How to Create a Ransomware Defense Strategy


How do organizations protect against ransomware? You need a ransomware defense strategy, and it’s important to find the one that is right for your organization. Here are several facts about ransomware to help you protect your organization.

Ransomware is a well-named type of cyberattack. Cybercriminals taking this approach kidnap your data. After accessing your network, they encrypt files and demand payment for the passcode. Here are the top facts you need to know about this business threat.

Your Organization is Not Immune to Ransomware

You and your employees are being targeted on an ongoing basis. Cybercriminals rely on your false confidence. Don’t think “it won’t happen to me.” Attacks on government, education, healthcare, or financial institutions get publicity. Yet organizations of all types and sizes are targeted.

Ransomware has become an undeniable threat to business growth, profitability and security. It’s a ruthless type of malware that locks your keyboard or computer to prevent you from accessing your data until you pay the ransom, which is usually demanded in untraceable Bitcoin. Cybercriminals are turning this type of attack into big business, raking in billions each year as many businesses have no choice but to pay up.

How does ransomware get into the network?

Surprisingly, it’s NOT those random USB drives floating around from unknown sources. That’s old school, and cybercriminals operate much more effectively now. The most common vehicles for ransomware attacks today are email, in the form of phishing or spear-phishing messages, and compromised websites.

One email is all it takes.

We’ve all become so used to email as the major form of business communication that getting someone to click a link is easier than ABC. Ransomware attacks come disguised as legitimate emails that can trick your employees into clicking through to an infected website or opening an infected attachment. Unfortunately, cyber criminals have gotten really, REALLY good at faking internal emails, external communications from stakeholders and seemingly genuine inquiries from customers. They’ll often conceal their ransomware in normal attachments like invoices and reports in Office docs as well as PDFs. Even a file that looks like a TXT file can be executable JavaScript in disguise!

Infected websites aren’t always obvious.

Let’s face it, cybercriminals will infect any web page they can get their hands on, which is why less reputable sites should be avoided. But it’s not just about making sure you and your employees stick to suitable sites: mainstream websites can also carry ransomware infections ready to spread to all visitors. It’s happened before – in 2016 the New York Times, BBC and MSN homepages exposed thousands of web visitors when the sites served malicious ads.

Read More: https://cybriant.com/ransomware-attacks-are-here-to-stay-how-to-stay-protected/

Ransomware Spreads Fast

Ransomware is malware, malicious software that can reach throughout a network. So, if Jane from accounting opens a ransomware file, every single computer on your business network could be infected. The virus can spread between businesses, too. Consider the debilitating WannaCry ransomware attack of 2017. Within four days of its first detection in Europe, the strain had spread to 116 countries.

Ransomware Targets You and Your Employees

A common method is to send out phishing emails in the hope that people will enter their access credentials. Targeted business communication emails work, too. The attacker gets to know your business first. Then they send an email impersonating a colleague, supplier, or customer asking you to take action or update contact details by clicking on a link or downloading a file.

Ransomware is Costly

Once the ransomware is installed on your system, it locks down your files. To regain access to the files, you need the password or decryption key the attacker supplies when you pay up; that’s if they keep their end of the bargain once you pay the ransom. These are crooks you’re dealing with after all!

In Coveware’s analysis of Q3 2019, the average ransom payment increased by 13% to $41,198 as compared to $36,295 in Q2 of 2019. And that’s just the cost of the ransom. Indirect costs include the cost of downtime, lost revenue, and long-term brand damage. There’s also the expense of removing the ransomware, forensic analysis, and rebuilding systems. https://www.coveware.com/

The average ransomware attack in Q3 2019 resulted in 12.1 days of downtime. — Coveware

Ransom Requires Cryptocurrency

Ransom payment is usually made by bitcoin or another cryptocurrency. Your business needs to buy cryptocurrency with actual cash, then transmit the ransom. They choose cryptocurrency because it’s very difficult to trace. It doesn’t help you that bitcoin is not something you can charge back like a credit card.

A Recovery Plan Helps

Planning in advance can help you respond more reasonably. Document plans to disconnect infected computers from the network as soon as possible. Also, power down any machines that could be vulnerable to avoid spreading contagion.

You should also discuss in advance whether or not your business will pay a ransom. Weighing the costs and benefits without a deadline on the decision can help you react more strategically.

You Can Take Action

You don’t have to sit around worrying and waiting for a ransomware attack. There are many things you can do to help prevent this type of attack:


The number one way to mitigate the damage from any attack on your environment is to prevent it from happening in the first place.

It’s vital to protect your organization from all points of entry and ensure your organization has visibility of all the points of entry that are being accessed by authorized personnel.

CybriantXDR combines the latest technology utilizing machine learning and artificial intelligence with experienced oversight to identify and terminate malicious software before it can execute.


The longer it takes to discover and remediate the cause of a breach, the greater the damage to your company’s reputation and business operations.

To limit exposure and to prevent sophisticated breaches, organizations need a team of experienced security analysts working around the clock dedicated to piecing together any evidence or signatures of malicious behavior.

CybriantXDR offers that capability and alerts your organization only when a credible threat is detected.


When a cyber threat is detected, quick response and remediation is essential to limit impact to your organization’s business operations.

Many IT departments don’t have the resources to completely remediate the threat, or the measures required to regain function are laborious and time consuming.

CybriantXDR remediation capabilities can limit the interruption to your business and restore normal operations rapidly.

Ransomware Defense Strategy – Learn more at Cybriant.com/Cybriant-xdr.

What Happens If I Click on a Phishing Email: The Cost of a Click


Reports for 2020 so far have shown a drastic uptick in the number of malware infections caused by phishing emails. Here’s what happens if you click on a phishing email, and the potential cost of that click.


What Happens If I Click on a Phishing Email?

Most of us have been there. Ah! I just clicked on something and it may have been a phishing email. Here are the quick steps to take if that happens to you:

  1. Disable WiFi/disconnect from the internet. Contact your IT support team for directions if you are on a corporate network.
  2. Save any personal documents. Use a trusted USB thumb drive or external hard drive so that you do not have to go online to back up.
  3. Scan your computer for malware. If you have anti-virus software installed, it should have prevented any malware from being downloaded; it is still smart to scan your computer just to be sure.
  4. Change passwords. Usernames and passwords are an easy sale on the dark web. Many people reuse the same passwords, so once yours are sold to hackers you are giving them easy access to your sensitive data. Change your passwords on all highly sensitive personal and corporate accounts.

Once you feel it is safe to go back online, consider taking the next 11 steps in our Remote Workers Guide to see if you have been compromised online, how to check, and what to do from there.

Download the Remote Workers Guide here.

We also discuss how Cybriant can help prevent malware from executing with our MDR – Managed Detection and Remediation Service. This service has grown vastly in popularity based on the increase in remote workers. It is a simple service that will protect your corporate data by monitoring endpoints on a 24/7 basis. Check it out here.

Will That Click Cost You Thousands?

June 2020 showed a two-fold increase in the reports of malware activity. The report from an antivirus provider showed that:

Adware and malware installers still made up the majority of detected threats. Email traffic was still dominated by the programs that exploit vulnerabilities in Microsoft Office programs.

Ransomware has undeniably been the biggest security threat of recent years. No-one is safe. Hackers targeted everyone and everything, including home PCs – and they were astoundingly successful – earning themselves upwards of $846 million from the US reported incidents alone.

Business is booming for hackers, with thousands of attacks each day bringing in an average of $640 per target. Perhaps even more alarmingly, the financial cost of each individual attack is on the rise – the more ransomware proves to be an easy earner for them, the more they demand each time.

According to a report from June 2020, “Victims of the 11 biggest ransomware attacks (so far) have spent at least $144.2 million on costs ranging from investigating the attack, rebuilding networks and restoring backups to paying the hackers ransom and putting preventative measures in place to avoid future incidents. The victims allegedly paid a ransom in seven of the cases.” Read the full article here.

Here’s Why You Should Never Pay Hackers

For a quick payday, some hackers offer to ‘rescue’ you from immediate danger – for a fee. One method is to trick you into thinking you have a virus that will spread if you don’t pay money to remove it immediately.

Another much scarier method is to pretend to be the FBI and say your computer was involved in a crime (anything from money laundering to child pornography) and you can avoid going to prison by paying a few hundred dollars.

Thousands of regular people are also waking up every day to discover they’ve been locked out of their own files. Entire music and video libraries, digital photos from the past 5 years, personal budget files, and even their secret novel draft …all held hostage until the user pays a ransom. This is bad, but it’s significantly worse if you have access to highly sensitive corporate data. The encryption is so strong and unbreakable that paying the ransom often becomes the only solution.

The way ransomware gets onto your computer is deviously simple. Generally, the hackers convince you to click an email attachment/link or pop-up. With both approaches, the hacker usually offers helpful information, for example:

  • Tracking an unclaimed parcel
  • Alerting that a virus was found and needs to be removed
  • Advising details of a recent traffic fine

It is so tempting to click through for more details and that is what the hackers count on. Their messages and pop-ups are not obvious threats and so slip easily under our radar. Unfortunately, they are not the most trustworthy bunch so paying may not actually unlock your files, and one payment can quickly become several.

To make matters worse, they can encrypt any backups connected to your computer too, like a USB drive. Having a backup is super important in any situation, but in cases like this, the right backup is needed: not only one stored separately from your network, but one created recently with all the files you can’t bear to lose. Before restoring your backup, however, you’ll need to make sure the malware isn’t lurking in the background, ready to re-infect not just your restored files but the backup drive itself.

To avoid finding yourself up to the waist in ransom demands or sending hackers money each month, we recommend being wary of email attachments, even from friends and family.

If you are not sure what the file is, DO NOT click it.

They may not have sent that email intentionally; their infected system may be auto-emailing everyone in the address book. You should also be careful with any popups that appear out of place, especially ones that try to make you panic. If it doesn’t sound right or look right, don’t click it. Ransomware is just too dangerous to risk.

An Ounce of Prevention is Worth a Pound of Cure

Just like our personal health, dealing with prevention is better than dealing with the cure – if one is available! Diseases and injuries are more manageable when they are caught early on, just like cybersecurity issues.

Is it possible to prevent cybersecurity issues? We can help you put all the pieces in place to help prevent issues as much as possible.

It’s vital to begin with a strong security foundation. We recommend a framework called the NIST Cyber Security Framework. Read more about it here.

With a framework, we can take each new product, align it with our goals, test the product, and verify that our management of the product is appropriate. With each outsourced task, we can quickly and easily see whether the value exists through the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and the relationship using the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point-in-time audit and then relax until the next time. By embracing iterative steps and incremental progress as the proper way to secure your environment, you inherently become more secure. Read more about People, Processes, and Technology here.


Infographic: Evolution of Hacktivism


The Black Lives Matter movement has increased activity from the hacktivist group, Anonymous, and hacktivism overall. Take a look at the evolution of hacktivism below.

In a video posted on Twitter (see the video here), Anonymous claimed responsibility for cyberattacks on the Minneapolis police department and the Minnesota State Senate’s servers.

What is Hacktivism?

The act of misusing a computer system or network for a socially or politically motivated reason. Individuals who perform hacktivism are known as hacktivists, according to TechTarget.

Hacktivism is typically non-violent; the tactics used are meant to achieve political, social, or religious justice. The tactics hacktivists typically use include:

  • DDoS – Distributed Denial-of-Service, a tactic used to overload systems and crash a website.
  • Doxxing – used to leak personal, confidential, or incriminating information about organizations or public figures.
  • Defacement – a tactic that compromises the integrity of a website by changing its visual appearance.

Ethical Hackers

It may seem strange, but businesses are using ethical hackers to identify weak points in their cyber defenses, provide valuable insights into the actions of their less ethical counterparts and create better, stronger, and more resilient networks.

If you do not think that a hacker could help your business instead of hurting it, you may want to rethink those assumptions. Here are five business benefits ethical hackers can bring to your organization.

Learn more about how Ethical Hackers can help your business. 

Types of Hacktivism

Hacktivists are typically out for justice and not monetary gain like typical hackers. Instead, according to Panda Security, their distinct agenda wages an informational war for political leaning, social justice, religious intent, or anarchy.

  • Political: Hacktivism as a form of political mobilization aims to sway the population toward the hacker’s agenda.
  • Social: Social justice in hacktivism aims to bring about societal change.
  • Religious: Hacktivism for a religious agenda aims to recruit or disavow a religious entity.
  • Anarchist: Hackers can have an anarchist agenda to access or control civil infrastructure, military equipment, or the general population.

Evolution of Hacktivism


Top Ransomware Threats of 2020


Ransomware (or cyber extortion) is on the rise. In 2020, there has been a spike in the number of reported incidents as well as in the amounts that cyber hackers are attempting to extort from organizations. It’s important that your organization does everything it can to fight these cybercriminals, and education is a key piece. Take a look at the top ransomware threats we’ve seen in 2020.


2020 has been a roller coaster ride so far, and with all the news coverage of all the events that have impacted us (so far) ransomware has been sneaking into our world at a remarkable rate. Some sources say that ransomware spiked 25% in Q1 2020 over the previous quarter. (source)

Here Are The Top Ransomware Threats in 2020:

  1. Maze
  2. REvil
  3. SNAKE (EKANS)
  4. Tycoon
  5. TrickBot
  6. Qakbot trojan
  7. PonyFinal
  8. Mailto (aka Netwalker Ransomware)
  9. Ragnar Locker
  10. Zeppelin
  11. TFlower
  12. MegaCortex
  13. ProLock
  14. DoppelPaymer
  15. Thanos

Maze Ransomware

According to an FBI advisory to the private sector, “Unknown cyber actors have targeted multiple US and international businesses with Maze ransomware since early 2019. Maze encrypts files on an infected computer’s file system and associated network file shares. Once the victim has been compromised, but prior to the encryption event, the actors exfiltrate data.”

“After the encryption event, the actors demand a victim specific ransom amount paid in Bitcoin (BTC) in order to obtain the decryption key. An international Maze campaign targeted the healthcare sector, while its deployment in the US has been more varied.”

“The FBI first observed Maze ransomware activity against US victims in November 2019. From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors. Maze was initially distributed via the Spelevo Exploit Kit which targets known vulnerabilities in Internet Explorer and Adobe Flash such as CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878.”

REvil Ransomware

You may have heard of REvil Ransomware because of a recent breach of the media and entertainment law firm Grubman Shire Meiselas & Sacks. The firm recently confirmed reports that it has fallen victim to a ransomware attack.

Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked. 

A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.

Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.

Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2 and Rod Stewart are among those whose personal information may have been compromised.

The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.


SNAKE (EKANS) Ransomware

Ekans Ransomware is a malware variant that infects industrial control systems to disrupt factory operations until a ransom is paid. Security analysts say that Ekans is a spin-off of Snake Ransomware and has so far infected factories related to the automobile and electronics sector, most notably Honda.

Reports indicate that hackers targeted Honda servers with a file-encrypting malware variant dubbed Ekans, forcing the company to send production workers home as the automated devices on the line became non-operational.

Although Honda never admitted that its servers were disrupted by a cyberattack, it did acknowledge that its IT infrastructure was down for unspecified reasons.

“On Sunday, June 7th, 2020, Honda experienced a disruption in a computer network which affected the operations across Europe and Japan. And we are currently investigating and assessing the situation” said a spokesperson in a statement released on June 8th, 2020.

Tycoon Ransomware

A new ransomware strain called Tycoon is seeking to wheel and deal its way into the Windows and Linux worlds, using a little-known Java image format as part of its kill chain.

The ransomware is housed in a trojanized version of the Java Runtime Environment (JRE), according to researchers at BlackBerry Cylance, and has been around since December. Its victims so far have largely consisted of small- and medium-sized organizations in the education and software industries, researchers said, which it targets with customized lures.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims,” the researchers noted, in a posting on Thursday. “This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived as more successful in specific environments.”

Trickbot Ransomware

A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Started as a banking Trojan, TrickBot has evolved to perform a variety of malicious behavior.

This behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more. TrickBot also partners with ransomware operators, such as Ryuk, to give access to a compromised network to deploy ransomware. Read more. 

Qakbot Trojan

Qakbot is a banking trojan that has been active for over a decade and relies on keyloggers, authentication cookie grabbers, brute force attacks and Windows account credential theft, among other techniques.

One of the authors of the research regarding the Qakbot trojan explained the following reasons why cybercriminals are relying on trojans such as Qakbot to launch ransomware attacks:

“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system, find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data), and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”

PonyFinal Ransomware

Microsoft has warned organizations globally about a new type of data-stealing Java-based ransomware dubbed “PonyFinal”. The tech giant described the malware as human-operated ransomware, which is distributed in an automated way by attackers.

“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware is not unheard of, they are not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered,” Microsoft said in a post.

Read more. 

Mailto (aka Netwalker Ransomware)

NetWalker appeared on the scene in mid-2019. Similar to other well-supported ransomware families, the operators target high-value, global, entities. The group’s targets range across multiple industries and span the education, medical, and Government sectors.

As we have seen with Maze, Ragnar, REvil and others, NetWalker harvests data from its targets and is used by the operators as leverage via threats to post or release the data in the event that the target does not comply with their demands. To date, stolen data belonging to twelve different NetWalker victims has been publicly posted. The attackers behind NetWalker campaigns are known to use common utilities, post-exploit toolkits, and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible. These tools can include mimikatz (and variations thereof), various PSTools, AnyDesk, TeamViewer, NLBrute and more.

Over the last few months, we have seen NetWalker transition to a RaaS (Ransomware as a Service) delivery model, which will potentially open up the platform to an increased number of enterprising criminals. More recently, we have observed NetWalker spam campaigns using COVID-19-related lures to entice victims into initiating infection.

Read more. 

Ragnar Locker Ransomware

A ransomware called Ragnar Locker is specifically targeting software commonly used by managed service providers to prevent their attack from being detected and stopped.

Attackers first began using the Ragnar Locker ransomware towards the end of December 2019 as part of attacks against compromised networks.

According to the attackers, one of these pre-deployment tasks is to steal a victim’s files and upload them to their servers. They then tell the victim that the files will be released publicly if the ransom is not paid.

“Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view !,” the attackers state in the Ragnar Locker ransom note.

When ready, the attackers build a highly targeted ransomware executable that contains a specific extension to use for encrypted files, an embedded RSA-2048 key, and a custom ransom note that includes the victim’s company name and ransom amount.

Ragnar Locker specifically targets remote monitoring and management (RMM) software commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya products.

Read more. 

Zeppelin Ransomware

Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Although it’s clearly based on the same code and shares most of its features with its predecessors, the campaign that it’s been part of differs significantly from campaigns involving the previous versions of this malware.

The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin – with compilation timestamps no earlier than November 6, 2019 – were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S. In a stark opposition to the Vega campaign, all Zeppelin binaries (as well as some newer Buran samples) are designed to quit if running on machines that are based in Russia and some other ex-USSR countries.

Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin. There are reasons to believe at least some of the attacks were conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used a ransomware called Sodinokibi.

Read more. 

TFlower Ransomware

The strain dubbed TFlower splashed onto the scene in late July 2019. It infects organizations through unprotected or poorly secured RDP ports. As soon as the infiltration takes place, the ransomware runs several commands to disable the Volume Shadow Copy Service (VSS) and thereby thwart easy data recovery. When traversing the compromised computers for valuable data to encrypt, it ignores critical system files and objects stored in the Sample Music folder.

This pest does not modify the names of hostage files. However, when analyzed in a hex editor, every encrypted item turns out to carry a “tflower” file marker at the beginning of its data. The ransomware also drops ransom notes named “!_Notice_!.txt” across all affected folders. Although TFlower doesn’t appear to be a particularly sophisticated sample, it encrypts files flawlessly and thus poses a serious risk to companies.
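The two on-disk indicators described above (a fixed marker at the start of each encrypted file and a ransom note with a fixed name in every affected folder) are exactly what a defender can sweep a file server or a backup set for before restoring anything. The following is an added example, not code from the original article or from Cybriant. It assumes the marker is literally the first seven bytes of each encrypted file (the text only says it sits "at the beginning"), and it builds a small constructed sample tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the TFlower description: marker bytes at the start of each
# encrypted file and the name of the dropped ransom note. Assumption: the marker
# occupies the very first bytes of the file.
TFLOWER_MARKER = b"tflower"
TFLOWER_NOTE_NAME = "!_Notice_!.txt"


def has_marker(head: bytes, marker: bytes = TFLOWER_MARKER) -> bool:
    """True if the first bytes of a file equal the ransomware's file marker."""
    return head.startswith(marker)


def scan_tree(root: str):
    """Walk root and return (marked_files, ransom_notes), both as sorted
    root-relative POSIX paths so the result is stable across machines."""
    root_path = Path(root)
    marked, notes = [], []
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root_path).as_posix()
            if name == TFLOWER_NOTE_NAME:
                notes.append(rel)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(TFLOWER_MARKER))  # only the header is needed
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if has_marker(head):
                marked.append(rel)
    return sorted(marked), sorted(notes)


def build_sample_tree(base: str) -> None:
    """Constructed sample data (not real ransomware output): two files carrying
    the marker, one clean text file, and one placeholder ransom note."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx").write_bytes(TFLOWER_MARKER + b"\x00" * 32)
    (docs / "report.docx").write_bytes(TFLOWER_MARKER + b"\x7f\x01" * 16)
    (docs / "readme.txt").write_bytes(b"plain text, untouched")
    (docs / TFLOWER_NOTE_NAME).write_text("constructed placeholder ransom note")


def run_demo():
    """Build the constructed sample tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    marked_files, ransom_notes = run_demo()
    print("files with tflower marker:", marked_files)
    print("ransom notes:", ransom_notes)
```

Point `scan_tree` at a mounted backup volume or a restored share before putting it back into service; any hit means the copy was taken after encryption began and must not be trusted as a restore source. Because only the first few bytes of each file are read, the sweep is cheap enough to run across a large tree.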

MegaCortex Ransomware

MegaCortex made its debut in May 2019. It mainly targets businesses located in the US, Canada, the Netherlands, and France. According to security experts’ findings, MegaCortex affects enterprise networks previously compromised by notorious info-stealing Trojans called Qakbot and Emotet. This fact suggests that the distribution of this ransomware might rely on backdoors created by other malware in a business ecosystem.

The convoluted infection methodology MegaCortex employs leverages both automated and manual components and appears to involve a high amount of automation to infect a greater number of victims. In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a Meterpreter reverse shell in the victim’s environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initially dropped malware) on specified machines.

The attack was triggered, in at least one victim’s environment, from a domain controller inside an enterprise network whose administrative credentials the attacker seems to have obtained, in what appears to be a hands-on break-in.

The malware’s name is a misspelled homage to the faceless, bureaucratic corporation where the character Neo worked in the first Matrix movie. The ransom note reads like it was written in the voice and cadence of Laurence Fishburne’s character, Morpheus.

ProLock Ransomware

According to KrebsOnSecurity, Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations.

An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.

For example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware that infected servers in Lasalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their malware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without paying the ransom.

Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network.

DoppelPaymer Ransomware

The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand.

A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim’s files before encrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom.

This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom.

The most recent victim of the DoppelPaymer Ransomware Gang is the City of Florence, AL. 

Thanos Ransomware

Thanos is the first ransomware family seen advertising the weaponized RIPlace technique, which lets it evade some anti-ransomware protections.

Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) by researchers at Nyotron in November 2019; it abuses the file rename operation in a way that lets attackers alter files while bypassing various anti-ransomware methods that watch for such changes.

Beyond its use of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure. That ease of use may be why Thanos has surged in popularity among cybercriminals, the researchers told Threatpost.



REvil Ransomware Hackers Are Ramping Up Efforts


REvil Ransomware affiliates have been ramping up their threats to sell stolen data from law firms and celebrities, have claimed to hold material on President Trump, and have now hit a food distributor and a 3D printer manufacturer. Learn more about the threats and how others have handled their responses to the attacks.

What is Sodinokibi or REvil Ransomware?

Since its arrival in April 2019, it has become very clear that the new kid in town, “Sodinokibi” (also known as “REvil”), is a serious threat. The name Sodinokibi comes from a sample with MD5 hash ccfde149220e87e97198c23fb8115d5a, whose internal file name was ‘Sodinokibi.exe’.

At first, Sodinokibi was observed propagating by exploiting a deserialization vulnerability in Oracle’s WebLogic Server (CVE-2019-2725). Like several other ransomware families, Sodinokibi is operated as Ransomware-as-a-Service (RaaS): one group maintains the code while another group, the affiliates, handles distribution and intrusions.

The ransomware appends a random extension to each encrypted file and doubles the ransom demand if it is not paid by the deadline. The malware is actively distributed in the wild through compromised Managed Service Providers, exploitation of server flaws, spam campaigns, and exploit kits.

McAfee has more information in their detailed report.
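The behaviour described above, a single process appending one new extension to many files in a short burst, is a useful detection hook for the defense strategy this page is about. The following Python is an added example, not code from this page, from McAfee’s report or from Cybriant: it scans file-rename telemetry for a process that appends the same previously unseen extension to more than a threshold number of files inside a sliding time window. The event schema (ts, pid, image, src, dst), the sample events and the threshold values are assumptions; map them onto whatever rename telemetry your EDR or audit pipeline emits.

```python
"""Heuristic detection of ransomware-style bulk renames: many files gaining the
same new extension from one process in a short burst (REvil/Sodinokibi pattern).

Added example for this page; not Cybriant's, McAfee's or any vendor's logic.
The RenameEvent schema is an assumption standing in for your own telemetry.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class RenameEvent:
    ts: float    # event time, seconds since epoch (assumed field)
    pid: int     # renaming process id (assumed field)
    image: str   # renaming process image path (assumed field)
    src: str     # path before the rename
    dst: str     # path after the rename


def extension(path: str) -> str:
    """Lower-cased final extension, '' when there is none."""
    return os.path.splitext(path)[1].lower()


def is_suffix_append(ev: RenameEvent) -> bool:
    """True when the rename keeps the whole original name and appends a new
    extension, e.g. report.docx -> report.docx.5a1b2c (REvil-style)."""
    return ev.dst.startswith(ev.src + ".") and extension(ev.dst) not in ("", extension(ev.src))


def detect_bulk_extension_append(events: Iterable[RenameEvent], window: float = 60.0,
                                 threshold: int = 20,
                                 known_exts: FrozenSet[str] = frozenset()
                                 ) -> List[Tuple[int, str, str, int]]:
    """Return [(pid, image, new_ext, count)] for each process that appended the
    same new extension to >= threshold files within any `window` seconds.

    known_exts: extensions legitimately appended in bulk in your environment
    (a backup job writing '.bak', for instance); these are ignored to cut noise."""
    buckets = defaultdict(list)   # (pid, ext) -> [timestamps]
    images = {}                   # pid -> image path
    for ev in events:
        if not is_suffix_append(ev):
            continue
        ext = extension(ev.dst)
        if ext in known_exts:
            continue
        buckets[(ev.pid, ext)].append(ev.ts)
        images[ev.pid] = ev.image

    hits = []
    for (pid, ext), times in buckets.items():
        times.sort()
        best, left = 0, 0
        # Sliding window: widest run of events whose span fits inside `window`.
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits.append((pid, images[pid], ext, best))
    return hits


def sample_events() -> List[RenameEvent]:
    """Constructed telemetry: one REvil-like burst plus benign activity."""
    evs = []
    base = 1_600_000_000.0
    # 25 user documents gain the same random suffix within ~12 s, from an
    # unknown binary in %TEMP% (constructed, not a real sample).
    for i in range(25):
        src = fr"C:\Users\bob\Documents\report{i}.docx"
        evs.append(RenameEvent(base + i * 0.5, 4242,
                               r"C:\Users\bob\AppData\Local\Temp\svc.exe", src, src + ".5a1b2c"))
    # A backup agent appending '.bak' to 30 files: bulk, but expected.
    for i in range(30):
        src = fr"D:\db\table{i}.mdf"
        evs.append(RenameEvent(base + i, 910,
                               r"C:\Program Files\BackupAgent\agent.exe", src, src + ".bak"))
    # Ordinary rename by Explorer: name changes, nothing appended.
    evs.append(RenameEvent(base + 100, 1200, r"C:\Windows\explorer.exe",
                           r"C:\Users\bob\Desktop\a.txt", r"C:\Users\bob\Desktop\b.txt"))
    return evs


if __name__ == "__main__":
    for hit in detect_bulk_extension_append(sample_events(), known_exts=frozenset({".bak"})):
        print("ALERT pid=%d image=%s ext=%s files=%d" % hit)
```

With the `.bak` allow-list the only hit is pid 4242 (25 files, extension `.5a1b2c`); without it the backup agent is flagged as well, which is why the allow-list is a parameter rather than hard-coded. A heuristic like this is only as good as its telemetry: techniques such as RIPlace exist precisely to make file-system filter drivers miss a rename, so corroborate alerts with a second source (periodic directory listings, canary files, or backup-job integrity checks) rather than relying on one feed.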

History of Attacking Celebrities

You may have heard of REvil Ransomware because of the recent breach of the media and entertainment law firm Grubman Shire Meiselas & Sacks, which has confirmed reports that it fell victim to a ransomware attack.

Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked. 

A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.


Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.


Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2, and Rod Stewart are among those whose personal information may have been compromised.

The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.

Although Trump reportedly has never been a client of Grubman Shire Meiselas & Sacks, the New York Post’s Page Six noted that the hackers posted a message online saying the ransom had been doubled and that “The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry…” Read more on SCMagazine.

Latest News on REvil – Targeting Food Distributors and Manufacturers

A major food company, Harvest Food Distributors, and its parent company, Sherwood Food Distributors have recently been the targets of REvil affiliates.

The threat actors posted a notice about their new target at around 3 p.m. MST on May 15.

This notice contained a link to download a portion of Sherwood’s proprietary files as “previews,” which they plan to release one at a time (8 in total). The first leak contains roughly 2,300 files, including highly sensitive data: cash-flow analysis, sub-distributor information, detailed insurance information, proprietary vendor information (including that of Kroger, Albertsons and Sprouts), and scanned driver’s license images for drivers in their distribution networks. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3.

According to HackRead: 

Both of these have various supermarket chains as their clients including but not limited to three large ones, namely Kroger, Albertsons, and Sprouts. Hence, at stake is not only the data of the food distributors themselves but also their client chains.

For this, the attackers have demanded a sum of $7.5 million, less than their most recent heist on Grubman but a substantial sum nonetheless.

The data exposed is believed to include 2300 files composed of the following:

  1. Cash flow analysis details
  2. Sub-distributor information
  3. Detailed insurance information
  4. Scanned images of the drivers’ licenses they use as a part of their logistical network.

DarkOwl reports that FARO Technologies, a leading 3D printing and manufacturing company, is the latest victim of the REvil ransomware attacks. Read more from DarkOwl.

Download our REvil Ransomware Advisory

Created in partnership with Cyberint, download our REvil Ransomware Advisory and you’ll learn:

  • Background of the REvil Ransomware
  • Information on the Dark Web Stolen Data Repository
  • Potential Data Exposure
  • Risk and Potential Damage from REvil
  • Recommendations from Cyberint and Cybriant


CybriantXDR: Solution to Cybersecurity?

It is possible to have a simple solution to cybersecurity. We have created an all-in-one solution that includes our top managed services and bundled those services into one solution called CybriantXDR.

The Cybersecurity Problem

Hackers are constantly seeking the low-hanging fruit or easiest point of entry to raid your network. While you can never cover every scenario, it’s vital to cover every base that you possibly can.

Technical vulnerabilities are the low-hanging fruit for bad actors. Ten years ago the average time between a vendor publishing a vulnerability and attackers scanning networks for it was 38 days; today it is minutes. You have to be able to move at a real-time pace to close this gap.

Discovering the vulnerability is step one; the next step is to patch it. Many businesses do not have the resources to respond effectively. Even a company as large as Equifax was breached through a vulnerability it had not patched.

Endpoints and the mobile workforce have created a new source for hackers to focus their energies on. This new perimeter has proven that traditional technologies like antivirus used to secure these devices are not up to the challenge. It requires next-generation technology in the hands of skilled security resources to blunt this attack vector.

Another surprising statistic is “dwell time,” the amount of time between the breach and its discovery. Sadly, in 2019 the average time to detect a breach (MTTD) was 206 days, before remediation (MTTR) even began. Most businesses learn they have been breached from third parties like clients, the FBI, or vendors. To thwart the most sophisticated attacks, you must be able to identify when security controls have failed or detect odd behavior in the environment.

Related: IT Security Best Practices Checklist

Related: Cloud Security Solution Options for Today’s Enterprise


The solution to Cybersecurity Problem

CybriantXDR bundles our core managed services. These services help you effectively reduce your threat landscape and sleep easier at night knowing the most common attack paths are covered. They help businesses solve three challenges: reduce cyber risk, achieve compliance, and meet security framework control standards. The services in CybriantXDR address the most common vulnerabilities and threats mid-sized organizations encounter, shrinking the attack surface as far as practical.

CybriantXDR includes the following services: 

24/7 Managed SIEM with LIVE Analysis, Response, and Remediation

This security monitoring service uses SIEM technology to capture, correlate, and analyze activity throughout the environment. We have two SIEM platforms to choose from: one asset-based and one based on user behavior. Cybriant layers on the 24/7 monitoring and human analysis expertise required to filter out and squelch false-positive alerts, and to determine the cause, response, and remediation path in the event of an actionable alert. This service includes threat intelligence.

Managed Detection and Remediation (MDR)

This service is built on a 4th-generation EDR technology that can roll back ransomware, eliminate persistence mechanisms in an environment, and remediate an endpoint after an attack. This technology is used by 4 of the Fortune 10 companies. The solution combines endpoint protection and EDR capabilities in a single agent. It can stop a threat and provide the Cybriant team with forensic data to trace the entire event, which our analysts can then use to recommend or perform additional remediation if required. The patented rollback capability enables systems to be restored in minutes rather than hours or days.

Comprehensive Vulnerability Management

This service uses leading technologies that enable continuous scanning and patching of operating systems, configurations, and up to 800 third-party applications. The SANS Institute has endorsed the Australian Signals Directorate’s (formerly the Defence Signals Directorate) Strategies to Mitigate Cyber Security Incidents, in which patching applications is among the top-ranked mitigations; our service provides a robust capability in this area. The service provides risk- and policy-based execution to ensure vulnerabilities are identified and patched in priority order. (This service combines scanning and patching, but these can also be deployed separately.)

NIST CSF and Compliance Standards

Compliance standards like PCI, HIPAA, GLBA, and FINRA all have requirements satisfied by CybriantXDR. Similarly, leading security frameworks like NIST CSF have fundamental control standards satisfied by CybriantXDR. Each service provides standard reporting metrics, which can be customized collaboratively with the client to measure specific performance indicators.

Related: Cyber Security Solutions Every Organization Needs

Related: How a Cyber Security Maturity Model Protects Your Business

