Category: Cyber Insurance

Confirmed: SolarWinds Hackers Got Top DHS Emails


Suspected Russian hackers gained access to the email account of the former head of Homeland Security, among others.

WASHINGTON, DC – The AP has confirmed that the cyber criminals behind the SolarWinds attack successfully compromised the email account of Chad Wolf, former head of the Department of Homeland Security, and other members of his team.

In the attack, suspected Russian hackers used SolarWinds’ Orion platform to deploy malware-infested product updates. The compromised updates were delivered to almost 18,000 organizations worldwide from March 2020 through December 2020. Once hackers gained access via the updates, they were then able to pick and choose organizations to target further in a massive campaign that hit at least nine U.S. government agencies and tech companies like Microsoft.

It’s unknown whether the accessed email accounts contained highly sensitive government information.

Ongoing Federal Response

Part of the just-passed COVID-19 stimulus package was $650 million in funding for the Cybersecurity and Infrastructure Security Agency (CISA) to help with ongoing cyber-defense.

Additionally, President Joe Biden is expected to issue an executive order as soon as this week that will mandate a “software bill of materials” for all software and applications in use by the government. It would require a breakdown of the source of all code on the platforms, and would also require the use of multi-factor authentication and data encryption for federal agencies. Third-party vendors would be required to disclose any potential security issues, vulnerabilities or breaches to the government.

The Biden administration has selected Rob Joyce to lead the cybersecurity division at the National Security Agency. He inherited the job from Anne Neuberger, who left the post to serve as deputy national security adviser for the National Security Council, putting her in charge of cybersecurity for the entire federal government. At the time of this writing, Neuberger has been assigned to respond to the SolarWinds attack.

Related: Cozy Bear Strikes Again via “Supply Chain Attack”

FBI Warning: Ransomware Targeting Colleges & Schools


Cyber criminals behind PYSA ransomware are targeting colleges and schools in latest double extortion efforts.

SAN RAFAEL, CALIFORNIA – The FBI has issued an official warning that the cyber criminals behind the PYSA/Mespinoza strain of ransomware are increasingly targeting schools and colleges in the United States. 

Hackers are gaining access to networks in two ways: targeted phishing campaigns and compromised RDP credentials. PYSA ransomware was first recognized by the FBI in March 2020, and has also been used in successful attacks against government entities and health-care providers. Many schools and colleges have rapidly increased their reliance on Microsoft’s Remote Desktop Protocol since the outbreak of COVID-19, creating a desirable threat environment for hackers.

Traditional Ransomware vs. Double Extortion… What’s the Difference?

In traditional ransomware attacks, from the first documented attack in 1989 until 2019, attackers encrypted their victim’s files, and threatened to destroy those files if their ransom was not met.

The first known strain of “double extortion ransomware” was called Maze, discovered in the last quarter of 2019. In this strain and the multiple copycats which have followed, sensitive files are exfiltrated by the hackers before encrypting files on the network. This gives cyber criminals more leverage in ransom negotiations, as they threaten to leak those sensitive documents if their demand is not met. In the case of academic institutions, a leak of students’ personally identifiable information is the sum of all fears.

From the FBI’s official PYSA warning:

“Reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

Related: Texas School District Falls Victim to $2.3M Email Scam

How does Evolve help its policyholders in the fight against ransomware?

Evolve policyholders receive free access to six industry-leading cybersecurity vendors, all of which bolster a business’ big-picture defense against ransomware attacks. Especially noteworthy in double extortion defense is our newest partner BlackFog, who monitors data exfiltration in real time.

What else can you do to mitigate your business’ exposure?

The FBI has made the following cybersecurity recommendations:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public WiFi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
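The FBI item about monitoring remote access/RDP logs is easier to act on with a concrete check. The script below is an added example, not code from the FBI advisory or from the original article: it assumes Windows Security log events have already been exported as simple records (event ID, logon type, account, source address, timestamp), and it flags any source that produced a burst of failed RDP logons within a short window, noting whether a successful RDP logon from that same source followed the burst. Event ID 4625 (failed logon), 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values; every event record in the block is constructed sample data.

```python
"""Flag brute-force attempts against Remote Desktop in Windows logon events.

Added example (not code from the FBI advisory or the original article). It
assumes Windows Security log events already exported as records with the
event ID, logon type, account, source address and timestamp. Event ID 4625
is a failed logon, 4624 a successful one, and Logon Type 10
(RemoteInteractive) marks an RDP session; all records below are constructed
sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample events (not real logs). 203.0.113.9 hammers one account
# and then succeeds; 198.51.100.4 is a user who mistyped a password twice;
# 10.0.0.5 fails at the console (logon type 2) and is out of scope here.
SAMPLE_EVENTS = [
    {"time": "2021-03-16T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:00:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:00:45", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:01:10", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:01:30", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:02:05", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T02:02:40", "event_id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2021-03-16T03:10:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.4"},
    {"time": "2021-03-16T03:11:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.4"},
    {"time": "2021-03-16T03:12:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "198.51.100.4"},
    {"time": "2021-03-16T08:00:00", "event_id": 4625, "logon_type": 2, "user": "kim", "src": "10.0.0.5"},
    {"time": "2021-03-16T08:00:05", "event_id": 4625, "logon_type": 2, "user": "kim", "src": "10.0.0.5"},
]


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return the RDP sources that produced at least `threshold` failed logons
    inside any `window`-long span, and whether a successful RDP logon from the
    same source followed the burst (the case that needs an immediate response).
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] == RDP_LOGON_TYPE:  # only remote-desktop sessions
            by_src[ev["src"]].append(ev)

    findings: Dict[str, dict] = {}
    for src, evs in by_src.items():
        failures = [datetime.fromisoformat(e["time"]) for e in evs
                    if e["event_id"] == FAILED_LOGON]
        burst_end = None
        # Sliding window over the sorted failure timestamps.
        for i, start in enumerate(failures):
            j = i
            while j < len(failures) and failures[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1]
                break
        if burst_end is None:
            continue
        succeeded_after = any(
            e["event_id"] == SUCCESSFUL_LOGON
            and datetime.fromisoformat(e["time"]) >= burst_end
            for e in evs)
        findings[src] = {"failures": len(failures),
                         "succeeded_after": succeeded_after}
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "FOLLOWED BY SUCCESS" if info["succeeded_after"] else "no success yet"
        print(f"{src}: {info['failures']} failed RDP logons, {verdict}")
```

The threshold and window are deliberately parameters: a user who fat-fingers a password twice (198.51.100.4 above) should not page anyone, while a burst followed by a success is the pattern the advisory’s “compromised RDP credentials” warning is about and is worth an immediate look at that account.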

Microsoft Exchange Hack: Simplified

Email server vulnerabilities have led to the biggest hack attack of 2021 (by far).

The Basics of the Attack

What Happened?

Hackers have accessed the Microsoft Exchange servers and email history of at least 30,000 American businesses.

Tom Burt, Microsoft’s VP for Customer Security & Trust, explained that “First, hackers would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”

It must be noted that this attack has not impacted businesses running cloud-based versions of Microsoft Exchange. Rather, these attacks have hit companies using on-premises Exchange servers in conjunction with Microsoft Outlook Web Access (OWA).

Who’s Doing the Hacking?

From Microsoft’s initial press release… “Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.

Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”

Who Is Hafnium Targeting?

Among the 30,000 organizations that have been hit in the attack, Hafnium appears to have specifically targeted:

  • Police Departments
  • Hospitals
  • School Districts & Universities
  • Credit Unions
  • State & Local Governments
  • Retailers
  • Engineering Firms

Microsoft’s Suggestions to Protect Your Business

Evolve recommends discussing the implications of the hack with your IT department as soon as possible, if you haven’t already. Here is the official security release from Microsoft.

Related: Microsoft’s Official Statement

Zero Day Attacks: The Case for Cyber Insurance

This attack is an example of a zero day exploit, meaning hackers found Microsoft’s security flaws before Microsoft itself knew there was a problem. This gave cyber criminals free rein to wreak havoc until security patches were developed.

There is no way for businesses to defend against zero day attacks, highlighting the crucial role of cyber insurance. At Evolve, we often explain that cybersecurity is like a chain-link fence around your business, and cyber insurance is like a net that catches things which slip through that fence.

What’s Covered?

The main goal of this attack appears to be data exfiltration, which could result in substantial privacy and data breaches. It could result in ransomware attacks down the road, but that does not appear to be the attackers’ main focus in the present. Here are the main costs associated with a data breach:

First Party Coverage: 

  • IT Security and Forensic Costs ($500/hr)
  • Data Breach Attorneys ($500/hr)
  • Crisis Communication Costs ($500/hr)
  • 1st & 3rd Party Privacy Breach Management Costs ($1 – $3 per individual):
    • Credit Monitoring
    • ID Restoration & Theft Services
    • Call Center Damage Control

3rd Party Coverage:

  • Network Security Liability (Lawsuit Allegation)
  • Privacy Liability (Lawsuit Allegation)
  • Regulatory Fines & Penalties (Lawsuit Allegation)

PROTECT YOUR BUSINESS. EVOLVE.

The 2021 Advisen Cyber Awards: Nominations Open

Evolve wins Cyber MGA of the Year


Evolve needs your nomination help!

Directions: Evolve is looking for nominations in the following categories. To save time, you do not need to fill out every category!

6. Cyber Risk Industry Person of the Year – The Americas

Nominees: Patrick & Michael Costello

Patrick & Michael Costello manage the largest & fastest growing “cyber specialist” team in the United States, nearly doubling in size over the past year. Patrick, recently featured in the Wall Street Journal, is actively solving the #1 issue in the industry by educating brokers on cyber exposure via the Evolved Broker Podcast, the top emerging podcast in insurance. Launched in 2020, the podcast’s guest list already includes some of the most notable and influential individuals in the industry. Michael, recently quoted in Rough Notes on the state of the cyber market, has changed the game for brokers selling cyber by integrating a dark web scan with every quote.

9. Cyber Risk Insurtech of the Year

Nominee: Evolve MGA

Evolve’s Dark Web Scanning technology proactively proves that all businesses have a cyber exposure, helping brokers sell cyber insurance to the tricky client that “doesn’t believe they can get hacked.” Included on every cyber quote proposal, business owners get up-front access to their employees’ information that has already been breached. The average American has 90 accounts online. Most people do not realize that hackers attack these companies all the time to steal credentials and take advantage of businesses. This has been an absolute game changer for brokers dealing with business owners that do not believe they have a cyber exposure!

16. Cyber Risk MGA of the Year

Nominee: Evolve MGA

Evolve is truly a “cyber specialist” market, profitably underwriting & distributing the broadest commercial cyber insurance product in the marketplace to tens of thousands of insurance brokers. In 2020 alone, Evolve completed over 1,600 cyber sales training sessions for retail insurance agencies across the United States, breaking down coverage, exposure, and the most effective sales strategies.

To make cyber exposure crystal clear and simplified for every business owner, Evolve integrated dark web scanning technology directly into their quote proposals and automatically alerted over 20,000 businesses that 100,000+ of their employees’ sensitive information had been compromised.

Finally, Evolve launched the #1 cyber insurance podcast, highlighting advice from extremely successful insurance industry titans. The podcast has reached thousands of insurance brokers across the globe.

19. Cyber Risk Disrupter of the Year

Nominee: Evolve MGA

You know what’s pretty disruptive? Realizing that your employees’ email addresses have been leaked on the dark web. With each quote, Evolve scrapes the corners of the dark web to find out which employee email addresses have been compromised, even highlighting the specific hack attack that led to the breach. It’s a game changer and has pushed the entire quote process in a progressive direction.

Also, Evolve’s podcast, The Evolved Broker Podcast, is quickly becoming one of the top podcasts in the insurance industry, with an unparalleled list of featured guests. It educates the industry, but does so in a very fresh, engaging way.


Finally, Cyber Coverage Enhanced for Insurance Agencies


Breaking Coverage News

Evolve MGA unveils cyber coverage specifically for retail insurance agencies.

SAN RAFAEL, CA – Since our founding in 2016, Evolve MGA has worked exclusively with retail insurance agencies. We’ve had a front row seat to your unique needs, and have been working in the background to build the ideal coverage solution specifically for retail insurance agencies. Beginning February 2nd, Evolve is proud to offer an Insurance Agency Endorsement, strengthening cyber coverage where retail insurance agencies were hit the hardest in 2020: business interruption.

What is covered on the insurance agency endorsement?

Business Interruption Built for Insurance Agencies: Many times business interruption sections in cyber policies are ambiguous, unclear, and restrictive. We’ve endorsed our cyber policy to specifically pick up the major elements of loss that an insurance agency would experience if their operations were stopped due to a cyber-attack. This includes lost insurance commissions from new business and renewals, and your inability to work with new clients.

Contingent Business Interruption for Agency Management Systems: On top of this, we specifically include dependent business interruption coverage for the insurance agency management systems you rely on for all business operations. For example, in the event Applied Systems has an outage lasting longer than 6 hours, insurance agencies can claim a business interruption income loss. Evolve has endorsed 17 different agency management systems to cover all of the major providers across the insurance industry.

Why is this so important in 2021?

Insurance agencies and their agency management systems have experienced an uptick in attention from hackers, causing a significant spike in business interruption losses (see the recent Vertafore & Blackbaud attacks).

In 2020, ransomware attacks spiked 715% according to the leading cybersecurity firm Bitdefender. In fact, ransomware extortion demands increased to $178,254, up from $10,000 in 2019, due to a brand new type of ransomware attack known as double extortion. In double extortion attacks, hackers locate financial documents to calculate their extortion demand and extract as much personally identifiable information as possible to resell on the dark web. In the vast majority of double extortion attacks, a portion of critical business data is rendered obsolete, even after the extortion has been paid.

Other Notable Coverage Highlights

In addition to the agency-specific coverage outlined above, all Evolve policyholders benefit from the following points of coverage:

  • 24/7 Incident Response Hotline ($0 Deductible)
  • Unlimited Reinstatement on all 1st Party Coverage (No Aggregate)
  • Management Liability/Cyber-Triggered D&O
  • Theft of Personal Funds for C-Level Employees
  • Access to Evolve’s 6 Free Risk Management Services
    • Each policyholder at Evolve has exclusive, free access to six cybersecurity risk management vendors that retail at $6,000+ in the market (read our full white paper here).

Famed Wentworth Golf Club Suffers Double Extortion Ransomware Attack


Personal details of wealthy magnates, athletes and celebrities have been stolen. Entire 4,000-person database was exported by hackers.

SURREY, UNITED KINGDOM – Wentworth Golf Club, which has played host to the British Masters, Ryder Cup, and World Match Play Championship, has been hacked. Ransomware criminals accessed Wentworth Golf Club’s network earlier this month and have deployed a “double extortion” ransomware attack. In double extortion attacks, sensitive files are stolen by the hackers before encrypting files on the network. This gives cyber criminals more leverage in ransom negotiations, as they threaten to leak those sensitive documents if their demand is not met.

The membership information was stolen, but as of January 19th, it is not believed to have been leaked online or on the dark web. This likely indicates that negotiations with the hackers are either still underway, or were successful. A forensic investigation determined that the club’s ClubHouse Online system was accessed and the data file exported.

Stolen information is believed to include:

    • Names of members
    • Members’ dates of birth
    • Members’ home addresses
    • Members’ email addresses
    • Members’ phone numbers
    • The last four digits of members’ bank account numbers, used for direct debit payments

In his messaging to affected members, Wentworth’s general manager, Neil Coulson, said:

“I fully appreciate this will be concerning for you but we have taken third-party specialist advice and have been assured there is not enough personal information in the file to enable improper access to your private account and therefore it is considered a low risk.”

While hackers don’t have enough information to access the members’ bank accounts directly, attacks like this greatly increase the members’ exposure to future phishing campaigns. For example, armed with the last four digits of a bank account, cyber criminals are likely to launch smishing and email phishing attempts along the lines of “Immediate Attention Required – Bank Account XXXXXX-1234. Reply now to prevent account closure.”

Related: Research Shows 715% Increase in Ransomware in 2020

Pictured: Wentworth Golf Club

How are double extortion ransomware attacks covered by Evolve’s cyber insurance?

Regarding the ransom payment itself, Evolve’s cyber policy agrees to reimburse the Insured for any ransom paid by the Insured, or on the Insured’s behalf, in response to an extortion demand first discovered by you during the period of the policy as a direct result of any threat to:

  • introduce malware, or the actual introduction of malware, including Ransomware, into your computer systems;
  • prevent access to your computer systems or data or any third party systems hosting your applications or data;
  • reveal your confidential information or confidential information entrusted to you; or
  • damage your brand or reputation by posting false or misleading comments about you on social media sites.

Often overlooked in comparison to the ransom payment itself, the Privacy Breach Management Costs these attacks require are frequently substantial. We cover both 1st and 3rd Party Privacy Breach Management Costs as follows:

1st Party Coverage: 

  • IT Security and Forensic Costs ($500/hr)
  • Crisis Communication Costs ($500/hr)
  • 1st & 3rd Party Privacy Breach Management Costs ($1 – $3 per individual):
    • Credit Monitoring
    • ID Restoration & Theft Services
    • Call Center Damage Control

3rd Party Coverage:

  • Network Security Liability (Lawsuit Allegation)
  • Privacy Liability (Lawsuit Allegation)
  • Regulatory Fines & Penalties (Lawsuit Allegation)

Evolve Announces Partnership with BlackFog


Stop Ransomware with BlackFog

Evolve Policyholders Get Free Ransomware Defense

Meet BlackFog, Evolve’s Ransomware Defense Solution

Evolve has officially partnered with BlackFog, an industry-leading cybersecurity company that specializes in preventing ransomware attacks by monitoring, detecting and preventing the unauthorized transfer of data in real time. Evolve policyholders are now eligible to enroll up to 25 company devices to scan for pre-existing ransomware, malware, and other unauthorized device access, with results provided in real time. At the end of the scan, the policyholder receives a detailed report highlighting existing ransomware threats. Because modern attacks depend on the ability to communicate with third-party servers to steal data, blocking that outbound transfer is how BlackFog’s data exfiltration technology stops them.

How Important Is BlackFog’s Ransomware Defense Software?

In 2021, it is estimated that businesses will be hit by ransomware every 11 seconds, costing $20 billion (1). In 2020, the average ransomware demand was $178,254 across all business sizes & industries. It is also reported that 55% of attacks were on small businesses with less than 100 employees (2). In a successful ransomware attack, businesses experienced an interruption for an average of 16 days (2).

Ransomware attacks are executed via software vulnerabilities, server weakness exploits, and most commonly, phishing emails to employees. Every time a business increases its human capital, ransomware cyber exposure increases proportionally. For this very reason, BlackFog’s ransomware defense software stops the attack at the very root of the problem, on the individual device level.

Pictured: Evolve | BlackFog Console

Why Is Cyber Insurance Essential In A Ransomware Attack?

Evolve’s cyber insurance product provides 24/7 hotline access to the best forensic experts ($500/hr) in the world that specialize in ransomware damage mitigation. If ransomware is not handled correctly, the costs below can skyrocket.
  1. Extortion Demand Cost – $178,254 (2020 avg)
  2. Business Interruption – 16 Days of Lost Profit (2020 avg)
  3. Reputational Harm – All Profit Associated with Lost Clients
  4. Data Recreation – All Overtime Costs to Recreate Data
  5. Data Extraction – Notification Costs & Legal Hourly Bills 

California DRE Warns Licensees of New Vishing Scam


Evolve Cyber Advisory

Cyber criminals are posing as California Department of Real Estate investigators, demanding payments from agents and brokers.

SACRAMENTO – The California Department of Real Estate (DRE) has alerted its licensees about a vishing (voice phishing) scam targeting real estate agents and brokers.

Scammers are calling licensees and posing as DRE investigators. They then notify the licensee that they are under investigation and subject to a citation or other disciplinary action, unless they pay the DRE to clear their name and license. They will demand that you wire funds. It is worth noting that the DRE accepts online payments for all licensing activities via their eLicensing system; any request for a wire transfer is fraud. In some cases, the criminals are identifying themselves as law enforcement and making similar demands.

To avoid becoming a victim of this scam, the DRE has advised that:

  • DRE staff will never contact you and demand money or payment without a formal administrative action being filed against you. If your license is subject to discipline, the DRE will send you a formal document – such as an accusation or citation – via certified mail to the address you have on-record with the DRE;
  • California’s DRE will never ask or require you to wire money;
  • If you do have a fine or penalty payment to make to the DRE, the payee must be the Department of Real Estate. You will never make a DRE payment to an individual;
  • If you receive an e-mail or telephone call from a person claiming to be a DRE staff member and you are unsure, do not provide them with any personal information. Contact the DRE call center at 1-877-373-4542 and follow the prompts to speak to an investigator. DRE will be able to confirm whether or not the person contacting you is indeed a DRE employee;

If the phone number of the caller appears to be a DRE number, you should report the scam to the Federal Communications Commission: https://consumercomplaints.fcc.gov/hc/en-us/articles/115002234203-Unwanted-Calls-Phone

If you are able to confirm that the person calling you is a scammer, contact your local law enforcement agency to report the crime.

Related: Read the CA DRE’s Official Warning

Are vishing attacks covered by Evolve’s cyber insurance?

Yes. Evolve does intend to cover Funds Transfer Fraud resulting from voice phishing attacks. From our Evo 4.0 policy wording:

We agree to reimburse you for loss first discovered by you during the period of the policy as a direct result of any third party committing:

a. any unauthorized electronic transfer of funds from your bank;
b. theft of money or other financial assets from your bank by electronic means;
c. theft of money or other financial assets from your corporate credit cards by electronic means; or
d. any phishing, vishing or other social engineering attack against any employee or senior executive officer that results in the transfer of your funds to an unintended third party.

*UPDATED AS OF 3/9/21* Cozy Bear Strikes Again: Russians Hack US Agencies via “Supply Chain Attack”


Russian cyber criminals (part of a state group known as A.P.T. 29 aka Cozy Bear) went unnoticed in US email networks throughout most of 2020.

UPDATE AS OF 3/9/21: 60 Minutes covers the attack.

UPDATE AS OF 1/15/21: Hack’s Total Costs for Cyber Insurers Has Exceeded $90m

UPDATE AS OF 12/21/20: Microsoft’s Powerful Response

Microsoft has taken four dramatic steps to counterattack A.P.T. 29’s initial strike.

1) On December 13th, the day Cozy Bear’s attack became public, Microsoft announced that it removed the digital certificates used by the Trojaned files. These certificates tricked Windows systems into believing that the compromised files were legitimate. This step essentially told Windows systems to stop trusting those files, which in turn could stop them from being used.

2) Next, Microsoft announced updates to its Windows Defender anti-malware. The updates empowered Defender to detect and alert users if the Trojaned files were found on the system.

3) Next, on Tuesday, Dec. 15th, Microsoft and others moved to “sinkhole” one of the domains that the malware was using for command and control (C2): avsvmcloud[.]com. Sinkholing is a legal tactic in which an organization like Microsoft petitions in court to seize control of a domain being used for malicious purposes away from its current owner, in this case, A.P.T. 29.

When successful, the organization can then use its ownership of that domain to interrupt the attacker’s control over the malware and the systems it has infected. Sinkholed domains can also be used to help identify compromised systems: when the malware reaches out to the sinkholed domain for instructions, the new owners can identify those systems and attempt to locate and warn the owners. Sinkholing is a tactic that was first used in big attacks in the 2008-2009 battle against Conficker and has been a standard tactic in Microsoft’s toolkit for years, including most recently against TrickBot.

4) Finally, on Wednesday, Dec. 16th, Microsoft changed its phasers from “stun” to “kill mode” by changing Defender’s default action for the infected files from “Alert” to “Quarantine.” This action could cause systems to crash but will kill the malware when it’s found.

Thanks to these steps, the attackers were left with control of barely a tiny fraction of infected systems. That said, they may still have access to compromised networks through other means; those investigations remain ongoing. For example, Cozy Bear may no longer control the machines on a network, but may still have access to email systems.
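Step 3 above notes that a sinkholed domain lets the new owner spot infected machines when the malware calls home. A defender does not have to wait for that notification: the same lookups appear in the organization’s own DNS resolver logs. The script below is an added example, not code from the original article or from Microsoft; it assumes resolver logs in a constructed one-query-per-line text format (timestamp, client IP, query name, record type). The sinkholed domain avsvmcloud[.]com is the one named in the article; every log line, host address and subdomain in the block is constructed sample data, and treating any subdomain of the sinkholed domain as a hit is an assumption of the example.

```python
"""Identify internal hosts that looked up a sinkholed command-and-control domain.

Added example (not code from the original article, Microsoft, or any
vendor). It assumes DNS resolver logs in a constructed one-query-per-line
text format: <timestamp> <client_ip> <query_name> <record_type>.
The sinkholed domain avsvmcloud[.]com is the one named in the article;
every other value here is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Domains an organization has learned are sinkholed. A lookup of the domain
# itself or of any subdomain counts as a hit; matching subdomains is a
# general assumption of this example, not something the article states.
SINKHOLED_DOMAINS = {"avsvmcloud.com"}

# Constructed resolver log lines (not real traffic). "notavsvmcloud.com"
# is included to show that a naive suffix check would produce a false hit,
# and the last line shows that malformed input must be skipped, not crash.
SAMPLE_DNS_LOG = """\
2020-12-15T03:12:44Z 10.20.1.15 www.microsoft.com A
2020-12-15T03:13:02Z 10.20.1.33 abc123.avsvmcloud.com A
2020-12-15T03:13:10Z 10.20.1.15 login.microsoftonline.com A
2020-12-15T03:14:51Z 10.20.4.7 avsvmcloud.com. A
2020-12-15T03:15:00Z 10.20.1.33 xyz789.avsvmcloud.com A
2020-12-15T03:15:09Z 10.20.9.2 notavsvmcloud.com A
malformed line that the parser must skip
"""


def is_sinkholed(name: str) -> bool:
    """True if `name` is a sinkholed domain or a subdomain of one.

    The comparison is label-aware: "notavsvmcloud.com" does not match
    "avsvmcloud.com" because a subdomain match requires a dot boundary.
    """
    name = name.rstrip(".").lower()  # drop the trailing root dot, normalise case
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rtype = parts
    return {"ts": ts, "client": client, "qname": qname, "rtype": rtype}


def find_beaconing_hosts(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP that queried a sinkholed domain to the names it asked for.

    Every such client is a candidate compromised host: the sinkhole owner
    sees the same lookups from the other side, so this lets a defender find
    the machines before (or instead of) waiting for an outside notification.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_sinkholed(rec["qname"]):
            hits[rec["client"]].append(rec["qname"])
    return dict(hits)


if __name__ == "__main__":
    for host, names in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(names)} lookup(s) of a sinkholed domain: {', '.join(names)}")
```

Hosts returned by `find_beaconing_hosts` are the ones to isolate and hand to incident response; the same query-name check works for firewall or proxy logs once the parser is swapped for that log’s format.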

Related: BCP Tech Broker SolarWinds Update

Hackers Had Free Access to Federal Email Networks

Supply chain attack was executed via SolarWinds.

The Trump administration has publicly acknowledged that state-sponsored foreign hackers — almost certainly tied to a Russian intelligence agency called A.P.T. 29 (aka Cozy Bear) — stealthily broke into multiple government email networks, including those of the Treasury and Commerce Departments.

Forensic reports show that these hacks began sometime in early 2020, meaning they went unnoticed all throughout the Presidential Election. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.

It appears that a main target was the National Telecommunications and Information Administration, which determines policy for cyber threats, and also sets standards for blocking imports and exports of technology that it considers a risk to national security. For example, China has been repeatedly found to pre-install malware on devices before they are shipped to other countries.

Late Sunday night, all government agencies were forced to shut down all use of network management software made by a company called SolarWinds. The order was so urgent that “completion reports” were required by Monday from all agencies confirming that the software was no longer in use. The malicious code was injected when the hackers broke into automatic updates of the software (just like when your iPhone automatically updates overnight).

Cybersecurity firm FireEye was the first to notice the hack after its own systems were penetrated, and reported their assumption that both government and other private entities had been hacked as well. “There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, who was the co-founder of CrowdStrike, the cybersecurity firm that helped find the Russians in DNC systems during the 2016 Presidential Election.

Related: Read the NSA’s Official Warning

What was the goal of the attack?

Investigations into Russia’s motives remain ongoing, but almost all state-sponsored cyber events revolve around these goals:

A) To gather intelligence.

FireEye, the cybersecurity firm mentioned above, does quite a bit of work for the Department of Homeland Security and other federal intelligence agencies. These agencies hire the firm to conduct expert-level, benign hacks of their systems, a strategy called penetration testing. By hacking FireEye, Russia can access the results of these tests, and the means FireEye uses to conduct them. FireEye is far from the only private victim in this attack, but perhaps the most notable.

Because the hackers had access to US Treasury and Commerce Department email systems, they could also have gathered information the old-fashioned hacker way… by combing through inbound and outbound messages from agency accounts.

B) To send future emails posing as US Government employees.

By gaining information about the email habits of federal employees, the hackers can leverage these patterns for future attacks. Phishing attacks in general have increased 668% since the beginning of the recent pandemic, and governments and private companies alike should take serious measures to protect employees who work from home offices.

C) To impact or otherwise muddy the 2020 Presidential Election, and incite fear/panic in the United States.

Look no further than this article about the Russian involvement in the 2016 Democratic National Convention.

The history of Russian theft of critical data from the U.S. government stretches more than two decades and resulted in the creation of United States Cyber Command, the Pentagon’s quickly expanding cyberwarfare force. As early as the mid-1990s, the F.B.I. was called in for an investigation into networks that included Los Alamos and Sandia National Laboratories, which work on nuclear weapons design, among other issues.

How do these threats impact SMEs in the United States?

The potential impact “supply chain attacks” can have on American businesses is similar to the impact this attack has had on US Federal agencies. If a hacker manages to infect a 3rd party software application used by your business, it could enable them to directly download malware/ransomware onto your network, or launch phishing/spear phishing attacks from your employees’ company email accounts. Ouch.

Are supply chain hacks covered by Evolve’s cyber insurance?

Yes. Here’s how Evolve covers ransomware and phishing-related funds transfer fraud.

  • Ransomware

Evolve’s cyber policy agrees to reimburse the Insured for any ransom paid by the Insured, or on the Insured’s behalf, in response to an extortion demand first discovered by you during the period of the policy as a direct result of any threat to:

        • introduce malware, or the actual introduction of malware, including Ransomware, into your computer systems;
        • prevent access to your computer systems or data or any third party systems hosting your applications or data;
        • reveal your confidential information or confidential information entrusted to you; or
        • damage your brand or reputation by posting false or misleading comments about you on social media sites.

In addition to the ransom payment itself, ransomware attacks often require data restoration and/or data recreation. Evolve intends to cover those costs, as well as IT Security and Forensic Costs ($500/hr), Crisis Communication Costs ($500/hr), and in the case of a privacy breach accompanying the ransomware attack, we cover both 1st and 3rd Party Privacy Breach Management Costs ($1-3 per individual).

  • Funds Transfer Fraud via Phishing attack

Evolve’s cyber insurance policy covers both 1st party and 3rd party bank accounts. If the Insured suffers a BEC attack and the hackers successfully trick one of the Insured’s vendors to wire money to a fraudulent bank account, Evolve would cover the losses of the vendor in aggregate up to the policy limit.

If the vendor were the one whose email account is hacked, and the criminals convince an Evolve Insured to wire money to a fraudulent account, then the Insured would be covered on an each and every claim basis up to the policy limit.

Huntsville City Schools Back in Session After Cyber Attack


The district ceased all academic activities last week in response to a ransomware attack. Investigations remain ongoing.

Students Return to Classes… Kind Of

Back to the good old days of pencil and paper.

A ransomware attack hit Huntsville City Schools on Monday November 30th, closing the entire district for the rest of that week. Students, most of whom have been learning remotely due to COVID-19, returned to classes this Monday, but with a twist. Due to the ongoing nature of forensic investigations into the origin of the attack, students are still not permitted to use electronic devices to access academic networks. As a result, teachers were forced to create study packets and homework assignments on paper (gasp!).

While a return to old-fashioned pencil and paper assignments may seem harmless and even nostalgic, it represents the dark side of ransomware attacks and the business interruption they can cause. After all, not every business can simply revert back to working on paper. Earlier this year, a similar attack prevented a German hospital from accepting new patients, ultimately leading to the first ever ransomware homicide charges being filed.

Related: 2020 Has Seen a Record Spike in Ransomware

Why are school districts a common target for hackers?

There are many reasons hackers target American school districts, but for the sake of this article, let’s discuss the top three:

  1. Schools, similar to local governments, are low-hanging fruit for cyber criminals because their IT departments are typically understaffed and significantly underfunded.
  2. Related to point #1, school districts and governments often run legacy software and systems. These products are exceptionally vulnerable to hack attacks, and usually do not receive any sort of regular support or maintenance.
  3. Finally, remember that human error remains the #1 cause of cyber attacks in the United States. Tricking people into opening phishing emails is the most common point of entry for hackers, and the large number of students and staff in a given district makes for a perfect target audience.

The startling truth about ransomware in 2020.

As employees and students alike have shifted to at-home work environments due to COVID-19, hackers have greatly ramped up their ransomware efforts. Some key stats:

  1. 68% of ransomware attacks begin with a phishing link¹.
  2. Phishing attacks have increased 668% since the start of the pandemic¹.
  3. 85% of ransomware attacks targeted Windows systems¹.
  4. The average ransom demand has risen from $5k in 2018 to $100k+ in 2020².

Are ransomware attacks covered by cyber insurance?

Yes. Here’s how.

Evolve’s cyber policy agrees to reimburse the Insured for any ransom paid by the Insured, or on the Insured’s behalf, in response to an extortion demand first discovered by you during the period of the policy as a direct result of any threat to:

  • introduce malware, or the actual introduction of malware, including Ransomware, into your computer systems;
  • prevent access to your computer systems or data or any third party systems hosting your applications or data;
  • reveal your confidential information or confidential information entrusted to you; or
  • damage your brand or reputation by posting false or misleading comments about you on social media sites.

In addition to the ransom payment itself, ransomware attacks often require data restoration and/or data recreation. Evolve intends to cover those costs, as well as IT Security and Forensic Costs ($500/hr), Crisis Communication Costs ($500/hr), and in the case of a privacy breach accompanying the ransomware attack, we cover both 1st and 3rd Party Privacy Breach Management Costs ($1-3 per individual).