Sarina Gandy, Author at Cyber Florida at USF

Cybersecurity Workshop for Florida Critical Infrastructure

Document Management System – DMS with arrange folder and files icons. Man setup storage backup online application on computer laptop. Software for archiving, searching, managing files and information.

Join us on 29 October at the Tampa Palms Country Club for a dynamic cybersecurity workshop tailored to Florida’s critical infrastructure sectors.

This event will provide actionable recommendations for enhancing compliance with Florida Statute 282.318 and feature an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.

Participants will also engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents. A free lunch will be provided, along with opportunities to network with cybersecurity experts and industry peers.

Don’t miss this chance to improve your cybersecurity posture and resilience!

Sarina Gandy2024-10-04T09:50:48-04:00September 16, 2024|

Culture, Coaching, and Change: Loren Rosario-Maldonado On Embracing Multidimensional Leadership
Culture, Coaching, and Change: Loren Rosario-Maldonado On Embracing Multidimensional Leadership

Culture, Coaching, and Change: Loren Rosario-Maldonado On Embracing Multidimensional Leadership

Listen

Culture, Coaching, and Change: Loren Rosario-Maldonado On Embracing Multidimensional Leadership

Loren Rosario-Maldonado is a trained culturist, executive career coach, and keynote speaker, and the best-selling author of Becoming the Change. As a culturist and self-defined “rebel with a cause,” Loren specializes in examining how culture shapes everything we do—from the way we think and act to how we interact with the world around us.

In this episode, Loren joins Tashya Denose and Pam Lindemoen to explore the crucial role of emotional intelligence in leadership and why recognizing the multi-dimensional nature of individuals is essential, particularly in industries where human emotions are often overlooked.

Loren also shares her top tips and strategies as an executive coach, discussing the unique challenges women face in the business world and offering advice on how to advance to the next level in your career.

Find Loren on LinkedIn: https://www.linkedin.com/in/lorenrosariomaldonado/

Listen to C.H.O.I.C.E. Chats: https://www.lorenrosario.com/thechoicechatspodcast

Find us on social media: @DoWeBelongPod

Watch the podcast on YouTube: https://www.youtube.com/@cybersecurityfl

Learn more about Cyber Florida: cyberflorida.org

Sarina Gandy2024-09-06T09:42:01-04:00September 6, 2024|

Soul of Cyber with Sarina: CISA’s Jen Easterly on Leading with Resilience
Soul of Cyber with Sarina: CISA’s Jen Easterly on Leading with Resilience

Soul of Cyber with Sarina: CISA’s Jen Easterly on Leading with Resilience

Listen

Soul of Cyber with Sarina: CISA's Jen Easterly on Leading with Resilience

In this brand-new segment of the Do We Belong Here podcast, producer Sarina Gandy brings you the Soul of Cyber where she sits down with influential figures in the cybersecurity world to uncover the essence of who they are beyond their professional achievements.

Join Sarina at the 2024 WiCyS conference for an intimate conversation with Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Jen is a combat veteran with over two decades of service in intelligence and cyber operations, a dedicated mother, and an avid Rubik’s cube enthusiast. Her role in the cyber industry has been pivotal in creating transformative policies and fostering a more secure digital landscape.

In this episode, Sarina and Jen dive into:

The impact of being the only woman at the start of her career on her leadership style, including the value of military discipline and the importance of creating effective, diverse teams
Discovering and living your Ikigai, the Japanese concept of “reason for being”
Human resilience and Jen’s personal journey of testing her limits and overcoming challenges
The necessity for leaders to build teams with psychological safety

Tune in to gain unique insights into Jen Easterly’s life, leadership, and the soul of cybersecurity!

Find us on social media – @DoWeBelongPod

Sarina Gandy2024-07-26T11:57:56-04:00July 26, 2024|

Blacksuit Ransomware Updated IOCs
Blacksuit Ransomware Updated IOCs

Blacksuit Ransomware Updated IOCs

I. Targeted Entities

Healthcare sector
Education sector
Government organizations
Manufacturing industries
Retail industries

II. Introduction

New Indicators of Compromise associated with BlackSuit ransomware have been found in recent attacks. BlackSuit is a sophisticated cyber threat known for its double extortion tactics, encrypting and exfiltrating victim data to demand ransom.

III. Additional Background Information

BlackSuit ransomware emerged as a prominent threat actor in the cyber landscape in 2023. It is believed to be a direct successor to the Royal ransomware, itself a descendant of the notorious Conti ransomware group. BlackSuit shares significant code similarities with Royal, including encryption algorithms and communication methods, indicating that the operators behind BlackSuit have inherited and improved upon Royal’s techniques. An analysis made by Trend Micro revealed that BlackSuit and Royal ransomware have a high degree of similarity, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. Additionally, BlackSuit employs command-line arguments like those used by Royal, though with some variations and additional arguments.

This technical sophistication has allowed BlackSuit to conduct multiple high-profile attacks across various sectors since its emergence. Notably, one of the most significant attacks targeted a U.S.-based healthcare provider in October 2023, resulting in severe operational disruptions. The financial losses from this attack were estimated to be in the millions, including ransom payments and the cost of recovery and mitigation. In another incident, an educational institution suffered a data breach, leading to the exposure of sensitive student and staff information.

Financial gain is the primary motivation behind BlackSuit attacks. The group employs double extortion tactics, demanding ransom not only to decrypt the data but also to prevent the leaked data from being publicly released. This strategy increases the pressure on victims to pay the ransom, highlighting the ruthlessness and effectiveness of BlackSuit’s extortion methods.

Tools Used

Blacksuit ransomware: The main payload used for encrypting victim data.
Bravura Optitune: Legitimate remote monitoring and management (RMM) software used for maintaining remote access.
InfoStealer: Malware designed to steal sensitive information, including credentials and financial data.
NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovering host names and network services.
Process Explorer: A Microsoft Sysinternals tool that provides detailed information about processes running on a system, used for monitoring and debugging.
ProcessHacker: A free tool for monitoring system resources, debugging software, and detecting malware.
PsKill: Microsoft Sysinternals command-line tool used to terminate Windows processes on local or remote systems.
PsSuspend: Microsoft Sysinternals command-line tool used to suspend processes on a local or remote system.
PsExec: A Microsoft Sysinternals tool for executing processes on other systems, primarily used by attackers for lateral movement.
Rclone (suspected): An open-source tool that can manage content in the cloud, often abused by ransomware actors to exfiltrate data from victim machines.

These tools allow BlackSuit to conduct reconnaissance, maintain persistence, and execute their ransomware effectively. The group’s preference for leveraging legitimate software tools makes their activities harder to detect and mitigate. Understanding the tools and methods employed by BlackSuit ransomware is critical for defending against their attacks.

IV. MITRE ATT&CK

T1057 – Process Discovery
- BlackSuit ransomware operators use tools like Process Explorer to list and monitor active processes. This allows them to identify security software, such as antivirus or endpoint detection and response (EDR) tools, which they may attempt to disable to avoid detection and ensure the success of their attack.
T1059 – Command and Scripting Interpreter
- BlackSuit ransomware leverages PowerShell scripts to execute commands and payloads on compromised systems. PowerShell is a powerful scripting language built into Windows, which allows for the automation of administrative tasks. By using PowerShell, attackers can download additional payloads, execute them, and carry out further malicious activities without raising immediate suspicion.
T1082 – System Information Discovery
- BlackSuit may run commands to gather information about the system architecture, OS version, installed software, and hardware details. This information helps attackers tailor their payloads and strategies to the specific environment they are targeting, increasing the chances of a successful attack.
T1083 – File and Directory Discovery
- BlackSuit ransomware may use commands or scripts to enumerate user directories, document folders, and network shares. This helps them identify valuable files to encrypt, maximizing the impact of their attack and increasing the likelihood that victims will pay the ransom to regain access to their data.
T1204 – User Execution
- BlackSuit ransomware operators may send phishing emails with malicious attachments or links. These emails are crafted to appear legitimate, often posing as invoices, delivery notifications, or urgent messages that require immediate attention. When the recipient opens the attachment or clicks the link, the ransomware is executed, leading to the infection of their system.
T1486 – Data Encrypted for Impact
- BlackSuit encrypts critical files on the victim’s system using strong encryption algorithms. After encryption, the attackers demand a ransom for the decryption key needed to restore access to the data. This not only disrupts the victim’s operations but also places them under significant pressure to pay the ransom to recover their data.
T1490 – Inhibit System Recovery
- BlackSuit ransomware might delete Volume Shadow Copies on Windows systems. Volume Shadow Copies are backup snapshots created by the operating system that allow users to restore their data to a previous state. By deleting these backups, the attackers ensure that victims cannot easily recover their data without paying the ransom, thereby increasing the effectiveness of their extortion.

V. Recommendations

Hash Blacklisting and Detection Updates:
- Maintain an up-to-date blacklist of known malicious file hashes associated with BlackSuit and other ransomware variants. Use threat intelligence feeds and security vendors’ databases to identify and block these malicious files at the network perimeter and endpoint levels. Ensure that antivirus and anti-malware solutions are set to receive regular updates for detecting new ransomware variants and their associated hashes. Promptly apply these updates to enhance your organization’s capability to detect and prevent ransomware infections.
Regular Backup and Disaster Recovery Planning:
- Maintain regular backups of critical data and systems, and store them securely, preferably off-site or in a cloud environment with strong encryption. Develop and periodically test a comprehensive disaster recovery plan that includes procedures for restoring data and services in a cyberattack.

Implement Advanced Threat Intelligence and Information Sharing:
- Subscribe to and actively monitor threat intelligence feeds for the latest information on vulnerabilities and threats. Participate in industry and government cybersecurity information-sharing programs to stay informed about emerging threats and best practices.

Enhance Incident Response and Forensic Capabilities:
- Develop and maintain a robust incident response plan that includes procedures for containment, eradication, and recovery. Ensure that forensic capabilities are available to investigate and understand the nature and scope of any breach, to improve defenses and prevent future incidents.

Manage Default Accounts on Enterprise Assets and Software:
- Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

VI. IOCs (Indicators of Compromise)

File Name	Description	SHA-1 Hash	Virus Total Detections
psexec.exe	PsExec	078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b	2
decryptor.exe	Blacksuit Ransomware	141c7c7a2dea1be7304551a1fa0d4e4736e45b079f48eb8ff4c45d6a033b995a	51
netscan.exe	NetScan	18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566	32
sqlite.dll	Suspected information-stealing malware	5c297d9d50d0a784f16ac545dd93a889f8f11bf37b29f8f6907220936ab9434f	38
pskill.exe	PsKill	5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42	1
rclone.exe	Rclone	d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d	2
ProcessHacker.exe	ProcessHacker	bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4	29

Network IOCs	Virus Total Detections
185.73.125[.]96	10

VII. References

Blacksuit (2024) SentinelOne. Available at: https://www.sentinelone.com/anthology/blacksuit/ (Accessed: 08 June 2024).

Montalbano, E. (2024) BlackSuit claims dozens of victims with ransomware, BlackSuit Claims Dozens of Victims With Ransomware. Available at: https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware (Accessed: 08 June 2024).

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Pagliaroni, Yousef Aref, Abdullah Siddiqi, and Nahyan Jamil.

Sarina Gandy2024-07-24T13:34:43-04:00July 24, 2024|

Critical Update: Resolving the Microsoft Windows and CrowdStrike Outage
Critical Update: Resolving the Microsoft Windows and CrowdStrike Outage

Critical Update: Resolving the Microsoft Windows and CrowdStrike Outage

Early this morning, a widespread fault with Microsoft Windows machines running the CrowdStrike Falcon agent caused chaos around the globe – grounding flights, taking banks, hospital systems, and media offline, and causing a massive global disruption to companies and services around the world.

What Happened?

Cybersecurity firm CrowdStrike said that the issue believed to be behind the outage was not a security incident or cyberattack — the problem occurred when it deployed a faulty update to computers running Microsoft Windows.

Microsoft stated, “We have been made aware of an issue impacting Virtual Machines running Windows Client and Windows Server, running the CrowdStrike Falcon agent, which may encounter a bug check (BSOD) and get stuck in a restarting state.”

Steps to Resolve the Issue

Microsoft Azure released a fix for this issue. For detailed instructions, visit: https://azure.status.microsoft/en-gb/status

1. Restart Your Virtual Machines

Many users have reported success by repeatedly restarting their VMs. Although it may take multiple attempts (as many as 15 in some cases), this has proven to be an effective troubleshooting step. You can restart your VMs through the Azure Portal or using the Azure CLI:

Using the Azure Portal: Navigate to your affected VMs and click on ‘Restart.’
Using the Azure CLI or Azure Shell: Follow the instructions here to restart your VMs: Azure CLI Documentation

2. Restore from a Backup

If you have backups from before 19:00 UTC on July 18th, restoring from these backups is a reliable solution. Here’s how you can do it if you are using Azure Backup:

Follow the instructions in this guide: How to Restore Azure VM Data

3. Repair the OS Disk

Another option is to repair the OS disk by attaching it to a repair VM. This allows you to delete the problematic file directly. Here are the steps:

Attach the OS disk to a repair VM through the Azure Portal.
Navigate to the disk and delete the file located at Windows/System32/Drivers/CrowdStrike/C00000291*.sys.
Detach the disk and reattach it to the original VM.

For detailed instructions on repairing the OS disk, refer to: Troubleshoot a Windows VM

.sys Removal Script

This script automatically finds and removes the problematic .sys file on the host. This script can be put on a USB drive and executed with administrative privileges for ease of use across multiple systems.

Ongoing Support

The affected update has been pulled by CrowdStrike. Customers that are continuing to experience issues should reach out to CrowdStrike for additional assistance.

Microsoft is continuing to investigate additional mitigation options for customers and will share more information as it becomes known. For current updates, visit: https://azure.status.microsoft/en-gb/status

Additional Resources

Sarina Gandy2024-07-19T21:03:15-04:00July 19, 2024|

False Promises, Real Losses: Navigating the Dangers of Romance Scams

Romance scams have become a significant financial threat, preying on individuals’ emotions and vulnerabilities. In 2023, consumers have lost $1.14 billion to romance scams, making it one of the most financially damaging forms of imposter fraud.

The financial and emotional toll on victims of romance scams is severe. The Federal Trade Commission (FTC) reported that the median loss per victim in 2023 was $2,000, the highest for any type of imposter scam. Furthermore, romance scams often lead to feelings of betrayal and embarrassment, making it difficult for victims to come forward and seek help. In many cases, victims are isolated from their friends and family, further exacerbating their vulnerability.

Romance scams involve criminals adopting fake online identities to gain victims’ trust and affection. These scammers manipulate victims into sending money or providing access to their financial accounts. Tracy Kitten, the director of fraud and security at Javelin Strategy & Research, emphasizes that these scams are particularly insidious because they exploit emotional connections. Once trust is established, victims are more likely to comply with the scammer’s requests, believing in the authenticity of the relationship.

Methods Used by Scammers

Building Trust: Scammers create convincing online profiles and develop relationships over time. They often claim to be working overseas or in the military, providing plausible excuses for not meeting in person.
Emotional Manipulation: Scammers exploit victims’ emotions, claiming to need money for medical emergencies, travel expenses, or legal fees. They may also use pressure tactics and isolation attempts to maintain control over the victim (Source 1: CNBC, Source 2: FBI).
Platform Selection: Many romance scams begin on social media platforms, with scammers reaching out through unsolicited messages. According to the FTC, 40% of victims who lost money to romance scams in 2022 were initially contacted via social media (Source: CNBC).

Detecting and Preventing Romance Scams

Requests for Money: The most significant red flag is when someone asks for money. Scammers often create urgent situations to prompt financial help.
Too Good to Be True: If a new contact seems overly interested and perfect, it may be a scam.
Refusal to Meet in Person: Scammers usually avoid in-person meetings, citing various excuses.
Isolation Attempts: If someone discourages you from discussing your new relationship with friends or family, be cautious.
Pressure Tactics: Scammers may rush the relationship and pressure you into making quick decisions (Source 1: CNBC, Source 2: FBI).

Steps to Take

Reverse Search Images: Use online tools to verify the authenticity of the profile pictures.
Check Privacy Settings: Limit the information you share publicly on social media.
Take Your Time: Ask detailed questions about the person’s background and verify their answers.
Avoid Financial Transactions: Never send money or share financial information with someone you have only met online.
Meet in Public: If you decide to meet, choose a public location and inform someone you trust about the meeting.

Reporting Scams

If you encounter suspicious profiles or messages online, it’s crucial to report them promptly. Inform the platform you’re using and for more detailed guidance on reporting cybercrimes, visit Cyber Florida’s reporting page at Cyber Florida Reporting. Victims can also find support through organizations like The Cybercrime Support Network, offering counseling and recovery groups.

Information retrieved from the CNBC and the FBI online resources.

More resources:

Sarina Gandy2024-07-18T13:42:35-04:00July 18, 2024|

Do We Belong Here? | A Premiere Event
Do We Belong Here? | A Premiere Event

Do We Belong Here? | A Premiere Event

Join us for the “Do We Belong Here?” Documentary Premiere

We are thrilled to announce the premiere of the “Do We Belong Here?” documentary, created in partnership with Cisco and WiCyS! Join us on 10 September at The Tampa Theatre for an inspiring evening.

The documentary highlights the stories of women in cybersecurity, showcasing their challenges and triumphs. This is not just a premiere but a celebration of our collective efforts to inspire and bring visibility to the incredible journeys of women in cybersecurity. We hope you can join us for an evening of inspiration, connection, and celebration.

Please note that this event will be photographed and video recorded for promotional and archival purposes.

Event Schedule:

5:30 p.m. – Networking
6:30 p.m. – Documentary premiere
8:00 p.m. – Q&A with the Do We Belong Here podcast team

FAQs

Q: Where is The Tampa Theatre located?
A: The Tampa Theatre is located at 711 N Franklin Street, Tampa, FL 33602. You can find parking at nearby lots and garages. https://tampatheatre.org/about/know-before-you-go/

Q: What is the dress code?
A: Business casual, with a touch of glamour! Feel free to wear whatever makes you feel your most fabulous—red carpet looks are encouraged, but not required.

Q: Will snacks and drinks be provided?
A: Each attendee will receive 1 ticket for a small popcorn and 1 ticket for a small soda or water. Additional movie snacks, drinks, and a selection of adult beverages will be available for purchase at the Tampa Theatre.

Q: Is RSVP required?
A: Yes, RSVP is required for this event.

Q: Is there a social media hashtag for the event?
A: Yes! Feel free to share your experience using the hashtags #TellHerStory and #DoWeBelongHere.

Registration has closed for this event. Stay tuned for the online premiere on September 12!

Sarina Gandy2024-09-20T10:25:32-04:00July 16, 2024|

NSA Cybersecurity Services for DoD Contractors
NSA Cybersecurity Services for DoD Contractors

NSA Cybersecurity Services for DoD Contractors

These valuable NSA services are offered for companies with an active DoD (Department of Defense) contract, or with access to non-public, DoD information, several threat-informed cybersecurity solutions to help reduce risk of network compromise and protect sensitive but unclassified information.

learn more

Sarina Gandy2024-07-15T12:08:13-04:00July 15, 2024|

LockBit Operators Utilizing New AV-Bypass Tool
LockBit Operators Utilizing New AV-Bypass Tool