Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Strengthening cyber resilience in the UK through managed service providers

The UK government has released a National Cyber Strategy to help guide the country’s strategic approach to combating the proliferation of cyber threats. As part of this strategy, the UK government is looking to expand its regulations under the Network and Information Systems (NIS) to include managed service providers (MSPs). The government’s efforts follow a string of supply chain attacks targeting SolarWinds, Microsoft Exchange Servers and the Colonial Pipeline. The UK government has highlighted a number of barriers to proper management of supply chain risks, including low risk recognition, limited visibility and insufficient expertise and tools to evaluate suppliers.

This strategic move by the UK government involves widening the scope of the NIS regulations to include MSPs. Original NIS regulations came into effect in 2018 to optimize cybersecurity offerings provided by companies within the essential services industries – water, energy, transport, healthcare and digital infrastructure. Expansion of the NIS regulations to include MSPs informs part of the UK government’s broader strategy to improve the country’s overall cyber resilience.

MSPs provide critical digital outsourcing services for IT departments and manage key business processes for many organizations. As such, MSPs play a vital role in promoting a digital-first economy. The UK government wants to ensure MSPs are fully prepared to manage ongoing cyber threats and protect the data integrity of their customers.

As the UK government moves forward with its plans, part of its proposal involves defining what an MSP does, from a commercial perspective. Under the proposed regulations, MSPs could be required to enact reasonable and proportionate security measures to protect their network and proactively manage the risks associated with services provided to customers. As of late, the NIS regulations that are being proposed could carry reporting requirements and heavy fines for those MSPs that don’t comply.

Embrace regulatory shifts with ease

We know adapting to these new and evolving requirements can be overwhelming.

Carbonite + Webroot are here to help. We offer a suite of business solutions to help keep your customers secure with reliable always-on protection, backup and recovery solutions designed to fit your needs.

Find the best solution for your business.

Social engineering: Cybercrime meets human hacking

According to the latest ISACA State of Security 2021 report, social engineering is the leading cause of compromises experienced by organizations. Findings from the Verizon 2021 Data Breach Investigations Report also point to social engineering as the most common data breach attack method.

Social engineering is a term used to describe the actions a cybercriminal takes to exploit human behavior in order to gain access to confidential information or infiltrate access to unauthorized systems and data.

What does social engineering look like?

Social engineering can take many forms. Some malicious actors might trick you into giving your password or financial information away. They may also try and convince you to provide remote access to your computer or mobile devices. Cybercriminals are looking for ways to gain your trust and take advantage of your curiosity by sending messaging that contains malicious links or downloads.

“One method of attack bad actors use quite frequently involves spoofing legitimate vendor support centers. Cybercriminals will pretend to represent these organizations by posting sponsored ads online or through promoted search results. They will offer assistance and sell expired or stolen products of the vendor they have impersonated. These cybercriminals prey on unsuspecting individuals who offer up their personal and financial information because they believe they are in contact with the real vendor,” says Tyler Moffitt, senior security analyst at Carbonite + Webroot, OpenText companies.

Some common social engineering tactics include:

  • Impersonating someone. An urgent request from a ‘friend’ or person you may know is a common tactic used by bad actors to compromise your information by attempting to gain your trust.
  • A legitimate-seeming request from a trusted source. A phisher may send an email, message or text that appears to be from a legitimate organization you interact with. According to the latest IDG report, phishing attacks are on the rise.
  • Oversharing personal information online. Some cybercriminals will gather intel through social networking sites like Twitter or Instagram and use that information to spoof various services or places you visit.

“Oversharing personal information online is especially dangerous for public figures or prominent employees. Cybercriminals conduct research online through a user’s social media channels to determine where a person visits and what activities a person participates in. Cybercriminals will then spoof their target with seemingly legitimate messages from that vendor with attractive offers. All they need is a click,” says Moffitt.

Avoid becoming a victim

To outwit social engineering attacks:

  • Slow down and remain in control. If you receive a message that conveys a sense of urgency to act, carefully consider whether you should respond.
  • Beware of what you download. Use a reputable web browser and remain conscious of what links you are accessing before clicking on them. Avoid downloading free applications that may possess remote access trojans that can compromise your device.
  • Delete any requests to provide financial information or passwords and report them as spam. Avoid responding to requests for help or offers to assist from individuals you don’t know.
  • Invest in security awareness training. Prevent your devices from becoming compromised by common attack vectors by investing in security awareness training. Testing yourself regularly with phishing campaigns can help you learn what to avoid.

As cybercriminals continue to exploit human behavior and take great strides to make their attack vectors appear harmless, it’s important to remain vigilant of how cyber threats continue to evolve.

Webroot offers a number of solutions to help you tackle these ongoing cyber threats. Experience powerful and reliable protection from Webroot that won’t slow you down. Whether it’s updating your antivirus software or learning to spot phishing traps with security awareness training, Webroot has you covered.

Find the best solution for your home or your business.

Considering cloning? Combat data bloat with file transfers instead.

If you own a computer that seems to have slowed to a crawl, you may be thinking about replacing it. But what about all the files on your old dinosaur? You may be thinking about transferring them to an external hard drive, a time-consuming and tedious process, or you may have heard of the far simpler process known as “cloning.”

Cloning is the act of creating a direct, one-to-one copy of a hard drive. Like the term suggests, cloning a computer will leave you with an identical copy of all the particular apps, files and settings on the device, which a user can then install onto a new one or keep as a backup in case something disastrous happens to the original.

Cloning is a pretty simple procedure and there are a lot of free tools to help you do it. But one problem it won’t help you solve is data bloat. Bloat is unwanted data that slows down a computer. This unwanted data can come in all types of different forms. It could be music, photos, games and apps, spreadsheets or text documents. One specific type of bloat, known as “software bloat,” occurs from successive updates to a computer program as they’re layered over one another time after time.

Generally, bloat is the result of the steady accumulation of more and more data as it’s added to your computer. Bloat eats away at the available memory on your hard drive and can lead to performance issues, most notably, slowing it down. If you’re experiencing frequent crashes, it may also be a problem with a corrupted file trying to execute.

You can’t clone the bloat away

Here’s where the problem with cloning comes in. Since a slow computer is a common reason for getting a new one, and cloning simply replicates all the data already stored on a device, it may not be the best strategy for getting existing files from an older computer onto a new one. Given that you’ve also probably updated your hardware, it won’t slam the breaks on your processing speeds immediately, but it’s an added burden right out of the gate.   

An alternative strategy is to back up your old device to the cloud and migrating files to the new one as needed. When done this way, all the old and unnecessary files you don’t think to update yourself aren’t taking up space on your shiny new laptop. When automatic cloud backup is installed, all the latest files from the initial computer exist online, ready to be pulled down to your device whenever a local copy is needed.

Transferring data piecemeal can also help identify anything problematic that’s causing a device to crash. Once isolated, it can be easier to uninstall or delete.

By storing the majority of your files in the cloud, you ensure free space remains on your hard drive log into the future. It’s less taxing on your device, and you’ll notice better performance as a result. There are also organizational benefits to having old files stored in one convenient location. If you’re combing for tax documents from previous years, for instance, you know where to grab them from your old drive. Without having to having to watch an old laptop inch along.

So, when it comes time to replace an old computer, think twice about cloning. Choosing cloud backup from Carbonite could help extend the life and improve the performance of that new device.

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups.

Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be compromised by ransomware in 2021. These were mainly hit with well-known variants, sometimes unleashed by state-backed hacking groups. But it’s key to understand that no “Top 10” list of ransomware incidents paints an accurate – or at least comprehensive – picture of the impact ransomware played over the last year.

That’s because, small businesses and not-for-profit organizations are often hit the hardest by ransomware. Here are a couple factors to consider that might help reframe how we think about ransomware, who’s targeted and why small businesses can’t escape the gaze of ransomware groups.

  1. Attach Surface vs. Cybersecurity Resources

In our 2021 Webroot BrightCloud® Threat Report, we found overall infection rates to be rising fastest in the healthcare, non-profit and arts/entertainment/recreation industries. Schools, local governments and hospitals are some of the most commonly targeted types of institutions, accounting for some 2,400 breaches in 2020, according to the Ransomware Task Force’s (RTF) 2021 report.

We don’t typically think of these organizations as having excess budget earmarked for ransomware actors, so why are they so often targets? What makes them attractive to cybercriminals? It turns out, it’s exactly this lack of resources.

Often operating with limited IT budgets, hospitals, schools and local governments also typically run some of the most complex and difficult to secure networks. Spread out over multiple locations and responsible for hundreds or even thousands of devices – factors referred to as the “attack surface” in information security – make these institutions attractive targets. To make matters worse, a shortage of cybersecurity professionals and budget constraints mean they handle these challenges short-staffed.

As a result, public school systems, police departments and towns were among major compromises in recent years.

  • “Average” Ransomware Costs Can Be Misleading

Many security companies justifiably try to quantify the costs of ransomware year over year. While almost all agree both the number of attacks and the demanded ransoms are rising, these stats can obscure the real story.

Leaving aside the fact that they’re almost certainly underreported – businesses tend not to disclose ransomware incidents to avoid negative publicity and fines from regulatory agencies – a few high-profile incidents can drive up averages and distort the perceived cost to small businesses.

“I could never afford a $50 million ransom like the one hackers demanded of Acer,” the thinking goes, “so I must not be worth their time.” While understanding, this conclusion misrepresents the problem.

In fact, the median ransom demand in 2021, according to advanced findings from our upcoming threat report, was $70,000. Still potentially bankruptcy-inducing, this figure is within reach for a far greater number of businesses. Hence, a larger number of businesses are considered acceptable targets by criminals actors.

  • Ransomware as a Service Changed the Game

Maybe it was the case once, but malicious actors no longer have to be savvy behind a keyboard. Ransomware as a service (RaaS) is an increasingly popular business model among malicious actors where interested parties can buy ransomware “products” – malicious code meant to encrypt a target’s files – from a developer online.

According to the RTF, “In 2020, two-thirds of the ransomware attacks…were perpetrated by cyber criminals using a RaaS model.”

While supply chain attacks and major breaches of global corporations still require a good deal of technical sophistication, cracking the dentist’s office down the street no longer does. All that’s needed is a working knowledge of the dark web, a connection to a developer with loose morals and some startup capital to purchase the code.

This means casting a wider net with smaller ransomware demands threatens to ensnare more small and midsized businesses than before this business model emerged.

Securing small businesses in the crosshairs

Business owners and the MSPs that secure them can see how a set of factors are converging to increase the cybersecurity risks to businesses of all sizes. Luckily, there are a few steps, relatively easy to implement, that can help these organizations reduce their risk of falling victim to ransomware – or to limit the scope of any successful attacks.

These include:

  • Locking down Remote Desktop Protocols (RDP) – As the trends from 2021 emerge, it’s become clear that open RDP ports are the most common method of compromise among small businesses. They’re simply too easy for cybercriminals to discover and exploit, so lock them down.
  • Educate end users – The next common method of compromise is phishing attacks, independent of company size. But our research suggests that regular phishing simulations can dramatically reduce click-through rates among frontline users.
  • Install reputable cybersecurity software– What used to be the main method of defense against malware is now only a single method of defense, but it’s still a critical one.
  • Set up a strong backup and disaster recovery plan– Misconfigurations and user-enabled breaches are almost impossible to stop entirely. Having backups of critical files can reduce the pressure to pay a ransom and undermine the leverage cybercriminals have against a business.

Interested in learning more about ransomware and its effects on businesses? Download our eBook on the Hidden Cost of Ransomware.

Threat hunting: Your best defense against unknown threats

Threat actors are becoming more sophisticated, agile and relentless in their pursuit of stealing personal information for financial gain. Rapid and evolving shifts in the threat landscape require the knowledge and solutions to prepare and prevent threats that could spell disaster for organizations’ reputations and operations.

Organizations of all sizes remain at risk. Small to medium-sized businesses (SMBs) and managed service providers (MSPs) are especially vulnerable to the stealth efforts of bad actors. With fewer financial resources, a ransomware payment demand could mean the difference between staying in business and closing up shop.

Government entities are also prone to attack. In December 2021, Belgium’s Ministry of Defence experienced a cyberattack exploiting the Log4j vulnerability that paralyzed the ministry’s computer network. Within the same month, Australia’s utility company, CS Energy, experienced a ransomware attack involving the well-known ransomware Conti.

Evolving cyber threats can be unpredictable, but that doesn’t mean businesses have to tackle them alone. A robust security stack can help businesses stay protected and prepared. Establishing this level of resilience involves partnering with a provider that has human-powered threat hunting resources.

What is threat hunting?

Threat hunting involves actively searching for adversaries before an attack is carried out. Threat hunting involves the use of tools, intelligence and analytics combined with human intervention. Threat hunting centers around the proactive containment and identification of potentially damaging files before malicious vectors can cause severe damage to an organization’s operations.

What does a threat research analyst do?

“At Webroot, we focus our efforts on analyzing customer data. Our threat research analysts examine this data to determine if malicious files are present. Our analysts are constantly looking for files that possess certain characteristics that make up various types of malware. If we identify and determine that critical elements of a suspicious file are present, we classify and block them. Making determinations can be approached in different ways. One avenue of determination is carried out by creating isolated conditions to run the suspicious file to see what results it presents,” says Marcus Moreno, manager, threat research at Carbonite + Webroot, OpenText companies.

“Since our database is comprised of mass quantities of SMB and MSP data, we can continue to make determinations from a large and evolving data set. This is why SMBs and MSPs can derive value from partnering with Webroot,” adds Moreno.

Take your security stack to the next level

Cyberattacks will continue to be a concern for businesses, governments and individuals. Combatting cyber threats means adopting a cyber resilience approach. Cyber resilience is the ability to remain operational in the face of threats – whether human or maliciously-based. One important element of a solid cyber resilience strategy is to remain in a pre-emptive and proactive stance. Avoid costly ransomware payment demands, bolster customer confidence and minimize downtime for business operations by investing in a solutions provider backed by threat hunting capabilities.

Discover how Webroot’s solutions can protect your business.

Report: Phishing Attacks Sustain Historic Highs

Phishing attacks sustain historic highs

In their latest report, IDG and the pros behind Carbonite + Webroot spoke with 300 global IT professionals to learn the current state of phishing. We learned that 93% of IT executives are still concerned about phishing – and it’s no wonder, as companies averaged 28 attacks each over the previous 12 months.

Luckily, the report details how to fight back. With the right preparation and the right protection, companies can prevent all but 0.3% of attacks.

Phishing capitalizes on COVID

Phishing attacks have been part of the cybercriminal arsenal for years. But it’s only recently that phishing has flourished into the scourge it is today. That’s because cybercriminals have found success by targeting COVID-19 fears with their schemes.

In fact, phishing attacks spiked by 510% from just January – February 2020, according to the 2021 Threat Report. These increases leveled off by the summer, but phishing attacks still increased 34% from September – October 2020. Overall, 76% of executives report that phishing is still up compared to before the pandemic.

COVID-based tactics might purport to have new info on a shutdown, to share COVID stats or even suggest info from your doctor. But in each case, cybercriminals are looking to steal your information.

Who’s getting attacked?

IT departments are feeling the brunt of these attacks, with 57% of them targeted by phishing. Carbonite + Webroot Sr. Security Analyst Tyler Moffitt says, “Even if malware targets someone with lower-level access, the attack will move laterally to eventually find an IT administrator.”

He goes on to say that attackers can then linger for a week or more to find valuable data or steal a balance sheet that gives an indication of how much ransom to charge.

Because they often have important credentials, top executives and finance groups are also common targets. Public-facing customer service employees also offer easy access.

Consequences of phishing

75% of global IT executives say they’ve suffered negative consequences from phishing attacks. That includes:

  • 37% suffered downtime lasting more than a day
  • 37% suffered exposure of data
  • 32% lost productivity
  • 19% had to pay legal or regulatory fines

A layered approach to security

But it’s not all bad news. Yes, phishing is using new tactics to target businesses. But there are ways to fight back.

The report cites training as one of the most effective tools. But the frequency of training varies greatly, and 25% of those who use it don’t include phishing simulations. By using security awareness training that offers regular simulations, you can reduce phishing by up to 70%.

But even with great training, the report notes that people will still click some of the time. That’s why a multi-layered approach gives peace of mind that not all is lost if one person messes up.

No layer is 100% effective, but taken together many layers get very close. A defense in depth security posture utilizing DNS and endpoint detection as well as a sound backup strategy can give you confidence that you’re prepared to withstand even a successful phishing attack.

Ready to start protecting yourself and your business? Explore how Carbonite + Webroot provide a full range of cyber resilience solutions.

Download the IDG report.

Data Privacy Week 2022: The Security Awareness Canary in the Coalmine

Whether you’re shopping for the latest tech gadgets or checking your work email, your online presence is susceptible to malicious threats. No industry or sector is immune. Even in the early days of 2022, a hospital in Jackson, Florida, experienced a ransomware attack that left medical professionals struggling to access patient records. Attacks like this not only have implications for patient care, but they also serve as a stark reminder of ongoing privacy issues in the online realm. As consumers and businesses are becoming increasingly more concerned about their data privacy, understanding how to protect that information becomes vital.

This week, the global community is rallying together to raise awareness about online privacy through Data Privacy Week.

What is Data Privacy Week?

Data Privacy Week began as a day of awareness in the United States, Canada and Europe and to commemorate the signing of Convention 108, the first internationally binding agreement addressing privacy and data protection. This year, the initiative has expanded to a week-long effort to generate awareness.

As data privacy and security implications become important for both businesses and individuals, there are a series of steps everyone can take:

  • Adopt privacy mindfulness. Whether it’s for your home or your business, ensure you take privacy into account when you agree to the terms and conditions of items available for download from the internet or when you create a program that may expose your employees to online risk.
  • Educate yourself. Avoid common attempts to compromise your information and identity by investing in security awareness training. Participate in simulated modules to test your knowledge and learn what traps to avoid.
  • Back up your precious files. Not ready to part with your personal information? Make sure it’s backed up. That way, if you experience accidental or malicious data loss, your information is secure and accessible.
  • Use antivirus software. Ensure online activities like shopping and browsing are secure by investing in a reliable antivirus. Adhere to updates and always renew your subscription to avoid a lapse in protection.
  • Partner with a reliable provider. Some providers offer free protection and backup solutions, but can you really trust them? Always do your research and select a reputable provider to keep your devices and data safe.

From the rise of ransomware as a service (RaaS) to the use of malware to disrupt the political landscape, security, privacy and governance remain at a crossroads. With no signs of a resolution apparent, it’s important for everyone to take stock of their security stack.

One reliable approach is to adopt cyber resilience. Cyber resilience is a multi-layered, defense in depth strategy to ensure continuous access to your personal and business data no matter what happens.  Establishing cyber resilience begins by assessing your current defense approach and employing the tools and know-how to remain protected and prepared for unknown threats. Whether it’s taking the time to educate your staff, upgrading your antivirus solution or investing in a reliable backup provider, make cyber resilience a priority.

This Data Privacy Week, let’s move beyond just becoming more aware of bad actors. Let’s take action to protect our data and our privacy. 

Survey: How well do IT pros know AI and machine learning?

What do the terms artificial intelligence and machine learning mean to you? If what comes to mind initially involves robot butlers or rogue computer programs, you’re not alone. Even IT pros at large enterprise organizations can’t escape pop culture visions fed by films and TV.

But today, as cyberattacks against businesses and individuals continue to proliferate, technologies like AI and ML that can drastically improve threat detection, protection and prevention are critical. This is even more true as workforces continue to operate remotely in such numbers.

That’s why, for a few years now, we’ve been conducting surveys of IT professionals to determine their familiarity with, and attitudes toward, artificial intelligence (AI) and machine learning (ML). For the purposes of this report, we surveyed IT decision-makers at enterprises (1000+ employees), small and medium-sized businesses (<250 employees), and consumers (home users) throughout the U.S., U.K., Japan, and Australia/New Zealand. 

As a result, we learn about:

  • Baseline cyber hygiene, including what cybersecurity tools are in use and how they’re used
  • General experience with data breaches and attitudes toward the safety of their data
  • How many organizations use cybersecurity tools with AI components
  • Whether IT admins feel that AI actively contributes to the safety of their organizations or is marketing fluff

We titled this year’s survey Fact or Fiction: Perceptions and Misconceptions of AI and Machine Learning and expanded it to include professionals in the enterprise, mid-market organizations and private individuals. It’s one of the largest and most thorough reports on the topic we’ve put together to date and is packed with interesting findings.

Historically, we’ve seen significant confusion surrounding AI and ML. IT professionals are generally aware that they’re in-use, but struggle to voice how they’re helpful or what it is exactly that they do. In Australia, for instance, while the bulk of IT decision makers employ AI/ML-enabled solutions, barely over half (51%) are comfortable describing what they do.

Nevertheless, adoption of AI/ML-enabled technologies continues to rise. Today, more than 93% of enterprise-level businesses report using them. Overall, slightly less than half (47%) call increasing adoption of AI/ML their number one priority for addressing cybersecurity concerns in the coming year.

Here are a few other key takeaways regarding enterprise attitudes toward AI/ML:

  • Understanding is growing – But more education is still required, so vendors must focus on benefits of AI/ML in terms of the bottom line and an enhanced security posture.
  • AI/ML are key to repelling modern threats – Especially for remote workforces, advanced technologies are emerging as a key component for ensuring uptime and availability for clients.
  • AI/ML can differentiate a business – Buyers are looking to invest in their tech stacks to stay out of the headlines for suffering a breach. As understanding of AI/ML grows, more are looking for these capabilities in their cyber defenses.

For the mid-market and individuals, another theme has persisted through our studies: overconfidence.

Among IT professionals at businesses with fewer than 250 employees, almost three-quarters (74%) of respondents believe their organizations are safe from most cyberattacks. But 48% have also admitted to falling victim to a data breach at least once. Interestingly, despite their confidence in their cybersecurity, the same respondents also believe their security situation has been worse by COVID-19.

Other notable findings among small and mid-sized businesses include:

  • They’re beginning to recognize they’re targets – SMBs are catching onto the fact that cybercriminals pick off weak targets and realizing this fact’s implications for their supply chains.
  • Limited IT budgets must be spent wisely – Without the resources to hire full-time IT staff, it becomes critical that a security stack defends against all the most common forms of attack (and their consequences).
  • User education is key – If a business can’t spring for top-of-the-line cybersecurity solutions, educating users on how to keep from enabling breaches can go a long way towards building a strong defense with relatively little investment.

Consumers continue to report abysmal habits in their personal online lives. Less than half use an antivirus or other security tool. Only 16% report using a VPN when connecting in public spaces and 48% have had data stolen at least once. On the brighter side, constant headlines concerning corporations leaking consumer data have made consumers wary about who they give their data to and how much. This healthy skepticism is a good sign as the next large data breach is likely just around the corner.

Some valuable learning from the consumer sector, and how it bleeds over into the corporate sector, include:

  • Business breaches affect consumers’ data – And they know it. Consumers are wary of providing too much sensitive data to companies after being barraged by news of high-profile hacks and data breaches.
  • Consumers ARE NOT taking proper precautions – Fewer than half of home users have antivirus, backup or other cybersecurity measures in place. In all, 11% take no precautions online. This finding is especially relevant if remote workers are using personal devices for business.
  • Unsurprisingly, AI/ML knowledge is lacking – When paid IT professionals don’t understand the technology, it may not be practical to expect the average consumer to be. But consumers should do their research on the tech powering their protection before committing to a VPN, antivirus or backup solution.

For the report’s complete findings, including a breakdown of cybersecurity spending by business size, download the full report.

The 6 Nastiest Malware of 2021

Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends.

And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.

How malware disrupted our lives

These days, every major ransomware campaign runs a “double extortion” method, a scary prospect for small businesses. They steal and lock files away and they will absolutely leak data in the most damaging way if a ransom settlement is not reached.

Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware.

This highlights the importance of user education – training users to avoid clicking these phishing lures or preventing them from enabling macros from these attachments are proven in stopping malware in its tracks.

While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This allows each group to specialize on their respective payload and perfect it.

This year’s wicked winners

Lemonduck

  • A persisting botnet with a cryptomining payload and more
  • Infects via emails, brute force, exploits and more
  • Removes competing malware, ensuring they’re the only infection

REvil

  • The Nastiest Ransomware of 2021 that made headlines with supply chain attacks
  • Many attempts to shutdown the REvil group have so far failed
  • Their ransomware as a service (RaaS) platform is on offer to other cybercriminals

Trickbot

  • Decade old banking and info-stealing Trojan and backdoor
  • Disables protections, spreads laterally and eventually leads to ransomware like Conti
  • Extremely resilient, surviving numerous attacks over the years

Dridex

  • Banking and info-stealing Trojan and backdoor
  • Spreads laterally and listens for domain credentials
  • Eventually leads to ransomware like Grief/BitPaymer/DoppelPaymer

Conti

  •  Longstanding ransomware group also known as Ryuk and likely linked to LockFile ransomware
  • TrickBot’s favorite ransomware
  • Will leak or auction off data if victims don’t pay the ransom

Cobalt Strike

  • White hat-designed pen testing tool that’s been corrupted and used for evil
  • Very powerful features like process injection, privilege escalation and credential harvesting
  • The customizability and scalability are just too GOOD not to be abused by BAD actors

Victimized by malware

The good news (I guess) is that last year’s average ransom payment peaked at $200,000 and today’s average is just below $150,000.

The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience.

The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it. To top it off, supply chain attacks are becoming a massive issue.

Protect yourself and your business

The key to staying safe is a layered approach to cybersecurity backed up by a cyber resilience strategy. Here are tips from our experts.

Strategies for business continuity

  • Lock down Remote Desktop Protocols (RDP)
  • Educate end users
  • Install reputable cybersecurity software
  • Set up a strong backup and disaster recovery plan

Strategies for individuals

  • Develop a healthy dose of suspicion toward messages
  • Protect devices with antivirus and data with a VPN
  • Keep your antivirus software and other apps up to date
  • Use a secure cloud backup
  • Create strong, unique passwords (and don’t reuse them across accounts)
  • If a download asks to enable macros, DON’T DO IT

Discover more about 2021’s Nastiest Malware on the Webroot Community.

Supply chain attacks are closing in on MSPs

If you attended Black Hat this year, you couldn’t avoid the topic of supply chain attacks. From keynotes to vendor messaging to booth presentations, they were a ubiquitous topic in Las Vegas this year.

Supply chain attacks are cyberattacks targeting an upstream vendor for the ultimate purpose of compromising one or more of its customers. Cybercriminals are aware that, by compromising updates from trusted vendors, they can easily bypass installed security software to infect all customers that install it.

Essentially, compromising a software vendor allows damage to cascade down the supply chain to another supplier– a consequence sometimes known as the “waterfall effect” – to increase collateral damage against multiple targets.

Black Hat founder Jeff Moss even began this year’s conference with a few words about software supply chains.

“We all rely on the software supply chain,” he said. “We’re building tools and systems based on it. We’re trusting it. We’re hoping that people in the supply chain…are doing things to help everyone else in the supply chain. Because, if they don’t, everything we do is potentially vulnerable.”

“We all depend on the supply chain being fully immunized,” he continued, “and it’s not there yet.”

Now, “not there yet” is putting it mildly. A few recent, high-profile attacks bear recalling to demonstrate the scope of the problem.

SolarWinds

For many within cybersecurity, the SolarWinds attack by what are widely believed to be state-sponsored cybercriminals was the most significant supply chain attack since the Cleaner attack of 2018 and a worrying reminder of the damage made possible by the tactic.

SolarWinds is a Texas-based IT management platform that unknowingly pushed a Trojanized update to a large portion of its some 300,000 customers. It’s believed that the attackers concealed their presence within the victim’s network for some time to ensure they could carefully select their next targets and preserve time for intelligence gathering.

While not widely known at the time, it’s now assumed that this wide-net attack was ultimately an effort to compromise a handful of high-value intelligence and governmental agencies. Second-stage infections were then pushed against these targets, plus some of the world’s most influential technology vendors.

Critically, this type of espionage-inspired cyberattack differs a great deal from moneymaking practices embraced by for-profit hacking groups. These broadly targeted attacks against suppliers cause widespread disruption without obviously disrupting a specific target.

Codecov

Another supply chain attack targeted Codecov, a software development firm that makes tools for developers, in January 2021. Investigators told the newswire service Reuters that attackers were able to use the access they’d gained to breach hundreds of Codecove customers.

As was the case with SolarWinds, compromising Codecov may have presented access to other software vendors, which could have initiated the waterfall effect presented previously. The firm counts among its clients giants like IBM, Hewlett Packard and Atlassian.

The infosec researcher Matt Tait, who spoke at this year’s Black Hat on the topic of supply chain attacks, called the Codecov compromise an instance of high-volume disruption based on indiscriminate targeting.

According to the company, information stolen from customer devices was then sent to a third-party server outside of Codecov’s control, suggesting that espionage may have once again been the end-goal of the attackers.

Kaseya

Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world’s largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike in the SolarWinds and Codecov, this attack included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers.

REvil targeted Kaseya’s remote monitoring and management (RMM) solution, known as Kaseya VSA, which is used to manage client machines from afar. Again, targeting was indiscriminate, but unlike with espionage actors, the ransomware gang could focus on maximizing financial returns of the attack rather than trying to avoid detection.

Describing the impact of this attack, the USC Berkeley infosec researcher Nicholas Weaver noted that, “Each victim is a small-to-medium-sized business that is going to, at best, find its computers unusable and, at worst, have all their data lost forever.”

In terms of the cascading effects of a supply chain attack, the Kaseya VSA compromise hit MSPs and their small business clients especially hard.

Protecting

Like a technology that advances through state-sponsored R&D but then becomes available to a wider public, recent supply chain attack techniques were honed by state-backed actors but have now been adopted by more run-of-the-mill ransomware actors. This is bad news for MSPs.

While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold. The problem is a significant security challenge, and one that some think only vendors can solve.

But there are a few measures MSPs can take to enhance their defenses against supply chain attacks. These include:

  • Layer cybersecurity defenses for both you and your clients. Supply chain attacks commonly evade defenses by sneaking in with a trusted update. But after the initial compromise, network security can block communication with known-malicious IP addresses to limit damage.
  • Mandating two-factor authentication (2FA) wherever possible. While 2FA isn’t the end of security issues, it makes things more difficult for cybercriminals at every turn.
  • Monitor for anomalous web traffic. Be wary of communications with previously unknown IP addresses, unusual application traffic and other out-of-the-ordinary happenings on your network. Consider following these steps to reducing the time to detection of a compromise if one occurs.
  • Push patches and updates with urgency. Zero-day vulnerabilities often play a key role in advancing the spread of supply chain infections. Closing those gaps as soon as possible is an actionable step MSPs can take to protect themselves and their clients.
  • Back up everything. One of the most surefire ways of reducing the leverage an attacker has over you and your clients is keeping multiple backups of critical business data. Cybercriminals can’t be trusted to restore data even after a ransom is paid, so don’t be left relying on them.
  • Test your backup plan. The day disaster strikes is not the time to discover if your disaster recovery plan is well designed. Instead, simulate a worst-case scenario ahead of time and see if any gaps emerge.

As global cybercrime collectives continue to experiment with supply chain attack techniques, we should expect more indiscriminate, wide-net infections to make headlines. To prevent passing these infections along to their clients, vendors must take the lead in security their products and processes. But MSPs aren’t helpless in protecting themselves and their clients.  

Podcast: Can we fix IoT security?

For many U.S. workers the switch to remote work is a permanent one. That means more high-stakes work is being conducted on self-configured home networks. For others, home networks are simply hosting more devices as smart doorbells, thermostats and refrigerators now connect to the internet.

Security experts warn that while the internet of things (IoT) isn’t inherently a bad thing, it does present concerns that must be considered. Many devices come pre-configured with inherently poor security. They often have weak or non-existent passwords set as the default.

As our guest and host Joe Panettieri discuss, these are issues that would be addressed on corporate networks by a professional IT administrator. The conversation covers the issues of IoT and home network security both from the perspective of the average family household and what the age of remote work means for employees working on their own networks.

Security intelligence director Grayson Milbourne brings a unique perspective to the podcast. Having held senior roles in both threat intelligence and product management, Milbourne is acutely aware of what the threats security products come up against. He knows both the cyber threat landscape and the consumer internet security market, so he’s able to provide insightful advice for how tech-loving homeowners can keep personal networks powerful and protected. 

Milbourne suggests problems of IoT and home network security could be addressed with a cybersecurity version of ENERGY STAR ratings. A program could formalize current IoT security best practices and incorporate them into a standard consumers recognize.  

During this informative podcast, Panettieri and Milbourne discuss that idea and more cybersecurity topics related to IoT devices. They cover:

  • The difference between device security and the security of the app used to control it
  • How to leverage user reviews while researching IoT devices and what security concerns to check on before buying
  • Privacy and data collection issues, including why one of the most common IoT devices may be among the most intrusive
  • Configuring IoT devices to prevent them from joining rogue IoT zombie networks

Targeted assets: The need for cyber resilient infrastructure

Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.

As of now, we still don’t know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial’s network have yet to emerge. The FBI has confirmed that Darkside, a ransomware as a service (RaaS) group, was behind the attack but background on that group is about the only place where information is plentiful.   

We still don’t know if a ransom has been paid. Or if Colonial was able to completely isolate its operational network from its corporate systems – the intended target of the attack according to the company – or if Darkside could have bridged that gap.

Based on the Darkside’s own statements and analyses of its past behavior, experts believe the attack wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. But that’s beside the point.

It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.  

And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.

Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.

The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn’t limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they’ve ever been before, but cybersecurity is often an afterthought in their design if it’s one at all. One source claimed it was communication between an ICS and Colonial’s corporate networks, responsible for simplifying the billing process, that caused concern about the attack spreading to operational systems.

Making more cyber resilient infrastructure

After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2017 attacks against Ukraine’s power grid from happening here?

Here are a few suggestions:

  • Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.
  • Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.
  • Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.
  • Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.

For the time being, major damage and fears of prolonged fuel shortages may be unfounded with the Colonial Pipeline attack. But we need to act deliberately now in order to avoid relying on the same luck in the future.