The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui.
"The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ said in a press release issued Tuesday.
The recovery of the bitcoin ransoms

The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui.

"The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ said in a press release issued Tuesday.

The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from.

"Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the DoJ's National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law enforcement."

Earlier this month, U.S. cybersecurity and intelligence agencies issued a joint advisory calling attention to the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

The incident targeting the unnamed Kansas facility is said to have occurred around the same time, prompting the Federal Bureau of Investigation (FBI) to uncover the never-before-seen ransomware strain.

It's currently not known how the seizure was orchestrated, but it's possible that it could have been carried out by following the money laundering trails to a cryptocurrency exchange that offers cash-out services to convert their illicit proceeds from bitcoin to fiat currency.

Besides espionage, North Korean threat actors have a storied history of directing financially-motivated hacks for the sanctions-hit nation in a multitude of ways, including targeting blockchain companies and leveraging cryptocurrency heists by making use of rogue wallet apps and exploiting crypto asset bridges.

Viewed in that light, ransomware adds yet another dimension to its multi-pronged approach of generating illegal revenues that help further its economic and security priorities.

The disruption highlights the U.S. government's continued success with cracking down on crypto-oriented criminal activities, enabling it to recoup ransomware payments associated with DarkSide and REvil as well as funds stolen in connection with the 2016 Bitfinex hack.

The development also follows a notification from the FBI, which warned that threat actors are offering victims what appear to be investment services from legitimate companies to trick them into downloading rogue apps aimed at defrauding them.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

FBI Seizes $500,000 Ransomware Payments and Crypto from North Korean Hackers

Growing cyber threats, tightening regulatory demands and strict cyber insurance requirements are driving small to medium-sized enterprises demand for strategic cybersecurity and compliance guidance and management. Since most companies this size don't have in-house CISO expertise – the demand for virtual CISO (vCISO) services is also growing. Yet current vCISO services models still rely on manual

Growing cyber threats, tightening regulatory demands and strict cyber insurance requirements are driving small to medium-sized enterprises demand for strategic cybersecurity and compliance guidance and management. Since most companies this size don't have in-house CISO expertise – the demand for virtual CISO (vCISO) services is also growing. Yet current vCISO services models still rely on manual, humanCISO expertise. This makes these services costly and tough to scale – leaving MSPs, MSSPs and consulting firms unable to add vCISO service to their portfolio or scale their existing vCISO services to meet the growing demand.

This is the challenge Cynomi's Automated vCISO platform is trying to solve. The company's AI-powered vCISO platform automatically generates everything vCISO service providers need to provide their clients, fully customized for each and every client: risk and compliance assessments, gap analysis, tailored security policies, strategic remediation plans with prioritized tasks, tools for ongoing task management, progress tracking and customer-facing reports.

Cynomi enables managed service providers and consulting firms to provide ongoing vCISO services at scale by automating much of the manual, expert and time-consuming vCISO work, empowering their existing teams.

In this review we'll take a deep dive into how Cynomi works, and the potential benefits service providers and consultants can derive from the platform.

****Setting up and managing multitenant client accounts****

Cynomi was designed from the ground up for multitenancy. This means that service providers can offer the Cynomi platform to any number of their clients - managing each separately. The system enables this by letting service providers independently create and manage a separate sub-account for each client. For each client, service providers can create users and delegate roles or ownership within their team.

To onboard a new client, the service provider fills the onboarding questionnaire:

The results of the onboarding questionnaire determine which follow up proprietary questionnaires you'll need to fill for your client

The service provider also runs the Cynomi proprietary scans that assess each client's external-facing assets - discovering critical vulnerabilities in externally visible IPs and URLs, and covering ports, protocols, encryption types, web sites, web applications, emails, DNS servers and certifications.

Cynomi also enables service providers to conduct scans of internal client assets like Office365, Active Directory and more.

The service provider can drill down into each finding from a scan to see an in-depth description and remediation options. Vulnerabilities detected are automatically added to the account task list, and prioritized according to their severity.

MSP staff can drill down into each finding from each scan to see an in-depth description and remediation options. Vulnerabilities detected are automatically added to the account task list, according to their severity. Cynomi also enables service provider to conduct scans of internal client assets like Office365, Active Directory and more.

****AI-driven assessment****

Based on the questionnaires and scans, Cynomi creates a cyber profile for each client. It then continuously parses the findings from questionnaires and scans against industry-specific security standards, regulatory frameworks, and threat intelligence. The Cynomi technology engine, modeled after the knowledge of the world's best CISOs, then generates the vCISO dashboard, a single-pane-of-glass view of each client's overall security posture, including:

*   Overall security posture score
*   Vulnerability and exploit gap analysis
*   Risk score for specific threat vectors
*   Tailor-made cybersecurity policies
*   Actionable, prioritized remediation tasks
*   And more

****Tailored security policies****

Cynomi automatically generates a set of NIST-based security policies. These are custom-created for each client and crafted to be easy-to-follow and actionable. These policies are completely editable, allowing the service provider to customize them.

On the Cynomi policies dashboard, service providers can view the compliance status for all policies generated, and drill down into the details of each. For example, the access policy screen below shows the client's score, and allows drill-down into a breakdown of the policy's requirements.

****Remediation plans with actionable, prioritized tasks****

Cynomi automatically creates remediation tasks, with priority and impact rate of each task, via AI algorithms modeled after the knowledge of the world's best CISOs. Task types range from technical controls and procedures to configuration of security components and more. Service providers can customize the tasks, changing their priority, and add/remove tasks.

On the tasks screen below, filters enable account managers to concentrate on specific domains, jump back to tasks that are already in progress or focus on high severity tasks only. All progress is tracked, and tasks completed are automatically reflected in the client's overall security posture score. Cynomi enables drill down into any task for a step-by-step guidance to put a control in place or mitigate a gap.

****Continuous updates****

Unlike one-time assessment tools, Cynomi continuously updates all client risk scores, compliance readiness, policies and tasks. Changes to client environments, regulatory regimes and industry threat intelligence are automatically reflected in Cynomi. This assures managed service providers and consultants that Cynomi always presents up-to-date information, and automatically updates policies and tasks – so they don't have to do it themselves.

****The Bottom Line****

Cynomi opens new recurring revenue streams for service providers that don't yet offer vCISO services, while using their existing staff. For those that do offer vCISO services, Cynomi enables them to scale these services – without scaling in-house resources, by reducing dependency on manual expert work, and cutting vCISO work to a fraction of the time.

Whatever their current offering, services providers can leverage Cynomi to increase their sales pipeline – leveraging the platform's comprehensive risk and compliance assessments to drive new opportunities. They can also enjoy more upsells, since Cynomi's findings and recommendations substantiate and demonstrate the impact of new services and tools. And most importantly, in today's hyper-competitive market, Cynomi helps service providers lower churn with ongoing, strategic services that increase customer trust and satisfaction. To learn more about Cynomi, visit www.cynomi.com.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cynomi Automated Virtual CISO (vCISO) Platform for Service Providers

A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.

CVE-2020-36558

A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.

commit 9fbe5c87eaa9b72db08425c52c373eb5f6537a0a Author: Greg Kroah-Hartman Date: Thu Apr 2 08:02:32 2020 +0200 Linux 5.6.2 commit cea1c66b816e4f13ad7609cd0082e8f1ff98de0f Author: Georg Müller Date: Mon Feb 3 21:11:06 2020 +0100 platform/x86: pmc\_atom: Add Lex 2I385SW to critclk\_systems DMI table commit 95b31e35239e5e1689e3d965d692a313c71bd8ab upstream. The Lex 2I385SW board has two Intel I211 ethernet controllers. Without this patch, only the first port is usable. The second port fails to start with the following message: igb: probe of 0000:02:00.0 failed with error -2 Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK\_IS\_CRITICAL") Tested-by: Georg Müller Signed-off-by: Georg Müller Reviewed-by: Hans de Goede Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 4d8b01733206b8016f6f5c853fdf02ec07f8e25c Author: Eric Biggers Date: Sat Mar 21 20:43:05 2020 -0700 vt: vt\_ioctl: fix use-after-free in vt\_in\_use() commit 7cf64b18b0b96e751178b8d0505d8466ff5a448f upstream. vt\_in\_use() dereferences console\_driver->ttys\[i\] without proper locking. This is broken because the tty can be closed and freed concurrently. We could fix this by using 'READ\_ONCE(console\_driver->ttys\[i\]) != NULL' and skipping the check of tty\_struct::count. But, looking at console\_driver->ttys\[i\] isn't really appropriate anyway because even if it is NULL the tty can still be in the process of being closed. Instead, fix it by making vt\_in\_use() require console\_lock() and check whether the vt is allocated and has port refcount > 1. This works since following the patch "vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console" the port refcount is incremented while the vt is open. Reproducer (very unreliable, but it worked for me after a few minutes): #include #include int main() { int fd, nproc; struct vt\_stat state; char ttyname\[16\]; fd = open("/dev/tty10", O\_RDONLY); for (nproc = 1; nproc < 8; nproc \*= 2) fork(); for (;;) { sprintf(ttyname, "/dev/tty%d", rand() % 8); close(open(ttyname, O\_RDONLY)); ioctl(fd, VT\_GETSTATE, &state); } } KASAN report: BUG: KASAN: use-after-free in vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] BUG: KASAN: use-after-free in vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 Read of size 4 at addr ffff888065722468 by task syz-vt2/132 CPU: 0 PID: 132 Comm: syz-vt2 Not tainted 5.6.0-rc5-00130-g089b6d3654916 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Allocated by task 136: \[...\] kzalloc include/linux/slab.h:669 \[inline\] alloc\_tty\_struct+0x96/0x8a0 drivers/tty/tty\_io.c:2982 tty\_init\_dev+0x23/0x350 drivers/tty/tty\_io.c:1334 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 41: \[...\] kfree+0xbf/0x200 mm/slab.c:3757 free\_tty\_struct+0x8d/0xb0 drivers/tty/tty\_io.c:177 release\_one\_tty+0x22d/0x2f0 drivers/tty/tty\_io.c:1468 process\_one\_work+0x7f1/0x14b0 kernel/workqueue.c:2264 worker\_thread+0x8b/0xc80 kernel/workqueue.c:2410 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-3-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 903f879e510838969d93506eea1a498fc9928c51 Author: Eric Biggers Date: Sat Mar 21 20:43:04 2020 -0700 vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream. The VT\_DISALLOCATE ioctl can free a virtual console while tty\_release() is still running, causing a use-after-free in con\_shutdown(). This occurs because VT\_DISALLOCATE considers a virtual console's 'struct vc\_data' to be unused as soon as the corresponding tty's refcount hits 0. But actually it may be still being closed. Fix this by making vc\_data be reference-counted via the embedded 'struct tty\_port'. A newly allocated virtual console has refcount 1. Opening it for the first time increments the refcount to 2. Closing it for the last time decrements the refcount (in tty\_operations::cleanup() so that it happens late enough), as does VT\_DISALLOCATE. Reproducer: #include #include #include #include int main() { if (fork()) { for (;;) close(open("/dev/tty5", O\_RDWR)); } else { int fd = open("/dev/tty10", O\_RDWR); for (;;) ioctl(fd, VT\_DISALLOCATE, 5); } } KASAN report: BUG: KASAN: use-after-free in con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 Write of size 8 at addr ffff88806a4ec108 by task syz\_vt/129 CPU: 0 PID: 129 Comm: syz\_vt Not tainted 5.6.0-rc2 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 release\_tty+0xa8/0x410 drivers/tty/tty\_io.c:1514 tty\_release\_struct+0x34/0x50 drivers/tty/tty\_io.c:1629 tty\_release+0x984/0xed0 drivers/tty/tty\_io.c:1789 \[...\] Allocated by task 129: \[...\] kzalloc include/linux/slab.h:669 \[inline\] vc\_allocate drivers/tty/vt/vt.c:1085 \[inline\] vc\_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066 con\_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229 tty\_driver\_install\_tty drivers/tty/tty\_io.c:1228 \[inline\] tty\_init\_dev+0x94/0x350 drivers/tty/tty\_io.c:1341 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 130: \[...\] kfree+0xbf/0x1e0 mm/slab.c:3757 vt\_disallocate drivers/tty/vt/vt\_ioctl.c:300 \[inline\] vt\_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt\_ioctl.c:818 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4e1c0484b7f84f55713b1eb1faf641ae49496bb1 Author: Eric Biggers Date: Mon Feb 24 00:03:26 2020 -0800 vt: vt\_ioctl: remove unnecessary console allocation checks commit 1aa6e058dd6cd04471b1f21298270014daf48ac9 upstream. The vc\_cons\_allocated() checks in vt\_ioctl() and vt\_compat\_ioctl() are unnecessary because they can only be reached by calling ioctl() on an open tty, which implies the corresponding virtual console is allocated. And even if the virtual console \*could\* be freed concurrently, then these checks would be broken since they aren't done under console\_lock, and the vc\_data is dereferenced before them anyway. So, remove these unneeded checks to avoid confusion. Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200224080326.295046-1-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit e50d4c4fecccef226a86e2a6be20ad376138e9ec Author: Jiri Slaby Date: Wed Feb 19 08:39:48 2020 +0100 vt: switch vt\_dont\_switch to bool commit f400991bf872debffb01c46da882dc97d7e3248e upstream. vt\_dont\_switch is pure boolean, no need for whole char. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 270db0384de5867ca046c09418f129f5f78072f5 Author: Jiri Slaby Date: Wed Feb 19 08:39:44 2020 +0100 vt: ioctl, switch VT\_IS\_IN\_USE and VT\_BUSY to inlines commit e587e8f17433ddb26954f0edf5b2f95c42155ae9 upstream. These two were macros. Switch them to static inlines, so that it's more understandable what they are doing. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 3f0e2212be7c46a4a43df30c1dc4618e28ad94f9 Author: Jiri Slaby Date: Wed Feb 19 08:39:43 2020 +0100 vt: selection, introduce vc\_is\_sel commit dce05aa6eec977f1472abed95ccd71276b9a3864 upstream. Avoid global variables (namely sel\_cons) by introducing vc\_is\_sel. It checks whether the parameter is the current selection console. This will help putting sel\_cons to a struct later. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit aab76df91483a8803a001c3f5e25b0a8d43f8151 Author: Lanqing Liu Date: Mon Mar 16 11:13:33 2020 +0800 serial: sprd: Fix a dereference warning commit efc176929a3505a30c3993ddd393b40893649bd2 upstream. We should validate if the 'sup' is NULL or not before freeing DMA memory, to fix below warning. "drivers/tty/serial/sprd\_serial.c:1141 sprd\_remove() error: we previously assumed 'sup' could be null (see line 1132)" Fixes: f4487db58eb7 ("serial: sprd: Add DMA mode support") Reported-by: Dan Carpenter Signed-off-by: Lanqing Liu Cc: stable Link: https://lore.kernel.org/r/e2bd92691538e95b04a2c2a728f3292e1617018f.1584325957.git.liuhhome@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7908d2658f92b5164d715959d51ebb88f4ad891b Author: Johannes Berg Date: Sun Mar 29 22:50:06 2020 +0200 mac80211: fix authentication with iwlwifi/mvm commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. The original patch didn't copy the ieee80211\_is\_data() condition because on most drivers the management frames don't go through this path. However, they do on iwlwifi/mvm, so we do need to keep the condition here. Cc: stable@vger.kernel.org Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211\_tx\_dequeue() case") Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Cc: Woody Suwalski Signed-off-by: Greg Kroah-Hartman commit cb7cd49c9c281cf00fa38a53c2e6ccf708318b87 Author: Daniel Borkmann Date: Fri Jan 24 14:21:14 2020 +0000 bpf: update jmp32 test cases to fix range bound deduction \[ no upstream commit \] Since commit f2d67fec0b43 ("bpf: Undo incorrect \_\_reg\_bound\_offset32 handling") has been backported to stable, we also need to update related test cases that started to (expectedly) fail on stable. Given the functionality has been reverted we need to move the result to REJECT. Reported-by: Naresh Kamboju Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman

CVE-2020-36557

New global study from ESG and ISSA reveals nearly half of organizations are consolidating or plan on consolidating the number of vendors they do business with

EWTON, Mass. & VIENNA, Va.--(BUSINESS WIRE)--Driven by security operations complexity, nearly half (46%) of organizations are consolidating or plan on consolidating the number of vendors they do business with. As a result of this drive toward security technology consolidation, 77% of infosec pros would like to see more industry cooperation and support for open standards promoting interoperability. As thousands of cybersecurity technology vendors compete against each other across numerous security product categories, organizations are aiming to optimize _all_ security technologies in their stack at once, and vendors that support open standards for technology integration will be best positioned to meet this change in the industry, according to a new annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG).

The new research report, _Technology Perspectives from Cybersecurity Professional_s, surveyed 280 cybersecurity professionals, which were primarily ISSA members, focused on security processes and technologies and revealed that 83% of security professionals believe that future technology interoperability depends upon established industry standards. The report shows a cybersecurity landscape that looks favorably towards security product suites (or platforms) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products; a historical precedent that has steadily increased organizational complexity and contributed to substantial operations overhead.

**From Best-of-Breed to Integrated Platforms**

Security professionals have long believed that purchasing best-of-breed products provided the best overall defense-in-depth. However, as the number of security products has skyrocketed, many organizations manage 25 or more independent security tools—an approach that comes with substantial operations overhead.

Security professionals identified numerous problems associated with managing an assortment of security products from different vendors such as increased training requirements, difficulty getting a holistic picture of security, and the need for manual intervention to fill the gaps between products. As a result of these issues, 21% of organizations are consolidating the number of vendors they do business with and 25% are considering consolidating.

**Most common reasons for vendor consolidation**

*   Operational efficiencies realized by security and IT teams (65%)
*   Tighter integration between previously disparate security controls (60%)
*   Improved threat detection efficiency (i.e., accurate high-fidelity alerts, better cyber-risk identification, etc.) (51%)

In addition:

*   53% tend to purchase or will in the future purchase security technology platforms rather than best-of-breed products
*   84% believe that a product’s integration capabilities are important and 86% of respondents say it is either critical or important that best-of-breed products are built for integration with other products
*   After cost (46%), product integration capabilities are the most important security product consideration for 37% of security professionals

**Evaluating “enterprise-class” security vendors**

As the security technology market consolidates, “centers of gravity” will become established around a few large vendors and affect future buying strategies; organizations will place more bets on fewer security technology vendors. According to cybersecurity professionals, the most important attributes for an enterprise-class cybersecurity vendor are:

*   A proven track record of executing its cybersecurity product roadmap and strategy (34%)
*   Provides products designed for enterprise-scale, integration, and business process requirements (33%)
*   Commitment to reducing operational complexity, lowering cost of ownership (31%)

“Given that nearly three-fourths (73%) of cybersecurity professionals feel that vendors engage in hype over substance, the vendors that demonstrate a genuine commitment towards supporting open standards will be best positioned to survive the industry-wide consolidation taking place,” said Candy Alexander, Board President, ISSA International. “CISOs have been so overburdened with vendor noise and dealing with security ‘tool sprawl’ that for many a wave of vendor consolidation is like a breath of fresh air.”

“The report reveals a massive change taking place within the industry, one that for many feels like a long time coming,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow. “The fact that 36% of organizations might be willing to buy most security technologies from a single vendor speaks volumes to the shift in purchasing behavior as CISOs are openly considering security platforms in lieu of best-of-breed point tools.”

After reviewing this data, ESG and ISSA recommend that organizations push their security vendors to adopt open industry standards, possibly in cooperation with industry ISACs. There are a few established security standards from MITRE, OASIS, and the Open Cybersecurity Alliance (OCA), available, and while many vendors speak favorably of open standards, most do not actively participate or contribute to them.

This lukewarm behavior could change quickly, however, if cybersecurity professionals—especially those at organizations large enough to send a signal to the market—establish best practices for vendor qualification with process requirements that include adopting and developing open standards for technology integration as part of the comprehensive process for all security technology procurement.

The full report can be downloaded here.

**About ESG**

Enterprise Strategy Group (ESG) is an integrated technology analysis, research, and strategy firm providing market intelligence, actionable insight, and go-to-market content services to the global technology community. It is increasingly recognized as one of the world’s leading analyst firms in helping technology vendors make strategic decisions across their go-to-market programs through factual, peer-based research. ESG is a division of TechTarget, Inc. (Nasdaq: TTGT), the global leader in purchase intent-driven marketing and sales services focused on delivering business impact for enterprise technology companies.

**About ISSA**

The Information Systems Security Association (ISSA)™ is the community of choice for international cyber security professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information and infrastructure. ISSA members and award winners include many of the industry’s notable luminaries and represent a broad range of industries – from communications, education, healthcare, manufacturing, financial and consulting to IT – as well as federal, state and local government departments and agencies. Through regional chapter meetings, conferences, networking events and content, members tap into a wealth of shared knowledge and expertise. Follow us on Twitter at @ISSAINTL. Learn more about ISSA.

Cybersecurity Professionals Push Their Organizations Toward Vendor Consolidation and Product Integration

The ACLU released a trove of documents showing how Homeland Security contracted with surveillance companies to scour location information.

For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a “glimpse” of how DHS agencies came to leverage “a shocking amount” of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.

Documents were shared with the ACLU “over the course of the last year through a Freedom of Information Act (FOIA) lawsuit.” Then Politico got access and released a report confirming that DHS contracted with two surveillance companies, Babel Street and Venntel, to scour hundreds of millions of cell phones from 2017 to 2019 and access “more than 336,000 location data points across North America.” The collection of emails, contracts, spreadsheets, and presentation slides provide evidence that “the Trump administration's immigration enforcers used mobile location data to track people's movements on a larger scale than previously known,” and the practice has continued under Biden due to a contract that didn't expire until 2021.

The majority of the new information details an extensive contract DHS made with Venntel, a data broker that says it sells mobile location data to solve “the world's most challenging problems.” In documents, US Customs and Border Patrol said Venntel's location data helped them improve immigration enforcement and investigations into human trafficking and narcotics.

It's still unclear whether the practice was legal, but a DHS privacy officer was worried enough about privacy and legal concerns that DHS was ordered to “stop all projects involving Venntel data” in June 2019. It seems that the privacy and legal teams, however, came to an agreement on use terms, because the purchase of location data has since resumed, with Immigration and Customs Enforcement signing a new Venntel contract last winter that runs through June 2023.

The ACLU still describes the practice as “shadowy,” saying that DHS agencies still owed them more documents that would further show how they are “sidestepping” the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people's cell phone location information quietly extracted from smartphone apps.” Of particular concern, the ACLU also noted that an email from DHS's senior director of privacy compliance confirmed that DHS “appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved.”

DHS did not comment on the Politico story, and neither the DHS agencies mentioned nor the ACLU immediately responded to Ars' request for comment.

The ACLU says that no laws currently prevent data sales to the government, but that could change soon. The ACLU endorses a bill called the Fourth Amendment Is Not for Sale Act, which is designed to do just that. Even if that bill is passed, though, the new law would still provide some exceptions that would allow government agencies to continue tracking mobile location data. The ACLU did not immediately respond to comment on any concerns about those exceptions.

How to Stop Location Data Tracking

The main question being debated is whether a Supreme Court decision in 2017 that said police must have a warrant to search cell phone data applies to government agencies like DHS. It's a gray area, the Congressional Research Service says, because “the Supreme Court has long recognized that the government may conduct routine inspections and searches of individuals entering at the US border without a warrant” and that “some federal courts have applied the 'border search exception' to allow relatively limited, manual searches at the border of electronic devices such as computers and cell phones.”

DHS isn't the only government agency that considers itself an exception, though. In 2021, the Defense Intelligence Agency also purchased location data without a warrant, bypassing the 2017 Supreme Court decision because the Department of Defense has its own "Attorney General-approved data handling requirements."

It's all part of a troubling pattern that shows a growing preference for the practice across many government agencies that have considered themselves exempt from legal concerns over the past few years.

Now, as privacy concerns over data tracking by law enforcement have heightened in post-_Roe v. Wade_ America, more mobile phone users are considering ways to keep their data private.

The first step for many might be to stop sharing location data with untrustworthy apps or maybe even entirely. Any time an app asks to track location data, users can either opt in or out. The ACLU told Politico that this opt-in process is what gives third-party vendors like Venntel the right to grant government access to data, claiming users have given permission to share with the government just by opting in.

“It's very clear that when people are doing that, they're not expecting that that's going to be potentially creating this massive database of their entire location history that's available to the government at any time,” Shreya Tewari, the Brennan fellow for the ACLU's Speech, Privacy and Technology Project, told Politico.

For mobile phone users concerned about DHS data tracking, users can specifically opt out of Venntel data collection.

There's not enough information identifying other contracts DHS might have with other vendors selling location data. The ACLU did not comment on the next steps to retrieve the rest of the DHS documents the organization requested, but its initial FOIA request asked for all contracts “concerning government access to or receipt of data from commercial databases containing cell phone location information.” That information may come in a future document dump, as the ACLU lawsuit states, but history proves DHS is not always prompt to respond. The ACLU waited nine months for a response before suing and noted at that time that “DHS has even refused to provide its legal memorandum about these practices to US senators who have requested it.”

The Fourth Amendment Is Not for Sale Act was introduced in Congress in April last year, where it was read twice and then referred to the Committee on the Judiciary. A request for an update on the bill's progress from one of its most vocal authors, Senator Ron Wyden, Democrat of Oregon, did not yield an immediate response. The ACLU advises that officials act sooner rather than later, saying, "Lawmakers must seize the opportunity to end this massive privacy invasion without delay. Each day without action only allows the government's covert trove of our personal information to grow."

_This story originally appeared on_ _Ars Technica__._

The DHS Bought a ‘Shocking Amount’ of Phone-Tracking Data

The rapidly growing Atlas Intelligence Group relies on cyber-mercenaries to carry out its missions.

A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG's DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. That's unlike most threat groups. which recruit and maintain the same team of hackers for different campaigns.

**A Model for OpSec**

AIG's model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

"AIG is the first group I've seen that is using this business model," says Shmuel Gihon, security researcher with Cyberint. "Every team has its leaders, and every team has key members. But here it's different: we have one leader that controls everything and everyone."

AIG's business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world in recent years. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based "Void Balaur," a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on thousands of organizations and individuals for several years.

Gihon says Cyberint's analysis of AIG's activities shows it is being run by a secretive individual using the handle "Mr. Eagle." This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals that are operating under this leader, and who are responsible for tasks such as advertising the group's services, communicating with customers, and operating its Telegram channels.

"What makes them different is the fact that they are very good \[at\] making themselves anonymous and approaching this operation as entrepreneurs and not as technical people," Gihon says. The group's behavior suggests the core members — or at least its leader — were red teamers or malicious hackers that have decided to lead rather than operate.

"They have been around in the darknet and in the cybercrime industry for a while and observed how things are operating," he added.

**Telegram Communications**

Cyberint said it has observed the group use three different Telegram channels, with thousands of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in different sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale via the Telegram channel suggests that AIG isn't focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks might be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

"AIG claims that these databases are exclusive, so the assumption is that they obtained it \[via\] their contractors," Gihon says. Given the low price, it is unlikely that AIG obtained them from a third-party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it might be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group's source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG's third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG's services and stolen databases using cryptocurrency.

Gihon says AIG's business model gives it a level of flexibility that other threat groups do not have.

"The leader is not bound to any one of the members because they are all contractors," he says. "So, while other groups have their ups and downs given the fact that they are the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime," he says. "This could make this team very lethal in the end game."

'AIG' Threat Group Launches With Unique Business Model

CHICAGO, July 20, 2022 /PRNewswire/ -- **Data-centric Security Market** **size is projected to grow from an estimated value of USD 4.2 billion in 2022 to USD 12.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 23.9% from 2022 to 2027** **according to a new report by MarketsandMarkets™.** The need to secure most sensitive information (credit card numbers, intellectual property, or medical records), stringent compliances and regulations; the need to secure sensitive data on cloud, and growing data breach incidents is driving the growth of data-centric security market across the globe.

**_Browse in-depth TOC on_** **"Data-centric Security Market"  
362 – Tables  
41 – Figures  
269 – Pages**

**Download Report Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1504980

**By component, the services segment to register the highest growth rate during the forecast period**

Based on component, data-centric security services have witnessed a growing demand in recent years. The services segment includes various services that are required to deploy, execute, and maintain data-centric security platforms in organizations. Enterprises need support from service providers to enhance their data management, policy control, auditing & reporting, data protection, and for maintaining the governance over various silos. Professional service providers help enterprises in deploying data centric security software and solutions and managing all the queries in the product life cycle.

The professional services are offered through professionals, specialists, or experts to support the business. These services include consulting, designing and development and implementation, and support services. The latest techniques, strategies, and skills adopted by the professionals are said to be helping organizations in adopting data centric security features. They also offer customized implementation and risk assessment and assist with the deployment via industry-defined best practices.

With the increasing demand for data-centric security solutions in high-growth markets such as APAC and MEA, there is a significant demand for training and education services to spread awareness about various data-centric security solutions.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=1504980

**Based on organization size, the SMEs segment to grow at the highest CAGR during the forecast period**

By organization size, the data centric security market is sub-segmented into large enterprises and SMEs. SMEs use data centric security solutions to reduce data fraud while enhancing the customer experience. The growing usage of mobile devices has influenced the data transfer over business networks to personal devices, such as mobile phones and laptops. Hence, this helps in increasing the fraudulent data, cyberattacks, data losses, and threat of personal data thefts. These rising security issues have made way for SMEs to focus their concerns on data centric security. Although, SMEs have to consider their limited budget, the comprehension of corporate information being an important consideration, makes them use data discovery and classification, data protection, and data governance solutions. Moreover, these solutions are available at economical pricing in the cloud deployment type. In the coming years, data centric security solutions are expected to witness high adoption among SMEs, all over the region.

**North America to hold the largest market share in 2022**

North America is estimated to account for the highest market share in the data-centric security market in 2022. The region comprises some of the key vendors that offer data-centric security solutions and services; some of them are Informatica, IBM, Broadcom, Micro Focus, Varonis Systems, Forcepoint, among others. By country, the US is expected to hold the largest market share owing to the growing data breach incidents. Implementing these technologies enables large amounts of data to be operated upon, which has resulted in widespread adoption of cloud-based solutions and investments in the data-centric security market. North America is a highly regulated region in the world with numerous regulations and compliances, such as the Federal Energy Regulatory Commission (FERC), HIPAA, PCI DSS, and SOX, across verticals. All these factors contribute to the high market share.

**Speak to Research Expert:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1504980

The major Players in data-centric security market are Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Market Players**

Key and innovative vendors in the data-centric security market include Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Browse Adjacent Markets:** Information Security Market Research Reports & Consulting

**Related Reports:**

**Data Discovery Market** by Component, Functionality, Organization Size, Deployment Mode, Application, Vertical (BFSI, Healthcare and Life Sciences, Telecommunications and IT, Manufacturing), and Region - Global Forecast to 2025

**Serverless Security Market** by Service Model (BaaS and FaaS), Security Type (Data, Network, Perimeter, and Application), Deployment Mode (Public and Private), Organization Size (SMEs and Large enterprises), Vertical, and Region - Global Forecast to 2026

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Data-Centric Security Market Worth $12.3B by 2027 - Exclusive Report by MarketsandMarkets™

The LAPSUS$ group emerged with a big splash at the end of 2021, targeting companies, including Okta, with a "reckless and disruptive" approach to hacking.

The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.  

However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

**Chaos, Lack of Logic Part of the Plan**

"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.

Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.

"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.

**LAPSUS$ Members Likely Still Active**

Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.

He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

**Money as the Main Motivator**

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time." 

He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.

Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Any time conflict erupts, people tend to take sides, even when it comes to cybercrime. Since the beginning of the ongoing Russian-Ukrainian war, some bad actors have made their alliances known publicly.

The Conti Ransomware-as-a-Service (RaaS) group is one of the most notable – declaring in February that they were backing Russia and would use their arsenal accordingly.

Their latest target seems to be the entire country of Costa Rica, which expressed its opposition to the Russian invasion. This begs the question: Should other countries be concerned? Why is this happening now, and what does it portend?

**The rise of Conti**

The Conti ransomware group is behind many prominent attacks, including the one that took down the Irish healthcare service in May 2021. Conti was also ranked by the FBI (PDF) as the top ransomware variant targeting critical infrastructure in 2021. The bureau identified at least 16 attacks by Conti ransomware against U.S. healthcare and First Responder networks, including emergency medical services, law enforcement agencies and 9-1-1 dispatch centers last year.

Last year, Conti’s internal chat logs were leaked – essentially, their playbook was made public. And more internal records leaked earlier this year showed the group was essentially operating like a company. These documents – ironically leaked in retaliation for Conti’s pro-Russia stance – showed that the ransomware ring has a human resources department, offers bonuses and even names an employee of the month.

And since then, what we’re seeing and hearing seems to indicate that Conti is trying to overcome these reputational setbacks by setting out to prove they are legitimate, sophisticated and still very relevant. We’re seeing this in terms of how they recruit, too – going after other threat actors and holding, essentially, recruitment events not that different from what you might expect from big Silicon Valley companies (though obviously a bit more underground).

While we don’t think they’re a nation-state actor, they’ve certainly made their affiliation well-known and are acting accordingly. That said, the driving factor still always comes back down to money. and they’re trying to make sure they stay on top.

****The Evolution of Ransomware****

The attack on Costa Rica has cost the nation millions of dollars. Tax payments were disrupted and staff at the 27 affected government agencies had to revert to pen and paper as their computers remained useless. With this attack, there’s evidence that this is essentially an attempt by Conti to “rebrand” – with news coming not long after the attack that Conti was shutting down in its current form.

But the big takeaway here is – what do attacks like the one against an entire nation say about how ransomware is evolving? For one thing, while money is still obviously the driving factor, we’re seeing that notoriety and “fame-seeking” also plays a role. Conti has been direct in its desire to not only extort money but to overthrow the Costa Rican government – that’s a new wrinkle in ransomware that only adds to the attackers’ notoriety.

We’re also seeing attacks that seem primarily focused on destruction. FortiGuard Labs researchers recently uncovered a new variant of Chaos ransomware in which the attacker has no intention of providing a decryption tool or file instructions – it’s all about destroying whatever it can.

Bad actors are clearly trying to stoke fear about what could possibly happen. There is still the financial component of ransomware, but at the same time, they are trying to flex their muscles more. It’s quite possible that there are competing philosophical differences between the groups. But it’s definitely more about spreading fear so that companies will pay whatever attackers ask. As tensions rise, that can change daily.

What does this signify in terms of how malware and ransomware are evolving? We’re likely going to see much more destructive ransomware attacks with wiper malware, which will completely destroy data. We’re going to see more aggressive ransomware attacks using Wiper malware. What we’re seeing is that bad actors are now less afraid of using more sophisticated attacks – they’re no longer afraid to try those out – and, unfortunately, it’s going to be much harder to contain and detect them.

****Stay strong****

More recently, the Chaos ransomware variant has sided with Russia, leaving observers to wonder what this could mean from a cybersecurity standpoint. The implications for cyber proxy wars are huge, both for national governments and the profitable companies within their borders. Taking a stand could now unleash additional, digital consequences.

However, organizations don’t have to cower before ransom requests if they have the proper security strategy in place. This includes a comprehensive and integrated security mesh, current threat intelligence, a strong cyber hygiene program and top-notch employee training. Keep your ear to the ground and continue to execute on both advanced and basic security measures, and you’re likely to weather the ransomware storms.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Tag

#intel