Oct 23, 2018

J. M. Porup reports:

Burning malware is like Hercules fighting the nine-headed Hydra. For every head he cuts off, two more grow back in its place. That’s the lesson from a new report by Cylance today, and one both enterprise network defenders—and the public at large—should pay attention to.

Cyber mercenaries sell malware to oppressive regimes in the Middle East, which then use that malware to attack their own citizens, research from the Citizen Lab suggested earlier this year. The current regimes in Turkey and Egypt compel local ISPs to run Canadian-made Sandvine/Procera deep packet inspection middleboxes that inject the malware into unencrypted HTTP downloads of popular software like Avast, VLC Player and WinRAR. Large numbers of users in Egypt, Turkey and Syria (near the border with Turkey) are affected.

Read more on CSO Online.
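The injection described above is possible because an on-path middlebox can rewrite a plaintext HTTP response before it reaches the user. The following is an added example, not code from the CSO Online or Citizen Lab reports, of the check a defender would run on such a download: compare the file's SHA-256 against a hash obtained out of band (over HTTPS or from a signed source, never from the same plaintext page) and flag any fetch made over plaintext HTTP. The installer bytes, the published hash, and the URLs are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample: stands in for the vendor's genuine installer and the
# SHA-256 the vendor publishes for it. Real installers are far larger.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine installer body (constructed)" * 8
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()

# Constructed sample: the same download after an in-path box replaced the
# body. The bytes are arbitrary filler, not real malware.
TAMPERED_INSTALLER = b"MZ\x90\x00" + b"payload swapped in by a middlebox" * 8


def check_download(url: str, data: bytes, expected_sha256: str) -> dict:
    """Verdict on a fetched file.

    hash_ok            -- SHA-256 of `data` equals the out-of-band hash
    plaintext_transport-- the URL scheme is http, so an on-path device could
                          have modified the body in transit
    verdict            -- "ok" only when the hash matches; a mismatch is
                          "tampered" regardless of transport
    """
    scheme = urlparse(url).scheme.lower()
    actual = hashlib.sha256(data).hexdigest()
    # constant-time comparison; the hashes are hex strings of equal length
    hash_ok = hmac.compare_digest(actual, expected_sha256.strip().lower())
    warnings = []
    if scheme == "http":
        warnings.append("fetched over plaintext HTTP: body was modifiable in transit")
    if not hash_ok:
        warnings.append("SHA-256 does not match the published hash")
    return {
        "url": url,
        "sha256": actual,
        "hash_ok": hash_ok,
        "plaintext_transport": scheme == "http",
        "verdict": "ok" if hash_ok else "tampered",
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Hypothetical URLs; the host does not exist.
    for url, body in [
        ("http://downloads.example.invalid/setup.exe", GENUINE_INSTALLER),
        ("http://downloads.example.invalid/setup.exe", TAMPERED_INSTALLER),
        ("https://downloads.example.invalid/setup.exe", GENUINE_INSTALLER),
    ]:
        result = check_download(url, body, PUBLISHED_SHA256)
        print(result["verdict"], result["url"], *result["warnings"], sep=" | ")
```

The hash is the check that actually catches the substitution; the transport flag only tells you whether a mismatch was even possible in transit. A hash read from the same unencrypted download page proves nothing, since the middlebox could rewrite that page too.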

Oct 20, 2018

On October 5, HHS received a HIPAA breach notification from the National Ambulatory Hernia Institute in California. According to the notification, the incident affected 15,974 patients.

A notice prominently displayed on NAHI’s site explains that there was a ransomware incident on September 13.


URGENT NOTICE: Our office has experienced a Ransomware attack on September 13th 2018. The attack was tied to an email address [email protected]. If you were treated by one of our physicians prior to July 19th, 2018 your demographic information may have been compromised. If your information was not in our possession prior to July 19th, 2018 there is no possibility that your information was compromised.

Potentially compromised information includes: Full name, Address, Date of birth, Social Security Number, Diagnosis and Appointment date/time information.

If you believe your personal information has been compromised we recommend that you obtain an Identity Monitoring Service for a period of at least one year.

Our office has moved all of our data to an off-site server, continues to investigate this matter, and has taken steps to eliminate the possibility of a future breach including the purchase of a more robust firewall and antivirus.

This notice is being provided voluntarily.

If you have further questions, please call our office at 800-962-3766.

It is not clear to me why they say they are providing the notice “voluntarily” if they are in fact required to disclose it under HIPAA and HITECH. They do not say that they could definitively rule out access to and/or acquisition of the data. Nor do they indicate whether they paid any ransom demanded, or whether there was no need to pay because they had full and intact backups or were able to remove the ransomware themselves.

The [email protected] email address has been associated with Gamma ransomware, a variant of the Crysis family. More information on this ransomware and its removal can be found on pcrisk.

Oct 20, 2018

WISH-TV reports:

The Indiana National Guard revealed Thursday that a state, nonmilitary server with identifying information of its personnel was the subject of a ransomware attack.

The Guard said in a news release from Master Sgt. Jeff Lowry:

“As a result of this action we are in the process of notifying personnel that may be affected, and that they should be alert for suspicious activity or fraudulent accounts being opened in their name.”

Read more on WISH-TV

Oct 15, 2018

WNCT reports:

The Onslow Water and Sewer Authority’s internal computer system, including servers and personal computers, was hit by a ransomware attack Saturday.


ONWASA began experiencing persistent virus attacks from a polymorphic malware known as EMOTET on October 4. … At what ONWASA officials said may have been a timed event, the malware launched a sophisticated virus known as RYUK at 3 a.m. on Saturday.

Read more on WNCT. Some good reporting provides us with more details than we usually find in media reports of this kind.