Ransomware, Spear Phishing, and Current Threats

Another month has passed and we are closer to getting back to some sort of normalcy. Yet, with IT Security “normal” never changes. Cybercriminals don’t let the changes of the world slow them down. Instead, that only makes them work harder. And as we move back to what we hope is more normal for our day-to-day lives, that change in the world’s daily routines is yet another opportunity for cybercriminals to take advantage.

I know it seems that I cover some topics relentlessly but it is necessary to share information about some things as often as I can until everyone understands the threats and risks, especially as the threats and risks may change.

Ransomware

If you watch or listen to the news at all, you can’t help but hear about the latest ransomware attacks. Ransomware has been around since the late 1980s and has changed tremendously over time. Early on the usual victims were in the healthcare industry, but now it hits everywhere. You may remember WannaCry, which wreaked havoc around the world in mid-May 2017. In one weekend, over 300,000 victims in more than 150 countries fell prey to WannaCry, which spread on its own from one unpatched Windows machine to the next over the network. The attackers demanded $300 in bitcoin to unlock the files they had encrypted. The ransom doubled after three days, and the files would be permanently deleted if the ransom was not paid within a week.

Ransomware is a form of malware that takes away your ability to use your own files. The malware you got by clicking a bad link on an infected website or opening a bad attachment encrypts the files on your computer, and the only one who can open them is the one holding the decryption key: the attacker. You can also get hit by ransomware through other routes, including social media, web servers that have not been properly secured and/or updated, and spread across the network from another infected machine.

In the recent past, several cities have been hit by ransomware that crippled city services, including healthcare, industrial, and transportation functions. These cities include Atlanta, Baltimore, New Orleans, Pensacola, and Tulsa. And everyone knows about the recent attack on Colonial Pipeline.

So, how does this affect you, the Institute, and/or the University? You first have to think of the sector or industry in which you work. According to an article in TechRepublic, the top five business sectors that are targeted by ransomware are:

  1. Healthcare
  2. The Legal Sector
  3. Agriculture (farming and food production)
  4. Education
  5. Manufacturing

The cybercriminal is looking to make millions from those who are willing to pay to get their own data back. You do all the work, they take it right out from under you, and you think you can get it back by paying the ransom? It isn’t that easy. First, they rarely bother with a single individual in an organization, because one person’s files are typically worth less than $500 in bitcoin to them. Instead, they want to bring down a whole organization so they can collect millions of dollars, as Colonial Pipeline paid. And in many instances, paying the ransom will not get you all, or any, of your data back.

How can you protect your data and NOT have to pay a ransom in the event of an attack? You back up your data regularly. There is a simple and essential trick to the backup, as well. You must keep at least one copy of the backup in a different place than your computer. If this means you take an external hard drive home with you after your backup is done, then keep it in a safe location at home and bring it back when you do your regular backup. Never leave that backup drive attached to the computer you are backing up: ransomware encrypts every drive it can reach, so if it hits that computer, the files on the attached external drive are encrypted along with it. Every so often, restore a file or two from the backup to confirm the copy is actually usable.

Those whose data is classified as business critical, high, or moderate are required by policy to do these regular backups and store them offsite. If your data is classified as low, I would still recommend a regular backup just so you have the data in case something happens, including a computer malfunction. If you need help with this, please email me and let me know.
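The backup advice above is easier to trust when you can check it. The following script is an added example written for this newsletter, not a UTK tool or anything required by policy: it copies a folder, records a SHA-256 checksum for every file, verifies the copy against that list, and reports whether the backup sits on the same drive as the original (which is the situation the advice warns against). The folder names and file contents in it are constructed for the demonstration.

```python
"""Backup with an integrity manifest and a restore check (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and return a manifest that maps
    relative path -> SHA-256 of the ORIGINAL file. The manifest is returned
    rather than written next to the copies: keep it somewhere the backup
    drive cannot reach (e-mail it to yourself, print it), so a later
    encryptor cannot rewrite both the data and its checksums."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel.as_posix()] = sha256_file(path)
    return manifest


def verify_backup(dest: Path, manifest: dict) -> list:
    """Return the relative paths whose copy under dest is missing or no
    longer hashes to the value recorded when the backup was made."""
    bad = []
    for rel, digest in manifest.items():
        copy = dest / rel
        if not copy.is_file() or sha256_file(copy) != digest:
            bad.append(rel)
    return bad


def on_same_device(a: Path, b: Path) -> bool:
    """True when both paths live on the same filesystem device. A backup for
    which this is True is still on the machine you are protecting."""
    return a.stat().st_dev == b.stat().st_dev


def demo():
    """Constructed data: two small documents, a backup, then one backup file
    overwritten with junk the way an encryptor would rewrite it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "docs", root / "backup"
        (src / "grants").mkdir(parents=True)
        (src / "budget.csv").write_text("item,cost\nseed,120\n")
        (src / "grants" / "proposal.txt").write_text("Year 3 renewal draft")

        manifest = make_backup(src, dst)
        clean = verify_backup(dst, manifest)    # nothing wrong yet

        # Simulate ransomware reaching the attached backup drive.
        (dst / "grants" / "proposal.txt").write_bytes(os.urandom(64))
        damaged = verify_backup(dst, manifest)  # the overwritten file

        return len(manifest), clean, damaged, on_same_device(src, dst)


if __name__ == "__main__":
    print(demo())
```

In the demo both folders are under one temporary directory, so `on_same_device` reports True; on a real workstation the check should come back False for the drive you carry home.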

Spear Phishing

Spear phishing…what an annoyance this one is! This time I want to highlight the main things you should always remember when it comes to what spear phishing is/is not.

  1. Spear phishing does NOT mean an email account has been compromised. Other than spoofing the display name or address, the cybercriminal has no access to that account.
  2. It is a targeted email built from information taken from social media posts and, usually, departmental websites.
  3. The email is NOT from whom it appears to be, as you can see if you click Reply: the spoofed @utk address is replaced by an @gmail address.
  4. This email is from a cybercriminal who is trying to make lots of money with very little effort.
  5. You are NOT the only recipient; the sender sent the email to all your coworkers using the BCC: function.
  6. You appear to be the only recipient in the hope that you will think your supervisor really needs you and that only you can help.
  7. Your supervisor is NOT in a meeting.
  8. The person impersonating your supervisor does not want you to call to see what he/she wants, because you would realize it is not your supervisor.
  9. Your supervisor or co-worker will NOT ask you to buy $1000 in gift cards and email the codes.
  10. The person impersonating your supervisor will ask you to buy these gift cards and email the codes because that is the whole motive for this type of scam: free money!

Please see Important Information About Spear Phishing for more information. I review and update this document as needed, but there isn’t much that has changed over time.

Current Threat Alert  

Voice Mail Emails

Key things to notice:

  • You receive an email saying that you have a voice mail message.
  • The email looks nothing like the voice mail notifications you are used to getting from Telephone Services, or from your phone service provider if you are off-campus.
  • The sender’s display name is Cisco Unity Connection Message System, but the sender’s address has nothing to do with Cisco.
  • These emails seem to be going to individuals, as well as Active Directory email groups.

Important facts:

  • UTK’s Telephone Services has not changed the way they send voice mail messages.
  • If you are off-campus, you can check with your provider to see if they have changed these emails, if they send voice mail in your email.
  • The “unsubscribe here” link takes you to active.com’s calendar of events…nothing to do with Cisco, voice mail, or unsubscribing.
  • The “Listen To Your Voice Mail” button takes you to a page for logging into Office 365, but it is not UT’s Office 365. Any password typed into that page goes straight to the cybercriminal.

Please forward these emails to OIT Abuse using the Reporting Phishing Attempts instructions.
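The signs listed under Spear Phishing and under Voice Mail Emails above can all be checked mechanically from a message’s headers and body. The script below is an added example written for this newsletter, not a UTK or OIT tool. The two sample messages, their sender addresses and their link hosts are constructed (example.com/.net/.org names), and the campus domain list and brand words are assumptions for illustration. It flags a Reply-To that leads away from the From address, a display name that borrows a brand the sender domain does not belong to, a message that does not name you in To or Cc, and links that leave campus domains.

```python
"""Header and link checks for a suspected phishing email (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the campus mail domains a link may legitimately
# point at, and brand words a spoofed display name tends to borrow.
TRUSTED_DOMAINS = {"utk.edu", "tennessee.edu"}
BRAND_WORDS = {"cisco", "microsoft", "office 365", "office365"}


def domain_of(address: str) -> str:
    """Lower-cased part after the last '@', or '' when there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def link_hosts(msg) -> list:
    """Host of every http(s) URL found in the text and HTML parts of msg."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            hosts.append((urlparse(url).hostname or "").lower())
    return hosts


def check_message(raw: str, my_address: str) -> list:
    """Return one finding per warning sign present in the raw message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # Spear phishing sign 3: clicking Reply sends to a different address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {reply_addr}, not to the From domain {from_dom}")

    # Voice mail alert: display name claims a brand the sender domain is not part of.
    claimed = [w for w in BRAND_WORDS if w in from_name.lower()]
    if claimed and not any(w.replace(" ", "") in from_dom for w in claimed):
        findings.append(f"display name '{from_name}' claims {claimed[0]} but the sender is {from_addr}")

    # Spear phishing sign 5: you are not named in To or Cc, so everyone was BCC'd.
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in visible:
        findings.append("your address is not in To or Cc; the message was BCC'd to a list")

    # Voice mail alert: buttons and 'unsubscribe' links that leave campus domains.
    for host in link_hosts(msg):
        if host and not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            findings.append(f"link points off campus: {host}")
    return findings


# Constructed sample messages; every address and host in them is made up.
SPEAR_PHISH = """\
From: Pat Supervisor <pat.supervisor@utk.edu>
Reply-To: Pat Supervisor <pat.supervisor.utk@gmail.com>
To: undisclosed-recipients:;
Subject: Are you available?

Are you at your desk? I'm in a meeting and need you to pick up some gift cards.
"""

VOICE_MAIL = """\
From: Cisco Unity Connection Message System <notify@mailer-9921.example.net>
To: you@utk.edu
Subject: New voice message (0:42)
Content-Type: text/html

<p>You have a new voice message.</p>
<a href="https://office365-secure-login.example.com/signin">Listen To Your Voice Mail</a>
<a href="https://calendar.example.org/events">unsubscribe here</a>
"""

if __name__ == "__main__":
    for finding in check_message(SPEAR_PHISH, "you@utk.edu") + check_message(VOICE_MAIL, "you@utk.edu"):
        print("-", finding)
```

Run against the two samples, the gift-card message trips the Reply-To and BCC checks and the voice-mail message trips the brand check plus one finding per off-campus link. None of these checks proves a message is safe; a message that trips any of them is one to forward to OIT Abuse rather than act on.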

Email from Educator Review Retirement

Key things to notice:

  • The email subject is typically “State Retirement Assistance for The University of Tennessee, Knoxville Personnel”.
  • The salutation is generally “Employee” followed by your last name.
  • You are given an opportunity to schedule a call with a representative to talk about state, federal, and individual retirement benefits.

The most important thing to know about this email is that it is in no way, shape, or form associated with the University of Tennessee, Knoxville, or any other UT campus or institute. The information they have about you is easily obtained from public records, but they will want more of your information. Please forward these emails to OIT Abuse using the Reporting Phishing Attempts instructions.

Fax Emails from “Utk”

Key things to notice:

  • The sender is “Utk,” but UTK does not use lower-case for the t and the k.
  • While the sender’s display name is “Utk,” the sender’s address is not from @utk.edu.
  • There may be an inserted block that says, “This sender has been verified from Utk.edu safe senders list.” Again, this is not UTK, and it is not verified by UTK.edu.
  • The only attachment should be “Malware Alert Text.txt,” which says that malware has been detected and all other attachments have been removed. (Just please trust me on this particular message.)

I continue to ask that you do not open any attachment of which you are unsure, including the Malware Alert Text attachment. After begging people not to open unexpected attachments I don’t want to start confusing you now. Please forward to me anything of which you are unsure and I will help you.

I am so proud of the Institute’s faculty and staff for being so security conscious. It is wonderful to know that our people think or ask before they click. I hope you know that you can ask me about anything IT security-related at any time. I am here to help you so that the Institute’s assets and data stay secure. After all, you have all put in a lot of time and effort to make the Institute and its mission so valuable.

Thank you all for all that you do!

Sandy