Radiohead Refuses Ransom, Releases Stolen Tracks
The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were held to ransom for $150,000. Rather than pay the ludicrous fee, the band opted to release the tracks through Bandcamp in exchange for a donation to charity. The unreleased sessions were stored on archived MiniDiscs the band recorded during the years surrounding their third album, “OK Computer.”
US Border Protection Breached by Contractor
A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.
Billions of Spam Emails Sent Every Day
The latest industry report on spam revealed that around 3.4 billion fake or spam emails are sent across the globe each day. More worrying is that the majority originate in the US and regularly target US-based industries. While many industries have improved their security measures, larger enterprises have struggled to implement strong protection across their entire staff.
Ransomware Hits Washington Food Bank
The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of its computers, the exception being a machine isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including its email server, and rebuild from scratch. The ransomware is reported to be a GlobeImposter 2.0 variant, which requires the victim to contact the attacker to learn the ransom demanded.
Retro Game Site Breached
Account information for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related, has been leaked. The breach, which took place in April 2018, exposed 1.1 million email and IP addresses, many of which had already appeared in previous data breaches. It is still unclear how the breach took place, but given that passwords were stored as salted MD5 hashes, it is clear EmuParadise could have done more to protect its users’ information.
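Why salted MD5 is not enough for password storage, as an added illustration that is not part of the original roundup: the script below (example code, not EmuParadise’s) contrasts a single salted MD5, which an attacker can test at billions of guesses per second, with a deliberately slow PBKDF2-HMAC-SHA256 record that carries its own parameters and is verified in constant time. The iteration count, the record format and the sample password list are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional


# --- What salted MD5 gives you (the scheme attributed to the breached site) ---

def salted_md5(password: str, salt: bytes) -> bytes:
    """One fast MD5 over salt || password. The salt defeats precomputed
    (rainbow) tables, but each guess still costs the attacker one MD5."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def dictionary_attack(target: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a leaked salted-MD5 hash. A per-user salt only
    stops the attacker sharing work across users; it does not make a single
    guess expensive, so a dictionary walk like this finds weak passwords fast."""
    for guess in candidates:
        if hmac.compare_digest(salted_md5(guess, salt), target):
            return guess
    return None


# --- The hardened form: a salted, deliberately slow KDF ---

# Assumption for this example: an iteration count in the range current guidance
# recommends for PBKDF2-HMAC-SHA256. Tune it to your own hardware budget.
PBKDF2_ITERATIONS = 310_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$hash",
    so the work factor can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; malformed or foreign records never verify."""
    try:
        scheme, iterations_s, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked = salted_md5("password123", salt)
    print("salted MD5 recovered:", dictionary_attack(leaked, salt, ["hunter2", "letmein", "password123"]))
    record = hash_password("password123")
    print("stored record:", record)
    print("verify correct:", verify_password("password123", record))
    print("verify wrong:  ", verify_password("Password123", record))
```

The salt in the weak scheme still matters (it stops one cracking run covering every user at once), but only a slow, tunable KDF or a memory-hard one such as Argon2 makes each individual guess expensive enough that a leaked table is not immediately useful.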
The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.
Good news for the victims of the pyLocky ransomware versions 1 and 2: French authorities have released a pyLocky decryptor that recovers files for free.
French authorities have released a decryptor for pyLocky ransomware versions 1 and 2, which allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology and Systems Service, and independent volunteer researchers.
“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is the result of a collaboration among the agencies of the French Ministry of Interior, including the first Brigade of fraud investigations in information technology (BEFTI) of the Regional Directorate of the Judicial Police of Paris, on the basis of technical elements gathered during its investigations and collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior.
“Those elements allowed the Homeland Security Information Technology and Systems Service ST(SI)², part of the National Gendarmerie, to create that software.”
The French Ministry of Interior pointed out that the ransomware has hit many victims in Europe, especially SMBs, large businesses and associations.
The pyLocky decryptor can decrypt files encrypted by version 1 (filenames with the .lockedfile or .lockymap extensions) and by version 2 (the .locky extension).
The pyLocky decryptor can be downloaded from the following link:
The decryptor requires the Java Runtime Environment to be installed.
“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”
Let me remind you that the
The post French authorities released the PyLocky decryptor for versions 1 and 2 appeared first on Security Affairs.
The Belgian manufacturer of aeronautical equipment ASCO was forced to close its operations in Belgium, Germany, Canada and the United States after a ransomware attack at its Zaventem plant in Belgium.
ASCO is one of the world’s largest manufacturers of aeronautical equipment, providing high-end components such as high-lift devices, mechanical assemblies and functional components to aviation giants including Boeing, Airbus, Lockheed Martin, Bombardier Aerospace and Embraer.
The computer systems at the Zaventem plant in Belgium, which also serves as the company’s headquarters, were hit by ransomware last Friday, forcing the company to close its factories in Belgium, Germany, Canada and the United States to contain the impact of the attack.
ASCO employees sent on leave for an indefinite period
ASCO, acquired last year by the American company Spirit AeroSystems, has also sent home about 1,000 of its 1,400 employees at these factories for an extended shutdown and asked them not to return to work until further notice. The company’s non-production offices in France and Brazil are, however, currently operational.
ASCO has not yet issued an official statement about the ransomware attack, nor has it said what ransom was demanded, whether it intends to pay, or whether the infection caused any loss of intellectual property. The company did tell the Brussels Times that it had not so far detected any theft or loss of information.
Andrea Carcano, CPO and co-founder of Nozomi Networks, warned that it is never advisable to pay the ransom in these situations: “There is no guarantee that criminals will restore the systems. Organizations must prepare for this type of event and have a plan to limit the damage to the reputation of the brand.”
The attack comes two months after the European Commission approved the acquisition of the company by US-based Spirit AeroSystems. The all-cash acquisition of SRIF, the parent company of the Belgian aircraft components manufacturer, for a total of $650 million (£512 million) was announced in May 2018.
The first EU regulatory review was halted in October 2018 when Spirit withdrew its initial notification to the Commission over regulatory concerns. The company resumed the regulatory process in February 2019 after notifying the European Commission on 30 January.
Neither company issued a press release or announcement. The LinkedIn and Twitter accounts of both companies gave no confirmation or acknowledgement of the attack until the report was released.
The aerospace industry has been a frequent target of attackers recently. When a company in this sector is acquired, the new owner often keeps the legacy IT systems running rather than fully integrating and updating them, whereas newer companies tend to be better equipped and to have tighter control over their own IT estate.
Against ransomware, prevention is better than cure. Keep all systems up to date with the latest patches, and make sure no unpatched security vulnerabilities are left that could leave the organization exposed to attackers.
The post Aviation Equipment Major ASCO Victim of Ransomware Attack appeared first on .
Aircraft parts manufacturer ASCO has temporarily suspended operations worldwide after falling victim to a ransomware attack. As reported by Data News, ASCO decided that it would shut down its headquarters in Zaventem, a Belgian municipality situated within the province of Flemish Brabant, as a result of the attack. This suspension is expected to place approximately […]
The post Aircraft Parts Manufacturer Halts Operations After Ransomware Attack appeared first on The State of Security.
Malware infections can be devastating for production environments: a ransomware infection has halted production for days at the airplane parts manufacturer ASCO.
ASCO is one of the world’s largest manufacturers of aerospace components.
The company has offices and production plants in Belgium, Canada, Germany, the US, Brazil and France, and provides components to Airbus, Boeing, Bombardier Aerospace and Lockheed Martin.
As a result of having its IT systems crippled by the ransomware infection, the company sent home nearly 1,000 of its 1,400 employees on paid leave for the entire week.
“Employees of the Asco company in Zaventem are technically unemployed for a few days because the company’s servers have been hacked. The company confirms that it has been hit by a cyber attack since Friday. A complaint has been submitted to the police.” states VRT (Flemish Radio and Television Broadcasting).
The company reported the incident to the local authorities and hired third-party experts to investigate the attack.
“We have informed all competent authorities in this area of this cyber attack and have brought in external experts to solve the problem,” says HR director Vicky Welvaert. “We are currently working on it with all our might.” Welvaert would not comment on whether the problem is now under control or when business activities will be restarted.
According to the media, the
At the time of writing it is not clear whether the company decided to pay the ransom to restore its systems quickly or simply restored from its backups.
Although ASCO should be a prime target for cyber spies, its representatives told The Brussels Times that there is currently no evidence of theft of information.
“The company also notified the authorities, and told the paper there is currently no evidence of the theft of information, but that it is taking the situation very seriously.” reported The Brussels Times.
“Although ransomware attacks are usually only about money, a company like Asco, which has connections in the defence sector, could also be a target.”
The post Ransomware paralyzed production for at least a week at ASCO factories appeared first on Security Affairs.
ASCO Industries, a manufacturer of aerospace components with headquarters in Zaventem, Belgium, has been hit with ransomware, which ended up disrupting its production around the world. The attack reportedly started on Friday and the extent of the internal damage is still unknown. About ASCO Industries ASCO Industries is a privately held company that was acquired by Kansas-based Spirit AeroSystems in 2018. At the time it had 1,400 employees world-wide. It designs and manufactures wing components, …
The post Ransomware disrupts worldwide production for Belgian aircraft parts maker appeared first on Help Net Security.
The City of Lake City has confirmed that a “Triple Threat” ransomware attack affected the functionality of several of its computer systems. According to its Facebook statement, the Floridian municipality became the target of a ransomware program known as “Triple Threat” on 10 June 2019. This malware allegedly combined three different attack vectors to target […]
The post Lake City Reveals It Suffered a ‘Triple Threat’ Ransomware Attack appeared first on The State of Security.
A King County food bank said it will need help recovering from a ransomware infection that affected its computer network. At around 02:00 on 5 June, bad actors targeted the servers of Auburn Food Bank with ransomware. The crypto-malware, which according to Bleeping Computer was a variant of GlobeImposter 2.0, affected all of the food […]
The post Food Bank Needs Help Recovering from Ransomware Attack appeared first on The State of Security.
Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.
If you notice this notice…
If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.
But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.
The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.
- Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
- Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
- Avoid hedge terms and wording such as “there is no evidence of misuse”, because consumers could misinterpret this as evidence of absence of risk.
AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.
The cost of cybercrime, updated
Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.
The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.
Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.
Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.
Enter third-party companies that claim to recover data on victims’ behalf. A pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is, and that is just what some top-quality sleuthing by ProPublica unearthed: two companies that simply paid the ransom and pocketed the profit, without telling law enforcement or their customers.
This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.
Links we liked
Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.
If you confuse them, you lose them: a post about clear security communication. MORE
This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE
Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE
A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE
Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE
The hacker and pentester Tinker shares his experience in a revealing interview. MORE
So it turns out most hackers for hire are just scammers. MORE
The cybersecurity landscape and the role of the military. MORE
What are you doing this afternoon? Just deleting my private information from the web. MORE
The first quarter profits for Norsk Hydro sank after the Norwegian aluminum and renewable energy company fell victim to a ransomware attack. According to Reuters, Norsk Hydro’s gains fell to 559 million Norwegian crowns (approximately $64.3 million at the time of reporting) in the first quarter of 2019. That number is down from 3.15 billion […]
The post Norsk Hydro Q1 2019 Profits Sank Following Ransomware Attack appeared first on The State of Security.
As ransomware grows more complex year after year, there is one weapon that reliably overcomes the challenge raised by cybercriminals: a backup system. We are in the age of cloud storage services, ranging from corporate-grade offerings to free, advertising-supported packages; of course there are also traditional NAS and hard drive backups, which vary in cost per gigabyte. Given the increasing sophistication of attack methods, there is a real concern that future damage from malware will increase, so a reliable and effective backup plan should exist in every organization. What is required of IT departments worldwide is a preliminary measure to contain, if not fully reverse, ransomware damage. The two pillars are “prevention” of infection through anti-virus software and “protection” of data through backups in case of emergency. Both should be in place as part of an organization’s information security measures before day one of operations.
However, where ransomware is concerned, the latter is arguably the more important. Prevention is of course important, but it is hard to stop attacks that use unknown methods or zero-day exploits. If an infection does occur, nobody can rely on the PC or the files on its local hard drive, which has a huge impact on business continuity. Since infection cannot always be avoided, the backup question needs to be settled early.
The first requirement is the “data storage destination.” Companies back up systems and data to various media, and in recent years adoption of NAS has grown, driven by lower prices; hard drives are dirt cheap compared to a decade ago. However, an always-connected NAS is not suitable as a ransomware countermeasure because ransomware spreads over the network. Network-aware ransomware makes online NAS shares and attached external drives just as vulnerable as the local disk: a backup that is live on the network, with its contents fully accessible through the operating system’s file APIs, is likely to be encrypted along with everything else. The backup destination therefore needs to be a medium that can be completely isolated from the network.
The second point is the “backup target.” A large amount of data lives in PCs and in the various applications a company runs, and in the past backups have focused on the most business-critical of these to keep backup windows short. From the viewpoint of protecting information assets, however, the entire system must be recoverable quickly in an emergency, so the backup target must include not only selected applications and user data but also the system data needed to rebuild the machines.
The last requirement is the “frequency of backups and retention period.” Backup is a highly effective measure, but it is not a cure-all. To reduce the impact on the business at recovery time, the lag between “now” and the most recent backup should be as short as possible, which argues for more frequent backups. At the same time, some ransomware only starts working several months after the initial intrusion, so long-term retention is also required: if every retained copy postdates the intrusion, the backups may themselves carry the malware or already-corrupted data. Schemes such as two weeks of dailies plus a monthly copy are no longer enough, and a fundamental review of backup methods and operating procedures is required.
The reason ransomware infections do so much damage is that any storage the OS can see as an ordinary volume, whether a NAS share or a directly attached (DAS) drive, is reachable by the malware. The remedy is a system that is not always online, but connects to the workstations and servers only while a backup or restore job is running. Tape backup systems have this property: the operating system does not mount tape media as a regular filesystem, so a process running under a user’s credentials cannot simply open and overwrite the backed-up files. Today that property of tape is not a disadvantage but an advantage. A safe, reliable backup that the ransomware code cannot reach provides the greatest protection against malicious data encryption.
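To make the retention point concrete, here is an added example (not from the original post) of the grandfather-father-son selection logic the article argues for: keep every backup from the last two weeks, one per week for two months, and one per month for a year, so that a copy taken before a months-old intrusion still exists when the ransomware finally fires. The policy parameters and the constructed backup calendar are assumptions for the example; the function only decides which copies to keep, so it applies equally to tape sets, offline disks or immutable cloud snapshots.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple


def ymd(s: str) -> date:
    """Parse an ISO date string such as '2019-06-14'."""
    return date.fromisoformat(s)


def daily_backups(start: str, end: str) -> List[date]:
    """Constructed backup calendar for the example: one backup per day, inclusive."""
    a, b = ymd(start), ymd(end)
    return [a + timedelta(days=i) for i in range((b - a).days + 1)]


def _month_floor(d: date, months_back: int) -> date:
    """First day of the month `months_back` months before d's month."""
    y, m = d.year, d.month - months_back
    while m <= 0:
        y, m = y - 1, m + 12
    return date(y, m, 1)


def select_retained(backup_dates: Iterable[date], today: date,
                    daily: int = 14, weekly: int = 8, monthly: int = 12) -> Set[date]:
    """Grandfather-father-son retention.

    Keeps every backup from the last `daily` days (sons), the newest backup of
    each ISO week for the last `weekly` weeks (fathers) and the newest backup of
    each calendar month for the last `monthly` months (grandfathers).
    """
    dates = sorted(set(backup_dates))
    keep: Set[date] = set()

    # Sons: every recent copy, to keep the recovery lag short
    keep.update(d for d in dates if d >= today - timedelta(days=daily))

    # Fathers: one copy per ISO week
    by_week = defaultdict(list)
    for d in dates:
        if d >= today - timedelta(weeks=weekly):
            iso_year, iso_week, _ = d.isocalendar()
            by_week[(iso_year, iso_week)].append(d)
    keep.update(max(v) for v in by_week.values())

    # Grandfathers: one copy per month, the long tail that outlives attacker dwell time
    by_month = defaultdict(list)
    month_cutoff = _month_floor(today, monthly - 1)
    for d in dates:
        if d >= month_cutoff:
            by_month[(d.year, d.month)].append(d)
    keep.update(max(v) for v in by_month.values())
    return keep


def prune_plan(backup_dates: Iterable[date], today: date, **policy) -> Tuple[List[date], List[date]]:
    """Return (keep, delete) as sorted lists; only `delete` is ever recycled."""
    dates = set(backup_dates)
    keep = select_retained(dates, today, **policy)
    return sorted(keep), sorted(dates - keep)


def latest_clean_backup(retained: Iterable[date], compromise_date: date) -> Optional[date]:
    """Newest retained copy taken strictly before the attacker's first access;
    None means the retention window was shorter than the dwell time."""
    clean = [d for d in retained if d < compromise_date]
    return max(clean) if clean else None


if __name__ == "__main__":
    today = ymd("2019-06-14")
    keep, delete = prune_plan(daily_backups("2019-01-01", "2019-06-14"), today)
    print(f"{len(keep)} copies kept, {len(delete)} recycled; oldest kept: {keep[0]}")
    print("newest copy predating a 10 March intrusion:", latest_clean_backup(keep, ymd("2019-03-10")))
```

With a two-week daily-only policy the same calendar leaves nothing older than 31 May, so an intrusion that began in March would have no clean copy to fall back on; the monthly grandfathers are what make the recovery possible at the cost of a few extra cartridges.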
The post The Feasibility Of Tape Backup Against Ransomware appeared first on .
Eurofins Scientific, an international group of laboratories headquartered in Brussels, revealed that a ransomware attack disrupted some of its IT systems. On 3 June, the food, pharmaceutical and environmental laboratory testing provider revealed that its IT security monitoring teams had discovered a ransomware attack over the weekend that had affected several of its IT systems. […]
The post Eurofins Scientific Says Ransomware Attack Disrupted Some IT Systems appeared first on The State of Security.
Ransomware continues to pose a serious threat to organizations of all sizes. In a new paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer, to save the files without having to pay the ransom. Recovering data encrypted by a variety of ransomware families …
The post Researchers fight ransomware attacks by leveraging properties of flash-based storage appeared first on Help Net Security.
The cyber threat landscape is evolving every second, with thousands of new potential threats being detected every single day. With people becoming more and more conscious about their privacy and private data, such evolving threats can have a significant impact on the personal and financial life of people. In order…
Experts at Palo Alto Networks spotted new Shade ransomware campaigns targeting new countries, including the U.S. and Japan.
Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.
Shade is considered one of the most dangerous threats on the cyber crime scene; it has been active at least since 2014, when a massive infection was observed in Russia. Shade infections increased in October 2018 and held a constant level until the second half of December 2018, took a break around Christmas, and then resumed in mid-January 2019 at double the previous volume.
“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia.” reads the analysis published by Paloalto Networks.
“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada,”
Most of the victims belong to the high-tech, wholesale and education sectors.
Shade has been distributed through malspam campaigns and exploit kits, experts pointed out that its executable (EXE) remains “remarkably consistent” since its discovery in 2014.
Once a Windows system is infected, the malicious code sets the desktop background to announce the infection. The ransomware also drops ten text files on the Desktop, named README1.txt through README10.txt.
“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.
The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payments.
The researchers noticed that all the Malspam campaigns spreading the Shade ransomware were retrieving an executable file from a compromised server.
“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.
“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade.” explains PaloAlto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.”
Experts discovered that most of the URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian language countries.
Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.
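The search criterion quoted above, an executable delivered via a URL over TCP port 80, can be reproduced over ordinary proxy logs. The script below is an added example and is not Palo Alto Networks’ AutoFocus query or code: the log lines and hostnames are constructed for the example and the MIME type list is an assumption. Beyond the log search, it checks the payload’s PE header rather than trusting the proxy’s content type, and tests a Desktop listing for the ten README notes the report describes.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed proxy log lines for this example (not from the Palo Alto report).
# Fields: epoch client_ip method url status content_type bytes
SAMPLE_LOG = """\
1560500001 10.0.0.12 GET http://compromised.example/wp-content/uploads/ssj.exe 200 application/octet-stream 1873920
1560500002 10.0.0.12 GET http://cdn.example/style.css 200 text/css 4102
1560500003 10.0.0.19 GET http://compromised.example/img/msg.jpg 200 application/x-msdownload 1873920
1560500004 10.0.0.25 GET https://updates.example/agent.exe 200 application/octet-stream 65536
1560500005 10.0.0.31 GET http://compromised.example:8080/file.php 200 application/x-dosexec 1873920
"""

# Assumption: MIME types proxies commonly assign to Windows executables
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|dll)$", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into a dict of typed fields."""
    epoch, client, method, url, status, ctype, size = line.split()
    return {"time": int(epoch), "client": client, "method": method, "url": url,
            "status": int(status), "content_type": ctype, "bytes": int(size)}


def url_port(url: str) -> int:
    """Effective TCP port of a URL, defaulting by scheme when none is given."""
    p = urlparse(url)
    if p.port:
        return p.port
    return 443 if p.scheme == "https" else 80


def looks_executable(entry: Dict[str, object]) -> bool:
    """Flag on either the declared content type or an executable file extension;
    Shade droppers have been seen served with misleading names like msg.jpg."""
    path = urlparse(str(entry["url"])).path
    return entry["content_type"] in EXECUTABLE_TYPES or bool(EXECUTABLE_EXT.search(path))


def find_exe_over_port80(log_text: str) -> List[Dict[str, object]]:
    """Mirror the report's criterion: a successfully served executable fetched
    over a URL on TCP port 80. Returns matching entries in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["status"] == 200 and url_port(str(entry["url"])) == 80 and looks_executable(entry):
            hits.append(entry)
    return hits


def is_pe_file(data: bytes) -> bool:
    """Check the bytes themselves: 'MZ' at offset 0 and 'PE\\0\\0' at the
    offset stored in e_lfanew (the little-endian DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Host-side indicator from the report: README1.txt .. README10.txt on the Desktop
SHADE_NOTE_NAMES = {f"README{i}.txt" for i in range(1, 11)}


def shade_notes_on_desktop(filenames: Iterable[str]) -> bool:
    """True when the complete set of ten Shade ransom notes is present."""
    return SHADE_NOTE_NAMES.issubset(set(filenames))


if __name__ == "__main__":
    for hit in find_exe_over_port80(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['url']} ({hit['content_type']}, {hit['bytes']} bytes)")
```

Running the search on the constructed log flags the .exe served as octet-stream and the x-msdownload payload disguised as msg.jpg, while ignoring the HTTPS download and the port-8080 fetch; a real deployment would feed the flagged URLs to sandboxing and pair the proxy hit with the host-side note check for confirmation.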
The post Shade Ransomware is very active outside of Russia and targets more English-speaking victims appeared first on Security Affairs.
It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.
Data from Microsoft’s products showed that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Ireland’s so-called ‘encounter rate’ was just 1.26 per cent, the lowest in the world.
Hoorays on hold
Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.
Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.
The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.
In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.
The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.
Here’s a quick recap of those lessons for individuals and businesses:
- Keep software patched and up to date
- Employ reputable antivirus software and keep it up to date
- Back up your data regularly and, most importantly, verify that the backups have worked and that you can retrieve your data
- Make staff and those who use your computers aware of the risks and how to work securely online
By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”
Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.
The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.
Steps to keeping out ransomware
By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:
- Implement geo-blocking for suspicious domains and regions
- Review backup processes
- Conduct regular testing of restore process from backup tapes
- Review your incident response process
- Implement a robust cybersecurity training programme
- Implement network segmentation
- Monitor DNS logs for unusual activity.
The guide goes into more detail on each bullet point, and is available to download from this link.
Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)
Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.
Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Many of the steps involve simple security hygiene such as keeping anti-malware tools updated and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.
The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.
In today’s world data is everything, and to store and process this large amount of data, everyone has started using computing devices. The application servers used for storing this precious data on computing devices include MySQL, MongoDB, MSSQL, etc. But unfortunately, no one is conscious about their security. In…
Remember the malvertising campaigns of the early days, where adverts told you that you were the nth visitor and had a prize to claim for being that coveted nth visitor to a website? These days the chance of seeing a Flash-based animated advert like that is slim, since Google Chrome blocks scam-like adverts by default as part of the Google Safe Browsing initiative, which the Firefox browser also features. The demise of malvertising does not end with the anaemic Flash-based variants, though, as cybercriminals are now using Bitcoin (or rather, people’s desire for it) to lure visitors to dodgy websites they control.
Imagine that a malvertising website offers its visitor $30 worth of Bitcoin: not huge, but with enough “visits” it could let someone afford some items on eBay or an Amazon gift card’s worth of prizes. However, this malvertising website installs keyloggers, banking trojans or ransomware that will harm the victim at a later time. Another set of similar but unrelated websites offers referral prizes in Ethereum (another cryptocurrency alternative to Bitcoin), with one website claiming that a user who refers 1,000 visitors to the website will earn $750 worth of Ethereum.
Both websites offer a download they call “Bitcoin Collector”, which claims to be an easy mining program for Windows that will provide “free Bitcoins” to the user, but instead makes the computer mine cryptocurrency for the author at the user’s expense. One of the most common trojan horses in this category is named BotCollector.exe, which often arrives in a .zip file downloaded from a malvertising website.
“When you execute the included BotCollector.exe, it will launch a program called ‘Freebitco.in – Bot’ that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator but simply launches a malware payload. It does this by copying a file at geobaze\patch\logo.png to logo.exe and executing it (planting itself deep into the Windows operating system)”, explained Lawrence Abrams of Bleepingcomputer.com.
BotCollector.exe was previously observed to carry a different behaviour: it used to be the main payload for the ransomware named “Marozka Tear”. Being unsophisticated ransomware, Marozka Tear’s author used a public free Gmail account (email@example.com) for victims to contact him/her about paying the ransom, instead of having a sophisticated “shopping cart” for collecting payments. The Bleepingcomputer team stopped the ransomware from being profitable with their release of a free decryptor program that reverses the encryption of user files without paying Marozka Tear’s author.
At the time of this writing, the two hidden payloads of the new BotCollector variant have not yet been fully dissected by the BleepingComputer team. But initial checks show it compares to full-blown espionage-type malware that can record keystrokes, take screenshots, capture browser history, send any user files to its author and even copy the information of a crypto wallet.
The post Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising appeared first on .
Some key online operations in the U.S. city of Baltimore have been impacted following a ransomware attack.
Reports reveal that all online payment gateways and email systems in Baltimore have been affected and brought to a standstill following a ransomware attack that happened in the first week of May. The hackers who launched the ransomware strike are demanding a hefty ransom for freeing all systems in the city.
Security experts have found that the ransomware attack on Baltimore was executed using the EternalBlue exploit. The EternalBlue exploit, about which we have already written on many occasions, was developed by the U.S. NSA (National Security Agency) and was reportedly leaked by the Shadow Brokers hacker group in April 2017. It was using this exploit that cybercriminals launched the extremely devastating WannaCry attack in May 2017 and then the NotPetya attack in June 2017. EternalBlue exploits a vulnerability in the implementation of Microsoft’s SMB (Server Message Block) protocol and allows cybercriminals to execute remote commands on their target computers. Microsoft had released a patch for the issue in March 2017, but many users hadn’t installed the patch when the WannaCry attack and then the NotPetya attack happened. Even now, as per reports, there are millions of systems worldwide that are vulnerable to EternalBlue.
Reports say that the ransomware attack in Baltimore has impacted thousands of computers and has also affected many important services including health alerts, water bills, real estate sales etc. It’s also reported that as per a ransom note that was recovered from a computer in the city, the ransomware has been identified as RobbinHood, a relatively new ransomware variant.
A New York Times report dated May 22, 2019, says, “On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid.”
The report further says, “The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.”
It’s also reported that at least 1,500 pending home sales have been delayed. However, the city has put into place an offline fix this week to allow the transactions to proceed.
As regards the ransom note, the New York Times report says, “A copy of a digital ransom note, obtained by The Baltimore Sun, stated that the city could unlock the seized files for a price: three Bitcoins (nearly $24,000) per system or 13 Bitcoins (about $102,000) for them all…The price of this decentralized, hard-to-track virtual currency fluctuates wildly. On the day of the attack, the ransom would have cost about $17,000 per system, or less than $75,000 for them all.)”
The ransom note reads: “We won’t talk more, all we know is MONEY!…Hurry up! Tik Tak, Tik Tak, Tik Tak!”
The city officials have reportedly decided not to pay the ransom as of now. Mayor Bernard Young has reportedly told local reporters, as regards paying the ransom: “Right now, I say no. But in order to move the city forward? I might think about it. But I have not made a decision yet.”
The post Ransomware Attack Impacts Baltimore Emails, Online Payments appeared first on .
2019 is shaping up as a year when ransomware infection frequency declined by orders of magnitude compared to 2017, when this malware variant made headlines for causing trouble for millions globally. It was very hard not to notice the everyday news about a firm or a public agency becoming the newest victim of ransomware and its struggle with the ransom demand (the money the victims have to pay to restore their files). Of course, that does not mean news about company X becoming a ransomware target has stopped; it still happens, but far less frequently.
Some other ransomware is much older, predating WannaCry by years, but is making a comeback this year, 2019. This is the scenario Shade ransomware is exhibiting at the moment: it was last reported active in the wild by Kaspersky Lab five years ago, in 2014. Palo Alto’s Unit 42 team has meanwhile detected instances of its resurrection in the United States, India, Thailand, Canada, and Japan.
“Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.
The way Shade ransomware spreads is no different from any contemporary malware of our time. The Shade ransomware sample examined by Unit 42 was proliferating via spam emails. The strongest campaign for this ransomware infection came with a huge wave of spam emails back in February 2019. These emails carried an attached PDF or a compressed ZIP file, with the body of the email describing the attachment as a billing statement from the victim’s service provider.
The wallpaper set by the user will be replaced by a black background with red text announcing the infection saying: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”
Unlike the previous iteration of Shade ransomware, the newer variant has a clear destination: the largest number of infection cases is in the United States, whereas it previously wreaked havoc on Windows-based computers in India, Thailand and Japan. There are also visible indications that certain sectors in specific geographical locations are targeted, with victims usually from the telecommunications, wholesale/retail and education industries. Unit 42’s hypothesis points to non-Russian-speaking countries as the most likely to receive spam emails carrying Shade malware.
The post A Brief Look At The Shade Ransomware (2019 variant) appeared first on .
Here’s a new ransomware that not only encrypts files and programs on a computer, but attempts to brute force credentials as well.
GetCrypt, a new ransomware that’s being installed through malvertising campaigns and which redirects victims to the RIG exploit kit, encrypts all files on a computer and then demands ransom for decrypting the files. An interesting thing about this ransomware is that it attempts to brute force credentials on the infected systems as well.
Exploit kit researcher nao_sec had discovered the ransomware, which works by redirecting victims to a page hosting the RIG exploit kit. A BleepingComputer report says, “This ransomware was discovered by exploit kit researcher nao_sec who alerted BleepingComputer when they saw being installed via the RIG exploit kit in Popcash malvertising campaigns. When a victim is redirected to a page hosting the exploit kit, malicious scripts will try to exploit vulnerabilities found on the computer.”
If this succeeds, the GetCrypt ransomware is downloaded and installed on Windows.
Lawrence Abrams of BleepingComputer writes that nao_sec’s tweet was also seen by security researcher Vitali Kremez, who then analyzed the ransomware and found some interesting features.
The most notable among his observations is that the ransomware, after being executed by the RIG exploit kit, checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian and, if it is set to any of these languages, terminates without encrypting the computer. If the ransomware finds that Windows is not set to any of the above-mentioned languages, it examines the CPUID of the computer and uses it to create a 4-character string, which is used as the extension for encrypted files. It then runs the vssadmin.exe delete shadows /all /quiet command to clear the Shadow Volume Copies. Then the whole system is scanned for files to encrypt. The ransomware doesn’t target any particular kind of file for encryption; instead it encrypts all files, except those located in or under certain folders, namely :\$Recycle.Bin, :\ProgramData, :\Users\All Users, :\Program Files, :\Local Settings, :\Windows, :\Boot, :\System Volume Information and :\Recovery AppData.
GetCrypt reportedly uses the Salsa20 and RSA-4096 encryption algorithms to encrypt files and during encryption, uses the 4-character string it had created earlier as the extension. Simultaneously, it would also create a ransom note. The ransom note, named decrypt my files #.txt, is created in each folder that is encrypted and on the desktop too. It advises the victim to contact firstname.lastname@example.org for instructions regarding ransom payment. The ransomware also changes the desktop background to an image that contains a detailed message. The message says that the system has been infected and all files have been encrypted, and also gives instructions as to what needs to be done to get the files decrypted.
GetCrypt, like many other ransomware infections, also attempts to encrypt files on network shares during the encryption process, but in a rather different manner. The BleepingComputer report explains, “When encrypting, GetCrypt will utilize the WNetEnumResourceW function to enumerate a list of available network shares…If it cannot connect to a share, it will use an embedded list of usernames and passwords to bruteforce the credentials for shares and mount them using the WNetAddConnection2W function.”
“While encrypting unmapped network shares is not unusual, this is the first time we have seen a ransomware try to brute force shares so that they can connect to them from the infected computer,” the report further notes.
However, it’s possible to decrypt files on a system that has been infected with GetCrypt ransomware, as a decryptor has been released. The victim can use the decryptor to decrypt all encrypted files, but only if an original unencrypted copy of a file that was encrypted during the infection is available. The decryptor has to be run on an encrypted file and its original unencrypted version; it then brute forces the decryption key and decrypts all files.
Well, that once again proves the need for offline backups of files, something we’ve always been discussing in many of our posts. Backups can give you unencrypted versions of files, which could aid the decryption process in case your system has been infected with the GetCrypt ransomware.
The post GetCrypt Ransomware Encrypts Files, Brute Forces Credentials appeared first on .
Security researchers have released a tool that enables victims of GetCrypt ransomware to recover their affected files for free. On 23 May, web security and antivirus software provider Emsisoft announced the release of its GetCrypt decrypter. This utility asks victims of the ransomware to supply both an encrypted copy and the original version of a […]…
Cybercriminals continue to evolve the sophistication of their attack methods, from tailored ransomware and custom coding for some attacks, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, according to Fortinet’s latest report.
Pre- and post-compromise traffic
Research into whether threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for …
The post Cybercriminals continue to evolve the sophistication of their attack methods appeared first on Help Net Security.
For the second time in a few days, experts at Emsisoft have released a free decrypter, this time to help victims of the GetCrypt ransomware.
Security experts at Emsisoft have released a new decrypter within a few days; it can be used for free by victims of the GetCrypt
“Attention! Your computer has been attacked by virus-encoder! All your files are now encrypted using cryptographycalli strong aslgorithm. Without the original key recovery is impossible.
TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S only in case you do not recive a response from the first email address within 48 hours, [redacted]. It is in your interest to respond as soon as possible to ensure the restoration of your files.
Victims can download the
In order to decrypt the files, victims have to provide an encrypted version of a file and the original of the same file.
A few days ago, Emsisoft released a free Decrypter for JSWorm 2.0
The post Emsisoft released a free Decrypter for the GetCrypt ransomware appeared first on Security Affairs.
Good news for the victims of the JSWorm 2.0 ransomware, thanks to experts at Emsisoft they can decrypt their file for free.
Experts at Emsisoft malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.
JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.
Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:
“:HI SIRI, DEMONSLAY AND AMIIIIGO!!! HOW ARE YOU?”
“:ID-RANSOMWARE, IT’S JUST THE BEGINING [sic] OF SOMETHING NEW…”
Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware that allows victims to upload their encrypted files to identify the
“Its files have the ‘.[ID-<numbers>][<email>].JSWORM’ extension and the ransom note file named ‘JSWORM-DECRYPT.txt’,” reads the post published by Emsisoft.
Once it has infected a computer, JSWorm 2.0:
- Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when run as admin.
- Restarts SMB services (lanmanworkstation) for the change to take effect (the researchers are investigating whether there’s more to the SMB vector).
- Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies and disables recovery mode.
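The GetCrypt and JSWorm 2.0 write-ups above both describe host behaviour that precedes file encryption: the vssadmin shadow-copy deletion, the EnableLinkedConnections registry change, the stopping of database services, and GetCrypt’s burst of failed credential attempts against network shares. The triage script below, an added example written for this page and not code from Emsisoft, BleepingComputer or any ransomware sample, runs simple detection rules over constructed Windows Security / Sysmon-style event records to show how those indicators can be surfaced from logs. The record field names, the threshold and window for the logon-failure rule, and all sample hostnames, usernames and timestamps are assumptions chosen for the example.

```python
"""Triage of constructed Windows event records for ransomware pre-encryption
behaviour: shadow-copy deletion, EnableLinkedConnections being set, database
service stops and bursts of failed network logons from one source host.
Example code for this page; every record below is constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. "id" mirrors Sysmon 1 (process create), Sysmon 13
# (registry value set), System 7036 (service state) and Security 4625
# (failed logon); the remaining fields are simplified for the example.
SAMPLE_EVENTS = [
    {"ts": "2019-05-20T10:00:01", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-05-20T10:00:02", "id": 13, "host": "WS01",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    {"ts": "2019-05-20T10:00:03", "id": 7036, "host": "WS01",
     "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": "2019-05-20T10:00:03", "id": 7036, "host": "WS01",
     "service": "Spooler", "state": "stopped"},  # benign noise, must not alert
]
# Ten failed network logons (logon type 3) from WS01 against FS01 within seconds,
# the pattern a share-credential guessing loop would leave on the file server.
SAMPLE_EVENTS += [
    {"ts": f"2019-05-20T10:00:{10 + i:02d}", "id": 4625, "host": "FS01",
     "logon_type": 3, "workstation": "WS01", "user": f"user{i:02d}"}
    for i in range(10)
]

VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
DB_SERVICES = ("mssql", "mysql", "quickbooks")  # service families named on the page


def detect_shadow_deletion(events):
    """Process creations whose command line deletes Volume Shadow Copies."""
    return [e for e in events
            if e["id"] == 1 and VSSADMIN_DELETE.search(e.get("cmdline", ""))]


def detect_linked_connections(events):
    """Registry writes that set EnableLinkedConnections to 1."""
    return [e for e in events
            if e["id"] == 13
            and e.get("target", "").lower().endswith("\\enablelinkedconnections")
            and "0x00000001" in e.get("details", "")]


def detect_db_service_stops(events):
    """Service Control Manager 'stopped' transitions for database services."""
    return [e for e in events
            if e["id"] == 7036 and e.get("state") == "stopped"
            and e.get("service", "").lower().startswith(DB_SERVICES)]


def detect_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Source workstations with >= threshold failed network logons (4625,
    logon type 3) against one host inside a sliding time window."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            by_pair[(e["workstation"], e["host"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"source": src, "target": dst, "count": j - i + 1})
                break  # one alert per source/target pair is enough
    return alerts


def triage(events):
    """Run every rule and return findings as (rule, host) pairs."""
    findings = [("shadow_copy_deletion", e["host"]) for e in detect_shadow_deletion(events)]
    findings += [("enable_linked_connections", e["host"]) for e in detect_linked_connections(events)]
    findings += [("db_service_stop", e["host"]) for e in detect_db_service_stops(events)]
    findings += [("logon_failure_burst", a["source"]) for a in detect_logon_bursts(events)]
    return findings


if __name__ == "__main__":
    for rule, host in triage(SAMPLE_EVENTS):
        print(f"{rule}: {host}")
```

In a real SIEM these rules would be split across the host that deletes its shadow copies (Sysmon and System log) and the file server that records the failed logons (Security log); correlating the two on the source workstation name is what turns four weak signals into one strong ransomware-staging alert.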
Victims of the JSWorm ransomware have to follow the instructions below to decrypt their files for free:
- Download the Emsisoft JSWorm 2.0 Decrypter.
- Run the executable and confirm the license agreement when asked.
- Click “Browse” and select the ransom note file on your computer.
- Click “Start” to decrypt your files. Note that this may take a while.
Emotet malware was first identified in 2014 as a banking trojan. Since then, Emotet has evolved from a banking trojan into a threat distributor. It hit many organizations very badly in 2018 with its spamming and spreading capabilities, and with its widespread presence at many organizations it became a threat distributor. Since mid-2018, Emotet has been used by threat actors to spread other malware such as TrickBot, Qakbot and, most dangerously, Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on geographical location, i.e. the victim’s country.
The malware authors’ strategy is to use infected systems for all possible purposes: first for credential stealing, then using those credentials for spreading and spamming. Finally, when all use of the infected system is exhausted, it deploys other malware such as ransomware, TrickBot and Qakbot.
Since mid-2018, Emotet has become a headache for security providers because of its polymorphic, self-updating and spreading capabilities, which make cleaning an infected network very complex and sometimes a matter of months.
How can it enter your system?
It enters your system via a phishing mail, as shown in the figure below:
Such emails contain malicious attachments such as doc, pdf, xls or js files. Once the user opens such an attachment, it downloads and launches Emotet. Sometimes such mail may contain malicious links which, when opened by the user, download and launch Emotet. The other way is lateral spreading: if one of your friends or colleagues on the same network is infected with Emotet, then their machine can deploy Emotet on your machine.
What can Emotet do?
It has many capabilities, such as password stealing, email harvesting, spamming, lateral spreading and launching other malware. All of these are discussed in detail in our research paper on Emotet.
According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
At Quick Heal Labs, we have seen many of our customers badly affected by the spamming Emotet does. As the malware sends many phishing mails to the user’s contacts, the mail server reaches its limits and blocks the user’s account for the day. As a result, most employees of such an infected organization cannot send mail. Such blockages disrupt regular operations and further risk harm to an organization’s reputation. Finally, after a week or two we were able to clean the whole network.
Ryuk ransomware infection may cause temporary or permanent loss of user’s critical data.
What Quick Heal’s telemetry says:
As you can see, the number of hits per day was very high from July 2018 till April 2019, which indicates how widespread it is. But the same is not the case with the actual number of customer escalations. At Quick Heal Labs, even while detecting thousands of samples per day, we received many customer escalations in the initial months after the outbreak. We then added rules, IOCs and signatures at each level of product features, namely Virus Protection, Behavior Detection, Email Protection, Memory Scan, IDS & IPS, machine-learning-based detection and Browsing Protection. This directly resulted in zero customer escalations for Emotet over the last few months, with already-infected customers also totally cleaned. The stats indicate that we are detecting thousands of Emotet samples per day in the last few months and still no customer escalation or issue has been reported.
How can I remove Emotet?
If your machine is on an organization’s network, isolate it immediately. Patch installed software with the latest updates and clean the system.
As Emotet can move laterally in a network, your machine can be infected again when you reconnect to the network. Identify and clean each infected machine on the same network. It is a really complex process to follow. One can always choose Quick Heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe, with cleaning of already-infected machines and proactive blocking of future Emotet infections.
- Keep your computer up-to-date with the latest updates of Operating system, Security software and other software.
- Don’t open any link in the mail received from an unknown/untrusted source.
- Don’t download attachments received by an unknown/untrusted source.
- Don’t enable ‘macros’ for Microsoft Office documents.
- Educate yourself and others about keeping strong passwords.
- Use two-factor authentication where-ever possible.
Stats indicate that we are detecting thousands of Emotet samples per day in the last few months and still no customer escalation or issue has been reported. With this we can say that Quick Heal is able to stop Emotet to date. As it is always a cat-and-mouse game between malware and security vendors, we expect Emotet to evolve to its next step. We will continue monitoring Emotet in the future and will ensure all customers are secured from such malware.
To read more about the detailed analysis of the Emotet, download this PDF.
There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. Initial predictions were that these would increase; however, improvements in cybersecurity measures and detection have impacted the success rates of these attacks. In fact, there has been a …
The post Ransomware and malware attacks decline, attackers adopting covert tactics appeared first on Help Net Security.
The WhatsApp security flaw by far received the most media attention and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.
From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack; this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.
Should you be concerned?
WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.
So, if you are one of the 1.5 billion WhatsApp users and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ the NSO Group exploitation.
How to Prevent
Update the WhatsApp app.
On iPhone:
- Open the Apple AppStore App
- Search for WhatsApp Messenger
- Tap 'Update' and the latest version of WhatsApp will be installed
- App Version 2.19.51 and above fixes the vulnerability
On Android:
- Open Google Play Store
- Tap the menu in the top left corner
- Go to “My Apps & Games”
- Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
- App Version 2.19.134 and above fixes the vulnerability
How to Prevent
Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability; therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.
Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates; typically you will be prompted to apply the update and accept a reboot. Do this without delay.
To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.
This is an important security advisory related to a recently patched critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. The MSRC blog notes: “This vulnerability is pre-authentication and requires no user interaction.” In other…
This is news! A laptop containing six of the most dangerous malware strains created to date is up for auction.
A Samsung NC10-14GB 10.2-Inch Blue Netbook, which contains six malware strains that together have caused damages worth $95B over the years, has been put up for auction. This laptop has in fact been isolated and air-gapped so as to prevent the spread of the malware it contains. (Well, we know that if you are an expert, you might be cynical about the effectiveness of air-gapping; but technically speaking, it’s supposed to help curb the spread of malware!)
It’s illegal to sell malware for operational purposes in the U.S. The seller of the malware-packed laptop, as per reports, has devised a way to get around this issue by calling it art. This laptop, which runs on Windows XP SP3, is now called ‘The Persistence of Chaos’.
A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”
The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”
The six strains of malware that the laptop contains are:
- WannaCry – The ransomware that spread all across the world and made a devastating impact on over 200,000 computers across over 150 countries.
- Mydoom – The fastest-spreading email worm to date, Mydoom was first seen in January 2004 and worked mainly by sending junk email through infected computers while appearing as a transmission error.
- Sobig – First detected infecting computer systems in August 2003, this malware, which is both a worm and a trojan, is the second fastest-spreading worm as of 2018. It deactivated itself in September 2003.
- BlackEnergy – Malware first seen in 2007 that worked by generating bots for executing DDoS attacks, distributed via email spam. At a later stage of its evolution, it would drop an infected DLL component directly into the local application data folder.
- ILOVEYOU – This malware, which spread through an email attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’, was sent from an infected person to the people in their contact list. Once the attachment is opened, a script starts that overwrites random types of files: Office files, audio files, image files, etc. Seen since May 2000.
- DarkTequila – This malware, which has been active since 2013 and has been seen impacting systems in Latin America, spreads through spear phishing and infected USB drives. Hackers use DarkTequila to steal corporate data, bank credentials and personal data.
Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”
This is a relevant observation: news of a laptop carrying all the malware it claims to carry is, in every respect, worrying.
The post Laptop Running Six Most Dangerous Malware up for Auction appeared first on .
During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.
In this blog post, I will share some practical tips that our team uses with our customers to help mitigate the risk of ransomware causing a significant business outage.
If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).
The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.
ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.
By itself, this will not fully protect an organization, but without it you expose your users and your environment to preventable email-based attacks. This control should send log events to the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and, if possible, correlated with other events (involving the same time, internal hosts, external IP/domain, and any malware detected). The capability to review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident, and can be used for hunting if the initial detection somehow fails.
Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.
DNS logs, such as those available by using Cisco Umbrella, can be invaluable to identify whether a user/IP address/device made a request related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment, and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand whether the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.
To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (again based on intelligence) and also retain the HTTP transaction between the user’s web browser and the destination. This can help us answer the question of what was done on the site, or what the site sent as a response.
To address the question of “did the user open the file” we recommend the implementation of the Windows SysInternals System Monitor (Sysmon) which can help to answer the question of user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you get into an incident and have to try to parse the alerts.
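The correlation the preceding paragraphs describe (gateway verdict, then DNS lookup, then proxy fetch, joined on the internal host and a time window) as an added example; this is not Cisco's code, and the log formats, field names and sample lines are constructed for illustration only.

```python
"""Correlate email-gateway, DNS and web-proxy telemetry to answer
"did the user click the link?" (added example, not Cisco's code).
The key=value log formats below are constructed and hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# How long after delivery a lookup or fetch is attributed to that email.
WINDOW = timedelta(hours=2)

# Constructed threat-intel feed: domains the gateway knows to be malicious.
MALICIOUS_DOMAINS = {"invoice-review.example", "cdn-update.example"}

# Constructed email-gateway events: one per message, with the gateway verdict.
EMAIL_EVENTS = """\
2019-05-14T09:02:11Z mid=101 rcpt=alice@corp.example host=10.1.4.21 verdict=QUARANTINE url=http://invoice-review.example/doc.php
2019-05-14T09:05:40Z mid=102 rcpt=bob@corp.example host=10.1.4.22 verdict=DELIVERED url=http://cdn-update.example/setup.exe
2019-05-14T09:07:03Z mid=103 rcpt=carol@corp.example host=10.1.4.23 verdict=DELIVERED url=http://newsletter.example/news
"""

# Constructed DNS query log (client IP, queried name).
DNS_EVENTS = """\
2019-05-14T09:06:12Z client=10.1.4.22 qname=cdn-update.example qtype=A
2019-05-14T09:06:13Z client=10.1.4.22 qname=ocsp.example qtype=A
2019-05-14T09:40:00Z client=10.1.4.23 qname=newsletter.example qtype=A
2019-05-14T11:30:00Z client=10.1.4.21 qname=invoice-review.example qtype=A
"""

# Constructed proxy log (client IP, URL, status, response content type).
PROXY_EVENTS = """\
2019-05-14T09:06:14Z client=10.1.4.22 method=GET url=http://cdn-update.example/setup.exe status=200 ctype=application/x-msdownload
2019-05-14T09:40:02Z client=10.1.4.23 method=GET url=http://newsletter.example/news status=200 ctype=text/html
"""


def parse_kv_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def index_by_client(events):
    """Group events by the internal client IP so joins are per host."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    return by_client


def in_range(ts, start, end):
    """True if ts is at/after start and (when end is given) at/before end."""
    return start <= ts and (end is None or ts <= end)


def stage_of(f):
    """Name the furthest point the email reached; each stage needs the next log source."""
    if not f["delivered"]:
        # Gateway blocked it; a later lookup of a known-bad domain is a hunting lead
        # (the same lure may have arrived another way).
        return "blocked_but_resolved_later" if f["dns_lookup"] else "blocked_at_gateway"
    if f["fetched"]:
        return "url_fetched"        # confirm execution with endpoint (Sysmon) telemetry
    if f["dns_lookup"]:
        return "domain_resolved"    # clicked or prefetched; proxy logs decide
    return "delivered_no_activity"


def correlate(email_text, dns_text, proxy_text, bad_domains):
    """Join gateway events to DNS and proxy activity from the recipient's host."""
    dns_by = index_by_client(parse_kv_log(dns_text))
    proxy_by = index_by_client(parse_kv_log(proxy_text))
    findings = {}
    for mail in parse_kv_log(email_text):
        domain = urlparse(mail["url"]).hostname
        f = {"rcpt": mail["rcpt"], "domain": domain, "known_bad": domain in bad_domains,
             "delivered": mail["verdict"] == "DELIVERED", "dns_lookup": None, "fetched": None}
        start = mail["ts"]
        # Delivered mail: attribute activity within WINDOW. Quarantined known-bad
        # domains: any later activity from that host is worth a look (no upper bound).
        end = None if (not f["delivered"] and f["known_bad"]) else start + WINDOW
        for q in dns_by.get(mail["host"], []):
            if q["qname"] == domain and in_range(q["ts"], start, end):
                f["dns_lookup"] = q["ts"]
                break
        for r in proxy_by.get(mail["host"], []):
            if urlparse(r["url"]).hostname == domain and in_range(r["ts"], start, end):
                f["fetched"] = {"url": r["url"], "status": r["status"], "ctype": r["ctype"]}
                break
        f["stage"] = stage_of(f)
        findings[mail["mid"]] = f
    return findings


def triage(findings):
    """Order message IDs for the monitoring team: known-bad first, furthest stage first."""
    rank = {"url_fetched": 3, "domain_resolved": 2, "blocked_but_resolved_later": 2,
            "delivered_no_activity": 1, "blocked_at_gateway": 0}
    return sorted(findings, key=lambda m: (not findings[m]["known_bad"], -rank[findings[m]["stage"]]))


if __name__ == "__main__":
    results = correlate(EMAIL_EVENTS, DNS_EVENTS, PROXY_EVENTS, MALICIOUS_DOMAINS)
    for mid in triage(results):
        print(mid, results[mid]["rcpt"], results[mid]["stage"], results[mid]["fetched"])
```

The output answers the two questions in the text per message: mid 102 resolved and fetched an executable from a known-bad domain within minutes of delivery, while mid 101 was quarantined yet its host later resolved the same domain, which is the hunting case the email-history review is meant to catch.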
Following the attack life-cycle, the next phase is account compromise: did the user either provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page) or did the malware gather local cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.
We have frequently recommended multi-factor for “high risk” accounts, or for “all externally facing services”, but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.
Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.
The next phase is privilege escalation. In this phase, we recommend a multi-pronged approach as there are multiple risks to address. The first risk is if the environment has a shared local administrator password across multiple devices. This is still a very common practice in many environments due to a number of factors.
A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS). This provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for misuse. Additionally, these privileged groups should be monitored for modification (adding or deleting users, or changes to the group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.
Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.
This can be started by reducing the internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged or administrator activity should always originate from an approved “jump box” that is hardened and monitored, and has specific access restrictions for only those users that require this access. Role-based access should also be enforced: not everyone should have access to production, and not everyone should have access to the code base or to sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that is expecting specific capabilities, such as the Server Message Block (SMB) protocol.
Encryption of Data
The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.
For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?
Take Action Today
These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. Educate yourself with more information on Cisco Ransomware Defense solutions. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.
The post Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today appeared first on Cisco Blog.
Mayor Bernard C. “Jack” Young had assured the residents of Baltimore that the city’s emergency system will start functioning normally, even as they fight ransomware attacks on their computer networks.
FBI agents are investigating the cyber breach, which was first discovered Tuesday morning, and the city’s IT department is working to fix the problem with “some outside help,” Young said. Director of the IT department, Frank Johnson, confirmed that the city’s computers were infected with a “very aggressive” form of ransomware called “RobinHood,” which locks up or holds city files for ransom until the money is paid to the hackers responsible for the malware.
Lester Davis, Young’s spokesman, confirmed that there were no personal data of the city residents stolen from the city’s computer system.
Technicians are currently working to find the cause of the problem and determine what is really involved. He and Young refused to comment on the scope of the attack. They said it is under investigation and could not give a time limit when the problem could be resolved.
Young said he would not pay a ransom to the hackers or anybody.
Residents who want to pay water bills, parking tickets, and other expenses need to “return to the manual,” Young said, and pay them in person. Late fees for these payments are also temporarily suspended.
“We can say with confidence that public safety systems are up and operational,” Johnson said. “For now, if anybody needs to contact the city the best way to do it is to pick up the plain old telephone and give us a call.”
All city employees are working today, even though they are not able to access their emails or files, Young said. If the attack keeps employees from doing their jobs, the mayor said he would ask them if they would “go out and help us cleanse the city.” This is the second cyber threat the city has faced in more than a year.
In March 2018, the city’s 911 dispatch system was breached and call handling had to be temporarily put into manual mode, meaning that information about incoming callers could not be forwarded electronically. The system was fully recovered within 24 hours.
Immediately after the 2018 attack, Johnson said the attack was a case of ransomware. An investigation revealed that systems were left vulnerable because of some internal change made to the system’s firewall by a technician who was troubleshooting an unrelated communication issue within the computer-aided dispatch system, Johnson noted.
Johnson said Wednesday that the city has “very, very good capability” for stopping cyber-attacks, and includes cybersecurity awareness in its training for city employees. He added that the city’s IT infrastructure has been assessed several times since he took control of the department in late 2017 and has gotten “multiple clean bills of health.”
He refused to say how often the computer and the city system were updated.
Similar ransomware attacks have occurred in recent years in airports, hospitals, private companies, and other cities, and city officials point out that hacking is not just in Baltimore.
“This could happen anywhere,” Young said. “I don’t care what kind of system you put in place, they always find a way to infect the system.”
The post FBI Investigating Baltimore Ransomware Attack appeared first on .
Dharma Ransomware Employs Diversion Tactics
Researchers recently discovered a new ransomware variant that displays an ESET AV removal screen once launched in order to divert the victim’s attention from the silent encryption taking place. Initially dropped by an email spam campaign, the payload comes as a password-protected zip archive, with the password made available in the body of the email to entice curious readers. In addition to the ESET removal instructions, the archive also contains a traditional ransom demand with instructions for purchasing and transferring Bitcoin.
Binance Crypto-Exchange Hacked
At least 7,000 Bitcoin were illicitly removed from the hot wallet of Binance, an international cryptocurrency exchange, in a single transaction. By compromising the personal API keys and bypassing two-factor authentication, the hackers were able to access the wallet and steal roughly $41 million worth of Bitcoin. The complete details of the breach are still unknown.
Global Malvertiser Sentenced in US
A man operating several fake companies distributing hundreds of millions of malicious ads across the globe has been arrested and is facing charges after his extradition to the U.S. For nearly five years, Mr. Ivanov and his co-conspirators created dozens of malvertising campaigns, usually starting a new one immediately after the previous one was flagged by a legitimate ad network. While this is not the only case of malvertising campaigns causing chaos on the web, it is one of the first to see actual indictments.
Robbinhood Ransomware Shuts Down Two US Cities
Both Baltimore City Hall and the city of Amarillo, Texas, were victims of a variant of Robbinhood ransomware this week. Following the attack, citizens of both cities will be seeing online bill payment options temporarily offline as they work to restore networks that were damaged or disconnected to stop the spread of the infection. This is the second cyber attack to hit both cities within the past year, with Potter County, Texas recovering from a similar attack just a couple weeks ago. Neither city has released more information on the ransom amount or when the attack began.
Freedom Mobile Exposes Payment Credentials
An unencrypted database containing millions of customer records for Freedom Mobile, a Canadian telecom provider, was discovered to be left freely available to the public. While the database was secured in less than a week, the time it was left accessible to criminals is cause for concern. The data contained full payment card information, including essentially everything a criminal would need to commit identity fraud against millions of people. Though Freedom Mobile claims only 15,000 customers were affected, the exposure calls into question the practices used to store their sensitive data.
For the second time in a year, Baltimore city government computers have been infected by ransomware. Malicious hackers are demanding that a ransom is paid for the safe recovery of encrypted files on affected computers and servers.
Read more in my article on the Tripwire State of Security blog.
The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and Verizon’s own breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.
DBIR 2019 Key Takeaways
- Financial gain remains the most common motivation behind data breaches (71%)
- 43% of breaches occurred at small businesses
- A third (32%) of breaches involved phishing
- The nation-state threat is increasing, with 23% of breaches by nation-state actors
- More than half (56%) of data breaches took months or longer to discover
- Ransomware remains a major threat, and is the second most common type of malware reported
- Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
- Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
- Espionage is a key motivation behind a quarter of data breaches
- 60 million records breached due to misconfigured cloud service buckets
- Continued reduction in payment card point of sale breaches
- The hacktivist threat remains low; the increase in hacktivist attacks reported in the 2012 DBIR appears to have been a one-off spike
- Defence Secretary Gavin Williamson sacked over Huawei leak
- Daily Telegraph publishes details of a meeting about using the Chinese telecoms firm to help build the UK's 5G network
- Huawei row: Inquiry to be held into National Security Council leak
- Is Huawei a Threat to UK National Security?
- What's the greater risk to UK 5G, Huawei backdoors or DDoS?
- Backdoors found in Huawei-supplied Vodafone equipment between 2011 and 2012
- Microsoft researchers find NSA-style backdoor in Huawei laptops
- 5G cyber-attack: What would be the effect on the UK?
- Huawei: Why UK is at odds with its cyber-allies
- NCSC: Huawei threat to national security
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before the CyberUK 2019 conference in Glasgow, which I was unable to attend due to work commitments, it said the most common password on breached accounts was "123456", used by 23.2 million accounts worldwide. Next on the list were "123456789", "qwerty", "password" and "1111111". Liverpool was the most common Premier League football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly recurring passwords that have been accessed by third parties in global cyber breaches. So passwords remain the biggest Achilles' heel in our security.
The UK hacktivist threat came back to the fore this month, after the Anonymous group took revenge on the UK government for arresting WikiLeaks founder Julian Assange by attacking Yorkshire councils. I am not sure what Yorkshire's link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack; a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana', with an image, suggested they had access to Bedale Council's confidential files and were threatening to leak them.
Last but not least, a great report by Recorded Future on the rise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checker' tools to validate compromised credentials before selling them on.
I am aware of school children getting sucked into this illicit world; it typically starts with them seeking to take over better online game accounts after their own account is compromised, and they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it underlines the importance of using a unique, complex password for every web account (use a password manager or vault to help you; see the password security section on the Security Expert website). Always use multi-factor authentication where available, and if you suspect or are informed that your account 'may' have been compromised, change your password straight away.
- How Business can address the Security Concerns of Online Shoppers
- Third Party Security Risks to Consider and Manage
- Huawei to be given limited access to UK 5G Network
- The NCSC launches Cyber Security tool for UK Businesses and Authorities
- German Drug Manufacturer Bayer hit by Malware Attack originating from China
- Aebi Schmidt latest Manufacturer dealing with Ransomware Cyberattack
- 540M Facebook Member Records exposed by an Unsecure AWS S3 Bucket
- Microsoft will drop Password Expiration Policies in Windows 10 and in Windows Server
- 'Assange Supporters’ Claim to Hack Yorkshire Councils
- Hackers beat University Cyber-Defences in Two Hours
- App leaves over 2 Million WiFi Network Passwords Exposed on Open Database
- Two in Three Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data
- Yahoo to pay £90M in latest settlement of Massive Breach
- Hackers nab emails and more in Microsoft Outlook, Hotmail, and MSN Compromise
- 4 in 5 IT Chiefs are delaying Security Patches to avoid Business Disruption
- A Public Database Exposed the Medical Records of 150,000 Rehab Patients
- Amnesty Intl. says Cyberattack on Hong Kong office appears linked to known APT group
- Cyber-Attacks ‘Damage’ National Infrastructure
- Microsoft Patches 75 Vulnerabilities, including 14 Critical for Windows, IE\Edge, Chakra and Adobe Flash
- Adobe Releases fixes 21 Vulnerabilities in Acrobat and Acrobat Reader
- Machines running popular AV software go unresponsive after Microsoft Windows update
- Apache Tomcat Vulnerability Results in Remote Code Execution
- Adobe’s Patch Tuesday includes Security Updates for Flash Player and AIR
- Attackers Exploit WordPress Zero Day following Disclosure
- WinRAR Exploit used by MuddyWater APT phishing gang
- ISC Patches Three Vulnerabilities in BIND
- Flawed P2P technology Threatens Millions of IoT Devices
- The Economy of Credential Stuffing Attacks
- ShadowHammer code Found in several Video Games
- Researchers uncover new ‘TajMahal’ APT framework, plus a new Gaza Cybergang malware campaign
- Baldr Stealer Malware Active in the Wild With ongoing Updates
- TA505 Targets Financial and Retail using 'Undetectable' Methods
- Lazarus Targets Mac Users With Malware
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.
As email remains a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number.
A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.
Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.
Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.
On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes.
A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.
Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed.
A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.
The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.
Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Phishing Attacks and Ransomware appeared first on .
The UK is one of the few countries that has seen a year-on-year reduction in ransomware attacks, a new study has found.
According to the 2019 SonicWall Cyber Threat Report, ransomware infections in the UK decreased by 59% in the past year, a stark contrast to the 11% increase globally.
Has the UK learned a lesson?
Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.
The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.
Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.
However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.
Bill Conner, president and CEO of SonicWall, said that, following WannaCry, “you guys [the UK] were all over [ransomware].”
The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.
“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.
There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.
The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.
It’s therefore always advisable to restore from backups where possible rather than paying a ransom.
Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.
Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.
Get started with staff awareness
Our Phishing and Ransomware – Human patch e-learning course makes staff awareness training simple.
This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.
The post UK-based organisations are getting better at preventing ransomware appeared first on IT Governance Blog.
For several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware which is written in Go lang. Malware authors are finding it easy to write ransomware in Go lang rather than traditional programming languages. Infection of Jcry ransomware starts with a compromised website. As…
We round up interesting research and reporting about security and privacy from around the web. This month: healthy GDPR, gender rebalance, cookie walls crumble, telecom threats and incident response par excellence.
A healthy approach to data protection
Ireland’s Department of Health is now considering amendments to the Health Research Regulations, with data protection as one of the areas under review. The Health Research Consent Declaration Committee, which was formed as part of the Health Research Regulations made under GDPR, confirmed the possible amendments in a statement on its website.
GDPR triggered significant changes to health research because of the obligations on data protection impact assessments. Our senior data protection consultant Tracy Elliott has blogged about this issue.
The newly announced engagement process may lead to changes to the Health Research Regulations “where any such amendments are sound from a policy perspective and legally feasible”, the HRCDC said. The HRCDC has also published a more detailed statement on the proposed amendments.
A welcome improvement
Women now make up almost a quarter of information security workers, according to new figures from ISC(2). For years, female participation in security roles hovered around the 10-11 per cent mark. The industry training and certification group’s latest statistics show that figure is much higher than was generally thought.
Some of this increase is due to the group widening its parameters beyond pure cybersecurity roles. The full report shows that higher percentages of women security professionals are attaining senior roles. This includes chief technology officer (7 per cent of women vs. 2 per cent of men), vice president of IT (9 per cent vs. 5 per cent), IT director (18 per cent vs. 14 per cent) and C-level or executive (28 per cent vs. 19 per cent).
“While men continue to outnumber women in cybersecurity and pay disparity still exists, women in the field are buoyed by higher levels of education and certifications, and are finding their way to leadership positions in higher numbers,” ISC(2) said.
The trends are encouraging for any girls or women who are considering entering the profession; as the saying goes, if you can see it, you can be it. (The report’s subtitle is ‘young, educated and ready to take charge’.) After the report was released, Kelly Jackson Higgins at Dark Reading tweeted a link to her story from last year about good practice for recruiting and retaining women in security.
Great walls of ire
You know those annoying website pop-ups that ask you to accept cookies before reading further? They’re known as cookie walls or tracker walls, and the Dutch data protection authority has declared that they violate the General Data Protection Regulation. If visitors can’t access a website without first agreeing to be tracked, they are being forced to share their data. The argument is that this goes against the principle of consent, since the user has no choice but to agree if they want to access the site.
Individual DPAs have taken different interpretations on GDPR matters. SC Magazine quoted Omar Tene of the International Association of Privacy Professionals, who described the Dutch approach as “restrictive”.
This might be a case of GDPR solving a problem of its own making: The Register notes that cookie consent notices showed a massive jump last year, from 16 per cent in January to 62.1 per cent by June.
Hanging on the telephone
Is your organisation’s phone system in your threat model? New research from Europol’s European Cybercrime Centre and Trend Micro lifts the lid on network-based telecom fraud and infrastructure attacks. The Cyber-Telecom Crime Report includes case studies of unusual attacks to show how they work in the real world.
By accessing customers’ or carriers’ accounts, criminals have a low-risk alternative to traditional forms of financial fraud. Among the favoured tactics is vishing, a voice scam designed to trick people into revealing personal or financial information over the phone. ‘Missed call’ scams, also known as Wangiri, involve calling a number once; when the recipient calls back, thinking it’s a genuine call, they connect to a premium rate number. The report includes the eye-watering estimate that criminals make €29 billion per year from telecom fraud.
Trend Micro’s blog takes a fresh angle on the report findings, focusing on the risks to IoT deployments and to the arrival of 5G technology. The 57-page report is free to download from this link. Europol has also launched a public awareness page about the problem.
From ransom to recovery
Norsk Hydro, one of the world’s largest aluminium producers, unexpectedly became a security cause célèbre following a “severe” ransomware infection. After the LockerGoga variant encrypted data on the company’s facilities in the US and Europe, the company shut its global network, switched to manual operations at some of its plants, and stopped production in others.
Norsk Hydro said it planned to rely on its backups rather than paying the ransom. Through it all, the company issued regular updates, drawing widespread praise for its openness, communication and preparedness. Brian Honan wrote: “Norsk Hydro should be a case study in how to run an effective incident response. They were able to continue their business, although at a lower level, in spite of their key systems being offline. Their website contains great examples of how to provide updates to an issue and may serve as a template for how to respond to security breaches.”
Within a week, most of the company’s operations were back running at capacity. Norsk Hydro has released a video showing how it was able to recover. Other victims weren’t so lucky. F-Secure has a good analysis of the ransomware that did the damage, as does security researcher Kevin Beaumont.
Links we liked
Remember the Melissa virus? Congratulations, you’re old: that was 20 years ago. MORE
For parents and guardians: videos to spark conversations with kids about online safety. MORE
A look behind online heists on Mexican banks that netted perpetrators nearly $20 million. MORE
While we’re on the subject, more cybercriminal tactics used against financial institutions. MORE
This is a useful high-level overview of the NIST cybersecurity framework. MORE
This campaign aims to hold tech giants to account for fixing security and privacy issues. MORE
How can security awareness programmes become more effective at reducing risk? MORE
An excellent security checklist for devices and accounts, courtesy of Bob Lord. MORE
Shodan Monitor alerts organisations when their IoT devices become exposed online. MORE
- Is Huawei a Threat to UK National Security?
- Huawei: The company and the security risks
- The assessment of the Chinese state as hostile towards Western nations is key in understanding why Huawei is considered a risk
- Should we worry about Huawei?
- Why has the UK not blocked Huawei?
- Why Huawei matters in five charts
- EU Cybersecurity Act to enable certification of connected devices
One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from ransomware attack on Norsk Hydro reach as high as $40M.
Citrix disclosed a security breach of its internal network that may have compromised 6Tb of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement that it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.
The top 10 biggest breaches of 2018 according to 4iQ were:
- Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses.
- Aadhaar, India – (Open third party device) 1.1 billion people affected
- Marriott Starwood Hotels – (Hacked) 500 million guests PII
- Exactis – (Open device) 340 million people and businesses.
- HuaZhu Group – (Accidental Exposure) 240 million records
- Apollo – (Open device) 150 million app users.
- Quora – (Hacked) 100 million users.
- Google+ – (API Glitch) 52.2 million users.
- Chegg – (Hacked) 40 million accounts
- Cathay Pacific Airways (Targeted attack) 9.4 million passengers.
- Millions of Facebook Passwords exposed Internally for Years
- Security Flaw put RBS Customers at risk of Cyber-Attack
- Norwegian Aluminium producer Norsk Hydro hit by Extensive Cyber Attack, costing up $40M
- Health Apps pose 'unprecedented’ Privacy Risks
- Microsoft Researchers find NSA-style Backdoor in Huawei Laptops
- EU ignores US call to ban Huawei in 5G rollout
- 809 Million Emails Leaked from accessible MongoDB Database
- European Parliament adopts Cybersecurity Act to counter Chinese IT threat
- Huawei: Chinese Telecoms giant 'still a Security Threat to UK' - GCHQ
- Huawei ban would delay 5G rollout: Three
- Citrix Discloses Security Breach of Internal Network, 6Tb of Sensitive Data Stolen
- Equifax neglected Cybersecurity prior to Breach, Senate report finds
- Insurance Companies collaborate to offer Cybersecurity Ratings
- ShadowHammer Attack installed Backdoors on a Million ASUS devices
- ICO helps Developers Produce Compliant Data Products via Sandbox Service
- 100,000 Leaked Authentication Secrets on GitHub, 89% Sensitive
- Insurer refuses Payout to DLA Piper over NotPetya Cyberattack
- Microsoft Patches 64 Vulnerabilities, including 17 Critical for Windows, IE, MS XML, ActiveX, Chakra and Adobe Flash
- Adobe Patches Critical Flaws in Photoshop CC, Cold Fusion and Digital Editions
- Chrome Updated to Combat an Exploited Zero Day
- Apple Patches more than 50 Vulnerabilities
- Cisco may have Released a Faulty Patch in Most Recent Update
- Mozilla Plugs Two Critical Security holes in Thunderbird
- Critical Flaw in Magento e-Commerce Platform Exposes 300,000 e-Commerce Websites to SQL injection
- Mirai Variant adds 11 New Exploits, Shifting Focus to Enterprise IoT Devices
- Microsoft grabs APT35/Charming Kitten websites in court ordered take down
- Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits
- Elfin, aka APT33, targets U.S., Saudi Arabian firms in Cyberespionage Campaign
The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.
That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.
It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.
Breaches on the Rise
Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.
A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records exposed through a hacking or IT incident, at a cost to consumers of nearly $6 billion.
The IoT Factor
Not only are medical facilities vulnerable to hackers, but the growth of Internet of Things (IoT) consumer products, which, in short, means everything is digitally connected to everything else, also provides entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.
To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.
The Dark Web
The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.
With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.
Some of the most valuable data to criminals is children’s health information (stolen from pediatrician offices), since a child’s credit record is clean and therefore a more useful tool in credit card fraud.
According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.
“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” says Samani.
Healthcare professionals, hospitals, and health insurance companies, while they may give criminals an entry point and bear responsibility for it, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.
Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker matters. There are some things you can do to strengthen your family’s healthcare data practices.
Ways to Safeguard Medical Data
Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.
Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.
Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.
Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.
Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.
How to Protect IoT Devices
According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.
- Change default usernames and passwords
- Isolate IoT devices on their own protected networks
- Configure network firewalls to inhibit traffic from unauthorized IP addresses
- Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
- Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
- Ensure devices and their associated security patches are up-to-date
- Apply cybersecurity best practices when connecting devices to a wireless network
- Invest in a secure router with appropriate security and authentication practices
We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.
Ransom vs ruin
Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.
Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.
Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.
Ready to report
If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all.) Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).
By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.
In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.
Old flaws in not-so-new bottles
More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.
Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.
SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.
From a shrug to a shun
Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”
If you notice this notice…
Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.
It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.
Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.
Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.
Things we liked
Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE
Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE
You give apps personal information. Then they tell Facebook (PAYWALL). MORE
Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE
This 190-second video explains cybercrime to a layperson without using computers. MORE
Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE
Tips for improving cyber risk management. MORE
Here’s what happens when you set up an IoT camera as a honeypot. MORE
Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.
You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.
Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.
Still, given the benefits we get from these devices, they are probably here to stay. We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.
Cybercrooks have already taken note of these opportunities, and malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.
So, whether you have one IoT device, or many, it’s worth learning how to use them safely.
Follow these smart home safety tips:
- Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
- Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers — change the default username and password to something strong, and unique. Hackers often know the default settings and share them online. Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
- Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
- Install comprehensive security software—Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.
In the wake of the growing incidence of targeted cyber-attacks on enterprises using cryptojacking, due to its ease of deployment and instant return on investment, it rather comes as a surprise that malware authors are still counting on ransomware for targeting consumers and home users. Yes, you heard it right! According…
In collaboration with Bill Siegel and Alex Holdtman from Coveware.
At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, and a detailed description of how the ransomware is piggybacking the infamous and ever evolving Trickbot as a primary attack vector. In this blog post we have teamed up with Coveware to take a closer look at the adversary and victim dynamics of Ryuk Ransomware. We structured our research using the Diamond threat model and challenged our existing hypotheses with fresh insights.
Introduction to The Diamond Model
Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.
For the Ryuk case described above the model can be applied as follows: “An Adversary, cyber-criminal(s), has a capability (Ryuk Ransomware) that is being spread via a TrickBot infection Infrastructure targeting specific victims.”
Diamond model of Intrusion Analysis
The Diamond Model offers a holistic view of an intrusion that is a helpful guideline to shape the direction of intelligence research. By searching for relationships between two elements one can gather new evidence. For instance, by analyzing and reverse engineering a piece of malware one might uncover that a certain server is being used for command and control infrastructure, thus linking capability with infrastructure (as shown below).
Linking Infrastructure and Capability
Alternatively, one might search underground forums to find information on adversaries who sell certain pieces of malware, thus linking an adversary with a capability. For instance, finding the underground forum advertisement of Hermes2.1.
Linking Adversary and Capability
Analysis of Competing Hypotheses
In our earlier publication we explained The Analysis of Competing Hypotheses (ACH), the process of challenging formed hypotheses with research findings.
By following this method, we concluded that the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.
In order to construct a hypothesis with the least falsifying evidence, we welcome research published by our industry peers that disseminates insights challenging our hypotheses. When we combined all the evidence with the links on the diamond model, we discovered that one essential link hadn’t been made: the link between adversary and victim.
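As an added example (not code from this post, McAfee ATR or Coveware), here is a small Python implementation of the ACH ranking rule described above, applied to the Ryuk findings the post discusses. The hypotheses and the consistent/inconsistent ratings are constructed for illustration and are not published findings.

```python
"""Analysis of Competing Hypotheses (ACH) scoring for the Ryuk case.

Added example, not code from the post, McAfee ATR or Coveware. The evidence
descriptions summarise points the post raises; the C/I/N ratings per hypothesis
are constructed assumptions so the ranking rule can be demonstrated end to end.
"""
from typing import Dict, List, Tuple

# Rating vocabulary: C = consistent with the hypothesis, I = inconsistent, N = neutral.
Evidence = List[Tuple[str, Dict[str, str]]]

HYPOTHESES: Dict[str, str] = {
    "H1": "Ryuk is run by a North Korean state actor",
    "H2": "Ryuk is run by a single cyber-criminal group",
    "H3": "Ryuk is run by more than one cyber-criminal group",
}

# Constructed ACH matrix: (evidence description, {hypothesis id: rating}).
EVIDENCE: Evidence = [
    ("Code overlap with Hermes 2.1, which was advertised on an underground forum",
     {"H1": "I", "H2": "C", "H3": "C"}),
    ("Delivered through TrickBot infections, a commodity crimeware vector",
     {"H1": "N", "H2": "C", "H3": "C"}),
    ("Bar-belled negotiations: some victims stonewalled, others given ~60% discounts",
     {"H1": "N", "H2": "I", "H3": "C"}),
    ("Initial email responses differ in length, language and opening ask",
     {"H1": "N", "H2": "I", "H3": "C"}),
    ("Post-payment bitcoin handling looks the same across cases",
     {"H1": "N", "H2": "C", "H3": "I"}),
    ("Ransom note text borrowed from Bitpaymer",
     {"H1": "N", "H2": "N", "H3": "N"}),
    ("Negotiator quoted 'à la guerre comme à la guerre', a phrase used by Lenin",
     {"H1": "I", "H2": "C", "H3": "C"}),
]


def diagnostic_evidence(evidence: Evidence, hypotheses: Dict[str, str]) -> Evidence:
    """Drop evidence that rates every hypothesis the same: it cannot discriminate
    between them, so ACH treats it as non-diagnostic."""
    kept: Evidence = []
    for desc, ratings in evidence:
        values = {ratings.get(h, "N") for h in hypotheses}
        if len(values) > 1:
            kept.append((desc, ratings))
    return kept


def score(evidence: Evidence, hypotheses: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Return {hypothesis id: (inconsistent_count, consistent_count)} counted over
    the diagnostic evidence only."""
    counts = {h: [0, 0] for h in hypotheses}
    for _desc, ratings in diagnostic_evidence(evidence, hypotheses):
        for h in hypotheses:
            rating = ratings.get(h, "N")
            if rating == "I":
                counts[h][0] += 1
            elif rating == "C":
                counts[h][1] += 1
    return {h: (inc, con) for h, (inc, con) in counts.items()}


def rank(evidence: Evidence, hypotheses: Dict[str, str]) -> List[Tuple[str, int, int]]:
    """Rank hypotheses by fewest inconsistencies first (the ACH rule the post
    describes); consistent-evidence count breaks ties, then the id for stability."""
    scored = score(evidence, hypotheses)
    ordered = sorted(scored.items(), key=lambda kv: (kv[1][0], -kv[1][1], kv[0]))
    return [(h, inc, con) for h, (inc, con) in ordered]


def matrix(evidence: Evidence, hypotheses: Dict[str, str]) -> str:
    """Render the full ACH matrix as plain text for an analyst to review."""
    ids = list(hypotheses)
    lines = ["Evidence".ljust(72) + "  ".join(ids)]
    for desc, ratings in evidence:
        lines.append(desc[:70].ljust(72) + "   ".join(ratings.get(h, "N") for h in ids))
    return "\n".join(lines)


if __name__ == "__main__":
    print(matrix(EVIDENCE, HYPOTHESES))
    for h, inconsistent, consistent in rank(EVIDENCE, HYPOTHESES):
        print(f"{h} ({HYPOTHESES[h]}): {inconsistent} inconsistent, {consistent} consistent")
```

With these constructed ratings the multi-group hypothesis ranks first because it has the fewest contradicting items, even though the single-group hypothesis also has plenty of supporting evidence.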
Seeking New Insights Between Adversary and Victim
Despite published research, the direct link between adversary and victim remained relatively unexplored. Unlike most cybercrime, ransomware and digital extortion frequently create a strong social connection between adversary and victim. The adversary has certain needs and views the victim as the means to fulfill those needs. The connection between an adversary and victim often generates valuable insights, especially in cases where (extensive) negotiations take place.
Luckily, one of our NoMoreRansom partners, Coveware, specializes in ransomware negotiations and has gained valuable insights that help us link adversary and victim.
The social connection between Adversary and Victim
Ransom Amounts and Negotiations
By aggregating ransomware negotiation and payment data, Coveware is able to identify strain-specific ransomware trends. With regards to Ryuk, it should be noted that its ransom amounts average more than 10x the average across ransomware strains, making it the costliest type of ransomware. Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k.
The bar-belled negotiation outcomes meant that some victims were stonewalled. These victims either lost their data or took on staggering financial risk to pay the ransom. The outcomes also imply that in certain cases the adversary would rather receive infrequent large windfalls (often in excess of 100BTC), while in other cases the adversary was keen to monetize every attack and accept lower amounts to ensure payment. This difference in modus operandi suggests that more than one cyber-criminal group is operating Ryuk ransomware.
Ransom Note and Negotiation Similarities and Differences
Similarities between Bitpaymer and Ryuk ransom notes have been observed before. While it is not uncommon for ransom notes to share similar language, sequences of phrases tend to remain within the same ransomware family. Slight copy+paste modifications are made to the ransom text as a variant is passed along to different groups, but large alterations are rarely made. Below is a comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right).
A comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right)
The shared language implies that text once unique to a Bitpaymer campaign was borrowed for a Ryuk campaign, possibly by an operator running simultaneous ransom campaigns of both Bitpaymer and Ryuk or the imitation can be considered as the sincerest form of flattery.
Different Initial Email Response May Be Different Adversaries?
A more dramatic scripted communication difference has been observed in the initial email response from Ryuk adversaries. The initial email response is typically identical within ransomware families belonging to the same campaign. When significant differences in length, language, and initial ransom amount appear in the initial email response, we are comfortable assuming they belong to unique groups with unique modus operandi. This would mean that Ryuk is being spread by more than one actor group.
Below are two such Ryuk examples:
Post Payment Bitcoin Activity
A final indicator that multiple groups are running simultaneous Ryuk campaigns can be observed in the activity of bitcoin after it hits a ransom address. Surprisingly, despite the differences between negotiation outcome and initial communications, Coveware observed little difference between the BTC wallets (blacked out to protect victims) associated with the above cases. Initial comparison showed no meaningful discrepancy between the time of a ransom payment and the time of a corresponding withdrawal. Additionally, the distribution of funds upon withdrawal was consistently split between two addresses. Coveware will continue to monitor the funds associated with campaigns for meaningful indicators.
Ryuk Negotiating Profiles
With few exceptions, the rest of the email replies during a Ryuk extortion negotiation are extremely short and blunt. Typical replies and retorts are generally less than 10 written words and often just a single number if the ransom amount is the point of discussion. This correspondence is unique to Ryuk.
One reply did contain quite a remarkable expression, “à la guerre comme à la guerre,” to contextualize the methods and reasons for the cyber criminals’ attacks on western companies. The French expression originates from the seventeenth century and literally translates to “in war as in war”; loosely it means “in harsh times one has to make do with what’s available.” The striking thing about this expression is that it is prominently featured in volume 30 of the collected works of the Soviet revolutionary leader Vladimir Lenin, who uses it to describe the struggle of his people during the war against western capitalism.
This concept of “the capitalist West versus the poor East” is something McAfee ATR quite often sees expressed by cyber criminals from some of the Post-Soviet republics. The expression may be a clear indicator of the origin and cultural outlook of the criminals behind Ryuk.
Ryuk poses existential risk to certain industries
Even though the average ransom discount obtained in Ryuk negotiations is large (~60%), the absolute level of the ransom is extreme. We have seen evidence that links ransom demands to the size of the victim company’s network footprint. However, this doesn’t mean that the ransom demand correlates to the victim’s actual operational and financial size.
Companies in the IT Hosting and the Freight and Logistics industries have been particularly susceptible to this discrepancy. Coveware has assisted at least 3 companies that have had to unwind their business when an affordable ransom amount could not be reached. Typically, downtime costs are 10x the ransom amount, but in these industries downtime costs can be particularly extreme.
IT Hosting companies are of note as the size and number of their servers can make them appear like a large organization. Unfortunately, the business of hosting involves high fixed costs, low operating margins, and zero tolerance of downtime by end clients. Hosting companies that get attacked typically have a few hours to restore service before their clients drop them for alternatives. Moreover, these companies suffer irreparable harm to their reputations, and may trigger SLA breaches that leave them exposed to liability. The inability to pay a six-figure ransom has caused multiple hosting companies to shut down.
Freight and Logistics firms are also acutely exposed. These firms also present like larger firms given the volume of data they move and their network footprint. Additionally, attacks against Freight and Logistics firms can cause immediate supply chain issues for the victims’ end clients, who are subsequently forced to route through other service providers. Similar to IT Hosting, Freight and Logistics firms have low operating margins and end clients with little tolerance for service interruptions. The inability to pay or negotiate a large ransom has materially impacted several firms in this industry.
Ryuk Decryptor findings and issues
When victims do pay the exorbitant ransom amount, the criminals provide a decryptor to unlock their files. This decryptor is actually a framework that needs to be loaded with the victim’s private RSA key, provided by the criminals, in order to decrypt, ensuring that the provided decryptor will only work for this specific victim. This setup allows the criminals to quickly load a victim’s key into the framework and offer a custom decryptor with minimal code change while the underlying framework remains the same.
From Coveware’s experience we have learned that the decryption process is quite cumbersome and full of possible fatal errors. Luckily Coveware was able to share the Ryuk decryptor with McAfee ATR in order to take a closer look at the issues and level of sophistication of the decryptor.
Once launched, the first thing the decryptor does is search the HKEY_CURRENT_USER hive for a value named “svchos” under the path “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” and delete that entry. This removes the malware’s persistence. Afterwards it reboots the system and removes any remaining Ryuk malware still residing on the system.
Deleting the “svchos” value from the registry.
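The same Run-key persistence the decryptor cleans up can be checked for by a defender long before any decryptor is involved. The following is an added example written for this article, not code from McAfee, Coveware or the original post: it parses a registry export (.reg text) of the autorun keys and flags value names that mimic Windows process names (the lookalike heuristic and the user-writable-path heuristic are assumptions of this example). The only value name taken from the write-up is “svchos”; the export text itself is constructed.

```python
"""Scan a Windows registry export (.reg text) for suspicious Run-key entries.

Added example, not code from the original post, McAfee or Coveware. The .reg
content below is constructed; the only detail taken from the write-up is the
"svchos" value name under HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
The lookalike and user-writable-path checks are heuristics assumed here.
"""
import re
from typing import Dict, List

RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Legitimate Windows process names that malware authors like to imitate.
LOOKALIKE_TARGETS = ("svchost", "lsass", "csrss", "explorer", "winlogon")

# Constructed export: one legitimate autorun entry and one "svchos" entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchos"="C:\\Users\\alice\\AppData\\Roaming\\svchos.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(raw: str) -> str:
    """Turn a .reg string value (backslashes and quotes escaped) into the real string.
    Non-string types (hex:, dword:) are returned unchanged."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw


def parse_run_entries(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {run_key: {value_name: value}} for the autorun keys only."""
    entries: Dict[str, Dict[str, str]] = {}
    wanted = {k.lower() for k in RUN_KEYS}
    current = None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            current = key if key.lower() in wanted else None
            if current:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE.match(line)
        if m:
            entries[current][m.group(1)] = _unescape(m.group(2))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small strings, so a simple DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(value_name: str) -> bool:
    """True when the name is one edit away from a well-known Windows process name."""
    base = value_name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return any(base != t and edit_distance(base, t) <= 1 for t in LOOKALIKE_TARGETS)


def find_suspicious(reg_text: str) -> List[dict]:
    findings = []
    for key, values in parse_run_entries(reg_text).items():
        for name, value in values.items():
            reasons = []
            if is_lookalike(name):
                reasons.append("value name mimics a Windows process name")
            if re.search(r"\\(AppData\\Roaming|AppData\\Local\\Temp)\\", value, re.I):
                reasons.append("binary launched from a user-writable profile directory")
            if reasons:
                findings.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REG):
        print(f["name"], "->", f["value"], "|", "; ".join(f["reasons"]))
```

Export the Run keys with `reg export` on a suspect host and feed the text to `find_suspicious`; on the constructed sample only the “svchos” entry is reported, on two grounds (lookalike name, launched from AppData\Roaming), while the OneDrive entry passes.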
Once rebooted the user needs to run the tool again and the decryptor will provide two options to decrypt.
- Decryption per file
- Automatic decryption
The main interface of the Ryuk decryptor with the different menu options.
HERMES File Marker
During the decryption process we have found that the decryptor searches for the known file marker string HERMES which is located in the encrypted file.
The HERMES marker clearly visible within the file
The fact that Ryuk ransomware adds the HERMES file marker string was already known, but discovering this specific check routine in the decryptor further strengthens the hypothesis that Ryuk is a slightly modified version of the Hermes 2.1 ransomware kit that is sold online.
While examining the decryptor we were astonished by the lack of sophistication and the number of errors that resided within the code. Some of the most prominent issues were:
- If there is a space in the Windows file path the decryptor will fail the decryption process.
- If there is a quotation mark (“) in the file path the decryptor will report an error that it cannot find the specific file.
- The decryptor uses the “GetVersionExW” function to determine the Windows version; starting with Windows 8.1 the value returned by this API has changed, and the decryptor isn’t designed to handle the new value.
- The decryptor doesn’t remove the .RYUK extension and replace it with the original extension. So, there is no way the name of the file can give an indication towards the type of the file, something that can be extremely labor intensive for enterprise victims.
- When choosing the manual option in the decryptor, the user has to supply a path of the specific file or choose “0” to finish. However, choosing a “0” will put the decryptor into an infinite loop.
Looking at the decryptor, it is very worrisome to see that the criminals behind Ryuk can get away with such bad programming. It shows a clear lack of empathy towards their victims and the absence of solid coding skills. Victims who do pay the exorbitant ransom demand are far from in the clear. The decryptor offered by the criminals has a very high risk of malfunctioning, resulting in permanent damage to their precious files. Victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.
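Before any decryptor is run, a victim benefits from an inventory of which files are actually encrypted, taken from the disk copy rather than the live system. The following is an added example written for this article, not code from McAfee, Coveware or the original post. It relies only on what the write-up states: encrypted files carry the HERMES marker and the .RYUK extension, and the decryptor neither restores the original extension nor copes with spaces or quotation marks in paths. It walks a tree with pathlib (so awkward names are harmless), records every file containing the marker, and includes a magic-byte sniffer so that a decrypted file whose name no longer says what it is can still be typed by content. The sample tree it builds is constructed; the position of the marker inside real samples is not assumed, the whole file is searched.

```python
"""Inventory Ryuk-encrypted files by the HERMES marker and sniff file types by content.

Added example, not code from the original post, McAfee or Coveware. Assumes only
what the write-up states: the HERMES marker string, the .RYUK extension, and a
decryptor that mishandles spaces and quotes in paths and does not restore the
original extension. The sample tree built here is constructed.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

MARKER = b"HERMES"
ENCRYPTED_EXT = ".RYUK"

# A few well-known magic signatures, enough to name a recovered file's type
# when its name no longer says so. Not exhaustive.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip/office"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole/legacy office"),
    (b"MZ", "pe"),
]


def sniff_type(data: bytes) -> Optional[str]:
    """Name a file type from its leading bytes, or None if unknown."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return None


def has_marker(path: Path, chunk: int = 1 << 20) -> Optional[int]:
    """Return the offset of the first HERMES marker in the file, or None.
    Reads in chunks and keeps a len(MARKER)-1 byte tail so a marker that
    straddles a chunk boundary is still found."""
    overlap = len(MARKER) - 1
    offset = 0
    tail = b""
    with path.open("rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return None
            buf = tail + block
            idx = buf.find(MARKER)
            if idx != -1:
                return offset - len(tail) + idx
            tail = buf[-overlap:]
            offset += len(block)


def inventory(root: Path, chunk: int = 1 << 20) -> List[Dict[str, object]]:
    """Walk the tree with pathlib (no shell, so spaces and quotes in names are
    harmless) and record every file that carries the marker."""
    rows: List[Dict[str, object]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        off = has_marker(p, chunk)
        if off is None:
            continue
        rows.append({
            "path": str(p),
            "size": p.stat().st_size,
            "marker_offset": off,
            "has_ryuk_ext": p.suffix.upper() == ENCRYPTED_EXT,
        })
    return rows


def build_sample_tree(base: Path) -> Path:
    """Constructed data: two 'encrypted' files with awkward names, one clean file."""
    (base / "Quarterly Report").mkdir()
    (base / "Quarterly Report" / 'sales "final".xlsx.RYUK').write_bytes(
        b"\x00" * 40 + MARKER + b"\x11" * 16)
    (base / "notes.txt.RYUK").write_bytes(b"\x22" * 9 + MARKER)
    (base / "readme.txt").write_bytes(b"nothing to see here")
    return base


def demo(chunk: int = 8) -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir and return its inventory.
    The tiny chunk size is deliberate: it exercises the chunk-boundary handling."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return inventory(root, chunk=chunk)


if __name__ == "__main__":
    for row in demo():
        print(row)
    print(sniff_type(b"%PDF-1.7\n"))
```

Run `inventory` against the mounted copy of the encrypted disk, keep the resulting list, and after decryption apply `sniff_type` to the recovered files to rebuild the extensions the decryptor does not restore.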
Call to action in piecing the different parts together
By combining all the fresh insights with the information already discovered by ourselves and industry peers, we can start defining our leading hypotheses around Ryuk. Based on these hypotheses, we will actively look for falsifying evidence. We encourage the security community to participate in this process. We realize that only by collaboration can we piece the different parts of the Ryuk puzzle together.
By now it should be beyond question that involvement of the DPRK is the least likely hypothesis. Our leading hypothesis on Ryuk, until proven otherwise, is:
- Ryuk is a direct descendant of Hermes 2.1 with slight modifications, based on the code overlap in the ransomware as well as the decryptor.
- Ryuk is not designed to be used in a large-scale corporate environment, based on all the scalability issues in the decryptor.
- At this moment there are several actors or actor groups spreading Ryuk, based on the extortion modus operandi and the different communications with the victims.
- The actors or actor groups behind Ryuk have a relationship with one of the Post-Soviet republics, based on the Russian found in one of the encrypted files and the cultural references observed in the negotiations.
- The actors behind Ryuk most likely have an affiliation or relationship with the actors behind Trickbot and, based on their TTPs, are better skilled at exploitation and lateral movement than at pure ransomware development.
In the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor. The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.
When a company does give in to the high demands it is extra painful to see a situation occur where they are permanently unable to recover their files due to the faulty decryptor.
A solid data loss prevention strategy still remains the best defence against all forms of ransomware; for general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk.
Emotet is known for constantly changing its payload and infection vectors, such as spam mail, malicious documents and even malicious JS files. It has compromised a very high number of websites on the internet. The Emotet malware campaign has existed since 2014. It returns frequently in intervals with different techniques and variants to deliver malware…
Each year, internet users lose billions of dollars to online scams, using clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.
Nosy Quizzes & Questionnaires
Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.
Creepy Crypto Scams
While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.
Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.
Romance & “Sextortion” Scams
The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.
And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.
Topical News Hooks
Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.
In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.
Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.
Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.
Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.
So, now that you know what to look out for, here are our top tips for sidestepping the scammers:
- Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
- Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
- Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
- Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
- Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
- Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.
As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making a donation instead of a ransom payment. While CryptoMix has used this guise in the past, they’ve recently upped the ante by using legitimate information from crowdfunding pages for sick children to further disguise this scheme.
So, how does CryptoMix trick users into making ransom payments? First, the victim receives a ransom note containing multiple email addresses to contact for payment instructions. When the victim contacts one of the email addresses, the “Worldwide Children Charity Community” responds with a message containing the profile of a sick child and a link to the One Time Secret site. This website service allows users to share a post that can only be read once before it’s deleted. CryptoMix’s developers use One Time Secret to distribute payment instructions to the victim and explain how their contribution will be used to provide medical help to sick children. The message claims that the victim’s data will be restored, and their system will be protected from future attacks as soon as the ransom is paid. In order to encourage the victim to act quickly, the note also warns that the ransom price could double in the next 24 hours.
After the victim makes the payment, the ransomware developers send the victim a link to the decryptor. However, they continue to pretend they are an actual charity, thanking the victim for their contribution and ensuring that a sick child will soon receive medical help.
CryptoMix’s scam tactics show how ransomware developers are evolving their techniques to ensure they make a profit. As ransomware threats become stealthier and more sophisticated, it’s important for users to educate themselves on the best techniques to combat these threats. Check out the following tips to help keep your data safe from ransomware:
- Back up your data. In order to avoid losing access to your important files, make copies of them on an external hard drive or in the cloud. In the event of a ransomware attack, you will be able to wipe your computer or device and reinstall your files from the backup. Backups can’t always prevent ransomware, but they can help mitigate the risks.
- Never pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments.
- Use security software. Adding an extra layer of security with a solution such as McAfee Total Protection, which includes Ransom Guard, can help protect your devices from these types of cyberthreats.
The post Children’s Charity or CryptoMix? Details on This Ransomware Scam appeared first on McAfee Blogs.
Senior analyst Ryan Sherstobitoff contributed to this report.
During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.
The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.
How McAfee approaches attribution
Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.
Ryuk attack: putting the pieces together
In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.
One of the functions we often see in ransomware samples is that they will not execute if the victim’s system language is one of the following:
- 419 (Russian)
- 422 (Ukrainian)
- 423 (Belarusian)
That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the malware kit Hermes 2.1 ransomware:
What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?
In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.
This post contains a link to an article in the Russian security magazine Xakep.ru (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.
Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.
Ransomware is typically named by its cybercriminal developer, as opposed to state-sponsored malware, which is mostly named by the security industry. It seems the criminals behind Ryuk are into manga.
The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.
Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.
Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:
We can see that the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables’ Rich headers, they are also identical.
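Both artifacts compared above, the PDB path and the Rich header checksum, can be pulled out of a sample without a full PE parser. The following is an added example written for this article, not McAfee's tooling or code from the original post. It scans raw bytes for the CodeView (RSDS) debug record and decodes the Rich header that MSVC places between the DOS stub and the PE header, then summarises several samples side by side. The sample blobs it builds are constructed, and the PDB paths inside them are placeholders, not paths from real Ryuk binaries.

```python
"""Pull two comparison artifacts out of PE samples: the PDB path from the
CodeView (RSDS) debug record and the XOR key (checksum) of the Rich header.

Added example, not code from the original post or McAfee. It scans raw bytes
rather than walking the PE data directories, which is enough for triage and
keeps the example dependency-free. The sample blobs built below are
constructed; the PDB paths in them are placeholders.
"""
import struct
from typing import Dict, List, Optional, Tuple


def find_pdb_path(data: bytes) -> Optional[str]:
    """CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    idx = data.find(b"RSDS")
    while idx != -1:
        start = idx + 4 + 16 + 4
        end = data.find(b"\x00", start)
        if end != -1:
            path = data[start:end]
            # Accept only printable ASCII ending in .pdb to skip coincidental matches.
            if path.lower().endswith(b".pdb") and all(32 <= c < 127 for c in path):
                return path.decode("ascii")
        idx = data.find(b"RSDS", idx + 1)
    return None


def parse_rich_header(data: bytes) -> Optional[Dict[str, object]]:
    """Decode the Rich header. Layout, every DWORD XORed with the key:
    'DanS', three padding DWORDs, (compid, count) pairs, then plain 'Rich'
    followed by the key itself. compid packs product id (high 16) and build (low 16)."""
    region = data
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if 0 < e_lfanew <= len(data):
            region = data[:e_lfanew]          # the Rich header sits before the PE header
    rich = region.find(b"Rich")
    if rich == -1 or rich + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, rich + 4)[0]
    dans_enc = struct.pack("<I", struct.unpack("<I", b"DanS")[0] ^ key)
    start = region.rfind(dans_enc, 0, rich)
    if start == -1:
        return None
    entries: List[Tuple[int, int, int]] = []
    pos = start + 16                          # skip 'DanS' and 3 padding DWORDs
    while pos + 8 <= rich:
        comp, count = struct.unpack_from("<II", region, pos)
        comp ^= key
        count ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count))   # (prodid, build, use count)
        pos += 8
    return {"key": key, "entries": entries}


def compare_samples(samples: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Summarise each sample's PDB path and Rich key so shared toolchains stand out."""
    out: Dict[str, Dict[str, object]] = {}
    for name, blob in samples.items():
        rich = parse_rich_header(blob)
        out[name] = {
            "pdb": find_pdb_path(blob),
            "rich_key": None if rich is None else rich["key"],
            "toolchain": None if rich is None else sorted({(p, b) for p, b, _ in rich["entries"]}),
        }
    return out


def build_sample(key: int, entries: List[Tuple[int, int, int]], pdb_path: str) -> bytes:
    """Constructed PE-like blob: DOS header, stub, Rich header, 'PE\\0\\0', CodeView record."""
    rich = bytearray(struct.pack("<I", struct.unpack("<I", b"DanS")[0] ^ key))
    rich += struct.pack("<III", key, key, key)          # zero padding XOR key == key
    for prodid, build, count in entries:
        rich += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\n$"
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40 bytes
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(stub) + len(rich))
    pe = b"PE\x00\x00" + b"\x00" * 0x40
    cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode("ascii") + b"\x00"
    return bytes(dos_header) + stub + bytes(rich) + pe + b"\x00" * 16 + cv + b"\x00" * 8


def build_demo_samples() -> Dict[str, bytes]:
    """Two constructed samples from one toolchain with the same placeholder PDB path
    (differing only in trailing filler), plus a third with another key and path."""
    tool = [(0x0103, 0x6B9D, 7), (0x0101, 0x6B9D, 2)]    # constructed (prodid, build, count)
    pdb = "C:\\placeholder\\project\\Release\\sample.pdb"
    a = build_sample(0x1234ABCD, tool, pdb)
    b = build_sample(0x1234ABCD, tool, pdb) + b"\x90" * 32
    c = build_sample(0x0BADF00D, [(0x0105, 0x5E9A, 3)], "D:\\other\\build\\tool.pdb")
    return {"sample_1": a, "sample_2": b, "unrelated": c}


if __name__ == "__main__":
    for name, summary in compare_samples(build_demo_samples()).items():
        print(name, summary)
```

A matching Rich key across samples means the same linker input set and build environment produced them, and a matching PDB path means the same project layout; together they are strong evidence of a shared builder, which is what the comparison in the text rests on. Real binaries built with the kit can be fed to `compare_samples` as read bytes in place of the constructed blobs.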
From a call-flow perspective, we notice the similarities and evolution of the code:
The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.
The author and seller of Hermes 2.1 emphasizes that he is selling a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing the name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.
Attribution: analyzing competing hypotheses
In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.
Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We try not only to seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.
Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.
The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.
The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.