Cyber Lessons from the British Library

The British Library has published its lessons learned from the devastating cyber attack that struck in October 2023.

In an eighteen-page report which shows an impressive commitment to transparency, but makes for painful reading, the organisation details how it was compromised by the Rhysida ransomware group during a traumatic timeline of events. In a subsequent press release, the Library also states it hopes other institutions will learn from its findings in the wake of a ‘deeply damaging criminal attack.’

Unfortunately, the report makes clear that in response to tighter security standards, the organisation ceased to be Cyber Essentials Plus certified in 2022, pending replacement of some older systems. In section six, sixteen ‘lessons learned’ form the basis of its future plans and guidance to other organisations:

  • Enhance network monitoring capabilities
  • Retain on-call external security expertise
  • Fully implement multi-factor authentication: Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so.
  • Enhance intrusion response processes
  • Implement network segmentation
  • Practice comprehensive business continuity plans
  • Maintain a holistic overview of cyber-risk
  • Manage systems lifecycles to eliminate legacy technology
  • Prioritise remediation of issues arising from legacy technology
  • Prioritise recovery alongside security
  • Cyber-risk awareness and expertise at senior level
  • Regularly train all staff in evolving risks
  • Proactively manage staff and user wellbeing
  • Review acceptable personal use of IT
  • Collaborate with sector peers
  • Implement Government standards, review and audit policies and processes regularly

The exact origin of the hack – which took Library systems offline for months – is unconfirmed, in part because of the scale of the destruction. However, the Library’s independent security investigators believe the initial breach was a spear-phishing, brute-force or other credential compromise, which gave the attackers a remote session on a terminal server that had not yet been placed behind multi-factor authentication for user logins.

From there, around 600GB of data (or half a million documents) was exfiltrated, with searches for sensitively named content such as ‘passport’ and ‘confidential’. Backup copies of twenty-two databases were also made and removed from the network. Ransomware was then deployed, and the encrypted data used for attempted extortion.

At several points Rhysida are believed to have made their own actions difficult to track – deleting log files and destroying servers to prevent a swift recovery. In a classic ‘double-extortion’, the group also put leaked employee and customer data up for auction on the dark web in November, with a starting price of 20 BTC (then approximately £600,000). The British Library insists that, in line with guidance from the National Cyber Security Centre, no attempt was made to communicate with the attackers, nor was any ransom paid.

The Rhysida ransomware group is also reported to be behind, or has claimed responsibility for, attacks in Chile, Portugal, Kuwait and the United States in the latter half of 2023. Cyber security professionals believe the group is Russian-speaking, although the evidence is limited.

Lengthy and costly, the clean-up effort has clearly been difficult. The report details that the Library convened Gold and Silver level crisis-management committees, with both private sector and UK state cyber security assistance – although senior staff at the BL were at one point forced to communicate via an emergency WhatsApp call in the absence of official systems. The Library’s main catalogue, containing more than 36 million records, only returned online in ‘read-only’ format in January, and the report states that ‘Many staff have been unable to perform significant parts of their roles’ for more than three months.

The Financial Times have speculated that the recovery costs may eventually total over £7m, which would represent around 40% of the institution’s known financial reserves, although the Library’s Chief Executive, Sir Roly Keating, told the BBC it was too early to calculate the true value.

 

For cyber security expertise and assistance, please contact our team today.


Lockbit Taken Offline By National Crime Agency

Ransomware provider LockBit has been taken offline by a joint operation involving law enforcement agencies from eleven countries.

As of the 20th February, a banner on LockBit’s website declares that the site is now under the control of the UK’s National Crime Agency, part of a coordinated operation to take down the group’s ‘command and control’ infrastructure.

Authorities from the NCA, the FBI, Europol and others from around the world swooped on a number of individuals believed to be involved with Lockbit – making arrests in Poland, Ukraine, and in the United States. Two further named individuals are believed to be Russian nationals.

The combined operation (‘Operation Cronos’) also froze more than two hundred cryptocurrency accounts, took down 34 servers and closed 14,000 rogue accounts.


LockBit made headlines as one of the world’s most successful ‘Ransomware-as-a-service’ providers: offering a toolkit any would-be cyber criminal could use to launch their own cyber extortion operation, demanding more than $120m in ransoms for unlocking encrypted data.

The group behind LockBit, which first emerged on Russian forums in 2020, did not respond to Reuters following requests for comment, but published messages on an encrypted messaging app stating it has backup servers not yet ‘touched’ by law enforcement. Investigations by police in numerous countries also revealed copies of stolen data the group claimed to have deleted after negotiating ransom payments.

More than 1,700 organisations are believed to have been compromised by LockBit, many of which are now listed online – and include Royal Mail, the NHS, Boeing and ICBC, China’s largest bank, among many others.

Decryption tools have so far been released to victims of LockBit in 37 languages, as part of the ‘No More Ransom’ project, with UK authorities pledging to reach out to organisations affected by the ransomware.



Ransomware Case File 2023

Each year new cyber threats appear to circulate online, and 2023 has certainly been no exception. For cyber criminals, it’s business as usual… right?

Not quite. Over time certain new patterns emerge that are important for cyber security researchers to identify, and these can help protect businesses and organisations in the future. So what can we learn from this year’s crop of nasty ransomware strains?

 

Akira


First spotted around April 2023, Akira ransomware appears to be one of the better-organised criminal efforts to extract payments from victims.

Suitable for multiple operating systems and sporting a green-and-black ransom note aesthetic Sophos describes as ‘Retro’, Akira is a professional effort that should give pause for thought.

Disabling many security settings to give itself more lateral movement on systems, the infection also tries to destroy backups to hinder the user, and has a ransom note written in (relatively) good quality English with a host of supporting infrastructure to help the hacker leverage a bigger payout.

The threat actor(s) behind Akira were known to exploit an existing VPN vulnerability to spread the ransomware, but gained their initial foothold using stolen credentials purchased online from third-party data breaches – part of a now-common pattern in which low-level breaches by one set of criminals feed more serious cyber crime through online black markets.

 

MedusaLocker


Originating back in 2019, this nasty ransomware has been through a string of variants with the most recent strain popping up in September 2023 to hit a major European health organisation.

MedusaLocker is an example of ‘Ransomware-as-a-Service’ – anybody can purchase and launch their own version, with a typical ransom being around $12,000. Like legitimate software companies, the developers behind Medusa even offer their customers a support helpdesk!

More recent variants have moved over to ‘double-extortion’ style attacks, where the hacker not only compromises the data, but threatens to leak a copy online, which is more likely to compel healthcare and public-sector organisations holding very private information on behalf of the public to pay the ransom demand.

 

Black Hunt


Targeting Windows environments, this ransomware looks relatively traditional, but may show the shape of things to come.

It can be spread both by email and via drive-by downloads on malicious websites that purport to give away free software or content, and for a special trick, immediately tries to terminate other processes on the user’s machine to speed up how quickly it can corrupt data – getting ahead of efforts to slow it down.

Curiously the ransomware searches for a specific text file called ‘Vaccine.txt’, which is likely a safety mechanism used by the original developers to protect their own systems against the dangerous infection.

The group behind Black Hunt also uses a tactic becoming increasingly popular among cyber criminals – publicly naming their victims in a perverse online ‘Hall of Fame’ – as a warning to others.

 

Our Verdict:

Keeping your data, staff and systems safe from ever-evolving ransomware infections means instilling good cyber hygiene across your organisation, backed by a cyber security strategy that covers a range of areas including endpoint protection, identity security, perimeter defence and user awareness training, among others.



GCHQ Tipping Off Ransomware Targets

British intelligence services are actively providing advance warnings to potential ransomware targets in order to thwart impending cyber attacks. On average, every seventy-two hours for the last three months, a team of cyber security experts within GCHQ has been identifying the initial stages of new ransomware attacks targeting British entities, alerting intended victims and preventing attacks from being carried out.

An innovative system known as ‘Early Warning’, overseen by the National Cyber Security Centre (NCSC), is already believed to have thwarted major attacks. It draws on a range of undisclosed information sources, including exclusive intelligence community feeds, public data, commercial inputs, and proprietary resources not available to the public.

This proactive approach, disclosed by several unnamed sources who spoke to Recorded Future News on the condition of anonymity, demonstrates the potential to curtail a significant number of successful cyber breaches. However, it has been noted by insiders that broader participation from organisations is needed to fully capitalise on the benefits of this system.

Currently, the scheme still has its challenges. Only a small fraction of organisations receive alerts – and it is estimated only 2% of those alerted act on the potential threat.

Ironically, a spokesperson from NCSC acknowledged the difficulties faced, stating, “We often struggle to find the correct contact information, or the person believes they’re speaking to a scammer.” The agency has taken steps to provide guidance on distinguishing official communications from criminal attempts to extract money or sensitive data.

In some cases, the delay in notifying potential victims has been so substantial that by the time NCSC establishes contact with the relevant parties, the ransomware attack has already been unleashed.

However, GCHQ clearly has big plans for developing the scheme further, and is encouraging organisations to sign up for Early Warning. As of the close of 2022, a mere 7,819 organisations had registered for the original service, but the NCSC’s annual report reveals that the system alerted over 5,900 user organisations about threats, more than 2,200 about vulnerabilities on their networks, and 56 received early alerts about ransomware attacks.



NCSC releases 2022 Cyber Security Breaches Survey

The National Cyber Security Centre (NCSC) has released its annual ‘Cyber Security Breaches Survey’.

The survey is used to inform government policy on digital security, educate British businesses, and ensure UK cyber space remains safe.

Data collected from over 2,400 businesses and 850 charities produced some startling statistics concerning the ever-looming threat of cyber attacks against UK businesses’ digital footprint.

The report discovered that 39% of UK businesses detected an incoming cyber-attack during 2021. Phishing attacks made up a fifth of all threats identified – the most frequent type of malicious attack.

Organisations also revealed that ransomware was being recognised as a serious digital threat with 56% of businesses stating they have installed or will be introducing a company policy to not pay ransoms to cyber criminals.

Whilst 58% of small and medium businesses disclosed that they outsource their IT support, only 23% of surveyed businesses had a cyber security incident management strategy in place that goes beyond basic endpoint antivirus.

The NCSC promotes a blend of regular cyber security learning and training within your business to better inform the deployment of traditional cyber security software measures across all the organisation’s IT systems.

This multi-layered approach aims to counteract the report’s discovery that a lack of cyber technical expertise amongst UK businesses is to blame for threats going undetected.

Similarly, a company-wide policy of digital hygiene erodes the false assumption that managed cybersecurity strategies are a cost to the business rather than a strategic, protective investment.

31% of businesses admitted to being attacked at least once a week, showing that any weak link in an organisation’s cyber defence can have grievous financial implications.

To mitigate this, we recommend organisations follow the NCSC’s guidance and adopt Cyber Essentials and Cyber Essentials +. The scheme requires businesses to meet or exceed an assured set of security requirements each year to protect against common forms of online crime, technology dangers and digital threats.

It is estimated that a Cyber Essentials certification can reduce your organisation’s risk of a cyberattack by 98.5% – contact Lineal to assist with your organisation’s application and to help you meet the requirements for a successful certification or re-certification today.


REvil Ransomware Gang Arrested

Law enforcement agencies have announced the arrest of seven individuals linked to REvil ransomware which caused a series of high profile ransomware incidents earlier this year.

Europol and the US Department of Justice recently announced the success of ‘Operation GoldDust’ which included a joint-effort from 17 countries – with arrests spanning Romania, Poland, South Korea and Kuwait.

The group is accused of 7,000 individual ransomware attacks, and of links to attacks which breached organisations using Kaseya remote-management software back in July – a supply chain attack described by security specialists SentinelOne as a ‘well orchestrated’ and ‘mass-scale’ ransomware campaign.

REvil was also used in the devastating attack on the Colonial Pipeline, which caused fuel shortages across the US East Coast, and at the world’s largest meat supplier, JBS Foods, earlier in 2021. Authorities are believed to have recovered around $6.1m in ransom payments so far.

Europol thanked all the countries involved, along with Eurojust and Interpol, for a concerted effort, and also praised the contribution of a number of private cyber security firms who assisted Operation GoldDust with technical support.

A previous investigation by Romanian police suggested the REvil group were an offshoot of those responsible for GandCrab ransomware released in 2018, and resulted in the release of three universal decryption tools by UK and US authorities which are believed to have prevented a further €60m of ransom payments from being extorted.

After originally claiming to be disbanding in September, it was revealed REvil’s infrastructure was itself hacked by a joint team from the FBI, US Cyber Command and the Secret Service – and forced offline. Key members of the group’s leadership, believed to be Russian, were thought to be on the run.

The issue of Russian reluctance to tackle cyber-crime syndicates also spilled over into warnings of US retaliation during in-person talks between US President Joe Biden and Russian President Vladimir Putin in June.

 


Kaseya Clients Struck by Ransomware

More than a thousand organisations using Kaseya Remote Monitoring and Management (RMM) software are estimated to have been hit by ransomware over the weekend.

The supply chain attack, which was described as “colossal and devastating” by security research company Huntress, is believed to have been carried out by the same Russia-linked ‘REvil’ ransomware gang strongly-suspected of the recent ransomware attack on meat-packing corporation JBS.

Miami-based Kaseya’s ‘VSA’ product – which is used by Managed Service Providers to provide remote IT services to the systems of organisations worldwide, including endpoint and patch management – is believed to have been breached with an update that rolled-out ransomware to many of Kaseya’s own customers.

REvil themselves claim the total number of encrypted user endpoints around the world may be as high as one million, and have demanded an unprecedented ransom of $70m in Bitcoin (around £51m at the current price).

On Friday, Kaseya advised all customers to immediately shut down any on-premises Kaseya VSA servers, to prevent hackers shutting off administrative access for future fixes – and ignore any communication from hacking groups while an FBI investigation was ongoing. 

Access to Kaseya’s cloud-based SaaS services was initially shut down as a precaution but has since been restored, and an endpoint detection tool has been published online.

It is now believed that the vulnerability exploited in Kaseya VSA had recently been reported by the Dutch Institute for Vulnerability Disclosure, but patches to rectify the problem had not yet been issued. In the 48 hours following the breach, more than 2,000 VSA servers were taken offline – suggesting that many organisations did heed warnings issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and others – although Swedish supermarkets, New Zealand schools and many others have had systems crippled by encrypted data.

Kaseya is publishing regular updates to its advisory page.



32,000 Microsoft Exchange servers still at risk from Hafnium cyber breaches

Microsoft has announced that up to 92% of all stand-alone Exchange servers have been patched, following a mass data breach by Chinese state-sponsored Hafnium cybercrime group.

A mass attack exploiting four zero-day vulnerabilities in on-premises Exchange servers was carried out by Hafnium in early March. According to Microsoft VP Tom Burt, around 400,000 on-premise Exchange servers were at risk, belonging to government and corporate data centres including defence contractors, schools and other entities globally.

The ProxyLogon security fixes released on 2nd March have reduced this number significantly, with 92% of Exchange servers now protected by the new patches. Nevertheless, Microsoft states that around 32,000 servers remained unpatched and vulnerable to Hafnium activity, including theft of confidential data, installation of ransomware and deployment of web shells such as China Chopper, which allow unrestricted external access to the unpatched Exchange servers.

These security fixes work in conjunction with Microsoft’s Exchange On-premises Mitigation Tool (EOMT), which installs defender scripts and their dependencies and automatically runs the Safety Scanner, remediating any identified problems on the Exchange servers.

However, the patches do not protect servers that have already been compromised from further exploitation, so Microsoft has advised that organisations’ administrators scan their stand-alone networks for malicious software and scripts that may already be installed, in addition to the scans performed by EOMT.

The attacks themselves have raised questions over the security maintenance of in-house email servers and add weight to the growing adoption of cloud-based email.


New macOS ransomware warning

Cybersecurity experts are warning against a prevalent new strain of macOS ransomware for Apple devices dubbed ‘EvilQuest’ – packaged alongside pirated versions of popular apps.

Like most ransomware, EvilQuest encrypts all the Apple user’s files and demands a $50 ransom for decryption within 72 hours.

While many Mac users believe malware for Apple devices does not exist – this is simply untrue. The newest strain comes after similar infections spreading between Mac users in recent years, including KeRanger and Patcher.

EvilQuest is also a more sophisticated effort than most attempts by cyber criminals: the app is correctly code-signed, has a very convincing installer, and even disables the Mac versions of common antivirus software such as Norton, Kaspersky, Avast, McAfee and Bullguard.

The trojanised software known to deliver EvilQuest to unsuspecting victims consists of torrent-download versions of popular macOS apps, including Little Snitch, Ableton Live and Mixed In Key 8, a popular DJ application.

Among the important steps Mac users should take to reduce the risk of macOS ransomware are:

  • Keep a regular, organised regime of backups, offline and air-gapped from the device itself.
  • Only download Apps from reputable sources.
  • Consider whether utilities like Malwarebytes and RansomWhere are needed as extra precautions.
