Always Providing You With Ongoing Information

Posts tagged ‘Malware’

Ransomware

Image result for ransomware

What is a ransomware attack?

Ransomware is a form of malicious software — malware — which encrypts documents on a PC or even across a network. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind the ransomware.

A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes if vital files and documents (think spreadsheets and invoices) are suddenly encrypted and inaccessible. But that’s not the only way to get infected.

What is the history of ransomware?

While ransomware exploded last year, increasing by an estimated 748 percent, it’s not a new phenomenon: the first instance of what we now know as ransomware appeared in 1989.

Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims — mostly in the healthcare industry — on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and the files on it and demanded the user ‘renew their license’ with ‘PC Cyborg Corporation ‘ by sending $189 or $378 to a post office box in Panama.

 

aids-info-demand-500.png
The AIDS demand for payment — by post. Image: Sophos

 

How did ransomware evolve?

This early ransomware was a relatively simple construct, using basic cryptography which mostly just changed the names of files, making it relatively easy to overcome.

But it set off a new branch of computer crime, which slowly but surely grew in reach — and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.

One of the most successful variants was ‘police ransomware’, which tried to extort victims by claiming to be associated with law enforcement. It locked the screen with a ransom note warning the user they’d committed illegal online activity, which could get them sent to jail.

However, if the victim paid a fine, the ‘police’ would let the infringement slide and restore access to the computer by handing over the decryption key.

police-ransomware-sophos.png
An example of ‘police ransomware’ threatening a UK user. Image: Sophos

.

What are the main types of ransomware?

Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.

Perhaps the most notorious form of ransomware is Locky, which terrorised organizations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave into the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.

 

Locky remained successful because those behind it regularly update the code to avoid detection. They even update it with new functionality, including the ability to make ransom demands in 30 languages, so criminals can more easily target victims around the world. Locky became so successful, it rose to become most prevalent forms of malware in its own right.

Cryptowall is another form of ransomware which has found great success for a prolonged period of time. Starting life as doppelganger of Cryptolocker, it’s gone onto become one of the most successful types of ransomware.

One of the most common forms of ransomware distributed in this way is Cerber, which infected hundreds of thousands of users in just a single month. The original creators of Cerber are selling it on the Dark Web, allowing other criminals to use the code in return for 40 percent of each ransom paid.

Cerber ransomware became so successful that it surpassed Locky — which appeared to mysteriously disappear over Christmas, although reemerged in April with new attack techniques — to become the most dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.

 

 

The cryptography behind Cerber is so advanced that there’s currently no decryption tools available to help those infected by the latest versions.

Cerber now comes with the ability to steal to steal bitcoin wallet and password information, in addition to encrypting files.

In exchange for giving up some of the profits for using Cerber, wannabe cyber-fraudsters are provided with everything they need in order to successfully make money through the extortion of victims.

What is WannaCry ransomware?

In the biggest ransomware attack to date, WannaCry — also known as WannaCrypt and Wcry — caused chaos across the globe in an attack which started on Friday 12 May 2017. WannaCrypt ransomware demands $300 in bitcoin for unlocking encrypted files — a price which doubles after three days. Users are also threatened, via a ransom note on the screen, with having all their files permanently deleted if the ransom isn’t paid within a week.

wannacry-talos.jpg
WannaCry ransomware infected Windows XP systems across the globe. Image: Cisco Talos

 

More than 300,000 victims in over 150 countries fell victim to the ransomware over the course of one weekend, with businesses, governments, and individuals across the globe all affected.

Healthcare organisations across the UK had systems knocked offline by the ransomware attack, forcing patient appointments to be cancelled and hospitals telling people to avoid visiting Accident and Emergency departments unless it was entirely necessary.

Of all the countries affected by the attack, Russia was hit the hardest, according to security researchers, with the WannaCry malware crashing Russian banks, telephone operators, and even IT systems supporting transport infrastructure. China was also hit hard by the attack, with 29,000 organizations in total falling victim to this particularly vicious form of ransomware.

Other high-profile targets included the car manufacturer Renault which was forced to halt production lines in several locations as the ransomware played havoc with systems.

What all the targets had in common is that they were running unsupported versions of Microsoft Windows, including Windows XP, Windows 8, and Windows Server 2003.

The ransomware worm is so potent because it exploits a known software vulnerability called EternalBlue. The Windows flaw is one of many zero-days which apparently was known by the NSA — before being leaked by the Shadow Brokers hacking collective. Microsoft released a patch for the vulnerability earlier this year — but only for the most recent operating systems.

In response to the attack, Microsoft took the unprecedented step of issuing patches for unsupported operating systems to protect against the malware.

 

It was almost three months before the WannaCry attackers finally withdrew the funds from the WannaCry bitcoin wallets — they made off with a total of $140,000 thanks to fluctuations in the value of bitcoin.

But despite critical patches being made available to protect systems from WannaCry and other attacks exploiting the SMB vulnerability, a large number of organisations seemingly chose not to apply the updates.

 

 

petya-ransom-note.jpg
Petya ransom note Image: Symantec

 

But that’s a relatively modest loss in comparison to other victims of the attack: shipping and supply vessel operator Maersk and goods delivery company FedEx have both estimated losses of $300m due to the impact of Petya.

In February 2018, the governments of the United Kingdom, the United States, Australia and others officially declared that the NotPetya ransomware had been the work of the Russian military. Russian denies any involvement.

What is Bad Rabbit ransomware?

October 2017 saw the third high profile ransomware attack of the year when organizations in Russia and Ukraine fell victim to a new variant of Petya ransomware.

Dubbed Bad Rabbit, it infected at least three Russian media organisations while also infiltrating the networks of several Ukrainian organisations including the Kiev Metro and Odessa International Airport – at the time, the airport said it had fallen victim to a ‘hacker attack’.

The initial attack vector used to distribute Bad Rabbit was drive-by downloads on hacked websites – some of which had been compromised since June. No exploits were used, rather visitors were told they had to install a phony Flash update, which dropped the malware.

badrabbit.png
Bad Rabbit ransom note Image: Kaspersky Lab

Like NotPetya before it, Bad Rabbit spread through networks using a leaked NSA hacking tool – but this time it was via the EternalRomance SMB vulnerability, rather than the EternalBlue exploit.

Analysis of Bad Rabbit shared much of its code – at least 67 percent – with Peyta and researchers at Cisco Talos concluded that this, combined with how it uses SMB exploits, means there’s “high confidence” in a link between the two forms of ransomware – and that they could even share the same author.

Bad Rabbit was named after the text which appeared at the top of the Tor website hosting the ransom note. Some security researchers joked it should’ve been named after the lines in the code referencing characters from Game of Thrones.

 

spritecoin-ransomware-ransom-note.png
SpriteCoin ransomware demands payment in Monero. Image: Fortinet.

How do you prevent a ransomware attack?

With email being by far the most popular attack vector for ransomware, you should provide employees with training on how to spot an incoming malware attack. Even picking up on little indicators like poor formatting or that an email purporting to be from ‘Microsoft Security’ is sent from an obscure address which doesn’t even contain the word Microsoft within it might save your network from infection. The same security policies that protect you from malware attacks in general will go some way towards protecting your company from ransom demands too.

At the very least, employers should invest in antivirus software and keep it up-to date, so that it can warn users about potentially malicious files. Backing up important files and making sure those files can’t be compromised during an attack in another key.

How long does it take to recover from a ransomware attack?

Simply put, ransomware can cripple a whole organization — an encrypted network is more or less useless and not much can be done until systems are restored.

If your organization is sensible and has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.

 

FedEx said that it may not be able to recover all the systems affected by the Petya cyberattack, meaning that while the company is back up and running, some machines won’t ever be able to be restored.

Outside of the immediate impact ransomware can have on a network, it can result in an ongoing financial hit.

How do I get rid of ransomware?

The ‘No More Ransom’ initiative — launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies including Kaspersky Lab and McAfee — offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists.

Initially launching as a portal offered portal offers decryption tools four for families of ransomware — Shade, Rannoh, Rakhn, and CoinVault — the scheme is regularly adding more decryption tools for even more versions of ransomware including Crypt XXX, MarsJoke, Teslacrypt, Wildfire and Nemucod.

The portal — which also contains information and advice on avoiding falling victim to ransomware in the first place — is updated as often as possible in an effort to ensure tools are available to fight the latest forms of ransomware.

No More Ransom has grown from offering a set of four tools to carrying 52 decryption tools covering hundreds of families of ransomware. So far, these tools have decrypted tens of thousands of devices, depriving criminals of millions in ransoms.

The platform is now available in over 29 languages with more than 100 partners across the public and private sectors supporting the scheme.

no-more-ransom.jpg
The No More Ransom portal offers free ransomware decryption tools. Image: Europol

Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware — many of these will post updates about these tools on their company blogs as soon as they’ve cracked the code.

 A decryption tool was recently released which may be able to help if your PC has been hit by one of the original versions of the Petya malware — the so-called Red Petya, Green Petya, and GoldenEye — and may enable you to recover the lost files (although it can’t help with PetrWrap or those hit by the Petya/NotPetya global attack). However, these tools don’t always work so it is always wise to make additional backups.

Another way of working around a ransomware infection is to ensure your organization regularly backs up data offline.

Should I pay a ransomware ransom?

There are those who say victims should just pay the ransom, citing it to be the quickest and easiest way to retrieve their encrypted data — and many organizations do pay even if law enforcement agencies warn against it.

WARNING: if word gets out that your organization is an easy target for cybercriminals because it paid a ransom, you could find yourself in the crosshairs of other cybercriminals who are looking to take advantage of your weak security.

 

Advertisements

New Ransomeware Thanatos On The Prowl

Snapshotbluecoat4_001

When the Thanatos Ransomware infects a computer it will use a new key for each encrypted file. The problem, according to researcher Francesco Muroni, is that these keys are never saved anywhere. This means that if a user pays the ransom, the ransomware developer does not have a method that will actually be able to decrypt each file. Therefore, it is not recommended that victims pay the Thanatos ransom for any reason.

While the encryption part of Thanatos is a mess, the ransomware  is the first to accept Bitcoin Cash as a ransom payment.

While Thanatos accepts both Bitcoin and Etherum as a ransom payment, this is the first time that Bitcoin Cash has been accepted as shown in the ransom note below.

Thanatos Ransom Note

Thanatos Ransom Note

How Thanatos Encrypts a File

When encrypting files it will append the .THANATOS extension to an encrypted file’s name. For example, a file named test.jpg would be encrypted and renamed as test.jpg.THANATOS.

Thanatos Encrypted Files
Thanatos Encrypted Files

After the encryption process is completed, it will then connect to iplogger.com/1t3i37 URL in order to keep track of the amount of victims that have been infected.

Finally, it will generate an autorun key called “Microsoft Update System Web-Helper” that opens the README.txt ransom note every time a user logs in. This ransom note can be seen in the article’s previous section.

This ransom note contains instructions to send a $200 USD ransom payment to one of the listed Bitcoin, Ethereum, or Bitcoin Cash addresses. The user is then instructed to contact thanatos1.1@yandex.com with their unique victim ID in order to receive a decryption program.

 If anyone is infected with this ransomware, they should contact us about the possible creation of a brute force program.

How to protect yourself from the Thanatos Ransomware

 First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.

UK Researcher Who Stopped WannaCry outbreak Arrested in U.S.

A security researcher Marcus Hutchins, 22, a British national, who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas. Hutchins was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends have confirmed.

A Justice Department spokesperson has confirmed on the phone that his arrest is in relation to his alleged role “in creating and distributing the Kronos banking Trojan.”

The indictment was dated July 11, about two weeks before he flew to the US to attend the annual security conference. The Justice Department has been after those involved with the notorious Kronos malware for more than two years.

Hutchins, also known as @MalwareTechBlog, stormed to fame after he found a kill switch in the malware, known as WannaCry, amid a global epidemic of ransomware. Hutchins registered a domain name that stemmed the infection.

He was hailed as a hero for stopping the attack, which gripped UK hospitals and other major industries around the world.

 

 

 

Reporting or Avoiding Malware/Ransomware

knickers3_001

What you should Do

  • Contain the attack: Disconnect infected devices from your network to keep ransomware from spreading.
  • Restore your computer: If you’ve backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
  • Contact law enforcement: Report ransomware attacks to the Internet Crime Complaint Center, FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937) or an FBI field office. Include any contact information (like the criminals’ email address) or payment information (like a Bitcoin wallet number). This may help with investigations.

Install Reputable Security Software: Your computer should have anti-virus and anti-spyware software, and a firewall. Viruses can be planted in emails or attachments to emails, in programs or files that you download, and even in Web sites that you visit. These viruses have the potential to wipe out your computer files.  Anti-virus software scans everything that enters your computer, looking for these viruses. Spyware is software that tracks your computer activity, gathering information without your knowledge. Anti-spyware software blocks or removes spyware. You may obtain the anti-virus and anti-spyware software separately or as a package. For lists of security tools from legitimate security vendors, visit staysafeonline.org.

Use a Firewall: A firewall is a virtual barrier between your computer and the Internet. Everything coming into or leaving your computer must go through the firewall, which blocks anything that doesn’t meet specific security criteria. Before purchasing separate firewall hardware or software, check your operating system to see if there is a built-in firewall and whether it is turned on.

Update Operating System and Software Frequently: Computer and software companies frequently update their programs to include protection against new security threats. Update your operating system and software whenever new versions become available gives you an added measure of security. If available, activate automatic security updates so you will be alerted when updates are issued.

Avoid “Free” Security Scans: Be suspicious of an offer of a “free security scan,” especially when faced with an unexpected pop-up, email, or an ad that claims “malicious software” has been found on your computer.

Create and Protect Strong Passwords: Create strong email passwords and protect them with the following tips:

  • The longer the password, the tougher it is to crack.  Use at least 10 characters.
  • Mix letters, numbers, and special characters.  Try to be random – don’t use your name, birthdate, or common words.
  • Don’t use the same password for different accounts.  If it’s stolen from you, it can be used to take over all your accounts.
  • Don’t share passwords on the phone, in texts or by email.  Legitimate companies will not send you messages asking for your password.
  • Keep your passwords in a secure place, out of plain sight.

Use a Pop-up Blocker: Don’t click on links or open attachments in emails unless you know what they are, even if the emails seem to be from friends or family.

Use the Spam Filter: Utilize your email program’s automatic spam filter, which reduces the number of unwelcome email messages that make it to your inbox. Delete, without opening, any spam or “junk mail” that gets through the filter.

Backup Important Data: Copy important files onto a removable disc or an external hard drive, and store it in a safe place. If your computer is compromised, you’ll still have access to your files.

 

 

Android Users ,There’s A New Malware On The Loose

afro_001

There’s a new type of malware on the loose—and over a million Android devices have already been infected. Although, most of the infected devices are in Asia, 19 percent of them are in America, and 13,000 more devices are hacked each day. It’s the largest breach of Google accounts ever, and it’s definitely cause for concern.

You can pick up the malware aka Gooligan, by downloading seemingly harmless apps from sources other than the Google Play store. Once downloaded, Gooligan gains access to all of your data, including Gmail, Google Docs, Google Drive, Google Play and more.

Even though Gooligan has access to a lot of your personal data, it doesn’t appear to use it. Instead, Gooligan downloads apps from Google Play in a scam designed to collect advertising revenue. These apps may provide Gooligan’s creators with cash for each download or show ads to generate income. Compromised Google accounts may also leave reviews on these fraudulent apps to make them appear more legitimate to other users.

Here’s an easy way to check if you’re infected. Security firm Check Point has created a tool that shows if your email address is among the compromised accounts. If your device is compromised, you’ll want to do a clean installation of Android on your device

How to keep your device secure

  • Install the latest version of Android, including the security patches. Your carrier should provide instructions when updates are available.
  • Don’t download apps from anywhere other than the Google Play store. Newer versions of Android will warn you if you try to download apps from elsewhere. Pay attention when it does!
  • Run a reputable anti-virus application. While anti-virus protection can sometimes be frustrating — anti-virus apps can accidentally identify non-malware as malware — it can help keep your phone secure. Try AVAST, AVG, Kaspersky, McAfee or Norton, all of which are free and known for their solid desktop anti-virus protection.

Watch Out For “Ransomware”

 

Snapshothat8new8_001

A new malware called Ransomware is part of a phishing campaign and sending thousands of ominous-looking emails that contain the recipient’s home address.The email demands money for an arbitrary service, along with a link that purports to be an “overdue invoice.

When you click that link and open the file (which looks like a Word document), and you’ll become the latest victim of Ransomware — that is, malware that encrypts your files and locks you out of your computer until you pay a ransom.The longer you wait, the larger the ransom you must pay.

More Reading here

 

Tag Cloud

%d bloggers like this: