The US indictment against an alleged Phobos ransomware kingpin reveals that no company was too small for the cybercriminal gang to hit.

The US Department of Justice has charged a Russian national named Evgenii Ptitsyn with selling, operating, and distributing a ransomware variant known as “Phobos” during a four-year cybercriminal campaign that extorted at least $16 million from victims across the world.

The government’s indictment against Ptitsyn should dispel any notion that ransomware gangs only target the largest, richest, most robust corporations on the planet, as one Phobos affiliate allegedly extorted a Maryland-based healthcare provider out of just $2,300—possibly the lowest payment ever recorded.

In a November 18 statement, Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, stressed the wanton victim targeting by Ptitsyn’s ransomware network.

> “Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments.”

Ransomware is the single most devastating cyberthreat to businesses today. Through a variety of evolving techniques, cybercriminals break into a company’s network and then deploy ransomware to lock down every file, computer, and sensitive piece of data within reach. The files cannot be unlocked without a “decryption key,” which the cybercriminals will only offer for a price.

But for many companies, the price of a ransom demand isn’t the only dilemma they face, as the price of recovery can be even heftier.

According to Malwarebytes’ business unit, ThreatDown, the average cost of a ransomware attack—excluding the ransom itself—is a whopping $4.7 million. That enormous sum represents a company’s downtime during a ransomware attack, any reputational damage it suffers, and the lengthy recovery process of rebuilding databases and reestablishing workplace accounts and permissions.

From what was revealed in the government’s indictment against Ptitsyn, those costs were likely beyond reach for many Phobos victims, which included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to an analysis of Phobos ransom demands last year, these smaller targets line up with the gang’s focus. In 2023, ThreatDown discovered that, unlike other ransomware gangs that demanded up to $1 million or more from each victim, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

Smaller demands mean little, however, for the companies hit by the ransomware.

Ptitsyn, who was extradited to the United States out of South Korea, now faces 13 counts, which include wire fraud, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse, along with four counts each of causing intentional damage to protected computers and extortion in relation to hacking. According to the Department of Justice, the charges carry a “maximum penalty of 20 years in prison for each wire fraud count; 10 years in prison for each computer hacking count; and five years in prison for conspiracy to commit computer fraud and abuse.”

**How to protect your small business from ransomware**

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 No company too small for Phobos ransomware gang, indictment reveals 

This week on the Lock and Code podcast, we re-air an episode from 2023 about why modern cars want to know about your sex life and a lot more.

_This week on the Lock and Code podcast_…

Two weeks ago, the Lock and Code podcast shared three stories about home products that requested, collected, or exposed sensitive data online.

There were the air fryers that asked users to record audio through their smartphones. There was the smart ring maker that, even with privacy controls put into place, published data about users’ stress levels and heart rates. And there was the smart, AI-assisted vacuum that, through the failings of a group of contractors, allowed an image of a woman on a toilet to be shared on Facebook.

These cautionary tales involved “smart devices,” products like speakers, fridges, washers and dryers, and thermostats that can connect to the internet.

But there’s another smart device that many folks might forget about that can collect deeply personal information—their cars.

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what types of data modern vehicles can collect, and what the car makers behind those vehicles could do with those streams of information.

In the episode, we spoke with researchers at Mozilla—working under the team name “Privacy Not Included”—who reviewed the privacy and data collection policies of many of today’s automakers.

To put it shortly, the researchers concluded that cars are a privacy nightmare. 

According to the team’s research, Nissan said it can collect “sexual activity” information about consumers. Kia said it can collect information about a consumer’s “sex life.” Subaru _passengers_ allegedly consented to the collection of their data by simply being in the vehicle_._ Volkswagen said it collects data like a person’s age and gender and whether they’re using your seatbelt, and it could use that information for targeted marketing purposes. 

And those are just the highlights. Explained Zoë MacDonald, content creator for Privacy Not Included: 

> “We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race.”

In our full conversation from last year, we spoke with Privacy Not Included’s MacDonald and Jen Caltrider about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 These cars want to know about your sex life (re-air) (Lock and Code S05E25) 

A list of topics we covered in the week of November 25 to December 1 of 2024

December 2, 2024 - The US indictment against an alleged Phobos ransomware kingpin reveals that no company was too small for the cybercriminal gang to hit.

December 2, 2024 - This week on the Lock and Code podcast, we re-air an episode from 2023 about why modern cars want to know about your sex life and a lot more.

November 29, 2024 - Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

November 28, 2024 - A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

November 27, 2024 - LifeLabs managed to hold up a report about a ransomware incident in court for four years. It's now been published.

 A week in security (November 25 &#8211; December 1) 

Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

**Malicious Search Ads**

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘_hp printer help_‘. It’s only after those that the official HP website appears.

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive\[.\]solutions  
geeksprosoftwareprints\[.\]org  
select-easy123print\[.\]com  
printcaretech\[.\]com

**The driver scam**

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

**Remote access and extortion**

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

 Printer problems? Beware the bogus help 

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

The 713.1 GB container (an Amazon S3 bucket ) did not have password-protection, and the data was left unencrypted, so anybody who stumbled on them could read the files. The files not only contained thousands of people’s vehicle records (license plate and VIN) and property ownership reports, but also criminal histories, and background checks.

The majority of the records were labelled as background checks which contained full names, home addresses, phone numbers, email addresses, employment history, family members, social media accounts, and criminal record history.

Data brokers collect and sell your information, including financial, personal, behavior and interests, for profit. SL Data Services markets itself as a provider of real estate information reports. But when the researcher contacted its support team, they stated the company also provides criminal checks, division of motor vehicles (DMV) records, death and birth records.

Probably to organize the data to this end, the folders inside the container all had names of separate website domains. The company apparently operates a network of an estimated 16 different websites, offering a range of information services (e.g. PropertyRec).

Background checks can and are often done without the subject’s awareness. But with all the combined information about a person, it paints a very complete picture that insurance companies, advertisers, and even cybercriminals can use to their advantage.

The researcher explained:

> “I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

And to make things worse—if possible– the files had names that used the following format: “First\_Middle\_Last\_State.PDF.” Which makes it incredibly easy for anyone, whether they are supposed to have access or not, to find a person of interest and read that file.

It took the researcher quite a few calls and emails to get the exposed data taken out of public sight, and SL Data Services never provided the researcher with a response, let alone an explanation how this could happen.

**Don’t give up your information, remove it where you can**

Unfortunately, incidents like this are commonplace, so it’s clear that we should take it upon ourselves to make sure our information can’t be found by data brokers.

Removing your personal information from data broker sites can be a complex and time-consuming process. While manual opt-outs are effective, they require considerable effort to keep up with new data entries and the reappearance of your information on various sites. This is where data broker removal services come in handy. 

Data broker removal services are designed to automate the process of finding and removing your personal information from data broker databases. These services regularly scan known databases for your information and submit opt-out requests on your behalf, ensuring a more comprehensive and continuous protection of your privacy. 

Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

 Data broker exposes 600,000 sensitive files including background checks 

LifeLabs managed to hold up a report about a ransomware incident in court for four years. It's now been published.

In 2019, a ransomware attack hit LifeLabs, a Canadian medical testing company. The ransomware encrypted the lab results of 15 million Canadians, and personally identifiable information (PII) of 8.6 million people was stolen.

After noticing the attack, LifeLabs informed its customers and the Canadian privacy regulators, which immediately announced an investigation.

The privacy commissioners of both British Columbia and Ontario finished writing a report about the incident in 2020 but LifeLabs managed to hold that up in court for four years. Now the report is publicly available and some of the findings are both shocking and unsurprising.

According to the report, LifeLabs had several shortcomings before the breach:

*   LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
*   LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA
*   LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.

Additionally, the investigation found that LifeLabs didn’t comply with its obligation to notify affected people at the first reasonable opportunity. This was because it didn’t implement a process to notify people about the details of what personal health information was compromised without requiring them to make a formal access request.

Patricia Kosseim, Information and Privacy Commissioner of Ontario commented:

> “Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals.”

The regulator said it was important for the report to be made public after four years of resistance by LifeLabs. We agree that it is important that we know how companies are protecting our data, especially the medical kind. But at the same time we also know that many organizations in the healthcare industry do not have the staff to handle this, not do they have the funding to hire those staff. It’s catch 22.

At the time, LifeLabs wrote in an open letter that the cybersecurity firm it hired to investigate the incident advised it that the risk to its customers in connection with this cyberattack was low. LifeLabs said it hadn’t seen any public disclosure of customer data as part of its investigations, including monitoring of the dark web and other online locations.

Malwarebytes checked up whether that claim still held through and could indeed not find any LifeLabs customer data that came from that breach.

The reason is not a big mystery. Reportedly, LifeLabs paid the ransomware group, which is why it’s still unknown which group was behind the attack. The specific amount of the ransom paid has not been disclosed by the company.

But as ransomware groups are just a gang of criminals, it might be hard to take their word for it that they won’t release the data at some point. We will keep an eye on it.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Medical testing company LifeLabs failed to protect customer data, report finds 

Microsoft connected experiences have been the subject of heated online discussions. So what are they, and do they train AI with my data?

Recently we’ve seen some heated discussion about Microsoft’s connected experiences feature. As in many discussions lately there seems to be no room for middle ground, but we’re going to try and provide it anyway.

First of all, it’s important to understand what the “connected experiences” are.

Microsoft describes it like this:

> “Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features.”

If that sounds like auto-correct on steroids, you’re close. You like it or you don’t.

But I found that there are two types of connected experiences.

Let’s start with a locally saved document created in Microsoft 365 (Word). To find the connected experiences settings, you’ll need to

*   Click on **File** > **Options**

Options

*   Select **Trust Center** and click on **Trust Center Settings**

Trust Center Settings

*   Select **Privacy Options** and click on **Privacy Settings**

Privacy Options > Privacy Settings

Then you’ll see three entries for Connected experiences:

*   Experiences that analyze your content
*   Experiences that download online content
*   All connected experiences

My tinfoil hat warns me that the second one is bound to show up in some vulnerability, but nowhere does it say that anything you produce will be shared with anyone, let alone train an AI model. If anything is worrying in there, it’s the fact that it uses content in your documents to find online information that might be of interest to you.

Connected experiences

Feel free to turn these options off.

For **online** documents created with Microsoft 365 apps it’s a different topic, and depends on what the administrator of the organization that provided it has decided to make available to you.

The overview of optional connected services provided by Microsoft says:

> “If you have a work or school account, your organization’s admin may have provided you with the ability to use one or more cloud-backed services (also referred to as “optional connected experiences”) while using the Office apps, like Word or Excel, that are included with Microsoft 365 Apps for enterprise.”

It then goes on to list all the possible optional connected experiences. The settings for these are of the type  “all or nothing.”

You can find these settings if you have a document open in your browser by following the path **File > About > Privacy Settings > Optional connected experiences**.

Optional connected experiences

The official Microsoft 365 account on X tweeted to say it didn’t use customer data to train large language models (LLMs)—a type of artificial intelligence (AI) program—in M365 apps:

> “In the M365 apps, we do not use customer data to train LLMs. This setting only enables features requiring internet access like co-authoring a document.”

So, turning that option off might result in some lost functionality if you’re working on the same document with other people in your organization.

If you want to turn these settings off for reasons of privacy and you don’t use them much anyway, by all means, do so. The settings can all be found under **Privacy Settings** for a reason. But nowhere could I find any indication that these connected experiences were used to train AI models.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Explained: the Microsoft connected experiences controversy 

Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

Spotify and Amazon services have been flooded with bogus listings that push dubious “forex trading” sites, Telegram channels, and suspicious links claiming to offer pirated software according to our friends over at BleepingComputer.

Cybercriminals are abusing the options to inject keywords and links into playlist names to make their entries rank high in Google search results.

BleepingComputer found that spammers had posted a lot of links on the content platforms, but that the length of the audio “episodes” published under these “podcasts” was zero seconds.

What you can expect to be offered are cracks, keygens, cheat codes, and other game related content, but also “forex trading” seems to be a popular subject to promote.

The fact that many cracks, keygens, and game mods are often replaced by or come bundled with malware was already known in the previous century, so that shouldn’t surprise anyone.

The “forex trading” part may be a little harder to understand.

On the content platforms we mentioned, links are shared pointing to forex trading platforms where you can trade one currency for another speculating on exchange rate fluctuations. Forex trading is far from illegal, it’s an important part of international trade. But in areas where so much money changes hands, there will always be criminals looking for a piece of the action.

There are two main types of forex trading scams you need to be aware of. Scams performed by external criminals, and unethical forex brokers. Even though management teams within brokers must be vetted by regulators and licensers, there are plenty of incentives for brokers to take advantage of their customers.

The scams themselves can be largely identified as:

*   Signal scams: Signals are data-driven broker-generated information prompts that give traders improved opportunities to make profitable trades. While many of them can be considered legitimate, they do not guarantee success and they can be abused by signal-sellers that prey on our tendency to want to get rich fast and with little effort.
*   Pyramid schemes: The pyramid schemes are in fact private circles run by individuals who seek to profit by charging a subscription fee and encouraging new members to recruit fellow investors for the prize of a small commission payout. The higher up the money-earning pyramid you are, the more subscription fees flow your way.
*   Point-spread scam: As brokers earn their commissions based on the gap between bid and ask prices, they make more money when the gap is bigger. When the natural supply and demand conditions do not create a big enough gap, some brokers have been known to exaggerate the gap by rigging the code that displays the prices.
*   Robot scamming: This is a relative newcomer to the scams. It offers traders the option to earn money while you are not actively trading on your system. The term “robot” refers to the automation of the process with software. Needless to say these robots can be rigged to work for the broker instead of for you.
*   Sale of personal information: Under the rules of Know Your Customer (KYC) legislation, every trader must be able to supply private and confidential information that often includes details like banking information and credit card information. Scam brokers could sell this information to a third party, who may try to lure you into another scheme.

But cybercriminals could also have set up their own fraudulent trading platforms and be phishing for your login credentials to existing platforms.

**How to stay safe**

If you decide you want to delve in forex trading, there are a few pointers to keep your money safe.

There are some similarities between forex trading and casino gambling, only forex trading involves more skill and analysis than most casino games. Don’t go all-in. Don’t lose your shirt.

*   Get rich quick schemes often work for those offering them, but not for those falling for them.
*   It is vital to research any financial service or platform before investing.
*   As always, if it sounds too good to be true, it probably is.
*   It is crucial to understand what you are doing or what is being done for you.
*   Watch out for clone websites.
*   If you don’t understand how the trader’s robot works, ask until you do or don’t use it.
*   Stay away from forex trading platforms promoted on content platforms that have nothing to do with forex trading.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Spotify, Audible, and Amazon used to push dodgy forex trading sites and more 

Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

Andrew Tate’s online education platform The Real World—formerly known as Hustlers University—has been hacked and user data has been stolen.

Hacktivists flooded the primary chatroom with emojis as proof that they had breached the site. After this they shared approximately 794,000 usernames of, allegedly, the site’s current and former members with the Daily Dot and journalism collective DDoSecrets.

The stolen chat logs originated from the platform’s 221 public and 395 private chat servers. Included in the data are 794,000 usernames for current and former members, and 324,382 unique email addresses that appear to belong to users who were removed from the main database after they stopped paying their subscriptions.

It’s not clear if this set of email addresses came from a less secure environment or whether the hacktivists just stumbled over those first. A source close to the hacktivists say the platform’s security is “hilariously insecure.”

An unpatched vulnerability meant they could “upload emojis, delete attachments, crash everyone’s clients, and temporarily ban people.” All of this must be painful for a platform that claims to teach “all digital skills.”

Highly controversial figure Andrew Tate has not responded to the breach yet.

This could be because he is facing other problems. He’s currently under house arrest in Romania, facing trial after being charged with rape, human trafficking and forming an organised crime group to sexually exploit women. He is also wanted in the UK to face allegations of sexual assault. He denies all the allegations.

Anyway, there are reasons why clients, especially those that stopped payments, would not like to be associated with The Real World.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 &#8220;Hilariously insecure&#8221;: Andrew Tate&#8217;s The Real World breached, 800,000 users affected 

A list of topics we covered in the week of November 18 to November 24 of 2024

November 25, 2024 - Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

November 25, 2024 - Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

November 22, 2024 - Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

November 20, 2024 - People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

November 20, 2024 - Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

Source

Malwarebytes