More stories

  • The cost of ransomware attacks worldwide will go beyond $265 billion in the next decade

    The cost of ransomware incidents worldwide is expected to spiral out of control, exceeding $265 billion by 2031. 

    Ransomware is now one of the most potentially damaging — and a very popular — types of malware. If ransomware lands on a vulnerable system, files are usually encrypted, users are locked out, and payment is demanded, usually in cryptocurrency, in return for a decryption key. In a more recent evolution of the applications of ransomware, operators will also steal information during an attack and will threaten to publish this information on leak sites on the dark web or sell it on, doubling the pressure for victims to pay up.

    At present, some of the most well-known groups that have turned ransomware into a lucrative ‘business’ opportunity are Maze, Nefilim, Clop, and DarkSide, the latter of which left the scene — at least, under that name — after extorting Colonial Pipeline out of $4.4 million following a devastating attack that disrupted fuel supplies across the United States.

    Cybersecurity Ventures predicts that the damage caused by ransomware could cost the worldwide stage $265 billion by 2031, based on this type of cybercrime attacking both enterprises and consumers at a rate of one attack every few seconds.

    Currently, the cybersecurity agency estimates that ransomware will cost us approximately $20 billion this year, a 57x jump from 2015.

    The latest estimates released by the company have been generated based on a 30% growth in incidents year-over-year.

    Ransomware infections can result in costly insurance premiums and payouts, the need to hire cyberforensics firms to investigate incidents, damage limitation or system repair, data loss, and potentially payments made to attackers to retrieve critical systems or prevent data from being leaked.

    The latest estimate also includes during and post-attack business disruption, reputational harm, and the expense of employee training following a ransomware incident.

    Palo Alto Networks suggests that ransomware payouts alone have surged from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. The largest demand recorded in recent years is $30 million. Despite government officials across the globe becoming involved, including figures such as US President Biden who recently signed an executive order demanding that federal agencies work toward improving the country’s cybersecurity posture, ransomware incidents are only becoming worse.

    “Despite authorities’ recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra — cut off one head and several appear in its place — and all signs are that the coming decade will be no less problematic,” Cybersecurity Ventures noted.

  • Australians spent AU$26.5m in cryptocurrency to pay scammers in 2020

    Australians in 2020 reported losses to scams totalling AU$851 million, with AU$128 million lost to business email compromise (BEC), AU$8.4 million classed as remote access scams, and AU$3.1 million a result of identity theft.

    Topping the list were investment scams, ripping people off to the tune of AU$328 million. The total number of scam incidents was 444,164.

    The information was revealed in a report [PDF] from the Australian Competition and Consumer Commission’s (ACCC) Scamwatch. The AU$851 million loss figure is reduced to AU$156 million, however, when information from Australia’s top financial institutions is removed. This is still an increase of around 23% compared to the AU$143 million in losses reported in 2019.

    The total number of scams received by Scamwatch during the 2020 calendar year was 216,087.

    Bank transfer remained the most common payment method used in scams, with just over AU$97 million lost, but bitcoin and other cryptocurrency was the second highest payment method, with AU$26.5 million lost.

    Those aged over 65 were the ones reporting the most loss, comprising AU$37.7 million of the total, but those in the 25 to 34-year-old bracket made the most reports to Scamwatch, with 33,000 reports. The scam victims were almost split exactly 50-50 among those that identified as men and those that identified as women.

    It was shown phone calls were still the number one method for scammers to use, at 47.7%, or 103,153 scams, with email accounting for 22%, text message for 15%, “internet” for 6.3%, and 4.5% of victims were spoofed via social media.

    Unsurprisingly, COVID-19 led to an increase in losses and reports for several categories. Victoria, which was the hardest hit with lockdowns, was the origin of AU$49 million of the total losses for 2020.
    Compared with 2019, remote access scam reported losses increased more than 74% to AU$8.4 million and threat-based scam reported losses increased more than 178% to AU$11.8 million. 8,691 scams were attributed to “hacking”, 3,885 to ransomware and malware, and phishing accounted for 44,079 reports.

    The most commonly impersonated entities for phishing scams in 2020 were the same as those in 2019: Telstra, NBN Co, government organisations, the big four banks, and package delivery companies, with a large increase in the number of phishing scams involving impersonations of Amazon.

    Email phishing in 2020 most commonly impersonated PayPal, followed by Netflix.

    Health and medical scam reported losses increased more than 2,000% compared with 2019 as a result of the pandemic, reaching over AU$3.9 million.

    In 2020, there were over 24,000 reports about government impersonation scams made to the ACCC, with losses of AU$1.9 million.

    There was also a 220% increase in reports and a 322% increase in reported losses to scams related to buying vehicles including cars, caravans, and campervans, with reported losses of just over AU$1 million. The ACCC said scammers targeted both people buying and selling vehicles and used Facebook Marketplace, Gumtree, Car Sales, and Autotrader, mostly, to make contact with potential victims.

    Scamwatch also received over 330 bushfire-related Scamwatch reports through its website.

    Celebrity endorsement scams caused reported losses of over AU$1.8 million in 2020. Some of these, the ACCC said, included encouraging people to invest in cryptocurrencies.

    Scamwatch received 2,082 reports with reported losses of over AU$7 million to Chinese authority scams in 2020. This was a 77% increase in the number of reports and a 250% increase in the amount reported lost compared with 2019.

    Scam losses reported by businesses increased by 260% in 2020, to AU$18 million. Businesses made the most reports about false billing and phishing scams, with the scams typically involving a request for payment for a service or item that wasn’t ordered or a scammer diverting money by impersonating the intended recipient of a payment.

    In 2020, WhatsApp was added as an option in the reporting form. The ACCC received 347 reports selecting WhatsApp from the drop down menu. Scam reports listing the contact mode as social networking/online forum and identifying the platform as dating app Tinder increased from 73 in 2019 to 174 in 2020. “This 138% increase in reporting was primarily in relation to romance scams, but also included investment scams where scammers encouraged victims to invest in cryptocurrencies,” the report added.

  • US Justice Department accuses Latvian national of deploying Trickbot malware

    The US Department of Justice (DoJ) has charged a Latvian woman for her alleged role in creating and deploying Trickbot, the computer banking trojan that has evolved to become a highly popular form of malware among cyber criminals.

    The accused individual, Alla Witte, was arrested in Miami four months ago.

    According to the charges, Witte worked in the criminal organisation, called Trickbot Group, which deployed the Trickbot malware. In this role, she allegedly wrote code related to the control, deployment, and payments of ransomware for the organisation. Trickbot malware provides cyber criminals with a means of delivering malware onto compromised machines to steal personal and financial information, including login credentials, credit card numbers, emails, passwords, dates of birth, social security numbers, and addresses. Once the information is obtained, the attackers use that information to gain access to online bank accounts, execute unauthorised electronic funds transfers, and launder the money through US and foreign beneficiary accounts, the DoJ alleges. According to the indictment, Witte and others have stolen money and confidential information from unsuspecting victims, including businesses and their financial institutions, across Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, Russia, the United States, and the United Kingdom, through the use of the Trickbot malware. Initially emerging as a banking trojan in 2014, Trickbot malware has increasingly been used by cyber criminals to distribute malware attacks, particularly in the wake of the takedown of the Emotet botnet.

    Emotet was the world’s most prolific and dangerous malware botnet before it was disrupted by an international law enforcement operation in January. In addition to the accusation that Witte helped write code for the Trickbot malware, the department also issued an indictment against Witte for her role in allegedly ransoming victims. Witte and her co-conspirators allegedly coerced victims into purchasing special software through a bitcoin address controlled by the Trickbot Group in order to decrypt compromised files. Witte also allegedly provided code to the Trickbot Group that monitored and tracked authorised users of the malware and developed tools and protocols to store stolen login credentials. In total, Witte has been charged in 19 counts of a 47-count indictment. If convicted, she could face up to 87 years in prison. Information about the other individuals charged in the indictment is currently confidential. “These charges serve as a warning to would-be cybercriminals that the Department of Justice, through the Ransomware and Digital Extortion Task Force and alongside our partners, will use all the tools at our disposal to disrupt the cybercriminal ecosystem,” Deputy Attorney-General Lisa Monaco said.

  • NSW Health confirms data breached due to Accellion vulnerability

    New South Wales Health has confirmed being impacted by a cyber attack involving the file transfer system owned by Accellion. The system was widely used to share and store files by organisations around the world, including NSW Health, the government entity said on Friday afternoon.

    “Following the NSW government’s advice earlier this year around a world-wide cyber attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber attack,” it said in a statement.

    The state entity said medical records in public hospitals were not affected and the software involved is no longer in use by NSW Health.

    “Different types of information, including identity information and in some cases, health-related personal information, were included in the attack,” it added.

    NSW Health said it has been working with NSW Police and Cyber Security NSW and that to date, there is no evidence any of the information has been misused.

    “A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting,” it said. “If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required.”

    The NSW Police Force and Cyber Security NSW have set up Strike Force Martine to determine the impact on NSW government agencies that were caught up in the attack on Accellion.

    Accellion’s file-sharing program, File Transfer Appliance, is an enterprise product used to transfer large files. While now discontinued and supplanted by other software such as Kiteworks, a zero-day vulnerability in the legacy software was found in December and has since been exploited by attackers in the wild. It is estimated that some 100 organisations around the world were among those affected by the breach.

    Transport for NSW in February confirmed being caught up in the breach.

    The Australian Securities and Investments Commission (ASIC) in January said one of its servers was breached earlier in the month in relation to Accellion software used by the agency to transfer files and attachments.

    Accellion was also used as the vector to breach the Reserve Bank of New Zealand (RBNZ) in January.

  • NSW Police using artificial intelligence to analyse CCTV footage

    The New South Wales Police Force is in the process of bringing its back-end into the 21st century, turning to Microsoft and its Azure cloud platform for help.

    According to Microsoft, the force is retiring, re-architecting, or replacing over 200 legacy systems with cloud-based systems. Part of this transformation is changing the way the force analyses CCTV footage.

    Labelled as the “AI/ML-infused Insights policing platform”, the system essentially speeds up the processing of data. In one example, NSW Police collected 14,000 pieces of CCTV as part of a murder and assault investigation and analysed it in a manner faster than it previously could.

    “The AI/ML infused Insights platform ingested this huge volume in five hours and prepared it for analysis by NSW Police Force investigators, a process that would otherwise have taken many weeks to months,” Microsoft said in a case study prepared alongside NSW Police.

    “Detectives were able to then within days piece together the time sequence of events, movements, and interactions of the person of interest as well as overlay this onto a geospatial platform, visualising the data for detectives and aiding in the preparation of the brief of evidence for Courts.

    “Leveraging Microsoft Azure cognitive technologies, machine learning, and deep learning capabilities, NSW Police has been able to train the system on image classification allowing it to interpret petabytes of CCTV footage automatically and at speed provide rapid access to leads that officers can pursue to ultimately solve crime faster.”

    The platform can also turn voice to text, allowing for the speedy transcription of police interviews, and can also stitch together CCTV with dash cam footage and then search for objects, including overlaying this on a geospatial solution, the pair added.

    “Using computer vision it can search to recognise objects, vehicles, locations, such as a backpack, or a tie, or type of shoes a person of interest might be wearing,” NSW Police CITO and executive director of digital technology and innovation Gordon Dunsford said.

    “The system has been designed with ethics front and centre, and in consultation with privacy experts with a particular focus on avoiding bias,” Microsoft added.

    Insights is currently hosted internally, but will “shortly” migrate to the cloud. NSW Police, however, is already using a containerisation strategy to parcel up data that needs to be interpreted rapidly, and sending that to Azure for processing.

    Elsewhere, the force is also working on its Integrated Policing Operating System (IPOS), which will replace the existing 27-year-old central database and be used to manage all the data from operations including triple zero calls, arrests and charges, firearms, criminal investigations, forensics, complaints, and public reports.

    IPOS is based on Mark43’s public safety software.

    IPOS also provides the force with a single view of a person of interest and can be viewed on an officer’s MobiPol mobile device. “It can also provide access to important additional information; for example, alerting police to the fact that the address where they are going to apprehend someone is located next to another house where residents are known to be antagonistic to the police through its geofencing capability,” Microsoft added.

    Dunsford said that, at present, officers share MobiPols, but with IPOS there are plans to equip every officer with their own device and access to IPOS.

    NSW Police also has plans to replace the legacy data store systems with the Digital Evidence Cloud, and has built a small-scale capability that it has trialled with NSW Police’s Forensics Command.

    Dunsford also wants to understand how low earth orbit (LEO) satellites could be used to support police; how data from the Integrated Connected Officer program which collects data from an officer’s firearm, taser, car, and body worn camera can be ingested into Insights; and how drones could be deployed to collect video that could help identify potentially dangerous situations.

    Advanced AI and machine learning could, he thinks, be used to train systems to identify everything from the colour, make, and model of vehicles, to a backpack in a crowded street, to finding a particular individual based on their unique gait.

    In June 2020 Microsoft said that it would not sell or deploy facial recognition to police services.

  • Innovation Oz Style: Take a world-leading secure kernel and kick it to the kerb

    As with many things, timing is everything, and in the weeks after word drifted out that Australia’s Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61 was binning its secure microkernel research, the world of cyber attacks manifested in the real world in new ways. From oil pipelines, to meat works, to a more traditional Russian-backed phishing campaign, the cyberdial has been turned up and the frequency of attacks, particularly in the ransomware space, has hit deluge-like levels. And yet, while the torrent of malware is far from unexpected, people lining up with jerry cans and fighting with each other because someone might have clicked on a dodgy email certainly is. The need to develop a better foundation, and more secure ways of computing, would appear to be more necessary than ever — but not at the CSIRO, where artificial intelligence is the order of the day. “We think Australia needs artificial intelligence for industry 4.0, for our sovereign capability, for digital agriculture, and to deal with environmental hazards,” CSIRO CEO Dr Larry Marshall told Senate Estimates on Thursday night. “Really putting digital at the heart of Australia’s resilience and recovery as we build back.” One of the problems with the seL4 microkernel and the Trustworthy Systems team that developed it, according to Marshall, was that it supposedly did not provide enough “national benefit”.

    “So it’s difficult to see an opportunity to build an industry in Australia, or to derive a national benefit from that technology, and given priorities are artificial intelligence, we chose to pursue that and focus our resources where we thought we could drive greater national benefit,” Marshall said. “The challenge with that technology … it’s very mature and it is open source.” During the hearing, Marshall waved articles listing CSIRO’s high ranking among global research organisations, but seL4 has been similarly regarded as first class research. One has to walk a long way to find a mathematically proven secure kernel. “This is an instance of Aus policy directly leading to undermining Australian cybersecurity,” security researcher Vanessa Teague said in reaction to CSIRO’s decision. “It’s hard to think of better world-leading Aus cybersecurity research than [seL4 Foundation].” Chair of the seL4 Foundation Gernot Heiser rebutted CSIRO claims that seL4 was mature technology in a blog post. “The group is not accidentally called ‘Trustworthy Systems’ (and not, say, the ‘seL4 Research Group’). seL4 is only the starting point for achieving trustworthiness in computer systems. It’s as if over 100 years ago people said combustion engines are a solved problem once it was shown they could power a car,” he wrote. “Fact is that, while seL4 is mature enough to be deployed in the real world, there’s plenty of fundamental research work left on seL4 itself, and there is far more research left on how to achieve real-world trustworthy computer systems. It’s not that just sprinkling a bit of seL4 fairy dust over a system will make it trustworthy.” Heiser laid out the work to be done on temporal isolation of processes, especially on systems where critical real-time workloads run at the same time, but he added the research was under threat as the CSIRO had handed back some money from the US Air Force. 
The University of New South Wales has backed Trustworthy Systems until the end of 2021, with Heiser stating it gives some breathing space to “line up more pathways”. In recent years, the push has been on in Australia to commercialise the country’s research, and this seems to be the rock that Trustworthy Systems has tripped on. “Unfortunately that technology was licensed [to Qualcomm] for a one-time fee,” Marshall said. “And when I say unfortunately, that technology has gone through two billion mobile devices, but unfortunately, there’s no ongoing royalty arrangement with that deal that was done back in at that time.” Keep in mind that the CSIRO loves royalty payments and will sue to ensure it gets its cut. The organisation boasts it got AU$430 million in settlements over its Wi-Fi patents. The open-source nature of seL4 does not lend itself to this type of outcome. Marshall said it would be great if a company was spun out around the work and if it could figure how to make money. “Our conclusion was that’s not really feasible in Australia, which is why we chose to discontinue the work,” he said. Given the current environment, where Australian politicians are calling on ASD to use its classified powers to blast away ransomware groups, and who knows what the political response from Moscow, Pyongyang, and Beijing would be to that; local law enforcement continue to say dumb stuff about encryption; and Australia’s strategic rivals are using current weaknesses to be downright awful to parts of their population, a little research on the defensive side of computing would be useful. The seL4 kernel isn’t going to be powering any desktop or server near you anytime soon, but it could go some way to making IoT devices look less like Swiss cheese to bad actors. It could even end up being the underpinning of CSIRO’s “artificial intelligence for industry 4.0” systems — whatever they are — or help inform the new OSes that are being developed. 
    In a worst case scenario for CSIRO where it kept seL4 but it didn’t yield rivers of gold, it could still push research in vital areas of cybersecurity, increase Australia’s research reputation, and show that the nation isn’t completely full of the cyber ignorant. But alas, the world of secure kernels is not as sexy and pitch-friendly as the buzzword-laden AI realm, and Trustworthy Systems has been forced to shift from a national research organisation that has been subject to funding cuts, into a university sector that has seen far more drastic cuts. For our national benefit, hopefully the upcoming AI research yields more than a better chatbot.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  • Most Brazilian companies lack cybersecurity teams

    Security teams are in place in less than a third of Brazilian organizations, even though most businesses frequently suffer cyberattacks, according to new research. Some 57% of businesses from the education, financial services, insurance, technology and telecommunications, health and retail sectors are targeted by cybercriminals frequently, according to a survey by Instituto Datafolha commissioned by Mastercard.

    On the other hand, the study has found that only 32% of the organizations polled have dedicated cybersecurity teams. While 80% of respondents claimed digital security matters are important to them and most have some kind of plan in place to deal with potential cyberattacks, this is not among the budgetary priorities for 39% of those polled.

    Among the segments analyzed in the survey, financial services, insurance, technology and telecommunications are among the most prepared in terms of cybersecurity readiness. Conversely, the education and healthcare sectors are the most vulnerable. According to the survey, the areas most susceptible to hacker attacks are the finance department and customer databases. The Mastercard/Datafolha survey interviewed 351 decision-makers in Brazil in February 2021. The survey echoes the findings of a separate study on perceptions of cybersecurity risk in Latin America since the start of the Covid-19 crisis, carried out by consulting firm Marsh on behalf of Microsoft. Most Brazilian companies have not increased their investments in information and cyber security since the emergence of the pandemic despite an increase in threats, the study noted, adding that the majority of Brazilian companies invest 10% or less of their IT budget in that area.

  • FBI, DOJ to treat ransomware attacks with similar priority as terrorism

    The FBI and Justice Department upped the ante on the rhetoric around ransomware attacks on Thursday and Friday, telling a number of news outlets that cyberattacks will be treated with almost the same level of concern as terrorist attacks.

    Christopher Wray, the director of the FBI, compared the government’s fight against ransomware to the situation the country faced after 9/11 in an interview with The Wall Street Journal. He added that the FBI has identified nearly 100 different types of ransomware, each of which has already been implicated in attacks. He also took direct aim at the Russian government, singling them out for harboring many of those behind the different brands of ransomware. But he also revealed that the FBI has had limited success working with some private sector cybersecurity officials in obtaining encryption keys without paying any ransoms. The comments came after three significant developments in the government’s response to the recent wave of ransomware attacks on companies in critical industries like Colonial Pipeline and global meat processor JBS. Anne Neuberger, deputy assistant to the President and deputy National Security Advisor for Cyber and Emerging Technology, sent a letter to private sector leaders on Thursday urging them to prepare for potential attacks and implement a number of security measures to prevent an incident. Senior Justice Department officials then told Reuters that memos had been sent out to all US Attorney’s Offices explaining that ransomware attacks would be investigated in a manner similar to incidents of terrorism. Technology journalist Kim Zetter shared a snippet of a memo sent by Deputy Attorney General Lisa Monaco that said urgent reports should be filed whenever a US Attorney’s Office learns about a new ransomware attack.
The memo adds that officials should notify a newly created ransomware task force about any new developments in cases, potential emergencies or incidents that will “generate national media or Congressional attention.”

    “Urgent Reports should be submitted, for instance, when a United States Attorney’s Office learns of a ransomware attack on critical infrastructure or upon a municipal government in their District,” Monaco wrote. Reuters reported that the new guidance also said senior Justice Department officials need to be notified of any cybercrime cases involving cryptocurrency exchanges, botnets, digital money laundering, illicit online forums, “bulletproof hosting services” and counter anti-virus services. Rep. Jim Langevin told ZDNet that the memo from Neuberger was a sign that President Joe Biden was taking the ransomware incidents seriously, but he urged the White House to give CISA more power to issue similar guidelines.

    “The advice in the White House memo is sound, and I hope corporate leaders will adopt a more risk-informed cybersecurity posture as soon as possible,” Langevin said. “However, I also hope the President will follow Congress’s direction and empower CISA to make similar recommendations moving forward.”

    Cybersecurity experts said that while the guidance from the White House was helpful, it did little to address the underlying problems thousands of organizations face when trying to protect themselves. Robert Haynes, open source evangelist with Checkmarx, said it was critical for organizations to identify the impact of the loss of different systems on their ability to operate. For most businesses, Haynes noted, the threat of a ransomware attack, the cost of the ransom itself and the huge impact on operations should be motivation enough to take these threats extremely seriously. “The primary focus needs to be on prevention, and then mitigation assuming total loss of systems. Leaders should be aware that the recovery time will involve rebuilding systems and restoring data, even with a successful recovery of encrypted files,” Haynes said. “The risks are real and the disruption, no matter how good your data protection solutions are, can be costly.”

    Dirk Schrader, global vice president at New Net Technologies, suggested the government find a way to make it a requirement for organizations to report any case of ransomware to authorities and strongly discourage ransom payments. But he noted that companies may not be willing to report a ransomware incident if that will delay the return to normal operations. Kevin Breen, director of cyber threat research at Immersive Labs, explained that valuable advice from the White House, like having offline backups, was nice to say but can cause friction within enterprises because they are typically hard to implement and costly. The same goes for other guidance shared by Neuberger like network segmentation. “If you’re not already doing it, implementation may be complex,” he said, adding that incident response tests will be key for preparing any organization for an attack.

    “These need to be done with a higher cadence than traditionally, and across the entire workforce to take into account the impact on technical, legal, communications and other cross functional teams.”

    The Justice Department’s efforts to create a centrally coordinated response will give authorities a deeper pool of evidence and data while also helping with the identification and targeting of the entire chain, Breen added, noting that it may also help add legislative teeth to mitigation efforts.

    Breen went on to say that the other measures being taken by the FBI and Justice Department were happening because ransomware gangs had “poked the sleeping giant one time too many.”