
Posts tagged ransomware

8 posts.

Garmin

Garmin was hit by WastedLocker on the 23rd. Multi-day outage of Connect, flyGarmin, and the customer-services infrastructure. The Evil Corp attribution and the OFAC sanctions question complicate the ransom decision.

Travelex

Travelex hit by Sodinokibi (REvil) on New Year's Eve. Business is operationally offline twelve days later. The CVE-2019-19781 connection is the operational story.

Norsk Hydro

Norsk Hydro hit by LockerGoga on Tuesday morning. Smelter operations in multiple countries running on manual control. The transparency of the response is exemplary; the operational cost will be enormous.

Bad Rabbit

Tuesday's outbreak — affecting Russian and Ukrainian organisations primarily — uses drive-by web compromise plus credential-theft lateral movement. Echoes of NotPetya, with refinements.

WannaCry

Ransomware using the EternalBlue exploit hit the NHS and tens of thousands of organisations across at least 150 countries on Friday. The patching window from March was four weeks. The cost will be much larger than the ransom takings.