Cybersecurity News: Ransomware shutdowns, GRU sanctions, Lynx ransomware details

In today’s cybersecurity news…

Most ransomware victims shut down operations 

A new report from the Ponemon Institute found that 58% of organizations hit by ransomware last year had to shut down operations as part of their recovery, up from 45% of victims in 2021. Over the same span, the share of victims reporting significant revenue loss from an attack rose from 22% to 40%, and the share reporting brand damage jumped from 21% to 35%. While those metrics are trending in the wrong direction, the report also found that the average time to recover from ransomware fell 30% to 132 hours, and the average recovery cost fell 13%. 51% of respondents paid a ransom, and of those, 32% said attackers then demanded a further payment. 

(Infosecurity Magazine)

EU sanctions GRU members for Estonia cyberattacks

The European Council announced sanctions against three Russian nationals for involvement in cyberattacks against Estonia in 2020. The three men are linked to Unit 29155, aka Cadet Blizzard, of Russia’s military intelligence agency, the GRU. Estonia identified the unit as responsible for the attacks in September, the first time the country had attributed a cyberattack to a state-backed actor. Estonia’s Foreign Minister Margus Tsahkna said an international investigation found the 2020 attacks aimed to “damage national computer systems, obtain sensitive information, and strike a blow against our sense of security.” The sanctions freeze the men’s funds, prohibit EU citizens from transferring funds to them, and ban them from travelling in the bloc. 

(The Record)

Lynx ransomware runs a tight ship

Researchers at Group-IB gained access to an affiliate panel of the Lynx ransomware operation, revealing the level of sophistication the group has reached. The panel provides a consumer-grade UI that offers Lynx affiliates configurable victim profiles, custom ransomware sample generation, and scheduling of data leaks. Add-on services for affiliates include a call center for harassing victims and cloud storage. Lynx also maintains a comprehensive archive of binaries across a range of OSes and processor architectures, with multiple encryption modes so affiliates can trade encryption speed against how much of each file is encrypted, depending on their needs.  

(Infosecurity Magazine)
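The speed-versus-depth trade-off described above is, in general, implemented as intermittent encryption: the binary encrypts only some fixed-size chunks of each file, so files are unusable in a fraction of the time full encryption would take. The block below is an added illustration, not Group-IB's research code or anything recovered from the Lynx panel; the chunk-skipping scheme, the 4 KiB chunk size, the SHA-256 counter-mode keystream (a stand-in, not a real cipher) and the entropy thresholds are all assumptions chosen for the demonstration. Its practical side is the detector: a per-chunk entropy profile separates untouched, fully encrypted and partially encrypted files, which matters because a whole-file entropy check can miss a file where only every fourth chunk was overwritten.

```python
"""Intermittent-encryption trade-off and a per-chunk entropy detector.

Added example; not the Lynx operation's code. The encryption scheme here is a
simplified stand-in so that the detector has something realistic to run on.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096  # assumed chunk size; real families pick their own


def keystream(key, chunk_index, length):
    """Deterministic pseudo-random bytes from SHA-256 in counter mode.

    Illustrative only: it lets the example run offline and reproducibly.
    Do not use this as a cipher.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + chunk_index.to_bytes(8, "big") + block.to_bytes(8, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def encrypt_intermittent(data, key, every_nth):
    """XOR chunk i with a keystream only when i % every_nth == 0.

    every_nth == 1 encrypts the whole file; larger values are the "fast"
    modes. Returns (output_bytes, number_of_chunks_encrypted). XOR is its
    own inverse, so calling this again with the same arguments decrypts.
    """
    out = bytearray(data)
    touched = 0
    for offset in range(0, len(data), CHUNK):
        idx = offset // CHUNK
        if idx % every_nth != 0:
            continue
        ks = keystream(key, idx, min(CHUNK, len(data) - offset))
        for j, b in enumerate(ks):
            out[offset + j] ^= b
        touched += 1
    return bytes(out), touched


def shannon_entropy(buf):
    """Bits per byte of a buffer; 8.0 is the maximum for uniform random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropy_profile(data):
    """Entropy of each CHUNK-sized slice, in file order."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def classify(data, high=7.5):
    """Label a file by how many of its chunks look like ciphertext.

    The 7.5 bits/byte threshold is an assumption that works for text-like
    plaintext; compressed or already-encrypted files sit above it even when
    untouched, so in practice this check is combined with file-type context.
    """
    profile = chunk_entropy_profile(data)
    hi = sum(1 for e in profile if e >= high)
    if hi == 0:
        return "plaintext"
    if hi == len(profile):
        return "fully-encrypted"
    return "partially-encrypted"


# Constructed sample input: a low-entropy, log-like file of 67,500 bytes (17 chunks).
SAMPLE_PLAINTEXT = b"2024-11-25 host=web01 event=login user=alice\n" * 1500
SAMPLE_KEY = b"example-key-not-secret"


if __name__ == "__main__":
    for mode in (1, 2, 4):
        ct, touched = encrypt_intermittent(SAMPLE_PLAINTEXT, SAMPLE_KEY, mode)
        total = len(chunk_entropy_profile(ct))
        print(f"every_nth={mode}: {touched}/{total} chunks encrypted -> {classify(ct)}")
```

Running the block prints one line per mode; the "fast" modes touch a quarter or half of the chunks yet still render a structured file useless, and only the per-chunk profile distinguishes them from a clean file. The caveat in `classify` is the one a responder hits first: archives, media and already-encrypted backups are high-entropy by nature, so the entropy profile is a signal to combine with file type and a known-good baseline, not a verdict on its own.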

PowerSchool starts notifying victims

The education SaaS giant disclosed the cyberattack earlier this month, but at that point had only alerted impacted school districts. Now the company has begun notifying affected individuals in the US and Canada whose personal data was stolen, including past and current students, parents, and guardians. The breach is known to have impacted 6,505 school districts, but the exact number of affected individuals and a detailed breach report have not been released. PowerSchool did notify Maine’s Attorney General’s office that 33,488 people were affected in that state. 

(Bleeping Computer)

Huge thanks to our sponsor, Conveyor

Tired of herding cats to complete customer security questionnaires? 

Your team probably spends hours daily juggling the back and forth of completing these security requests.

That’s why Conveyor created Sue, the first AI Agent for Customer Trust. Sue doesn’t just handle completing security questionnaires and sending SOC 2 to prospects – she manages all the communication and follow-up too. 

You simply get notified when everything’s done so you can do a quick review. 

Stop wrangling cats and see what Sue can do for you at www.conveyor.com.

Edge rolls out Scareware protections

Ever visit a website that immediately displays a pop-up claiming it detected a virus and offers a download of free antivirus software? Then you’re familiar with scareware. The latest preview of Microsoft’s Edge browser introduces a new opt-in Scareware blocker feature, which uses locally running computer vision to compare sites against known scareware sites for similarities. If it detects a malicious site, it automatically exits fullscreen mode, stops any audio from the page, and gives users the option to report the site to Microsoft. Windows already offers some scareware protection with its Defender SmartScreen tool, but this is only effective against already flagged sites. 

(ZDNet)

Malware writing with GhostGPT

Researchers at Abnormal Security documented a new AI chatbot for cybercriminals called GhostGPT. The chatbot first appeared for sale on a Telegram channel in mid-November, with pricing starting at $50 a week. GhostGPT has grown popular enough that its operators have since shifted from that model to direct private sales. It’s marketed as being able to develop exploits, code malware, and write phishing messages. Researchers believe GhostGPT isn’t a standalone model like WormGPT but instead a wrapper around a jailbroken version of ChatGPT or an open-source model. The operators also claim not to record user activity or keep logs, as an added privacy draw. 

(Dark Reading)

Ransomware locked out org for six weeks

In an updated filing with the U.S. Securities and Exchange Commission, officials at the energy industry contractor ENGlobal Corporation revealed that a recent ransomware attack locked them out of “financial and operating reporting systems for approximately six weeks.” The attack began on November 25, 2024, with threat actors accessing systems containing “sensitive personal information.” Despite being locked out of critical operational systems for over a month, the company said in the filing that it did not believe the attack would have a “material impact” on its financials. 

(The Record)

The firm with the breach in its side

The multinational engineering firm Smiths Group disclosed a “cyber security incident” in a filing with the London Stock Exchange. The attack involved unauthorized access but Smiths did not disclose if any customer or business data was stolen. It’s unclear if this resulted in any disruption to operations, but the company said it isolated impacted systems and is working with experts on recovery efforts. There is no word on any group behind the attack yet. 

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.