound cybersecurity strategy. Recommendations on how to achieve this from No More Ransom include regularly updating backups and storing them offline, so that in the event of a ransomware attack, the data won’t be destroyed by cyber criminals. It’s also recommended that organisations use robust antivirus software and that all software and operating systems across the network are up to date with the latest updates and security patches, so that cyber criminals can’t exploit known vulnerabilities to gain access to the network and install ransomware.