Have your computers been hit by the ProLock ransomware? You might want to read this before you pay any money to the criminals behind the attack.
The FBI issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.
Early this month, the FBI issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.
“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.
“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”
Experts have reported a string of ransomware attacks against businesses and organizations; ProLock is yet another threat to add to the list.
The FBI recommends that ransomware victims avoid paying the ransom to decrypt their files. The Bureau warned that the ProLock decryptor does not work correctly and that using it could permanently destroy data: the decryptor can corrupt files larger than 64MB during the decryption process.
The PwndLocker ransomware was first spotted by security researchers in late 2019; the operators' ransom demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.
According to the FBI, the operators behind the threat gain access to compromised networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP) servers with weak credentials. It is still unclear whether the ProLock ransomware is run by the Qakbot gang itself, or whether the ProLock operators pay for access to hosts already infected with Qakbot in order to deliver their malware.
“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.
“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”
In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.
According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.
“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.
“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.”
“‘We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,’ Wosar said.”
The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.
Redcar and Cleveland Borough Council became the latest UK organisation to fall victim to a mass ransomware attack, which started on 8th February. The north-east council's servers, PCs, mobile devices, websites and even phone lines have been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover, and the cost of repairing the damage is expected to be between £11m and £18m. That is a significant sum for the cash-strapped council, which only confirmed ransomware as the cause of its outage 19 days after the attack. The strain of ransomware involved and the method of initial infiltration into the council's IT systems have yet to be confirmed.
The English FA shut down its investigation into allegations Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on alleged stolen internal email evidence obtained by a hacker. Read The Billion Pound Manchester City Hack for further details.
The UK government said the GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in an "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".
The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to the UK's 5G infrastructure was final. "Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on the UK government's Huawei political, economic and security debate.
Following Freedom of Information requests made by Viasat, the company reported that 2,004 UK government mobile phones and laptops were either lost or stolen between June 2018 and June 2019.
According to FBI figures, cybercriminals netted £2.7bn ($3.5bn) from cybercrimes reported in 2019, with phishing and extortion remaining the most common methods of scamming people. Cybercrime losses reported to the FBI have tripled over the past five years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for ordinary people to tell "real from fake". A new Kaspersky report backs up the FBI's finding, reporting 9.5% growth in financial phishing during the final quarter of 2019.
The Labour Party is facing data protection fines of up to £15m for failing to protect its members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of its investigation, since the party is legally responsible for securing members' information as the "data controller".
If you have a 'Ring' smart camera doorbell (IoT) device, then you may have noticed that Two-Factor Authentication (2FA) was mandated in February. Ring's decision to enforce stronger security may be related to several recent high-profile home camera hack reports.
The facial recognition company Clearview AI said a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scraped billions of individuals' photos off the internet.
- The Billion Pound Manchester City Hack
- Keys to the Kingdom, Smart Cities Security Concerns
- Cyber Security Roundup for February 2020
- Redcar Council taken down by Ransomware Attack: Council using Pen and Paper for 3 weeks and counting
- US Cyber-Boss tells the UK to 'think again' on Huawei
- MGM Hack Exposes Personal Data of 10.6 million Guests on Hacking Forum
- UK says Russia's GRU behind Massive Georgia Cyber-Attack
- Cybercrime Profits reached £2.7bn from Cybercrimes reported to FBI alone in 2019
- ISS World Hack leaves Thousands of Employees Offline
- Sports Retail Giant Decathlon Leaks 123 Million Records via a Misconfigured database
- Thousands of Mobiles and Laptops lost by the UK Government in a Year
- The United States charges Chinese Military Hackers with Equifax Breach
- Data Breach hits Agency overseeing White House Communications
- Labour could be fined up to £15m for failing to Protect Members’ Data
- The FA shutdown probe on claims of Liverpool FC Hacking Manchester City’s Youth Scouting System
- Ring Mandates MFA Logins
- Clearview AI Facial-Recognition has Client list Stolen
- Microsoft Patches 99 Vulnerabilities, including 13 Critical for Windows, IE, ChakraCore, and Flash
- Microsoft Patches IE Vulnerability being Exploited in the Wild
- Flaw in Philips Smart Light Bulbs Exposes WiFi Network to Hackers
- Adobe Patch Tuesday: Critical vulnerabilities in Flash Player, Framemaker Patched
- Adobe, VMWare issue Patches for Critical Vulnerabilities a week after Patch Tuesday
- Adobe Patches Critical Magento Security Vulnerabilities
- Critical Vulnerability Found in IBM ServeRAID Manager
- Google issues Chrome Update Patching a Zero Day
- Google Patches Bluetooth Vulnerability impacting most Android devices
- Critical Flaw in OpenSMTPD Found and Patched
- Cisco issues 17 Security Updates
- Five High-Level Flaws Patched in Cisco Discovery Protocol
- Dell Patches SupportAssist Vulnerability
- Mozilla issues Patches for Firefox 73, Firefox ESR 68.5 and Thunderbird 68.5
- Microsoft Exchange Servers Open to Remote Hacking due to Major Flaw
- TA505 Phishing Campaign uses HTML redirectors to Spread Info Stealer
- Metamorfo Banking Malware Spreads around the World
- Hidden Cobra adds to its Malware Arsenal: CISA
- Phishers using Strong Tactics and Poor Bait in Office 365 Scam
- Emotet Now Using Wi-Fi To Spread Malware
- Android Banking Trojan steals Google Two-Factor Authentication codes
- Unpatched VPN Servers Hit by Apparent Iranian APT Groups
- Detecting Ryuk Ransomware
- Nominet CISO Stress Report
- Financial Phishing grew by 9.5% during Holiday Shopping Season
Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware
Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told.
Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting.
On Dec. 29, 2016, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report confirming FireEye’s long held public assessment that the Russian government likely sponsors the groups that we track as Advanced Persistent Threat (APT) 28 and APT29. We have tracked and profiled these groups through multiple investigations, endpoint and network detections, and continuous monitoring, allowing us to understand the groups’ malware, operational changes and motivations. This intelligence has been critical to protecting and informing our clients and exposing this threat.
FireEye first publicly announced that the Russian government likely sponsors APT28 in a report released in October 2014. APT28 has pursued military and political targets in the U.S. and globally, including U.S. political organizations, anti-doping agencies, NGOs, foreign and defense ministries, defense attachés, media outlets, and high-profile government and private sector entities. Since at least 2007, APT28 has conducted operations using a sophisticated set of malware built on a flexible, modular framework that allows APT28 to continually evolve its toolset for future operations. APT28's operations closely align with Russian military interests, and the 2016 breaches and the subsequent public data leaks demonstrate the Russian government's wide-ranging approach to advancing its strategic political interests.
In July 2015, we released a report focusing on a tool used by APT29, malware that we call HAMMERTOSS. In detailing the sophistication and attention to obfuscation evident in HAMMERTOSS, we sought to explain how APT29’s tool development effort defined a clandestine, well-resourced and state-sponsored effort. Additionally, we have observed APT29 target and breach entities including government agencies, universities, law firms and private sector targets. APT29 remains one of the most capable groups that we track, and the group’s past and recent activity is consistent with state espionage.
The Joint Analysis Report also includes indicators for another group we (then iSIGHT Partners) profiled publicly in 2014: Sandworm Team. Since 2009, this group has targeted entities in the energy, transportation and financial services industries. It deployed destructive malware that impacted the power grid in Ukraine in late 2015 and used related malware against a Ukrainian ministry and other financial entities in December 2016. Chiefly characterized by its use of the well-known Black Energy trojan, Sandworm Team has often retrofitted publicly available malware to further its offensive operations, and has exhibited considerable skill and used extensive resources in conducting them.