Looks Like Your Insurer Probably Won’t Be Covering Your Latest Malware Breach…

No Gravatar

So, this was a bit of an eye-opener on the financial effects from the latest corporate Malware breaches; Insurance Companies are declining coverage on the latest corporate malware breaches! In a recent article in the New York Times, it was brought to light that Mondelez International, a major global player in the food industry and one of hundreds of companies affected worldwide by the NotPetya attack in 2017, would have to bear the full burden of the more than $100MM financial hit the company experienced. Company executives had expected that their insurer, Zurich Insurance, to reimburse Mondelez for the financial blow it had suffered, only to be declined. Zurich had cited a common “war exclusion” clause that protected it and other insurers from being responsible for costs related to the damage from war. Mondelez was the unfortunate collateral damage in a never-ending cyberwar.

According to the NYT article, the 2017 NotPetya attack “was a watershed moment for the insurance industry”. Insurers, since then, have been utilizing the “war exclusion” clause in order to avoid claims related to digital attacks. Further justification was provided to insurers when the US government assigned responsibility for the NotPetya malware to Russia in 2018.

Naturally, Mondelez was not the only large conglomerate that was adversely affected by this shift coverage responsibility by the insurance industry; pharmaceutical goliath Merck, who had suffered a NotPetya attack causing to the tune of $700MM in damage, had also been denied claims from its insurer. Needless to say, disputes are still playing out in court with these major players suing their insurers for rejecting claims related to the NotPetya attack based on the “war exclusion” clause. It is expected that these cases will take years to resolve. The results of the legal fights will set major precedents regarding who pays when businesses are hit by cyberattacks blamed on foreign governments, especially when many of these insurance policies explicitly cover “cyber events” (i.e. cyber attacks).

Unfortunately, cyberattacks are a unique challenge for insurers since malware moves fast and unpredictably; often leaving a broad and expensive swath of destruction in its wake. Risks can no longer be contained and limited in such an interconnected cyber landscape. According to some industry experts, there are a multitude of insurers who are currently sitting on insurance policies that were never underwritten nor understood to cover cyber risk. Many insurers had no idea of the kind of losses that could be faced from cyber attacks such as NotPetya; but they are quickly realizing the depth of the potential harm. As such, many insurance companies are rethinking their coverage of these types of events.

Reflecting on the above, do you know if YOUR organization is covered in the event of a cyber attack? With the ongoing lawsuits against the insurers, it may be years before the final judgement is in on whether or not the insurance companies are responsible and liable for providing relief against these types of attacks. In the mean time, almost assuredly, the costs of premiums for insuring against these attacks will be going up.

Again, we come back to our all-encompassing “Detect and Block” approach to cyber security. Having to rely on an insurance payout to make your organization “whole” again after a cyber attack is so reflective of the “Detect and Remediate” mindset that continues to be followed by most of the industry and, in our view, is the much much more expensive approach. With Wedge’s Advanced Malware Blocker, an attack by NotPetya would have easily been detected and blocked BEFORE it had a chance to get into the network and cause so much damage. With Wedge’s patented Deep Content Inspection, alongside the orchestrated best-in-breed malware heuristics and artificial intelligence neural engine, even a new, never-before-seen variation of the NotPetya malware (and other major global attack malware such as WannaCry, CoinMiner, Zeus, etc.) would have been detected and blocked in real-time!

Once again, if your organization is at risk and if you’re not sure whether your insurance provides coverage in the event of a malware breach, perhaps it’s time to consider the “Detect and Block” approach to your network security. Then, you won’t have to worry about whether your insurance provides you coverage. Feel free to get in touch with our team at info@wedgenetworks.com. We offer a FREE 90 day trial of the Wedge Advanced Malware Blocker. You have nothing to lose and everything to gain!

Posted in Industry News, Latest Security News | Tagged , , , , , | Leave a comment

Hackers Can Now Give You… Tumours!

No Gravatar

Security in the Healthcare industry has been coming up a lot in the news lately, but not just for the hacking of patient data or the ransoming of hospital infrastructure; that has been the norm in the past. The latest spate of news articles have been dealing more with the potential for hackers to access and take control of machinery and equipment. In the case of an earlier blog, where Norsk Hydro was hit, the company’s production facilities were knocked out of commission, causing damage financially. With the healthcare industry, the stakes are much higher; where lives could be put at risk.

A very good article was posted on The Verge recently, that did a nice job of highlighting the OTHER security risks that the healthcare industry faces from hackers and malware. Much like the Norsk Hydro case, medical organizations such as hospitals and clinics could be at great risk should hackers take down critical equipment such as CT scanners, MRI machines, and other diagnostic or life-assisting equipment. Referring back to the WannaCry cyberattack, that crippled the UK’s National Health Service as well as other large organizations around the world, the effects of that attack, which combined to be one of the largest ransomware attacks in history so far, could be minuscule compared to what COULD happen if hackers focused a concerted attack against the woefully unprepared and typically underfunded healthcare industry cybersecurity efforts.

One alarming case in which hackers could potentially cause life-threatening results has been brought up in a few publications where hackers have been able to tamper with 3D medical imagery, adding or removing evidence of medical conditions from 3D medical scans. The potential harm that can come from this seems like something out of a movie plot where an attacker may tamper with medical scans in order to “stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder”. Seemingly implausible but very scary that it actually is possible! In a landmark publication revised last week (see previous link), researchers from Ben Gurion were able to demonstrate how malware could add fake tumours to medical scan images. The malware was so good that, in laboratory tests, the malware altered 70 images and managed to fool three radiologists into believing that their patients had cancer. Coverage was even covered by BBC.

Getting back to WannaCry, although there isn’t evidence pointing to any patients dying because of the WannaCry attack, the malware did end up crippling thousands of hospital computers and bringing down pieces of diagnostic equipment, causing delays in treatment and life threatening diagnoses as doctors had to revert back to more manual methods of getting lab results. Unlike business organizations where “time is money”, the effects on the healthcare industry would be “time is lives” since decisions made here could have dire real-life consequences for patients.

Then, we consider NotPetya, which was one of the largest cyberattacks of all time. This attack had an estimated damage total of around $10 Billion and crippled computers around the world. This also affected healthcare related companies and could have created acute patient safety issues. The unfortunate situation is that most healthcare organizations don’t have the resources to put in place robust security systems to protect them from any of these types of attacks apart from perhaps putting in place backup systems from which to restore if their network has been compromised.

Medical imaging devices, similar to many other IoT devices, are typically difficult to patch. The only option for remediation against an attack is to re-image the device; leading to often lengthy downtimes for when patients can be serviced. These organizations are operating a wide variety of computers, diagnostic machines and other endpoints that are running a range of operating systems; many of which are archaic systems that (like the case of the medical imaging devices) cannot be patched and are difficult to remediate. This just exacerbates the problem, especially in the case where resources for security are so scarce.

In any event, when attacks on the healthcare industry occur, the effects from equipment downtime and remediation have the potential of costing lives.

So, we get to bring up Wedge’s Absolute Real-time Protection solution again as possible fix to the Healthcare industry’s woes. Wedge has been having some great wins in the healthcare field as of late with some major national healthcare providers choosing our solutions to protect not just their patient information but their equipment and other endpoints as well. The Wedge platform allows for organizations to detect and block malware at the network in real-time, before they have a chance to hit any endpoints. With patented Deep Content Inspection that reassembles all content that comes in, the solution is able to “see” the intent of all content while scanning it for known and never-before-seen malware. The great thing is that the system is OS agnostic so it doesn’t matter what operating system is running on the endpoints; all computers and diagnostic / medical equipment would be protected with malware being blocked before they can enter the network and corrupt any machines. Combined with in-depth analytics and a single-pane-of-glass management console that can provide SecOPs with actionable threat intelligence on their network, healthcare organizations would be able to easily pinpoint and isolate potentially infected endpoints. It all comes down to the idea of “Detect and Block”, which is more of a preventative way of doing things than the current “Detect and Remediate”, which focuses on treating the endpoints AFTER they’ve already been hit by malware.

By enabling SecOps at these healthcare organizations with a platform and tool that allows them to be proactive in preventing malware attacks and by providing them with actionable intelligence that reduces the number of alerts that they have to remediate, organizations can save money that would have been spent on remediating against malware infections. Healthcare organizations can get back to treating its patients instead of having to worry about treating their networks.

Posted in Latest Security News, Wedge News | Leave a comment

Save Patient Zero!

No Gravatar

Owing to the onslaught of ever-evolving malware, firewalls will typically offload an inconclusive scan to a sandbox in order to properly identify whether content is safe or malicious.

This is how it works:

Your firewall will attempt to use Deep Packet Inspection scanning of network traffic against a continually updated malware database.

When the scan is inconclusive, because the traffic might contain new or never-before-seen malware, these are sent to a sandbox (which could be on premise or installed in the cloud) for further examination.

But here is the bad news. Current sandboxes are not real-time solutions and can take anywhere from a few seconds, to more typically, several minutes to several hours, before they can reach any sort of verdict on the safety of the file being analyzed. On top of that, depending on how many files the firewall sends for further inspection, these sandboxes can get overloaded.

In a business-oriented world where time means money, this sort of delay and unreliability would be unacceptable to owners and managers who are depending on safe content to arrive in real-time so that they can make their best business decisions.

The result is a compromise – if the sandbox does not give its verdict within a specific time, content is passed through, and if later on the sandbox concludes that was malicious, IT staff will need to go and remediate and figure out what could have been lost.

That victim endpoint, be it a server, workstation or OC, in Sandbox terminology, is termed as Patient Zero (not to be confused with the 2018 movie but somewhat similar in concept). Unfortunately, in a severe outbreak, this could be several endpoints; and in some cases, spanning up to complete network segments. The industry has been living with this concept for the last 5 years, and we are now being conditioned to accept it…

But what if we cannot afford any losses? What if we cannot have a Patient Zero? Can we be both extremely accurate while operating in real-time so that we do not have to take on such casualties?

This is why I get excited with the disruptive technology that the team here at Wedge has developed – namely, Wedge’s Absolute Real-time Protection! Wedge has combined patented Deep Content Inspection technology, that recreates content for complete visibility to its intent as it passes through the network, and orchestrates multiple security scanning engines and malware databases to be able to detect known malware, all topped with a deep learning AI Neural Network that can detect unknown malware. All of these pieces have allowed Wedge to create the industry-leading malware blocking solution that can detect and block malware in real-time at a detection rate of 99.97%! For the remaining 0.03% that comes up as grayware, we still block these, but they can be forwarded on to Wedge’s own optional Malware Analyzer service that utilizes cloud-based efficiencies to render verdicts faster than your average sandbox!

So, although Sandboxes have had their time in the spotlight as organizations attempt to improve on the reliability of malware detection, they have been proven to be too slow; and when overloaded they can still pass along malware. It’s time for the next generation of real-time detection and blocking solutions to shine. Sandboxes can now be replaced with Wedge’s Absolute Real-time Protection solutions!

Check out Wedge’s latest video that speaks to this new method of real-time network protection.

WedgeARP – Replacing Sandboxes
Posted in Latest Security News, Product and Services Updates, Wedge News | Tagged , , , , | Leave a comment

IoT and Smart Cities – Protecting Them From Growing Security Concerns

No Gravatar

I was fortunate to participate and present at the 2019 Smart Cities Summit and Expo in Taipei, Taiwan last week representing Canada’s leading cybersecurity Industries in a visit facilitated by the Alberta Taiwan Office and the Alberta Economic Development and Trade – Trade and Investment Attraction Division.  There, I talked to the growing security issues that are coming to light and that will need to be dealt with as cities around the world develop themselves into “Smart” cities.  On a very high level view, Smart Cities are just like a very large computer; just with way more attack surfaces.  As city resources and services become more intertwined and interlinked, we are seeing that Operational Technology (OT) Networks (i.e. water treatment plants, power plants, etc.), along with regular IT networks increasingly lacking the “Air Gaps” that had previously been put in place to protect many of these critical networks.

Unsecured links between the IT and OT environments are thus open to various vulnerabilities with the three most worrisome attack vectors that include:  

1.  Process Destruction – where critical systems that are connected to control systems in these plants can be co-opted by hackers and malware; leading to the disruption, of say, electricity distribution processes..

2.  Equipment Sabotage – where business applications, that exchange information with critical devices in order to operate, are hacked, leading to the equipment being destroyed (e.g., security camera hacks to the firmware).

3.  Market Fraud – where malware can get into business systems and fake data, potentially moving markets with erroneous or false information.

With the proliferation of IoT devices connecting to the city networks, gathering and feeding up immense amounts of data, many of these standalone devices are too underpowered to defend themselves.  This is where the discussion of security becomes very critical.  How does a smart city protect and defend itself from the ever-growing entries of attack?  

That’s where Wedge’s Vision comes into play.  At Wedge, we’ve built our company focus on this simple analogy – Water Treatment.  In developed countries, water is processed and cleaned of all impurities at strategically located water treatment plants.  As a result, all taps and endpoints that are connected to this system have access to clean water, free of germs, contaminants and other impurities.  We believe that the Internet could and SHOULD work in the same manner.  Internet traffic could be filtered and cleaned of all spam, viruses and other malware, at the network layer; allowing all endpoints connected to the network to be delivered content that is completely free from exposure to malicious attacks.  

By having all of the “heavy lifting” and content cleaning taking place at the network layer, the underpowered IoT devices no longer have to worry about being attacked or co-opted by hackers and other actors with malicious intent.

Because of Wedge’s focus and vision, we’ve built our products and services around making our Water Treatment Plant analogy a reality for the Internet.  Wedge’s underlying network security platform utilizes our patented Deep Content Inspection, which allows full visibility into the traffic flowing through the network, and orchestrates it with best-in-class security services.  In real-time, we are able to take that content and use massive multi-threading and various inspection engines and heuristics to scan the content for viruses, spam, malware and other malicious content, detecting and blocking before it can reach the endpoints.  Combined with a single-pane-of-glass management console that can manage all connected devices for compliance and security policies as well as in-depth actionable analytics that can detect anomalies in the network and related to these devices, Wedge’s platform is built to be THE platform and tool-of-choice for those providers that are helping to manage Smart Cities.

Utilizing the Wedge network security platform as part of the larger management system in Smart Cities can help to counteract the growing security issues facing these cities.  By protecting the increasing attack surfaces through the centralized cleaning and filtering of the internet services that are linking these IoT devices, Smart Cities should be able to continue to develop; reaping the benefits and efficiencies that come from making the cities “Smart”.

Presenting on Security for IoT and Smart Cities
Posted in Industry News, Latest Security News, Wedge News | Tagged , , , , , , | Leave a comment

Weaponized Word Documents: Block Them BEFORE They Enter Your Network

No Gravatar

A recent article, this time from GBHackers, brings to light yet another way that hackers are getting quick and easy gains – Banking Malware.  Banking malware, in this case the Emotet variety, is a banking trojan that can steal key personal information used for online banking such as usernames and passwords.  Having first been introduced in 2017, this is one of the costliest banking trojans to date, typically spreading through large spam campaigns.

The spam email starts with an unassuming invoice email that urges the recipient to clear the outstanding amount, with a link that they can click to complete payment.  This link has recently been linking to an XML document with a .doc extension.  With the ubiquitous nature of Microsoft Word, especially with the prevalence of Office 365 use in most organizations, this .doc file will open up in Microsoft Word by default.  Since the document has macros, if enabled, the infection process begins, getting the Emotet malware through the door.  Once the infection has happened, Emotet starts intercepting logs and saves outgoing network traffic via a web browser, leading to sensitive data being collected and used to access the victim’s bank accounts.  Not only that, the Emotet malware is enabled to further download the Qakbot malware, that installs itself on the victim’s machine, copying itself to another directory and disguising itself as a calc.exe program.  Combined, these two pieces of malware are capable of monitoring browsing activities, logging all finance-related information and transactions.

Unfortunately, the above events play out a lot more frequently than most would like to think; despite users becoming more wary of spam emails and with users becoming more savvy against clicking on emails from unknown sources.  In some cases, the same malware could be used in targeted phishing attacks, in which case, the emails may be from sources that the users know or “believe” they know.  In any event, once the file gets through to the endpoint, the possibility of infection increases astronomically.

The question becomes, what is the best solution for protecting against this sort of attack?  Most solutions out there rely on “Detect and Remediate”, which unfortunately allows malware to get into the door and onto the endpoint through their web or email.  Wedge’s solution is different.  We believe in the “Detect and Block” approach; detecting and blocking in real-time so that these attacks don’t have a chance to get through to the endpoint.  With Wedge’s Advanced Malware Blocker, we use our patented Deep Content Inspection, which gives our solution the ability to reconstruct the full content and to “see” the intent of the content, scanning it with signature-based scans, heuristic based scans and an artificial intelligence neural engine; all of this in real-time and before it hits your endpoint.  WedgeAMB would be able to detect and block the malware in real-time before it had a chance to be seen by the end user, thus taking any possibility of infection out of the equation.  With Deep Content Inspection and the various scanning engines, the “intent” of the content can be determined, even if the malware is a new variation or new, never-before-seen malware, it will be scanned and blocked as soon as its mal-intent is revealed.

So, if you are interested in protecting your organization from attacks such as those driven through weaponized word documents, feel free to get in touch with our team at info@wedgenetworks.com.  We offer a FREE 90 day trial of the Wedge Advanced Malware blocker.  What have you got to lose?

Posted in Industry News, Latest Security News | Tagged , , , , , , | Leave a comment

Norsk Hydro Ransomware A Week Later: What Is The REAL Target?

No Gravatar

Going back to our previous blog on the ransomware attack that hit Norsk Hydro, in Norway, we’re hearing a bit more about the underlying piece of malware that was used in that attack, LockerGoga.  A brief article appeared yesterday on Fossbytes.com that outlined how ransomware is changing and why it is becoming more and more dangerous.

To begin with a bit of background, Ransomware is a nasty piece of malware whose mode of operation is to encrypt a user’s files until such time that the user pays the hacker a ransom to have their files “released” or unlocked.  At least that’s how it has worked in the past.  The LockerGoga malware has been changing as of late, with hackers more interested in targeting industrial and manufacturing complexes instead of going after a simple ransom.  Their intent is also becoming less clear, with less of a focus on making money on ransom and more of a focus on causing widespread damage.  

Attacks like that perpetrated on Norsk Hydro, caused an incredible amount of harm by taking away the factory’s ability to control their machinery, bringing manufacturing to a screeching halt.  In that attack, the monetary harm wasn’t limited to the company itself as it caused metal prices to spike on the London Metal Exchange because aluminum production from one of the world’s largest aluminum producers (Norsk) ground to a halt.  Extrapolating from this, hackers needn’t even bother with collecting a ransom from the attacked company anymore if the harm that they do can cause financial damage on the global markets!  Almost like a script from a movie; “hackers invest heavily in aluminum because they know a price spike (that THEY are about to cause) will net them big gains on the market”.

Here is what we know (a week later) from that attack:

  1. So far, the cost of this malware – and even though the company is back at 70 – 80% production – is NOK 300 – 350 MM or USD $40MM (see here).  Now this might not be much for a company that employs 36,000 people and has $18.47 billion in revenues; however, that represents 10% of their last year’s profit (which was $505m see here).  
  2. The impact to the industry is that the price of Aluminum went to a three-year high.   So now we have proof that such attacks can be more far-reaching and could have financial ramifications far beyond the ‘victim’.
  3. The malware’s starting infection itself is unknown though it seems to have come through RDP (which is a protocol commonly used by IoT/industrial applications for remote management).  Its goal is unknown – it started as ransomware asking to contact a certain e-mail address, but then it transformed into being ‘destructive-ware’, which, unlike typical ransomware behaviour, is wiping disks and forcing users off their machines.  Luckily, it does not use propagation techniques (YET!!!).   So, it seems it is trying to make recovery more difficult – See the very interesting ThreatPost article, which points out that the malware is now taking on “Wiper-like” characteristics; simply wiping out data instead of encrypting and requesting ransom. 

This new variant of LockerGoga, is proving that ransomware is now being weaponized; snatching all access from users, and not even allowing any way to pay a ransom.  Industrial operators affected by this malware are rendered completely powerless to control any of their machinery.  Having this much power is incredibly dangerous and the effects could be catastrophic.  If this were perpetrated on, say, a nuclear power plant, a water treatment plant or any industrial endeavour that provides essential services, this could cause some life and death situations.

As described in our earlier post, the industry’s current practice in defending against ransomware attacks is typically a routine update of antivirus software as well as regular backing up of essential files, securing email gateways and either separating critical data from network access, or at least protecting it.  Unfortunately, for most organizations, once a ransomware attack hits them, even if they have the appropriate back-ups, they will experience downtime (almost definitely!) as endpoints are re-imaged and data is restored from the back-ups.  The downtime becomes a scary thought in the instances where an essential service is affected.

Wedge again argues that for essential industries and services where even a small amount of downtime can be catastrophic, these organizations should instead contemplate implementing a “Detect and Block” mode of operation instead of the current “Detect and Remediate”.  If ransomware such as LockerGoga and its variants can be blocked in real-time, as it can with the use of the Wedge Advanced Malware Blocker, attacks like these can be a thing of the past, especially when variants of the ransomware are starting to take on a more malicious tone and are moving into the realm of simply wiping data instead of encrypting for ransom.  

As always, we offer the Wedge Advanced Malware Blocker FREE for 90 days.  If you are an organization who cannot afford the downtime faced in a typical ransomware attack, and could benefit from a solution that can detect and block all malware in real-time, please email our team at info@wedgenetworks.com.

Posted in Industry News, Latest Security News | Tagged , , , , | Leave a comment

Talk with Wedge to Secure Your Smart Cities at the 2019 Smart City Summit and Expo in Taipei, Taiwan

No Gravatar

March 26-29.2019 – 2019 Smart City Summit and Expo – Nangang Exhibition Center – Hall 1, Taipei, TAIWAN – Wedge Networks will be participating at this event with The Canadian Trade Office in Taipei / Alberta Taiwan Office, Booth I-305.  Wedge’s CEO & CTO, Dr. Hongwen Zhang, will be in attendance and will be presenting how Wedge is protecting Smart Cities.  Please visit with Wedge’s team at the event!  If you would like to request a meeting with Wedge’s CEO, please contact us.

Posted in Wedge Channel Partner Forum | Tagged , , | Leave a comment

Even With Adequate Backups in Place, Ransomware Hitting a Network Can Still Cause Disruptions and Have a Financial Impact

No Gravatar

Ransomware is again in the news as of late; this time hitting one of the world’s largest aluminum producers, Norsk Hydro, in Norway.  As reported by Yahoo! Finance, Norsk Hydro was battling to contain a ransomware cyberattack yesterday that caused a halt in parts of its production.  Even with minimal internet exposure to its systems, the company had to shut several metal extrusion and rolled products plants while its giant smelters in Norway were reduced to operating on largely a manual basis.

Classifying it as a classic ransomware attack, the company’s CFO told a news conference that they had not identified the hackers and that the situation was quiet sever.  According to the Norwegian National Security Authority (NNSA), the attack used a virus known as LockerGoga, a relatively new strain of ransomware that encrypts computer files and demands payment.

Norsk Hydro has declined to say whether they would pay the hackers to unlock their systems but had said that because the company has good back-up systems, they had plans to restore them from backup servers.

In this case, thankfully, Norsk Hydro had back-up systems that they could rely on to get the company running again.  Unfortunately, for many other companies, they are not so lucky and would be hard pressed to pay whatever ransom the hackers demand in order to get their information back and their systems up and running again.  Norsk Hydro mentioned that the financial impact on the company has been limited so far and that any impact was mostly from direct labor.  Some of the activities that the company used computers to do, they had to switch to manual labor and add more people.  That and whatever downtime they experienced as a result of remediation efforts to get their systems back online.  External to the company, however, as news of Norsk Hydro’s plant outages hit the market, it pushed aluminum prices to a three-month high on the London Metal Exchange, as well as causing the company’s shares to fall as much as 3.4% before they recovered a bit to trade 0.8% lower.

So, we see that even with good backups in place, the company still suffered in downtime, an increase in labour cost and even a drop in share price.  All of this could have been prevented had they enhanced their security backup systems with a real-time malware prevention system such as Wedge’s Advanced Malware Blocker.  Wedge is a major proponent of Detection and Blocking; stopping malware BEFORE they hit the network, instead of the current mentality of Detect and Remediate.  We feel that once malware has hit the network, it’s already too late and costly remediation efforts will be needed.  With WedgeAMB’s orchestrated network security product, enhancing its Deep Content Inspection with an AI deep learning neural net trained to detect even never-before-seen malware, ransomware attacks, such as the one that hit Norsk Hydro, could be stopped in their tracks, in real-time.  It is disheartening for us to keep hearing of ransomware attacks such as these still occurring, especially when we know that they could have been stopped by the WedgeAMB solution. 

We continue to argue that prevention should be the cure instead of relying on detection and expensive remediation.  Thankfully, many of our customers have the same thoughts as us and are protected from exactly what Norsk Hydro had to experience with the WedgeAMB solution. We are hoping that more will join the “Detect and Block” mentality.

To help organizations protect themselves, Wedge offers its Wedge Advanced Malware Blocker FREE for 90 days.  If you feel that your organization might be interested in and could benefit from a solution that can detect and block malware in real-time, please email our team at info@wedgenetworks.com.

Posted in Industry News, Latest Security News | Tagged , , , , , , | Leave a comment

Ryuk Ransomware – Still Netting CyberCriminals Payouts Through Attacks on Local Governments and Smaller Enterprises – So, What Should They Do?

No Gravatar

Despite better security solutions now available to combat ransomware, old and new strains are still being utilized to great effect. The latest report from Bleeping Computer, is focused on the “Ryuk” ransomware, being used by a group in Eastern Europe to attack municipalities in North America. Borrowing code from the previously seen “Hermes” malware, attributed to the North Korean hacker group Lazarus, the Ryuk strain is hitting smaller government offices, communities and enterprises quite successfully, and in this case, Jackson County ended up having to pay them USD$400,000.

There is a reason hackers are hitting these municipalities and smaller offices. The effects of these ransomware attacks can be enormous, especially for government organizations; reducing activities to a crawl, wreaking havoc on government services, and still costing the organizations ransom in exchange for decryption keys. As noted in the article, Jackson County, Georgia was hit, forcing county offices to revert to paper to do their jobs, slowing operations to a snail’s pace.

Because the county did not have a backup system in place, it either had to take a huge operational hit and be offline for a long period; spending money to rebuild their networks and hopefully incorporate a much needed data backup policy and network security system; or it had to pay the $400,000 ransom, which it ended up doing.

Unfortunately, Jackson County was not the only victim of this new Ryuk ransomware. Major newspapers in the US, whose printing and delivery were greatly affected by attacks in December of 2018, were also not immune. A list of those hit include some major publications, such as the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun, to name a few.

However, Jackson County exemplifies the case of small organizations such as municipalities having to continually cut costs to the extent that resources are always scarce for these organizations. The decision facing these CIOs is what sort of solutions could be put into place to battle these attacks and to ensure they will not be affected again?

Wedge’s position is that even if they had the resources to implement a proper data backup and maintenance program, these organizations need to put in place a real-time solution like Wedge Advanced Malware Blocker (WedgeAMB), where ransomware attacks could be detected and blocked before they have a chance to even enter the organizations’ networks. The reasoning is simple –ransomware’s approach today is to encrypt an organization’s resources, but it is easy to paint the picture that in the future, exfiltration of data OUTSIDE the organization is the next step of ransomware’s evolution. You heard it here first!

Together, with its Deep Content Inspection technology, combined with AI-algorithms and multiple malware databases, WedgeAMB can see the content in real-time and block ANY content that is deemed malicious before it has a chance to do any damage. Having such a system in place would definitely have prevented attacks such as the ones perpetrated on Jackson County and the various newspapers.

So we argue that prevention could be the cure instead of relying on detection and expensive remediation and out of our civic responsibility to our municipalities out there, Wedge is offering its Wedge Advanced Malware Blocker FREE for 90 days. Email our team at info@wedgenetworks.com to see how your organization could benefit from a solution that can make ransomware attacks obsolete!

Posted in Industry News, Latest Security News | Tagged , , , , , , | Leave a comment

Separ Malware – Showing That the Simple Attacks are Sometimes the Most Effective

No Gravatar

Over the last week, more has been made public about the Separ Malware / phishing campaign that has been making the rounds, starting at the end of January.  Threatpost states that “it has affected around 200 companies and over 1,000 individuals, located mainly in Southeast Asia, the Middle East, and North America”.  The effectiveness of this malware has been a result of its use of a combination of legitimate executable files and short scripts, with no attempt by the attacker to evade analysis.

Separ’s earlier variants have existed since November 2017, with info-stealers such as this being active as far back as 2013, so it’s not like this is a new malware.  What has allowed this attack to become so effective is that it is launched using legitimate files that are either common within the organizations being attacked or are widely-used administrative tools; with these legitimate files and executables being abused to perform the malicious info-stealing that is the underlying goal.

The attack will start as a phishing email that contains the malicious attachment; often-times a fake pdf document passing itself off as a self-extracting executable, related to normal business activities such as quotations, shipments, etc.  However, once clicked, the self-extractor runs a Visual Basic script that executes a list of short batch scripts with malicious functions; often masquerading as fake adobe-related programs.  Then, it’s off to the races with the scripts changing firewall settings, stealing email and browser credentials, etc.; eventually using TFTP to upload your stolen data.

What makes this attack so successful is that it uses multiple vectors in launching its attack; many of which are not caught by the various malware solutions out on the market since the malware uses legitimate executable files in its attack.  Oftentimes, even the most up-to-date malware databases will not list these files.  Thankfully, there are solutions out there, such as the Wedge Advanced Malware Blocker, with its Deep Content Inspection technology, combined with AI-algorithms, that can see the whole picture and can piece together the multiple vectors of attack that this campaign uses.  Using the deep learning AI-engine, WedgeAMB can catch attacks such as these in their first phase of infection by looking at the various actions of the adobe installer and seeing whether there were any malicious activities occurring, even within this legitimate executable file.

Unlike many other solutions on the market, WedgeAMB is able to reassemble all content in the network stream in real-time and block such content if its intent is malicious.  This provides a clear advantage, especially when attacks such as Separ are utilizing multiple vectors; many of which might be within legitimate files and executables.  

With Separ and other similar attacks on the horizon, organizations should really take a look at solutions that can “see” the whole picture and stop malicious activities in real-time before they can do any damage within their networks.  If you have such Separ problems and are committed to building an infrastructure that can withstand such attacks, why don’t you e-mail us at info@wedgenetworks.com. Our great team of engineers would be very willing to help!

Posted in Industry News, Latest Security News, Wedge BeSecure Community Support Forum | Tagged , , , , , | Leave a comment