CYBER INTELLIGENCE REPORT:
FLORIDA RANSOMWARE INCIDENTS 16–19 USF SCHOOL OF INFORMATION
Report and analysis by Ryan Haggard, MSIS, under the supervision of Mr. “Scuba” Steve Gary, MS, CISSP
CYBER FLORIDA
2 | Cyber Intelligence Report: Florida Ransomware Incidents 2016-2019
This image is a representation of the ransom note Maze victims receive after their system becomes compromised.
cyberflorida.org | 3
Foreword
Ransomware has become the cyberattack of choice among cybercriminals and other denizens of the Dark Web. Indeed, it’s reached ‘pandemic’ proportions in Florida, especially among the state’s local governments, and it’s something that every chief information security officer, cyber intel analyst, and policymaker must increasingly pay attention to. That’s the purpose of this report.
As we know, ransomware infects a computer system—often as a result of a classic spear-phishing attack—and holds the files and data hostage by blocking users’ access until they pay a fee/ransom. In a word, it’s cyber extortion, pure and simple. Unfortunately, it is also too often effective, and the threat—and the ransoms—are growing. Thus, even though many organizations don’t like to report ransomware attacks, especially when they’re forced to pay—the toll is expected to reach $20 billion globally by the end of 2021. And to make matters worse, state and local governments are top targets—we saw that firsthand when Cyber Florida conducted a series of workshops on cybersecurity for over 300 mayors, city managers, and county administrators.
Some ransomware attacks are widespread and opportunistic. Others are carefully targeted. In either case, however, the malware most often gets into an organization’s networks and systems through human error…in other words, via poor ‘cyber hygiene’ practices. The good news? That means that cybersecurity awareness and education are an effective first line of defense when it comes to thwarting a ransomware attack. So, too, is an understanding of the threat; that is essential, and that means having good cyber intelligence. As one security analyst noted: “There is no easy win in the war on cyber extortion, and the only way to deal with this threat is to first have proper intelligence—understanding how ransomware works, who it targets, how, and where.”
That’s where this report comes in.
It’s the first in a series of collaborative products developed by the University of South Florida School of Information’s Cyber Intelligence Program and Cyber Florida to make readers in Florida and elsewhere aware of cyber threats like ransomware so that they can get ahead of the threat.
HON J. Michael ‘Mike’ McConnell Executive Director, Cyber Florida Former Director of U.S. National Intelligence
Randy Borum, PsyD Professor and Director of Intelligence Studies University of South Florida
Copyright ©2020 Florida Center for Cybersecurity, All Rights Reserved. This publication is made available by the Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs. Use of this document does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.
Executive Summary
Ransomware is an increasing threat to Florida public and private sector institutions. Florida has experienced a massive uptick in ransomware incidents, starting in 2019, with significant monetary impact, as well as disruption of critical infrastructure. Fifty percent of targeted Florida organizations refused to pay the ransoms, while 22.2% agreed to pay the requested ransom amount, sometimes costing the organizations hundreds of thousands of dollars. The outcomes in the remaining percentage of Florida organizations are unknown. Public sector organizations composed 77.8% of ransomware victims, and it is unclear whether this is the result of a targeting methodology or indicative of poor cybersecurity practices.
There are two known ransomware strains and operators in the Florida cases: Ryuk, operated by Wizard Spider (16.7% of cases), and Maze, operated by the Maze Crew (5.6% of cases). Both organizations are Russia-based cybercriminal groups. Neither organization has proven nation-state links. The ransomware strains and operators are not publicized/known in the remaining majority of Florida cases.
Ransomware is a cost-efficient and time-efficient tool for cybercriminals. Phishing campaigns, compromised websites, etc. can reach many potential victims with minimal effort. A ransomware payload only requires a single point of entry to infect a computer network. This combination creates a situation where ransomware can still infect many networks and receive payment, even if the total infection rate is low. Additionally, the location of these cybercriminal groups in nonextradition countries creates difficulties for disruption and prosecution. The ease-of-use elements, combined with proven financial incentives and the lack of mitigating factors, suggest that the use of ransomware will continue.
Cyber Threat Actors
Most cyber threat actors are unknown or unidentified in the Florida cases. There are likely multiple groups beyond those identified, given the differences in ransomware programs used and their differing targeting methodologies. The two known groups are Wizard Spider and the Maze Crew. Little is known about these groups outside of their previous attacks.
Wizard Spider is a designation given by the cybersecurity firm CrowdStrike [1] to a Russian cybercriminal group previously known for operating the TrickBot banking malware [2]. It is unproven if Wizard Spider is state-sponsored, but analysts lean towards non-sponsorship due to the ransomware naming convention [3].
The Maze Crew are operators of Maze malware. This is the first known ransomware group to threaten to publish sensitive stolen data as leverage for payment [4]. The Maze Crew is noted as likely to be Russian, as the servers are located in Russia, and the language check will clear the memory and exit the system if it detects a language in the system from a post-Soviet state (a hallmark of Russian cybercriminal groups) [5]. Additionally, the ransom notes from Maze malware, as well as the interviews given to Bleeping Computer, all bear hallmarks of Russian syntax, such as: “socially-vital objects.” It is unknown if the Maze Crew is state-sponsored.
Targets
The targets appear to be limited to local governments, local emergency services, small/medium-sized businesses, and small non-governmental organizations (NGOs). The key shared factors between the targets are the centralization of information operations infrastructure, relative isolation, limited investigation/retaliatory capability, and moderate payout ability.
There is an information gap concerning the specific targeting methodologies of the unknown groups. Some groups targeted emergency medical services (EMS), while other groups refused to target EMS for moral reasons. The Maze Crew explicitly stated that they avoided encrypting EMS and other “socially significant services” with their ransomware. The Maze Crew stated that “if someone uses our software to block the latter [socially significant services], we will provide a decrypt for free.” Wizard Spider specifically engages in ‘big game hunting,’ targeting medium-large organizations for a high-ransom reward [6].
Table 1 List of Florida Ransomware Incidents
| Target | Ransomware | Paid | Insurance | Date | Additional Notes |
| --- | --- | --- | --- | --- | --- |
| Palm Beach City Elections | Unknown | No | Unknown | 2016 [7] | FBI and DHS never notified. Only came to light in Feb 2020 when IT director was fired for possession of child pornography. |
| City of Sarasota | Unknown | No | Unknown | Feb 2016 [8] | System restored. 10–12TB of data encrypted. $33M ransom. |
| Town of Palm Beach 911 System | Unknown | No | Unknown | May/June 2016 [9] | Attacked two times in three weeks. Restored from backup. |
| Marion County | Unknown | No | Unknown | Jan 2017 [10] | Multiple attacks blocked by IT department. |
| City of Stuart | Ryuk | No | Unknown | April 2019 [11] | Also installed Trickbot. Partial downtime of a week. IT department restored system. |
| City of Riviera Beach | Unknown | $592,000 | Yes | May 2019 [12] | City only paid $25,000 deductible to insurance. |
| City of Key Biscayne | Unknown | Unknown | Unknown | June 2019 [13] | Possible ransomware attack, officials silent. |
| Lake City | Unknown | $480,000 | Yes | June 2019 [14] | Deductible not publicized. |
| Lee County | Unknown | Unknown | Unknown | Sept 2019 [15] | Possible ransomware attack, officials silent. |
| Wakulla County School District | Unknown | Yes | Yes | Sept 2019 [16] | |
| Center for Facial Restoration (Miramar) | Unknown | No | Unknown | Nov 2019 [17] | Patients contacted by hackers as well. |
| City of Pensacola | Maze | Unknown | No | Dec 2019 [18] | $1M ransom, 2GB data published, 6–32GB stolen [19]. |
| Florida PRIDE | Unknown | Unknown | Unknown | Dec 2019 [20] | |
| St. Lucie Sheriff’s Dept. | Unknown | No | Unknown | Dec 2019 [21] | Restored servers from backup. Downtime: 1 week. Lost 24 hrs of data. |
| West Palm Beach Arrigo Dodge Car Dealership | Unknown | No | Unknown | Dec 2019 [22] | No personal identifying information stolen (PII). Owner paid $285,000 for new computer system. |
| Tampa Bay Times | Ryuk | No | Unknown | Jan 2020 [23] | No data breached, PII unaffected. IT dept. restored system from backups. |
| Volusia County Libraries | Ryuk | Unknown | Yes | Jan 2020 [24] | 20 servers and 600 computers encrypted. |
| North Miami PD | Unknown | Unknown | Unknown | Feb 2020 [25] | Computer systems shut down. Little known. Ransom of “millions” |
Figure 1. Florida Ransomware Incidents 2016-2019 [bar chart: Florida ransomware incidents per year, 2016 to 2019; vertical axis 0 to 12]
[Chart legend: Payment, Non-Payment, Unknown]
Figure 2 Florida Ransomware Targets: Public Sector vs Private Sector [chart legend: Public Sector, Private Sector]
Figure 3 Ransomware Strains Used in Florida Incidents [chart legend: Maze, Ryuk, Unknown]
Figure 5 Confirmed ransomware incidents in cyan, suspected ransomware incidents in green [map of Florida; labeled cities: Pensacola, Tallahassee, Jacksonville, Lake City, Ocala, Daytona Beach, Orlando, Tampa, Port St. Lucie, Fort Myers, West Palm Beach, Fort Lauderdale, Miami]
Intentions
Financial gain has been the exclusive motivation for ransomware deployment in Florida by these cyber criminals. This holds true in every recorded case in Florida thus far. While there is an information gap on the follow-up to many of these cases, there has not been a publicized case of a Florida organization paying out to the criminal groups, and the criminals then not decrypting the files. Likewise, retaliation by the criminal groups to non-payment of the ransom is insufficiently documented for a meaningful analysis.
Tactics, Techniques, and Procedures (TTPs)
The deployment of ransomware in Florida mirrors the typical pattern of ransomware deployment elsewhere. There are two general access phases: the initial access to the first device, and then the subsequent spread to all devices connected to that device’s network. The first access phase usually begins with a (spear)phishing attempt wherein the access is gained from opening a file. After the access is gained, the ransomware program is deployed. The ransomware then attempts to spread to all devices that are on the shared network and begins encrypting the files on the network, functionally “locking” the affected systems [26]. Some advanced ransomware strains will duplicate and extract files from the network pre-encryption for further blackmail purposes and/or leverage (such as pay-or-release) [27]. The victim is usually sent a “read me” text file from the ransomware program, detailing the attacker’s demands and deadlines. While there is not complete data on the ransom amounts demanded from the victim organizations, all incidents where the ransom amount is released publicly were conducted in Bitcoin. Upon successful payment, the attackers would generate the symmetric key to the encryption and then send it to the victim. If the victim refuses to pay, the attackers have the option of keeping the system locked, publishing sensitive extracted information (if they duplicated and extracted files beforehand) [28], attacking the replacement system, and so forth. As many of these groups have not been identified, the TTPs for the majority of these groups are unknown.
Wizard Spider
Wizard Spider primarily targets large organizations for higher ransom rewards. This diverges from Wizard Spider’s previous concentration on operating the Trickbot banking malware to execute wire fraud. Ryuk is designed specifically to target enterprise environments and is primarily delivered through phishing emails. Once the payload is delivered, a hidden PowerShell script is executed and connects to a remote IP address, from which it downloads and executes a reverse shell onto the now-compromised host. PowerShell anti-logging scripts are then executed; subsequently, network reconnaissance runs using Windows command-line tools and external uploaded tools. After reconnaissance, Service User Accounts are created, and PowerShell Empire is installed [29]. Ryuk will continue to propagate until an account is found with domain controller access. Once domain controller access is acquired, Ryuk will then spread to individual hosts in the network, and batch scripts are executed to terminate processes and services, remove backups, and finally encrypt the network files. At this point, Ryuk will then inform the victim via a ransom note, entitled ‘RyukReadMe.txt’ or ‘RyukReadMe.html’ [30].
While a number of ransom note templates were recorded, the email address and Bitcoin (BTC) wallet address may change. The email addresses typically contain an address at protonmail.com and tutanota.com. The email names are generally lesser-known actors and directors, though Instagram model names were observed [31]. The ransom note template has marked similarities to “BitPaymer” ransom notes; however, it is currently unclear to what extent Wizard Spider is copying BitPaymer TTPs or if there is any collaboration between the two groups. The ransom demands vary between 1.7 BTC and 99 BTC; from August 2018 to January 2019, Wizard Spider made 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD. These 52 known transactions range across 47 BTC addresses. CrowdStrike notes that Wizard Spider likely calculates the ransom sum based on the size and value of the victim organization [32].
Figure 6 Attack Flow 1: Ryuk [33]. A sample Ryuk ransomware attack flow (Cybereason).
The Maze Crew
The Maze Crew uses multiple methods of intrusion for its titular ransomware: phishing, drive-by downloads from cloned cryptocurrency sites, malspam campaigns impersonating government agencies and well-known security vendors [34], as well as the Spelevo and Fallout exploit kits. Notably, the malspam campaigns are tailored in multiple languages, targeting organizations in the United States and European Union [35]. The Maze Crew is notoriously active on social media and has conducted interviews with malware researchers [37]. The Spelevo exploit kit uses a fake business-to-business page (B2B), which delivers the payload via drive-by download (previously the Dridex banking trojan, now Maze ransomware). The Fallout exploit kit can be spread through a fake cryptocurrency application that uses the drive-by download function, conditional upon the detection of specific vulnerabilities [38].
Once installed, Maze ransomware will attempt to gain as much access as it can, copying and exfiltrating files, then encrypting the original files. It will then immediately delete shadow copies and backups on the infected machines. A text file named “DECRYPT-FILES.txt” is then placed in each of the file directories and contains a URL path that is unique to each victim. This website contains information on payment options, a chatroom, test decrypts for three image files, and an “about us” page [39]. Maze ransomware sets the ransom amount based on the type of device it detected: standalone server, server in a corporate network, workstation in corporate network, home computer, primary domain controller, backup server, among others. The Maze Crew runs a website (currently “http://mazenews.top/” at the time of writing) where it releases stolen information from companies that refuse to pay the ransom [40].
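The ransom-note file names given in the Wizard Spider and Maze Crew sections above (RyukReadMe.txt, RyukReadMe.html, DECRYPT-FILES.txt) can be used as host indicators. The following is an added example, not part of the original report: it triages file-creation events and separates a single sighting from notes landing in many directories at once. The event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
"""Triage file-creation events for the ransom-note names cited in this report."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Note file names as given in the report, lower-cased for matching.
NOTE_NAMES = {
    "ryukreadme.txt": "Ryuk",
    "ryukreadme.html": "Ryuk",
    "decrypt-files.txt": "Maze",
}

# Assumed tuning values, not from the report: notes appearing in at least
# MIN_DIRS distinct directories within WINDOW suggest encryption under way.
MIN_DIRS = 3
WINDOW = timedelta(minutes=10)

# Constructed sample events, one per line: ISO timestamp,host,created path.
SAMPLE_EVENTS = r"""
2020-01-22T03:14:05,FS01,C:\Shares\Finance\RyukReadMe.txt
2020-01-22T03:14:06,FS01,C:\Shares\Finance\budget.xlsx
2020-01-22T03:14:09,FS01,C:\Shares\HR\RyukReadMe.txt
2020-01-22T03:15:40,FS01,C:\Shares\Legal, Contracts\RYUKREADME.HTML
2020-01-22T09:30:00,WS07,C:\Users\analyst\Downloads\DECRYPT-FILES.txt
2020-01-22T01:00:00,WS12,C:\Data\A\DECRYPT-FILES.txt
2020-01-22T05:00:00,WS12,C:\Data\B\DECRYPT-FILES.txt
2020-01-22T09:00:00,WS12,C:\Docs\ReadMe.txt
this line is malformed and must be skipped
"""


def parse_events(text):
    """Return (timestamp, host, path) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)  # the path itself may contain commas
        if len(parts) != 3:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((stamp, parts[1], parts[2]))
    return events


def peak_dirs(hits):
    """Largest number of distinct directories hit inside any WINDOW span."""
    hits = sorted(hits)
    best, left, live = 0, 0, defaultdict(int)
    for stamp, directory in hits:
        live[directory] += 1
        # Slide the left edge until the window again spans at most WINDOW.
        while stamp - hits[left][0] > WINDOW:
            old = hits[left][1]
            live[old] -= 1
            if not live[old]:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def triage(events):
    """Group note drops by (host, family) and grade each group."""
    drops = defaultdict(list)
    for stamp, host, path in events:
        win_path = PureWindowsPath(path)
        family = NOTE_NAMES.get(win_path.name.lower())  # case-insensitive match
        if family:
            drops[(host, family)].append((stamp, str(win_path.parent).lower()))
    findings = []
    for (host, family), hits in sorted(drops.items()):
        peak = peak_dirs(hits)
        findings.append({
            "host": host,
            "family": family,
            "distinct_dirs": len({d for _, d in hits}),
            "peak_dirs_in_window": peak,
            "first_seen": min(s for s, _ in hits),
            # One note in one folder may be a copied sample; a burst across
            # folders matches the per-directory drop the report describes.
            "verdict": "active" if peak >= MIN_DIRS else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The first_seen value per host gives responders a starting point for scoping how far back to look for the earlier intrusion stages.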
Tools/Malware
Tactics, Techniques, and Procedures (TTPs)
Ryuk was first observed in August 2018, in a public malware repository. Analysis of Ryuk’s code indicates derivation from Hermes ransomware. Hermes ransomware is attributed to the group Stardust Chollima, a component of the North Korean Lazarus Group Advanced Persistent Threat (APT) group, and was sold on hacker forums in 2017, for $300 USD [41]. Both Ryuk and Hermes target processes and files similarly, though Ryuk has a different logic regarding file access. Both ransomware strains encrypt files using RSA-2048 and AES-256 [42], and store keys in the executable using Microsoft SIMPLEBLOB format. They both encrypt mounted devices and remote hosts and use Hermes file markers to mark/check if a file has been encrypted. While Hermes will create an RSA public/private key pair (“Victim Key”), Ryuk instead embeds two public RSA keys, creating a unique key for each executable. This design by Ryuk limits the usage of the decryption key to a single system, ensuring that one decryption key is not able to decrypt other victims. While Hermes is used by multiple cybercriminal groups, Ryuk appears to be exclusively used by Wizard Spider [43], an impressive feat given that Ryuk’s market share is estimated to make up 15-25% of all ransomware incidents [44].
Ryuk is under continuous development; different functionalities are regularly added and removed. There are two variants of Ryuk binaries: a dropper and an executable payload [45]. The dropper is often unable to be recovered, as the executable payload will delete the dropper after launching. Notably, Ryuk has few whitelists regarding non-encryption, which can potentially affect host stability via encryption of system files. The three extensions that are currently whitelisted are “exe”, “dll”, and “hrmlog” (a Hermes debug log filename). Ryuk injects a remote process to encrypt files, after adjusting its token privileges. Ryuk does not have anti-recovery and process/service termination in the executable; instead, they are contained within two batch files. The Ryuk anti-recovery commands are noted to be extensive, compared to other ransomware strains, and have not yet been duplicated [46]. Lastly, the ransomware will not execute if it detects the host language 0419 (Russian), 0422 (Ukrainian) or 0423 (Belarusian). This is a common practice for malware developers/merchants in Russia to avoid attention from local law enforcement [47].
Table 2 Ryuk Bitcoin Information
Table 3 Ryuk Indicators of Compromise
Figure 7 List of Processes Stopped by Ryuk [48]
Maze Ransomware
Maze infected its first target in October 2019, using the Fallout exploit kit, phishing campaigns, and compromised RDP connections [49]. Maze, previously known as “ChaCha,” was discovered in May 2019, as the payload from the Fallout exploit kit, appended to a fake Abra cryptocurrency exchange website [50]. Fallout regularly operationalizes exploits from GitHub [51]. Along with Fallout, Maze also uses the Spelevo exploit kit. Spelevo takes advantage of the CVE-2018-8174 vulnerability for Internet Explorer and both CVE-2018-15982 and CVE-2018-4878 vulnerabilities in Flash, and accordingly is limited to Internet Explorer (roughly 5% of the global browser market share) [52].
After Maze gains access to the victim environment, the attackers export the target data prior to encryption, and then drop the portable ransomware executable onto the device. After the data is exfiltrated, the ransomware will delete any detected backups in the victim environment and encrypt all files with the ChaCha algorithm. Then it will re-encrypt the encrypted files with RSA-2048 and add randomized extensions to the end of each file [53]. Maze has anti-debugger capabilities, including deletion, avoidance, and triggering infinite loops. Additionally, Maze will self-exfiltrate after clearing the victim system memory if it detects the host language correctly paired with the respective country (exceptions listed in brackets) as: 0419 (Russian), 0422 (Ukrainian), 0423 (Belarusian), 0428 (Tajik [Cyrillic]), 042B (Armenian), 042C (Azerbaijani [Latin]), 0437 (Georgian), 043F (Kazakh), 0440 (Kyrgyz), 0442 (Turkmen), 0443 (Uzbek [Latin]), 0444 (Tatar), 0818 (Romanian {From Moldova only}), 0819 (Russian {Moldova}), 082C (Azerbaijani [Cyrillic]), 0846 (Uzbek [Cyrillic]), 07C1A (Serbian), 06C1A (Serbian [Cyrillic]), 01C1A (Serbian [Cyrillic] {From Bosnia and Herzegovina}), 0281A (Serbian [Cyrillic from Serbia]), 081A (Serbian [Latin]) [54]. Maze is not used exclusively by the Maze Crew, by the operators’ own admission [55]. As such, any future alterations to the infection vectors, ransomware code, etc. may change over time.
Table 4 Maze Indicators of Compromise
Table 5 Maze Associated Servers
Table 6 Maze Associated IP Addresses
Table 7 Maze Registry Edits
| Registry Edits (Maze) | Source |
| --- | --- |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1473359_RASMANCS | 39 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1473359_RASAPI32 | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Speech\PhoneConverters | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | 39 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager | 39 |
Assessment
Ransomware use is trending upward in Florida, due to its profitability, ease of targeting, and difficulty in prosecution. Public institutions in Florida appear to be the favored target (or conversely may have the poorest cybersecurity practices) and have repeatedly demonstrated a willingness to pay ransom demands. There is nothing that prevents repeat attacks on the same institution; in fact, criminal organizations may further target a previous victim due to their willingness to pay and proven vulnerability [59]. While not yet observed in the Florida cases, some ransomware strains can install backdoors for repeat infection [60].
Ransomware provides a cost-effective and time-effective option for cybercriminals. Phishing campaigns, compromised websites, and other infection vectors can reach many potential victims with minimal effort and monetary expenditure. A system can be infected from a single entry point, further increasing the likelihood of a ransomware group successfully infecting victims. While most of the ransomware strains are not publicized in the Florida cases, the absence of criminal prosecution, coupled with the Russia-based cybercriminal group cases (the United States does not have an extradition treaty with the Russian Federation) [61], indicates a lack of repercussions for successful and failed incidents.
We predict ransomware attacks will continue and will likely continue to increase in frequency and dollar amount of ransom. We recommend using the intelligence provided here to help protect your networks from ransomware.
References
Abrams, Lawrence. “Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand,” Bleeping Computer. Published December 11, 2019. https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/
Abrams, Lawrence. “Maze Ransomware says computer type determines ransom amount,” Bleeping Computer. Published May 31, 2019. https://www.bleepingcomputer.com/news/security/maze-ransomware-says-computer-type-determines-ransom-amount/
Adriano, Lyle. “Cyberattack postmortem reveals Florida city lost 6GB of data,” Insurance Business America. Published February 12, 2020. https://www.insurancebusinessmag.com/us/news/cyber/cyberattack-postmortem-reveals-florida-city-lost-6gb-of-data-213486.aspx
Barrett, Ryan. “Ransomware Is A Repeat Offender: How To Protect Your Business,” Forbes. Published February 28, 2017. https://www.forbes.com/sites/groupthink/2017/02/28/ransomware-is-a-repeat-offender-how-to-protect-your-business/#6f41f7935c94
Carollo, Malena. “Tampa Bay Times hit by ransomware attack,” Tampa Bay Times. Published January 23, 2020. Updated January 24, 2020. https://www.tampabay.com/news/business/2020/01/23/tampa-bay-times-hit-by-ransomware-attack/
Coble, Sarah. “MAZE Relaunches ‘Name and Shame’ Website,” Infosecurity Group. Published January 10, 2020. https://www.infosecurity-magazine.com/news/maze-relaunches-name-and-shame/
Detman, Gary. “St. Lucie County Sheriff’s Office hit by cyber attack,” CBS 12 News. Published December 17, 2019. https://cbs12.com/news/local/st-lucie-county-sheriffs-office-hit-by-cyber-attack
Dodia, Rajdeepsinh. “Examining the Ryuk Ransomware,” Zscaler. Published October 10, 2019. https://www.zscaler.com/blogs/research/examining-ryuk-ransomware
Doris, Tony. “Why Riviera Beach agreed to pay a $600,000 ransom payment to regain data access... and will it work?,” Palm Beach Post. Published June 19, 2019. Updated June 20, 2019. https://www.palmbeachpost.com/news/20190619/why-riviera-beachagreed-to-pay-600000-ransom-payment-to-regain-data-access-and-will-it-work
Ferguson, Scott. “North Carolina County Suffers Repeat Ransomware Infections,” Bank Info Security. Published March 21, 2019. https://www.bankinfosecurity.com/north-caroline-county-suffers-repeat-ransomware-infections-a-12217
Fokker, John, and Christiaan Beek. “Ryuk Ransomware Attack: Rush to Attribution Misses the Point,” McAfee. Published January 9, 2019. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
Gatlan, Sergiu. “Ransomware Hits Florida PRIDE On Saturday, Systems Still Down,” Bleeping Computer. Published December 11, 2019. https://www.bleepingcomputer.com/news/security/ransomware-hits-florida-pride-on-saturday-systems-still-down/
Hanel, Alexander. “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware,” Crowdstrike. Published January 10, 2019. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Harper, Mark. “Ryuk Ransomware behind Attack on Florida Library System,” Government Technology. Published February 7, 2020. https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html
Holsman, Melissa E. “Stuart’s city hall ransomware attack “more than likely” caused by phishing email scam,” Naples Daily News. Published April 22, 2019. https://www.naplesnews.com/story/news/local/martin-county/2019/04/22/city-halls-ransomwareattack-may-linked-phishing-email-scam-ryuk/3540067002/
Kim, Christopher. “Maze Ransomware Campaign Spoofs Italian Revenue Agency Correspondence,” Infoblox. 2019. https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-maze-ransomware-campaign-spoofs-Italian-revenue-agency-correspondence.pdf
Krebs, Brian. “Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up,” KrebsOnSecurity (Blog). Published December 16, 2019. https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/#more-49994
Lyngaas, Sean. “FBI warns U.S. companies about Maze ransomware, appeals for victim data,” Cyberscoop. Published January 2, 2020. https://www.cyberscoop.com/fbi-maze-ransomware/
Marion County Board of Commissioners. “Official Minutes,” (Book W, Marion County, January 17, 2017). Pages 5-46. https://frontrunner-mccc.s3.amazonaws.com/785BBB3B-5056-907D-8D7D-CFF8DEFB68E3.pdf
Martin, Austin. “Maze Ransomware,” Schneider Downs. Published January 28, 2020. https://www.schneiderdowns.com/ourthoughts-on/maze-ransomware
Masters, Greg. “City of Sarasota hit with ransomware,” SC Media. Published August 23, 2016. https://www.scmagazine.com/home/security-news/city-of-sarasota-hit-with-ransomware/
Meskauskas, Tomas. “Maze Ransomware Exploiting Exploit Kits,” Security Boulevard. Published November 8, 2019. https://securityboulevard.com/2019/11/maze-ransomware-exploiting-exploit-kits/
Mohurle, Savita, and Manisha Patil. “A brief study of WannaCry Threat: Ransomware Attack 2017,” International Journal of Advanced Research in Computer Science. (2017): ISSN No. 0976-5697. https://sbgsmedia.in/2018/05/10/2261f190e292ad93d6887198d7050dec.pdf
Mundo, Alexandre. “Ransomware Maze,” McAfee. Published March 26, 2020. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
Ng, Alfred. “Another Florida city pays hackers over ransomware attack,” Cnet. Published June 26, 2019. https://www.cnet.com/news/another-florida-city-pays-hackers-over-ransomware-attack/
Ogranovich, Vlad. “WATCH WHERE YOU BROWSE - THE FALLOUT EXPLOIT KIT STAYS ACTIVE,” Cybereason. Published July 3, 2019. https://www.cybereason.com/blog/watch-where-you-browse-the-fallout-exploit-kit-stays-active
Oza, Shyam. “Ryuk Ransomware — Malware of the Month, January 2020,” Security Boulevard. Published January 24, 2020. https://securityboulevard.com/2020/01/ryuk-ransomware-malware-of-the-month-january-2020/
Parks, Miles. “Behind The Ransomware Attack On Palm Beach County Elections In 2016,” NPR. Published February 17, 2020. https://www.npr.org/2020/02/17/806729389/behind-the-ransomware-attack-on-palm-beach-county-elections-in-2016
Pinkas, Noa, Lior Rochberger, and Matan Zatz. “Triple Threat: Emotet deploys trickbot to steal data and spread Ryuk.” Cybereason. Published April 2, 2019. https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
Schweers, Jeffrey. “Wakulla School Board gets data back after hiring cyber hacker hostage negotiator,” Tallahassee Democrat. Published September 20, 2019. https://www.tallahassee.com/story/news/local/state/2019/09/20/wakulla-school-board-hires-cyber-hacker-data-hostage-negotiator/2385103001/
Smalls II, C. Isaiah. “Another city hit by ransomware attack. This time the police department is the target.” Miami Herald. Published February 8, 2020. https://www.miamiherald.com/news/local/community/miami-dade/north-miami/article240101368.html
Smith, Bill. “Lee County computer system still down; virus attack follows trend,” News-Press (USA Today). Published September 23, 2019. https://www.news-press.com/story/news/local/2019/09/23/lee-county-victim-increasingly-sharp-cyber-attack-experts-say/2418654001/
Title 18—Crimes and Criminal Procedure, Chapter 209—Extradition, 2002 (US) s 3181 (14 May 2020)
Umawing, Jovi. “Threat spotlight: the curious case of Ryuk ransomware,” Malwarebytes Labs. Published December 12, 2019. Last Updated December 19, 2019.
https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-ofryuk-ransomware/ Velasquez Jr, Tony. “Hackers paralyze computer system of Arrigo Dodge Chrysler Jeep, demand ransom,” ABC 25 WPBF News, Updated December 11, 2019. https://www.wpbf.com/article/west-palm-beach-car-dealership-hit-by-ransomware/30202071 Walter, Kathleen. “Town of Palm Beach fights ransomware attack on 911 system,” CBS 12 News. Published June 9, 2016. https:// cbs12.com/news/local/town-of-palm-beach-fights-ransomware-attack-on-911-system Wile, Rob. “Key Biscayne recovering from cyberattack after hackers hit a third city in Florida,” Miami Herald. Published June 27, 2019. Updated July 1, 2019. https://www.miamiherald.com/news/business/article232011757.html Zmudzinski, Adrian. “Maze Hacker Group Claims Infecting Insurance Giant Chubb with Ransomware,” Cointelegraph. Published March 29, 2020. https://cointelegraph.com/news/maze-hacker-group-claims-infecting-insurance-giant-chubb-with-ransomware “Ransomware Attacks Reported by Florida and Texas Healthcare Providers,” Hipaa Journal. Published January 10, 2020. https:// www.hipaajournal.com/ransomware-attacks-reported-by-florida-and-texas-healthcare-providers/ “Ransom.Maze”, Malwarebytes Labs. No date. https://blog.malwarebytes.com/detections/ransom-maze/
cyberflorida.org | 19
Endnotes
Alexander Hanel, “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware,” Crowdstrike. Published January 10, 2019. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ 1
Jovi Umawing, “Threat spotlight: the curious case of Ryuk ransomware,” Malwarebytes Labs. Published December 12, 2019. Last Updated December 19, 2019. https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-ofryuk-ransomware/ 2
John Fokker and Christiaan Beek, “Ryuk Ransomware Attack: Rush to Attribution Misses the Point,” McAfee. Published January 9, 2019. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ 3
Adrian Zmudzinski, “Maze Hacker Group Claims Infecting Insurance Giant Chubb with Ransomware,” Cointelegraph. Published March 29, 2020. https://cointelegraph.com/news/maze-hacker-group-claims-infecting-insurance-giant-chubb-with-ransomware 4
Alexandre Mundo, “Ransomware Maze,” McAfee. Published March 26, 2020. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ 5
See note 1 above.
6
Miles Parks, “Behind The Ransomware Attack On Palm Beach County Elections In 2016,” NPR. Published February 17, 2020. https://www.npr.org/2020/02/17/806729389/behind-the-ransomware-attack-on-palm-beach-county-elections-in-2016 7
Greg Masters, “City of Sarasota hit with ransomware,” SC Media. Published August 23, 2016. https://www.scmagazine.com/home/security-news/city-of-sarasota-hit-with-ransomware/ 8
Kathleen Walter, “Town of Palm Beach fights ransomware attack on 911 system,” CBS 12 News. Published June 9, 2016. https://cbs12.com/news/local/town-of-palm-beach-fights-ransomware-attack-on-911-system 9
Marion County Board of Commissioners, “Official Minutes,” (Book W, Marion County, January 17, 2017). Pages 5-46. https://frontrunner-mccc.s3.amazonaws.com/785BBB3B-5056-907D-8D7D-CFF8DEFB68E3.pdf 10
Melissa E. Holsman, “Stuart’s city hall ransomware attack “more than likely” caused by phishing email scam,” Naples Daily News. Published April 22, 2019. https://www.naplesnews.com/story/news/local/martin-county/2019/04/22/city-halls-ransomwareattack-may-linked-phishing-email-scam-ryuk/3540067002/ 11
Tony Doris, “Why Riviera Beach agreed to pay a $600,000 ransom payment to regain data access... and will it work?,” Palm Beach Post. Published June 19, 2019. Updated June 20, 2019. https://www.palmbeachpost.com/news/20190619/why-rivierabeach-agreed-to-pay-600000-ransom-payment-to-regain-data-access-and-will-it-work 12
Rob Wile, “Key Biscayne recovering from cyberattack after hackers hit a third city in Florida,” Miami Herald. Published June 27, 2019. Updated July 1, 2019. https://www.miamiherald.com/news/business/article232011757.html 13
Alfred Ng, “Another Florida city pays hackers over ransomware attack,” Cnet. Published June 26, 2019. https://www.cnet.com/news/another-florida-city-pays-hackers-over-ransomware-attack/ 14
Bill Smith, “Lee County computer system still down; virus attack follows trend,” News-Press (USA Today). Published September 23, 2019. https://www.news-press.com/story/news/local/2019/09/23/lee-county-victim-increasingly-sharp-cyber-attack-experts-say/2418654001/ 15
Jeffrey Schweers, “Wakulla School Board gets data back after hiring cyber hacker hostage negotiator,” Tallahassee Democrat. Published September 20, 2019. https://www.tallahassee.com/story/news/local/state/2019/09/20/wakulla-school-board-hires-cyber-hacker-data-hostage-negotiator/2385103001/ 16
“Ransomware Attacks Reported by Florida and Texas Healthcare Providers,” Hipaa Journal. Published January 10, 2020. https://www.hipaajournal.com/ransomware-attacks-reported-by-florida-and-texas-healthcare-providers/ 17
Lawrence Abrams, “Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand,” Bleeping Computer. Published December 11, 2019. https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/ 18
Lyle Adriano, “Cyberattack postmortem reveals Florida city lost 6GB of data,” Insurance Business America. Published February 12, 2020. https://www.insurancebusinessmag.com/us/news/cyber/cyberattack-postmortem-reveals-florida-city-lost-6gb-of-data-213486.aspx 19
Sergiu Gatlan, “Ransomware Hits Florida PRIDE On Saturday, Systems Still Down,” Bleeping Computer. Published December 11, 2019. https://www.bleepingcomputer.com/news/security/ransomware-hits-florida-pride-on-saturday-systems-still-down/ 20
Gary Detman, “St. Lucie County Sheriff’s Office hit by cyber attack,” CBS 12 News. Published December 17, 2019. https://cbs12.com/news/local/st-lucie-county-sheriffs-office-hit-by-cyber-attack 21
Tony Velasquez Jr, “Hackers paralyze computer system of Arrigo Dodge Chrysler Jeep, demand ransom,” ABC 25 WPBF News. Updated December 11, 2019. https://www.wpbf.com/article/west-palm-beach-car-dealership-hit-by-ransomware/30202071 22
Malena Carollo, “Tampa Bay Times hit by ransomware attack,” Tampa Bay Times. Published January 23, 2020. Updated January 24, 2020. https://www.tampabay.com/news/business/2020/01/23/tampa-bay-times-hit-by-ransomware-attack/ 23
Mark Harper, “Ryuk Ransomware behind Attack on Florida Library System,” Government Technology. Published February 7, 2020. https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html 24
C. Isaiah Smalls II, “Another city hit by ransomware attack. This time the police department is the target.” Miami Herald. Published February 8, 2020. https://www.miamiherald.com/news/local/community/miami-dade/north-miami/article240101368.html 25
Savita Mohurle and Manisha Patil, “A brief study of WannaCry Threat: Ransomware Attack 2017,” International Journal of Advanced Research in Computer Science. (2017): ISSN No. 0976-5697. https://sbgsmedia.in/2018/05/10/2261f190e292ad93d6887198d7050dec.pdf 26
Sarah Coble, “MAZE Relaunches ‘Name and Shame’ Website,” Infosecurity Group. Published January 10, 2020. https://www.infosecurity-magazine.com/news/maze-relaunches-name-and-shame/ 27
Brian Krebs, “Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up,” KrebsOnSecurity (Blog). Published December 16, 2019. https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/#more-49994 28
See note 1 above.
29
See note 2 above.
30
See note 1 above.
31
See note 1 above.
32
Noa Pinkas, Lior Rochberger, and Matan Zatz, “Triple Threat: Emotet deploys trickbot to steal data and spread Ryuk.” Cybereason. Published April 2, 2019. https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware 33
Sean Lyngaas, “FBI warns U.S. companies about Maze ransomware, appeals for victim data,” Cyberscoop. Published January 2, 2020. https://www.cyberscoop.com/fbi-maze-ransomware/ 34
Christopher Kim, “Maze Ransomware Campaign Spoofs Italian Revenue Agency Correspondence,” Infoblox. 2019. https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-maze-ransomware-campaign-spoofs-Italian-revenue-agency-correspondence.pdf 35
See note 5 above.
36
See note 17 above.
37
Vlad Ogranovich, “WATCH WHERE YOU BROWSE - THE FALLOUT EXPLOIT KIT STAYS ACTIVE,” Cybereason. Published July 3, 2019. https://www.cybereason.com/blog/watch-where-you-browse-the-fallout-exploit-kit-stays-active 38
Austin Martin, “Maze Ransomware,” Schneider Downs. Published January 28, 2020. https://www.schneiderdowns.com/ourthoughts-on/maze-ransomware 39
See note 26 above.
40
See note 1 above.
41
See note 2 above.
42
See note 1 above.
43
See note 23 above.
44
Shyam Oza, “Ryuk Ransomware — Malware of the Month, January 2020,” Security Boulevard. Published January 24, 2020. https://securityboulevard.com/2020/01/ryuk-ransomware-malware-of-the-month-january-2020/ 45
See note 1 above.
46
See note 3 above.
47
Rajdeepsinh Dodia, “Examining the Ryuk Ransomware,” Zscaler. Published October 10, 2019. https://www.zscaler.com/blogs/research/examining-ryuk-ransomware 48
See note 37 above.
49
Tomas Meskauskas, “Maze Ransomware Exploiting Exploit Kits,” Security Boulevard. Published November 8, 2019. https://securityboulevard.com/2019/11/maze-ransomware-exploiting-exploit-kits/ 50
See note 36 above.
51
See note 48 above.
52
See note 37 above.
53
See note 5 above.
54
See note 17 above.
55
“Ransom.Maze”, Malwarebytes Labs. No date. https://blog.malwarebytes.com/detections/ransom-maze/
56
See note 5 above.
57
Lawrence Abrams, “Maze Ransomware says computer type determines ransom amount,” Bleeping Computer. Published May 31, 2019. https://www.bleepingcomputer.com/news/security/maze-ransomware-says-computer-type-determines-ransom-amount/ 58
Scott Ferguson, “North Carolina County Suffers Repeat Ransomware Infections,” Bank Info Security. Published March 21, 2019. https://www.bankinfosecurity.com/north-caroline-county-suffers-repeat-ransomware-infections-a-12217 59
Ryan Barrett, “Ransomware Is A Repeat Offender: How To Protect Your Business,” Forbes. Published February 28, 2017. https://www.forbes.com/sites/groupthink/2017/02/28/ransomware-is-a-repeat-offender-how-to-protect-your-business/#6f41f7935c94 60
Title 18—Crimes and Criminal Procedure, Chapter 209— Extradition, 2002 (US) s 3181 (14 May 2020)
61
To learn more, visit: cyberflorida.org/resources/for-organizations/
Copyright ©2020 Florida Center for Cybersecurity, All Rights Reserved. This publication is made available by the Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs. Use of this site does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.
CYBERFLORIDA.ORG | 813-974-2604 | 4202 E. FOWLER AVE., TAMPA, FL 33620