Surtr Ransomware Pays Tribute to REvil
Arete
by plaatdev
2y ago
Executive Summary

In February 2022, Arete investigated a Surtr ransomware incident where the ransomware author(s) paid tribute to the now defunct REvil (aka Sodinokibi) group by making a registry key change to the infected host. REvil was an infamous Russian-speaking Ransomware-as-a-Service (RaaS) operation known for the Kaseya attack. In October 2021, a multinational effort disrupted REvil’s operations, followed by Romanian and Russian law enforcement largely dismantling the group by arresting individuals and seizing millions in cash and cryptocurrency. Arete notes that the developers of Surt …
Dear Ramey: Missteps During an Incident Response Investigation Can Further Complicate Recovery
Arete
by plaatdev
2y ago
Dear Ramey: Missteps During an Incident Response Investigation Can Further Complicate Recovery

Answering burning questions from victims of cyber events

DEAR RAMEY: What can go wrong during an incident investigation? – Murphy L.

DEAR MURPHY L.: That’s certainly a loaded question! The short answer: everything and anything. Cybersecurity investigations aren’t straightforward, and what can go wrong will go wrong. The many moving parts within the incident response (IR) life cycle require continuous direction as any small misstep can have severe consequences that affect th …
SIEM vs. XDR: Advances in Security Monitoring and Cyber Defense
Arete
by Colin Hanks
2y ago
By Rae Jewell

The cybersecurity industry is chock-full of jargon, abbreviations, and acronyms. So much so that it can often be difficult to decide which tools may provide the best protection for your company. To help, we’d like to clarify some terms and review the benefits of a few solutions.

Let’s begin with SIEMs

Security information and event management (SIEM) technology has been around for a long time. Having evolved from log aggregation, log management, and event management, SIEMs serve to collect, aggregate, analyze, and store large volumes of log data from across numerous systems …
Fool Us Once … BlackMatter Initial Access Tactics Point to a Possible REvil Association
Arete
by Colin Hanks
2y ago
By Cyber Threat Intelligence Team

Arete observed an overlap between a recent BlackMatter case and a Q1 2021 REvil case. In both instances, the actors leveraged the NodeJS-based Gootloader to deliver a CobaltStrike payload. In a March 2021 insight, Arete detailed findings related to complex watering-hole infrastructure used to deliver Gootloader to unsuspecting victims. Highlights included:

REvil actors leveraged compromised web servers of legitimate businesses to host Gootloader.
Actors leveraged search engine optimization (SEO) hijacking to push malicious results to the top.
The malicious se …
Dear Ramey: Tips to Improve the Security of Data Sharing
Arete
by Colin Hanks
2y ago
Answering burning questions from victims of cyber events.

DEAR RAMEY: The more I read in the news about cyberattacks, the more I worry about all the information that could wind up in the wrong hands. Social media sites, law firms, and consultancies have a tremendous amount of information about their clients. Can you provide some tips on how to encourage our employees not to share information via social media? And are there questions I can ask our third-party partners, those who may have access to and retain our information, so we can better understand their cybersecurity prac …
Dear Ramey: Five Ways to Maximize Your Security Budget in 2022
Arete
by plaatdev
2y ago
Answering burning questions from victims of cyber events

DEAR RAMEY: Happy New Year! Our organization made it through the holiday season without a security event. While we were probably one of the few, we’d like to build up our defenses and carry through the confidence with our security program throughout this new year. A portion of our IT budget is devoted to enhancing security. What actions should we take to maximize our budgeted dollars? – Billy the Budgeteer

DEAR BILLY THE BUDGETEER: Congratulations on surviving the holidays without a security event! It’s …
Cybersecurity in the Age of Ransomware. It’s More Than Simply Having Insurance.
Arete
by Colin Hanks
2y ago
By Kevin Baker

In many ways, cybersecurity insurance is not so different from car or home insurance. In short, it’s a way to transfer risk. If a cyber incident occurs, insurance can help organizations gain a level of mitigating control and recoup costs, whether they come from direct damages, lawsuits, fines, or breach notification expenses. Although cybersecurity insurance has been around a while, the industry has had to evolve with the threat landscape — and the advent of ransomware changed everything. In the early 2000s, cyber insurance policies required little …
No Deal Is Worth Identity Theft: Ways to Prepare for Secure Holiday Shopping
Arete
by plaatdev
2y ago
By Kevin Baker

The holidays are upon us and with them often comes a mad rush to “Act now!” to score the best online deals “before it’s too late!” Unfortunately, competitive, hurried Black Friday-type shopping can translate to distracted shopping, which can translate into a dream opportunity for social engineering. The bad guys want you to be in a hurry. They want you to be distracted. It makes their jobs easier. And they know that the holiday season is a prime time to prey on the unprepared, tricking them into opening phishy emails, clicking on malicious links, or using their phones in other …
Dear Ramey: Security Awareness Must Be Continual Awareness
Arete
by plaatdev
2y ago
Answering burning questions from victims of cyber events.

DEAR RAMEY: Last year during the holidays, I remember seeing a lot of articles about breaches. As we move towards this holiday season, should we expect the same? What can we do to protect ourselves better? – Security Aware for the Unaware

DEAR SECURITY AWARE: Throughout 2021, there has been a tremendous focus on cybercrime. Every day, a new organization makes headlines for being breached, a new zero-day vulnerability is identified, or a ransomware grou …
Dear Ramey: Company Boards Bring Security to the Forefront
Arete
by Colin Hanks
2y ago
Answering burning questions from victims of cyber events.

DEAR RAMEY: Our board’s top priority is cybersecurity. We have a large information security organization led by a chief information security officer (CISO) and we’ve also sponsored several company-wide initiatives to promote awareness and enhance cybersecurity controls. Currently, we have an open board seat we’re considering filling with a hands-on security practitioner. The concern is that the individual may not have the career histor …