Mums and dads being ‘held to ransom’ by cyber crims


Businesses are having their vital files hijacked and held to ransom by international cyber-criminals who are so brazen and professional they now offer IT support to those who buy or rent their malicious software.

Hackers are targeting everyone from mums and dads working from home to some of Australia's biggest companies, with thousands of businesses and millions of individuals falling victim each year.

Large businesses and banks are paying up to $200 million a year to protect themselves from cyber-criminals, with security experts saying hackers are increasingly hitting large companies to extract huge ransoms, under a practice known as "Big Game Hunting".

Those who don't pay up face the additional threat of having their stolen data auctioned off on the dark web to other criminals.

Last week thousands of Australian construction, transport, media and aerospace companies were held to ransom for $3400 each to access their own files after an organised crime group put a virus in their systems.

Between July 12-14, more than 2000 messages were sent to firms confirming their "orders" had been processed but a link to the fake goods contained a virus that locked them out of their own company files.

The crime group then demanded $3400 be paid within 48 hours via a bitcoin account or QR code to unlock and decrypt their own company files. Just how many companies fell for the latest mass attack was unclear.

The email lures used to hold firms to ransom included clickable files with headings such as "Payment Notification", "Transaction for your invoice", "Overdue payment", "Paid Invoices", "Sales Invoice", "Status update", "Document needed", "New Order" and "Receipt for your invoice".

Leading cyber security company Proofpoint said yesterday the ransomware campaign was launched by a well-known hacking group known as TA547, identified as targeting Australian emails since November 2017.

They said the group typically distributed high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries but notably construction, transportation, entertainment and media, aerospace and manufacturing.

Australia's cyber cop, the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), has declined to comment.

Global cyber security leader Palo Alto Networks’ regional security chief Sean Duca. Picture: Jonathan Ng

Companies whose Australian operations have been disrupted by cyber attackers this year include beverage giant Lion, BlueScope Steel, transport giant Toll and foreign currency exchange Travelex.

Global cyber security leader Palo Alto Networks' regional security chief Sean Duca said business email compromises were the biggest issue in Australia, where a person was tricked into authorising a money transfer.

A cybercriminal will analyse a potential victim's emails then send a series of emails supposedly from a named colleague, mentioning a personal fact about a partner or holiday to make it sound legitimate, then ask them to quickly authorise a missed transfer payment to a supplier.

On average each trick costs businesses $300,000, with the overall cost to the economy through losses and insurance more than $1 billion.

"Right now the literally mums and dads, the 2.2 billion small to medium enterprises that make up 96 per cent of companies in Australia, they are being targeted by business email compromise groups," said Mr Duca, whose firm's customers include Interpol and the Australian Federal Police.

In May Telstra launched its multimillion-dollar "cleaner pipes" cyber security initiative to protect customers from malware, ransomware and phishing. The initiative collects data globally to identify and block malicious attacks.

In one month it found 500 accounts infected with banking Trojans targeting customers and 50 phishing domains.

Michael Sentonas, chief technology officer at global cyber security company CrowdStrike, said there were 500 billion cyber "events" happening around the globe every 24 hours.

"It's a whole range of intrusion attempts, standard activity on machines our customers are using," he said.

"The threat level has gone up around the world exponentially in the last 12 months; the last six months it's been absolutely staggering.

"Where there's an active hacker or attackers that are financially motivated trying to scam people around the world, the first five months of this year we saw a 331 per cent increase over the same period in 2019."

CrowdStrike's Chief Technology Officer Michael Sentonas. Picture: Sam Ruttyn

He said Prime Minister Scott Morrison was "not overdramatising" when he said in June that "everything" in Australia was under attack.

"I'm having conversations with people in manufacturing, health care, logistics, big tech, small-medium businesses, government departments," he said.

"Universities, academics, think tanks, they're all being targeted for different reasons."

Mr Sentonas said e-crime "simply dwarfed" the number of attacks by foreign government spies so far this year.

"About 61 per cent of attacks that we monitor are attributed to e-crime and 39 per cent is targeted state-sponsored activity (this year). We've never seen a number like that," he said.

"For example the previous year was 25 per cent e-crime."

He said the criminal gangs, which came from all over the world including Russia, were highly organised and professional.

"You can buy ransomware, you can rent ransomware. You can get a support contract which guarantees the effectiveness of your ransomware and you get better support than what you would going to a legitimate business here in Australia," he said.

"That's the world we've evolved to."

Some of the attackers targeting Australian businesses have used ransomware known as Maze, which encrypted data for ransom, but also copied it and stored it in the cloud.

"So in this particular example they're asking for a higher than usual amount of money because now you've also got the threat of having an incident where they're releasing all your sensitive data onto the internet and what they're doing is extracting the most amount of money they can from an organisation," he said.

Another group using ransomware was a cyber-criminal gang known as REvil, Sodin, or Sodinokibi, which was also active in Australia.

Mr Sentonas said REvil was auctioning sensitive stolen data to the highest bidder on the dark web.

"We saw one example in the last 24 hours where a successful bidder will get three databases, more than 22,000 files, from an agricultural company. You have to deposit 5000 dollars in virtual currency with a starting price of $50,000," he said.

He urged people not to pay ransoms, saying there was no guarantee the data would be returned.

Australia's former national cybersecurity adviser Alastair MacGibbon said ransomware was one of the fastest-growing crimes in the world.

"It's definitely a criminal activity. We have on occasions seen nation states also carry out that type of destructive behaviour but largely it's a criminal one," he said.

Cyber security expert Alastair MacGibbon. Picture: Roy VanDerVegt
Mr MacGibbon, who is chief strategy officer at new Australian firm CyberCX, said while most scrutiny focused on theft of private data, he believed the real threat was erosion of trust in online systems.

"If we can't trust the data, now think about banking or property ownership.

"How do I prove that I own a property these days? And how do I prove the money I have in my bank account? These are digitally stored things. What happens if I can't trust those anymore to make my decisions?"

On Thursday, one of the world's largest social media companies, Twitter, was hacked, with the intruders taking control of high-profile accounts including that of presumptive Democratic presidential nominee Joe Biden, and soliciting money for a Bitcoin scam. Twitter later said the hack had been a "co-ordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

This likely means some Twitter employees were tricked into giving the hackers access to Twitter's internal IT systems and tools.

Originally published as Mums and dads being 'held to ransom' by cyber crims