Background

Recently, a hacker known as PeteRepete leaked over 533 million Facebook users’ personal information online. There were no passwords in the database, but it did contain full names, phone numbers, email addresses, employer information, and a few other pieces of information from Facebook users’ profiles. GroupSense confirmed only a small portion of the records contained email addresses, but almost all of the records contained a phone number. 

Security ratings services have become a popular way for companies to assess their own cybersecurity posture, as well as that of their partners. And, while they are useful for establishing a data baseline of competence, they are often relied on as something more than that. For example, they’re used in boardrooms as “eye candy” to portray the state of company cyber-risk, with supply chain partners to manage third-party risk and, even more frightening, by insurance companies to create risk profiles for cyber-insurance policies.

Imagine, for a moment, that you own a small business -- say, a regional dairy farm producing milk, ice cream, yogurt, and other products. And, like so many companies in the food manufacturing sector, you get hit by ransomware. You can’t access any of the data you need to run your business -- so you don’t know which products to ship, where to ship them, what prices you’ve negotiated, who’s paid and who hasn’t… everything is locked up. And, the clock is ticking -- you can’t tolerate extended downtime or products will spoil and customers will defect to other vendors.

As ransomware attacks continue to surge across the globe, the demand for negotiation services has also increased -- and been hard to fill.

Big Game Hunting, the targeted large-scale ransomware campaign, is now regarded as the primary cyber threat to organizations across all sectors including financial, healthcare, and government in 2021. Leaking stolen data in an effort to pressure victims into paying is part of a broader trend across the BGH ecosystem. In the recent headlines, the ransomware operators go beyond the traditional dominance of Windows operating systems and now target VMware ESXi hypervisor. In this Ransomware Battleground, let’s look at how SPRITE SPIDER(Defray777 Ransomware) and CARBON SPIDER (Parkside Ransomware) operate in volume tactics. How do Cybercrime actors now back to use Linux variants of ransomware configured specifically to affect ESXi hosts?

In this talk, we will cover:
- What are Big Game Hunting tactics? And what did ransomware operator behavior change during Covid-19? (from POS to ESXi)
- How do you defend encrypting virtual infrastructure in your corporate network? Credential harvesting and payload ingesting?
- Why is Agentless Zero Trust Isolation and Ransomware Kill Switch the answer to stop Hypervisor "Jackpotting"?

Overview

Users quickly adopted the cloud storage tool Dropbox at the start of the COVID-19 pandemic to alleviate file sharing issues and facilitate group work. Updates to Dropbox Spaces, a project management tool, reflect this shift, easing communications for remote work.¹ The file-sharing company seeks to enhance collaboration and information-sharing within a distributed workforce, both now and in the future.

Threat actors have successfully targeted defense contractors over the years because they haven’t fully secured their networks, thus creating serious vulnerabilities in U.S. national security. To combat this challenge, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework was born.

First a pandemic, then a major economic crisis . . .why not throw in an epic cyber attack? GroupSense CEO Kurtis Minder breaks it down for #FedHeads Francis Rose and Robert Shea and throws in a few ransomware war stories, too. Chilling.

A regular user of underground forums and illicit online marketplaces with a track record of selling stolen credentials that can be used to access government, university and corporate networks is attempting to sell access to systems belonging to a large city in Arizona, the cybersecurity intelligence firm GroupSense told StateScoop.

The cybersecurity industry is often rife with hype around the topic of automation, with both IT security teams and malicious hacking groups steadily incorporating more tools and processes that can rapidly and automatically scan networks or process large datasets at speeds far faster than humans.

Kurtis Minder has spent the past year negotiating six-figure ransom demands from gangs of ruthless criminals. Not for the safe return of kidnap victims, but for the release of valuable data that is being held hostage by hackers. Ransomware attacks, which see hackers lock up data or computer systems until they are paid off, have been one of the biggest cyber security headaches for the private and public sectors in the past year.

Ransomware has been one of the most devastating malware threats that organizations have faced over the past few years, and there's no sign that attackers will stop anytime soon. It’s just too profitable for them. Ransom demands have grown from tens of thousands of dollars to millions and even tens of millions because attackers have learned that many organizations are willing to pay.

GroupSense, a digital risk protection services company, today announced several milestones from a successful 2020, including doubling its customers base, recording 60 percent year-over-year revenue growth and adding eight strategic partnerships, among many other accomplishments.

Ever thought of hiring a ransomware negotiator, or becoming one yourself? On today’s episode, Kurtis Minder of GroupSense tells us what makes a good ransomware negotiator, why setting the right tone is crucial in a successful negotiation, and why, in the right situation, you can get away with referring to a ransomer as “grasshopper.”

ARLINGTON, Va., Jan. 19, 2021 /PRNewswire/ -- GroupSense, a digital risk protection services company, today announced it has signed a deal with a major U.S. city to provide its COVID-19 Vaccine Threat Protection offering. This first-of-its-kind service offering uses cyber threat monitoring, similar to the approach GroupSense uses in its Election Threat Protection offering. This service provides the most comprehensive package available to protect the city and its millions of residents against COVID-19 vaccine misinformation, disinformation and supply disruptions from cyberattacks, including ransomware attacks.

Researchers see one bright spot as far-right extremists turn to private and encrypted online platforms: Friction.

In many ways, the beginning of 2021 isn’t just one of the most welcome New Years of the modern era — it could also be a turning point between the pre-COVID and post-COVID worlds. 

Driving the news: Extremism researchers worry the threat is more diffuse than the openly plotted Jan. 6 attack in Washington, with far-right groups taking to non-mainstream channels to plan nationwide disruption and broadly whip up anger and calls to arms.

CyberSocial IV: 

‘21 and Over!

2020 Threat Intel Recap and Look Ahead

With the emergency approval of COVID-19 vaccines, many are (rightfully) starting to see the proverbial light at the end of the tunnel. Although GroupSense is hopeful 2021 will bring health, prosperity, and recovery from the global public health crisis, we are also cognizant of numerous cyber security threats that may derail the mass-vaccination process. Below are five of the many threats GroupSense expects to see as the world moves forward with COVID-19 vaccination efforts.

You were hit with ransomware. You panic. You search “ransomware response” or “ransomware repair” and among the top results is a link that reads “Recover Encrypted Files - Guaranteed.” Sounds like you found the solution! None of us wants to pay the ransomware operators. If there is a legitimate solution that avoids sending tens of thousands (if not millions) of dollars via cryptocurrency to threat actors overseas, it’s worth paying for.

Background

The cyber security industry is reeling from another large scale, targeted attack. What was initially reported as a breach of FireEye red team tools on December 8th has now been exposed as a much wider, potentially catastrophic breach affecting the SolarWinds Orion software. SolarWinds stated a threat actor inserted malware,  SUNBURST or Solorigate, into a service providing trojanized software updates for its Orion platform, used by public and private companies to track IT resources. To date (December 16th, 2020), as many as 18,000 organizations have been affected by SUNBURST, announced SolarWinds. On December 14, Reuters and the Washington Post reported the U.S. Department of Homeland Security (DHS), the State Department, and the National Institutes of Health (NIH) were also compromised as a result of the infected Orion distribution.

The world’s most popular messaging and social media apps are rolling out new privacy features allowing users to send content that will self-delete after a short time. On November 5, WhatsApp announced “disappearing messages” that are automatically erased after a week; on November 12, WhatsApp’s parent company Facebook introduced “vanish mode” for Messenger and Instagram, seamlessly deleting messages after users leave their chat. And on November 17, Twitter launched “Fleets,” messages with 24-hour lifespans.

Ransomware became deadly in 2020.

Joe has a story about how Emotet is being used in phishing emails through thread hijacking, Dave's story is a two-fer: one is about bad guys using image manipulation and the other has Elon Musk giving away Bitcoin again taking advantage of the US election, The Catch of the Day is from a listener named John about an email-based vishing attack, and later in the show, later in the show, we welcome back Kurtis Minder of GroupSense on the burgeoning ransomware negotiation industry. 

Last month, two agencies of the US Treasury department issued advisories warning against paying ransomware.

As a part of our series about “5 Things You Need To Know To Tighten Up Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Kurtis Minder, CEO and co-founder of GroupSense.

For every high-profile ransomware incident in the headlines, there are many more that never get reported. Particularly among small- and medium-sized businesses, often with small IT and cybersecurity teams, a ransomware attack can be an existential problem.

Republished from October 2019

Kurtis Minder, CEO of GroupSense, joins Dennis Fisher to discuss the delicate process of ransomware negotiations and how enterprises are dealing with infections today.

It's not very clear what room for maneuvering is left for incident response companies to assist their clients with ransomware attacks and whether providing information about the attackers, engaging with them to test whether they're able to actually decrypt files or to negotiate a lower ransom would qualify as "facilitating" a transaction under the OFAC regulations. "Frankly, that puts us in an interesting situation with a client, where we say: 'Hey, we are not able to facilitate payments. Can we still negotiate on your behalf? Absolutely. And we can validate all the keys and do all of those things to get you to the point where you can do a transaction but we cannot do a transaction'," Kurtis Minder, CEO of threat intelligence firm GroupSense, tells CSO.

Kurtis Minder, CEO of GroupSense, a company that offers ransomware negotiation services, told SC Media that most large ransomware groups with multiple concurrent victims deploy automatic, pre-determined answers through the early stages of a negotiation until it progresses far enough to warrant human interaction. Similar to the business world, ransomware managers are seemingly looking to make sure their workers’ time is being spent wisely.

Webinar on October 28th at 1:00 pm EDT

Threat intelligence firm GroupSense is one recent example. Earlier this month, the company introduced a new service that it says can help ransomware victims navigate a slew of issues following an attack. According to GroupSense, it can help organizations evaluate and confirm attacks, negotiate with threat actors to reduce ransom demands, manage cryptocurrency payments, arrange for the destruction of any stolen data, and carry out other post-transaction activities.

Webinar on October 21st at 10:00 am!

No one ever expects it to happen to them. But with ransomware and cybercrime on the rise, it’s more likely than ever to discover that ransomware has locked down your system and cybercriminals are holding your data hostage. Kurtis Minder, an expert ransomware negotiator, advises executive teams when their worst cybersecurity nightmares come to life. Join us for an interview with Kurtis as we discuss:

While FBI is urging ransomware victims not to pay any ransom to hackers as it encourages crime, a Cybersecurity firm from Virginia says that it will offer a ransomware consultation and negotiation service on an official note to deal with a situation.

Twitter is a fun and easy way to engage with pop culture and maybe even spark a spirited discussion. Many of us on twitter can retweet/share without thinking or researching what tweets truly say, causing them to spread quickly to a larger audience. But, the sad fact is, some tweets might end up being misinformation or disinformation, especially politically-oriented tweets.

In August 2020, Microsoft posted an article focused on email authentication utilizing their Azure Active Directory (AD) authentication and the use of Multi-Factor Authentication (MFA).

The COVID-19 pandemic has created many security challenges that will persist long after the crisis ends. As time passes, it appears that work-from-home will become more permanent. Couple that with rushed digital transformation projects and inflamed security vulnerabilities that if not addressed quickly will lead to serious security and compliance problems. As we look to 2021, here are some challenges security teams must address:

MADISON - Foreign actors are using social media to target Native American populations in an effort to create disruption and sow division ahead of the 2020 election, according to preliminary research from cyber reconnaissance company GroupSense.

With the 2020 U.S. Presidential Election coming up in just two months, cybersecurity concerns are taking center stage for average citizens and politicians. That said, the likelihood of election results being impacted by an attack are slim, security researchers say. The focus should be on other problem-plagued election infrastructure issues that are ripe for attack.

Using his social media megaphone, President Trump has pushed once-fringe beliefs into the consciousness of everyday Americans.

ARLINGTON, Va., Aug. 18, 2020 /PRNewswire/ -- GroupSense, a threat intelligence company, today announced a special package of its Election Threat Protection offering for state and city governments. This package of services includes a readiness assessment, pre-election preparations, and cyber threat monitoring both during and after an election. This approach to election security protects city and state governments and their citizens from cyberattacks on voting technology, mis/disinformation campaigns, ransomware attacks, hacktivism, physical threats and other crimes.

What’s the single most valuable product in the world? 

Kurtis Minder joined Security Guy TV for a quick discussion on election security for the upcoming 2020 election. 

The strange realities of 2020 have perfectly played to the kind of fear QAnon thrives on, driving record online interest in the conspiracy theory.

The QAnon conspiracy is picking up steam abroad, particularly in Europe, where populist movements are on the rise.

Kurtis Minder joins Security Guy TV as part of the RSA pre-show interview to discuss the differences between "data" and "intelligence." 

Question: How should I securely destroy/discard my devices?

A 2020 study on US consumers and cybercrime recorded nearly 1,500 significant data breaches in 2019 resulting in the exposure of more than 164 million sensitive records. Meanwhile, one executive of a major US accounting firm argued that 2020 may be one of the most fraud-rich environments in our nation's history.

Threat intelligence is an important piece of any size organization’s cybersecurity system. But effective threat intelligence often fails is because threat analysis teams aren’t aligning themselves to the business, so they may be looking at the big picture of threats rather than for specific industry vertical threats. In the age of big data and data privacy regulations, this could be leaving an organization open to a damage data breach.

ARLINGTON, Va., June 26, 2020 /PRNewswire/ -- GroupSense, a cyber reconnaissance company, today announced it will host an online expert roundtable discussion, titled "Threat Intel in the Real World," on Wednesday, July 1 at 2:30 p.m. EDT. The roundtable is open to the public – people who would like to attend can register now. The roundtable will also be available to view on-demand, beginning immediately after the conclusion of the live session.  Attendees will have the opportunity to ask questions to roundtable members.

Find out what happens…when intel analysts stop being polite…and start getting real.

Today’s typical enterprise security team subscribes to at least four, often more, intelligence feeds, which analysts must comb through to find relevant information for operationalization. As a result, most threat intel has become “yet another tool to manage.” It’s simply not practical to expect every security organization to be able to hire threat intelligence analysts to make sense out of the feeds. Vendors need to deliver “threat-analyst-in-a-box” capabilities, so intelligence can be operationalized with minimal intervention.

Kurtis Minder, GroupSense CEO, talks with Charlene O'Hanlon about the black market and Dark Web activities as they pertain to COVID-19.

Dave shares a story of an attempt on his father's Verizon account, Joe has the story of an Amazon gift card phishing attempt, The Catch of the Day is a funny phishing email, and later in the show, Joe checks in with Kurtis Minder from GroupSense. They dig a little deeper into some of the topics Kurtis discussed in his previous appearance on our show. 

Dan Patterson: Kurtis Minder works for GroupSense, and they have been tracking some of the most outrageous coronavirus scams. Kurtis, what are you seeing right now that people need to pay attention to?

David Raviv will be hosting Kurtis Minder for a virtual fireside chat to talk operational security and other cyber security topics. Hear what he has to say at the meetup tomorrow at 5:00 pm EST by signing up!

BACKGROUND:

With the average cost to bring a new drug to market surging upwards of $2.5 billion, our client
wanted to get in front of any mentions of trial drugs before they were officially available. GroupSense worked closely with the client, a global pharmaceutical company, to fight back against IP fraud.

ISSUE:
Our threat intelligence analysts identified a syndicate claiming to have access to name-brand medications. Whether the activities were from the physical theft of medication, or manufacturing of counterfeit drugs, the end result was the same: a negative impact on the client's reputation. A response was needed.

IMPACT:
Armed with superior intelligence provided by GroupSense, our client quickly took action to prevent further activities from the threat actor group responsible. Understanding how an individual threat actor or group operates empowered our client to modify their own processes in the future to prevent recurrences.

Humans were the weak link in this tech giant’s supply chain. Motivated by easy access to dark web marketplaces, assembly line workers had no qualms about using their access to  intellectual property for personal gain.

Information and cybersecurity audits are a fundamental part of the M&A due diligence process. Given the impact of a breach on potential valuation, market acceptance, public relations and brand value, the security posture of a business being considered for an acquisition is a key element in understanding the liability, risk and value of the business.

As the COVID-19 pandemic pushes the above-ground economy to the brink of a major recession, the cybercrime economy appears to still be hard-charging ahead. And yet, the virus has rapidly reshaped the way business is being done on the dark web, as buyers and sellers jump on the opportunity to capitalize on global fears, as well as dramatic shifts in supply and demand.

Videoconferencing tools may help bridge the communication gap credit unions are currently facing during the coronavirus, but at what cost?

Business continuity has been strained as credit union employees work remotely. To help with that, many management teams have turned to videoconferencing to keep their institutions running and employees informed.

However, the last few weeks have unveiled a host of cybersecurity concerns with the popular video messaging platform Zoom. There have been problems with end-to-end encryption, and hackers have been able to access the webcams of users. As a result, thousands of personal photos and email addresses of users have been exposed. And that's just the tip of the iceberg for Zoom's cyber vulnerabilities.

Despite this, credit unions are still using the software.

Dave warns of fake QR code websites stealing Bitcoin, Joe has the return of classic cons, the Catch of the Day forgets one crucial element, and later in the show, our interview with Kurtis Minder. He’s with a company called GroupSense and they’ve been commemorating the 20th anniversary of the Dark Web.

What the Podcast Talks About:

With trillions of dollars of financial aid being made available to help individuals and organizations weather the COVID-19 pandemic, it should come as no surprise there is now a massive wave of attempts being made to divert those funds into the hands of cybercriminals.

GroupSense named Adam Bregenzer as chief technology officer and Jeffrey Duran as chief marketing officer. Prior to joining GroupSense, Bregenzer was a senior engineering manager at Venmo. Duran, who has had stints with Verizon and U.S. Army Cyber Command, most recently was vice president of marketing for threat investigation company Nisos.

Talent – Digital Risk Mitigation: GroupSense has named Adam Bregenzer as chief technology officer and Jeffrey Duran as chief marketing officer.

ARLINGTON, Va., April 13, 2020 /PRNewswire/ -- GroupSense, a digital risk protection company, today announced it has named Adam Bregenzer as chief technology officer and Jeffrey Duran as chief marketing officer. Bregenzer will be responsible for the direction and implementation of GroupSense's technology roadmap, particularly in the area of frictionless delivery of finished, actionable digital risk intelligence into customer security operations. Duran, a veteran of the cybersecurity industry, will lead the vision and strategy for the company's marketing operations.

The $2 trillion Coronavirus Aid, Relief, and Economic Security Act will provide economic relief to millions of businesses and taxpayers during the coronavirus pandemic. This stimulus bill may recall the last time government injected a huge sum of money into the U.S. economy— via the 2009 American Recovery and Reinvestment Act, following the 2008 mortgage crisis. But this time, the fraud risks are far more extensive due to the emergence of cyber crime.

Please join us for insights on what your organization can do now and moving forward to proactively prevent fraud in these uncertain times. Our group of fraud experts will explore the risks posed by recent events with a focus on how fraud professionals can minimize risk through a series of tools and techniques, and help their organizations to keep going.

Question: How do I make sure my work-from-home users install updates?

Cybersecurity practitioners who scan the dark web for threats against a client, or its stolen assets, also commonly spot data or assets belonging to non-client organizations and offer courtesy reports to those businesses.

The dark web, a segment of the internet used by outlaws, dissidents, and hackers to share information without scrutiny, will turn 20 years old this month.

According to AT&T's A CEO Guide to Navigating the Threat Landscape report, approximately, 50 percent of data breaches are first detected by the breached company's employees. What about the other 50 percent? Those notifications are more-or-less evenly distributed across law enforcement, customers and service providers. 

Darknet groups where corporate employees illegally peddle inside information come with their own sets of rules.

In the hidden corners of the internet, company insiders routinely offer access to their employers’ computer systems, sensitive client information and even advance looks at financial statements and business deals, security professionals say. Experts say little can be done to stop them.

While we're all being encouraged to sing 'Happy Birthday' as we wash our hands to ward off the COVID-19 virus, you might like to know that you can sing it to the Dark Web, which turns 20 this month.

The dark web has been around for 20 years, and in “celebration” we’ve put together a timeline of the major events from these past two decades. It’s important to note that many events have formed it into the dark web we see today. This is only a taste of its history…

Alliance – Risk Mitigation: GroupSense, a digital risk protection company, and Grant Thornton LLP, one of the nation’s largest audit, tax and advisory firms, have teamed to offer a digital crime mitigation solution, the companies say.

ARLINGTON, Va., March 2, 2020 /PRNewswire/ -- GroupSense, a digital risk protection company, and Grant Thornton LLP, one of the nation's largest audit, tax and advisory firms, have teamed to offer a digital crime mitigation solution. The new solution couples GroupSense's operationally ready intelligence, gathered through both automated and human reconnaissance, with Grant Thornton's cyber and fraud risk, data privacy and due diligence offerings to give Grant Thornton clients a powerful, tailored solution for identifying and mitigating vulnerabilities in their digital environments. 

Question: How should I answer a nontech exec who asks, "How secure are we?"

SAN FRANCISCO, Feb. 25, 2020 /PRNewswire/ -- RSA Conference -- GroupSense, a digital risk protection company, today announced it was honored with the "Most Innovative Security Team of the Year" award as part of the InfoSec Awards program from Cyber Defense Magazine (CDM), one of the industry's most influential electronic information security magazines.

Kurtis Minder joins Security Guy TV as part of the RSA pre-show interview to discuss how companies are overwhelmed with intelligence and how a human element can improve their security processes.

Spoofed emails may be an Iranian espionage effort. And the confessed Ninendo hacker cops a plea. Craig Williams from Cisco Talos with updates on Emotet. Guest is Kurtis Minder from GroupSense on the Pros and Cons of notifying breached companies at 6:15.

Using biometrics for authentication has always been a source of controversy. At face value, it seems like a fool-proof way to authenticate users (everyone has unique fingerprints, right?). But dig a level deeper, and biometric access management systems store that fingerprint (or iris, or facial map, or walking gait) as data. And, we all know what happens to data if it’s not protected properly. Which brings us to the big problem with biometrics: while passwords can be changed if there’s a data breach, fingerprints and other biometric data are permanent. One breach of a biometrics database is all it takes for someone to lose their identity for a lifetime.

ARLINGTON, Va., Jan. 14, 2020 /PRNewswire/ -- GroupSense, a digital risk management company, and Cybraics, a security analytics and artificial intelligence (AI) company, today announced a strategic technology partnership. GroupSense's customer-specific, operationally ready intelligence, which is gathered and pre-processed through both automated and human reconnaissance, combined with Cybraics' advanced AI-based threat detection, will provide enterprises with an unparalleled end-to-end security-as-a-service offering to prevent and remediate cyberattacks.

Question: Are there any tools that can help me find misconfigurations in my AWS S3 cloud buckets?

Question: Should I have a security travel policy to protect devices and sensitive data, particularly when our staff are crossing international borders?

We've all been there. The battery percentage on your mobile is in the red and you forgot your charger. And, you're expecting an important call. Luckily, you remember there's a public charging station at the discount department store at the local strip mall. 

“All it takes is faith and trust, oh! and something I forgot: dust,” Peter Pan tells Wendy, John, and Michael in Disney’s 1953 adaptation of J.M. Barrie’s novel. But after a widespread breach of the entertainment company’s new Disney+ accounts, at least one cybersecurity research company is indicating that its new streaming service needs more than a magical concoction to fly among those it’d qualify as reasonably secure.

As a CISO, you constantly worry if today is the day you’ll have a security incident. It’s a common problem. There are huge expectations on you and your team, but the support from the business is not always in line with those expectations.

Stolen digital information accelerates and enables fraud. This simple truth is changing the way organizations think about protecting themselves from fraudsters. A recent example drives this point home. Ridesharing has become part of our daily life—Uber and Lyft are ubiquitous across the United States and abroad. Not long ago, someone began ordering rides and then contacting the drivers via phone. This is possible given that rideshare applications offer up the driver’s phone number once a ride is hailed. The fraudster would spoof the calling number to look like it came from the rideshare HQ and then tell the driver to cancel their ride with “Mark,” which the driver recognized as the passenger’s name, and pull over.

One of the most fundamental aspects in the world of intelligence is the application of a process known as The Intelligence Cycle.  It enables intelligence professionals regardless of the area of focus – from Counterterrorism to Cyber security – to establish a plan of action and execute on that plan to deliver a high-quality intelligence product to the client.