[BreachExchange] DarkOverlord Extorts WestPark Capital for Ransom

Inga Goddijn inga at riskbasedsecurity.com
Wed Sep 28 17:36:44 EDT 2016


http://www.infosecurity-magazine.com/news/darkoverlord-extorts-westpark/

*The hacking group known as the DarkOverlord is threatening to release data
from the California investment firm WestPark Capital unless it receives a
ransom.*

The DarkOverlord got away with NDAs, contracts, internal reports and other
sensitive data belonging to the investment firm.

The hackers published links to about 20 stolen documents online after
WestPark Capital initially refused to pay, and are now threatening to
release more. The documents that have already been made public include
non-disclosure agreements, internal presentations, reports and contracts.

The hacking group emerged in June 2016, when it made a name for itself in
lording it over, as it were, healthcare organizations.

It offered a fresh trove of 9.2 million patient records on a Dark Web
marketplace for 750 Bitcoin (about $477,000). The plaintext 2GB database
was described as including names, addresses, emails, phone numbers, dates
of birth and Social Security Numbers (SSNs) belonging to 9,278,352
Americans. The group claimed that the data was lifted using a zero-day
exploit for remote desktop protocol (RDP).

The group is reportedly using similar tactics with WestPark.

Javvad Malik, security advocate at AlienVault, told us in an emailed
statement that despite the threats, paying the ransom is probably not the
best idea.

“The challenge is that even if companies pay the ransom, there is no
guarantee that the data won’t still be leaked publicly or traded
privately,” he said. “Once the genie is out of the bottle, there is no
going back. So I would not recommend paying the ransom under these
circumstances.”

The attacks show that criminals are starting to port winning techniques
from target silo to target silo. “The recent attack on WestPark Capital
indicates that no vertical—even the historically secured financial services
industry—is immune to ransom attacks from either external hackers or
automated ransomware threats,” said Carl Wright, EVP and general manager of
TrapX, via email. “This clearly is a technique that has worked for hackers,
who are now capitalizing on its predictable returns to branch out past
healthcare and take advantage of the surprise factor that compels
organizations to hand over critical data.”

Generally, the best offense here is a good defense. For one, organizations
need to be aware of what data is hazardous to them and under what
circumstances.

“Where possible, this should be imparted into the risk appetite of the
organization and described independently of the technology stack,” said
Malik. “If this can be done, companies will be closer to understanding the
value of their data, and they’ll be able to better protect the most vital
aspects, while minimizing the chances of being held to ransom.”

Tony Gauda, CEO of ThinAir, points out that the incident reinforces the
notion that corporate America's most valuable asset—sensitive, proprietary
data—is also its greatest vulnerability.

“Organizations that are tasked with securing highly sensitive client data
(in WestPark's case, contracts, non-disclosure agreements and confidential
reports) are especially ripe for extortion,” he said by email. “Enterprises
need to assume hackers will eventually breach their networks, and must have
precautions in place that assure data remains safe and under control
regardless of whether or not a malicious actor obtains it. We will continue
to see these types of data ransom attacks against organizations of every
size and across every vertical until data protection solutions are put in
place.”

So going forward, organizations—especially regulated verticals with highly
sensitive and protected data—also need to invest in technologies like
deception, which identify a range of ransom threats that are perpetrated by
cybercriminals as well as automated ransomware attacks, he added.

“By detecting these threats early on, security teams are immediately
alerted, which gives the organizations a huge leg up in defeating these
kinds of attackers before they have the chance to swipe critical data and
force payment for its return,” he said.