Threat actors are becoming more sophisticated, agile and relentless in their pursuit of stealing personal information for financial gain. Rapid and evolving shifts in the threat landscape require the knowledge and solutions to prepare and prevent threats that could spell disaster for organizations’ reputations and operations.

Organizations of all sizes remain at risk. Small to medium-sized businesses (SMBs) and managed service providers (MSPs) are especially vulnerable to the stealth efforts of bad actors. With fewer financial resources, a ransomware payment demand could mean the difference between staying in business and closing up shop.

Government entities are also prone to attack. In December 2021, Belgium’s Ministry of Defence experienced a cyberattack exploiting the Log4j vulnerability that paralyzed the ministry’s computer network. Within the same month, Australia’s utility company, CS Energy, experienced a ransomware attack involving the well-known ransomware Conti.

Evolving cyber threats can be unpredictable, but that doesn’t mean businesses have to tackle them alone. A robust security stack can help businesses stay protected and prepared. Establishing this level of resilience involves partnering with a provider that has human-powered threat hunting resources.

What is threat hunting?

Threat hunting involves actively searching for adversaries before an attack is carried out. Threat hunting involves the use of tools, intelligence and analytics combined with human intervention. Threat hunting centers around the proactive containment and identification of potentially damaging files before malicious vectors can cause severe damage to an organization’s operations.

What does a threat research analyst do?

“At Webroot, we focus our efforts on analyzing customer data. Our threat research analysts examine this data to determine if malicious files are present. Our analysts are constantly looking for files that possess certain characteristics that make up various types of malware. If we identify and determine that critical elements of a suspicious file are present, we classify and block them. Making determinations can be approached in different ways. One avenue of determination is carried out by creating isolated conditions to run the suspicious file to see what results it presents,” says Marcus Moreno, manager, threat research at Carbonite + Webroot, OpenText companies.

“Since our database is comprised of mass quantities of SMB and MSP data, we can continue to make determinations from a large and evolving data set. This is why SMBs and MSPs can derive value from partnering with Webroot,” adds Moreno.

Take your security stack to the next level

Cyberattacks will continue to be a concern for businesses, governments and individuals. Combatting cyber threats means adopting a cyber resilience approach. Cyber resilience is the ability to remain operational in the face of threats – whether human or maliciously-based. One important element of a solid cyber resilience strategy is to remain in a pre-emptive and proactive stance. Avoid costly ransomware payment demands, bolster customer confidence and minimize downtime for business operations by investing in a solutions provider backed by threat hunting capabilities.

Discover how Webroot’s solutions can protect your business.

Phishing attacks sustain historic highs

In their latest report, IDG and the pros behind Carbonite + Webroot spoke with 300 global IT professionals to learn the current state of phishing. We learned that 93% of IT executives are still concerned about phishing – and it’s no wonder, as companies averaged 28 attacks each over the previous 12 months.

Luckily, the report details how to fight back. With the right preparation and the right protection, companies can prevent all but 0.3% of attacks.

Phishing capitalizes on COVID

Phishing attacks have been part of the cybercriminal arsenal for years. But it’s only recently that phishing has flourished into the scourge it is today. That’s because cybercriminals have found success by targeting COVID-19 fears with their schemes.

In fact, phishing attacks spiked by 510% from just January – February 2020, according to the 2021 Threat Report. These increases leveled off by the summer, but phishing attacks still increased 34% from September – October 2020. Overall, 76% of executives report that phishing is still up compared to before the pandemic.

COVID-based tactics might purport to have new info on a shutdown, to share COVID stats or even suggest info from your doctor. But in each case, cybercriminals are looking to steal your information.

Who’s getting attacked?

IT departments are feeling the brunt of these attacks, with 57% of them targeted by phishing. Carbonite + Webroot Sr. Security Analyst Tyler Moffitt says, “Even if malware targets someone with lower-level access, the attack will move laterally to eventually find an IT administrator.”

He goes on to say that attackers can then linger for a week or more to find valuable data or steal a balance sheet that gives an indication of how much ransom to charge.

Because they often have important credentials, top executives and finance groups are also common targets. Public-facing customer service employees also offer easy access.

Consequences of phishing

75% of global IT executives say they’ve suffered negative consequences from phishing attacks. That includes:

• 37% suffered downtime lasting more than a day
• 37% suffered exposure of data
• 32% lost productivity
• 19% had to pay legal or regulatory fines

A layered approach to security

But it’s not all bad news. Yes, phishing is using new tactics to target businesses. But there are ways to fight back.

The report cites training as one of the most effective tools. But the frequency of training varies greatly, and 25% of those who use it don’t include phishing simulations. By using security awareness training that offers regular simulations, you can reduce phishing by up to 70%.

But even with great training, the report notes that people will still click some of the time. That’s why a multi-layered approach gives peace of mind that not all is lost if one person messes up.

No layer is 100% effective, but taken together many layers get very close. A defense in depth security posture utilizing DNS and endpoint detection as well as a sound backup strategy can give you confidence that you’re prepared to withstand even a successful phishing attack.

Ready to start protecting yourself and your business? Explore how Carbonite + Webroot provide a full range of cyber resilience solutions.

Download the IDG report.

Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends.

And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.

How malware disrupted our lives

These days, every major ransomware campaign runs a “double extortion” method, a scary prospect for small businesses. They steal and lock files away and they will absolutely leak data in the most damaging way if a ransom settlement is not reached.

Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware.

This highlights the importance of user education – training users to avoid clicking these phishing lures or preventing them from enabling macros from these attachments are proven in stopping malware in its tracks.

While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This allows each group to specialize on their respective payload and perfect it.

This year’s wicked winners

Lemonduck

• A persisting botnet with a cryptomining payload and more
• Infects via emails, brute force, exploits and more
• Removes competing malware, ensuring they’re the only infection

REvil

• The Nastiest Ransomware of 2021 that made headlines with supply chain attacks
• Many attempts to shutdown the REvil group have so far failed
• Their ransomware as a service (RaaS) platform is on offer to other cybercriminals

Trickbot

• Decade old banking and info-stealing Trojan and backdoor
• Disables protections, spreads laterally and eventually leads to ransomware like Conti
• Extremely resilient, surviving numerous attacks over the years

Dridex

• Banking and info-stealing Trojan and backdoor
• Spreads laterally and listens for domain credentials
• Eventually leads to ransomware like Grief/BitPaymer/DoppelPaymer

Conti

•  Longstanding ransomware group also known as Ryuk and likely linked to LockFile ransomware
• TrickBot’s favorite ransomware
• Will leak or auction off data if victims don’t pay the ransom

Cobalt Strike

• White hat-designed pen testing tool that’s been corrupted and used for evil
• Very powerful features like process injection, privilege escalation and credential harvesting
• The customizability and scalability are just too GOOD not to be abused by BAD actors

Victimized by malware

The good news (I guess) is that last year’s average ransom payment peaked at $200,000 and today’s average is just below $150,000.

The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience.

The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it. To top it off, supply chain attacks are becoming a massive issue.

Protect yourself and your business

The key to staying safe is a layered approach to cybersecurity backed up by a cyber resilience strategy. Here are tips from our experts.

Strategies for business continuity

• Lock down Remote Desktop Protocols (RDP)
• Educate end users
• Install reputable cybersecurity software
• Set up a strong backup and disaster recovery plan

Strategies for individuals

• Develop a healthy dose of suspicion toward messages
• Protect devices with antivirus and data with a VPN
• Keep your antivirus software and other apps up to date
• Use a secure cloud backup
• Create strong, unique passwords (and don’t reuse them across accounts)
• If a download asks to enable macros, DON’T DO IT

Discover more about 2021’s Nastiest Malware on the Webroot Community.

“Phishing” may have been a relatively obscure term, but pretty much everyone has heard of it by now. In fact, recent statistics indicate a high likelihood that you—or someone you know—have been the victim of a phishing attack at least once. 

Now, if you remember the classic Nigerian Prince scams from back in the day, you might be asking yourself how the stats could be so high. After all, it seems pretty unlikely that an otherwise cautious person would fall for something like that, right? And in today’s cyber-climate, where the news is filled with headlines about major hacks and malware infections that spread like wildfire, why would anyone click on links from unknown senders or hand over their sensitive, personal information (think SSNs, etc.) without verifying the authenticity of the request? It turns out, there are a lot of subconscious influences at play, and the thing that makes phishing attacks so successful is the way they take advantage of our trust, curiosity, fear, greed, and even desire to do a good job at work.

Understanding the factors that drive a successful phishing attack is fundamental to preventing them in the future. That’s why Webroot partnered with Dr. Cleotilde Gonzalez, research professor at Carnegie Mellon University, to take a deep dive into the psychology of phishing. 

Read our full report, Hook, Line, and Sinker: Why Phishing Attacks Work, for more information on the psychology behind phishing attacks.

Tip #1: Maintain strong, unique passwords. Using individual passwords for each of your accounts will help prevent fraud, identity theft, and other malicious activity. Consider using a secure password manager, and enable two-factor authentication wherever possible.

What kind of person clicks a phishing link, anyway?

The truth? We all do it. While 86% of Americans believe they can distinguish a phishing message from a genuine one, 62% have had their personal information compromised as part of a breach. So what’s the deal here?

“People are generally overconfident about their ability to spot the fakes. Overconfidence is a big problem in many human actions. In this case, this probably happens because the ratio of phishing emails to regular emails feels low, so our mind underestimates the probability of receiving a phishing email, and in turn, overestimates our ability to identify one if we do.” – Cleotilde Gonzalez, Ph. D.

Tip #2: Stay on your toes. The more overconfident and complacent you are about your security, the easier it is for you to be phished. Don’t play into a cybercriminal’s hands. Maintaining a healthy level of suspicion about all links and attachments in messages may make all the difference during an attempted breach.

How are phishers using psychology against us?

By tapping into our own personal sense of urgency, cybercriminals are able to manipulate us in subtle ways that we may not realize until it is too late. Hackers often use cleverly disguised email handles and targeted messaging, known as “spear phishing,” to create a sense of trust and familiarity. This makes links appear more legitimate, and makes us perceive the click as less risky.

“Ultimately, urgency, familiarity, and context have a strong impact on decision making. If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.” – Cleotilde Gonzalez, Ph. D.

What are the most convincing ways for a phisher to tap into your sense of urgency to get you to open their email? 

• 65% of Americans prioritize emails from their boss 
• 54% prioritize emails from family or friends 
• 33% prioritize emails to confirm bank transactions 

That means you shouldn’t feel weird or guilty for verifying odd requests from bosses, family, or friends. If your boss sends you an email asking for out-of-the-ordinary action, don’t hesitate to call them up and ask them for details. (Do this instead of replying to the email.) Same with links, downloads, and requests for information from family and friends. It never hurts to double-check.

Practicing phishing mindfulness, even when clicking links from seemingly trustworthy sources, cuts down significantly of the efficacy of spear phishing attacks. Pay close attention to sender addresses and handles, as well as signatures. If you get an email from your bank, financial institution, or even a regular website for which you have a login, navigate to their official website independently instead of clicking through on that potentially risky email.

Tip #3: Back everything up and do it regularly. All of your important data and files should be regularly backed up to a secure hard drive or cloud storage. When using a physical hard drive, only connect it while backing up. This will help prevent the drive from being affected by an infection.

Why are we still clicking?

Here’s the thing: 76% of Americans know they have received a phishing email, and yet still 56% of people would feel comfortable clicking on a link or attachment from an unknown source on their personal devices. So why are so many of us still willing to jeopardize our safety for an unknown link?

“Risk and under-weighed probability are linked. Risks sometimes come with rewards, right? So if the risk seems low and the reward seems high, you’ll make riskier decisions. It’s like gambling; our minds explore different gain/loss experiences, then respond with risk-taking or risk-averse actions.” – Cleotilde Gonzalez, Ph. D.

Tip #4: Always keep your software up-to-date. Hackers are known to regularly exploit security holes in outdated software and operating systems. By installing software updates when prompted, you can stop many cybercriminals in their tracks. 

What if you’ve been phished? Now what?

With 62% of those surveyed reporting some type of data breach, it’s important to know what to do in the event of a breach that can help keep the damage to a minimum. George Anderson, Product Marketing Director at Webroot, recommends the following steps:

1. Change your account passwords immediately! That includes accounts you don’t believe were breached, but are using the same or a similar password.
2. Set up alerts with your credit agency. 
3. Void existing credit cards and order new ones. 
4. Engage a credit security service. 
5. Notify law enforcement or the appropriate government agency. 

While some of these steps may seem obvious to you, they clearly need to be repeated; of people whose information was stolen or exposed, a baffling 32% didn’t bother to change their account passwords afterward. 

Dr. Gonzales shared her thoughts on what can be done to combat this type of complacency.

“These findings illuminate the fact that what we really need here is a mindset makeover,” she says. “The longer-term reward of security needs to be highlighted, front and center, not placed on the backburner. To do that, we’re going to have to shift the way that people think about security and prioritize their responsibilities. We have to allow the time and brain space for security-related considerations.”

What can we all do going forward?

You can nurture the type of security mindset shift Dr. Gonzalez references by taking small steps. First, you know those software and security updates you (like many people) are probably putting off? Just do them. Enable two-factor authentication wherever possible, especially on important online accounts like your banking and credit institution websites. 

You may even find that your heightened security practices influence those around you to make stronger choices. After all, seeing a person you know being on top of their game can be very motivating to start making personal changes! 

Remember, the most important thing you can do is avoid overconfidence. Don’t underestimate the risk of a phishing attack. Doing that is exactly what will make you a prime target for criminals.

“It’s a classic case of underweighting probabilities, but explicit numbers speak for themselves. Providing this information might help people calibrate the risk and confidence more accurately.” – Cleotilde Gonzalez, Ph. D.

MedusaLocker Ransomware Spotted Worldwide

While it’s still unclear how MedusaLocker is spreading, the victims have been confirmed around the world in just the last month. By starting with a preparation phase, this variant can ensure that local networking functionality is active and maintain access to network drives. After shutting down security software and deleting Shadow Volume copies, it begins encrypting files while setting up self-preservation tasks.

Bargain Website Server Exposes Customer Data

Several websites used by UK customers to find bargains have left a database filled with customer data belonging to nearly 3.5 million users completely unprotected and connected to the internet. Along with the names and addresses of customers, the database also included banking details and other sensitive information that could be used to commit identity fraud. The researchers who initially discovered the breach notified the site owners, but received no response or any indication the leak would be resolved until nearly six weeks after the database was left exposed.

Arrests Made Following Major BEC Scam

At least three individuals have been arrested in Spain for their connection to a business email compromise (BEC) scam that netted over 10 million euros and affected 12 companies across 10 countries. It appears the operation began in 2016 and involved the cooperation of multiple law enforcement agencies. By creating a web of fake companies and bank accounts, the group was able to successfully launder money into various investments, including real estate, in an attempt to remain undetected.

LA Court System Hacked

The perpetrator of a 2017 spear phishing attack on the LA court system was sentenced to 145 months in prison following convictions on charges of wire fraud, unauthorized access to a computer, and identity theft. The individual was able to compromise employee email accounts and use them to launch a malspam campaign that distributed over 2 million emails.

Pennsylvania School District Hacked

Multiple students are being questioned after school district officials noticed unauthorized access to the student assistance site Naviance, a hack which appears to have been an attempt “to gain a competitive edge in a high-stakes water gun fight.” Access to the site would have also given them access to other student’s personal data, though no financial or social security information is stored on the site. District officials determined the security practices for the site lacking but have not currently released plans for improvement.

First and foremost, endpoint protection must be effective. Short of that, MSPs won’t succeed in protecting their clients and, more than likely, won’t remain in business for very long. But beyond the general ability to stop threats and protect users, which characteristics of an endpoint solution best set its administrators for success?

Get the 2019 PassMark Report: See how 9 endpoint protection products perform against 15 efficiency benchmarks.

Consider the world of the MSP: margins can be thin, competition tight, and time quite literally money. Any additional time spent managing endpoint security, beyond installing and overseeing it, is time not spent on other key business areas. Performance issues stemming from excess CPU or memory usage can invite added support tickets, which require more time and attention from MSPs. 

So, even when an endpoint solution is effective the majority of the time (a tall order in its own right), other factors can still raise the total cost of ownership for MSPs. Here are some metrics to consider when evaluating endpoint solutions, and how they can contribute to the overall health of a business. 

1. Installation Time

We’ve written recently about the trauma “rip and replace” can cause MSPs. It often means significant after-hours work uninstalling and reinstalling one endpoint solution in favor of another. While MSPs can’t do much about the uninstall time of the product they’ve chosen to abandon, shopping around for a replacement with a speedy install time will drastically reduce the time it takes to make the switch. 

Quick installs often also make a good impression on clients, too, who are likely having their first experience with the new software. Finally, it helps if the endpoint solution doesn’t conflict with other AVs.  

2. Installation Size

Few things are more annoying to users and admins than bulky, cumbersome endpoint protection, even when it’s effective. But cybersecurity is an arms race, and new threats often require new features and capabilities. 

So if an endpoint solution is still storing known-bad signatures on the device itself, this can quickly lead to bloated agent with an adverse effect on overall device performance. Cloud-based solutions, on the other hand, tend to be lighter on the device and less noticeable to users.

3. CPU Usage During a Scan

Many of us will remember the early days of antivirus scans when considering this stat. Pioneering AVs tended to render their host devices nearly useless when scanning for viruses and, unfortunately, some are still close to doing so today. 

Some endpoint solutions are able to scan for viruses silently in the background, while others commandeer almost 100 percent of a device’s CPU to hunt for viruses. This can lead to excruciatingly slow performance and even to devices overheating. With such high CPU demand, scans must often be scheduled for off-hours to limit the productivity hit they induce. 

4. Memory Usage During a Scheduled Scan 

Similar to CPU use during a scan, RAM use during a scheduled scan can have a significant effect on device performance, which in turn has a bearing on client satisfaction. Again older, so-called legacy antiviruses will hog significantly more RAM during a scheduled scan than their next-gen predecessors. 

While under 100 MB is generally a low amount of RAM for a scheduled scan, some solutions on the market today can require over 700 MB to perform the function. To keep memory use from quickly becoming an issue on the endpoints you manage, ensure your chosen AV falls on the low end of the RAM use spectrum. 

5. Browse Time

So many of today’s threats target your clients by way of their internet browsers. So it’s essential that endpoint security solutions are able to spot viruses and other malware before it’s downloaded from the web. This can lead to slower browsing and frustrate users into logging support tickets. It’s typically measured as an average of the time a web browser loads a given site, with variables like network connection speed controlled for. 

Effectiveness is essential, but it’s far from the only relevant metric when evaluating new endpoint security. Consider all the above factors to ensure you and your clients get the highest possible level of satisfaction from your chosen solution.