A ransomware group known as Vice Society has taken credit for an attack on California’s Bay Area Rapid Transit (BART) police that saw unredacted police reports published on the Dark Web. A review by NBC News found six documents that included information on endangered children, including names and birthdates. Anyone named in a BART police report may be impacted by the leak, which included more than 120,000 documents.
The Dark Web Threat from Ransomware
Risks from ransomware have changed over the last several years. These were once regarded as nuisance attacks on unwary, underprepared victims, who would have their systems and data held for a cryptocurrency “ransom” that would provide a de-encryption key. Threats to post data on the Dark Web were typically an intimidation tactic aimed at victims who refused to pay the criminals.
Hackers have since evolved their tactics and methodology. Ahead of a ransomware attack, it is now common for hackers to create a duplicate of the target’s data and systems. This allows them to ask for two ransoms: One to unencrypt systems, and a second to keep data off the Dark Web. This allows criminals to make twice as much money as they would from a straightforward ransomware attack. Paying the ransom is no guarantee of protection; criminals will post it online if they believe they can monetize it. Certain types of data, including credit card numbers, Social Security numbers and passwords, will almost certainly be sold by hackers.
The Dark Web Threat Against BART
Reporting on the recent BART hack suggests that only part of the police department’s system was compromised. This is similar to another attack against The Guardian, which saw criminals exfiltrate personal information, including passport data and bank accounts. Those data, which have not yet been published online, were acquired as part of a wide-ranging attack against the media stemming from a phishing attack.
In BART’s case, investigators suggested that criminals published the police reports to the Dark Web as punishment for failing to pay the ransom. The risk remains for The Guardian; once criminals have sensitive data, they are likely to try and make money through future extortion attempts or simply by selling it.
This exposes one of the hidden threats that criminals exploit: Less-secure systems connected to highly secure systems. BART revealed that criminals only breached the system that held police reports, while The Guardian faced a wide-ranging attack that succeeded in exfiltrating a subset of personnel data.
Both cases could point to systems that are partially but not fully secured. In many organizations, there are dedicated systems for functions such as document storage or HR. Access to these systems may have robust front-end protection but lack defenses against intrusions from someone who has breached those defenses. In other cases, access to data-use and retrieval systems may be secure, but the data are held in a less-secure environment.
These situations arise when organizations rely on older systems or third-party solutions, which is often necessary. Any integration between systems generates potential cyber risk. Sensitive data are coveted by cyber criminals, who will find any way to access the records themselves, with or without access to systems normally used for data retrieval.
Dark Web Monitoring Reveals Breaches
Regular Dark Web monitoring is the best protection against breaches and ransomware attacks. In some cases, Dark Web chatter can alert an organization to a pending attack. Dark Web monitoring can also reveal a breach, if regular review discovers new or unexpected data circulating or offered for sale.
Every organization that collects and stores sensitive data, which include any non-public records about employees, clients or business operations, should know what is already on the Dark Web and have alerts in case new data are found. Protect Now provides affordable Dark Web monitoring as part of our cyber security suite built for SMBs in the real estate, legal and financial sectors. We also offer Virtual CISO services that can help organizations integrate and secure legacy and third-party systems, as well as cyber security training to prevent phishing attacks. To learn more, contact us online or call us at 1-800-658-8311.