Average Ransom Payment Dropped by 38% in Q2 2021

According to the latest report from ransomware incident response firm Coveware, the average ransom paid by victims fell by 38% from Q1 to Q2 2021. The average ransom payment in Q2 was $136,576, and the median payment fell 40% to $47,008.

One of the main reasons for the drop in ransom payments is a lower level of activity by two ransomware groups, Ryuk and Clop, both of which are known for very large ransom demands. Rather than most attacks being conducted by one or two groups, there is now a growing number of different ransomware-as-a-service (RaaS) brands, which typically demand smaller ransoms. In Q2, Sodinokibi (REvil) was the most active RaaS operation, accounting for 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk accounted for just 3.7% of attacks and Clop for 3.3%.

The Sodinokibi gang has gone quiet since the Kaseya attack and appears to have shut down; however, the group has suspended operations before, only to return with a new ransomware variant. Even if the operators have retired, the affiliates who carried out the attacks are likely to simply move to another RaaS operation, so attack volume may not be affected.

The most common attack vectors have shifted over the past few months. In Q1 2021, brute force attacks on Remote Desktop Protocol (RDP) increased while exploitation of software vulnerabilities and phishing declined. In Q2, RDP compromises and application vulnerability exploits both declined and email phishing increased, so phishing and RDP compromise are now equally prevalent. Exploitation of software vulnerabilities is the vector of choice for targeted attacks on large enterprises, and those attacks are generally carried out only by the most sophisticated RaaS operations, whose budgets allow them to purchase one-day exploits or buy access to large networks.

In Q2, more than 75% of ransomware attacks were on companies with fewer than 1,000 employees. These smaller firms are less likely to invest in security awareness training for staff and in email security to block phishing attacks, they are more likely to expose RDP to the internet, and they are more likely to outsource security to MSPs. MSPs remain a major target, since an attack on an MSP can give the attacker a path to all of the MSP’s customers.

The report also shows a decline in the effectiveness of double extortion, in which sensitive data are copied before files are encrypted; a ransom is demanded for the decryption key, and an additional payment is demanded to prevent the stolen data from being published or sold. In Q2, 81% of attacks involved data exfiltration before file encryption, up from 76% in Q1.

Nonetheless, victims are now less likely to pay to ensure stolen data are deleted. In 2020, 65% of victims that were able to recover their data from backups still paid the attackers to prevent the stolen data from being published; in Q2 2021 that figure was just 50%.

The most targeted industries in Q2 were professional services (13.3%), healthcare (10.8%), and the public sector (16.2%). Coveware suggests these sectors are not necessarily singled out; they are simply the easiest to attack. For example, attacks on law firms increased, but that was largely the result of the Clop ransomware group’s attack on Accellion File Transfer Appliances, which were disproportionately used by law firms.

Coveware reports that the average recovery time from a ransomware attack fell by 15% in Q2, with victims typically experiencing 23 days of downtime after an attack; however, this was attributed to an increase in data-only attacks in which there is no material business disruption.

Senate Introduces Cyber Incident Notification Act of 2021

The Cyber Incident Notification Act of 2021 is a federal breach notification bill that a bipartisan group of senators circulated in draft form in June. The bill would require all federal agencies, federal contractors, and companies considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. An amended version of the bill was formally introduced in the Senate on July 21.

The bill was introduced by Senators Mark Warner (D-VA), Susan Collins (R-ME), and Marco Rubio (R-FL), and 12 more senators from both parties have since added their names as co-sponsors.

The bill addresses several of the key concerns that have emerged in the wake of recent cyberattacks on U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on Colonial Pipeline and JBS.

According to Sen. Warner, the SolarWinds breach showed how far-reaching the knock-on effects of these attacks can be, affecting hundreds or even thousands of organizations connected to the initial target. Relying on voluntary reporting is not enough to protect critical infrastructure; there should be a routine federal standard so that whenever critical sectors of the economy are hit by a breach, the full resources of the federal government can be brought to bear to respond to and blunt its impact.

The aim of the bill is to ensure the federal government is promptly made aware of cyberattacks that pose a risk to national security, and it provides for the creation of a common operating picture of cyber threats at the national level.

Security incidents that must be reported to CISA include those that:

  • Involve, or are suspected to involve, a nation-state, an Advanced Persistent Threat (APT) actor, or a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the American economy.
  • Have significant national consequences, such as affecting civil liberties, public confidence, or the public health and safety of U.S. citizens.
  • Have the potential to affect CISA systems.
  • Involve ransomware.

A report of a security incident or cyber threat must include a description of the incident, the systems and networks affected, an estimate of the date the incident occurred, information about any exploited vulnerabilities, and any tactics, techniques, and procedures (TTPs) identified. Actionable cyber threat data will be shared with government and private sector organizations and the public so that prompt action can be taken to counter threats. The bill gives CISA 48 hours to act on a report of an attack and request further details about the incident.

To encourage organizations to submit breach reports, the bill includes liability protections for breached entities against lawsuits that might arise from sharing breach information, and it permits anonymized personal information to be used in breach reports.

The bill requires the Department of Homeland Security to work with other federal agencies to develop a set of reporting requirements and to harmonize those requirements with the regulatory requirements in place on the date of enactment.

Failure to report a security incident to CISA can be penalized, at the discretion of the Administrator of the General Services Administration. The maximum financial penalty is 0.5% of gross income for the prior fiscal year. Another possible sanction is removal from federal contracting schedules.

According to Sen. Rubio, it is vital that American companies act quickly as soon as an attack occurs. The longer a cyberattack goes unreported, the more damage it can do. Ensuring prompt reporting will help protect the health and safety of many Americans and help the government find those responsible.

U.S. Government Introduces New One-Stop Ransomware Site

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new online resource that serves as a one-stop shop of information to help public and private sector organizations deal with the growing ransomware threat.

The new resource, StopRansomware.gov, is an interagency site that brings together guidance on ransomware protection, detection, and response in one place.

The site provides general information about ransomware, including what it is and how cybercriminals use it to extort money from public and private sector organizations. Detailed guidance is provided on how organizations can improve their security posture and defend against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training resources.

The site also has a newsroom with the latest ransomware-related guidance, including alerts from CISA, the Department of the Treasury, the FBI, and other government agencies on the evolving tactics, techniques, and procedures cybercriminals use in their attacks.

Ransomware victims can report attacks through the site to CISA, the FBI, or the United States Secret Service, with the report automatically forwarded to all relevant agencies to ensure the incident is investigated, threat intelligence is shared, and steps are taken to identify the perpetrators and bring them to justice.

Organizations are encouraged to use the new resource to understand the ransomware threat, reduce their risk and, in the event of an attack, know what steps to take to limit the damage and ensure the fastest possible recovery.

Cybercriminals have attacked critical infrastructure, small businesses, hospitals, police departments, schools, and more. These attacks directly affect Americans’ daily lives and the security of the nation. Department of Homeland Security Secretary Alejandro Mayorkas urged every organization across the country to use the new resource to learn how to protect against ransomware and reduce their cybersecurity risk.

Lake County Health Department Notifies 25,000 Patients of Two Data Breaches

The Lake County Health Department in Illinois has announced that it experienced two data breaches that potentially exposed the personal data and protected health information (PHI) of about 25,000 patients.

The first breach occurred in 2019, when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email address. Attached to the email was a spreadsheet of medical record requests from December 2016 to June 2019. The requests had been made through a third-party firm that handled release-of-information requests on behalf of the Lake County Health Department. The spreadsheet contained the names of 24,241 patients along with dates relevant to the vendor.

Lake County Health discovered the breach on July 22, 2019; however, notification letters were not sent to affected patients until July 2021. The almost two-year delay was because Lake County Health officials did not believe notification was required, since they did not consider PHI to have been compromised; the Department of Health and Human Services disagreed with that assessment and required notification letters to be issued because PHI may have been exposed.

A second breach was identified on May 14, 2021 involving a Google spreadsheet containing the names, dates of birth, email addresses, telephone numbers, and COVID-19 vaccination status of 705 individuals. The spreadsheet was stored in an employee’s personal Google Drive account. While Google Drive can be used in a HIPAA-compliant manner in healthcare as part of other G Suite services, personal Google accounts are not HIPAA compliant: Google can view the data in personal accounts and uses it to provide personalized services and advertising. All affected individuals were senior citizens who had sought information about COVID-19 vaccinations, and they have already been notified.

Although both incidents exposed patient data, Lake County Health said internal risk assessments were conducted and found no evidence that any unauthorized individuals obtained or misused the exposed information.

Since the breaches, the Lake County Health Department has implemented measures to prevent similar incidents in the future, including encrypting all email and improving monitoring.
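As an added example, not from Lake County or the original article, the following check flags the pattern behind the first breach in an outbound mail gateway export: an internal account sending an unencrypted spreadsheet to a personal webmail address. The CSV format, the `encrypted` column, the domain lists and every address in the sample log are constructed assumptions.

```python
"""Outbound-email DLP check for the pattern behind the first Lake County
breach: an internal account sends an unencrypted spreadsheet to a personal
(consumer webmail) address outside the organization.

The log format, domain names and addresses below are constructed for this
example; they are not Lake County's, and no vendor's gateway writes exactly
this format."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_DOMAIN = "example-health.org"           # assumed internal domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "aol.com", "icloud.com"}
SPREADSHEET_EXTS = (".xlsx", ".xls", ".xlsm", ".csv", ".ods")

# Constructed gateway export, one row per message. The assumed "encrypted"
# column records whether the content was encrypted end to end (S/MIME or a
# message-encryption service), not merely carried over TLS between servers.
SAMPLE_LOG = """\
msg_id,timestamp,sender,recipient,attachments,encrypted
m1,2019-06-14T09:12:00Z,records@example-health.org,j.doe1982@gmail.com,MR_requests_2016-2019.xlsx,no
m2,2019-06-14T09:15:00Z,records@example-health.org,billing@example-health.org,MR_requests_2016-2019.xlsx,no
m3,2019-06-14T09:20:00Z,records@example-health.org,intake@records-vendor.example,weekly_report.csv,yes
m4,2019-06-14T09:25:00Z,records@example-health.org,friend@yahoo.com,lunch.jpg,no
m5,2019-06-14T09:30:00Z,newsletter@outside.example,records@example-health.org,prices.csv,no
m6,2019-06-14T09:35:00Z,clinic@example-health.org,partner@other-hospital.example,requests.xls;cover.pdf,no
"""


@dataclass
class Finding:
    msg_id: str
    sender: str
    recipient: str
    attachment: str
    severity: str      # "high" (personal webmail) or "medium" (other external)
    reason: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def is_spreadsheet(filename: str) -> bool:
    return filename.lower().endswith(SPREADSHEET_EXTS)


def check_message(row: dict) -> Optional[Finding]:
    """Apply the rule to one gateway log row; return a Finding or None."""
    if domain_of(row["sender"]) != INTERNAL_DOMAIN:
        return None                      # inbound mail is out of scope here
    rcpt_domain = domain_of(row["recipient"])
    if rcpt_domain == INTERNAL_DOMAIN:
        return None                      # stays inside the organization
    if row["encrypted"].strip().lower() == "yes":
        return None                      # content is protected end to end
    for name in filter(None, row["attachments"].split(";")):
        if not is_spreadsheet(name):
            continue
        if rcpt_domain in PERSONAL_WEBMAIL:
            return Finding(row["msg_id"], row["sender"], row["recipient"], name,
                           "high", "unencrypted spreadsheet sent to personal webmail")
        return Finding(row["msg_id"], row["sender"], row["recipient"], name,
                       "medium", "unencrypted spreadsheet sent to external domain")
    return None


def scan_log(log_text: str) -> List[Finding]:
    """Run check_message over a CSV export and collect the findings."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [f for f in (check_message(row) for row in reader) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.msg_id}: {f.sender} -> {f.recipient} "
              f"({f.attachment}) {f.reason}")
```

On the sample log only m1 (spreadsheet to Gmail) and m6 (spreadsheet to another external organization) are flagged; the internal copy, the encrypted vendor message, the photo and the inbound message are ignored.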

OIG Audit Finds Insufficient Oversight of Networked Medical Device Cybersecurity in Hospitals

The HHS’ Office of Inspector General (OIG) conducted an audit to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require healthcare providers to have a cybersecurity plan for networked devices, and the methods used to assess the cybersecurity of networked medical devices.

Cybersecurity controls are needed to protect medical devices that connect to the internet, internal hospital systems, or other medical devices. Without such controls, unauthorized individuals could access the devices and cause harm to patients. Networked medical devices include MRI, ultrasound, computed tomography, endoscopy, and nuclear medicine systems, as well as systems that interface with clinical laboratory analyzers, such as laboratory information systems. OIG noted that a large hospital may have approximately 85,000 medical devices connected to its network.

Although these devices are typically isolated from other systems, they may connect to the same network as the electronic health record (EHR) system. With inadequate cybersecurity controls, they could be vulnerable to an attack that affects critical healthcare systems. While there have been no known cyberattacks carried out specifically to harm patients, patients could be harmed inadvertently by an attack conducted for other reasons. In Germany in 2020, a patient died following a ransomware attack on a hospital: with the hospital unable to accept patients, the patient was diverted to another facility and died before receiving treatment.

CMS has some cybersecurity requirements for hospitals but relies on state survey agencies and Medicare accreditation organizations (AOs) to survey Medicare-participating hospitals. Those surveys are conducted once every 3 years. The Social Security Act requires AOs’ survey protocols to be comparable to or stricter than those of CMS.

For the study, OIG sent written interview questions to CMS and conducted telephone interviews with 4 AOs. The study found that the CMS survey protocol does not include cybersecurity requirements for networked medical devices, and that AOs do not require hospitals to have cybersecurity programs that address networked medical devices.

OIG found that AOs sometimes assess selected aspects of device cybersecurity. Two AOs had equipment maintenance requirements that may provide limited insight into medical device cybersecurity. If hospitals identified networked device cybersecurity in their emergency-preparedness risk assessments, AOs would evaluate their mitigation plans; but most hospitals did not routinely include device cybersecurity in those risk assessments. AOs might also look at networked devices when evaluating hospital safeguards for medical record privacy. Neither CMS nor the AOs had plans to update their survey requirements to include networked devices or cybersecurity more generally.

OIG recommended that CMS identify and implement an appropriate way to address the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS and other partners. CMS concurred with the recommendation and is considering further ways to appropriately highlight the importance of healthcare providers implementing cybersecurity for networked medical devices.

OIG suggested several ways CMS could improve its oversight and assessment of medical device cybersecurity. For example, CMS could use language that treats cybersecurity as part of maintaining device safety under operating conditions, emphasize the risk that unsecured medical devices connected to the EHR pose to protected health information (PHI), and remind hospitals to comply with HIPAA requirements such as the HIPAA Security Rule. CMS could also direct surveyors to ask hospitals whether they considered the cybersecurity of networked devices when conducting their hazard vulnerability analyses.

NIST Creates Critical Software Definition for U.S. Government Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reassess their approach to cybersecurity, establish new methods of evaluating software, and adopt advanced security measures to reduce risk, such as multi-factor authentication, encryption for data in transit and at rest, and a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to compile a list of all software covered by the Executive Order and to develop security requirements that federal agencies must follow when acquiring and deploying that software. These measures are intended to help protect against cyberattacks such as the SolarWinds Orion supply chain attack, which gave state-sponsored Russian hackers access to the networks of several government agencies.

The Executive Order required NIST to publish its definition of critical software within 45 days. NIST sought input from the private and public sectors and many government agencies when determining what critical software actually is.

One of the goals of the EO is to help establish a security baseline for critical software used across the Federal Government. A software product’s status as EO-critical will then drive additional activities, such as how the Federal Government acquires and manages deployed critical software.

NIST defines critical software as any software, or software with dependencies, that has at least one of the following attributes:

  1. Software designed to run with elevated privileges or used to manage privileges.
  2. Software with direct or privileged access to networking or computing resources.
  3. Software designed to control access to data or operational technology.
  4. Software that performs a function critical to trust.
  5. Software that operates outside of normal trust boundaries with privileged access.

The definition applies to all software, whether embedded in devices or hardware components, standalone applications, or cloud-based software, that is used for or deployed in production systems or used for operational purposes. It covers a broad range of software, including security tools, operating systems, identity and access management applications, hypervisors, network monitoring software, web browsers, and other software developed by private vendors and sold to federal agencies, as well as software developed in-house by government agencies for use on federal networks, including government off-the-shelf software.

NIST recommends that federal agencies initially focus on implementing the requirements of the Executive Order for standalone, on-premises software that has critical security functions or poses significant potential for harm if compromised. Agencies should then move on to other categories of software, such as cloud-based software, software that controls access to data, and software components in boot-level and operational technology software.

NIST has published a preliminary list of EO-critical software, and CISA will release a more detailed, finalized list in due course.

Ransomware Attacks on Reproductive Biology Associates, UF Health Central Florida and a Georgia Hospital System

Georgia fertility clinic Reproductive Biology Associates has reported an April ransomware attack in which the attackers exfiltrated files containing the personal data and protected health information (PHI) of roughly 38,000 patients.

The attackers gained access to a file server containing embryology data on April 7, 2021, and deployed ransomware to encrypt files on April 16, 2021. The files contained the sensitive data of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America. The compromised PHI included full names, addresses, Social Security numbers, laboratory test results, and data relating to the handling of human tissue.

The breach investigation concluded on June 7, 2021. While a ransom payment has not been formally confirmed, Reproductive Biology Associates said the attackers had deleted all of the stolen data and all encrypted data had been restored.

Reproductive Biology Associates is continuing to monitor the internet and dark web for any evidence of misuse of the stolen data. Affected individuals have been offered free credit monitoring and identity theft protection services, and a third-party cybersecurity firm has helped strengthen the security of its systems to prevent further attacks.

UF Health Ransomware Attack Affects Patient Care

UF Health Central Florida suffered a ransomware attack on May 31, 2021 that affected Leesburg Hospital and The Villages Regional Hospital. Following the attack, the healthcare provider activated emergency downtime procedures and continued to provide patient care, with staff recording patient information using pen and paper.

More than 2 weeks after the attack, the hospitals are still operating under EHR downtime procedures as UF Health works to restore its systems and the affected data, and the attack is now having a negative impact on patient care.

According to a recent WESH 2 News report, staff at the affected hospitals said they still cannot access the EHR, cannot obtain medication information, and cannot confirm whether patients have certain allergies, and they are experiencing delays obtaining laboratory results. Hospital employees told reporters that some patients had received one medication when a different one had been ordered, and that medications that were due were not available. One employee expressed concern that harm could result if a medication is administered that was believed to have been ordered but was not.

It is currently unclear whether UF Health intends to pay the ransom and whether patient data was stolen. A UF Health spokesperson could not confirm when systems will be restored.

Georgia Hospital System Encounters Ransomware Attack

The St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA reported a ransomware attack on June 17, 2021. The attack blocked access to computer systems, and the hospital activated emergency protocols; staff are currently using pen and paper to record patient information.

The attack was detected quickly and action was taken to isolate systems and limit the damage; however, it is too early to say what patient data, if any, was affected and whether the attackers obtained patient data before the ransomware encrypted files.

SJ/C said it is continuing patient care operations using established backup procedures and other downtime measures. The hospital’s physicians, nurses and staff are trained to deliver care under such circumstances and are committed to doing everything possible to minimize disruption and provide continuous patient care.

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

The Avaddon ransomware-as-a-service operation shut down on June 11 and the threat group released the decryption keys for all of its victims. Bleeping Computer received an email containing a password and a link to a password-protected ZIP file holding the private keys for 2,934 Avaddon ransomware victims. Emsisoft and Coveware confirmed the keys are genuine, and Emsisoft has since released a free decryptor that all Avaddon victims can use to recover their files.

Avaddon is a relatively new ransomware-as-a-service operation that launched in March 2020. The threat group behind it recruited affiliates to conduct attacks and gave them a portal through which they could generate copies of the ransomware for their own attacks. Ransoms were then split between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to shut down abruptly and release the keys for victims who have not yet paid; however, the timing of this shutdown suggests the RaaS operator may have become nervous about the increased attention government authorities and law enforcement agencies are paying to ransomware gangs.

Following the JBS and Colonial Pipeline ransomware attacks, the White House directed the Department of Justice to centralize its ransomware investigations and treat attacks with a priority similar to terrorism. White House deputy press secretary Karine Jean-Pierre said the administration would also be sending the message that responsible states should not harbor ransomware criminals, and that it would engage with the Russian government to press it to take action against ransomware groups operating in the country.

The G7 nations also committed to action on ransomware and issued a statement calling on Russia and other countries that may be harboring ransomware gangs to identify, disrupt, and hold accountable those who conduct ransomware attacks, abuse virtual currency to launder ransoms, and commit other cybercrimes. President Biden was also expected to raise the issue of ransomware groups operating from Russia with Vladimir Putin at the Geneva summit on June 16.

Shortly after the DarkSide ransomware attack on Colonial Pipeline disrupted fuel supplies to the East Coast, the DarkSide gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were changing their rules and would no longer allow affiliates to attack critical infrastructure, governments, healthcare organizations, or educational institutions. It appears that was not enough for the Avaddon group. It remains to be seen whether the operation has shut down for good or whether the operator is simply lying low for a while; it is not unusual for ransomware operations to shut down, rebrand, and resume attacks a few weeks or months later.

Emsisoft threat analyst Brett Callow told Bleeping Computer that recent law enforcement actions have made some attackers nervous, and this is the result. Let’s hope others go down too.

IT Security Company COO Indicted Over Cyberattack on Georgia Medical Center

The Chief Operating Officer of an IT security company has been indicted over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA in September 2018.

Vikas Singla, 45, of Marietta, GA, is the COO of Securolytics, a network security firm in the metro Atlanta area. On June 8, 2021, a federal grand jury indicted Singla for allegedly accessing the healthcare organization’s systems, disrupting its phone and network printer services, and stealing data from a Hologic R2 digitizing device.

The Department of Justice said the attack was carried out, in part, for financial gain and commercial advantage. According to court documents, at least 10 protected computers were damaged in the attack. It is unclear whether Singla or his company had any prior business relationship with Gwinnett Medical Center, or why the healthcare provider was targeted.

On June 10, 2021, Singla was charged in the U.S. District Court for the Northern District of Georgia with 17 counts of intentionally damaging a protected computer and one count of obtaining information from a protected computer. He faces a maximum sentence of 10 years in prison for each intentional damage count and up to 5 years for the information theft count.

Singla is not believed to have acted alone; according to the indictment, he was aided and abetted by others who have not been named. Singla has pleaded not guilty and has been released on bond. No trial date has been set.

Criminal disruptions of hospital computer networks can have tragic consequences, said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division, adding that the department is committed to holding accountable anyone who endangers lives by damaging computers that are essential to the operation of the healthcare system.

This attack on a hospital not only could have had disastrous consequences, but patients’ personal PHI was also compromised, said Special Agent in Charge Chris Hacker of the FBI’s Atlanta Field Office. The FBI and its law enforcement partners are determined to hold accountable those who allegedly put patients’ health and safety at risk out of greed.

Third-Party Phishing Attack Affects 34,862 Lafourche Medical Group Patients

Louisiana urgent care operator Lafourche Medical Group has notified 34,862 patients of a security breach that may have exposed some of their protected health information (PHI).

Lafourche Medical Group learned on March 30, 2021 that an external accountant had responded to a phishing email impersonating one of the group’s owners and disclosed login credentials to the attacker. The compromised credentials were then used to access the group’s Microsoft 365 account.

A third-party IT firm assisted with the investigation and found no evidence that the group’s on-premises systems or cloud-based electronic medical record system were compromised; however, the credentials may have been used to view or obtain data in its Microsoft 365 environment, which included some patient information. Because of the size of the email system, it was not possible to determine all of the patient data that might have been contained in it, Lafourche Medical Group said in its substitute breach notice.

Clinical data was not breached; however, email was used to communicate certain patient data for billing and other clinic purposes. The types of information commonly sent by email include names, addresses, email addresses, dates of birth, dates of service, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating physician names, and lab test results.

A stronger vetting process has been put in place for business associates, and a third-party IT firm was engaged to re-evaluate the group’s computer systems and security controls and to recommend best practices for improving data security. Several measures have already been implemented, including strengthening the firewall and the spam and malware filters, adopting stricter password policies, adding multi-factor authentication for mobile access, and retraining employees on cybersecurity, social engineering, and phishing.

Breach of Records at LogicGate and Hoboken Radiology

The risk and compliance company LogicGate has discovered a security breach that resulted in the potential compromise of the protected health information (PHI) of 47,035 people.

LogicGate explained in its breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage, which is used to store backup files for customers of its Risk Cloud platform.

The Risk Cloud platform is used by organizations to identify and manage compliance risks and to meet information protection and security requirements. All backup files kept in AWS S3 buckets are encrypted; however, the attacker used the stolen credentials to decrypt data. The backup files included customer information that had been uploaded to their Risk Cloud environment before February 23, 2021. LogicGate stated it did not identify any decrypt events connected with clients’ saved attachments.

It is currently unclear whether the attacker exfiltrated any customer information, and no information has been published about how the credentials were obtained.

Hoboken Radiology Notifies Patients About Potential Breach of Medical Photos and PHI

Hoboken Radiology, based in New Jersey, has begun sending notifications to patients regarding a security breach that occurred between June 2, 2019 and December 1, 2020. In a recent press release, Hoboken Radiology stated it received a notification on November 3, 2020 regarding suspicious activity on its medical imaging server.

Third-party cybersecurity professionals were engaged to investigate the incident and determine whether any patient data had been acquired by unauthorized individuals. The investigation is still in progress; however, it was confirmed that there were suspicious connections from an external source during the dates mentioned above. The affected server contained patient information that could potentially have been viewed or obtained by unauthorized persons.

An analysis of the files on the server confirmed they included a variety of patient data such as names, genders, dates of birth, treatment dates, referring physician names, patient ID numbers, accession numbers, medical images, and descriptions of those images. No Social Security numbers, payment card information, financial details, or medical insurance data were compromised.

Although unauthorized access to the server was established, no evidence was found of actual or attempted misuse of patient information. Policies, procedures, and processes related to the storage of and access to personal records are being evaluated and will be updated to better protect patient records going forward.

Hoboken Radiology has already reported the breach to the appropriate authorities; however, the incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so it is unclear exactly how many people were affected.

FBI Warns About Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has published a TLP:WHITE Flash alert concerning ongoing Conti ransomware attacks targeting healthcare providers and first responder networks. According to the FBI, the Conti ransomware gang has already attacked 16 healthcare providers and first responder networks within the United States.

In addition to healthcare organizations, the ransomware gang has also attempted attacks on emergency medical services, 911 dispatch centers, municipalities, and law enforcement agencies. The threat actor is known to have conducted cyberattacks on 400 organizations worldwide, including the recent attacks on Ireland’s Department of Health (DoH) and Health Service Executive (HSE). To date, 290 of its victims have been in the United States.

Conti ransomware is believed to be operated by Wizard Spider, a Russia-based cybercrime group, and functions as a ransomware-as-a-service (RaaS) operation. The group is known to have attacked large firms and demanded ransoms of up to $25 million. The ransom demanded from each victim depends on the extent of the encryption and the victim’s perceived ability to pay.

As with many ransomware attacks today, the Conti gang exfiltrates sensitive data before encrypting files and threatens to sell or publish the stolen information if the ransom is not paid. Victims are given 8 days to pay. If victims do not make contact with the gang, the gang contacts them within 2-8 days using encrypted email such as ProtonMail or Voice over Internet Protocol (VoIP) services to pressure them into paying.

Attacks usually start with phishing emails containing weaponized hyperlinks or attachments, or with compromised Remote Desktop Protocol (RDP) credentials. Before deploying the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to drop the Emotet Trojan onto the system, which allowed the attacker to deliver the ransomware payload. The threat group is also known to use the TrickBot Trojan in its attacks. The time from initial compromise to ransomware deployment is typically 4 days to 3 weeks, and the ransomware payload is frequently delivered as dynamic link libraries (DLLs).

The threat group uses living-off-the-land techniques, along with tools such as Mimikatz and Sysinternals, to escalate privileges and move laterally within internal networks. After file encryption, the gang normally remains inside the network and beacons out using Anchor DNS. The gang uses remote access tools to beacon to domestic and international VPS systems over ports 80, 443, and 8443, and typically uses port 53 for persistence. Ongoing indicators of attack include the creation of new accounts and the use of tools such as Sysinternals, along with disabled sensors and continuous HTTP and DNS beacons.
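The continuous HTTP and DNS beacons described above leave a statistical footprint: outbound connections from one host to one external address at near-constant intervals. The following Python script, added here as an illustration and not taken from the FBI alert or this article, flags such low-jitter flows in a constructed connection log; the log format, the sample IP addresses and the thresholds are assumptions.

```python
"""Flag periodic outbound beacons in a connection log (added example; format and thresholds assumed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports the FBI flash names for Conti beaconing and persistence traffic.
WATCH_PORTS = {53, 80, 443, 8443}

# Constructed firewall log: "<ISO timestamp> <src> <dst> <dport> <proto>" (assumed format).
SAMPLE_LOG = """
# 10.0.5.17 contacts one external host every ~5 minutes: a beacon-like pattern
2021-05-20T10:00:00 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:05:00 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:10:02 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:15:00 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:20:01 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:25:00 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:30:00 10.0.5.17 203.0.113.45 443 tcp
2021-05-20T10:35:03 10.0.5.17 203.0.113.45 443 tcp
# 10.0.5.22 uses the same port with human-like, irregular gaps
2021-05-20T10:00:00 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T10:00:30 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T10:15:30 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T10:17:30 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T10:50:50 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T10:51:35 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T11:01:35 10.0.5.22 198.51.100.9 443 tcp
2021-05-20T11:01:50 10.0.5.22 198.51.100.9 443 tcp
# internal-to-internal traffic and non-watched ports are ignored
2021-05-20T10:00:00 10.0.5.17 10.0.0.53 53 udp
2021-05-20T10:00:00 10.0.5.17 203.0.113.45 22 tcp
"""


def parse_log(lines):
    """Parse log lines into (timestamp, src, dst, dport, proto); skip blanks and comments."""
    events = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def is_rfc1918(ip):
    """RFC 1918 check done by hand: ipaddress.is_private also matches the TEST-NET ranges used here."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first == 10 or (first == 192 and second == 168) or (first == 172 and 16 <= second <= 31)


def find_beacons(events, min_hits=6, max_cv=0.15):
    """Return internal->external flows on watched ports whose inter-arrival time is suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; real beacons sit well below max_cv even with jitter.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, _proto in events:
        if dport in WATCH_PORTS and is_rfc1918(src) and not is_rfc1918(dst):
            flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                             "period_s": round(period, 1), "jitter_cv": round(cv, 3)})
    return findings


def scan(log_text, **thresholds):
    """Convenience wrapper: raw log text in, list of beacon findings out."""
    return find_beacons(parse_log(log_text.splitlines()), **thresholds)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every {hit['period_s']}s over {hit['hits']} connections (cv={hit['jitter_cv']})")
```

On real logs, pair the jitter score with allow-lists for known update and telemetry endpoints, which beacon just as regularly.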

The FBI does not encourage paying ransoms, since payment is no guarantee that data will be recovered or that stolen information will not be sold or posted. The FBI has urged all victims of Conti ransomware attacks to share information about the attacks, such as boundary logs showing communication with foreign IP addresses, Bitcoin wallet information, benign samples of encrypted files, and/or decryptor files.

The FBI has published these mitigations to be used for protecting against Conti as well as any ransomware attack:

  1. Regularly back up data, verify backups, and keep backups on air-gapped systems.
  2. Keep multiple copies of sensitive and proprietary data on servers that are physically segregated and not accessible from the systems where the data resides.
  3. Implement network segmentation.
  4. Use multi-factor authentication.
  5. Apply patches and update systems, software, and firmware as soon as possible.
  6. Use strong passwords and regularly change passwords for network systems and accounts.
  7. Disable hyperlinks in incoming emails.
  8. Add email banners to all emails received from external sources.
  9. Conduct regular audits of user accounts with administrator privileges.
  10. Only use secure networks and never connect over public Wi-Fi networks.
  11. Use a VPN for remote access.
  12. Ensure that all personnel receive regular security awareness training.

Michigan Man Charged With Theft and Sale of PII of UPMC Workers

A Michigan man has pleaded guilty to hacking into the human resources databases of the University of Pittsburgh Medical Center (UPMC) in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 information of 65,000 UPMC employees.

Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT professional known as The DearthStar and Dearthy Star on darknet forums. After 6 years of hacking the databases and selling stolen records, Johnson was indicted by a federal grand jury in Pittsburgh and arrested on charges of aggravated identity theft, conspiracy, and wire fraud.

Johnson first hacked into UPMC’s Oracle PeopleSoft HR database in December 2013 and accessed the PII of 23,500 UPMC employees. Between January and February 2014, Johnson accessed the database several times per day and downloaded PII. Johnson then sold the stolen information on darknet marketplaces such as AlphaBay to criminals who used the records in 2014 to file large numbers of fraudulent 1040 tax returns.

According to a Department of Justice press release, the scheme resulted in approximately $1.7 million in fraudulent tax refunds being paid by the IRS. The refunds were converted into Amazon.com gift cards that were used to buy high-value goods, which were shipped to Venezuela. Johnson received roughly $8,000 in Bitcoin for the stolen UPMC employee data.

In addition to the theft and sale of UPMC employee PII, between 2014 and 2017 Johnson stole and sold about 90,000 sets of PII on darknet forums. That data was later used for identity theft and bank fraud.

Johnson recently pleaded guilty to 2 counts of a 43-count indictment and is awaiting sentencing. Johnson faces a maximum of 5 years in prison and a fine of up to $250,000, along with a mandatory 24 months in prison and a penalty of up to $250,000 for aggravated identity theft.

U.S. Secret Service Special Agent in Charge Timothy Burke stated that the healthcare industry has become an attractive target for hackers seeking to obtain personal information and use it for fraud, and that the Secret Service is determined to identify and arrest those who commit crimes against the Nation’s critical systems for personal gain.

Three other people have pleaded guilty to crimes related to the scheme. Maritza Maxima Soler Nodarse of Venezuela pleaded guilty in 2017 to conspiracy to defraud the United States in connection with the processing of fraudulent tax refunds. Yoandy Perez Llanes of Cuba pleaded guilty in 2017 to buying Amazon.com gift cards to launder the funds. Justin A. Tollefson of Spanaway, WA pleaded guilty in 2017 to using stolen identities to file fraudulent income tax returns.

CISA Publishes Guidance on Expelling Attackers from Systems After the SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance on evicting threat actors from systems compromised in the SolarWinds Orion supply chain attacks and the subsequent breaches of Active Directory and M365 environments.

The attacks have been attributed to threat actors associated with the Russian Foreign Intelligence Service (SVR). After gaining network access via the SolarWinds Orion update process, the threat actor selected targets of interest for further compromise, bypassed multi-factor authentication solutions, and moved laterally into Microsoft 365 environments by abusing federated identity solutions. Many of the targets selected for further compromise were government agencies and departments and critical infrastructure entities, although private sector companies may also have suffered more extensive compromises.

The guidance applies to evicting threat actors from on-premises and cloud environments and consists of a 3-phase remediation strategy. CISA notes that malicious compromises are unique to each victim, so careful thought should be given to each step and the guidance tailored to the specific environment of each breached organization to ensure success.

All three phases are necessary to fully evict an attacker from on-premises or cloud environments, so shortcuts should never be taken. Failing to follow all steps can lead to extensive, long-term undetected Advanced Persistent Threat (APT) activity, continued theft of information, and erosion of public trust in victims’ networks.

The guidance sets out the strategy for evicting attackers from a network but does not provide precise details of the steps to be taken.

Any attempt to evict an adversary requires a pre-eviction stage, an eviction stage, and a post-eviction stage. The pre-eviction stage involves confirming the tactics, techniques, and procedures (TTPs) associated with the attacks and thoroughly determining the true extent of the breach. During remediation, action will be taken to strengthen security and build more resilient systems; however, the eviction process is difficult and labor-intensive, and will require business networks to be disconnected from the Internet for 3-5 days.

A full risk assessment should be performed before any eviction attempt to understand the likely impact on critical business functions. Business processes will probably be disrupted, so it is important that remediation efforts are properly planned, the impact on the business is fully understood, and suitable resources are provided to minimize disruption.

After completing all eviction steps, organizations enter the post-eviction stage, which involves validating that the attacker has been evicted. This stage includes integrating detection components, configuring endpoint forensics and detection tools for intensive collection, and remaining vigilant, with actions taken over the 60 days following completion of the eviction stage.

Extended vigilance is essential because this threat actor has shown extraordinary persistence with follow-on activity.

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise is available on this page.

CaptureRx Ransomware Attack Impacts Multiple Healthcare Provider Clients

CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare companies, has reported a ransomware attack in which files containing the protected health information (PHI) of its customers’ patients were stolen.

The provider discovered the security incident on February 19, 2021. The breach investigation confirmed that unauthorized persons had obtained access to patient files containing sensitive data on February 6, 2021. CaptureRx then analyzed the stolen files, completing that review on March 19, 2021, and sent breach notifications to the affected healthcare clients between March 30 and April 7, 2021.

Since the attack, CaptureRx has worked with the affected healthcare providers to notify all individuals whose data was compromised. The attackers potentially accessed the following types of data: names, birth dates, and prescription records. For some patients, medical record numbers were also affected.

CaptureRx had security measures in place to protect the privacy of healthcare data; nevertheless, the attackers still circumvented that protection. Following the attack, the provider reviewed and enhanced its policies and procedures. Employees also received additional training to reduce the likelihood of further security breaches.

It is unclear at this time how many of CaptureRx’s healthcare clients were affected, or the total number of individuals impacted by the breach. The breach is known to have affected the following providers:

  • Thrifty Drug Stores (Thrifty White): number of affected patients not yet determined.
  • Faxton St. Luke’s Healthcare in New York, a Mohawk Valley Health System affiliate: 17,655 patients.
  • Gifford Health Care in Randolph, VT: 6,777 patients.

CaptureRx said the breach investigation found no evidence of actual or attempted misuse of the stolen information; even so, affected individuals are advised to monitor their accounts and explanation of benefits statements for fraudulent activity.

Network Intrusions and Ransomware Attacks Catch Up With Phishing as Primary Breach Cause

Network intrusion incidents have overtaken phishing, which had been the leading cause of data breaches over the last 5 years, as the main cause of healthcare data security incidents.

In 2020, 58% of the security incidents handled by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most frequently involving the use of ransomware.

This is the 7th consecutive year that BakerHostetler has published its Data Security Incident Response (DSIR) Report. The 2021 report provides information on the current threat landscape and offers risk mitigation and breach response intelligence to help companies better protect against attacks and improve their incident response. The report is based on over 1,250 data security incidents handled by the firm in 2020, including many attacks on healthcare institutions and their vendors.

Ransomware attacks are now the preferred attack method for many cybercriminal groups and have proven to be highly profitable. By exfiltrating data before encryption, attackers force victims to pay not only to recover their files but also to prevent the publication or sale of sensitive information. This double extortion technique has been very successful, and data exfiltration before file encryption is now the norm. Throughout 2020, ransomware attacks continued to increase in frequency and severity.

BakerHostetler reports that ransom demands and the amounts paid increased significantly in 2020, as did the number of threat groups/ransomware variants used in attacks. There were just 15 in 2019; last year the number rose to 75.

Of all the cases investigated and tracked by BakerHostetler in 2020, the largest ransom demand was over $65 million. In 2019, the largest ransom demand reported was $18 million. Payments are frequently made to speed up recovery, ensure data is recovered, and prevent the sale or exposure of data. In 2020, the largest ransom paid was over $15 million, up from just over $5 million in 2019, and the average ransom payment more than doubled, from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average and median initial ransom demands were $4,583,090 and $1.6 million, respectively. The average and median payments were $910,335 and $332,330, respectively. The average and median numbers of people affected were 39,180 and 1,270, respectively. The average time to acceptable recovery of data was 4.1 days. The average and median cost of the forensic investigation were $58,963 and $25,000, respectively.

Across all industry groups, 70% of ransom notes claimed sensitive data had been stolen, and 90% of investigations found some evidence of data exfiltration. 25% of cases involved data theft that required notifications to be sent to affected persons. 20% of victims paid the attackers even though they could recover their data from backups.

When ransoms were paid, in 99% of cases the transaction was handled by a third party on behalf of the affected company, and in 98% of cases a valid decryption key was provided that enabled data to be recovered. It took an average of 13 days from encryption to data recovery.

24% of all security incidents were due to phishing. Phishing attacks most commonly led to Office 365 account compromise (21%), data theft (24%), ransomware attacks (26%), and network intrusion (33%).

2020 saw a sustained spike in ransomware, a rise in major supply chain incidents, and further stretching of the incident response industry’s capacity. Companies worked to contain incidents quickly, despite difficulties in simply getting passwords changed and endpoint detection and response tools deployed to remote employees.

Litigation by breach victims is now more common. The trend of lawsuits being filed when breaches affect fewer than 100,000 people continued to grow in 2020, which is increasing the cost of data breaches. HIPAA enforcement activity also continued at high levels, although in 2020 most financial penalties were imposed for HIPAA Right of Access violations rather than for security breaches.

PHI Exposed Because of Cyberattacks on HME Specialists and Sapphire Community Health

HME Specialists LLC, dba Home Medical Equipment Holdco, encountered an email security breach that resulted in the likely exposure of 153,013 individuals’ protected health information (PHI).

HME Specialists identified suspicious activity in its email system, immediately secured the affected email accounts, and engaged a cybersecurity firm to conduct a forensic analysis to determine the nature and extent of the breach. The firm confirmed on March 11, 2021 that several compromised email accounts contained PHI and that unauthorized persons had access to the accounts between June 24 and July 14, 2020.

The accounts contained information such as names, birth dates, medical diagnoses and/or other clinical records, along with some driver’s license numbers, credit card numbers, account information, usernames, passwords, and Social Security numbers. No specific evidence was found to indicate that the attacker obtained or misused any information in the compromised accounts.

HME Specialists mailed notifications to affected individuals for whom it had a current address on file and advised them to monitor their financial accounts and explanation of benefits statements for fraudulent transactions. Individuals whose Social Security numbers were compromised were offered free credit monitoring services.

Additional technical safeguards, such as multi-factor authentication, were implemented for employee email accounts. Employees also received further training on the risks of malicious emails.

Ransomware Attack on Sapphire Community Health

Sapphire Community Health, based in Hamilton, MT, suffered a ransomware attack that potentially exposed the PHI of 4,000 patients. The provider discovered the attack on February 18, 2021 when employees were unable to access files. To contain the incident, the provider took its data systems offline and carried out the appropriate scanning and recovery measures.

The attack did not affect the medical record system; however, several encrypted files contained patient data such as names, birth dates, and addresses. For some individuals, financial account data and/or Social Security numbers were also exposed.

The breach investigators found no evidence that any patient information was exfiltrated prior to the ransomware deployment. The provider sent breach notifications to all affected individuals and implemented additional security measures to prevent further attacks.

NSA/CISA/FBI: Patch Immediately to Avoid Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension between Russia and the United States is growing due to ongoing cyberattacks by Russian government hackers on public and private sector institutions and the U.S. government. The National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have issued a joint alert warning of the ongoing exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) group, also known as APT29/The Dukes, which is linked to the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to obtain credentials that allow further access to devices and networks for espionage. The FBI, NSA, and CISA have provided information on five software vulnerabilities that the SVR continues to exploit successfully to gain access to networks and devices.

The FBI, NSA, and CISA have previously provided mitigations that can be applied to protect against exploitation of these vulnerabilities, and patches are available for all of them. Although many organizations have now patched the vulnerabilities, the flaws may already have been exploited and systems compromised. Steps should be taken to determine whether systems were breached and whether action is needed to mitigate the loss of sensitive information that could give Russia a strategic or competitive advantage.

The SVR hackers commonly exploited the following 5 software vulnerabilities:

1. CVE-2018-13379 affects Fortinet FortiGate VPNs. Unauthenticated attackers can obtain system files through crafted HTTP resource requests. Affected versions: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12.

2. CVE-2019-9670 affects the Synacor Zimbra Collaboration Suite and is an XML External Entity (XXE) injection vulnerability. Affected versions: 8.7.x before 8.7.11p10.

3. CVE-2019-11510 affects Pulse Secure VPNs. An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. Affected versions: PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

4. CVE-2019-19781 affects Citrix Application Delivery Controller and Gateway. This directory traversal vulnerability allows an unauthenticated attacker to execute arbitrary code. Affected versions: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15, and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.

5. CVE-2020-4006 affects VMware Workspace One Access. This command injection vulnerability allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system. Affected versions: VMware Identity Manager 3.3.1 to 3.3.3 on Linux, VMware Workspace One Access 20.01 and 20.10 on Linux, VMware Identity Manager Connector 3.3.1 to 3.3.3 and 19.03, VMware vRealize Suite Lifecycle Manager 8.x, and VMware Cloud Foundation 4.0 to 4.1.
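The affected-version lists above are only useful once they are compared against what is actually running. The following Python script, added here as an illustration and not part of the joint alert, checks a constructed asset inventory against those ranges; the product labels, hostnames and installed versions are assumptions, and the parser treats vendor letters such as "R" and "p" as plain separators, which sorts the formats quoted here correctly but is not a general vendor version comparator.

```python
"""Check an asset inventory against the affected versions in the joint alert (added example)."""
import re
from typing import List, Tuple


def vtuple(version: str) -> Tuple[int, ...]:
    """Turn '8.2R12.1' into (8, 2, 12, 1); letters such as 'R' or 'p' act only as separators.
    Assumption: the vendor formats quoted in the alert all compare correctly this way."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def in_inclusive_range(version: str, low: str, high: str) -> bool:
    """'6.0.0 to 6.0.4' style ranges: both ends are affected."""
    return vtuple(low) <= vtuple(version) <= vtuple(high)


def on_branch_before_fix(version: str, branch: str, fixed: str) -> bool:
    """'13.0 before 13.0.47.24' style ranges: same branch prefix and older than the fixed build."""
    v, b = vtuple(version), vtuple(branch)
    return v[:len(b)] == b and v < vtuple(fixed)


# Affected versions exactly as listed in the alert; product labels are this example's own.
# Each entry: (CVE, product label, inclusive ranges, (branch, fixed build) pairs).
ADVISORY = [
    ("CVE-2018-13379", "Fortinet FortiOS",
     [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7"), ("5.4.6", "5.4.12")], []),
    ("CVE-2019-9670", "Zimbra Collaboration Suite", [], [("8.7", "8.7.11p10")]),
    ("CVE-2019-11510", "Pulse Secure PCS", [],
     [("8.2", "8.2R12.1"), ("8.3", "8.3R7.1"), ("9.0", "9.0R3.4")]),
    ("CVE-2019-19781", "Citrix ADC/Gateway", [],
     [("13.0", "13.0.47.24"), ("12.1", "12.1.55.18"), ("12.0", "12.0.63.13"),
      ("11.1", "11.1.63.15"), ("10.5", "10.5.70.12")]),
    ("CVE-2020-4006", "VMware Identity Manager", [("3.3.1", "3.3.3")], []),
]


def affected_cves(product: str, version: str) -> List[str]:
    """Return every CVE from the alert whose affected range covers this product/version."""
    hits = []
    for cve, prod, ranges, fixes in ADVISORY:
        if prod != product:
            continue
        if any(in_inclusive_range(version, lo, hi) for lo, hi in ranges) or \
           any(on_branch_before_fix(version, br, fx) for br, fx in fixes):
            hits.append(cve)
    return hits


# Constructed inventory: (hostname, product label, running version).
INVENTORY = [
    ("fw-edge-1", "Fortinet FortiOS", "6.0.4"),
    ("fw-edge-2", "Fortinet FortiOS", "6.0.5"),
    ("vpn-1", "Pulse Secure PCS", "9.0R3.3"),
    ("adc-1", "Citrix ADC/Gateway", "13.0.47.24"),
    ("adc-2", "Citrix ADC/Gateway", "12.1.50.19"),
    ("mail-1", "Zimbra Collaboration Suite", "8.7.11p9"),
    ("idm-1", "VMware Identity Manager", "3.3.4"),
]


def audit(inventory):
    """Return (host, product, version, cve) for every inventory entry still on an affected build."""
    return [(host, prod, ver, cve)
            for host, prod, ver in inventory
            for cve in affected_cves(prod, ver)]


if __name__ == "__main__":
    for host, prod, ver, cve in audit(INVENTORY):
        print(f"{host}: {prod} {ver} is within the affected range for {cve}")
```

A version at or above the fixed build passes, but the alert's point stands: a patched host may already have been compromised, so a clean audit result is a starting point for compromise assessment, not the end of it.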

“NSA, CISA, and FBI strongly urge all cybersecurity stakeholders to examine their networks for signs of compromise associated with all five vulnerabilities and the strategies mentioned in the alert and to urgently carry out proper mitigations,” the notification stated.

Official Attribution of the SolarWinds Orion Supply Chain Attack

The U.S. government has also formally accused the Russian government of organizing and running the massive SolarWinds Orion supply chain attack, which allowed the SVR to gain access to about 18,000 computers around the world and conduct more extensive attacks on cybersecurity companies in the United States and allied countries, including Malwarebytes, FireEye, and Mimecast, and on U.S. federal agencies. Russia has also been formally accused of activities intended to interfere with the U.S. presidential election in November 2020.

Sanctions Enforced on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions on Russia’s sovereign debt to make it harder for the Russian government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign, directed by the Russian government, to influence the 2020 U.S. presidential election.

All property and assets of those entities and individuals within U.S. jurisdiction have been blocked, and the entities and individuals have been added to OFAC’s SDN list. U.S. persons are prohibited from dealing with them. The sanctioned Russian technology companies are Neobit, SVA, AST, Pasit, Positive Technologies, and ERA Technologies.

VMware Patches High Severity Vulnerabilities Identified in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches for two high severity vulnerabilities affecting vRealize Operations, its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments. The vulnerabilities also affect two of its other products, vRealize Suite Lifecycle Manager and VMware Cloud Foundation.

The first vulnerability, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability that a remote attacker could exploit to abuse server functionality and access or manipulate data that should not be directly accessible. An attacker can exploit the vulnerability by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint, which would allow the attacker to steal administrative credentials. The vulnerability has a CVSS score of 8.6 out of 10.

The second vulnerability, CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API with a CVSS score of 7.2 out of 10. An attacker could exploit it to write files to the underlying Photon operating system; however, the attacker must first be authenticated with administrative credentials.

The problem is that the two vulnerabilities can be chained, allowing an attacker to execute arbitrary code remotely on the vRealize Operations system. To exploit them, the attacker must have network access to the vRealize Operations Manager API.

VMware has fixed the vulnerabilities in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of vRealize Operations are advised to update to a patched version immediately to prevent exploitation.

If a prompt update is not possible, VMware has provided a workaround that involves editing the casa-security-context.xml file, removing a configuration line, and restarting the CaSA service on the affected device. The vulnerabilities were identified by Egor Dimitrenko of the security company Positive Technologies.

Hacker of Verkada Security Camera Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The U.S. government has indicted the Swiss hacktivist who gained access to the surveillance cameras of the California startup Verkada in March 2021 for computer crimes spanning 2019 to the present. Her alleged crimes include obtaining and publicly exposing source code and proprietary information belonging to corporate and government victims in and outside the United States.

Till Kottmann, 21, also known as ‘tillie crimew’ and ‘deletescape’, lives in Lucerne, Switzerland, and is a member of a hacking collective called APT 69420 / Arson Cats. Kottmann recently admitted to gaining access to Verkada security cameras used by many large corporations, including Tesla, Cloudflare, Okta, and Nissan, as well as by educational institutions, correctional facilities, and hospitals. She accessed live security camera streams and archived video footage between March 7 and March 9, 2021, and published screenshots and videos online.

Ethical hackers generally exploit vulnerabilities and access systems so that the vulnerabilities can be addressed before malicious actors exploit them. They report the vulnerabilities to the affected entities, and steps are taken to resolve the security issues before details are publicly disclosed. Kottmann did not follow responsible disclosure procedures: she publicly disclosed sensitive data obtained from victims’ networks and did not notify the breached organizations before releasing the stolen information.

On March 18, 2021, a grand jury in the Western District of Washington indicted Kottmann on a number of computer intrusion and identity and data theft charges covering activity from 2019 to the present. The indictment charges Kottmann with one count of aggravated identity theft, one count of conspiracy to commit computer fraud and abuse, several counts of wire fraud, and one count of conspiracy to commit wire fraud.

Conspiracy to commit computer fraud and abuse carries a maximum prison term of 5 years, the wire fraud and conspiracy to commit wire fraud charges each carry a maximum prison term of 20 years, and the aggravated identity theft charge carries a mandatory 24-month prison term that runs consecutively to any other sentence.

According to the indictment, Kottmann and co-conspirators accessed the computer systems of more than 100 corporations and government agencies and posted the stolen data on the Internet. Kottmann frequently targeted git and other source code repositories, cloning source code, files, and other confidential data, which often contained access codes, hard-coded credentials, and other means of gaining access to company networks. She used the stolen information for further attacks, typically cloning more data from victims’ networks before publishing the stolen information online.

The indictment states that Kottmann would speak with the press and post on social media about her hacking in order to recruit others, expand the hacking activity, and build her own reputation in the hacking community.

The FBI’s cyber task force led the investigation of Kottmann. After Swiss law enforcement executed a search warrant at Kottmann’s home in Lucerne on March 12, 2021, the FBI was able to seize computer equipment. The FBI also recently seized a domain that Kottmann managed and used to publicly release stolen information.

Stealing credentials and data, and publishing source code and private, sensitive information online, increases the risk to everyone from large corporations to individual consumers.
