Threat Focus: Malware in Hospitality, Ransomware Preparedness, Bird Flu and More

This week, our team looked at a variety of issues and concerns, including Bird Flu’s global footprint and, taking a look at recent reports regarding the 2015 Tunisia beach resort terrorist attack, the importance of following through on risk assessments and after action reports. This post, however, focuses on two notable cybersecurity issues pulled from our daily reporting on the global, all-hazards threat environment. This week the Gate 15 Threat and Risk Analysis Cell (TRAC)  noted two areas of concern in the Threat Focus section of Wednesday’s Threat Dashboard – malware moving into the Hospitality community and the importance of understanding and being properly prepared for ransomware, which we’ve previously assessed will be one of the top cyber threats to organizations in 2017.

Ongoing analysis of the Carbanak banking Trojan has revealed that while it was primarily known to target financial information and banks, it also heavily targeted the hospitality industry in 2016. This shift accompanied a pivot in focus to extract data from individuals as well. Details revealed that the malware leveraged Google Services to perform command and control functions. This tactic made it harder to identify malicious traffic from the banking Trojan and differentiated it from legitimate traffic between a computer and Google Services… The shift in focus of the Carbanak Group serves as an important reminder that tactics observed in one Sector will typically shift to other Sectors as well, if they aren’t already there but undetected.”

Elaborating in Thursday’s Torpedo ReportDave Pounder added, “The ultimate aim of a successful cyberattack is to gain access to, and exploit an individual or organizations’ information using any number of means. Human error and weaknesses remain a significant weak link and a great entry point for attackers. The latest Carbanak… variants seek to exploit human weaknesses, and are accompanied by social engineering teams who are able to converse in excellent English. In one such case, a caller contacted a call center and reported problems using a reservation system. The caller requested that he/she be able to send the information directly to the customer support agent. As soon as the agent opened the email and the execution of the malware confirmed, the caller hung up the phone. In other cases, the social engineering included well-crafted professional looking websites for the companies the callers purport to be from and multiple phone calls allowing the actors to develop rapport with the victims before delivering a malicious payload.

Addressing ransomware the team noted, “One of the latest ransomware victims of the new year is a cancer clinic in Indiana. Rather than give in to cyber criminals, the Cancer Services of East Central Indiana-Little Red Door resolved not to pay a ransom, choosing instead to re-build servers in more secure environments. This allows the clinic to preserve their financial resources, focus on their primary job – to heal and help patients affected by cancer – and sends a powerful message to other organizations and criminal elements.”

This, with reports of a new ransomware “bluff” strategy “making its way around the web. This bluff uses the fear of ransomware to stress the decision-making process and get victims to pay without even encrypting the files. The attackers are hoping the pressure and fear of having to disclose ransomware, and potentially lose customers, hurry their targets into deciding to pay before even verifying that there is an issue.”

“These two incidents highlight genuine threats and scams, and demonstrate the need for organizations to deliberately plan their response to a potential ransomware incident in order to calmly and methodically verify a threat and respond in accordance with established guidance, processes and decisions. We reaffirm our assessment that 2017 will bring new variations of ransomware and continue to proliferate across a wide-variety of organizations, not limited by a specific type or size of target. Ransomware will disrupt immediate activities and events, as well as day-to-day business operations, but it is not fatal. As we have seen, paying the ransom doesn’t always solve the problem. The latest ransomware threats and scams come just as the Necurs botnet remerged late last week and started pushing out multimillion email campaigns. The expectation is that Locky, one of the ransomware variants distributed by Necurs, will also re-emerge after ‘a long winter’s nap’ and resume attacks. Being infected with Locky, and new variants such as Spora (or potentially just the threat that they have been infected…), could lead unprepared leaders into hasty decisions that deviate from best practices or established plans or processes.”

The complete Torpedo Report includes additional background and analysis as well as some preparedness and operational ideas for leaders to consider. This week’s reports and previous releases can be linked to from the “Reports” tab of this website.

To help leaders maintain active threat situational awareness, we distribute our (free!) daily paper and the above mentioned weekly products. Our team hopes they can help you achieve a sound background as you assess your organizational risks and then apply a threat-informed, risk-based and prioritized approach to preparedness and operations. If you’re not already signed-up, subscribe to our free products and receive them directly! Free reports include our daily paper, the Gate 15 SUN, with additional detail, focus and analysis in the weekly Threat Dashboard and Torpedo Report.

Follow our Gate 15 team on Twitter: @Gate_15_Analyst; and our Gate 15 page on LinkedIn and subscribe to our free daily and weekly products!