Mar 13, 2020
Tue, Mar 17, 2020
In recent weeks, our cyber experts have been collecting intelligence from a variety of sources, including government agencies worldwide, on how cyber criminals and nation-state actors are taking advantage of the confusion and problems relating to the novel coronavirus (COVID-19). The following notes are provided as general guidance to bolster awareness and help avoid social engineering attacks.
Cyber-criminals recognize that corporations and public-sector institutions are anxious to learn the latest authoritative information concerning COVID-19. They take advantage of this to create opportunities to induce employees to open emails and click on links. They may do this by crafting compelling subject lines (such as COVID-19: Latest Updates from the Centers for Disease Control) and using URLs highly similar to the official addresses—perhaps with the addition of a dash or a change from “.com” to another top-level domain.
Their objective is to compel the email recipient to take an action like clicking on a link which results in the downloading of malware ranging from ransomware to remote access trojans providing the criminals with ongoing access to your network. While our usual advice is “trust but verify,” the reality here is that you must be very careful about what you trust at all. Make note:
Be careful about any links included in emails pretending to come from official agencies, and before you accept information, be sure it comes from a known, official and accurate source.
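One way to automate the link check described above, as an added example that is not part of the original advisory: it compares each link's hostname with an allowlist of official domains and flags the two lookalike patterns mentioned earlier, an added dash and a changed top-level domain. The allowlist, sample links and function names are constructed for illustration, and hostnames are assumed to be plain ASCII.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the organization treats as official sources.
OFFICIAL_DOMAINS = ("cdc.gov", "who.int")


def _compact(name: str) -> str:
    """Drop dashes and dots so 'cdc-gov' and 'cdc.gov' compare equal."""
    return name.replace("-", "").replace(".", "")


def classify_link(url: str, official=OFFICIAL_DOMAINS):
    """Return (verdict, official_domain_or_None) for one URL found in an email.

    Verdicts: 'official', 'lookalike-tld', 'lookalike-dash', 'unknown', 'invalid'.
    """
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ("invalid", None)
    if not host:
        return ("invalid", None)
    # Exact match, or a true subdomain of an official domain.
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return ("official", dom)
    labels = host.split(".")
    for dom in official:
        dom_name = dom.rsplit(".", 1)[0]
        # Try every suffix of the host as the registered name (TLD removed).
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:-1])
            if cand == dom_name:
                return ("lookalike-tld", dom)      # same name, different TLD
            if _compact(cand) in (_compact(dom_name), _compact(dom)):
                return ("lookalike-dash", dom)     # official name plus a dash
    return ("unknown", None)


# Constructed sample links, as they might appear in a message body.
SAMPLE_LINKS = [
    "https://www.cdc.gov/coronavirus/index.html",
    "https://cdc.example/latest-updates",
    "https://cdc-gov.example/covid19",
    "https://intranet.example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

A verdict of "unknown" is not a pass: only "official" means the link points at an allowlisted source.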
Ransomware may only be the tip of the iceberg. We are seeing increasing reports of ransomware being deployed only after criminals carefully examine the network, often looking to identify backup files (even if they are in a remote “cloud-based” system) so that they can have the ransomware encrypt not only your primary files, but your backup as well. If they succeed, the victim will be more likely to feel that they must pay the ransom to restore their operations.
Particularly troubling is the growing trend of ransomware attackers stealing sensitive employee or customer data or intellectual property, such as business plans, financials or trade secrets, and using the ransomware to cover their tracks. Even if you pay the ransom and regain control of your files, the criminals may have a copy that they can sell on the dark web.
We have seen the rapid rise of sites seeking contributions ostensibly to assist those affected by COVID-19. Unfortunately, while there are many valid sites, criminals seek to exploit the charitable nature of individuals and corporations and get them to send funds to fake donation sites. Certainly, we encourage individual and corporate charitable donations to assist those in need of help in a crisis, but we strongly recommend that contributions be made through known and thoroughly vetted charitable organizations.
Many organizations are facing the need to have employees work at home rather than in their regular work locations. While some organizations have planned for this eventuality and have engineered their networks to provide appropriate security and privacy controls, others have not done so, and are being forced to make rapid changes to accommodate displaced workers. Rapid changes may not have permitted the time to put adequate controls and security measures in place. Here are a few areas to focus on:
The one thing that is certain is that cyber criminals are hard at work looking for ways to take advantage of work disruptions associated with COVID-19 and governments’ orders designed to reduce the spread of the disease. Don’t let your company’s technology be an avoidable victim.
Kroll continues to monitor developments relating to crisis response, cyber threats, valuations and financial stress caused by the COVID-19 pandemic. We will continue to provide guidance as we gather and analyze information from our client work and our analysts' evaluation of information available to us through official and other sources. If our experts can help you assess and manage the risks to your business, contact us as soon as possible. Additional guidance is available in our Coronavirus Resource Center.