Ransomware is a serious threat to institutions of all kinds, resulting in mounting costs for organizations that must literally pay ransom to regain access to their essential systems. A ransomware attack takes place when a cybercriminal denies an organization access to the data it needs to conduct business, usually by encrypting the data with a secret key. The attacker then offers to reveal the encryption key in exchange for a payment. The payment can vary in amount or kind.

PowerShell had its beginnings as a way to enable administrators to perform their tasks both locally and remotely with unprecedented access to underlying Windows components, such as COM objects and WMI. Since being included in every major Windows Operating System since Windows 7, PowerShell based tooling is well proliferated for both legitimate and malicious use and includes common tooling such as SharpSploit, PowerSploit, PowerShell Empire, Nishang and Invoke-Obfuscation.

Fear, uncertainty, and doubt are powerful emotions, and time and again, hackers attempt to leverage these for their own gain. As the coronavirus develops into a worldwide pandemic, hackers are taking advantage of the fear many of us feel to spread malware. We’re seeing an abundance of coronavirus-themed phishing, business email compromise (BEC), malware, and ransomware attacks targeting different industries, especially in the health sector.

In 2019 multiple cities, hospitals and educational institutions in the U.S. were crippled by ransomware, including Baltimore, Atlanta, New York City, Regis University in Denver and Monroe University in New York. In the the last 12 months, the infosec community has seen these ransomware operators seriously upping their game (see Ryuk ransomware).

During research into client side attacks, we recently observed a skimmer loading on the popular Pakistani fashion website, Khaadi. Khaadi is a global brand including seven stores in the UK and the company boasts over 5.4 million followers on social media. Khaadi have faced negative press recently, after an uproar about inhuman workplace conditions in 2017, and narrowingly avoiding going into administration in 2019.

Ransomware has been a growing threat in recent years, and experts now estimate the cost of these attacks at $7.5 billion in the USA alone in 2019. The affected institutions include 966 government agencies, educational establishments, and healthcare providers. Since most ransomware attacks stem from a small mistake made by one end user, either through phishing emails or stolen credentials, the threat is only expected to increase in the years to come.

At the start of this month, three U.S. law firms got hit with ransomware attacks. Ivanti security expert Chris Goettl gives us his take on the incident below. First, why are legal firms a good target? To answer that we need to look at what makes an ideal payout scenario for a ransomware attack.

Last month, the Elastic Security Protections Team prevented an attempted ransomware attack targeting an organization monitored by one of our customers, an IT Managed Service Provider (MSP). We analyzed the alerts that were generated after an adversary’s process injection attempts were prevented by Elastic Endpoint Security on several endpoints. Adversaries often attempt to inject their malicious code into a running process before encrypting and holding the victim’s data to ransom.

Visa have reported a new security alert for an advanced, self-cleaning, JavaScript skimmer named Pipka. The security researchers at Visa’s Payment Fraud Disruptions (PFD) discovered the skimmer in September earlier this year. The skimmer was first seen on a North American ecommerce website which had previously been infected with a different skimmer, Inter. Visa have now identified another 16 additional sites with hosting the Pipka code.

The landscape of cybersecurity is always changing, and new threats are constantly emerging. One of the newest – and the most interesting, if you are into that kind of thing – is the rise of printer malware. This type of malware started to be reported in November 2017, when Barracuda Labs saw an attack where cybercriminals spoofed a printer to send a malicious attachment that appeared to be a legitimate file sent by a network printer.