Phish Fryday – Ransomware Trends

2019 saw an increase in ransomware attacks against public organizations, as we witnessed numerous headlines reporting outages and ransom demands. With ransom payments being made, should we expect to see these attacks increase? In this episode we speak with Cofense Cyber Threat Intelligence Analyst Aaron Riley about phishing prevention: what we saw in 2019 and what we should be planning for in the coming year.

For more information on topics mentioned in this episode, please visit:

EMSISoft State of Ransomware Report

Cofense – Ransomware in 2020

Questions or comments? Reach us at [email protected]

Phish Fryday – URL Scanners as Part of Phishing Defense

URL Scanners are a great way to investigate potentially malicious websites in a low-risk way. Attackers, however, are adapting to these tools to escape detection and keep the pressure on defenders. In this episode, we speak with Cofense Security Consultant Chris Hall to discuss the usefulness of these scanners, how attackers are adapting, and what these scanner services may need to do to stay useful as phishing prevention tools.

For more information on topics mentioned in this episode, please visit:

Are URL Scanning Services Accurate for Phishing Analysis?

VirusTotal

URLScan.io

REMnux

Questions or comments? Reach us at [email protected]

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

By Alan Rainer

The fourth quarter of 2019 showed a strong start but a dull finish, as the world eased into the holiday season. Following the resurgence of Emotet at the end of Q3 2019, Q4 saw an even higher volume of phishing from the Trojan and its botnet. Read all about it, alongside other malware trends and campaigns, in the Cofense Intelligence Q4 2019 Malware Trends Report.

Continuing from Q3, Emotet picked up momentum in distributing malicious emails. From email reply chain compromises to crafty phishing templates with macro-laden documents, user inboxes found no solace. Emotet delivered financial invoices, “invites” to a Christmas party, and other phish baits to trick recipients into infecting their systems. Other malware families were not as prolific, decreasing in volume as the quarter went on.

The new year, however, is likely to hold greater wickedness. On the malware front, Windows 7’s End of Life will probably spur the creation of new malware, and targeted ransomware is likely to keep growing. 2020’s election season may bring about more phishing, while geopolitical events can result in more cyber threats. And to round it off, Emotet will keep on churning.

Figure 1: Varenyky Spambot Phishing Email Sample

Our Q4 report outlines key trends, statistics, breakdowns of specific campaigns, and insights on what to expect in Q1 2020 and beyond, all of which you can use to defend your organization. Cofense Intelligence provides phishing campaign updates throughout the year, which includes comprehensive threat reports and bi-weekly trend digests.

View the Q4 2019 Malware Trends Report at: https://go.cofense.com/malware-trends-2019-q4/


All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Helps 2020 Presidential Candidates Secure Their Campaigns from Pervasive Phishing Attacks

Leesburg, Va. – Jan. 23, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced its partnership with Defending Digital Campaigns (DDC), a nonprofit and nonpartisan organization committed to bringing cybersecurity tools and resources to federal election campaigns. Under the new partnership, DDC qualified campaigns can leverage Cofense’s experience, expertise and managed phishing defense service to strengthen their resilience against email-based cyberattacks during the 2020 election cycle.

“There is not a single anti-phishing technology on the market that will stop phishing emails from hitting campaigners’ inboxes,” said Aaron Higbee, chief technology officer and co-founder, Cofense. “No candidate wants to relive the successful phishing attacks that have plagued elections across the globe these past several years. Every day, we find hundreds of malicious threats in supposedly ‘protected’ email environments. Our methods have prevented sophisticated APT29 email phishing attacks that make the Podesta phish look childish. As most attacks target specific individuals, it’s critical campaign managers prepare their teams to react quickly to what is about to come. We’re proud to partner with the DDC to provide candidates and campaign workers the support they need to better defend against malicious actors.”

“Protecting campaigns from cybersecurity threats is essential to our democratic process, and Cofense understands the critical importance this plays,” said Michael Kaiser, DDC President and CEO. “We are excited to partner with Cofense, who pioneered phishing defense, so campaigns can more quickly and easily implement better cybersecurity practices.”

Cofense’s new managed Election Phishing Defense Service is now available to eligible campaigns under a special permission granted to DDC by the Federal Election Commission. It bolsters their phishing resilience in a single managed service at minimal cost, allowing them to stay focused on what they do best, campaigning:

  • Phishing simulation training to prepare staff to identify and report phishing incidents
  • Cofense Reporter, a one-click embedded email button, to enable staff to quickly report suspicious messages
  • Phishing analysis provided by Cofense to quickly identify and mitigate a phishing incident

Additionally, Cofense has launched an educational site that will be updated with resources such as threat intelligence, best practices, and expert perspectives. To learn more, visit: https://cofense.com/election-security/

###

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in the defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


About Defending Digital Campaigns

Defending Digital Campaigns (DDC), a 501(c)(4), is a nonpartisan and non-aligned organization focused on increasing campaign cybersecurity by making available free and low-cost cybersecurity products. DDC operates under a Federal Election Commission administrative opinion allowing for the provision of in-kind cybersecurity services to eligible campaigns.

DDC was founded and is led by former presidential campaign managers for Hillary Clinton and Mitt Romney, tech and cybersecurity industry leaders, and former senior officials at the NSA and DHS.


Media Contact

[email protected]

Cofense to Host Third Annual Phishing Defence and User Conference in London

LONDON, United Kingdom – 22 January, 2020 – Cofense, the global leader in intelligent phishing defence solutions, today announced registration is open for Submerge London, its international user conference and phishing defence summit. Taking place at the Hilton Canary Wharf from 5-6 May 2020, Submerge London is Europe’s premier event for phishing defence and incident response, providing two full days of technical and educational sessions led by industry leaders and security experts.

The third annual conference promises even deeper hands-on content than ever before, including more than 20 sessions covering the latest phishing defence strategies and tactics, case studies presented by leading industry professionals and ample networking opportunities with peers from across the world. As with previous years, there will also be a wealth of speaker tracks over the two days, truly submerging attendees in the latest anti-phishing best practices and showing how they can unlock the power of collective human intelligence to defend against advanced cyber threats.

Those interested in sharing their knowledge and expertise at the event can submit a presentation abstract for consideration through the Call for Speakers submission form, focusing on one of four topics: Innovation in Phishing Awareness; Aligning Phishing Defence to the Business; Phishing Incident Response; or the Phishing Threat Landscape.

“The email security threat landscape is constantly evolving with attackers innovating their way past security controls on a daily basis,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “That’s why it’s important cybersecurity professionals stay ahead of the latest attack vectors and be prepared for threats heading their way. With a 95% recommendation rate from previous attendees, we’re thrilled to bring organizations, partners and industry leaders the tools and knowledge they need to ramp up their phishing defence programs.”

Submerge London 2020 is open to existing Cofense customers and non-customers alike. The event is ideally suited for cybersecurity professionals, operators, and decision makers who focus on email security and phishing defence. Early bird registration discounts for Submerge London 2020 are available until 1 March; until then, tickets are £49, half the regular rate. Those interested in attending can register here and find further information on the event and venue.

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in the defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


Media Contact

[email protected]

Ransomware in 2020: Not Just More, But Different

Cofense Intelligence™ assesses that enterprise-targeted ransomware campaigns will most likely increase from 2020 into the next few years, based on attack and ransom payment trends over the last six months. In the latter half of 2019 through this year, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach.

Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at their insurer’s recommendation, often with the insurance companies covering a good deal of the cost. With enterprise ransomware campaigns becoming more lucrative for the operators, Cofense Intelligence predicts a surge in the next few years.

In the most recent IC3 report, the “FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

In the second half of 2019 and through 2021, ransomware campaigns targeted different types of organizations, including schools, governments, infrastructure, and hospitals. Most of the victims offer public services that were disrupted or severely damaged. The Flagstaff, Arizona, school district suffered a ransomware attack that reportedly closed the entire school district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000—the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 targeted the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom rather than deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

In 2021, Colonial Pipeline, a company that transports about 45% of all the fuel consumed on the East Coast and serves almost 50 million U.S. customers, was hit by a ransomware attack by the DarkSide group. That attack was followed quickly by one on the meatpacking company JBS; then REvil ransomware threat actors exploited a zero-day vulnerability to deliver ransomware payloads disguised as legitimate software updates from Kaseya. Other notable ransomware incidents include Buffalo Public Schools, Acer, CNA Financial, Quanta Computer, and Ireland’s Health Service Executive.

We are now seeing ransomware campaigns that include data breaches and exfiltration. A number of victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also occurred. Maze operators exfiltrated data in the course of their attack and released stolen documents, further extorting their victims to pay up and threatening that failure to do so would mean the release of more sensitive information. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment. The Maze ransomware operators allegedly exfiltrated around 120GB of data from Southwire during another ransomware attack.

Ryuk and Sodinokibi (REvil) are two of the other widely recognized ransomware operators. In a report from Palo Alto Networks, the average ransom paid by organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million. In 2021, that number grew to $40 million.

Other more recent ransomware attacks of note are:

  • Kia Motors: the incident became known when it was reported that the company was suffering a major IT outage across the U.S., which affected the internal sites used by dealers, mobile apps, and phone and payment systems.
  • University of Maryland and University of California: both were hit by the same attack group, named CLOP.
  • Whistler Resort (Canada): the incident resulted in the municipality temporarily suspending phone, network and website access, with walk-in services at the municipal hall also being suspended.
  • Pierre Fabre: the leading cosmetics group was hit with a $25 million ransomware attack.

In May 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The United States federal government advises organizations not to pay a ransom, as it only encourages further attacks and there is no guarantee the captured resources will be returned in their original form. However, victims are increasingly paying the ransom, as was seen in the latter half of 2019. Then in July, the White House issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, whose primary objective is to “defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks. The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.” Participation is voluntary.

Future Dangers of Ransomware

With their profits rising, ransomware operators will likely increase their campaign volume in the next few years at least. The success of ransomware campaigns may encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture.

We expect other trends to follow in line with our ransomware predictions. More cybersecurity firms might be utilized as a third-party negotiator for payments. Stolen data can be used in different ways—not just taken hostage—to leverage more money from the victims, especially if unsavory information is exfiltrated.

More and more enterprise organizations are expected to include cybersecurity insurance within their yearly budgets. In short, it appears more companies are making business decisions that demonstrate an understanding of the likelihood of ransomware attacks. While it is good to be prepared, feeding the beast of ransomware will fuel cybercriminals looking to make large profits.

HOW COFENSE CAN HELP

Cofense is the only company that combines a global network of 30 million people reporting phish with advanced AI-based automation to stop phishing attacks fast. Our Phishing Detection and Response (PDR) security solutions combine technology and unique human insight to catch and stop phishing attacks — before they hurt your business.

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense.

Cofense Debuts Phishing Defense Podcast


Leesburg, Va. – Jan. 17, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced the debut of its phishing defense podcast, Phish Fryday. Gathering leading experts and threat researchers across Cofense’s security intelligence groups including Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center, the new podcast provides security teams and analysts with weekly insights into the latest phishing threats, trends and news so they can stay ahead of the latest attacks.

With most data breaches occurring as a result of a successful phishing attack, defenders are constantly seeking to understand the latest evolving threats and tactics used by phishers to bypass popular security technologies. Cofense analyzes millions of emails and malware samples every day, both in the wild and within organizations’ environments, to identify new and emerging malware, providing organizations with recommendations so they can quickly and proactively defend themselves.

“The key differentiator between Cofense and our competitors is the actionable intelligence that underpins all of our solutions,” said Rohyt Belani, chief executive officer, Cofense. “Our unique view of the cyber-threat landscape allows us to provide valuable and timely insights into active phishing threats that consistently bypass email gateways. We’re thrilled to further extend and share our expertise through Phish Fryday as we strive to unite humanity against phishing.”

The debut season includes the following episodes:

  • Episode 1: Cofense Labs’ Jason Meurer discusses Emotet’s recent evolutions, including modifications to its URI structure, new templates used and new information targeted by the botnet.
  • Episode 2: As tensions escalate between the U.S. and Iran, Mollie MacDougall of Cofense Labs, an expert on cyber and international security, explains Iran’s cyber capabilities and its history of cyberattacks.
  • Episode 3: Alan Rainer from Cofense Intelligence discusses how attackers are using trusted cloud services to evade security technologies and compromise corporate networks.
  • Episode 4: Max Gannon of Cofense Intelligence shines a light on Office macro attacks, how they are leveraged by attackers and why it’s challenging for organizations to defend against them.

To listen and subscribe to the Phish Fryday podcast, visit: https://cofense.com/category/podcast/phish-fryday/

###

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in the defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


Media Contact

[email protected]

Phish Fryday – Office Macros in Phishing Attacks

Automation with macros in Microsoft Office documents has been with us for decades. The abuse of these macros has been with us for almost as long, as attackers leverage the functionality – and the common permissions needed to run them – to cause considerable harm to organizations. In this episode, we speak with Cofense Cyber Threat Intelligence Analyst Max Gannon to discuss the latest phishing threats and how they leverage macros to compromise organizations.

For more information on topics mentioned in this episode, please visit:

Complimentary Threat Alerts

PowerShell Scripts Delivered by Office Macros

Geodo Malware Campaigns

Questions or comments? Reach us at [email protected]

Jeopardy GOATs Buzz In, Security World Groans

By Tonia Dudley

When Jeopardy invited its top players ever to battle it out, the winner would be crowned the Greatest of All Time (GOAT). Not the Pretty Goodest or the Gosh, Nice Try-est. And certainly not the Wow, You Very Nearly Failed-est.

But when three acclaimed geniuses hit the buzzers last week, those were the titles they earned in the cybersecurity category. The contestants missed two out of five. No big deal? Normally not, but these guys were the best of the best—and their combined score of correct answers equaled 60 percent. In most grading systems, that’s one point shy of an ‘F.’

I mean, shouldn’t a Jeopardy GOAT be good at almost everything?

Really? They missed ‘BYOD’?

Yes, they did. And it was worth $600, a pretty generous sum for a pretty easy answer.

It was exciting to see cybersecurity included in this highly watched episode. To be fair, I thought the show came up with an interesting selection of topics. Ransomware. Keylogger. Whitehats. And sigh, BYOD. Again, if this were a normal episode (or a normal game show) you’d expect easier questions. But hey, this is Jeopardy, GOAT Edition.

Here’s the dagger: current GOAT tournament leader Ken Jennings is in IT. Ken, you let us down, man! Okay, “keylogger.” Not everybody knows what it means.

But, sorry to say this, a real genius would. To claim GOAT status, you need to go beyond the basics. And not wait until the other categories are nearly exhausted before summoning the courage to tackle cybersecurity. Call me biased, but it’s a pretty important subject these days.

Kudos to the players for knowing what bitcoin is.

And for nailing HTTPS and whitehats. But millions of people watched this episode. Ken, Brad, and James could have shown America that any self-respecting GOAT knows cybersecurity as well as The Oscars or American Idols.

And couldn’t there have been one measly phishing awareness question? “Who is John Podesta, Alex?” Or “What is a fraudulent email?” The FBI published two alerts last year on business email compromise alone.

All right, enough griping. At least our industry got some recognition. But if Jeopardy ever includes us again, I want the players to do better than a D+.

Discover how phishing awareness training can help your organization defend against changing phishing threats.
