Cyber Incident · cybersecurity · Disaster Recovery · Hacking · Malware · Ransomware

Trick or Treat – Ransomware is a Trick disguised as a Treat

This time of year prompts me to think about cyber lessons learned, the malware questions customers and colleagues have asked, and all the ghoulish activity we have witnessed in 2017. We have seen obvious phishing mails with spoofed sender addresses or URLs and provocative messages designed to make users click: open the message, open an attachment, or follow an infected link, any of which executes the malware. Another common route to infection is a compromised website that triggers a drive-by download the user never intended. These are the "Tricks" used to push users out of their normal behavior. As awareness of phishing and ransomware grows, our susceptibility to being "Tricked" has been reduced, but not eliminated.

Ransomware has become almost synonymous with phishing; the two have merged into a single attack in which the phishing lure delivers the encryption payload. Industry statistics show that over 90% of phishing attacks now carry ransomware. Phishing techniques aimed at businesses are also changing to draw employees in: the emails now carry a personalized message with a correct salutation and a subject matched to the recipient's job function. These attacks are effective and growing in popularity. The social engineering is becoming more sophisticated while the skill and resources an attacker needs to execute it have shrunk rapidly: any criminal can rent "ransomware as a service" on the dark web and inflict serious damage for potentially huge financial gain.

Ransomware also gets into business systems through vulnerabilities in operating systems and applications. The recent campaigns were delivered against unpatched system software and out-of-date security software, and they were broad and successful, as the past few months have shown. The malware enters the organization by exploiting a known vulnerability and then moves laterally from system to system until it has infected the whole network and every device connected to it.

Ransomware works in a very orchestrated manner. Once the ransomware program executes, it contacts its command-and-control server to obtain an encryption key, and this happens very quickly. (Some families skip the call home entirely: they generate the key locally and protect it with a public key embedded in the malware, so blocking outbound traffic does not always stop the encryption.) Once the program has its key it encrypts the data on the system, leaving it unusable. Encrypted data can "typically" be recovered with the decryption key, but there are no guarantees given the source of the attack. Only once the decryption key is delivered back to the program can the process be reversed.

The best preparation an organization can take is to follow common best practices. From keeping endpoint protection products current, to implementing stringent data backup procedures, to patching and updating software, best practices are not difficult in themselves, but they require commitment and focus. Together with a cybersecurity process built on the NIST Cybersecurity Framework functions of Identify, Protect, Detect, Respond and Recover, they are extremely valuable for any business. Continual employee education and training on phishing and ransomware remains a highly valuable part of that process.

In addition to developing a cybersecurity process and following a standardized framework, vulnerability scanning and monitoring of network behavior are must-have proactive countermeasures.

Lastly, nothing is guaranteed to keep your business safe, but reducing your attack surface will be worth the investment. Knowing in real time that an attack is in progress, and knowing how to remediate or immediately take the suspect system offline, can save you significant time, energy and money: the real "treats" of this Halloween season.
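The paragraph on how ransomware works and the point above about knowing in real time that an attack is in progress both come down to the same observable: once the malware has its key, one process rewrites many files in a short burst, and the rewritten bytes look random. The detector below is an added example, not code from the Cytellix post or any product: it consumes constructed file-write telemetry and alerts when a single process rewrites an unusual number of distinct files with high-entropy content inside a sliding window. The event format, the process names, the file paths and the thresholds are all assumptions for illustration.

```python
"""Added example (not from the Cytellix post): spotting ransomware-style
encryption as it happens, from file-write telemetry.

The event format, process names and thresholds below are assumptions for
illustration, not values from any product or from the post.
"""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileWrite:
    ts: float        # event time in seconds
    process: str     # image name of the writing process
    path: str        # file that was written
    data: bytes      # bytes written (a sample of the first few KB is enough)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Per-process sliding window over high-entropy file rewrites."""

    def __init__(self, window_s: float = 10.0, max_files: int = 20,
                 entropy_threshold: float = 7.5):
        self.window_s = window_s                 # assumed: burst window
        self.max_files = max_files               # assumed: distinct files per window
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)        # process -> deque of (ts, path)
        self.alerts = []

    def observe(self, ev: FileWrite):
        """Feed one event; return an alert string when the threshold is crossed."""
        if shannon_entropy(ev.data) < self.entropy_threshold:
            return None                          # ordinary document content
        q = self._recent[ev.process]
        q.append((ev.ts, ev.path))
        while q and q[0][0] < ev.ts - self.window_s:
            q.popleft()                          # expire writes outside the window
        touched = {p for _, p in q}
        if len(touched) < self.max_files:
            return None
        alert = (f"{ev.process} rewrote {len(touched)} files with high-entropy "
                 f"content within {self.window_s:.0f}s (last: {ev.path})")
        self.alerts.append(alert)
        q.clear()                                # fire once per burst, not per file
        return alert


def pseudo_random_bytes(seed: str, n: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext so the sample data is reproducible."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


def sample_events():
    """Constructed telemetry: a benign editor, then a process encrypting a folder."""
    events = []
    text = ("quarterly report draft, revision pending review. " * 80).encode()
    for i in range(5):   # a word processor saving plain text every ten seconds
        events.append(FileWrite(100.0 + 10 * i, "winword.exe",
                                f"C:/Users/ann/Documents/draft{i}.txt", text))
    for i in range(30):  # 30 files rewritten as ciphertext in three seconds
        events.append(FileWrite(200.0 + 0.1 * i, "invoice_scan.exe",
                                f"C:/Users/ann/Documents/file{i}.docx.locked",
                                pseudo_random_bytes(f"file{i}")))
    return events


def run(events=None):
    """Replay events through the detector and return the alerts raised."""
    det = RansomwareDetector()
    for ev in events if events is not None else sample_events():
        det.observe(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run():
        print("ALERT:", a)
```

Compressors, encrypted-backup agents and disk imaging tools also write high-entropy content in bursts, so in practice the detector needs an allowlist of such processes and is best paired with canary files that no legitimate process should touch. The response it should trigger is the one the post describes: take the suspect host off the network immediately.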

Read more of our Cytellix Cybersecurity blogs –

Cyber Incident · Disaster Recovery · Incident Response · Malware · Ransomware

Corporate Cyber Incident Response Plan – Do You Even Have One?


I was messaging with a very good friend and colleague this week and we started chatting about incident response plans. We noted that most people have a plan in place at home; he raised examples around personal security elements such as home alarms, dogs, door locks and cameras. The comment that resonated with me most was, you know what to do when you come home and your home has been burglarized. Call the police, insurance company, etc. He went on to pose the question, what about when your company is electronically burglarized? For most organizations, that question is met with silence.

While burglary in the workplace takes many forms, we will focus on burglary in the form of cyberattacks. The attacker is "stealing" information from your company for monetary gain. Yes, the cyberattack is intended to take something from you: data, money or both. Cyberattackers work systematically and efficiently, picking either high-value or high-probability targets to extract what they are after: data, intellectual property, personally identifiable information, or cash extorted through a ransomware event. It is a business, and the value to the attacker is what they take for future gain, or the currency they can demand to give back what they now hold access to or control of. The result is highly distracting, expensive and potentially severely damaging to the business.

Circling back to corporate cyber incident response: what is your answer? Is the first step to call the authorities and the FBI? Is it to pay the ransom? Is it time to invoke your Disaster Recovery (DR) policy? Do you even have a DR plan? Have you identified your critical data?

What exactly is the FBI's role in cyber? The FBI's role is to hunt down the "bad guys" and prosecute them, plain and simple. Its role is not to recover your assets, cash or data. Should you call the FBI if you are burglarized (cyberattacked)? Absolutely! We want to shut down as many cyber criminals as possible. Should you pay the ransom? Well, that depends: do you have a tested data recovery plan, with backups the attacker's encryption could not reach, such as offline or immutable copies? If yes, why would you pay? Sometimes organizations need to make a time-versus-money decision, because the time to recover may exceed what the business can tolerate. Bear in mind that paying buys a promise, not a guarantee, that a working decryptor will arrive. Law enforcement advises against paying the ransom, but your business objectives need to drive your decision.

Many organizations talk about incident response, but very few have a realistic plan. Some suggestions that can help: build a plan that includes recovery steps, use realistic scenarios, and identify the leaders within your company who will drive those decisions. Have a true plan of action that is executable. Test the plan by dry-running a few scenarios. Be prepared, be ready, be diligent: the odds say this will happen to your company at some point. The small and medium business market is the largest potential target while also the least prepared. Start today!






cybersecurity · IoT · Malware · Ransomware

Flipper's role in protecting our resources – it's an IoT fish story!

Many may remember the TV series "Flipper." For those who do not, the premise is as follows: Flipper, a bottlenose dolphin, helps protect his lagoon park and preserve its wild inhabitants, and is instrumental in apprehending the criminals and thugs who turn up in the park.

How does this story draw parallels to cybersecurity?

This past week, an unnamed North American casino suffered a breach that began with a fish tank. The casino's self-cleaning tank, fitted with sensors to monitor water temperature and fish feeding schedules, was targeted by hackers. Through the tank's control system the intruders reached the casino's computer network and exfiltrated sensitive data to a location in Finland.

Connecting the dots back to "Flipper," observing and monitoring one's environment is vitally important. Like Flipper, whose role was to apprehend criminals through observation and data collection, we must remain vigilant and can no longer blindly trust even the most innocent-looking device, such as a connected fish tank.

Fish tanks are now IoT devices on our networks and, as this casino learned, can open a door for clever cyber thugs. Today's attackers leave breadcrumbs of information that we can collect to understand the risks of particular IT decisions, and the same advice and best practices apply to a fish tank as to any other sensor on the network: Understand, Monitor, Prevent and Segment, to protect your most critical asset: DATA! In practice that means knowing the device is there, watching what it talks to, blocking what it does not need, and placing it on a network segment that cannot reach the systems holding that data.
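A connected fish tank needs to talk to a very small, predictable set of hosts, and once that set is written down every flow leaving the IoT segment can be checked against it. The script below is an added example, not code from the Cytellix post: traffic from the tank toward the internal network is reported as lateral movement, traffic to an unlisted external host as unexpected egress, and a large outbound byte count as possible exfiltration even when the destination is on the list. The addresses, ports, device name, byte budget and the flow records are all constructed assumptions.

```python
"""Added example (not from the Cytellix post): checking an IoT device's
traffic against an egress allowlist.

Addresses, ports, the device name, the byte budget and the flow records are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int          # epoch seconds
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent by src in this flow


# Assumed policy for one device on the IoT segment (10.20.0.0/24).
IOT_POLICY = {
    "10.20.0.15": {
        "name": "aquarium-controller",
        "allowed": {("203.0.113.10", 443)},   # vendor cloud API, assumed
        "max_bytes_out": 1_000_000,           # outbound budget per run, assumed
    },
}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")


def is_internal(ip: str) -> bool:
    """True for corporate address space outside the IoT segment itself."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL) and addr not in IOT_SEGMENT


def check_flows(flows, policy=IOT_POLICY):
    """Return (kind, src, dst, dport) findings for flows that violate the policy."""
    findings = []
    sent = defaultdict(int)
    over_budget = set()
    for f in flows:
        dev = policy.get(f.src)
        if dev is None:
            continue                              # not a device this policy covers
        if (f.dst, f.dport) not in dev["allowed"]:
            kind = "lateral-movement" if is_internal(f.dst) else "unexpected-egress"
            findings.append((kind, f.src, f.dst, f.dport))
        sent[f.src] += f.bytes_out                # count allowed flows too
        if sent[f.src] > dev["max_bytes_out"] and f.src not in over_budget:
            over_budget.add(f.src)
            findings.append(("volume-exceeded", f.src, f.dst, f.dport))
    return findings


def sample_flows():
    """Constructed flow records modelled on the casino story: the tank first
    reaches an internal host, then pushes a large volume to an unlisted address."""
    return [
        Flow(1500000000, "10.20.0.15", "203.0.113.10", 443, 20_000),       # normal telemetry
        Flow(1500000060, "10.1.5.20", "10.1.5.21", 445, 5_000),            # not an IoT device
        Flow(1500000120, "10.20.0.15", "10.1.5.20", 445, 3_000),           # tank -> file server
        Flow(1500000180, "10.20.0.15", "198.51.100.77", 443, 80_000_000),  # tank -> unknown host
    ]


if __name__ == "__main__":
    for finding in check_flows(sample_flows()):
        print(*finding)
```

The same allowlist is the segmentation policy: the IoT VLAN's firewall should permit only the listed destinations and deny everything else by default, so that this check reports a failed attempt rather than a completed transfer.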




cybersecurity · Malware · Ransomware

Malware & Ransomware: SMB Best Practices


In the wake of several weeks of broad and damaging cyber-attacks, it is important to talk about the proactive measures small and medium organizations should consider to protect their environments. Many of my colleagues have described the damage done by, and the origins of, the recent attacks, WannaCry and Petya. I find these insights extremely valuable for understanding the root cause and attribution of the malware itself, and the published reports give organizations of every size context for the magnitude of the damage these organized attacks can deliver now and in future.

The small and medium business sector presents the largest target landscape for cyber-attacks, and the potential damage to hundreds of thousands of businesses in the USA is alarming. The questions small and medium businesses consistently ask are: what should I do to protect my company, and how can I afford the equipment, software and people required to truly become cyber prepared? Good news: there are options and practical real-world solutions available.

Many smaller organizations lack the internal resources to research both the industry standards and the proprietary models in order to work out the best cybersecurity approach. A best practice is to take a methodical, standards-based approach: build cyber awareness, develop a plan to improve, and implement a proactive monitoring solution as the starting point for cyber preparedness. Below are strategic and tactical steps small and medium businesses should take immediately.

Strategic recommendations:

  • Cybersecurity assessment – understand your current posture to identify vulnerabilities
  • Gap analysis – a comprehensive view of what needs improvement
  • Plan of Action – a detailed, real-world and affordable improvement plan
  • Continuous monitoring – become a proactive cyber aware company to know when changes occur

Tactical recommendations for WannaCry & Petya variants:

  • Ensure systems are patched (for WannaCry and Petya that means the SMBv1 fix in Microsoft's MS17-010 bulletin, and disabling SMBv1 where it is not required) and all antivirus programs are up to date
  • Implement backups and verify that the backup systems are correctly configured, with at least one copy kept offline or otherwise out of reach of a compromised host
  • Restore only from backups that have been securely managed and whose integrity you can verify before the restore
  • Isolate any unpatched systems from the rest of the network until they can be patched
  • Monitor all networks and device connectivity for the lateral movement these variants use
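The incident response post above asks whether your recovery plan survives the attacker's encryption, and the tactical list says to restore only from backups that have been securely managed. One concrete way to know is to hash every file in the backup into a manifest, authenticate the manifest with an HMAC under a key that is never stored on the backup host, and refuse to restore if the MAC or any hash fails. The script below is an added example, not code from the Cytellix post: the directory layout, the file contents and the key are constructed for illustration.

```python
"""Added example (not from the Cytellix post): proving a backup is intact
before restoring it.

Directory layout, file contents and the key are constructed for illustration;
in practice the key is held offline, away from anything ransomware can reach.
"""
import hashlib
import hmac
import json
import pathlib
import tempfile


def file_sha256(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Fixed key order and separators so the MAC covers a stable encoding.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key: bytes) -> dict:
    """Hash every file under backup_dir and MAC the table of hashes."""
    root = pathlib.Path(backup_dir)
    files = {p.relative_to(root).as_posix(): file_sha256(p)
             for p in root.rglob("*") if p.is_file()}
    return {"files": files,
            "mac": hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir, manifest: dict, key: bytes):
    """Return (ok, problems). Any problem means: do not restore from this copy."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC mismatch: manifest altered or wrong key"]
    root = pathlib.Path(backup_dir)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif file_sha256(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")      # e.g. a dropped ransom note
    return not problems, problems


def demo():
    """Build a backup, verify it, then show what ransomware on the share looks like."""
    key = b"assumed-offline-key-do-not-store-with-backups"
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "contracts").mkdir()
        (root / "ledger.csv").write_bytes(b"date,amount\n2017-10-01,100\n")
        (root / "contracts" / "acme.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(d, key)        # store this off the backup host
        clean = verify_manifest(d, manifest, key)

        # Ransomware reaches the backup share: one file encrypted, a note dropped.
        (root / "ledger.csv").write_bytes(bytes(range(256)))
        (root / "README_DECRYPT.txt").write_bytes(b"pay to get your files back\n")
        damaged = verify_manifest(d, manifest, key)

        # An attacker who rewrites the manifest to match cannot forge the MAC.
        forged = verify_manifest(d, build_manifest(d, b"wrong-key"), key)
    return clean, damaged, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged"), demo()):
        print(label, result)
```

The MAC is what turns a list of hashes into evidence: without a key the attacker can re-hash the encrypted files and replace the manifest, and the restore would look clean. Keeping the manifest and the key off the backup host, and keeping at least one backup copy offline or on immutable storage, is what makes the "unscathed" recovery plan real.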