Many of us are ready to be done with 2020—it’s been a tough year. But the silver lining is that the cybersecurity community has learned a great deal, and we wanted to share some of the lessons learned.
In many ways, 2020 dramatically accelerated existing trends. The criminal activity we have seen so far in 2020 is a continuation, with more sophisticated tactics and tooling, of the attack trends defenders have been working to prevent and detect for some time. Alongside the technical advances, attack targeting has also become more refined.
For example, attackers are focusing on particular job roles and industries to obtain specific data and using more refined research to appeal to their victims. Research and reconnaissance across the web to gather intelligence about their targets allows malicious emails to appear more credible, making them more likely to be effective.
Although the core of what the cybersecurity industry is experiencing did not change in 2020, certain key factors definitely did.
Increased frequency of attacks. There is typically a decrease in cyberattacks after the first of the year, but in 2020 we did not see this. We saw an increase in the volume of attacks across all vectors.
Attacks leveraging hot topics and chaos. The pandemic, economic stabilization mechanisms like stimulus checks, social unrest, and a presidential election all arrived in a single year. There has been no shortage of emotional, urgent, and volatile events offering perfect cover for malicious email campaigns. As just one point of reference, by mid-April there were more than 1.2 million registered domains referencing COVID-19 or coronavirus.
Disrupted workforce. Due to COVID-19, millions of Americans are now working from home, and this arrangement is expected to continue for many months. Previously, many organizations did not allow employees to work from home, especially in highly regulated industries like banking and healthcare. Therefore, many of these organizations had no policies or remote capacity in place. They were forced to enable remote work virtually overnight, and they are just now getting to the cybersecurity part of the equation.
Ransomware-as-a-service. Ransomware-as-a-service offerings did not first appear in 2020, but their use grew dramatically. Until recently, launching an attack required significant technical knowledge, especially for advanced techniques like polymorphic malware, supply chain attacks, packers, and fileless malware. Now criminals can go onto the dark web and purchase these capabilities, sharply reducing the technical skill required.
The cybersecurity industry has learned numerous lessons in a short period. The following are three of the attacks we found most interesting, and the lessons we can all learn from them. The views and opinions expressed in this article are those of SilverSky cybersecurity experts and draw on publicly available sources such as news articles. The information shared in the webinar is intended to be directional (observed trends), rather than diagnostic recommendations for your specific organization.
For a fascinating analysis of 9 additional 2020 cybersecurity attacks, view the Hindsight Is 2020 on-demand webinar.
Tillamook County, Oregon
When: January 2020
The attack used REvil (also known as Sodinokibi) ransomware. REvil is an international cybercriminal group known to law enforcement that runs a ransomware-as-a-service operation, so the REvil operators themselves were unlikely to have launched this particular attack; more likely an affiliate deployed REvil's encryption malware against the county's computer and telephone systems.
The county's rapid response limited the encryption to 17 of its 55 servers and 5 of its 285 workstations.
The county maintained a redundant backup designed to protect its systems in the case of a natural disaster, but it was not designed to withstand a cyberattack, and the malware encrypted the backup as well. The county spent hundreds of hours trying to recover from its backups before concluding that operations could not be restored without the decryption key. Officials determined that rebuilding the systems would have taken one to two years and cost up to one million dollars. Ultimately, officials decided to pay the $300,000 ransom.
The encryption malware shut down all workstations, servers, phones, and email, forcing officials to return to manual processes for 72 hours.
The Lessons Learned
- Ensure backups are protected from ransomware.
- Consider an endpoint detection and response (EDR) solution that protects endpoints and offers the ability to roll back to the pre-attack state if breached.
- To pay or not to pay is a difficult decision. Most cybersecurity experts recommend against paying, but that is sometimes easier said than done.
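The Tillamook backup was only discovered to be unusable after the attack. One cheap control that catches this before a real incident is to plant canary files with known contents in each backup set and verify them on every backup cycle: a canary whose hash no longer matches, or whose byte entropy has jumped toward 8 bits per byte, has been encrypted or overwritten, and a missing canary means the set is incomplete. The following is an added example written for this article, not tooling used by Tillamook County or SilverSky; the directory layout, canary names, and the 7.5 bits/byte threshold are assumptions, and the "encryption" in the demo is a seeded random byte stream standing in for real ciphertext.

```python
"""Canary-based verification of a backup set against ransomware encryption.

Added example for this article (not Tillamook County or SilverSky code).
Assumptions: canaries are plain-text files at the root of the backup set,
the manifest of known-good SHA-256 digests is stored where the backup host
cannot write to it, and anything above ENTROPY_THRESHOLD looks encrypted.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; compressed or encrypted data approaches 8.0


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def record_manifest(backup_dir, canary_names):
    """Digest the canaries while the backup is known-good; keep this off the backup host."""
    return {name: sha256_file(os.path.join(backup_dir, name)) for name in canary_names}


def verify_backup(backup_dir, manifest, entropy_threshold=ENTROPY_THRESHOLD):
    """Compare every canary in the manifest against the current backup contents."""
    report = {"ok": [], "tampered": [], "missing": [], "high_entropy": []}
    for name, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            report["missing"].append(name)
            continue
        if sha256_file(path) != expected:
            report["tampered"].append(name)
            with open(path, "rb") as f:
                # A hash mismatch plus near-maximal entropy is the ransomware signature
                if shannon_entropy(f.read()) >= entropy_threshold:
                    report["high_entropy"].append(name)
        else:
            report["ok"].append(name)
    return report


def run_demo():
    """Constructed scenario: three canaries; one gets 'encrypted', one is deleted."""
    with tempfile.TemporaryDirectory() as backup_dir:
        canaries = ["canary_a.txt", "canary_b.txt", "canary_c.txt"]
        for name in canaries:
            with open(os.path.join(backup_dir, name), "w") as f:
                f.write(f"{name}: known-good canary content, version 1\n" * 64)
        manifest = record_manifest(backup_dir, canaries)

        # Simulate ransomware overwriting canary_b (seeded PRNG stands in for ciphertext)
        rng = random.Random(2020)
        with open(os.path.join(backup_dir, "canary_b.txt"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
        # Simulate a canary (and therefore part of the set) being destroyed
        os.remove(os.path.join(backup_dir, "canary_c.txt"))

        return verify_backup(backup_dir, manifest)


if __name__ == "__main__":
    print(run_demo())
```

The check detects an encrypted backup; it does not prevent one. The manifest and at least one copy of the backups still need to live where the production environment cannot write to them (offline media, or object storage with an immutability lock), otherwise the same malware that encrypts the canaries can also rewrite the manifest.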
Hammersmith Medicines Research
When: March 2020
Hammersmith Medicines Research is a UK medical firm that was designated to test COVID-19 vaccines. The Maze group launched a ransomware attack on March 14, but Hammersmith's IT and security team detected the attack while it was still in progress and stopped it right away. The team was also able to restore computer systems and email by the end of the day.
Although the Maze group is notorious for threatening to release stolen data unless payment is made, Hammersmith Medicines Research stated that it had no intention of paying the ransom.
The attackers nonetheless exfiltrated 8 to 20 years of sensitive historic medical data for more than 2,300 patients. Stopping the encryption quickly limited the disruption, but the data theft that precedes a Maze encryption run had already happened.
The Lessons Learned
- Around-the-clock monitoring is essential.
- Strongly consider an EDR solution. Hammersmith likely had an EDR solution in place that allowed them to detect the intrusion and act quickly while sharply reducing the damage.
- Incident response plans must include strategies for swiftly reacting to attacks, not merely recovering from them.
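What "detecting the attack while it was still in progress" means in practice is a monitoring rule that fires while files are still being renamed, not after the ransom note appears. The added example below, written for this article and not Hammersmith's or SilverSky's tooling, implements the classic EDR heuristic over constructed file-rename telemetry: alert when one process renames more than a threshold of distinct files to a new extension inside a short sliding window, while a backup agent rotating logs with the same extension stays quiet. The event tuple layout, process names, paths, the 20-file threshold and the 10-second window are all assumptions.

```python
"""Mass-rename detection: the 'ransomware in progress' heuristic an EDR applies.

Added example for this article (not Hammersmith or SilverSky code). Input is
constructed file-rename telemetry shaped as (timestamp, pid, process, old_path,
new_path); the threshold and window are assumed values a team would tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

RENAME_THRESHOLD = 20            # distinct files renamed to a new extension...
WINDOW = timedelta(seconds=10)   # ...by one process within this sliding window


def build_sample_events():
    """Constructed telemetry: one benign log-rotation burst and one encryption run."""
    base = datetime(2020, 3, 14, 2, 0, 0)
    events = []
    # Benign: a backup agent rotates 30 logs over five minutes; extension stays .log
    for i in range(30):
        events.append((base + timedelta(seconds=10 * i), 1201, "backup-agent",
                       "/var/log/app/app.log", f"/var/log/app/app.{i}.log"))
    # Malicious: one process rewrites 40 documents to .locked within four seconds
    for i in range(40):
        events.append((base + timedelta(seconds=60, milliseconds=100 * i), 4410, "updater.exe",
                       f"/srv/share/docs/report_{i}.docx", f"/srv/share/docs/report_{i}.docx.locked"))
    return sorted(events, key=lambda e: e[0])


def extension_changed(old_path, new_path):
    """'report.docx' -> 'report.docx.locked' changes the suffix; 'app.log' -> 'app.3.log' does not."""
    return PurePosixPath(old_path).suffix.lower() != PurePosixPath(new_path).suffix.lower()


def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return one alert per process that renames >= threshold distinct files to a new extension within window."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, old_path) for extension-changing renames
    alerted = set()
    alerts = []
    for ts, pid, proc, old_path, new_path in sorted(events, key=lambda e: e[0]):
        if not extension_changed(old_path, new_path):
            continue
        q = recent[pid]
        q.append((ts, old_path))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)   # alert once; the response (kill/isolate) happens here, not after the run finishes
            alerts.append({"pid": pid, "process": proc, "first_seen": q[0][0],
                           "triggered_at": ts, "files": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_events()):
        print(alert)
```

In the constructed run the alert fires at the twentieth rename, about two seconds into a four-second encryption burst, which is the window in which killing the process and isolating the host still saves most of the share. The rule says nothing about exfiltration, which is why the Hammersmith data was already gone; catching that requires separate monitoring of outbound volume and destinations.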
Texell Credit Union
When: September 2020
On May 14, Texell discovered suspicious activity involving an employee's email account. It hired a firm to conduct an extensive review and determine the impact on the affected account. In early July the review confirmed that the compromised account contained some of their members' personal information. Although the breach was discovered on May 14, 2020, Texell did not notify its customers until September 3.
The number of affected records was not disclosed, but the exposed data included names, addresses, Social Security numbers, and bank account numbers. Texell also suffered significant reputational damage by waiting so long to reveal that member data had been stolen.
The Lessons Learned
- Advanced and modern email security is essential for adequate protection. Both access to the email account (who can sign in, from where, and with what client) and the content flowing into the mailbox (inbound phishing and malware) must be protected.
- Rapid and transparent communications build trust and limit reputational damage.
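Protecting access to the account, the first half of that lesson, is as much a detection problem as a prevention one: a business email compromise usually leaves a trail of failed logons followed by a success from an unfamiliar place or an unexpected legacy client. The added example below, written for this article rather than taken from Texell's or SilverSky's environment, runs two such checks over constructed mailbox sign-in records: a successful sign-in from a country absent from the user's own history of successful sign-ins, and a success that follows a burst of failures for the same user within a short window. The event layout, user names, the RFC 5737 documentation IP addresses, and the five-failures-in-ten-minutes threshold are assumptions.

```python
"""Mailbox sign-in anomaly detection for business email compromise.

Added example for this article (not Texell or SilverSky code). Input is
constructed sign-in telemetry shaped as
(timestamp, user, source_ip, country, client, success); the thresholds are
assumed starting values. IPs come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_BURST = 5                 # failures for one user...
BURST_WINDOW = timedelta(minutes=10)  # ...within this window before a success


def build_sample_signins():
    """Constructed records: alice's normal baseline, an attack on alice, bob's normal day."""
    base = datetime(2020, 5, 12, 8, 0)
    events = []
    # Baseline: alice signs in from the US with Outlook, twice a day for two days
    for day in range(2):
        for hour in (0, 5):
            events.append((base + timedelta(days=day, hours=hour), "alice@example.test",
                           "198.51.100.7", "US", "Outlook", True))
    # Attack: six failed IMAP logons from a new country, then a success two minutes later
    t = base + timedelta(days=2, hours=3)
    for i in range(6):
        events.append((t + timedelta(minutes=i), "alice@example.test",
                       "203.0.113.42", "NG", "IMAP", False))
    events.append((t + timedelta(minutes=7), "alice@example.test",
                   "203.0.113.42", "NG", "IMAP", True))
    # Control: bob's only sign-in; a first-ever sign-in has no baseline and must not alert
    events.append((base + timedelta(days=2, hours=1), "bob@example.test",
                   "198.51.100.8", "US", "Outlook", True))
    return sorted(events)


def detect_suspicious_signins(events, failure_burst=FAILURE_BURST, burst_window=BURST_WINDOW):
    """Flag successful sign-ins from a country outside the user's history or after a failure burst."""
    known_countries = defaultdict(set)   # user -> countries seen on unflagged successful sign-ins
    failures = defaultdict(list)         # user -> timestamps of failures since the last success
    alerts = []
    for ts, user, ip, country, client, success in sorted(events):
        if not success:
            failures[user].append(ts)
            continue
        reasons = []
        if known_countries[user] and country not in known_countries[user]:
            reasons.append(f"first successful sign-in from {country}")
        recent = [f for f in failures[user] if ts - f <= burst_window]
        if len(recent) >= failure_burst:
            reasons.append(f"{len(recent)} failed attempts in the preceding {burst_window}")
        if reasons:
            alerts.append({"user": user, "time": ts, "ip": ip, "country": country,
                           "client": client, "reasons": reasons})
        else:
            # Only unflagged successes extend the baseline, so an attacker's
            # country does not become "normal" just because the logon succeeded
            known_countries[user].add(country)
        failures[user] = []   # a success closes the current failure burst
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_signins(build_sample_signins()):
        print(alert)
```

The alert in the constructed data carries both reasons and names the client, which matters: a success over IMAP after a burst of failures is a strong sign that a legacy protocol without multi-factor authentication was the way in, and disabling such protocols closes the gap rather than just detecting it. The rule is silent on a user's very first sign-in because it has nothing to compare against; seeding the baseline from a few weeks of history before enforcing is the usual way around that.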
To learn lessons from 9 additional 2020 cybersecurity incidents analyzed by SilverSky experts, view the Hindsight Is 2020 on-demand webinar.
Cybercriminals have gotten more sophisticated, attacks have become more relentless, and the technical knowledge required to keep your organization safe has grown exponentially. But don’t get overwhelmed. At SilverSky, we spend all day, every day providing solutions to defend our clients’ organizations. We employ the diverse technologies and technical expertise required to stand up to today’s cybercriminals—we’re here to help. Contact us.