Category Archives: ransomware

Cyber News Rundown: Radiohead Hit by Ransomware Hack


Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Every Day

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

Account information was leaked for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which were found in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user data it’s clear EmuParadise could have done more to properly secure their users’ information.

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

French authorities released the PyLocky decryptor for versions 1 and 2

Good news for the victims of pyLocky ransomware versions 1 and 2: French authorities have released the pyLocky decryptor, which decrypts the files for free.

French authorities have released a decryptor for pyLocky ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement and the French Homeland Security Information Technology and Systems Service, along with independent and volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is a result of a collaborative among the agencies of the French Ministry of Interior, including the first Brigade of fraud investigations in information technology (BEFTI) of the Regional Directorate of the Judicial Police of Paris, on the of technical elements gathered during its investigations and collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior, which states it is more active in Europe.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST(SI)², part of the National Gendarmerie, to create that software.”

The French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses, and associations.

The pyLocky decryptor decrypts files for version 1 (filenames with the .lockedfile or .lockymap extension) and version 2 (.locky extension).

pyLocky Decryptor

The pyLocky Decryptor can be downloaded from the following link:

https://www.cybermalveillance.gouv.fr/wp-content/uploads/2019/02/PyLocky_Decryptor_V1_V2.zip

The decryptor requires the Java Runtime to be installed.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed two hardcoded private RSA keys, which were likely obtained by French police through access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini


The post French authorities released the PyLocky decryptor for versions 1 and 2 appeared first on Security Affairs.

Aviation Equipment Major ASCO Victim of Ransomware Attack

The Belgian manufacturer of aeronautical equipment ASCO was forced to close its operations in Belgium, Germany, Canada and the United States after a ransomware attack at its Zaventem plant in Belgium.

ASCO is one of the world’s largest manufacturers of aeronautical equipment and provides high-end aeronautical equipment, such as lifting devices, mechanical assemblies and functional components, to various aviation giants such as Boeing, Airbus, Lockheed Martin, Bombardier Aerospace and Embraer.

The computer systems at the Zaventem plant in Belgium, which also serves as headquarters, were hit by a ransomware attack last Friday, forcing the company to close its factories in Belgium, Germany, Canada and the United States to mitigate the impact of the attack.

ASCO employees sent on leave for an indefinite period

ASCO, acquired last year by the American company Spirit AeroSystems, also sent home about 1,000 of the 1,400 employees at these factories because of the extended shutdown and asked them not to return to work until further notice. However, the company’s non-production offices in France and Brazil are currently operational.

ASCO has not yet issued any official statement regarding the ransomware attack, nor has it communicated the details of the ransom demand, whether it intends to comply with it, or whether the infection has caused the loss of intellectual property. However, the company told the Brussels Times that it had not yet detected any theft or loss of information.

Andrea Carcano, CPO and co-founder of Nozomi Networks, warned that it was never advisable to pay ransom in these situations. “There is no guarantee that criminals will restore the systems. Organizations must prepare for this type of event and have a plan to limit the damage and the reputation of the brand.”

The attack comes two months after the European Commission approved the acquisition of the company by Spirit AeroSystems, based in the United States. The cash acquisition of SRIF, the parent company of the Belgian-based aircraft components manufacturer, for a total amount of $650 million (£512 million) was announced in May 2018.

The first EU regulatory review was stopped in October 2018 when Spirit withdrew its first contract notice to the Commission due to regulatory concerns. The company resumed the regulatory process in February 2019 after informing the European Commission on 30th January.

There was no press release or announcement from either company. The LinkedIn and Twitter accounts of both companies did not provide any confirmation or acknowledgment of the attack until the report was released.

The aeronautics industry has been the target of hackers recently. When an airline is purchased, the new owner is more likely to keep the legacy systems instead of integrating them and updating them completely. New airlines are better equipped and have control over their IT systems.

In terms of ransomware, prevention is better than cure. Keep all your systems up to date with the latest patches and make sure there are no security vulnerabilities that can leave the organization exposed to attackers.


The post Aviation Equipment Major ASCO Victim of Ransomware Attack appeared first on .

Aircraft Parts Manufacturer Halts Operations After Ransomware Attack

Aircraft parts manufacturer ASCO has temporarily suspended operations worldwide after falling victim to a ransomware attack. As reported by Data News, ASCO decided that it would shut down its headquarters in Zaventem, a Belgian municipality situated within the province of Flemish Brabant, as a result of the attack. This suspension is expected to place approximately […]

The post Aircraft Parts Manufacturer Halts Operations After Ransomware Attack appeared first on The State of Security.

Ransomware paralyzed production for at least a week at ASCO factories

Malware infections can be devastating for production environments: a ransomware infection has halted production operations for days at airplane parts manufacturer ASCO.

ASCO is one of the world’s largest manufacturers of aerospace components.

The company has offices and production plants in Belgium, Canada, Germany, the US, Brazil, and France. ASCO provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.

A ransomware attack has paralyzed the production in ASCO plants across several countries worldwide. The attack reportedly started on Friday and at the time of writing the current extent of the internal damage is still unknown.

After the incident, nearly 1,000 employees out of 1,400 were sent home for the entire week, on paid leave.


As a result of having IT systems crippled by the ransomware infection, the company has sent home approximately 1,000 of its 1,400 workers.

“Employees of the Asco company in Zaventem are technically unemployed for a few days because the company’s servers have been hacked. The company confirms that it has been hit by a cyber attack since Friday. A complaint has been submitted to the police.” states VRT (Flemish Radio and Television Broadcasting Organisation). “The public prosecutor says there are traces of “ransomware” found on the computers, with hackers asking ransom to re-release the blocked computers.”

The company reported the incident to the local authorities and hired third-party experts to investigate the attack.

“We have informed all competent authorities in this area of ​​this cyber attack and have brought in external experts to solve the problem,” says HR director Vicky Welvaert. “We are currently working on it with all our might.” Welvaert does not want to comment on whether the problem is now under control or from when the business activities will be restarted.

According to the media, the ransomware first hit the Zaventem plant in Belgium, but immediately afterwards ASCO also shut down, as a precaution, its production factories in Germany, Canada, and the US.

At the time of writing it is not clear whether the company decided to pay the ransom to restore its systems rapidly or simply restored its backups.

Although ASCO would be a prime target for cyber spies, its representatives told The Brussels Times that there is currently no evidence of theft of information.

“The company also notified the authorities, and told the paper there is currently no evidence of the theft of information, but that it is taking the situation very seriously.” reported The Brussels Times.

“Although ransomware attacks are usually only about money, a company like Asco, which has connections in the defence sector, could also be a targe”

Pierluigi Paganini


The post Ransomware paralyzed production for at least a week at ASCO factories appeared first on Security Affairs.

Ransomware disrupts worldwide production for Belgian aircraft parts maker

ASCO Industries, a manufacturer of aerospace components with headquarters in Zaventem, Belgium, has been hit with ransomware, which ended up disrupting its production around the world. The attack reportedly started on Friday and the extent of the internal damage is still unknown. About ASCO Industries ASCO Industries is a privately held company that was acquired by Kansas-based Spirit AeroSystems in 2018. At the time it had 1,400 employees world-wide. It designs and manufactures wing components, …

The post Ransomware disrupts worldwide production for Belgian aircraft parts maker appeared first on Help Net Security.

Lake City Reveals It Suffered a ‘Triple Threat’ Ransomware Attack

The City of Lake City has confirmed that a “Triple Threat” ransomware attack affected the functionality of several of its computer systems. According to its Facebook statement, the Floridian municipality became the target of a ransomware program known as “Triple Threat” on 10 June 2019. This malware allegedly combined three different attack vectors to target […]

The post Lake City Reveals It Suffered a ‘Triple Threat’ Ransomware Attack appeared first on The State of Security.

Food Bank Needs Help Recovering from Ransomware Attack

A King County food bank said it will need help recovering from a ransomware infection that affected its computer network. At around 02:00 on 5 June, bad actors targeted the servers of Auburn Food Bank with ransomware. The crypto-malware, which according to Bleeping Computer was a variant of GlobeImposter 2.0, affected all of the food […]

The post Food Bank Needs Help Recovering from Ransomware Attack appeared first on The State of Security.

Security roundup: June 2019

Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.

If you notice this notice…

If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.

But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.

The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.

  • Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
  • Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
  • Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as evidence of absence of risk.

AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.

The cost of cybercrime, updated

Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.

The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.

Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.

Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.

Ransom-go-round

Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.

Enter third-party companies that claim to recover data on victims’ behalf. Could this be a pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed. It found two companies that just paid the ransom and pocketed the profit, without telling law enforcement or their customers.

This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.

Links we liked

Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.

If you confuse them, you lose them: a post about clear security communication.

This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure.

Got an idea for a cybersecurity company? ENISA has published expert help for startups.

A cybersecurity apprenticeship aims to provide a talent pipeline for employers.

Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town.

The hacker and pentester Tinker shares his experience in a revealing interview.

So it turns out most hackers for hire are just scammers.

The cybersecurity landscape and the role of the military.

What are you doing this afternoon? Just deleting my private information from the web.

The post Security roundup: June 2019 appeared first on BH Consulting.

Norsk Hydro Q1 2019 Profits Sank Following Ransomware Attack

The first quarter profits for Norsk Hydro sank after the Norwegian aluminum and renewable energy company fell victim to a ransomware attack. According to Reuters, Norsk Hydro’s gains fell to 559 million Norwegian crowns (approximately $64.3 million at the time of reporting) in the first quarter of 2019. That number is down from 3.15 billion […]

The post Norsk Hydro Q1 2019 Profits Sank Following Ransomware Attack appeared first on The State of Security.

The Feasibility Of Tape Backup Against Ransomware

As ransomware becomes more complex year after year, there is only one weapon to overcome the challenge raised by cybercriminals: a backup system. We are in the age of cloud-storage services, ranging from corporate-level offerings to free packages supported by advertising. Of course, there are always the traditional NAS and hard drive backups, which vary in cost per gigabyte. Given the increasing sophistication of attack methods, there is a concern that future damage from malware will increase, hence a reliable and effective backup plan should exist for all organizations. What is required of IT departments in organizations worldwide is therefore a preliminary measure to contain, if not fully reverse, ransomware damage. The two pillars are “prevention” of infection through the introduction of anti-virus software and “protection” of data by backup in case of emergency. These should be implemented as part of information security measures before a firm officially starts day 1 of operations.

However, in the case of ransomware measures, the latter is actually said to be more important. The former is, of course, important in preventing infection, but it is difficult to cope with attacks that use unknown methods, such as zero-day exploits. If damage occurs due to an infection, no one can reliably use the PC or the files on its local hard drive, which will have a huge impact on business continuity. Given the possibility that infection cannot be avoided, it is clear that the backup issue needs to be settled early.

The first requirement is “data storage destination.” Companies back up systems and data to various media, and in recent years the adoption of NAS has also increased, driven by lower prices. Hard drives are dirt cheap compared to a decade ago. However, they are not suitable as a ransomware measure because ransomware spreads the infection over the network. Network-aware attacks also make online NAS and external drives vulnerable. Such a backup is likely to be encrypted, since it is connected live on the network and its contents are fully accessible from the operating system’s shell. Given this point, it is necessary to select a medium that can be completely isolated from the network as the backup destination.

The second point is “backup target.” A large amount of data exists in PCs and various applications in companies, and in the past, to keep operation time down, backups have focused on the data with high business importance. However, from the viewpoint of protecting information assets, the entire system must be recovered quickly in the event of an emergency, so the backup target must include not only some applications and user data, but also data related to the system.

The last requirement is “frequency of backups and retention period of data.” Backup is a highly effective measure, but it is not a cure-all. In order to reduce the impact on the business at the time of recovery, it is necessary to make the time lag between “now” and the backup time as short as possible, which means increasing the frequency of backups. At the same time, some ransomware only starts working several months after infiltration, so long-term data retention is also required to ensure data security. Retention schemes used in the past, such as 1-2 weeks of daily backups or monthly backups, are not enough, and a fundamental review of backup methods and operation methods is required.

The reason ransomware infection has spread so much is that storage connected to a network, such as NAS or DAS, is recognized by the OS as a storage location for data. The only way around this is to use a system that is not always online, but only connects to the workstations and servers when a backup or restore process needs to run. This can be accomplished with tape backup systems, because operating systems do not mount these ancient media directly. These days, this property of tape backup is not a disadvantage, but an advantage. A safe and reliable backup which cannot be accessed by the ransomware code provides the greatest protection against malicious data encryption.
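The three requirements above (an offline destination, a full-system target, and enough frequency and retention) can be checked against a backup catalogue. The following Python audit is an added example, not part of the original article; the `BackupCopy` fields, the 24-hour and 180-day thresholds, and the sample catalogues are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    taken: datetime     # when the backup finished
    medium: str         # e.g. "tape", "nas"
    online: bool        # True if the OS or network can reach this copy right now
    full_system: bool   # True if system data is included, not only selected user data


# Assumed thresholds: the article gives no figures beyond "several months" of
# dormancy and "1-2 weeks" of retention being too short.
MAX_AGE = timedelta(hours=24)
MIN_RETENTION = timedelta(days=180)


def protected_copies(catalog):
    """Copies a live infection cannot reach and that can rebuild a whole system."""
    return [c for c in catalog if not c.online and c.full_system]


def audit_catalog(catalog, now, max_age=MAX_AGE, min_retention=MIN_RETENTION):
    """Return finding codes; an empty list means all three requirements hold."""
    # Requirement 1: destination isolated from the network.
    if not any(not c.online for c in catalog):
        return ["NO_OFFLINE_COPY"]
    # Requirement 2: the offline copies must cover the entire system.
    usable = protected_copies(catalog)
    if not usable:
        return ["NO_FULL_SYSTEM_COPY"]
    findings = []
    # Requirement 3a: short lag between "now" and the newest protected copy.
    if now - max(c.taken for c in usable) > max_age:
        findings.append("LATEST_COPY_TOO_OLD")
    # Requirement 3b: retention long enough to predate a dormant infection.
    if now - min(c.taken for c in usable) < min_retention:
        findings.append("RETENTION_TOO_SHORT")
    return findings


def restore_point_before(catalog, infiltration):
    """Newest protected copy taken strictly before the suspected infiltration."""
    candidates = [c for c in protected_copies(catalog) if c.taken < infiltration]
    return max(candidates, key=lambda c: c.taken, default=None)


# Constructed sample catalogues (not real data).
NOW = datetime(2019, 6, 15, 8, 0)
# Two weeks of daily NAS backups of user data only, always mounted.
NAS_ONLY = [BackupCopy(NOW - timedelta(days=d), "nas", True, False)
            for d in range(14)]
# Offline full tapes, but the newest is 3 days old and the oldest 14 days old.
SHORT_TAPE = [BackupCopy(NOW - timedelta(days=d), "tape", False, True)
              for d in range(3, 15)]
# Daily offline tapes for two weeks plus monthly tapes kept for seven months.
GOOD_TAPE = (
    [BackupCopy(NOW - timedelta(days=d, hours=6), "tape", False, True)
     for d in range(14)]
    + [BackupCopy(NOW - timedelta(days=30 * m), "tape", False, True)
       for m in range(1, 8)]
)

if __name__ == "__main__":
    for name, cat in [("nas-only", NAS_ONLY), ("short-tape", SHORT_TAPE),
                      ("good-tape", GOOD_TAPE)]:
        print(name, audit_catalog(cat, NOW) or "OK")
    point = restore_point_before(GOOD_TAPE, NOW - timedelta(days=90))
    print("clean restore point:", point.taken if point else None)
```

`restore_point_before` shows why retention matters: with an infiltration assumed 90 days back, only the catalogue that keeps monthly tapes still holds a copy taken before the infection.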


The post The Feasibility Of Tape Backup Against Ransomware appeared first on .

Eurofins Scientific Says Ransomware Attack Disrupted Some IT Systems

Eurofins Scientific, an international group of laboratories headquartered in Brussels, revealed that a ransomware attack disrupted some of its IT systems. On 3 June, the food, pharmaceutical and environmental laboratory testing provider revealed that its IT security monitoring teams had discovered a ransomware attack over the weekend that had affected several of its IT systems. […]

The post Eurofins Scientific Says Ransomware Attack Disrupted Some IT Systems appeared first on The State of Security.

Researchers fight ransomware attacks by leveraging properties of flash-based storage

Ransomware continues to pose a serious threat to organizations of all sizes. In a new paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer, to save the files without having to pay the ransom. Recovering data encrypted by a variety of ransomware families …

The post Researchers fight ransomware attacks by leveraging properties of flash-based storage appeared first on Help Net Security.

What makes Quick Heal’s Next Generation Suite of Features a SMART choice to protect your privacy?

The cyber threat landscape is evolving every second, with thousands of new potential threats being detected every single day. With people becoming more and more conscious about their privacy and private data, such evolving threats can have a significant impact on the personal and financial life of people. In order…

Shade Ransomware is very active outside of Russia and targets more English-speaking victims

Experts at Palo Alto Networks spotted new Shade ransomware campaigns targeting new countries, including the U.S. and Japan.

Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.

Shade is considered one of the most dangerous threats in the cybercrime landscape. It has been active since at least 2014, when a massive infection was observed in Russia. Shade infections increased during October 2018, keeping a constant trend until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size.

“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia.” reads the analysis published by Palo Alto Networks.

“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada,” 

Most of the victims belong to the high-tech, wholesale and education sectors.

Shade has been distributed through malspam campaigns and exploit kits. Experts pointed out that its executable (EXE) has remained “remarkably consistent” since its discovery in 2014.

Once a Windows system gets infected with this ransomware, the malicious code sets the desktop background to announce the infection. The ransomware also drops 10 text files on the Desktop, named README1.txt through README10.txt.

“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.


The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payments.

The researchers noticed that all the malspam campaigns spreading the Shade ransomware retrieved an executable file from a compromised server.

“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.

“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade.” explains Palo Alto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.”

Experts discovered that most of the URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-language countries.

Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.



Pierluigi Paganini


The post Shade Ransomware is very active outside of Russia and targets more English-speaking victims appeared first on Security Affairs.

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Back up your data regularly and, most importantly, verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Many of the steps involve simple security hygiene such as keeping anti-malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

APT-27 like Newcore RAT, Virut exploiting MySQL for targeted attacks on enterprise

In today’s world data is everything, and to store and process this large amount of data, everyone has started using computing devices. Application servers used for storing this precious data on computing devices include MySQL, MongoDB, MSSQL, etc. But unfortunately, no one is conscious about their security. In…

Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising

Remember the malvertising campaigns of the early days, where adverts told you that you were the nth visitor and had a prize to claim for being the coveted nth visitor on a website? Of course, these days the chance of seeing a Flash-based animated advert like that is slim, since Google Chrome itself autoblocks scam-like adverts by default as part of the Google Safe Browsing initiative, which the Firefox browser also features. Malvertising did not end with the anemic Flash-based variants, though, as cybercriminals are now using Bitcoin (or rather, people’s desire for it) to convince people who visit a dodgy website under their control.

Imagine that a malvertising website offers its visitor $30 worth of Bitcoin: not a huge sum, but with enough “visits” it may enable someone to afford some items on eBay or an Amazon gift card-level prize. However, this malvertising website installs keyloggers, banking trojans or ransomware which will harm the victim at a later time. A number of similar but unrelated websites offer a referral prize in Ethereum (a cryptocurrency alternative to Bitcoin), with one website claiming that users who successfully refer 1,000 visitors to the website will earn $750 worth of Ethereum.

Both websites offer a download they call “Bitcoin Collector”, which claims to be an easy mining program for Windows that will provide “free Bitcoins” for the user, but instead causes the computer to mine cryptocurrency for the author at the expense of the user. One of the most common trojan horses in this category is named BotCollector.exe, which often comes in a .zip file downloaded from a malvertising website.

“When you execute the included BotCollector.exe, it will launch a program called ‘Freebitco.in – Bot’ that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator but simply launches a malware payload. It does this by copying a file at geobaze\patch\logo.png to logo.exe and executing it (planting itself deep into the Windows operating system)”, explained Lawrence Abrams of Bleepingcomputer.com.

BotCollector.exe was previously observed with a different behavior: it used to be the main payload for the ransomware named “Marozka Tear”. Being unsophisticated ransomware, Marozka Tear had its victims contact the author through a public free Gmail account (india2lock@gmail.com) to pay the ransom, instead of using a sophisticated “shopping cart” for collecting payments. The Bleepingcomputer team stopped the ransomware from being profitable by releasing a free decryptor program that reverses the encryption of user files without paying Marozka Tear’s author.

At the time of this writing, the two hidden payloads of the new variant of BotCollector have not yet been fully dissected by the BleepingComputer team. But initial checks show it can be compared to full-blown espionage-type malware that can record keystrokes, take screenshots, capture browser history, send any user files to its author and even copy the information of a crypto wallet.


Ransomware Attack Impacts Baltimore Emails, Online Payments

Some key online operations in the U.S city of Baltimore have been impacted following a ransomware attack.

Reports reveal that all online payment gateways and emails in Baltimore have been affected and brought to a standstill following a ransomware attack that happened in the first week of May. The hackers who launched the ransomware strike are demanding a hefty ransom for freeing all systems in the city.

Security experts have found that the ransomware attack on Baltimore has been executed using the EternalBlue exploit. The EternalBlue exploit, about which we have already written on many occasions, was developed by the U.S. NSA (National Security Agency) and was reportedly leaked by the Shadow Brokers hacker group in April 2017. It was using this exploit that cybercriminals launched the extremely devastating WannaCry attack in May 2017 and then the NotPetya attack in June 2017. EternalBlue exploits a vulnerability in the implementation of Microsoft’s SMB (Server Message Block) protocol and allows cybercriminals to execute remote commands on their target computers. Microsoft had released a patch for the issue in March 2017, but many users hadn’t installed the patch when the WannaCry attack and then the NotPetya attack happened. Even now, as per reports, there are millions of systems worldwide that are vulnerable to EternalBlue.

Reports say that the ransomware attack in Baltimore has impacted thousands of computers and has also affected many important services including health alerts, water bills, real estate sales etc. It’s also reported that as per a ransom note that was recovered from a computer in the city, the ransomware has been identified as RobbinHood, a relatively new ransomware variant.

A New York Times report dated May 22, 2019, says, “On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid.”

The report further says, “The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.”

It’s also reported that at least 1,500 pending home sales have been delayed. However, the city has put into place an offline fix this week to allow the transactions to proceed.

As regards the ransom note, the New York Times report says, “A copy of a digital ransom note, obtained by The Baltimore Sun, stated that the city could unlock the seized files for a price: three Bitcoins (nearly $24,000) per system or 13 Bitcoins (about $102,000) for them all…The price of this decentralized, hard-to-track virtual currency fluctuates wildly. On the day of the attack, the ransom would have cost about $17,000 per system, or less than $75,000 for them all.)”

The ransom note reads: “We won’t talk more, all we know is MONEY!…Hurry up! Tik Tak, Tik Tak, Tik Tak!”

The city officials have reportedly decided not to pay the ransom as of now. Mayor Bernard Young has reportedly told local reporters, as regards paying the ransom: “Right now, I say no. But in order to move the city forward? I might think about it. But I have not made a decision yet.”


A Brief Look At The Shade Ransomware (2019 variant)

2019 is shaping up as a year in which ransomware infection frequency has declined by orders of magnitude compared to 2017, when this type of malware made headlines for causing trouble for millions globally. Back then it was very hard not to notice the everyday news about a firm or a public agency becoming the newest victim of ransomware and struggling with the ransom demand (the money the victims have to pay to restore their files). Of course, that does not mean there is no more news about company X becoming a ransomware target; it still happens, but such reports are few and far between.

Some other ransomware is old, predating WannaCry by years, but is making a comeback this year, 2019. This is what Shade ransomware is exhibiting at the moment; it was last known to be active in the wild five years ago, in 2014, according to Kaspersky Labs. Palo Alto’s Unit42 team meanwhile detected some instances of its resurrection in the United States, India, Thailand, Canada, and Japan.

“Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.

The way Shade ransomware spreads is no different from any contemporary malware. The Shade sample examined by Unit 42 was proliferating through spam emails. The strongest campaign for this ransomware was a huge wave of spam emails back in Feb 2019. These emails had an attached pdf or compressed zip file, with the body of the email describing the attachment as a billing statement from the victim’s service provider.

The attached pdf or zip file isn’t a normal file, but just a launcher for executing malicious JavaScript code that downloads the actual Shade malware from the command and control servers. The payload itself has not seen any significant changes compared to the Shade variant that Kaspersky Labs first examined in 2014. Once the Shade payload is downloaded, it is executed automatically by the script contained in the zip/pdf file; this is when the files are encrypted and the text-based warning notification is generated.

The wallpaper set by the user will be replaced by a black background with red text announcing the infection saying: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”

Unlike the previous iteration of Shade ransomware, the newer variant has a clear primary destination: the largest number of infection cases is in the United States, whereas it was previously wreaking havoc on Windows-based computers in India, Thailand and Japan. There are also visible indications that certain sectors in specific geographical locations are targeted, with victims usually from the telecommunications, wholesale/retail and education industries. Unit 42’s hypothesis points to non-Russian speaking countries as the most likely to receive spam emails carrying Shade malware.


GetCrypt Ransomware Encrypts Files, Brute Forces Credentials

Here’s a new ransomware that not only encrypts files and programs on a computer, but attempts to brute force credentials as well.

GetCrypt, a new ransomware that’s being installed through malvertising campaigns and which redirects victims to the RIG exploit kit, encrypts all files on a computer and then demands ransom for decrypting the files. An interesting thing about this ransomware is that it attempts to brute force credentials on the infected systems as well.

Exploit kit researcher nao_sec had discovered the ransomware, which works by redirecting victims to a page hosting the RIG exploit kit. A BleepingComputer report says, “This ransomware was discovered by exploit kit researcher nao_sec who alerted BleepingComputer when they saw being installed via the RIG exploit kit in Popcash malvertising campaigns. When a victim is redirected to a page hosting the exploit kit, malicious scripts will try to exploit vulnerabilities found on the computer.”

If this succeeds, the GetCrypt ransomware is downloaded and installed into Windows.

Lawrence Abrams of BleepingComputer writes that nao_sec’s tweet was also seen by security researcher Vitali Kremez, who then analyzed the ransomware and found some interesting features.

The most notable among his observations is that the ransomware, after being executed by the RIG exploit kit, checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian. If it is set to any of these languages, the ransomware terminates and doesn’t encrypt the computer. Otherwise, it examines the CPUID of the computer and uses it to create a 4-character string, which is used as the extension for encrypted files. It then runs the vssadmin.exe delete shadows /all /quiet command to clear the Shadow Volume Copies, and scans the whole system for files to encrypt. The ransomware doesn’t target any particular kind of file; instead it encrypts all files, except those that are located in or under certain folders, namely :\$Recycle.Bin, :\ProgramData, :\Users\All Users, :\Program Files, :\Local Settings, :\Windows, :\Boot, :\System Volume Information and :\Recovery AppData.

GetCrypt reportedly uses the Salsa20 and RSA-4096 encryption algorithms to encrypt files and during encryption, uses the 4-character string it had created earlier as the extension. Simultaneously, it would also create a ransom note. The ransom note, named decrypt my files #.txt, is created in each folder that is encrypted and on the desktop too. It advises the victim to contact getcrypt@cock.li for instructions regarding ransom payment. The ransomware also changes the desktop background to an image that contains a detailed message. The message says that the system has been infected and all files have been encrypted, and also gives instructions as to what needs to be done to get the files decrypted.

GetCrypt, like many other ransomware infections, also attempts to encrypt files on network shares during the encryption process, but in a rather different manner. The BleepingComputer report explains, “When encrypting, GetCrypt will utilize the WNetEnumResourceW function to enumerate a list of available network shares…If it cannot connect to a share, it will use an embedded list of usernames and passwords to bruteforce the credentials for shares and mount them using the WNetAddConnection2W function.”

“While encrypting unmapped network shares is not unusual, this is the first time we have seen a ransomware try to brute force shares so that they can connect to them from the infected computer,” the report further notes.
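The GetCrypt behaviours described above (shadow copy deletion, a ransom note written into every encrypted folder, and credential brute-forcing against network shares) each leave telemetry a defender can correlate per host. The following is an added example, not code from BleepingComputer or this post; the event schema, field names, thresholds and sample records are constructed assumptions.

```python
"""Correlate constructed host telemetry for three GetCrypt behaviours.

The event schema, field names and thresholds are assumptions made for this
example; map them onto your own process, file and failed-logon telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "vssadmin.exe delete shadows /all /quiet" as quoted on the page (any path or quoting)
SHADOW_DELETE = re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)
# Matches both spellings of the ransom note name that appear on the page
RANSOM_NOTE = re.compile(r"^#?\s*decrypt my files\s*#\.txt$", re.I)

BRUTE_WINDOW = timedelta(seconds=60)  # assumed correlation window
BRUTE_MIN_USERS = 5                   # assumed: distinct usernames tried on one target
NOTE_MIN_DIRS = 3                     # assumed: distinct folders receiving a note


def _brute_force(attempts):
    """True if some BRUTE_WINDOW span holds BRUTE_MIN_USERS distinct usernames."""
    attempts = sorted(attempts)
    start = 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > BRUTE_WINDOW:
            start += 1
        if len({user for _, user in attempts[start:end + 1]}) >= BRUTE_MIN_USERS:
            return True
    return False


def analyse(events):
    """Return {host: sorted signal names} for hosts showing at least one signal."""
    signals = defaultdict(set)
    failures = defaultdict(list)  # (source host, target server) -> [(time, user)]
    note_dirs = defaultdict(set)  # host -> folders where a ransom note appeared
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            signals[ev["host"]].add("shadow_copy_deletion")
        elif ev["type"] == "logon_failure":
            key = (ev["src_host"], ev["target"])
            failures[key].append((ts, ev["user"].lower()))
        elif ev["type"] == "file_create":
            directory, _, name = ev["path"].rpartition("\\")
            if RANSOM_NOTE.match(name):
                note_dirs[ev["host"]].add(directory.lower())
    for (src, _target), attempts in failures.items():
        if _brute_force(attempts):
            signals[src].add("share_credential_bruteforce")
    for host, dirs in note_dirs.items():
        if len(dirs) >= NOTE_MIN_DIRS:
            signals[host].add("ransom_note_spread")
    return {host: sorted(found) for host, found in signals.items()}


def severity(found):
    """Two or more independent signals on one host is treated as high confidence."""
    return "high" if len(found) >= 2 else "review"


# Constructed sample events: WS-014 shows all three behaviours, WS-020 runs a
# harmless vssadmin query, WS-031 has failed logons spread over several hours.
SAMPLE_EVENTS = [
    {"ts": "2019-05-21T10:00:01", "type": "process", "host": "WS-014",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"ts": "2019-05-21T09:00:00", "type": "process", "host": "WS-020",
     "cmdline": "vssadmin list shadows"},
] + [
    {"ts": f"2019-05-21T10:00:{10 + i:02d}", "type": "logon_failure",
     "src_host": "WS-014", "target": "FS-01", "user": user}
    for i, user in enumerate(
        ["admin", "administrator", "user", "test", "backup", "guest"])
] + [
    {"ts": f"2019-05-21T{8 + i:02d}:30:00", "type": "logon_failure",
     "src_host": "WS-031", "target": "FS-01", "user": user}
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])
] + [
    {"ts": "2019-05-21T10:01:00", "type": "file_create", "host": "WS-014",
     "path": folder + "\\# DECRYPT MY FILES #.txt"}
    for folder in [r"C:\Users\j.doe\Desktop", r"C:\Users\j.doe\Documents",
                   r"D:\Projects"]
]

if __name__ == "__main__":
    for host, found in analyse(SAMPLE_EVENTS).items():
        print(host, severity(found), found)
```

Failed logons are keyed by source host and target server, so the signal is attributed to the machine doing the guessing rather than to the file server that records the failures.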

Anyhow, it’s possible to decrypt files on a system that has been infected with GetCrypt ransomware. The decryptor has been released. The victim can use the decryptor to decrypt all encrypted files, but it can be done only if an original unencrypted copy of a file that has been encrypted during the infection is available. The decryptor has to be run on an encrypted file and its original unencrypted version as well. Following this, the decryptor would brute force the decryption key and get all files decrypted.

Well, that once again proves the need for offline backups of files, something that we’ve discussed in many of our posts. Backups can get you unencrypted versions of files, which could aid the decryption process in case your system has been infected with the GetCrypt ransomware.


Free Decryptor Released for GetCrypt Ransomware

Security researchers have released a tool that enables victims of GetCrypt ransomware to recover their affected files for free. On 23 May, web security and antivirus software provider Emsisoft announced the release of its GetCrypt decrypter. This utility asks victims of the ransomware to supply both an encrypted copy and the original version of a […]… Read More

The post Free Decryptor Released for GetCrypt Ransomware appeared first on The State of Security.

Cybercriminals continue to evolve the sophistication of their attack methods

Cybercriminals continue to evolve the sophistication of their attack methods, from tailored ransomware and custom coding for some attacks, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, according to the latest Fortinet report. Pre- and post-compromise traffic: Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for … More

The post Cybercriminals continue to evolve the sophistication of their attack methods appeared first on Help Net Security.

Emsisoft released a free Decrypter for the GetCrypt ransomware

For the second time in a few days, experts at Emsisoft released a free decrypter, this time to help victims of the GetCrypt ransomware.

Security experts at Emsisoft released a new decrypter, their second in a few days, which victims of the GetCrypt ransomware can use for free to decrypt files encrypted by the malware.

The GetCrypt ransomware is served through the RIG exploit kit and leverages Salsa20 and RSA-4096 to encrypt the victims’ files.

“GetCrypt is a ransomware spread by the RIG exploit kit, and encrypts victim’s files using Salsa20 and RSA-4096. It appends a random 4-character extension to files that is unique to the victim.” reads the post published by Emsisoft.

The ransomware drops the file “# DECRYPT MY FILES #.txt” on infected systems, containing the following ransom note:

“Attention! Your computer has been attacked by virus-encoder! All your files are now encrypted using cryptographycalli strong aslgorithm. Without the original key recovery is impossible.

TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S only in case you do not recive a response from the first email address within 48 hours, [redacted]. It is in your interest to respond as soon as possible to ensure the restoration of your files. 


Victims can download the decrypter for free at the following URL:

https://www.emsisoft.com/decrypter/download/getcrypt

In order to decrypt the files, victims have to provide an encrypted version of a file and the original of the same file.


A few days ago, Emsisoft released a free Decrypter for JSWorm 2.0



Pierluigi Paganini


The post Emsisoft released a free Decrypter for the GetCrypt ransomware appeared first on Security Affairs.

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware: thanks to experts at Emsisoft, they can decrypt their files for free.

Experts at Emsisoft malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:

“:HI SIRI, DEMONSLAY AND AMIIIIGO!!! HOW ARE YOU?”

and

“:ID-RANSOMWARE, IT’S JUST THE BEGINING [sic] OF SOMETHING NEW…”

Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware that allows victims to upload their encrypted files to identify the ransomware that infected their machines. Since January 2019, experts observed encrypted files uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.

Once it has infected a computer, the JSWorm 2.0 ransomware will perform the following actions:

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when ran as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.

Victims of the JSWorm ransomware have to follow the instructions below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.

Done!


Pierluigi Paganini


The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

What is Emotet?


Emotet malware was first identified in 2014 as a banking trojan. Since then it has evolved from a banking trojan into a threat distributor. It hit many organizations very badly in 2018 with functionalities like spamming and spreading. With its widespread reach at many organizations, it became a threat distributor. Since mid-2018, threat actors have used Emotet to spread other malware like TrickBot, Qakbot and, most dangerous of all, Ryuk ransomware. It has also been observed loading modules and launching different malware depending on geographical location, i.e. the victim’s country.

The malware authors’ strategy is to use infected systems by every means available: first for credential stealing, then using these credentials for spreading and spamming. Finally, when the infected system has no further use, it deploys other malware like ransomware, TrickBot or Qakbot.

Since mid-2018, Emotet has become a headache for security providers because of its polymorphic, self-updating and spreading capabilities, which make cleaning an infected network very complex; cleaning sometimes takes months.

How can it enter your system?

It enters your system through a phishing email, as shown in the figure below:

Such emails contain malicious attachments like doc, pdf, xls, js, etc. Once the user opens such an attachment, it downloads and launches Emotet. Sometimes such mail may contain malicious links which, when opened by users, download and launch Emotet. Another way is through lateral spreading, i.e. if one of your friends or colleagues in the same network is infected with Emotet, then that machine can deploy Emotet on your machine.

What can Emotet do?

It has many capabilities like password stealing, email harvesting, spamming, lateral spreading and launching other malware. All of these are discussed in detail in our research paper on EMOTET.

Impact:

According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

At Quick Heal labs, we have seen many of our customers badly affected by the spamming done by Emotet. As the malware sends many phishing mails to the user’s contacts, the mail server reaches its maximum limits and blocks the user’s account for the day. As a result, most of the employees of such an infected organization cannot send mails. Such blockages lead to disruption of regular operations or work and further potential harm to an organization’s reputation. Finally, after a week or two, we were able to totally clean the whole network.

Ryuk ransomware infection may cause temporary or permanent loss of user’s critical data.

What Quick Heal’s telemetry says:

As you can see, the number of hits per day is very high from July 2018 till April 19. It indicates how widespread it is. But the same is not the case with the actual number of customer escalations. At Quick Heal labs, even after detecting thousands of samples per day, we received many customer escalations in the initial months after the outbreak. We then added rules, IOCs and signatures at each level of product features, namely Virus Protection, Behavior Detection, Email Protection, Memory Scan, IDS & IPS, machine learning-based detection and Browsing Protection. This resulted in zero customer escalations for Emotet over the last few months, with already infected customers also totally cleaned. As the stats indicate, we are detecting thousands of Emotet samples per day in the last few months and still NO customer escalation/issue has been reported.

How can I remove Emotet?

If your machine is in the network of any organization, first isolate it immediately. Patch installed software with the latest updates and clean the system.

As Emotet can move laterally in a network, your machine can be infected again when you reconnect to the network. Identify and clean each infected machine in the same network. It’s a really complex process to follow. One can always choose Quick Heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe, with cleaning of already infected machines and proactive blocking of future Emotet infections.

Preventive measures

  1. Keep your computer up-to-date with the latest updates of the operating system, security software and other software.
  2. Don’t open any link in mail received from an unknown/untrusted source.
  3. Don’t download attachments received from an unknown/untrusted source.
  4. Don’t enable ‘macros’ for Microsoft Office documents.
  5. Educate yourself and others on keeping strong passwords.
  6. Use two-factor authentication wherever possible.

Conclusion:

Stats indicate that we are detecting thousands of Emotet samples per day in the last few months and still NO customer escalation/issue has been reported. With this we can say that Quick Heal has been able to stop Emotet to date. As it’s always a cat and mouse game between malware and security vendors, we expect Emotet to evolve to the next step. We will continue monitoring Emotet in future and will ensure all customers are secured from such malware.

To read more about the detailed analysis of the Emotet, download this PDF.

The post What is Emotet? appeared first on Seqrite Blog.

Ransomware and malware attacks decline, attackers adopting covert tactics

There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. Initial predictions were that these would increase, however, improvements in cybersecurity measures and detection have impacted on the success rates of these attacks. In fact, there has been a … More

The post Ransomware and malware attacks decline, attackers adopting covert tactics appeared first on Help Net Security.

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.

WhatsApp

The WhatsApp security flaw received by far the most attention from the media and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack. This makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users, and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group exploitation.

How to Prevent

Update the WhatsApp app.

iOS

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability

Android

  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability

Microsoft Worm Vulnerability CVE-2019-0708

Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within various versions of Microsoft’s Windows operating system. The vulnerability, CVE-2019-0708, is within Windows' “remote desktop services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year. It is a similar flaw to the one the WannaCry malware exploited en masse in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks, infecting vulnerable systems en masse with ransomware and rendering such systems unusable.

Such is the concern about a second WannaCry-style attack due to this flaw that Microsoft has taken the rare step of releasing security patches for their unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003.

How to Prevent

Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability, therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.

Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates. Typically you will be prompted to apply the update and accept a reboot; do this without delay.

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically, large organisations control the release of Microsoft security patches centrally. They should monitor and risk assess the importance of newly released security updates, and then apply them across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability

There was little mainstream coverage of a third major security vulnerability reported this week. Dubbed the 'ZombieLoad' side-channel processor vulnerability, it is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

CVE-2019-0708 – A Critical “Wormable” Remote Code Execution Vulnerability in Windows RDP

This is an important security advisory related to a recently patched Critical remote code execution vulnerability in Microsoft Windows Remote Desktop Service (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. The MSRC blog mentions that this vulnerability is pre-authentication and requires no user interaction. In other…

Laptop Running Six Most Dangerous Malware up for Auction

This is news! A laptop containing six of the most dangerous pieces of malware created to date is up for auction.

A Samsung NC10-14GB 10.2-Inch Blue Netbook, which contains six such malware strains which together have caused damages worth $95B over the years, has been put up for auction. This laptop has in fact been isolated and airgapped so as to prevent the spread of the malware that it contains. (Well, we know that if you are an expert, you might be cynical about the effectiveness of airgapping; but technically speaking, it’s supposed to help curb the spread of malware!).

It’s illegal to sell malware for operational purposes in the U.S. The seller of the malware-packed laptop, as per reports, has devised a way to get around this issue by calling it art. This laptop, which runs on Windows XP SP3, is now called ‘The Persistence of Chaos’.

A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”

The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”

The six strains of malware that the laptop contains are

WannaCry – The ransomware that spread all across the world and made a devastating impact on over 200,000 computers across over 150 countries.

Mydoom – The fastest-spreading email worm till date, Mydoom was first seen in January 2004 and worked mainly by sending junk email through infected computers and at the same time appearing as a transmission error.

Sobig – First detected to be infecting computer systems in August 2003, this malware, which is a worm and a trojan, is the second fastest spreading worm as of 2018. It deactivated itself in September 2003.

BlackEnergy – The malware that was first seen in 2007 and then worked by generating bots for executing DDoS attacks that were distributed via email spam. At a later stage of evolution, it would drop an infected DLL component directly to the local application data folder.

ILOVEYOU – This malware, which spread through an email attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’, was sent from an infected person to people in his contact list. Once the attachment gets opened, a script is started that would overwrite random types of files- Office files, audio files, image files, etc. Seen since May 2000.

DarkTequila – This malware, which has been active since 2013 and seen impacting systems in Latin America, spreads through spear phishing and infected USB drives. Hackers use DarkTequila to steal corporate data, bank credentials, and personal data as well.

Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”

This is a very relevant observation because news relating to this laptop (if it has all the malware that it claims to have), is in all respects, a worrying thing.


Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today

During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.

In this blog post, I will share some practical tips that our team use with our customers to help mitigate the risk of ransomware causing a significant business outage.

Figure 1: Phases of an attack.

If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).

Initial Attack

The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.

ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.

By itself, this will not fully protect an organization but without this, you expose your users and your environment to preventable email-based attacks. This control should create log events into the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and if possible correlated with other events (involving the same time, internal hosts, external IP/Domain, and any malware detected). The capability of being able to also review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident and can be used for hunting if the initial detection somehow fails.

User Actions

Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.

DNS logs such as those available by using Cisco Umbrella, can be invaluable to identify if a user/IP address/device made a request that is related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand if the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.

To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (based again on intelligence) and also retain the http transaction between the user’s web browser and the destination. This can help us to answer the question of what was done on the site, or what the site sent as a response.

To address the question of “did the user open the file” we recommend the implementation of the Windows SysInternals System Monitor (Sysmon) which can help to answer the question of user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you get into an incident and have to try to parse the alerts.
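The questions in this section ("did the user click the link", "did the user open the file") come down to joining four log sources on user, indicator and time. The sketch below is an added example, not code from the original post or from any Cisco product; the event schema, users, domain and file name are constructed for illustration and would need mapping to your own email gateway, DNS, web proxy and Sysmon process-creation (Event ID 1) logs.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalised schema (an assumption,
# not any vendor's native log format). All names and domains are invented.
EMAIL_EVENTS = [
    {"ts": "2019-05-14T09:02:11", "recipient": "alice@corp.example",
     "url_domain": "invoice-portal.example", "attachment": "invoice_0514.doc"},
    {"ts": "2019-05-14T09:02:13", "recipient": "bob@corp.example",
     "url_domain": "invoice-portal.example", "attachment": "invoice_0514.doc"},
    {"ts": "2019-05-14T09:02:15", "recipient": "carol@corp.example",
     "url_domain": "invoice-portal.example", "attachment": "invoice_0514.doc"},
]
DNS_EVENTS = [
    {"ts": "2019-05-14T09:15:40", "user": "alice", "query": "cdn.invoice-portal.example."},
    {"ts": "2019-05-14T10:01:02", "user": "bob", "query": "invoice-portal.example"},
    {"ts": "2019-05-14T10:05:00", "user": "carol", "query": "intranet.corp.example"},
]
PROXY_EVENTS = [
    {"ts": "2019-05-14T09:15:41", "user": "alice",
     "domain": "cdn.invoice-portal.example", "status": 200, "bytes_in": 48211},
    # The proxy blocked this request, so no content reached the browser.
    {"ts": "2019-05-14T10:01:03", "user": "bob",
     "domain": "invoice-portal.example", "status": 403, "bytes_in": 0},
]
PROCESS_EVENTS = [  # e.g. derived from Sysmon process-creation events
    {"ts": "2019-05-14T09:16:05", "user": "alice", "image": "WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice_0514.doc"'},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _domain_matches(observed, indicator):
    """True if observed is the indicator domain or one of its subdomains."""
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def _in_window(event, start, end):
    return start <= _ts(event["ts"]) <= end


def assess_recipients(window=timedelta(hours=24)):
    """For each delivered email, report how far the recipient's activity went."""
    results = {}
    for mail in EMAIL_EVENTS:
        user = mail["recipient"].split("@")[0]   # assumes mailbox name == logon name
        start = _ts(mail["ts"])
        end = start + window
        resolved = any(
            e["user"] == user and _in_window(e, start, end)
            and _domain_matches(e["query"], mail["url_domain"])
            for e in DNS_EVENTS)
        fetched = any(
            e["user"] == user and _in_window(e, start, end)
            and _domain_matches(e["domain"], mail["url_domain"])
            and e["status"] == 200
            for e in PROXY_EVENTS)
        opened = any(
            e["user"] == user and _in_window(e, start, end)
            and mail["attachment"].lower() in e["command_line"].lower()
            for e in PROCESS_EVENTS)
        if opened:
            stage = "attachment opened"
        elif fetched:
            stage = "content retrieved"
        elif resolved:
            stage = "domain resolved"
        else:
            stage = "delivered only"
        results[mail["recipient"]] = {
            "resolved": resolved, "fetched": fetched, "opened": opened, "stage": stage}
    return results


if __name__ == "__main__":
    for recipient, finding in assess_recipients().items():
        print(recipient, finding)
```

The DNS hit alone only shows the domain was requested; the proxy status and the process event are what separate a blocked click from retrieved content and an opened attachment.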

Account Compromise

Following the attack life-cycle, the next phase is account compromise:  did the user either provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page) or did the malware gather local cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.

We frequently recommended multi-factor for “high risk” accounts, or for “all externally facing services”, but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.

Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.

Privilege Escalation

The next phase is privilege escalation.  In this phase, we recommend a multi-pronged approach as there are multiple risks to address. The first risk is if the environment has a shared local administrator password across multiple devices. This is still a very common practice in many environments due to a number of factors.

A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS). This provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for misuse. Additionally, these privileged groups should be monitored for modification (adding/deleting of users, or changes to the group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.
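One way to turn the group-modification monitoring above into alerts, as an added example that is not part of the original post: it keys on the Windows Security event IDs for membership changes (4728/4729 global, 4732/4733 local, 4756/4757 universal groups). The watched group list, the 30-minute threshold, the simplified event schema and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security event IDs for security-enabled group membership changes.
ADD_IDS = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_IDS = {4729: "global", 4733: "local", 4757: "universal"}

# Assumption: the groups this environment treats as privileged.
WATCHED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed sample events (simplified fields; account names are invented).
SAMPLE_EVENTS = [
    {"ts": "2019-05-14T02:10:00", "event_id": 4728, "group": "Domain Admins",
     "member": "CORP\\svc-temp", "actor": "CORP\\adm-jsmith"},
    {"ts": "2019-05-14T02:25:00", "event_id": 4729, "group": "Domain Admins",
     "member": "CORP\\svc-temp", "actor": "CORP\\adm-jsmith"},
    {"ts": "2019-05-14T09:00:00", "event_id": 4732, "group": "Helpdesk Operators",
     "member": "CORP\\newhire", "actor": "CORP\\adm-jsmith"},
    {"ts": "2019-05-14T11:30:00", "event_id": 4733, "group": "Administrators",
     "member": "CORP\\adm-old", "actor": "CORP\\adm-lee"},
    {"ts": "2019-05-14T14:00:00", "event_id": 4756, "group": "Enterprise Admins",
     "member": "CORP\\adm-new", "actor": "CORP\\adm-lee"},
]


def group_change_alerts(events, short_lived=timedelta(minutes=30)):
    """Alert on every membership change to a watched group.

    A removal that follows the matching addition within `short_lived` is
    raised as its own rule, because a brief stay in a privileged group is
    easy to miss when only current membership is reviewed.
    """
    alerts = []
    open_adds = {}  # (group, member) -> time the member was added
    for ev in sorted(events, key=lambda e: e["ts"]):
        group = ev["group"].lower()
        if group not in WATCHED_GROUPS:
            continue
        when = datetime.fromisoformat(ev["ts"])
        key = (group, ev["member"].lower())
        if ev["event_id"] in ADD_IDS:
            open_adds[key] = when
            rule = "member_added"
        elif ev["event_id"] in REMOVE_IDS:
            added = open_adds.pop(key, None)
            if added is not None and when - added <= short_lived:
                rule = "short_lived_membership"
            else:
                rule = "member_removed"
        else:
            continue  # not a membership change
        alerts.append({"ts": ev["ts"], "rule": rule, "group": ev["group"],
                       "member": ev["member"], "actor": ev["actor"]})
    return alerts


if __name__ == "__main__":
    for alert in group_change_alerts(SAMPLE_EVENTS):
        print(alert)
```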

Lateral Movement

Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.

This can be started by reducing the internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged activity or Administrator activity should always originate from an approved “jump box” that is hardened and monitored, and has specific access restrictions for only users that require this access. Role-based access should also be enforced: not everyone should have access to production, and not everyone should have access to the code base or sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that is expecting specific capabilities, such as the Server Message Block (SMB) protocol, for example.
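The jump-box and segmentation rules above can be checked against flow logs once the segments are written down. The following is an added example, not from the original post; the address ranges, jump-box address, port list and flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed segment layout for illustration; replace with your own VLAN ranges.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "vpn": ipaddress.ip_network("10.20.0.0/16"),
    "critical": ipaddress.ip_network("10.50.0.0/24"),
}
JUMP_BOXES = {ipaddress.ip_address("10.40.0.10")}  # approved admin origin (assumed)
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
WORKSTATION_SEGMENTS = {"users", "vpn"}

# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    {"src": "10.40.0.10", "dst": "10.50.0.5", "dport": 3389},   # jump box: expected
    {"src": "10.10.3.7", "dst": "10.50.0.5", "dport": 3389},    # RDP from user VLAN
    {"src": "10.10.3.7", "dst": "10.10.8.22", "dport": 445},    # workstation to workstation
    {"src": "10.10.3.7", "dst": "10.50.0.20", "dport": 443},    # normal application use
    {"src": "10.20.1.4", "dst": "10.50.0.5", "dport": 22},      # SSH from VPN pool
]


def segment_of(ip):
    """Return the name of the segment containing ip, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return "other"


def review_flow(flow):
    """Return a reason string if the flow breaks the policy, else None."""
    src_seg = segment_of(flow["src"])
    dst_seg = segment_of(flow["dst"])
    protocol = ADMIN_PORTS.get(flow["dport"])
    from_jump_box = ipaddress.ip_address(flow["src"]) in JUMP_BOXES

    # Rule 1: administrative protocols into the critical segment must come
    # from an approved jump box, whatever segment the source sits in.
    if dst_seg == "critical" and protocol and not from_jump_box:
        return "%s to critical segment from '%s', not a jump box" % (protocol, src_seg)

    # Rule 2: SMB between workstation segments has no business need in this
    # model and is a common path for worm-style spread.
    if (protocol == "SMB" and src_seg in WORKSTATION_SEGMENTS
            and dst_seg in WORKSTATION_SEGMENTS):
        return "workstation-to-workstation SMB"
    return None


def policy_findings(flows):
    """Return (src, dst, dport, reason) for every flow that breaks the policy."""
    findings = []
    for flow in flows:
        reason = review_flow(flow)
        if reason:
            findings.append((flow["src"], flow["dst"], flow["dport"], reason))
    return findings


if __name__ == "__main__":
    for finding in policy_findings(SAMPLE_FLOWS):
        print(finding)
```

The same rule table can drive the VLAN access lists, so that the detection and the enforcement describe one policy.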

Encryption of Data

The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.

For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?

Take Action Today

These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. Educate yourself with more information on Cisco Ransomware Defense solutions. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.

The post Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today appeared first on Cisco Blog.

FBI Investigating Baltimore Ransomware Attack

Mayor Bernard C. “Jack” Young has assured the residents of Baltimore that the city’s emergency system will start functioning normally, even as the city fights ransomware attacks on its computer networks.

FBI agents are investigating the cyber breach, which was first discovered Tuesday morning, and the city’s IT department is working to fix the problem with “some outside help,” Young said. Director of the IT department, Frank Johnson, confirmed that the city’s computers were infected with a “very aggressive” form of ransomware called “RobinHood,” which locks up or holds city files for ransom until the money is paid to the hackers responsible for the malware.

Lester Davis, Young’s spokesman, confirmed that there were no personal data of the city residents stolen from the city’s computer system.

Technicians are currently working to find the cause of the problem and determine what is really involved. He and Young refused to comment on the scope of the attack. They said it is under investigation and could not give a time limit when the problem could be resolved.

Young said he would not pay a ransom to the hackers or anybody.

Residents who want to pay water bills, parking tickets, and other expenses need to “return to the manual,” Young said, and pay them in person. Late fees for these payments are also temporarily suspended.

“We can say with confidence that public safety systems are up and operational,” Johnson said. “For now, if anybody needs to contact the city the best way to do it is to pick up the plain old telephone and give us a call.”

All city employees are working today, even though they are not able to access their emails or files, said Young. If the attack keeps the employees from doing their jobs, the mayor said he would ask them if they would “go out and help us cleanse the city.” This is the second cyber attack on the city in more than a year.

In March 2018, the city's 911 dispatch system was breached and the call service had to be temporarily put into manual mode, which meant that information about incoming callers could not be forwarded electronically. The system was fully recovered within 24 hours.

Immediately after the 2018 attack, Johnson said the attack was a case of ransomware. An investigation revealed that systems were left vulnerable because of some internal change made to the system’s firewall by a technician who was troubleshooting an unrelated communication issue within the computer-aided dispatch system, Johnson noted.

Johnson said Wednesday that the city has “very, very good capability” for stopping cyber-attacks, and includes cybersecurity awareness in its training for city employees. He added that the city’s IT infrastructure has been assessed several times since he took control of the department in late 2017 and has gotten “multiple clean bills of health.”

He refused to say how often the computer and the city system were updated.

Similar ransomware attacks have occurred in recent years in airports, hospitals, private companies, and other cities, and city officials point out that hacking is not just in Baltimore.

“This could happen anywhere,” Young said. “I don’t care what kind of system you put in place, they always find a way to infect the system.”

Source: https://baltimore.cbslocal.com/2019/05/10/fbi-investigating-baltimore-city-ransomware-attack/


Cyber News Rundown: Dharma Diversion

Dharma Ransomware Employs Diversion Tactics

Researchers recently discovered a new ransomware variant that displays an ESET AV removal screen once launched in order to divert the victim’s attention from the silent encryption taking place. Initially dropped by an email spam campaign, the payload comes as a password-protected zip archive, with the password made available in the body of the email to entice curious readers. In addition to the ESET removal instructions, the archive also contains a traditional ransom demand with instructions for purchasing and transferring Bitcoin.

Binance Crypto-Exchange Hacked

At least 7,000 Bitcoin were illicitly removed from the hot wallet of Binance, an international cryptocurrency exchange, in a single transaction. By compromising the personal API keys and bypassing two-factor authentication, the hackers were able to access the wallet and steal roughly $41 million worth of Bitcoin. The complete details of the breach are still unknown.

Global Malvertiser Sentenced in US

A man operating several fake companies distributing hundreds of millions of malicious ads across the globe has been arrested and is facing charges after his extradition to the U.S. For nearly five years, Mr. Ivanov and his co-conspirators created dozens of malvertising campaigns, usually starting a new one immediately after the previous one was flagged by a legitimate ad network. While this is not the only case of malvertising campaigns causing chaos on the web, it is one of the first to see actual indictments.

Robbinhood Ransomware Shuts Down Two US Cities

Both Baltimore City Hall and the city of Amarillo, Texas, were victims of a variant of Robbinhood ransomware this week. Following the attack, citizens of both cities will be seeing online bill payment options temporarily offline as they work to restore networks that were damaged or disconnected to stop the spread of the infection. This is the second cyber attack to hit both cities within the past year, with Potter County, Texas recovering from a similar attack just a couple weeks ago. Neither city has released more information on the ransom amount or when the attack began.

Freedom Mobile Exposes Payment Credentials

An unencrypted database containing millions of customer records for Freedom Mobile, a Canadian telecom provider, was discovered to be left freely available to the public. While the database was secured in less than a week, the time it was left accessible to criminals is cause for concern. The data contained full payment card information, including essentially everything a criminal would need to commit identity fraud against millions of people. Though Freedom Mobile claims that 15,000 were affected, the exposure calls into question the practices used to store their sensitive data.

The post Cyber News Rundown: Dharma Diversion appeared first on Webroot Blog.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was focused on payment card data breaches and Verizon breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is the reason why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motive behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
      • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point of sale breaches
      • The hacktivist threat remains low; the increase in hacktivist attacks reported in the DBIR 2012 report appears to be a one-off spike

Cyber Security Roundup for April 2019

The UK government controversially gave a green light to Huawei to get involved with the building of the UK's 5G networks, although the Chinese tech giant's role will be limited to non-sensitive areas of the network, such as providing antennas. This decision, made by Theresa May, came days after US intelligence announced Huawei was Chinese state funded, and amidst reports of historical backdoors in Huawei products, stoking up the Huawei political and security row even further this month, and has resulted in the UK Defence Secretary, Gavin Williamson, being sacked.

The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK cyber intelligence boffins to help organisations prepare for managing major cyber attacks. The premise is that the tool will help UK organisations avoid scenarios such as 2017’s WannaCry attacks, which devastated NHS IT systems and placed patient lives at risk.
 
German drug manufacturing giant Bayer found a malware infection, said to originate from a Chinese group called "Wicked Panda". The malware in question was WINNTI, which is known in the security industry and allows remote access into networks, allowing hackers to deliver further malware and to conduct exploits. In my view, the presence of WINNTI is a sure sign of a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector. Bayer stressed there was no evidence of data theft, but they are still investigating.
 
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business' operations globally, with most of the damage occurring at their European base. The ransomware wasn't named, but it left multiple Windows systems, on their presumably flat network infrastructure, paralyzed.
 
Facebook may have announced the dawn of their "privacy evolution" at the end of April, but their privacy woes still continue, after Upguard researchers found and reported 540 million Facebook member records on an unsecured AWS S3 bucket. The "Cultura Colectiva" dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more. Looks like Facebook really have their work cut out in restoring their consumers' faith in protecting their privacy.
 
UK businesses saw a significant increase in cyber attacks in 2019 according to a report by insurer Hiscox, with 55% of respondents reporting they had faced a cyber attack in 2019, up from 40% last year.
 
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before the CyberUK 2019 conference in Glasgow, which I was unable to attend due to work commitments, the survey said the most common password on breached accounts was "123456", used by 23.2 million accounts worldwide. Next on the list were "123456789", "qwerty", "password" and "1111111". Liverpool was the most common Premier League football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. So the password still remains the biggest Achilles' heel of our security.

The UK hacktivist threat came back to the fore this month, after the Anonymous Group took revenge on the UK government for arresting WikiLeaks founder Julian Assange, by attacking Yorkshire Councils. I am not sure what the Yorkshire link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack. A tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana', with an image, suggested they had access to Bedale Council's confidential files, and were threatening to leak them.
 
Microsoft Outlook.com, Hotmail and MSN users are reported as having their accounts compromised. TechCrunch revealed the breach was caused by hackers getting hold of a customer support tech's login credentials.

Over two million WiFi passwords were found exposed on an open database by the developer of WiFi Finder. The WiFi Finder App helps to find and log into hotspots.

Two in every three hotel websites leak guest booking details and personal data according to a report. Over 1,500 hotels in 54 countries failed to protect user information.
 
Finally, but not least, a great report by Recorded Future on the rise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checker' tools to validate compromised credentials, before selling them on.

I am aware of school children getting sucked into this illicit world. It typically starts with them seeking to take over better online game accounts after their own account is compromised, and they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you - see password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or are informed your account 'may' have been compromised, change your password straight away.


This Week in Security News: Phishing Attacks and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.

Read on:

New Report Finds 25% of Phishing Attacks Circumvent Office 365 Security

As email remains a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number.

New Twist in the Stuxnet Story

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.

Cybersecurity Proposal Pits Cyber Pros Against Campaign Finance Hawks

A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.

New Sextortion Scheme Demands Payment in Bitcoin Cash

Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.  

This Free Tool Lets You Test Your Hacker Defenses

Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.

Ransomware Hits County Offices, Knocks The Weather Channel Offline

On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes. 

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed. 

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online

A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.

Cybersecurity: UK Could Build an Automatic National Defense System, Says GCHQ Chief

The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.

Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

UK-based organisations are getting better at preventing ransomware

The UK is one of the few countries that has seen a year-on-year reduction in ransomware attacks, a new study has found.

According to the 2019 SonicWall Cyber Threat Report, ransomware infections in the UK decreased by 59% in the past year, a stark contrast to the 11% increase globally.

Has the UK learned a lesson?

Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.

The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.

Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.

However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.

Bill Conner, president and CEO of SonicWall, said that, following WannaCry, “you guys [the UK] were all over [ransomware].”

The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.

“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.

Ransomware solutions

There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.

The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.

It’s therefore always advisable to use backups where possible rather than paying a ransom.

Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.

Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.

Get started with staff awareness

Our Phishing and Ransomware – Human patch e-learning course makes staff awareness training simple.

This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.

The post UK-based organisations are getting better at preventing ransomware appeared first on IT Governance Blog.

Security roundup: April 2019

We round up interesting research and reporting about security and privacy from around the web. This month: healthy GDPR, gender rebalance, cookie walls crumble, telecom threats and incident response par excellence.

A healthy approach to data protection

Ireland’s Department of Health is now considering amendments to the Health Research Regulations, with data protection as one of the areas under review. The Health Research Consent Declaration Committee, which was formed as part of the Health Research Regulations made under GDPR, confirmed the possible amendments in a statement on its website.

GDPR triggered significant changes to health research because of the obligations on data protection impact assessments. Our senior data protection consultant Tracy Elliott has blogged about this issue.

The newly announced engagement process may lead to changes to the Health Research Regulations “where any such amendments are sound from a policy perspective and legally feasible”, the HRCDC said. A more detailed statement on the proposed amendments is available at this link.

A welcome improvement

Women now make up almost a quarter of information security workers, according to new figures from ISC(2). For years, female participation in security roles hovered around the 10-11 per cent mark. The industry training and certification group’s latest statistics show that figure is much higher than was generally thought.

Some of this increase is due to the group widening its parameters beyond pure cybersecurity roles. The full report shows that higher percentages of women security professionals are attaining senior roles. This includes chief technology officer (7 per cent of women vs. 2 per cent of men), vice president of IT (9 per cent vs. 5 per cent), IT director (18 per cent vs. 14 per cent) and C-level or executive (28 per cent vs. 19 per cent).

“While men continue to outnumber women in cybersecurity and pay disparity still exists, women in the field are buoyed by higher levels of education and certifications, and are finding their way to leadership positions in higher numbers,” ISC(2) said.

The trends are encouraging for any girls or women who are considering entering the profession; as the saying goes, if you can see it, you can be it. (The report’s subtitle is ‘young, educated and ready to take charge’.) After the report was released, Kelly Jackson Higgins at Dark Reading tweeted a link to her story from last year about good practice for recruiting and retaining women in security.

Great walls of ire

You know those annoying website pop-ups that ask you to accept cookies before reading further? They’re known as cookie walls or tracker walls, and the Dutch data protection authority has declared that they violate the General Data Protection Regulation. If visitors can’t access a website without first agreeing to be tracked, they are being forced to share their data. The argument is that this goes against the principle of consent, since the user has no choice but to agree if they want to access the site.

Individual DPAs have taken different interpretations on GDPR matters. SC Magazine quoted Omar Tene of the International Association of Privacy Professionals, who described the Dutch approach as “restrictive”.

This might be a case of GDPR solving a problem of its own making: The Register notes that cookie consent notices showed a massive jump last year, from 16 per cent in January to 62.1 per cent by June.

Hanging on the telephone

Is your organisation’s phone system in your threat model? New research from Europol’s European Cybercrime Centre and Trend Micro lifts the lid on network-based telecom fraud and infrastructure attacks. The Cyber-Telecom Crime Report includes case studies of unusual attacks to show how they work in the real world.

By accessing customers’ or carriers’ accounts, criminals have a low-risk alternative to traditional forms of financial fraud. Among the favoured tactics is vishing, which is a voice scam designed to trick people into revealing personal or financial information over the phone. ‘Missed call’ scams, also known as Wangiri, involve calling a number once; when the recipient calls back, thinking it’s a genuine call, they connect to a premium rate number. The report includes the eye-watering estimate that criminals make €29 billion per year from telecom fraud.

Trend Micro’s blog takes a fresh angle on the report findings, focusing on the risks to IoT deployments and to the arrival of 5G technology. The 57-page report is free to download from this link. Europol has also launched a public awareness page about the problem.  

From ransom to recovery

Norsk Hydro, one of the world’s largest aluminium producers, unexpectedly became a security cause célèbre following a “severe” ransomware infection. After the LockerGoga variant encrypted data on the company’s facilities in the US and Europe, the company shut its global network, switched to manual operations at some of its plants, and stopped production in others.

Norsk Hydro said it planned to rely on its backups rather than paying the ransom. Through it all, the company issued regular updates, drawing widespread praise for its openness, communication and preparedness. Brian Honan wrote: “Norsk Hydro should be a case study in how to run an effective incident response. They were able to continue their business, although at a lower level, in spite of their key systems being offline. Their website contains great examples of how to provide updates to an issue and may serve as a template for how to respond to security breaches.”

Within a week, most of the company’s operations were back running at capacity. Norsk Hydro has released a video showing how it was able to recover. Other victims weren’t so lucky. F-Secure has a good analysis of the ransomware that did the damage, as does security researcher Kevin Beaumont.

Links we liked

Remember the Melissa virus? Congratulations, you’re old: that was 20 years ago.

New trends in spam and phishing, whose popularity never seems to fade.

For parents and guardians: videos to spark conversations with kids about online safety.

A look behind online heists on Mexican banks that netted perpetrators nearly $20 million.

While we’re on the subject, more cybercriminal tactics used against financial institutions.

This is a useful high-level overview of the NIST cybersecurity framework.

This campaign aims to hold tech giants to account for fixing security and privacy issues.

How can security awareness programmes become more effective at reducing risk?

An excellent security checklist for devices and accounts, courtesy of Bob Lord.

Shodan Monitor alerts organisations when their IoT devices become exposed online.

The post Security roundup: April 2019 appeared first on BH Consulting.

Cyber Security Roundup for March 2019

The potential threat posed by Huawei to the UK national infrastructure continues to be played out. GCHQ called for a ban on Huawei technology within UK critical networks, such as 5G networks, while Three said a Huawei ban would delay the UK 5G rollout, and the EU ignored the US calls to ban Huawei in 5G rollouts, while promoting the EU Cybersecurity certification scheme to counter the Chinese IT threat, which is all rather confusing. Meanwhile, Microsoft researchers found an NSA-style backdoor in Huawei laptops, which was reported to Huawei by Microsoft, leading to the flaw being patched in January 2019.

A serious security flaw placed Royal Bank of Scotland (RBS) customers at risk. The vulnerability was discovered by PenTest Partners in the bank-provided 'Heimdal Thor' security software, which was meant to protect NatWest customers from cyber-attacks but actually permitted remote injection of commands at the customer's endpoint. PenTest Partners said "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details. To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it's often all too easy to compromise home wi-fi setups."
 
Facebook made negative security headlines yet again after they disclosed that 20,000 of their employees had access to hundreds of millions of their user account passwords for years.

One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from the ransomware attack on Norsk Hydro reach as high as $40M.

Citrix disclosed that a security breach of its internal network may have compromised 6Tb of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.

Credit monitoring firm Equifax admitted in a report that it didn't follow its own patching schedule, neglecting to patch Apache Struts, which led to a major 2017 breach that impacted 145 million people. The report also said Equifax delayed alerting their customers for 6 weeks after detecting the breach.

ASUS computers had backdoors added through its software update system, in an attack coined “ShadowHammer”. Kaspersky researchers estimated malware was distributed to nearly a million people, although the cybercriminals appeared to have only targeted 600 specific devices. Asus patched the vulnerability but questions still remain.


The top 10 biggest breaches of 2018 according to 4iQ were:
  1. Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses.
  2. Aadhaar, India – (Open third party device) 1.1 billion people affected
  3. Marriott Starwood Hotels – (Hacked) 500 million guests PII
  4. Exactis – (Open device) 340 million people and businesses.
  5. HuaZhu Group – (Accidental Exposure) 240 million records
  6. Apollo – (Open device) 150 million app users.
  7. Quora – (Hacked) 100 million users.
  8. Google+ – (API Glitch) 52.2 million users.
  9. Chegg – (Hacked) 40 million accounts 
  10. Cathay Pacific Airways – (Targeted attack) 9.4 million passengers.

Barracuda Networks reported the top 12 phishing email subject lines, after they analysed 360,000 phishing emails over a three-month period.

How to Safeguard Your Family Against A Medical Data Breach

The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records being breached by a hacking or IT incident, at a cost to consumers of nearly $6 billion.

The IoT Factor

Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT), which in short means everything is digitally connected to everything else, consumer products also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals are children’s health information (stolen from pediatrician offices) since a child’s credit records are clean and more useful tools in credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” says Samani.

Healthcare professionals, hospitals, and health insurance companies, though responsible for giving criminals an entry point, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices

According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all.) Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime.

Want to do some malware analysis? Here’s how to set up a Windows VM for it.

You give apps personal information. Then they tell Facebook (PAYWALL).

Ever wondered how cybercriminals turn their digital gains into cold, hard cash?

This 190-second video explains cybercrime to a layperson without using computers.

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler.

Tips for improving cyber risk management.

Here’s what happens when you set up an IoT camera as a honeypot.

The post Security roundup: March 2019 appeared first on BH Consulting.

How To Secure Your Smart Home

Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

Still, given the benefits we get from these devices, they are probably here to stay.  We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

Cybercrooks have already taken note of these opportunities: malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.

So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

Follow these smart home safety tips:

  • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
  • Safeguard your devices—Before you connect a new IoT device to your home network—allowing it to potentially connect with other data-rich devices, like smartphones and computers—change the default username and password to something strong and unique. Hackers often know the default settings and share them online. Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
  • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
  • Install comprehensive security software –Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Secure Your Smart Home appeared first on McAfee Blogs.

Quick Heal Threat Report – Cryptojacking rising but Ransomware still #1 threat for consumers

In wake of the growing incidences of targeted cyber-attacks on enterprises using Cryptojacking, due to its ease of deployment and instant return on investments; it rather comes as a surprise that malware authors are still counting on Ransomware for targeting consumers and home users. Yes, you heard it right! According…

Ryuk, Exploring the Human Connection

In collaboration with Bill Siegel and Alex Holdtman from Coveware.

 

At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, and a detailed description of how the ransomware is piggybacking the infamous and ever evolving Trickbot as a primary attack vector. In this blog post we have teamed up with Coveware to take a closer look at the adversary and victim dynamics of Ryuk Ransomware. We structured our research using the Diamond threat model and challenged our existing hypotheses with fresh insights.

Introduction to The Diamond Model

Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.

For the Ryuk case described above the model can be applied as follows: “An Adversary, cyber-criminal(s), have a capability (Ryuk Ransomware) that is being spread via a TrickBot infection Infrastructure targeting specific victims.”

Diamond model of Intrusion Analysis

The Diamond Model offers a holistic view of an intrusion that is a helpful guideline to shape the direction of intelligence research. By searching for relationships between two elements one can gather new evidence. For instance, by analyzing and reverse engineering a piece of malware one might uncover that a certain server is being used for command and control infrastructure, thus linking capability with infrastructure (as shown below).

Linking Infrastructure and Capability

Alternatively, one might search underground forums to find information on adversaries who sell certain pieces of malware, thus linking an adversary with a capability. For instance, finding the underground forum advertisement of Hermes2.1.

Linking Adversary and Capability

Analysis of Competing Hypotheses

In our earlier publication we explained The Analysis of Competing Hypotheses (ACH), the process of challenging formed hypotheses with research findings.
By following this method, we concluded that the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.
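
The scoring rule stated above, worked through on a small ACH matrix as an added example (not McAfee ATR's or Coveware's tooling). The evidence rows paraphrase findings reported on this page; the C/I/N ratings, the three hypothesis labels and the function names are constructed for illustration and are not the authors' assessments.

```python
"""ACH matrix scoring: rank hypotheses by least falsifying evidence."""

HYPOTHESES = ("state-backed", "single crime group", "several crime groups")

# Constructed ratings, one character per hypothesis in HYPOTHESES order.
# C = consistent, I = inconsistent, N = neutral / not applicable.
MATRIX = [
    ("Code blocks in Ryuk are similar to those in Hermes", "CCC"),
    ("Hermes has been used in the past by North Korean actors", "CNN"),
    ("Hermes 2.1 kit offered in an underground forum", "ICC"),
    ("Language check exempts Russian, Ukrainian and Belarusian systems", "ICC"),
    ("Negotiation replies carry post-Soviet cultural references", "ICC"),
    ("Initial email responses differ in length, language and opening ask", "NIC"),
    ("Negotiation outcomes are bar-belled", "NIC"),
    ("Post-payment bitcoin activity shows little difference between cases", "NCI"),
]


def tally(matrix, hypotheses=HYPOTHESES):
    """Count C/I/N ratings per hypothesis, rejecting malformed rows."""
    counts = {h: {"C": 0, "I": 0, "N": 0} for h in hypotheses}
    for evidence, ratings in matrix:
        if len(ratings) != len(hypotheses) or set(ratings) - set("CIN"):
            raise ValueError(f"bad rating row for: {evidence}")
        for hypothesis, rating in zip(hypotheses, ratings):
            counts[hypothesis][rating] += 1
    return counts


def rank(matrix, hypotheses=HYPOTHESES):
    """Order by fewest inconsistent items; confirmations only break ties."""
    counts = tally(matrix, hypotheses)
    return sorted(hypotheses, key=lambda h: (counts[h]["I"], -counts[h]["C"]))


def non_diagnostic(matrix):
    """Evidence rated the same for every hypothesis cannot separate them."""
    return [evidence for evidence, ratings in matrix if len(set(ratings)) == 1]


def linchpins(matrix, hypotheses=HYPOTHESES):
    """Evidence whose removal leaves the leader without a strict lead."""
    leader = rank(matrix, hypotheses)[0]
    found = []
    for i, (evidence, _ratings) in enumerate(matrix):
        counts = tally(matrix[:i] + matrix[i + 1:], hypotheses)
        best_rival = min(counts[h]["I"] for h in hypotheses if h != leader)
        if counts[leader]["I"] >= best_rival:
            found.append(evidence)
    return found


if __name__ == "__main__":
    print("ranking:", rank(MATRIX))
    print("non-diagnostic:", non_diagnostic(MATRIX))
    print("linchpins:", linchpins(MATRIX))
```

With these ratings the code-similarity row is non-diagnostic, and the ranking depends on the two negotiation rows, which is where re-checking the evidence pays off most.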

In order to construct a hypothesis with the least falsifying evidence we welcome research published by our industry peers to disseminate insights that challenge our hypotheses. When we combined all the evidence with links on the diamond model, we discovered that one essential link wasn’t made: the link between adversary and victim.

Seeking New Insights Between Adversary and Victim

Despite published research, the direct link between adversary and victim remained relatively unexplored. Unlike most cybercrime, ransomware and digital extortion frequently create a strong social connection between adversary and victim. The adversary has certain needs and views the victim as the means to fulfill those needs. The connection between an adversary and victim often generates valuable insights, especially in cases where (extensive) negotiations take place.

Luckily, one of our NoMoreRansom partners, Coveware, specializes in ransomware negotiations and has gained valuable insights that help us link adversary and victim.

The social connection between Adversary and Victim

Ransom Amounts and Negotiations

By aggregating ransomware negotiation and payment data, Coveware is able to identify strain-specific ransomware trends. With regard to Ryuk, it should be noted that ransom amounts average more than 10x the average, making it the costliest type of ransomware. Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k.

The bar-belled negotiation outcomes meant that some victims were stonewalled. These victims either lost their data or took on staggering financial risk to pay the ransom. The outcomes also imply that in certain cases the adversary would rather receive infrequent large windfalls (often in excess of 100BTC), while in other cases the adversary was keen to monetize every attack and accept lower amounts to ensure payment. This difference in modus operandi suggests that more than one cyber-criminal group is operating Ryuk ransomware.

Ransom Note and Negotiation Similarities and Differences

Similarities between Bitpaymer and Ryuk ransom notes have been observed before. While it is not uncommon for ransom notes to share similar language, sequences of phrases tend to remain within the same ransomware family. Slight copy+paste modifications are made to the ransom text as a variant is passed along to different groups, but large alterations are rarely made. Below is a comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right).

A comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right)

The shared language implies that text once unique to a Bitpaymer campaign was borrowed for a Ryuk campaign, possibly by an operator running simultaneous ransom campaigns of both Bitpaymer and Ryuk. Alternatively, the imitation can be considered the sincerest form of flattery.

Different Initial Email Response May Be Different Adversaries?

A more dramatic scripted communication difference has been observed in the initial email response from Ryuk adversaries. The initial email response is typically identical within ransomware families belonging to the same campaign. When significant differences in length, language, and initial ransom amount appear in the initial email response we are comfortable assuming they belong to unique groups with unique modus operandi. This would mean that Ryuk is being spread by more than one actor group.

Below are two such Ryuk examples:

 

Post Payment Bitcoin Activity

A final indicator that multiple groups are running simultaneous Ryuk campaigns can be observed in the activity of bitcoin after it hits a ransom address. Surprisingly, despite the differences between negotiation outcome and initial communications, Coveware observed little difference between the BTC wallets (blacked out to protect victims) associated with the above cases. Initial comparison showed no meaningful difference in the time between a ransom payment and the corresponding withdrawal. Additionally, the distribution of funds upon withdrawal was consistently split between two addresses. Coveware will continue to monitor the funds associated with campaigns for meaningful indicators.

Ryuk Negotiating Profiles

With few exceptions, the rest of the email replies during a Ryuk extortion negotiation are extremely short and blunt. Typical replies and retorts are generally less than 10 written words and often just a single number if the ransom amount is the point of discussion. This correspondence is unique to Ryuk.

One reply did contain quite a remarkable expression, “à la guerre comme à la guerre,” to contextualize the methods and reasons for the cyber criminals’ attacks on western companies. The French expression originates from the seventeenth century; it literally translates to “in war as in war” and loosely translates to “In harsh times one has to do with what’s available”. The striking thing about this expression is that it is prominently featured in volume 30 of the collected works of the Soviet revolutionary leader Vladimir Lenin. Lenin uses the expression to describe the struggle of his people during the war against western capitalism.

This concept of “The capitalistic West versus the Poor east” is actually something McAfee ATR sees quite often expressed by cyber criminals from some of the Post-Soviet republics. This expression may be a clear indicator of the origin and cultural view of the criminals behind Ryuk.

Ryuk poses existential risk to certain industries

Even though the average ransom discounts of Ryuk are large (~60%), the absolute level of the ransom is extreme. Accordingly, we have seen evidence that links ransom demands to the size of the network footprint of the victim company. However, this doesn’t mean that the ransom demand correlates to the victim’s actual operational and financial size.

Companies in the IT Hosting and the Freight and Logistics industries have been particularly susceptible to this discrepancy. Coveware has assisted at least 3 companies that have had to unwind their business when an affordable ransom amount could not be reached. Typically, downtime costs are 10x the ransom amount, but in these industries downtime costs can be particularly extreme.

IT Hosting companies are of note as the size and number of their servers can make them appear like a large organization. Unfortunately, the business of hosting involves high fixed costs, low operating margins, and zero tolerance of downtime by end clients.  Hosting companies that get attacked typically have a few hours to restore service before their clients drop them for alternatives. Moreover, these companies suffer irreparable harm to their reputations, and may trigger SLA breaches that leave them exposed to liability.  The inability to pay a six-figure ransom has caused multiple hosting companies to shut down.

Freight and Logistics firms are also acutely exposed. These firms also present like larger firms given the volume of data they move and their network footprint. Additionally, attacks against Freight and Logistics firms can cause immediate supply chain issues for the victims’ end clients, who are subsequently forced to route through other service providers. Similar to IT Hosting, Freight and Logistics firms have low operating margins and end clients with little tolerance for service interruptions. The inability to pay or negotiate a large ransom has materially impacted several firms in this industry.

Ryuk Decryptor findings and issues

When victims do pay the exorbitant ransom amount, the criminals will provide a decryptor to unlock their files. This decryptor is actually a framework that needs to be loaded with a victim’s private RSA key, provided by the criminals, in order to decrypt, ensuring that the provided decryptor will only work for this specific victim. This setup allows the criminals to quickly load a victim’s key into the framework and offer a custom decryptor with minimal code change while the underlying framework remains the same.

From Coveware’s experience we have learned that the decryption process is quite cumbersome and full of possible fatal errors. Luckily Coveware was able to share the Ryuk decryptor with McAfee ATR in order to take a closer look at the issues and level of sophistication of the decryptor.

Once launched, the first thing the decryptor does is search the HKEY_CURRENT_USER hive for a value pair named “svchos” in the path “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” and delete that specific entry. This removes the persistence of the malware. Afterwards it will reboot the system and remove any remaining Ryuk malware still residing on the system.

Deleting the “svchos” value from the registry.

Once rebooted the user needs to run the tool again and the decryptor will provide two options to decrypt.

  • Decryption per file
  • Automatic decryption

The main interface of the Ryuk decryptor with the different menu options.

HERMES File Marker

During the decryption process we have found that the decryptor searches for the known file marker string HERMES which is located in the encrypted file.

The HERMES marker clearly visible within the file

The fact that Ryuk ransomware adds the HERMES file marker string was already known, but discovering this specific check routine in the decryptor further strengthens the hypothesis that Ryuk is a slightly modified version of the Hermes2.1 ransomware kit that is sold online.

Decryptor Issues

While examining the decryptor we were astonished by the lack of sophistication and the number of errors that resided within the code. Some of the most prominent issues were:

  • If there is a space in the Windows file path the decryptor will fail the decryption process.
  • If there is a quotation mark (“) in the file path the decryptor will report an error that it cannot find the specific file.
  • The decryptor uses the “GetVersionExW” function to determine the Windows version. From Windows 8.1, the value returned by this API has changed and the decryptor isn’t designed to handle this value.
  • The decryptor doesn’t remove the .RYUK extension and replace it with the original extension. So, there is no way the name of the file can give an indication towards the type of the file, something that can be extremely labor intensive for enterprise victims.
  • When choosing the manual option in the decryptor, the user has to supply a path of the specific file or choose “0” to finish. However, choosing a “0” will put the decryptor into an infinite loop.

Looking at the decryptor, it is very worrisome to see that the criminals behind Ryuk can get away with such bad programming. It shows a clear lack of empathy towards their victims and the absence of solid coding skills. Victims who do pay the exorbitant ransom demand are far from in the clear. The decryptor offered by the criminals has a very high risk of malfunctioning, resulting in permanent damage to their precious files. Victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.
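
The issues listed above can be checked for before the decryptor is ever run. The following is an added example, not code from McAfee ATR, Coveware or the decryptor: it triages a working copy of an affected volume, hashing each candidate file and flagging paths the decryptor is reported to fail on. Searching the whole file for the marker (the article gives no offset), the function and field names, and the sample bytes are assumptions.

```python
"""Pre-decryption triage over a working copy of an affected volume."""
import hashlib
import os
import tempfile

MARKER = b"HERMES"   # file marker the article says the decryptor searches for
ENC_EXT = ".ryuk"    # extension the article says the decryptor leaves in place
RISKY_CHARS = {" ": "space in path", '"': "quotation mark in path"}


def scan_file(path, marker=MARKER, chunk=1 << 20):
    """Return (marker_found, sha256_hex) from one streaming pass.

    Assumption: the marker offset is unknown, so the whole file is searched;
    `tail` catches a marker that straddles two chunks.
    """
    digest = hashlib.sha256()
    found, tail = False, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
            if not found and marker in tail + block:
                found = True
            tail = (tail + block)[-(len(marker) - 1):]
    return found, digest.hexdigest()


def path_risks(path):
    """List the path properties the article says make the decryptor fail."""
    return [why for char, why in RISKY_CHARS.items() if char in path]


def triage(root):
    """Walk `root` and return one record per file that looks encrypted."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            has_ext = name.lower().endswith(ENC_EXT)
            marked, sha256 = scan_file(path)
            if not (has_ext or marked):
                continue  # neither extension nor marker: not a candidate
            records.append({
                "path": path,
                "has_extension": has_ext,
                "has_marker": marked,
                "sha256": sha256,  # baseline to compare against after decryption
                "decryptor_risks": path_risks(path),
            })
    return sorted(records, key=lambda r: r["path"])


def summarize(records):
    """Roll the records up into counts for planning the recovery."""
    return {
        "candidates": len(records),
        "marker_confirmed": sum(r["has_marker"] for r in records),
        "extension_without_marker": sum(
            r["has_extension"] and not r["has_marker"] for r in records),
        "path_breaks_decryptor": sum(bool(r["decryptor_risks"]) for r in records),
    }


def demo():
    """Triage a small constructed tree (sample bytes, not a real sample)."""
    root = tempfile.mkdtemp(prefix="ryuk_triage_")
    os.makedirs(os.path.join(root, "Finance Reports"))
    body = b"\x5a" * 64 + MARKER + b"\xa5" * 64
    samples = {
        "ledger.RYUK": body,
        os.path.join("Finance Reports", "q1.RYUK"): body,
        "stub.RYUK": b"\x00" * 32,      # extension present, marker absent
        "readme.txt": b"plain text",    # untouched file
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return summarize(triage(root))


if __name__ == "__main__":
    print(demo())
```

Files counted under `extension_without_marker` deserve manual review before any decryption attempt, and the recorded hashes show afterwards which files the decryptor actually changed.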

Call to action in piecing the different parts together

By combining all the fresh insights with the information that was already discovered by ourselves and industry peers we can start defining our leading hypotheses around Ryuk. Based on this hypothesis, we will actively look for falsifying evidence. We encourage the security community to participate in this process. We realize that only by collaboration can we piece the different parts of the Ryuk puzzle together.

By now it should be without question that involvement of the DPRK is the least likely hypothesis. Our leading hypothesis on Ryuk, until proven otherwise, is:

  • Ryuk is a direct descendant from Hermes2.1 with slight modifications, based on the code overlap in the ransomware as well as the decryptor.
  • Ryuk is not designed to be used in a large-scale corporate environment, based on all the scalability issues in the decryptor.
  • At this moment there are several actors or actor-groups spreading Ryuk, based on the extortion modus operandi and different communications with the victims.
  • The actors or actor-groups behind Ryuk have a relationship with one of the Post-Soviet republics, based on the Russian found in one of the encrypted files and the cultural references observed in the negotiations.
  • The actors behind Ryuk most likely have an affiliation or relationship with the actors behind Trickbot and, based on their TTP, are better skilled at exploitation and lateral movement than pure Ransomware development.

Conclusion

In the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor. The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.

When a company does give in to the high demands it is extra painful to see a situation occur where they are permanently unable to recover their files due to the faulty decryptor.

A solid data loss prevention strategy still remains the best advice against all forms of ransomware. For general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk.

The post Ryuk, Exploring the Human Connection appeared first on McAfee Blogs.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams that use clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email, asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.


The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Children’s Charity or CryptoMix? Details on This Ransomware Scam

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making a donation instead of a ransom payment. While CryptoMix has used this guise in the past, they’ve recently upped the ante by using legitimate information from crowdfunding pages for sick children to further disguise this scheme.

So, how does CryptoMix trick users into making ransom payments? First, the victim receives a ransom note containing multiple email addresses to contact for payment instructions. When the victim contacts one of the email addresses, the “Worldwide Children Charity Community” responds with a message containing the profile of a sick child and a link to the One Time Secret site. This website service allows users to share a post that can only be read once before it’s deleted. CryptoMix’s developers use One Time Secret to distribute payment instructions to the victim and explain how their contribution will be used to provide medical help to sick children. The message claims that the victim’s data will be restored, and their system will be protected from future attacks as soon as the ransom is paid. In order to encourage the victim to act quickly, the note also warns that the ransom price could double in the next 24 hours.

After the victim makes the payment, the ransomware developers send the victim a link to the decryptor. However, they continue to pretend they are an actual charity, thanking the victim for their contribution and assuring them that a sick child will soon receive medical help.

CryptoMix’s scam tactics show how ransomware developers are evolving their techniques to ensure they make a profit. As ransomware threats become stealthier and more sophisticated, it’s important for users to educate themselves on the best techniques to combat these threats. Check out the following tips to help keep your data safe from ransomware:

  • Back up your data. In order to avoid losing access to your important files, make copies of them on an external hard drive or in the cloud. In the event of a ransomware attack, you will be able to wipe your computer or device and reinstall your files from the backup. Backups can’t always prevent ransomware, but they can help mitigate the risks.
  • Never pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments.
  • Use security software. Adding an extra layer of security with a solution such as McAfee Total Protection, which includes Ransom Guard, can help protect your devices from these types of cyberthreats.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Children’s Charity or CryptoMix? Details on This Ransomware Scam appeared first on McAfee Blogs.

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

Senior analyst Ryan Sherstobitoff contributed to this report.

During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.

The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.

How McAfee approaches attribution

Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.

Ryuk attack: putting the pieces together

In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.

One of the functions we often see in ransomware samples is that they will not execute if the victim’s system language is one of the following:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the malware kit Hermes 2.1 ransomware.

What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?

In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.

This post contains a link to an article in the Russian security magazine Xakep.ru (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.

Manga connection

Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.

Ransomware is typically named by its cybercriminal developer, as opposed to the naming of state-sponsored malware, which is mostly done by the security industry. It seems the criminals behind Ryuk are into manga.

The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.

Technical indicators

Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.

Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths.

We can see the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables’ rich headers, they are also identical.
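The comparison described above (compile time, PDB path, Rich header checksum) can be scripted for sample triage. The following Python is an added example, not McAfee's tooling; the buffers, XOR key, tool entries and PDB paths are constructed placeholders, and the function names are hypothetical.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword

def fingerprint(data: bytes) -> dict:
    """Extract compile time, Rich header key/tool list and PDB path from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fp = {"compiled": struct.unpack_from("<I", data, e_lfanew + 8)[0],
          "rich_key": None, "tools": [], "pdb": None}
    # The Rich header sits between the DOS stub and the PE signature. The dword
    # after "Rich" is the checksum, which also serves as the XOR mask.
    end = data.find(b"Rich", 0x40, e_lfanew)
    if end >= 0:
        key = struct.unpack_from("<I", data, end + 4)[0]
        start = data.find(struct.pack("<I", DANS ^ key), 0x40, end)
        if start >= 0:
            fp["rich_key"] = key
            for off in range(start + 16, end, 8):  # skip DanS + 3 padding dwords
                comp, count = (v ^ key for v in struct.unpack_from("<II", data, off))
                fp["tools"].append((comp >> 16, comp & 0xFFFF, count))  # product, build, uses
    # Signature scan for the CodeView record: "RSDS", 16-byte GUID, 4-byte age, path.
    rsds = data.find(b"RSDS")
    if rsds >= 0:
        stop = data.find(b"\0", rsds + 24)
        fp["pdb"] = data[rsds + 24:stop if stop >= 0 else len(data)].decode("ascii", "replace")
    return fp

def shared_artifacts(a: dict, b: dict) -> list:
    """Names of build artifacts present in both fingerprints with identical values."""
    return [k for k in ("rich_key", "tools", "pdb") if a[k] and a[k] == b[k]]

def constructed_sample(key, tools, compiled, pdb) -> bytes:
    """Build a minimal PE-like buffer for the demo (constructed, not a real sample)."""
    rich = struct.pack("<4I", DANS ^ key, key, key, key)
    rich += b"".join(struct.pack("<II", (p << 16 | b) ^ key, n ^ key) for p, b, n in tools)
    rich += b"Rich" + struct.pack("<I", key)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80 + len(rich)) + bytes(0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, compiled)
    return dos + rich + coff + bytes(64) + b"RSDS" + bytes(20) + pdb.encode() + b"\0"

TOOLS = [(0x0105, 24215, 3), (0x0102, 24215, 1)]  # constructed product/build/count values
AUG = fingerprint(constructed_sample(0x1F2E3D4C, TOOLS, 1534000000, r"C:\build\proj_a\x64\Release\a.pdb"))
DEC = fingerprint(constructed_sample(0x1F2E3D4C, TOOLS, 1545000000, r"C:\build\proj_b\x64\Release\b.pdb"))

if __name__ == "__main__":
    print(shared_artifacts(AUG, DEC), AUG["compiled"], DEC["compiled"])
```

Rich headers and PDB strings can be copied or edited after compilation, so a match is one artifact to weigh among others rather than proof of common authorship.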

From a call-flow perspective, we notice the similarities and evolution of the code.

The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.

The author and seller of Hermes 2.1 emphasizes that what he is selling is a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing a name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.

Attribution: analyzing competing hypotheses

In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.

Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We not only seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.

The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.

The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.