Published on Monday, December 14, 2020

Cyber Watch: Monthly Alerts & Updates in Cybersecurity (December 2020)

As ransomware continues to be a primary focus of the Cyber Watch posts, this month we introduce an entire section dedicated to it. In the ransomware section, you will read about the continued increase in the number and types of attacks, the rising ransom amounts, and the data theft that increasingly takes place before the encryption step. You will also read about specific ransomware families such as REvil, RegretLocker, Maze, Egregor, and Ryuk and what is happening with them in the fraud landscape, along with details of an FBI ransomware alert and a real-life case study of how an actual ransomware attack unfolded. Elsewhere, this month's post covers data protection laws and several cyber-attack techniques, examines what "threat intelligence" really means, and shares an FBI alert about spoofed government websites. As always, please feel free to share this information with colleagues; we welcome your feedback and comments on this month's Cyber Watch post.

Massachusetts Voters Pass Right-To-Repair Measure – Massachusetts voters passed a measure allowing citizens more control over the data stored and accessed in cars. "The measure, listed on the ballot as Question 1, amends and broadens a law that gives consumers in Massachusetts the right to repair the vehicles they own. The measure will require automakers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022." Click the following link to read more about the measure and its impact.

Ghimob Threat Actor is Creating New Attack Techniques – "Ghimob is a full-fledged spy in your pocket: once the infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim's smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems. Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device." Click the following link to read more about Ghimob.

Cobalt Strike Toolkit Shared Online – Cobalt Strike is a penetration testing toolkit that provides remote access to a network so that testers can probe its vulnerabilities. The source code behind Cobalt Strike has been leaked online, allowing hackers to abuse the tool. Click the following link to learn more.

The Real Meaning of Threat Intelligence – Gartner (a technology research firm) defines threat intelligence as "evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." The article goes on to argue that this definition may not be fully accurate and that our perception of threat intelligence may be, as it puts it, "poisoned." Click the following link to learn more about threat intelligence and how the Gartner definition measures up against the reality of what it is.

Delaware Division of Public Health COVID-19 Data Breaches – In September, the Delaware Department of Health and Social Services (DHSS) discovered an employee had sent unencrypted emails in August that contained COVID-19 test results for around 10,000 parties. On November 15th, the Delaware division sent a letter to all the impacted parties making them aware of this and directing them to reach out to a call center with any questions. Click the following link to read more about what happened and Delaware's response.

TroubleGrabber Steals Credentials – "This malware, which primarily arrives via drive-by download, steals the web browser tokens, Discord webhook tokens, web browser passwords, and system information. This information is sent via webhook as a chat message to the attacker's Discord server. Based on the file names and delivery mechanisms, TroubleGrabber is actively being used to target gamers." Click the following link to learn more about TroubleGrabber and how it works.

Employees Have Access to Lots of Data! – For the most part, we all realize that employees have access to a lot of sensitive information. Most organizations have policies in place to govern and control this access, and some even test those controls. But statistically speaking, how much data do employees have access to? According to research by Varonis, financial services employees can access up to 11 million files, 20% of these employees have access to all company folders, and about 60% of companies have passwords for accessing data that never expire. Want to learn more? Click here to read the full report. You can also access a full summary article by clicking on the following link.

Internet of Things Cybersecurity Improvement Act of 2020 – The Internet of Things Cybersecurity Improvement Act of 2020 was passed by both the House and Senate. "The legislation marks a step forward in securing IoT devices purchased by the government. U.S. agencies have growing fleets of IoT devices that are used for many purposes, including tracking assets, monitoring ships and controlling access to buildings." Click the following link to learn more.

Free Google Services Used in Phishing Campaigns – "Fraudsters are increasingly using free Google services to create more realistic phishing emails and malicious domains that circumvent security filters, the security firm Armorblox reports." Click the following link to read more about the benefits to a fraudster and how using free Google services can make these attacks more effective.

FBI Spoofed Website Domains – The FBI is warning about spoofed websites that contain slight variations and have lookalike characteristics to trick visitors into thinking the site is legitimate. "Nation state-backed or financially motivated threat actors are frequently using such lookalike domains in attacks designed to harvest the targets' credentials and financial information, to spread malware, as well as to propagate false information." Click the following link to learn more including how you can safeguard against spoofed sites.

U.S. Government Accountability Office Urges Policymakers to Establish 5G Cybersecurity Standards – "The U.S. Government Accountability Office is urging policymakers to adopt coordinated cybersecurity monitoring of 5G networks to ensure a safe rollout of the new technology. The federal watchdog agency released a study titled 'Capabilities and Challenges for an Evolving Network,' to discuss how the performance goals and expected uses are to be realized in U.S. 5G wireless networks, the challenges that could affect the performance or usage, and the policy options to address those challenges." Click the following link to read more.

Ransomware Updates

Increase in Ransomware Attacks Emphasizes Risks – Ransomware is not only becoming more pervasive, attacking multiple areas of the business sector; the attacks are also becoming more effective, with higher success rates and payouts reaching upwards of $1.4 million. Beyond the ransom itself, recovery is costing some companies nearly $700,000 to get things back up and running. That is why it is so critical that organizations have good risk mitigation practices in place. Click the following link to read more about this topic and learn what organizations can do to help safeguard against cyberattacks.

REvil Ransomware Acquires KPOT Trojan – "The operators of the REvil ransomware strain have 'acquired' the source code of the KPOT trojan in an auction held on a hacker forum last month. First spotted in 2018, KPOT is a classic 'information stealer' that can extract and steal passwords from various apps on infected computers. This includes web browsers, instant messengers, email clients, VPNs, RDP services, FTP apps, cryptocurrency wallets, and gaming software, according to a 2019 Proofpoint report." Click the following link to learn more about this purchase and what REvil plans to do with KPOT.

Blackbaud Sued Because of Ransomware Attacks – Cloud software provider Blackbaud was attacked by ransomware back in May. The company was able to stop the ransomware from encrypting its data, but not before a copy of the data was stolen by the attackers. Blackbaud paid a ransom to ensure the stolen data was destroyed. Now the company faces 23 consumer class action suits by its clients located in Canada and the United States. Click the following link to learn more about the ransomware event, lawsuit, and financial consequences that Blackbaud is facing.

RegretLocker Ransomware Encryption – "A new ransomware called RegretLocker uses a variety of advanced features that allow it to encrypt virtual hard drives and close open files for encryption." Click the following link to read more about RegretLocker and what it does when infecting a virtual hard drive.

Maze Ransomware Retires and Expected to be Replaced by Egregor – The developers of Maze ransomware (a well-known and especially damaging strain) are exiting the malware scene. There is speculation that threat actors will adopt Egregor (a newer, complex, and equally damaging strain) in place of Maze. Click the following link to read more about Maze's exit and Egregor's potential replacement.

50% of Ransomware Attacks Lead to Stolen Data – Ransomware attacks continue to increase, and the payouts keep getting larger. According to HealthITSecurity, the average ransom demand is $234,000 and nearly 50% of these attacks result in data being stolen before it is encrypted. Click the following link to read more about trends and stats related to ransomware attacks.

National Council of ISACs Ransomware Report – The National Council of ISACs has created a comprehensive Ransomware Report. Click here to access the report and learn more about what ransomware is, methods of ransomware infections, the impact of ransomware on government agencies and the economy, key statistics, the growth of ransomware, cryptocurrency and money laundering, and the regulatory gap. Ransomware_NCI_Report.pdf

Ryuk Ransomware Gets Paid $34 Million for Decryption Key – A hacker group leveraged the Ryuk ransomware to target high-value companies and received $34 million to decrypt the infected data. BleepingComputer outlines a 15-step process flow for the attack. Click the following link to read more about Ryuk and the 15-step process.

Ransomware Attack on e-commerce Platform X-Cart – "E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform." The company chose to not pay the ransom and instead restored its servers from backups. There is speculation that a class action lawsuit may be coming. Click the following link to learn more.

Steelcase Furniture Giant Down for Two Weeks After Ransomware Attack – "Office furniture giant Steelcase says that no information was stolen during a Ryuk ransomware attack that forced them to shut down global operations for roughly two weeks." Click the following link to learn more about what happened and how Steelcase is responding.

Manufacturer's Real-Life Ransomware Case Study – Often we talk about cyberattacks anecdotally understanding the high points but not necessarily getting into the meat of what happens. Click the following link to read about a real-life ransomware attack on a manufacturing company and get to see the timeline, response process, and resolution of an actual situation.

REvil Ransomware Demanded $500 Thousand from  – (a web hosting provider) had to take down its servers in response to a REvil ransomware attack. Initially, only the impacted servers were taken down. Eventually, Managed needed to take down the entire network to protect its clients' data. It is believed that REvil was demanding a $500,000 ransom; it is unknown whether or not data was stolen before being encrypted. Click the following link to read more about this attack.

FBI Warning About Ragnar Locker Ransomware – According to BleepingComputer, the FBI has posted an alert about Ragnar Locker ransomware. "Ragnar Locker actors will manually deploy the ransomware payloads to encrypt the victims' systems after a reconnaissance stage to help them discover network resources, company backups, and various other sensitive files to be collected for data exfiltration." Click the following link to read more about Ragnar Locker ransomware and details about the FBI alert.
Director, Payments Innovation

As the Director of Payments Innovation for NEACH, Mark focuses on exploring innovative solutions and technologies that will help position members for success, both now and in the future. Connect with Mark to read more of his blogs, articles, and posts.

Author: Carlos Ortiz

Categories: Articles

Tags: CyberWatch