2023 saw a 70% increase in ransomware attacks from 2022.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was an explosive year for ransomware.

While some ransomware trends hardly changed over the last year, such as LockBit’s continued dominance, ransomware criminals also challenged our fundamental assumptions on how ransomware gangs work, such as by exploiting zero-day vulnerabilities. Through thec onsistenciess and evolutions over the last year, one fact remains clear: 2023 broke records **with its total number of 4475 ransomware attacks, a 70% increase from 2022.**

Global ransomware attacks by month, 2022 vs 2023

Global ransomware attacks, 2022 vs 2023

Additionally, LockBit was responsible for a **22% of all ransomware attacks in 2023**, over half as much as the next top five gangs combined. Together, the top 10 ransomware gangs were responsible for **70% of all ransomware attacks**.

Top 10 ransomware gangs in 2023

Breaking 2023 ransomware attacks by sector reveals that **23% of all attack**s were directed against the Services sector. Together, the top 10 sectors accounted for **80% of all ransomware attacks**.

Top 10 industries attacked 2023

The USA was by far the most attacked country in 2023, **with a whopping 45%** of all ransomware attacks targeting the country.

Top 10 countries attacked 2023

Additionally, we’ve sifted through the backlog of our 2023 ransomware reviews to find the most important stories and trends from the last year. Here are five key takeaways from the ransomware world in 2023.

**1\. LockBit was… LockBit**

LockBit remained the most prolific ransomware gang throughout 2023, responsible for several high-profile attacks (such as against Taiwanese chipmaker TSMC). As well, LockBit also unveiled a new variant, LockBit Green, and showed signs of expanding into macOS territory.  

**2\. Law enforcement worked overtime**

Despite 2023 being the worst ransomware year on record, law enforcement notched notable successes in taking down big-name groups, including the FBI’s shutdown of the Hive ransomware group and the seizure of ALPHV’s infrastructure.

**3\. Gangs seized the day with zero-days**

Ransomware gangs, including Cl0p and ALPHV, aggressively exploited zero-day vulnerabilities (e.g., in GoAnywhere MFT, MOVEit Transfer, and Citrix appliances) to launch attacks on a unprecedented scale.

**4\. Big blows dealt to critical infrastructure**

Critical infrastructure (as defined by CISA) took a beating in 2023, with sectors such as logistics, manufacturing, healthcare, and education accounting for almost **30% of all ransomware attacks** in 2023. Education alone (a subsector of the Government Facilities sector) experienced a 70% surge in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

**5\. New tactics and rebrandings emerged**

Besides an increased focus on exploiting zero-days, ransomware gangs introduced other new tactics in 2023 such as CL0P’s use of torrents for distributing stolen data and innovative social engineering techniques by groups like Scattered Spider. We also saw notable rebrands (i.e Vice Society to Rhysida) and shifts in focus from encryption to purely data theft and extortion.

**Looking ahead**

2023 was a whirlwind year for ransomware: Attacks spiked by 70%, law enforcement landed key victories, gangs pivoted to exploiting zero-day vulnerabilities, and much more.

Going into 2024 it’s safe to say that the threat of ransomware looms large for all organizations—especially those with shrinking security budgets and overtaxed IT teams, organizations located in the US, critical infrastructure sectors like education.

Fighting off ransomware gangs requires a layered security strategy. Technologies such as Endpoint Protection (EP) and Vulnerability and Patch Management (VPM), for example, are vital first defenses to reduce the attack surface breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach any defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And for the ultimate assurance of uptime —choose an EDR solution with ransomware rollback to undo changes and restore files so that productivity continues.

**How ThreatDown Addresses Ransomware**

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams.

**Experience ThreatDown Bundles**

 Ransomware in 2023 recap: 5 key takeaways 

FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.

The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.

In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

As Jen Easterly, the director of CISA put it in a hearing before the House Select Committee

> “We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”

And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.

The Living of the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.

So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR) should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.

The guidance stipulates that LOTL is particularly effective because:

*   Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
*   There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
*   It enables cyber threat actors to avoid investing in developing and deploying custom tools.

So, it provides some best practices for detecting and hardening that are all explained in detail.

*   Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
*   Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
*   Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
*   Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
*   Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
*   Apply and consult vendor-recommended guidance for security hardening.
*   Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
*   Enhance IT and OT network segmentation and monitoring.
*   Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.

Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state sponsored attacks as well, although the latter can be even more targeted in some situations.

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Further on, CISA  urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, recognize the need for low or no-cost enhanced logging, and other exploitable issues identified in the guide.

Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 FBI and CISA publish guide to Living off the Land techniques 

LastPass has warned about a fake app called LassPass, available in the Apple App Store.

Password Manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store.

The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident” it seems clear that this was a purposeful attempt to trick users installing the fake app.

The fake app can be recognized not only by the name, but other misspellings in the screenshots, and the app lists Parvati Patel as the developer and the privacy policy as hosted at bluneel\[.\]com. The developer of the legitimate LastPass app is LogMeIn, Inc. 

While using a genuine password manager provides extra security, entrusting your passwords to an app that is a rip-off does not. Obviously, storing all your passwords in an app that is not trustworthy can get you in all kinds of trouble, including identity theft.

We have not tested if the app sends your passwords to a third-party, but we should assume that it does just that.

In the App Store the impersonator claims to be “Trusted by over 1+ million users and 10,000+ businesses” which clearly can’t be right and was most certainly copied from LastPass.

LastPass states that it is:

> “… actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property“

But at the time of writing the app was still available in the Apple App Store.

Malwarebytes Premium and Malwarebytes Browser Guard block the domain bluneel\[.\]com so users will see a warning about the trustworthiness of the app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Warning from LastPass as fake app found on Apple App Store 

A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques— to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the amount of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 2 million job seekers targeted by data thieves 

Your essential guide to toothbrush security.

February 7, 2024 - We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

February 6, 2024 - The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

February 6, 2024 - Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

February 6, 2024 - Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 5, 2024 - Clorox has reported losses of $49 million following a cyberattack in mid-2023.

 How to tell if your toothbrush is being used in a DDoS attack 

We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Apparently Facebook is struggling to stop this campaign, so now this type of campaign is showing up in other languages than English.

I have seen two different types in German.

**First Facebook scam**

_Translation: Deadly accident on highway causes several fatalities_

Notable about this one is that it was posted as a fundraiser and does not allow comments, which blocks me from posting a warning that this is a scam.

I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.

In the past we’ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.

The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. Although googleapis.com is a legitimate service provided by Google, it’s being abused by all sorts of cybercriminals for phishing, tech support scams, and in this case fingerprinting. The script on that site looks at your IP address, your type of machine and whether you are using a VPN. Based on the analysis of that information you are forwarded to the type of scam that is likely to be the most profitable.

An example of a redirect URL shows some of the elements that were fingerprinted.

https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw&click_id=da5d3q51mm737150e7&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows

Malwarebytes has already blocked the windyplentiful.com domain for Malvertising.

_Malwarebytes Premium blocks the domain windyplentiful.com_

**Second Facebook scam**

The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this highly unlikely to have happened on the German autobahn.

_Translation: Accident causes several victims including a child_

Not only is the picture clearly not German, the grammar used in the sentence is another sign as it’s a bad translation.

When I set my VPN to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.

Switching back to the Netherlands I got to “enjoy” sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering browser push notifications.

These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.

Several attempts on both images led to different domains as well. Other blocks we encountered during our research:

_Malwarebytes Premium blocks 188.114.96.0_

_Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top_

**How to recover from a Facebook scam**

You can recognize this type of scam because they usually tag several friends of the victim. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net/attachments and although the pages contain a link to Vimeo, the videos there have already been removed or were never even there.

If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. Simply changing the password is not always enough.

1.  Check for unknown and unused Facebook apps.
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings**.
    *   Click **Apps and Websites**.Go to the app or game you want to remove, then next to the name of the app or game, click **Remove**.
    *   Click **Remove** again to confirm.
2.  Enable two-factor authentication (2FA)
    *   Go to your **Security and Login Settings**.
    *   Scroll down to **Use two-factor authentication** and click **Edit**.
    *   Choose the security method you want to add and follow the on-screen instructions.
3.  Change your password on Facebook if you’re already logged in:
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings** (or **Accounts Center** if you’re on your phone).
    *   Click **Security and Login** (or **Password and Security** if you’re on your phone).
    *   Click **Edit** next to **Change password** (or just **Change password** if you’re on your phone).
    *   Enter your current password and new password.
    *   Click **Save Changes**.

If you’re logged in but have forgotten your password or it has been changed to something you don’t know, follow the steps above to change your password, then click **Forgot your password?** and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Facebook fatal accident scam still rages on 

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

 Known ransomware attacks up 68% in 2023 

Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 6, 2024 is Safer Internet Day. When I was asked to write about the topic, I misunderstood the question and heard: “can you cover save the internet” and we all agreed that it might be too late for that. While we laughed about it, it made me think.

The internet has been around for quite some time now, and most of us wouldn’t know what to do without it. Personally speaking, I would not have this job, I would not be able to work from home, I would not have met a great many online friends, and I would have to go shopping in person a lot more.

When I started actively using the internet in 1996, it looked completely different than it does today. There were no social media sites to speak of, companies were selling antivirus and anti-Trojan solutions, but nobody cared about adware, PUPs, and assorted nuisances. Firewalls on the other hand were considered a lot more important back then.

The reasons why people get infected with malware have not changed that much though:

*   **Free stuff**. Why pay when you can get it for free? Well, basically, because you always end up paying a price. Whether that free version displays ads or comes bundled with other software which you didn’t want. Or maybe because it’s not even what they promised it would be: not the game, movie, TV show, or software you were looking for.
*   **Fear**. Alarming messages on the screen make us think that we must be doing something wrong and convince us to install fake security software or fall prey to tech support scammers.
*   **Phishing emails**. Emails telling us that we urgently need to respond to prevent something or get rich, healthy, and happy, so we feel we have to click that link or open that attachment.

But in our defense, criminals have gotten a lot better at convincing us to do the “wrong” things. Social engineering has become a science that cybercriminals are masters at, although the Nigerian prince that keeps telling me about the blocked fortune he has waiting for me is still around.

With the help of Artificial Intelligence (AI) these techniques will become even better and can be fine-tuned so they can be adapted to the intended victim and become more targeted. Only recently we learned about a finance worker that paid out $25 million after a supposed video call with his chief financial officer, that turned out to be a deepfake. After reading that story, I felt very sorry for that finance worker. Even knowing that almost everyone would have fallen for that setup, probably doesn’t relieve you of the guilty feeling.

Social media has gone from a way to keep in touch with distant friends to gigantic money making machines that are all about advertising and algorithms that keep you busy on the platform for as long as they possibly can. Governments are now scrambling to protect at least the children of this generation against the ruthless environment that these social media platforms have become.

At some point, celebrities like Angelina Jolie and Brad Pitt hired online bodyguards to monitor the internet and social media content that their children, who ranged from ages 6 to 13 at the time, encounter. Unfortunately, we don’t all have the funds to follow their example, so we have to be our children’s internet guardians.

Other government actions concerning the internet and social media are more focused on trying to limit the power of the tech giants, rather than on our online safety and privacy.

For now, it seems we have to rely on our own solutions to guard our online privacy and protection. For some pointers, check out our internet safety tips. You may find some useful nuggets that you hadn’t come up with yourself.

Safer Internet Day takes place on the same day in February each year to raise awareness about a safer and better internet for all, and especially for children and young people. Let’s make the internet a safer place. If not for us, then for our children.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Safer Internet Day, or why Brad Pitt needed an internet bodyguard 

Clorox has reported losses of $49 million following a cyberattack in mid-2023.

Cleaning products maker Clorox has reported losses of $49 million in connection to a cyberattack it suffered in August of last year.

On Monday, August 14, 2023, Clorox disclosed it had identified unauthorized activity on some of its IT systems. Despite a business continuity plan, the incident resulted in wide-scale disruptions to the company’s operations throughout the quarter, which ended September 30, 2023.

Clorox says it expects operational impacts from the cyberattack to continue into the second quarter, though the majority of order processing operations have returned to automated processes. Among other consequences of the cyberattack, net sales are expected to decrease between about $487 million and $593 million.

The company never revealed the nature of the attack, but based on a brief description, we must assume it was a ransomware attack. Ransomware experts have attributed the attack to ALPHV/BlackCat, but attribution is hard. This is especially true when the victim decides to pay the ransom, because their details aren’t made public by the attackers. When an organization refuses to pay, the attacking ransomware group will typically publish the organization’s details, along with its data, on their leak site, which are our main source of information about who did what to who.

The ALPHV ransomware gang is arguably the second most dangerous “big game” ransomware operator, as you can see in many of our monthly ransomware reviews.

The costs of the cyberattack, which included payments to third-parties that were hired to help investigate and remediate the attack amounted to $49 million.

Clorox was forced to shut down many of its systems due to the attack, which triggered order processing delays and significant product outages.

The fact that the disruptions lasted as long as they did, does not bode well for the business continuity plan. Add to that the suspicion that the ransom was paid, and we can conclude that backups were perhaps insufficient or not readily deployable.

These are things that, however cumbersome, need to be tested. Waiting for the actual emergency as the first test is never a good idea. Another indication that things may not have been up to par was the chief information security officer (CISO) leaving in November, while the company was still recovering from the cyberattack.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Source

Malwarebytes