Date: 2020-02-04

COMMENT:

Ransomware is back in the news, and not in a good way. We are still waiting to find out what the “cybersecurity incident” was that led the multinational logistics company Toll Group to shut down an unspecified number of client systems and applications. (UPDATE: Toll has finally admitted that a ransomware attack is the source of its persistent problems.)

The company says little beyond that it “is making progress in our recovery activities to restore our systems and client applications”, but this could be another major ransomware attack.

An anonymous source contacted the Australian IT publication ITnews and said more than 1,000 servers had been affected by ransomware. Staff were instructed not to turn on their desktop and laptop computers and to leave them disconnected from Toll’s corporate network.

The ransomware reportedly activates when users log in, which has forced Toll to take its computer systems offline.

Toll was asked whether the security incident was in fact a ransomware attack, and it did not deny it.

The logistics company’s IT is managed by Infosys, which also declined to provide further details.

If the Travelex ransomware experience is anything to go by, staying silent about what happened is not a good idea for Toll Group and Infosys. If it’s not ransomware, they should say so. If it is, sharing information about the attack could help prevent future “cybersecurity incidents”.

Travelex finally confirmed what everyone suspected was the case: that it had been hit by the REvil / Sodinokibi ransomware, from which the forex giant has still not fully recovered. We don’t know whether Travelex paid the ransom or not.

It is fair to say that the ransomware situation is getting worse every week and causing enormous damage.

REvil, for example, is rented out to affiliated ransomware crooks on a colossal scale: Dutch internet provider KPN tracked the REvil attacks it could find in the second half of 2019 and counted 150,000 unique infections.

Based on the ransom notes found in the REvil samples, KPN estimated that the criminals hoped to extort $38 million ($58.8 million) from the victims.

Again, this is just the number that KPN could see. The actual number of attacks is likely to be much higher, but not in Russia or the post-Soviet Commonwealth of Independent States, which are off-limits for the ransomware.

Ransomware attacks are not only becoming more frequent, they are becoming more malicious. As observed last year, ransomware criminals have started stealing data as well as encrypting computers.

Local security provider Emsisoft has been tracking the Maze ransomware gang, which has attacked a local authority in the United States, medical offices, and an accounting firm.

To pressure businesses into paying the ransom, the Maze gang names them on its website. To further “induce” companies to pay, the Maze criminals publish small samples of data taken from compromised computers.

“It’s the equivalent of kidnappers who send a finger,” said Brett Callow, threat analyst at Emsisoft.

No payment means more sensitive data is being released, and Emsisoft now reports that at least five law firms have been affected by Maze in the past week.

It doesn’t take much imagination to grasp the gravity of an escalation in which sensitive information about people’s legal matters is published on the Web.

Callow said some data had been posted on Russian hacker forums with a note saying to “use this information as badly as you want”.

The Maze gang has started charging $1 million for data decryption and a further $1 million for deleting the stolen data. As Emsisoft suggests, it is very unlikely that criminals will delete data from which they could make money at a later stage.

Again, it appears that ransomware victims are trying to hide that they have been attacked, with Emsisoft estimating that only a fifth of affected companies make a public disclosure.

That seems true: none of the companies affected by Maze that I contacted last month responded, even though the messages were delivered.

In one case, Maze released sensitive data about a company’s employees. This included home addresses, banking and insurance data, and drug test results.

The employer did not tell its employees, who, Callow said, did not find out until he called them to let them know that their personal information had been posted online.

Keeping it quiet, whether or not a ransom is paid, is guaranteed to encourage the criminals. Ransomware attacks should be reported.

Do that, and make sure you have current backups of all your data. Backups must be stored off-site and offline so that they cannot be deleted or encrypted along with everything else.
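“Current” backups are only useful if someone checks that they are both complete and recent before they are needed. The script below is an added example, not code from the article, from Toll, Travelex or Emsisoft; it assumes a hypothetical manifest file name (`MANIFEST.json`) and constructs its own sample files in a temporary directory, so it runs offline. It writes a SHA-256 manifest for a backup set, then verifies that every listed file is present and unchanged, that nothing unlisted has appeared, and that the manifest is no older than an allowed number of days.

```python
"""Hypothetical backup verification helper (added example, not from the article).

Two checks a defender wants before trusting an off-site or offline backup:
  1. integrity: every file listed in a SHA-256 manifest is present and unchanged,
     and no unlisted files have crept in;
  2. freshness: the manifest was written within an acceptable number of days,
     so "current backups of all data" is actually true.
Sample data is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MANIFEST_NAME = "MANIFEST.json"  # assumed file name; not from the article


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, now: Optional[float] = None) -> Dict:
    """Record the hash of every file in the backup set plus the time of writing."""
    now = time.time() if now is None else now
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[str(p.relative_to(backup_dir))] = sha256_file(p)
    manifest = {"created": now, "files": files}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, max_age_days: float = 1.0,
                  now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the backup passed both checks."""
    now = time.time() if now is None else now
    problems: List[str] = []
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    age_days = (now - manifest["created"]) / 86400
    if age_days > max_age_days:
        problems.append(f"backup is stale: {age_days:.1f} days old (limit {max_age_days})")
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified or corrupted: {rel}")
    # Files present in the backup but absent from the manifest are also suspicious.
    for p in backup_dir.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = str(p.relative_to(backup_dir))
            if rel not in manifest["files"]:
                problems.append(f"unlisted file: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: a good backup, a tampered copy, and a stale copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (backup / "hr.db").write_bytes(b"\x00\x01constructed sample bytes")

        t0 = 1_580_774_400  # constructed fixed timestamp (2020-02-04T00:00:00Z)
        write_manifest(backup, now=t0)
        good = verify_backup(backup, now=t0 + 3600)  # checked one hour later

        (backup / "hr.db").write_bytes(b"overwritten after the fact")  # simulate tampering
        tampered = verify_backup(backup, now=t0 + 3600)

        (backup / "hr.db").write_bytes(b"\x00\x01constructed sample bytes")  # put it back
        stale = verify_backup(backup, now=t0 + 5 * 86400)  # checked five days later
    return good, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "stale"), demo()):
        print(label, "->", result or "OK")
```

The manifest itself should live with the backup and, ideally, a second copy somewhere the production network cannot write to; an attacker who can rewrite both the files and the manifest defeats the integrity check, which is exactly why the article insists on off-site and offline storage.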

If you think the flood of ransomware attacks is not being taken seriously, you are not alone. Security experts say the situation is completely out of control and that ransomware attackers are operating more or less in the open. This must change, or we will never see the end of this devastating problem.

