nokuBT Backup Tools

Efficient management of redundant backup drives
For local and off-site backup drive storage locations

nokuBT News

Synchronize backup drives regularly, and your business and your computers will not appear in these nokuBT Backup News headlines.

Mar 3, 2020: Ransomware Attackers Use Your Cloud Backups Against You

"Backups are one of the most, if not the most, important defense[s] against ransomware, but if not configured properly, attackers will use it against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim's Veeam backup software."

What does this mean?

"Once they gain access, the Maze Ransomware operators told BleepingComputer that if cloud backups are configured, it is very useful when stealing data from their victims."

Mar 3, 2020: DoppelPaymer Ransomware Used to Steal Data from Supplier to SpaceX, Tesla

"'Deciding whether to pay a ransomware extortionist always involves a financial calculus where you determine whether paying is cheaper than recovering the data on your own.' The new methods that malware like DoppelPaymer and Maze employ are raising the stakes for victims of ransomware and increase the potential for financial loss if sensitive or classified data is revealed by threat actors, he said."

What does this mean?

Good backups provide for a good restore, and they also give you fresh knowledge of exactly which files could be used against you in an extortion operation.

Feb 27, 2020: FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips

"So always make sure to have a tested and working nightly backup routine with file versioning. This includes offline backups that are not accessible via the cloud.

BleepingComputer routinely sees ransomware actors targeting a victim's cloud-based backup service and deleting all backups before encrypting the network."

What does this mean?

"Therefore, it is important to retain offline backups that cannot be wiped by bad actors."

Feb 27, 2020: Ransomware Hits U.S. Electric Utility

"The Reading Municipal Light Department (RMLD) was infected with ransomware, as revealed in a statement by the electric utility...

Best practices include: Back up important files. Follow the 3-2-1 rule by creating three backup copies on two different media and placing one of the backups in a different location."

What does this mean?

The company alert, unfortunately, blames the problem on the state of the nation: "On Friday, February 21, 2020, RMLD was the target of a ransomware security breach, which has been sweeping the nation."

Feb 19, 2020: Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security

"Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) today warned of ongoing ransomware attacks targeting the systems of Swiss small, medium-sized, and large companies."

What does this mean?

Paying a ransom may be an invitation for repeated attacks:

"MELANI also warned both SMEs and large companies that they are still at risk even after paying the ransoms and restoring their systems and data seeing that 'the underlying infection from malware such as 'Emotet' or 'TrickBot' will remain active.'

"As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware or steal sensitive data from it.

MELANI said that there are examples of companies from Switzerland and other countries that were ransomed multiple times within short periods of time."

Feb 19, 2020: When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

"America's Homeland Security this week disclosed it recently responded to a ransomware infection at an unnamed natural gas plant.... It did, however, spread from an office computer through the plant's IT network to the operational network of PCs that monitor the plant, overwriting documents and other data as it went."

What does this mean?

Firewall or gap your networks, and ensure all networks are covered by independent backup systems.

Feb 10, 2020: Emotet spotted spreading via brute-forced Wi-Fi networks and shares with guessable passwords

"A new variant of the notorious Emotet Windows malware is able to spread wirelessly by brute-forcing Wi-Fi network passwords and scanning for shared drives to infect."

What does this mean?

More than what is in the headline alone. First the Wi-Fi network is brute-forced, then Windows accounts on the network are brute-forced, in addition to the hunt for network shares. Long and complex passwords matter, more than ever.

Jan 27, 2020: N.Y. Could Ban Cities from Paying Ransomware Attackers

"The investment should go into recovery contingencies, according to Adam Laub, CMO at STEALTHbits Technologies. This includes creating data backups (widely considered the best defense against a ransomware demands).

"'[The funding] doesn’t necessarily mean they need to be able to detect and prevent an attack, but they certainly will need to be able to recover from one quickly and completely,' he told Threatpost. 'That would mean increased funding and acquisition of talent or services, which the lack of is a major component as to why municipalities find themselves the target in the first place.'"

What does this mean?

Developing proposals seem to include two parts: banning ransom payments, and providing a pool of yet more hard-earned taxpayer funds to bribe municipalities into building real backup systems. That's right... New York State may subsidize backups. It seems that the politicians could produce the same results by mandating that all ransom payments be matched by additional payments to the State. The local governments and local citizens would then be paying for their own IT failures, instead of forcing the costs on all citizens of the state.

Jan 17, 2020: Cybersecurity 2020: A Perilous Landscape

"It is a constant battle to keep abreast of the latest issues. To make matters worse, we predict that in 2020 cyberthreats will become more frequent and sophisticated, spanning a wider attack surface and causing a more deadly impact."

Jan 14, 2020: Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices

"The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them."

What does this mean?

"Sleep" ^= "Secure"

Jan 10, 2020: Cybersecurity 2020 - The Danger of Ransomware

Wiper Worms:

"'I see wiper worms as one of the top cyberthreats for 2020,' Kassner told TechNewsWorld.

"Those hit by such an infection may not even be able to rely on backups, which also are infected. If users restore data compromised by the worm, that doesn't resolve the problem, as each restoration attempt only replicates the problem."

What does this mean?

Though the files will require more storage space, insist on building and archiving full disk images that include all partitions, for faster and more reliable restores. Air-gap those archived backups, maintain a long retention period and adhere to a frequent schedule for updating those backups. Do so, and wiper worms may be an inconvenience, but they will not ultimately destroy your data and business.

Jan 10, 2020: Sodinokibi Ransomware Hits New York Airport Systems

The managed service provider (MSP) was hacked, providing access to Albany County Airport. The ransomware penetrated backup servers. The MSP was fired. The airport paid the ransom. "Thanks to the fast action by our IT department, airport operations during one of the busiest travel periods of the year were not impacted and no passenger or airline data was acquired or accessed."

What does this mean?

First, MSPs have a serious problem and are at risk of fading away. Second, secure backups matter. It's odd that anyone would dare argue that it is OK to have all backup media firmly attached to any computer or network. If the MSP here had air gapped a set of backups, perhaps the client would have put them on probation instead of terminating them. This event also highlights the need for MSP clients to explore and fully understand their backup system. All by itself, "Contracting" ^= "Security".

Jan 10, 2020: Ako Ransomware - Another Day, Another Infection Attacking Businesses

"After looking at the ransom note and the Tor payment site, it quickly became apparent that this was not a ransomware infection we had seen before."

MedusaReborn: "...anti-Windows behavior and registry mapped drive disable targeting and isolating specific machines for encryption."

What does this mean?

Windows attacks: Ako deletes volume shadow copies, deletes recent backups and then disables the Windows recovery environment. No big deal, this happens all the time. But then it disables UAC to ensure access to mapped drives, and then does a ping scan that identifies responding machines and associated network shares to serve as encryption targets. Distribution is likely via hacked Remote Desktop services. The lessons? Air gap those backup drives. UAC is of no value here. Disable all Remote Desktop services.

Dec 31, 2019: 2020 Cybersecurity Trends to Watch

Trend #2: "Organized cybergangs will shift focus from leveraging banking trojans in huge multi-million dollar SWIFT-related heists and instead focus on smaller ransomware attacks."

What does this mean?

A secure and reliable backup system is always a critical infrastructure component. This projected trend is a reversal of the direction of the past couple of years, and will again focus attention on the availability of quality backups. For those that have relaxed in the belief that now only larger targets are being compromised... prepare.

Jan 15, 2020: A Practical Guide to Zero-Trust Security

"There are five different pillars to implement when moving to a modern, zero-trust security model."

What does this mean?

This generalized introduction to zero trust is highly relevant to backup systems.

Dec 28, 2019: Drilling Deep - A Look at Cyberattacks on the Oil and Gas Industry

The Report is here.

"In this paper, we give an overview of known digital attacks against the oil and gas industry and its supply chain. Current data shows that persistent actors, using relatively simple methods, can cause real harm to companies involved in this industry and even bring about circumstances that can affect world economies."

"We found that a U.S. oil and natural gas company was hit by ransomware, infecting three computers and its cloud backups. The computers that were targeted contained essential data for the company, and the estimated total loss was more than US$30 million. While we do not have additional details on this case, we believe the attackers did plan this attack carefully and were able to target a few strategic computers rather than hitting the company with a massive infection."

What does this mean?

An excellent read, regardless of industry...

Dec 24, 2019: Living off the land - Attackers leverage legitimate tools for malicious ends

"Living-off-the-land techniques remain popular, with Symantec blocking 480,000 PowerShell commands in one month alone."

What does this mean?

Symantec updates us with more to worry about. Essentially, if one owns computers, one should configure them to be as useless as possible.

Dec 24, 2019: Maze Ransomware Releases Files Stolen from City of Pensacola

"The actors behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack."

Dec 18, 2019: Medical biz LifeLabs fesses up - Hackers slurped 15 million customer records – and we paid them to hand it all back

"The medical outfit noted it has not seen any indication that the pilfered data has been released to the public. In fact, LifeLabs said it paid off the hackers to 'retrieve' the swiped database, which we understand to mean it got a copy of the information with a promise from the crooks not to further leak or exploit the data.

"'We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals,' Brown noted."

What does this mean?

Read the above quote again, and welcome to The Twilight Zone.

Seriously? And no backups?

In the spirit of community, here are several starter reference links that LifeLabs should consult:

    nokuBT Backup Tools - streamline the transfer of backup files from the work or home site to secure off-site locations

    Your backup drive needs a backup plan: Three ways to safeguard the data

    Why You Should Backup Your Files

    5 Ways to Back up Your Data

    Play it safe and back up your data

    Is my data safe in online drives, or should I back it up as well?

Dec 16, 2019: Hackers hit Norsk Hydro with ransomware. The company responded with transparency

"But Norsk Hydro was not about to pay a single bitcoin to the hackers or negotiate to recover the locked files. Instead, they opted to restore their data through trusted back-up servers."

What does this mean?

Backups work, once again.

Dec 12, 2019: All in the (Ransomware) Family: 10 Ways to Take Action

"Check out our list of top 10 things to do to protect your organization from the deepening scourge of ransomware."

What does this mean?

Air-Gap, Item #3. Back up your systems regularly, and store that backup offline on a separate device as part of a recovery plan.

Dec 7, 2019: Ransomware at Colorado IT Provider Affects 100+ Dental Offices

"Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as 'Sodinokibi' or 'rEvil' to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service."

"From talking to several companies hit and with third-party security firms called in to help restore systems, it seems that CTS declined to pay an initial $700,000 ransom demand for a key to unlock infected systems at all customer locations."

What does this mean?

Back up. Back up regularly and frequently. Air gap those backups. Use very, very strong passwords. Do not duplicate credentials. DO NOT DUPLICATE CREDENTIALS. Ensure ties to previous vendors/service providers/employees are broken, repealed, uninstalled, changed, undone, removed, gone.

The following reader post, by throwaway on 12-8-19 at 17:10, should be read cautiously - but the related lessons and advice are valuable:

"CTS was compromised by a weak Connectwise Control password and no 2FA enabled. To make matters worse, they used the same password for their backup platform (Acronis, which didn’t have 2FA at the time, does now). So the attacker encrypted all their client’s devices at the same time that they deleted everyone’s backups. Another layer of making matters worse… They hadn’t uninstalled agents on former clients, so people that had fired them also got encrypted (though luckily had a decent backup).

"Source: We’ve picked up many of their clients. Throwaway because not trying to make enemies – just want to put out a warning to make sure you and your staff don’t make similar mistakes."

Nov 19, 2019: VCPI nursing homes ransomware attack

"VCPI chief executive and owner Karen Christianson said the attack had affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees."

What does this mean?

The krebs article plus a bit of digging and reader posts yields the following info:

This ransomware attack impacted 110 nursing home organizations, 2400 facilities, 80,000 computers across 45 states. The cloud data hosting and remote management company, i.e. the service provider, was the target of the hack and source of the losses.

It appears the malicious infection and encryption activities occurred on the service provider's (VCPI) servers, and all companies that relied solely on VCPI for data management and security are, indeed, the ultimate victims.

Nov 14, 2019: How the most damaging ransomware evades IT security

"We decided to take a closer look at the behaviour of ransomware once it is inside a victim system..."

What does this mean?

Backups should be the first line of defense against any disaster because preventing all possible damage from all possible disasters is impossible. That said, for the ransomware disasters, know thy enemy to keep those backups current, secure and protected.

Nov 5, 2019: New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data

"...when we saw that the ransom note stated that a victim's credentials have been changed, we dismissed it. After testing the ransomware and rebooting the encrypted computer, I discovered that I was unable to login to my account."

"In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public."

What does this mean?

The act of illicit encryption is now being reinforced with enhanced threats.

Nov 5, 2019: Brooklyn Hospital Loses Patient Data In Ransomware Attack

"A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patient's data."

What does this mean?

"Backup is the first line of defense."

Oct 28, 2019: The Ransomware Superhero of Normal, Illinois

"Thanks to Michael Gillespie, an obscure programmer at a Nerds on Call repair store, hundreds of thousands of ransomware victims have recovered their files for free."

What does this mean?

"If the world had backups, then we wouldn’t have ransomware."

Oct 28, 2019: 'Definite uptick' - Global wave of ransomware attacks hitting Canadian organizations

The story of a Toronto dentist and his ransomware experience.

"'We were really lucky,' the Toronto dentist said. 'At least we had a good backup.'"

What does this mean?

Dr. Dentist had a backup system in place and functioning. There's no luck involved there, just wisdom at work.

If his backups were disconnected from his network, he was brilliant. If those backups were attached but nicely secured and thus not accessible to the invader, we should assign some luck to his circumstances. Regardless, this is a nice story with a happy ending after some sweat and nervousness passed. Unfortunately, this was also a data breach, which should have been explained as in the BJKP Health Centers article below.

More, from Mr. Callow of Emsisoft:

"Ryuk often causes damage to files it encrypts, making them irrecoverable. 'So data loss is very common in these cases, even if the ransom is paid.'"

Oct 28, 2019: Encrypted - Betty Jean Kerr People's Health Centers, with 152,000 Patient Records Exposed

From St. Louis, Missouri -

"The investigation revealed the following types of information had been encrypted in the attack: Patient names, addresses, dates of birth, Social Security numbers, pharmacy data, health insurance information, dental x-rays, and a limited amount of clinical data. Affected patients had received medical services at Betty Jean Kerr People’s Health Centers between 2011 and September 2, 2019... In total, up to 152,000 individuals have had their sensitive data exposed."

What does this mean?

"A third-party IT firm was engaged to assist with recovery, but it has not been possible to recover the encrypted data."

And that means that there were no backups, or the backups were also encrypted. No information is provided to clarify the losses as related to their backup systems.

Oct 21, 2019: Hacker Breached Servers Belonging to Multiple VPN Providers

"Servers belonging to the NordVPN and TorGuard VPN companies were hacked and attackers stole and leaked the private keys associated with certificates used to secure their web servers and VPN configuration files."

What does this mean?

Aside from recognizing the limitations of VPNs, it is important to acknowledge NordVPN's statement, including this insight:

"The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed."

There are two implications here. First, of course, is a need to evaluate existing or planned remote access to backup systems as well as primary networks and computer systems. Remote access vulnerabilities are becoming increasingly popular gateways for intruders, as seen on this news page. Remote access is convenient for both IT folks and hackers. Every computer owner should consider eliminating remote access applications. Sure, the IT work will cost more, but how does that compare to losses incurred via compromised and encrypted networks and backups?

The second implication is the large-scale consumer willingness, among both businesses and private individuals, to outsource storage and servers. Many would like to believe that the vendors will be better at security issues than in-house IT staff or on-site contractors. Question this assumption with vigor. In this case, we can be certain that the impacted VPN vendors will experience negative market consequences.

Read NordVPN's statement above one more time: the datacenter contractor's servers were insecure, and NordVPN did not know. But NordVPN chose to outsource, chose the contractor and approved of the infrastructure. That is the sole bottom line.

Oct 14, 2019: Pitney Bowes, Ransomware Victim

"Pitney Bowes, the US stamping meter maker, has been infected with ransomware, leaving customers unable to top-up their equipment with credit nor access the corporate web store."

What does this mean?

An astute commenter mentions an important backup implication rarely presented by the popular tech media: "Given these infections often lie hidden for a while, quietly trying to spread across the network, how far back would you go to ensure a clean backup? Pick the wrong one and you get re-ransomwared again at a later date."

Criminal encryption of targets' files is a traumatic act. The importance of maintaining frequent and archived backups, for extended periods and in storage formats and media disconnected from all computers (air-gapped), cannot be overstated. Those that insist on short-interval backup media rotation periods are poised for trouble when valid, uncompromised backups are eventually needed.

By retaining long-term base backups, the rebuild of clean systems after a compromise can be simplified and expedited. Otherwise, the rebuilding of multiple machines from scratch is a very expensive and lengthy process.
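The retention question raised above can be made concrete. The following is an added example, not nokuBT code: it simulates a grandfather-father-son style retention policy over two years of nightly backups, then asks whether any retained backup predates the date on which the intruder is believed to have gained a foothold. The two policies, the compromise date and the snapshot dates are all constructed for the illustration; the point is that a seven-day rotation leaves nothing clean to restore from after a dwell time of a few months, while a policy that keeps monthly and yearly base backups does.

```python
"""Backup retention versus a clean restore point (added example, not nokuBT code)."""
from datetime import date, timedelta


def retained_snapshots(snapshots, keep_daily, keep_weekly, keep_monthly, keep_yearly):
    """Return, oldest first, the snapshot dates kept under a GFS-style policy.

    The newest `keep_daily` snapshots are kept outright; then the newest
    snapshot in each of the most recent `keep_weekly` ISO weeks, each of the
    most recent `keep_monthly` calendar months and each of the most recent
    `keep_yearly` years is kept as well.
    """
    snaps = sorted(set(snapshots), reverse=True)  # newest first
    keep = set(snaps[:keep_daily])

    def keep_newest_per_bucket(bucket_of, count):
        seen = []
        for d in snaps:  # newest first, so the first hit per bucket is its newest
            bucket = bucket_of(d)
            if bucket not in seen:
                if len(seen) == count:
                    break
                seen.append(bucket)
                keep.add(d)

    keep_newest_per_bucket(lambda d: d.isocalendar()[:2], keep_weekly)  # (year, week)
    keep_newest_per_bucket(lambda d: (d.year, d.month), keep_monthly)
    keep_newest_per_bucket(lambda d: d.year, keep_yearly)
    return sorted(keep)


def newest_clean_restore_point(retained, first_compromise):
    """Newest retained backup taken strictly before the estimated compromise
    date, or None when every retained backup may already carry the intruder."""
    clean = [d for d in retained if d < first_compromise]
    return max(clean) if clean else None


def compare_policies():
    """Constructed scenario: nightly backups for 730 days ending 2019-10-14,
    attacker foothold estimated at 2019-06-01 (about 4.5 months of dwell)."""
    last_backup = date(2019, 10, 14)
    nightly = [last_backup - timedelta(days=i) for i in range(730)]
    first_compromise = date(2019, 6, 1)

    short = retained_snapshots(nightly, keep_daily=7, keep_weekly=0, keep_monthly=0, keep_yearly=0)
    long_ = retained_snapshots(nightly, keep_daily=14, keep_weekly=8, keep_monthly=12, keep_yearly=3)
    return {
        "7-day rotation": newest_clean_restore_point(short, first_compromise),
        "14d/8w/12m/3y": newest_clean_restore_point(long_, first_compromise),
    }


if __name__ == "__main__":
    for policy, restore_point in compare_policies().items():
        print(f"{policy:>15}: clean restore point = {restore_point}")
```

The dwell-time assumption is the variable to argue about with your own incident history; the policy arithmetic itself is what the script shows. In practice the retained set is what should live on the detached drives, and the compromise date comes from the investigation, not from the ransom note.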

Oct 6, 2019: Trucking Industry Has Become a Top Target of Ransomware Attacks

"...hackers will spend up to 18 months analyzing a company’s computer system before attacking it. 'These are pretty smart people...' ".

What does this mean?

For 2019, the news media have focused on attacks at hospitals and municipalities. This is because these institutions cannot avoid the publicity. Meanwhile, the rest of our economy is very much under attack, but we can expect most companies to not publicize their victim status.

Sep 26, 2019: How Sparks, Nevada, is rethinking security after ransomware

"At the time of the attack, our backup tape library used LTO3 tapes, storing about 700 gigabytes each. We had to get all of the necessary tapes from an off-site vendor in order to feed them into the tape library one by one — a painfully slow task. It was two weeks before our GIS data was completely back online, as huge image files needed to be restored from small, slow tape backups."

"...I can’t overstate the need for comprehensive backups. We were prepared for the ransomware attack, as our backups were complete and current. But there’s still a disruption to city services and internal workflows while everything gets restored."

What does this mean?

Post-disaster backup availability, the integrity of backup files and restore speed and success all matter. Ransomware consequences that cost hundreds of thousands of dollars, to multiple millions with permanent data losses, now contrast to the trivial cost of building and managing detached backups on reliable, redundant, and chained hard backup drives.

Sep 30, 2019: Baltimore City Information Technology - Biennial Performance Audit Report: IT staff should create and test backups (!)

"We recommend the Chief Information Officer of BCIT:

   Require that the Services 804 and 805 periodically:

   (1) backup data; and

   (2) perform tests and recovery of historical and backup data."

What does this mean?

As Baltimore continues along the recovery path following the May 2019 ransomware event, confusion reigns, at least in media reports that center on the linked audit above. There is little wiggle room in the comptroller's/auditor's directive: back up files and test them. The BCIT response in the document is hazy: well, we back up our servers, but "...more rigorous processes and testing are needed. Additionally, BCIT realizes that the backup process of PC’s is needed as well... (sic)". The unfortunate IT solution: MS Office 365. Compare this response to media reports: staff for the Baltimore City Information and Technology department (BCIT) routinely saved data on their local servers instead of backing it up on an external cloud system, or employees stored entity information on their local computers. Regardless of the interpretation, backups were not occurring. It will be interesting to learn the extent to which BCIT was hampered by intentional budget constraints.
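"Back up files and test them" has a mechanical core: record what was backed up, then prove a restore reproduces it. The script below is an added example, not BCIT's or nokuBT's tooling. It writes a SHA-256 manifest beside a backup copy, performs a test restore into a scratch directory and checks the restored tree against the manifest, reporting files that are missing, altered or unexpected. The sample files, directory names and the simulated tampering are all constructed for the demonstration.

```python
"""Backup manifest and restore verification (added example, not nokuBT code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 in 1 MiB chunks so large images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_backup(source, dest):
    """Copy the tree to dest/data and store its manifest as dest/manifest.json."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_restore(restored_root, manifest_path):
    """Compare a restored tree against the stored manifest."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "altered": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def is_clean(report):
    return not (report["missing"] or report["extra"] or report["altered"])


def run_demo():
    """Constructed scenario: back up a small tree, test-restore it (passes),
    then damage the restore target the way an encryptor would (fails)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        source = workdir / "server"
        (source / "gis").mkdir(parents=True)
        (source / "gis" / "parcels.csv").write_text("id,owner\n1,constructed sample\n")
        (source / "payroll.txt").write_text("constructed sample payroll record\n")

        backup = workdir / "backup_2019-09-30"
        manifest_path = write_backup(source, backup)

        # Test restore: copy the backup into scratch space and verify it.
        restore = workdir / "restore_test"
        shutil.copytree(backup / "data", restore)
        good = verify_restore(restore, manifest_path)

        # Simulate damage an untested restore would never reveal: one file
        # overwritten with junk, and a file that was never backed up.
        (restore / "payroll.txt").write_bytes(b"\x00junk\xff" * 8)
        (restore / "UNEXPECTED_NOTE.txt").write_text("constructed sample\n")
        bad = verify_restore(restore, manifest_path)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact restore clean:", is_clean(good))
    print("tampered restore report:", bad)
```

The manifest should travel with the detached drive so the comparison can be made after an incident without trusting anything on the network; a restore test that is never run is the "hazy" state the audit describes.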

Sep 24, 2019: Local Jeweler Victim of Ransomware Attack

"...25 years of business records encrypted and held hostage in what is known as a ransomware attack."

What to do?

"...we’re going to go back to the old days, when you used to back up your systems on a drive or a memory stick..."

Sep 17, 2019: Ransomware - Cyber-insurance payouts are adding to the problem, warn security experts

"In a number of cases, the victims have given in to the extortion demands of the attackers, often paying cyber criminals hundreds of thousands of dollars for systems to be restored."

"This sometimes happens because restoring the system from backups – if the organisation has backups – takes time, resources and money, and organisations want to be up and running as soon as possible."

Sep 12, 2019: Ransomware attacks - Weak passwords are now your biggest risk

"Brute force and remote desktop attacks have become the most common means of cyber criminals distributing ransomware, overtaking phishing emails and spam as the top technique for conducting file-encrypting malware campaigns."

Sep 10, 2019: Sandboxie Transitions to Open Source

The sandboxie website announcement is posted here.

What does this mean?

Use Sandboxie, and your computer is safe. Period. Malware commonly tests for a Sandboxie environment and, if found, the malware quietly packs its bags and leaves. Why? Not only does Sandboxie work, but Sandboxie is used by the good guys to find, identify and analyze malware. Malware authors prefer not to be detected and dissected by the white hats. Kudos to Sophos for developing and supporting Sandboxie for so many years, and for pushing forward with a long-term vision and plan for continued Sandboxie availability.

Sep 6, 2019: Multi-Cloud Strategy May Pose Higher Security Risk: Study

"Invariably from a multi-cloud, or really any cloud-based solution, you are increasing the perimeters that can be hacked," he told TechNewsWorld. "You are relinquishing control and increasing the touchpoints, so that the access to the data is wider," Reed added. "Data is valuable to someone, and that is true wherever the data is located."

What does this mean?

Are you thinking of implementing a remote storage component within your redundant backups strategy? Knock yourself out with all the opportunities, but beware: the security hazards are high. If remote OTI (over the internet) storage is necessary, keep it in-house so that you fully own, control and secure your own backups.

Aug 29, 2019: Ransomware hits hundreds of dentist offices in the US

Admin disaster - no Safe, Current, and Secure Backups

"In this case, the software providers are The Digital Dental Record and PerCSoft, two Wisconsin-based companies who collaborated on DDS Safe, a medical records retention and backup solution advertised to dental practice offices in the US." (Emphasis added.)

"The incident is another case of a ransomware gang compromising a software provider and using its product to deploy ransomware on customers' systems."

"A source impacted by the ransomware tells ZDNet that the two companies opted to pay the ransom demand."

More... "The DDS Safe team provides a three-layer protection system that backs up all patient data online, to a workstation and on an in-office drive — ensuring patient records are not lost after disasters such as floods and fires, according to ADA Business Resources."

Aug 28, 2019: Ransomware attacks that hit 22 Texas local governments may be tied back to the MSP (managed IT services provider) industry

"If hackers penetrated an MSP and associated IT management software in the attacks, the news could further threaten the MSP industry’s overall credibility."

Aug 20, 2019: 22 Texas Towns Hit With Ransomware Attack In 'New Front' Of Cyberassault

"Liska said in cities he has worked with that have been preyed upon by hackers, there are instances in which ponying up for the return of data is the only viable option.

"'Sometimes the reality of the situation may call for it,' he said. 'If the backups aren't working or if the bad guys have encrypted your backups, then unfortunately that's what you're left with.' "

Jul 25, 2019: Malicious malware attack disables county government sites

"This particular ransomware variant – known as RYUK – is especially insidious as it seeks to delete or encrypt system backups."

Designed in the spirit of security, privacy and simplicity.
Copyright © 2019 nokuBT
All rights reserved.