Category Archives: RANSOMWARE

Huge Locky ransomware campaign sends 23M messages in 24 hours

Locky ransomware is making a comeback, with one of the largest attacks this year. Here’s how to protect your business.

www.scamsfakes.com


Earlier this week, a Locky ransomware campaign sent more than 23 million messages out across the US in one of the largest attacks in the second half of 2017, according to a post from AppRiver.

Ransomware dominated the cyberthreat landscape in 2016, increasing more than 600% over the year before, with Locky attacks leading the way. As noted by ZDNet, at the start of 2017 distribution of Locky sharply declined, with Cerber variants taking its place.

But Locky made a comeback in recent months, and this massive attack shows just how dangerous it can be. On Monday, just as many US workers were arriving to their offices, the malicious email campaign began inundating their inboxes. The malware traffic spike began that morning just after 7 a.m. CST, the post noted.

The emails in the attack were “extremely vague,” Troy Gill, manager of security research at AppRiver, wrote in the post. They included subject lines such as “please print,” “documents,” “photos,” “images,” “scans,” and “pictures.”


Each message included a ZIP attachment containing a Visual Basic Script (VBS) file nested inside a secondary ZIP file, the post says. When a user opens the attachment and runs the script, the VBS file acts as a downloader, reaching out to “greatesthits[dot]mygoldmusic[dotcom]” to pull the latest Locky ransomware.

After that, Locky begins encrypting files on the user’s machine, appending the [.]lukitus extension to each encrypted file.

Once the victim’s files have all been encrypted, the attackers change the desktop background to an image with instructions for decryption. They also place an HTM file named “Lukitus[dot]htm” on the desktop.
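The delivery chain above (ZIP inside ZIP, script inside that) is exactly what a mail gateway can refuse on sight. The following is an added example, not code from AppRiver or the original post: it walks an attachment's nested ZIP layers and flags script members, password-protected members it cannot inspect, malformed archives and excessive nesting. The attachments it checks are constructed in memory to mimic the campaign's packaging (the script body is an inert comment); the extension list and the depth and size limits are assumptions a gateway would tune.

```python
"""Walk an e-mail attachment's nested ZIP archives and flag script files.

Added example, not code from AppRiver or the original post. The attachments
built by build_nested_zip() are constructed in memory; the extension list and
the limits below are assumptions to tune per gateway."""
import io
import posixpath
import zipfile

# File types that have no business arriving inside an archive from an unknown
# sender. The Locky campaign used .vbs; the rest are its usual siblings.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk"}
MAX_DEPTH = 4                         # flag archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not inflate members larger than this
ZIP_MAGIC = b"PK\x03\x04"             # local-file-header signature of a ZIP


def _walk_zip(data, path, depth, findings):
    """Append (member path, reason) for each suspicious member; recurse into inner ZIPs."""
    if depth > MAX_DEPTH:
        findings.append((path, "nesting-too-deep"))
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((path, "bad-zip"))
        return
    with archive:
        for info in archive.infolist():
            member = f"{path}/{info.filename}"
            if posixpath.splitext(info.filename)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((member, "script-in-archive"))
            if info.flag_bits & 0x1:
                # Password-protected: the gateway cannot look inside, so flag it.
                findings.append((member, "encrypted-member"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "oversized-member"))
                continue
            payload = archive.read(info)
            if payload.startswith(ZIP_MAGIC):
                _walk_zip(payload, member, depth + 1, findings)


def inspect_attachment(name, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    _walk_zip(data, name, 0, findings)
    return findings


def build_nested_zip(levels, innermost_name, innermost_bytes):
    """Constructed sample: wrap innermost_bytes in `levels` ZIP layers."""
    data, name = innermost_bytes, innermost_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


if __name__ == "__main__":
    samples = {
        # ZIP -> ZIP -> VBS, the shape AppRiver described (script body is an inert comment)
        "scans.zip": build_nested_zip(2, "scan_0001.vbs", b"' inert placeholder\r\n"),
        "invoice.zip": build_nested_zip(1, "invoice.pdf", b"%PDF-1.4 placeholder"),
        "deep.zip": build_nested_zip(6, "payload.txt", b"hello"),
    }
    for name, blob in samples.items():
        hits = inspect_attachment(name, blob)
        print(f"{name}: {'QUARANTINE' if hits else 'allow'} {hits}")
```

The depth and size caps matter as much as the extension list: an inspector that inflates every layer unconditionally is itself a denial-of-service target, and an archive it cannot open is a reason to quarantine, not to pass.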

The victim is then instructed to install the Tor browser and given a dark web address at which to pay 0.5 bitcoin (about $2,150 at the time). Once the payment is made, the attackers promise to redirect the victim to the decryption service.

This attack is still occurring, the post noted. On Monday, AppRiver had quarantined more than 5.6 million messages in the campaign. And there currently are no publicly shared methods to reverse this Locky strain, Gill wrote.

AppRiver recommends the following tips to protect your computer from ransomware attacks:

1. Run regular software and hardware updates. These updates often contain security patches for the holes that ransomware and other malware variants exploit. Automatic updates are the best option; if they are not possible, set up alerts for new updates, and cap the number of times users can “snooze” an alert.

2. Have layered, redundant security in place. Ransomware is often delivered via an email attachment or malvertisement on the web. By having email and web protection, you can prevent ransomware from ever entering your network.

3. Back up your files. A secure backup allows you to rid your network of malware and then restore your files, so you don’t have to pay a criminal and hope they keep their word and decrypt your data.



Henry Sapiecha

The top 10 extremely destructive ransomware attacks of 2017, to date

Ransomware variants NotPetya, WannaCry, and Locky are among those that wreaked havoc for businesses worldwide this year.




Ransomware continues to dominate the cybersecurity landscape in 2017, with businesses large and small paying millions of dollars to unlock encrypted files. These attacks appeared in 64% of all malicious emails sent in Q3, and with major successful campaigns such as NotPetya and WannaCry, show no signs of slowing down, according to a new report from security firm Webroot, released Tuesday.

“This past year was unlike anything we’ve ever seen,” David Dufour, vice president of engineering and cybersecurity at Webroot, said in a press release. “Attacks such as NotPetya and WannaCry were hijacking computers worldwide and spreading new infections through tried-and-true methods. This list is further evidence that cybercriminals will continue to exploit the same vulnerabilities in increasingly malicious ways. Although headlines have helped educate users on the devastating effects of ransomware, businesses and consumers need to follow basic cybersecurity standards to protect themselves.”

Here are the top 10 worst ransomware attacks of 2017 so far, according to Webroot:

1. NotPetya

NotPetya spread through a trojanized update of Ukrainian tax-accounting software, and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. It is a variant of Petya that also uses the EternalBlue exploit behind WannaCry. It hit a number of firms in the US and caused major financial damage: for example, the attack cost pharmaceutical giant Merck more than $300 million in Q3 alone, and is on track to hit that amount again in Q4.


2. WannaCry

WannaCry (also known as WannaCrypt) has been one of the most devastating ransomware attacks in history, affecting several hundred thousand machines and crippling banks, law enforcement agencies, and other infrastructure. It was the first strain of ransomware to use EternalBlue, which exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol.

3. Locky

Locky is currently the top payload in terms of ransomware and across all malware families, according to a report from security firm Proofpoint. While Locky was 2016’s most popular ransomware strain, new variants called Diablo and Lukitus also surfaced this year, using the same phishing email attack vector to initiate their exploits.

4. CrySis

CrySis—typically spread by hacking into Remote Desktop Services and manually installing the ransomware—started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware, Webroot noted, because cybercriminals can compromise administrators and machines that control entire organizations. In May, some 200 master keys were released allowing victims to decrypt and unlock their systems, ZDNet reported.
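CrySis-style intrusions leave a recognisable trace before any file is encrypted: a burst of failed RDP logons from one source, then one that succeeds. The block below is an added example, not Webroot's code, of that detection over Windows Security events. The events are constructed and carry only the fields the logic needs (real 4624/4625 records have many more); the threshold and window are assumptions to tune per environment.

```python
"""Flag RDP password guessing that ends in a successful logon, from Windows
Security events. Added example, not Webroot's; sample_events() is a
constructed log, and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 10            # this many failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... within this window trips the alert


def detect_rdp_bruteforce(events):
    """Return {source_ip: verdict} for sources that crossed the threshold.

    Verdict is "bruteforce" while only failures (4625) are seen and becomes
    "bruteforce-then-success" once a 4624 RDP logon arrives from the same IP."""
    rdp_events = sorted(
        (e for e in events if e["LogonType"] == RDP_LOGON_TYPE),
        key=lambda e: e["Time"],
    )
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside the window
    verdicts = {}
    for e in rdp_events:
        ip, t = e["IpAddress"], datetime.fromisoformat(e["Time"])
        if e["EventID"] == 4625:
            keep = [x for x in recent_failures[ip] if t - x <= WINDOW]
            keep.append(t)
            recent_failures[ip] = keep
            if len(keep) >= FAIL_THRESHOLD:
                verdicts.setdefault(ip, "bruteforce")
        elif e["EventID"] == 4624 and verdicts.get(ip) == "bruteforce":
            verdicts[ip] = "bruteforce-then-success"
    return verdicts


def sample_events():
    """Constructed log: 12 rapid RDP failures then a success from one IP,
    a few slow failures from another, and an unrelated console logon."""
    base = datetime(2017, 11, 6, 3, 12, 0)
    guessed = ["administrator", "admin", "backup", "scan", "sqladmin", "test"]

    def event(offset, event_id, logon_type, ip, user):
        return {"Time": (base + offset).isoformat(), "EventID": event_id,
                "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}

    events = [event(timedelta(seconds=9 * i), 4625, 10, "203.0.113.45", guessed[i % 6])
              for i in range(12)]
    events.append(event(timedelta(seconds=130), 4624, 10, "203.0.113.45", "backup"))
    events += [event(timedelta(minutes=20 * i), 4625, 10, "198.51.100.7", "jsmith")
               for i in range(3)]
    events.append(event(timedelta(hours=5), 4624, 2, "127.0.0.1", "jsmith"))
    return events


if __name__ == "__main__":
    for ip, verdict in detect_rdp_bruteforce(sample_events()).items():
        print(f"{ip}: {verdict}")
```

The "bruteforce-then-success" verdict is the one to page on: at that point the attacker has a working credential, and the ransomware install Webroot describes is typically minutes away. Filtering on logon type 10 keeps the noisy network (type 3) and interactive (type 2) logons out of the count.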

5. Nemucod

The Nemucod ransomware family has been active since at least 2015, and arrives in the form of a phishing email that appears to be a shipping invoice. Then, it downloads malware and encryption components stored on compromised websites.


6. Jaff

Jaff arose in May 2017, and heavily mimics tactics used by Locky. It uses the Necurs botnet to send millions of spam emails to targets globally over just a few hours, and demands victims pay 1.79 Bitcoins—currently more than $6,000.

7. Spora

Spora ransomware is distributed when cybercriminals hack legitimate websites and add JavaScript code, making a pop-up alert appear that prompts users to update their Chrome browsers. Upon infection, the ransomware can steal credentials from victims, making money from both extorting ransoms and potentially selling the stolen information, as ZDNet noted.

8. Cerber

Cerber is sold as ransomware-as-a-service, allowing non-technical cybercriminals to extort payments from victims, with the developers of the malware taking a cut of the proceeds.

9. Cryptomix

Cryptomix is one of the few types of ransomware that does not have a type of payment portal available on the dark web, the report noted. Instead, victims must wait for the cybercriminals who locked their machine to email them instructions for payment in Bitcoin.

10. Jigsaw

Jigsaw, first seen in 2016, embeds an image of the clown from the Saw movies into a spam email. When the user clicks it, the ransomware encrypts their files, but also deletes files if the user takes too long to make the ransom payment of $150, according to Webroot.


WannaCry researcher pleads not guilty in court to creating banking malware

The security researcher rose to fame earlier this year for curbing the spread of the WannaCry ransomware.

A security researcher who helped curb a global outbreak of the WannaCry ransomware earlier this year has told a court he is not guilty of charges that he created a notorious banking malware.

Marcus Hutchins, 22, entered the plea during a hearing at a Las Vegas court after he was arrested and detained earlier this week.

The news was confirmed by his attorney Adrian Lobo, speaking on Facebook Live to local reporter Christy Wilcox, at the court house.

Hutchins was granted bail on a bond of $30,000 during a hearing at a Las Vegas court.

But he will “not be released today lawyers says could not get bail in time,” according to Wilcox in a tweet.

He will not be allowed access to devices with an internet connection, said Wilcox, and he will be tagged to be monitored at all times.

Hutchins, also known as @MalwareTechBlog, stormed to fame earlier this year after he found a kill switch in the malware, known as WannaCry, amid a global epidemic of ransomware in May.

By registering a domain found in the code, he stopped the spread of the malware.

The Justice Department announced Thursday that it was charging Hutchins with malicious activity, unrelated to the WannaCry cyberattack.

The security researcher, a British native, was arrested shortly before boarding a flight home. He had been attending the Def Con security conference late last month. He was briefly detained in a federal detention facility in Nevada, then later questioned by the FBI at its field office in Las Vegas.

Hutchins was later indicted, along with an unnamed defendant, on six charges relating to allegations that he created the Kronos malware, a trojan that can steal banking usernames and passwords from victims’ computers.

He was also charged with five other counts, including wiretapping — thought to relate to the interception of passwords — and violating the controversial Computer Fraud and Abuse Act, which serves as the basis of US hacking law.

Hutchins will appear at a court in Wisconsin, where the case was filed, on August 8.

Developing… more soon. www.crimefiles.net


WannaCry Ransomware said to be hitting speed cameras in Victoria

Radio 3AW has reported that 55 speed and intersection cameras have been hit with WannaCry ransomware.


The WannaCry ransomware that claimed hundreds of thousands of victims across 150 countries has hit speed and intersection cameras in Victoria, Radio 3AW has reported.

According to the radio station, 55 cameras in the state belonging to vehicle monitoring and enforcement service Redflex were infected with the ransomware after a rogue USB drive was inserted by someone performing maintenance on the now-infected cameras.

It is understood that the infection came as a result of “human error” rather than a targeted attack aimed at holding the Australian state to ransom.

The cameras are not connected to the internet, however, which means the ransomware has not spread to the rest of the camera fleet, 3AW told its listeners on Thursday.

Redflex Traffic Systems — which has its Australian head office located in Melbourne — said it has a patch to fix the infected devices, according to the report.

“The department is in the process of removing the virus from the affected cameras. The remaining sites will be rectified in the next couple of days,” a Justice and Regulation spokesperson is quoted as telling 3AW.

“The software virus has not impacted the accuracy of the camera system. All infringements during this period have been captured correctly, and no infringements have been affected by the virus.”

WannaCry has, however, caused the cameras to intermittently reboot.

While WannaCry hit over 300,000 organisations around the world, only a tiny percentage of victims have given in to the demands of hackers.

According to a bot watching the Bitcoin wallets tied to the ransomware attack, just 335 payments had been made as of June 20, 2017, netting the perpetrators 51.9 bitcoins — a figure worth approximately $140,326.

It is unknown how long the cameras have been infected and how long Redflex has known about the issue.

Note: Around 600 speeding infringements have been withdrawn by the department as a result.


WannaCrypt: Cyber attack rolls into Asia but global spread slows

London/Washington: The global WannaCrypt “ransomware” cyber attack spread more slowly on Monday with no major infections reported, as attention shifted to investment and government policy implications of lax cyber security.

There were 213,000 infected machines in 112 countries as of 1000 GMT (8pm AEST) on Monday, according to Czech security firm Avast, making it one of the largest coordinated attacks to hit computers across the world.

The countries most affected by WannaCrypt or WannaCry were the same as Friday: Russia, Taiwan, Ukraine and India, Avast’s data showed.

The number of infections has fallen dramatically since Friday’s peak when more than 9,000 computers were being hit per hour. By afternoon on the US East Coast, new infections had fallen to the low hundreds of machines and continue to decline, Avast said.

Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.

Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

Tom Bossert, US President Donald Trump’s homeland security adviser, said people “should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat,” speaking on Good Morning America.

The perpetrators of the attack are still not known. Mr Bossert said that while US officials had not ruled out the possibility that it was a “state action,” he said it appeared to be criminal, given the ransom requests.

Some victims were ignoring official advice and paying the $US300 ($405) ransom demanded by the cyber criminals to unlock their computers, which was due to double to $US600 ($809) on Monday for computers hit by Friday’s first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $US600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $US55,169 (around $74,000), from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him “the customer service provided by the criminals is second-to-none,” with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan said output had returned to normal at nearly all its plants. PSA Group, Fiat Chrysler, Volkswagen, Daimler, Toyota and Honda said their plants were unaffected.

Shares in firms that provide cyber security services jumped on the prospect of companies and governments spending more money on defenses, led by Israel’s Cyren Ltd and US firm FireEye Inc.

Cisco Systems rose 2.8 per cent, making it the leading gainer in the Dow Jones Industrial Average, which was up more than 100 points in afternoon trading, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 per cent to 20 per cent of the most affected countries, according to the researcher who stumbled on the “kill switch”.

The virus hit computers running older versions of Microsoft Corp software that had not been recently updated. Microsoft released patches in March and again on Friday to fix the vulnerability that allowed the worm to spread across networks. The company’s shares were down about 1 per cent on Monday, in a slightly higher broad market.

Infected computers appear to be largely out-of-date devices. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

The US Senate Intelligence Committee is monitoring the attack and expects to receive a briefing in the coming days from the Trump administration, a panel aide said.

Attack used NSA-devised tool

In a blog post on Sunday, Microsoft President Brad Smith confirmed what researchers had already widely concluded: the attack made use of a hacking tool built by the US National Security Agency that had leaked online in April.

He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

Russian President Vladimir Putin, noting the technology’s link to the US spy service, said it should be “discussed immediately on a serious political level.”

“Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” he said.

In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.

“The government’s response has been chaotic,” the British Labour Party’s health spokesman Jon Ashworth said. “If you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s NHS is the world’s fifth-largest employer after the US and Chinese militaries, Wal-Mart Stores and McDonald’s. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear (that) warnings were given to hospital trusts.”

British health minister Jeremy Hunt said on Monday it was “encouraging” that a predicted second spike of attacks had not occurred, but the ransomware was a warning to public and private organisations.

Impact in Asia

China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world’s second-largest economy would cope. However, officials and security firms said the spread was starting to slow.

“The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days,” said Chinese Internet security company Qihoo 360.

A patient waits at Dharmais Cancer Hospital in Jakarta as the hospital’s information system is disrupted by the cyberattack. Photo: AP

An official from the Cyberspace Administration of China (CAC) told local media on Monday the ransomware had affected industry and government computer systems but the spread was slowing.

Energy giant PetroChina said payment systems at some petrol stations were hit although it had restored most of the systems.

Elsewhere in Asia, conglomerate Hitachi Ltd said the attack had affected its systems over the weekend, leaving them unable to receive and send emails or open attachments in some cases.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, attacks affected scores of computers. By late morning, some people were still manually filling out forms, but 70 per cent of systems were online.

India’s government said it received only a few reports of attacks and urged those hit not to pay any ransom. No major Indian corporations reported disrupted operations.

Reuters


Hackers reportedly hold Disney film for ransom

Even as many businesses are worried about hackers taking control of their computers as part of the worldwide WannaCry ransomware crisis, Disney may be facing a slightly different ransom situation of its own.

Hackers have obtained a copy of an upcoming Disney film and are threatening to release more and more snippets of it unless the company pays a “huge sum” of bitcoins, according to the Hollywood Reporter.

Citing remarks that chief executive Bob Iger made to employees Monday, THR reports that the film could be the latest entry in the Pirates of the Caribbean franchise, or perhaps Cars 3. The company is reportedly refusing to pay.

A spokesman for Disney didn’t immediately respond to a request for comment. But the report marks the latest attempt by hackers to wring Hollywood for cash. It comes two weeks after Netflix confirmed that hackers were responsible for leaking new episodes of its hit series, Orange Is the New Black.

It is unclear how much the hackers demanded of Netflix, but the company refused to pay.

The Washington Post


Global cyber-attack: Security blogger halts ransomware ‘by accident’


A UK security researcher has told the BBC how he “accidentally” halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK’s NHS.

The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.

He managed to bring the spread to a halt when he found what appeared to be a “kill switch” in the rogue software’s code.

“It was actually partly accidental,” he told the BBC, after spending the night investigating. “I have not slept a wink.”

Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an “accidental hero”.

“I would say that’s correct,” he told the BBC.


“The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation.”

What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.

But the web address it was trying to contact – a long jumble of letters – had not been registered.

MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.

By doing so, he unexpectedly triggered part of the ransomware’s code that told it to stop spreading.
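The mechanism just described is simple enough to model exactly, and the model also shows its limits. The block below is an added example, not the malware's code: the real sample made one plain HTTP request to a hard-coded domain and exited if the request succeeded, before encrypting or scanning. The domain name here is a placeholder (the real one is not given on this page), the `Network` class stands in for DNS and HTTP, and the flat set of hosts is constructed. The third scenario goes beyond the article: because the sample made a direct connection with no proxy support, a host whose only web egress is through a proxy never sees the request succeed, so the sinkhole does not protect it.

```python
"""Model of the WannaCry kill switch and of why registering the domain stopped
the spread. Added example, not the malware's code; KILL_SWITCH_DOMAIN is a
placeholder and Network stands in for DNS/HTTP."""

KILL_SWITCH_DOMAIN = "unregistered-jumble.example"   # placeholder, not the real domain


class Network:
    """Which names resolve to a live web server, and whether a host can make
    direct (non-proxied) outbound connections."""

    def __init__(self, registered_domains, direct_egress=True):
        self.registered = set(registered_domains)
        self.direct_egress = direct_egress

    def http_get_succeeds(self, host):
        # The malware used no proxy settings, so on a proxy-only network the
        # request fails even when the domain has been registered.
        return self.direct_egress and host in self.registered


def worm_would_run(network):
    """The kill-switch decision: if the request succeeds, exit before doing anything."""
    return not network.http_get_succeeds(KILL_SWITCH_DOMAIN)


def outbreak(hosts, patient_zero, registered_domains, proxy_only_hosts=frozenset()):
    """Toy propagation over hosts that are all reachable and unpatched.

    Returns the hosts on which the payload actually ran (encrypting files and
    scanning for more victims). A host where the kill switch fires receives the
    dropper, but it exits immediately, so it neither encrypts nor spreads."""
    reached = {patient_zero}
    ran = set()
    queue = [patient_zero]
    while queue:
        host = queue.pop()
        net = Network(registered_domains, direct_egress=host not in proxy_only_hosts)
        if not worm_would_run(net):
            continue
        ran.add(host)
        for target in hosts:
            if target not in reached:
                reached.add(target)
                queue.append(target)
    return ran


HOSTS = {"ws01", "ws02", "ws03", "srv01"}   # constructed network

if __name__ == "__main__":
    print("domain unregistered:", sorted(outbreak(HOSTS, "ws01", set())))
    print("domain sinkholed:   ", sorted(outbreak(HOSTS, "ws01", {KILL_SWITCH_DOMAIN})))
    print("sinkholed, proxy-only hosts:",
          sorted(outbreak(HOSTS, "ws02", {KILL_SWITCH_DOMAIN}, proxy_only_hosts={"ws02", "srv01"})))
```

Two things follow from the model. Registering the domain stops fresh executions, but machines encrypted before that point stay encrypted, which is what the article means by the discovery not repairing the damage. And a variant with the check removed (`worm_would_run` always true) is unaffected by any sinkhole, which is why the researchers quoted later expect copycats.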


This type of code is known as a “kill switch”, which some attackers use to halt the spread of their software if things get out of hand.

He tested his discovery and was delighted when he managed to trigger the ransomware on demand.

“Now you probably can’t picture a grown man jumping around with the excitement of having just been ‘ransomwared’, but this was me,” he said in a blog post.

MalwareTech now thinks the code was originally designed to thwart researchers trying to investigate the ransomware, but it backfired by letting them remotely disable it.

Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected.

Security experts have also warned that new variants of the malware that ignore the “kill switch” will appear.

“This variant shouldn’t be spreading any further, however there’ll almost certainly be copycats,” said security researcher Troy Hunt in a blog post.

MalwareTech warned: “We have stopped this one, but there will be another one coming and it will not be stoppable by us.

“There’s a lot of money in this, there is no reason for them to stop. It’s not much effort for them to change the code and start over.”


Massive international cyber attack hits computers across Europe, Asia and Russia

London: A huge cyber attack struck computers across Europe and Asia on Friday, crippling health services and closing emergency rooms in Britain.

The attack involved ransomware, a kind of malware that encrypts data and locks out the user. According to security experts, it exploited a Windows vulnerability that the National Security Agency (NSA) in the US had discovered and built an exploit for.

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen NSA hacking tools online since last year. Microsoft rolled out a patch for the vulnerability in March, but hackers took advantage of the fact that vulnerable targets – particularly hospitals – had yet to update their systems.

The malware was reported to have been circulated by email: targets were sent an encrypted, compressed file that, once opened, installed the ransomware, which then spread to other unpatched machines on the network through the SMB flaw.

Employees of Britain’s National Health Service (NHS) were warned about the ransomware threat early on Friday, but by then it was too late.

As the disruptions rippled through hospitals, doctors’ offices and ambulance services across Britain, the NHS declared the attack a “major incident” and patients were asked to only seek assistance for serious medical emergencies.

Hospitals and telecommunications companies across Europe, Russia and Asia were affected, according to MalwareHunterTeam, a security research group that tracks ransomware attacks.

Spain’s Telefonica and Russia’s MegaFon were among the telecommunications targets.

Attacks were being reported in Britain and 11 other countries, including Turkey, Vietnam, the Philippines and Japan, with the majority of affected computers in Russia. The computers all appeared to be hit with the same ransomware, with similar ransom messages demanding about $US300 to unlock their data.

The attack on the NHS seemed perhaps the most audacious of the attacks, because it had life-or-death implications for hospitals and ambulance services.

Tom Donnelly, a spokesman for NHS Digital, the arm of the health service that handles cybersecurity, said in a phone interview that 16 organisations, including “hospitals and other kinds of clinician services,” had been hit. Officials later updated that number to at least 25.

Hospitals and doctors’ surgeries were forced to turn away patients and cancel appointments as the attack crippled computer systems.

The Spanish government said a large number of companies, including telecommunications giant Telefonica, had been infected. Portugal Telecom was also hit but no services were impacted, a spokeswoman for the company said.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from the National Cryptology Centre of “a massive ransomware attack.” It said hackers used a version of a virus known as WannaCry that targets Microsoft Corp’s widely used Windows operating system.

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

Reuters


Ransomware: An executive guide to one of the biggest menaces on the web

Everything you need to know about ransomware: how it started, why it’s booming, how to protect against it, and what to do if your PC’s infected

The AIDS demand for payment – by post.


What is a ransomware attack?

Ransomware is one of the biggest problems on the web right now. It’s a form of malware which encrypts documents on a PC or even across a network. Victims can often only regain access to their files and PCs by paying a ransom to the criminals behind it. A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes.

Cybercriminals didn’t use to be so obvious. If hackers infiltrated your corporate network, they would do everything possible to avoid detection. It was in their best interests not to alert a victim that they’d fallen victim to cybercrime.

But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they’re holding your corporate data hostage until you pay a ransom in order to get it back. It might sound too simple, but it’s working: cybercriminals pocketed over $1bn from ransomware attacks during 2016 alone.

What is the history of ransomware?

While ransomware exploded last year, increasing by an estimated 748 percent, it’s not a new phenomenon; the first instance of what we now know as ransomware appeared in 1989.

Known as AIDS or the PC Cyborg Trojan, the malware was sent to victims — mostly in the healthcare industry — on a floppy disk. It counted the number of times the PC was booted: once it hit 90, it hid directories and scrambled the names of files on the hard drive, then demanded the user ‘renew their license’ with ‘PC Cyborg Corporation’ by sending $189 or $378 to a post office box in Panama.

How did ransomware evolve?

This early ransomware was a relatively simple construct, using basic cryptography which mostly just changed the names of files, making it relatively easy to overcome.
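The reason a fixed substitution of file names is "relatively easy to overcome" is a known-plaintext attack: every file whose real name the victim already knows (the system files present on any DOS machine) reveals part of the table, and a few such names recover most of it. The block below is an added example, not the trojan's code; its substitution table is a toy stand-in, not the real one, and the scrambled directory is constructed.

```python
"""Why the AIDS trojan's file-name scrambling was easy to undo: a fixed
substitution leaks itself through every file whose real name is known.
Added example; the table is a toy stand-in, not the trojan's real one."""
import random
import string

ALPHABET = string.ascii_uppercase + string.digits + "._"


def make_toy_table(seed=7):
    """A fixed permutation of ALPHABET, standing in for the malware's built-in key."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def scramble(name, table):
    """What the malware did to each file name (characters outside ALPHABET pass through)."""
    return "".join(table.get(ch, ch) for ch in name.upper())


def recover_inverse(known_pairs):
    """Known-plaintext attack: each (original, scrambled) pair reveals table entries.

    Returns a scrambled-char -> original-char map. Raises ValueError if two
    pairs disagree, i.e. a guess about which file is which was wrong."""
    inverse = {}
    for original, scrambled in known_pairs:
        if len(original) != len(scrambled):
            raise ValueError("substitution preserves length; pair does not match")
        for p, c in zip(original.upper(), scrambled):
            if inverse.get(c, p) != p:
                raise ValueError(f"conflicting plaintexts for scrambled character {c!r}")
            inverse[c] = p
    return inverse


def unscramble(name, inverse):
    """Decode a scrambled name; characters not yet recovered show as '?'."""
    return "".join(inverse.get(ch, "?") for ch in name)


if __name__ == "__main__":
    table = make_toy_table()
    # Constructed infected directory: these three exist on practically every
    # DOS machine, so their scrambled forms are known plaintext.
    known = ["COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS"]
    inverse = recover_inverse([(n, scramble(n, table)) for n in known])
    for original in ("BUDGET.DOC", "REPORT.DOC"):
        hidden = scramble(original, table)
        print(hidden, "->", unscramble(hidden, inverse))
```

Three known names recover 17 of the 38 table entries, enough to read BUDGET.DOC in full; REPORT.DOC still shows two gaps because R and P never appear in the known names, and each further recognisable file closes more of them. Contrast this with the per-victim, properly generated keys of the later families described below, where no amount of known plaintext helps.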

But it set off a new branch of computer crime, which slowly but surely grew in reach — and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.

One of the most successful variants was ‘Police ransomware’, which tried to extort victims by claiming to be law enforcement and locking the screen with a message warning the user they’d committed illegal online activity, which could get them sent to jail.

However, if the victim paid a fine, the ‘police’ would let the infringement slide and restore access to the computer. Of course, this wasn’t anything to do with law enforcement — this was criminals exploiting innocent people.

An example of ‘Police ransomware’ threatening a UK user. Image: Sophos

While somewhat successful, these forms of ransomware often simply overlaid their ‘warning’ message on the user’s display — and rebooting the machine could get rid of the problem.

Criminals learned from this, and the majority of ransomware schemes now use strong cryptography to encrypt the victim’s files, so that without the attacker’s key the data really is out of reach.

What are the main types of ransomware?

Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.

Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave into the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.

Locky remained successful because those behind it regularly update the code with changes that allow it to avoid detection. They also add new functions, including the ability to make ransom demands in 30 languages, helping criminals target victims around the world. Locky became so successful that it rose to become one of the most prevalent forms of malware in its own right.

Cryptowall is another form of ransomware which has found great success over a prolonged period. Starting life as a doppelganger of Cryptolocker, it has gone on to become one of the most successful types of ransomware.

Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.

While some ransomware developers — like those behind Locky or Cryptowall — closely guard their product, keeping it solely for their own use, others happily distribute ransomware to any wannabe hacker keen to cash in on cyber extortion – and it’s proved to be a very successful method for wide distribution.

One of the most common forms of ransomware distributed in this way is Cerber, which has been known to infect hundreds of thousands of users in just a single month. The original creators of Cerber are selling it on the dark web, allowing other criminals to use the code in return for receiving 40 percent of each ransom paid.

Cerber became so successful that it surpassed Locky – which appeared to mysteriously disappear over Christmas, although it re-emerged in April with new attack techniques – to become the dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.

In exchange for giving up some of the profits for using Cerber, wannabe cyber fraudsters are provided with everything they need in order to successfully make money through extortion of victims.

Indeed, now some criminal groups offer this type of ransomware-as-a-service scheme to potential users at no cost at the point of entry. Instead of charging a fee for the ransomware code, they want a 50 percent cut.

How much will a ransomware attack cost you?

Obviously, the most immediate cost associated with becoming infected with ransomware — if paid — is the ransom demand, which can depend on the type of ransomware or the size of your organisation.

Recent research revealed that a quarter of companies which paid a ransom paid over £5,000 to retrieve their data, while a further quarter paid hackers between £3,000 and £5,000.

The most common ransom paid amongst small and medium-sized businesses was between £500 and £1,500, proving that there’s still easy money to be made from targeting organisations of this size.

There are also examples of high-profile targets paying five-figure fees in order to regain access to their networks, especially in cases where criminals threaten to delete data if they’re not paid.

Ultimately, whatever the size of the company, time is money and the longer your network is down, the more it’s going to cost your business.

Even if you regain access to your networks by paying a ransom, there will be additional costs on top of that. In order to avoid future attacks — especially if you’ve been marked as an easy target — be prepared to invest in additional cybersecurity software and to pay for additional staff training.

There’s also the risk of customers losing trust in your business because of poor cybersecurity and taking their custom elsewhere.

Why should businesses worry about ransomware?

To put it simply: ransomware could ruin your business. Being locked out of your own network for even just a day will impact on your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems go offline for so long not just because ransomware locks the system, but because of all the effort required to clean up and restore the networks.

And it isn’t just the immediate financial hit of ransomware which will damage a business; consumers become wary of giving their custom to organisations they believe to be insecure.

How does ransomware infect your PC?

It’s the modern enterprise’s reliance on the internet which is enabling ransomware to boom. Every day, employees receive hundreds of emails, and many roles require them to download and open attachments, so it’s something which is often done on autopilot. Taking advantage of employees’ willingness to open attachments from unknown senders is allowing cybercriminals to run successful ransomware campaigns.

Like other forms of malware, ransomware is sent out en masse by botnets, which can push out millions of malicious phishing emails in a single day. Criminals use a variety of lures to encourage targets to open a ransomware email, ranging from offers of financial bonuses to fake online purchase receipts and job applications from prospective employees.

A spam email claiming the target has purchased a flight – complete with fake invoice containing the ransomware.

Image: Symantec

While some messages give away clues to their malicious nature with poorly-worded messages or strange return addresses, others are specially tailored to look as convincing as possible, and appear no different from any other message the victim might be sent.

Once the malicious attachment has been opened, the user is encouraged to enable macros in order to view and edit the document. It’s when this is enabled that the macro code runs: typically it is a small downloader that fetches and launches the ransomware, which can encrypt files in seconds, leaving the victim with a ransom note demanding a payment ranging from a few hundred dollars to tens of thousands of dollars in order to get them back.
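The delivery tricks described above can be caught before a user ever sees the "enable macros" prompt. The following Python script is an added example, not code from the original article: it triages an attachment by checking whether an Office document carries a VBA project, and unpacks ZIP archives (including a ZIP nested inside another ZIP) looking for script files. The extension lists, the nesting limit and the sample attachments are assumptions; the samples are built in memory and contain no real payload.

```python
"""Triage inbound attachments for the delivery tricks this section describes:
Office documents carrying VBA macros, plus archives that hide script files,
including a script nested inside a second archive. Added example, not code
from the original article; the sample attachments are constructed in memory
and contain no real malware."""
import io
import os
import zipfile

# Attachments that are scripts or executables rather than documents (assumption: tune per site).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".cmd", ".bat", ".exe", ".scr"}
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx"}
MAX_DEPTH = 3  # refuse to unpack archives nested deeper than this (recursion / zip-bomb guard)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) container signature


def has_vba_project(data: bytes) -> bool:
    """OOXML files are ZIPs; a macro-enabled one carries a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment, recursing into archives."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script/executable attachment: {filename}")
    if ext in OFFICE_EXTENSIONS:
        if has_vba_project(data):
            findings.append(f"Office document with VBA macros: {filename}")
        elif data.startswith(OLE_MAGIC):
            # Legacy OLE documents need an OLE parser to inspect; route them to a sandbox instead.
            findings.append(f"legacy binary Office document, macros not inspected here: {filename}")
        return findings
    if ext == ".zip" or data.startswith(b"PK"):
        if depth >= MAX_DEPTH:
            findings.append(f"archive nested deeper than {MAX_DEPTH}: {filename}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        findings.extend(triage(f"{filename}/{info.filename}", zf.read(info), depth + 1))
        except (zipfile.BadZipFile, RuntimeError):
            # RuntimeError covers password-protected entries, another common trick to defeat scanners.
            findings.append(f"unreadable or password-protected archive: {filename}")
    return findings


def make_zip(entries: dict) -> bytes:
    """Build a ZIP in memory from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-enabled document, a clean document, and the
# "ZIP inside a ZIP holding a .vbs downloader" pattern. No real payloads.
SAMPLES = {
    "invoice.docm": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>",
                              "word/vbaProject.bin": b"\x00"}),
    "report.docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}),
    "scans.zip": make_zip({"scans.zip": make_zip({"scan_0417.vbs": "' downloader stub"})}),
}


def triage_samples() -> dict:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(name, "->", findings or ["clean"])
```

The check is deliberately cheap: it does not parse the macro source, only notices that a macro project is present, which is enough to quarantine the message for manual or sandbox review. Legacy binary `.doc`/`.xls` files are flagged rather than inspected because their macros live in an OLE container that needs a dedicated parser.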

Which organisations are targets for ransomware?

Any business can find itself a victim of ransomware, but perhaps the most high-profile incident occurred when the Hollywood Presbyterian Medical Center in Los Angeles became infected with Locky ransomware. The infection left doctors and nurses unable to access patient files for days, until the hospital opted to give into the ransom demands of hackers in order to restore services.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Allen Stefanek, CEO of the hospital, said at the time.

Locky is one of the most successful forms of ransomware.

Image: F-Secure

Hospitals and other healthcare organisations are popular targets for ransomware attacks, because they are often willing to pay. Losing access to data is a life-or-death matter for them — and hospitals don’t want to be held responsible for letting people die due to poor cybersecurity. However, there are even cybercriminals who think attacking hospitals is too despicable an activity.

But there are plenty of other sectors criminals will happily target, including educational institutions, such as the University of Calgary, which paid a ransom of $20,000 to hackers. Any large business is at threat and there’s even the prospect of ransomware infecting industrial systems.

Why are small businesses targets for ransomware?

Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organisations. Despite that, many SMEs falsely believe they’re too small to be targeted — but even a ‘smaller’ ransom of a few hundred dollars is still highly profitable for cybercriminals.

Why is ransomware so successful?

You could say there’s one key reason why ransomware has boomed: because it works. Organisations can have the best antivirus software in the world, but all it takes for ransomware to infect the network is for one user to slip up and launch a malicious attachment.

If organisations weren’t giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data in order to function so many are willing to pay a ransom and get it over and done with.

Meanwhile, for criminals it’s a very easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?

There are even ransomware-as-a-service schemes available on the dark web which allow the most technically inept wannabe cybercriminals to start sending out ransomware — in exchange for a percentage of their ill-gotten gains going directly into the pockets of the creators.

What does Bitcoin have to do with the rise of ransomware?

The rise of cryptocurrencies like Bitcoin has made it easy for cybercriminals to receive extorted payments without the authorities being able to readily identify the perpetrators. Bitcoin transactions are recorded on a public ledger, so they are pseudonymous rather than truly untraceable, but a wallet address need not be tied to a real identity, which makes it a convenient currency for criminals who want their financial activities to remain hidden.

Cybercriminal gangs are becoming more professional — some even offer customer service and help for victims who don’t know how to acquire or send Bitcoin, because what’s the point of making ransom demands if users don’t know how to pay?

Globe3 ransom demand for 3 Bitcoin – including a ‘how to’ guide for those who don’t know how to buy it

Image: Emsisoft Lab

How do you prevent a ransomware attack?

With email being by far the most popular attack vector for ransomware, you should provide employees with training on how to spot an incoming attack. Even picking up on little indicators, such as poor formatting, or the fact that an email purporting to be from ‘Microsoft Security’ is sent from an obscure address which doesn’t even contain the word Microsoft, might save your network from infection.
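The sender mismatch just described is also easy to check mechanically at the mail gateway, so it need not rely on a busy employee noticing it. The Python below is an added example, not code from the original article: it parses the value of a From: header, compares any brand named in the display name against the address domain, and separately flags lookalike domains that embed a brand name. The brand list, the allowed domains and the sample headers are assumptions for illustration.

```python
"""Check a From: header for the lure this section describes: a display name
that claims a well-known brand while the real address lives on an unrelated
or lookalike domain. Added example, not code from the original article; the
brand list, allowed domains and sample headers are assumptions."""
import re
from email.utils import parseaddr

# Brands worth protecting and the domains allowed to carry them (assumption: extend per organisation).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "outlook.com"},
    "paypal": {"paypal.com"},
    "dhl": {"dhl.com"},
}


def _domain_allowed(domain: str, allowed: set) -> bool:
    """True when domain is an allowed domain or a subdomain of one (e.g. mail.microsoft.com)."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(header_value: str) -> list:
    """Return findings for the value of a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        # Unparseable or multi-address From: headers are themselves a red flag.
        return ["From address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower().strip()
    name_tokens = set(re.findall(r"[a-z0-9]+", name.lower()))
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        on_brand_domain = _domain_allowed(domain, allowed)
        if brand in name_tokens and not on_brand_domain:
            findings.append(f"display name claims '{brand}' but address domain is {domain}")
        if brand in domain and not on_brand_domain:
            # e.g. microsoft-security-center.xyz: brand embedded in an unrelated registrable domain
            findings.append(f"lookalike domain containing '{brand}': {domain}")
    return findings


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Microsoft Security <security-noreply@microsoft.com>",
    "Microsoft Account Team <noreply@accountprotection.microsoft.com>",
    "Microsoft Security <alerts@mail-delivery-9873.info>",
    "Account Team <noreply@microsoft-security-center.xyz>",
]


def check_samples() -> dict:
    return {h: check_from(h) for h in SAMPLE_HEADERS}


if __name__ == "__main__":
    for header, findings in check_samples().items():
        print(header, "->", findings or ["ok"])
```

A gateway rule built on this should quarantine rather than silently drop, and the allowed-domain table needs to include every legitimate sending domain a brand uses, otherwise genuine notifications will be flagged. It complements, not replaces, SPF/DKIM/DMARC checks on the envelope sender.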

There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment. For example, one firm has developed an interactive video experience which allows its employees to make decisions on a series of events then find out the consequences of those at the end. This enables them to learn from their mistakes without suffering any of the actual consequences.

On a technical level, stopping employees from being able to enable macros is a big step towards ensuring that they can’t unwittingly run a ransomware downloader. Microsoft Office 2016 — and now Office 2013 — both carry a policy setting that blocks macros from running in Office files downloaded from the internet. At the very least, employers should invest in antivirus software and keep it up to date, so that it can warn users about potentially malicious files.

How do I get rid of ransomware?

The ‘No More Ransom’ initiative — launched by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies — offers free decryption tools for ransomware variants to help victims retrieve their data without succumbing to the will of cyber extortionists.

The portal offers decryption tools for ransomware variants including CryptXXX, MarsJoke, TeslaCrypt, and Wildfire. It’s updated as often as possible in an effort to ensure tools are available to fight the latest forms of ransomware.

The No More Ransom portal offers free ransomware decryption tools.

Image: Europol

Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline, where a compromised machine cannot reach it, and tests that those backups actually restore. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it’s possible just to isolate that unit, rebuild it, and get on with your business.
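A backup that has never been restored is a hope, not a control. The Python below is an added example, not code from the original article: it records a SHA-256 manifest when a backup is taken, simulates an infection that replaces the live files with encrypted copies, restores from the backup onto a clean location and verifies the restore against the manifest. The directory layout, file contents and the list of ransom file extensions are constructed assumptions; everything runs inside a temporary folder.

```python
"""Offline backups are only a defence if they can be verified and restored.
Added example (not code from the original article): build a SHA-256 manifest
at backup time, verify a restore against it, and spot files on the live system
that have been replaced by encrypted copies. Paths, contents and the ransom
extension list are constructed assumptions."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Extensions some ransomware families append to encrypted files (assumption: extend from current reporting).
RANSOM_EXTENSIONS = {".locky", ".lukitus", ".cerber", ".zepto"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its SHA-256; store this with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> list:
    """Return manifest entries that are missing from root or whose content hash differs."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def find_encrypted(root: Path) -> list:
    """Files carrying a known ransom extension: a cheap post-infection sweep."""
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in RANSOM_EXTENSIONS]


def demo() -> dict:
    """Back up, simulate an infection, then restore and verify; returns what each step found."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / n for n in ("live", "backup", "restored"))
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.csv").write_text("dept,amount\nops,1200\n")
        (live / "notes.txt").write_text("call supplier on Monday\n")

        manifest = build_manifest(live)
        shutil.copytree(live, backup)  # stands in for the copy taken to offline media

        # Simulate infection: each original is replaced by random bytes with a ransom extension.
        for p in [q for q in live.rglob("*") if q.is_file()]:
            p.with_name(p.name + ".locky").write_bytes(os.urandom(64))
            p.unlink()

        shutil.copytree(backup, restored)  # rebuild onto a clean machine from the offline copy
        return {
            "encrypted_on_live": find_encrypted(live),
            "damaged_on_live": verify_against_manifest(live, manifest),
            "restore_problems": verify_against_manifest(restored, manifest),
        }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The manifest must travel with the backup (or be kept somewhere the infected host cannot write to), otherwise ransomware that reaches the backup share can encrypt the manifest along with the data and the verification step proves nothing.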

Should I pay a ransomware ransom?

There are those who say victims should just pay the ransom, citing it as the quickest and easiest way to retrieve data, and many organisations do pay.

But be warned: if word gets out that your organisation is an easy target for cybercriminals because it paid a ransom, you could find yourself in the crosshairs of other cybercriminals who are looking to take advantage of your weak security.

And remember that you’re dealing with criminals here and their very nature means they may not keep their word. There are stories of victims paying ransoms and still not having files returned.

What’s the future of ransomware?

Ransomware is continually evolving, with an increasing number of variants now engaging in additional activities such as stealing data or weakening infected computers in preparation for future attacks.

Researchers even warn that ransomware could soon hold whole operating systems hostage, to such an extent that the only two options available to the user would be to pay, or to lose access to the entire system.

And ransomware isn’t just a problem for Windows PCs; Apple Macs are vulnerable to it too.

Can you get ransomware on your smartphone?

Absolutely. Ransomware attacks against Android devices have increased massively, as cybercriminals realise that many people aren’t aware that smartphones can be attacked.

In fact, any internet-connected device is a potential target for ransomware, which has already been seen locking smart TVs.

Researchers demonstrate ransomware in an in-car infotainment system.

Image: Intel Security

Ransomware and the Internet of things

Internet of things devices already have a poor reputation for security. As more and more of these make their way onto the market, they’re going to provide billions of new attack vectors for cybercriminals, potentially allowing hackers to hold your connected home or connected car hostage.

There’s even the potential that hackers could infect medical devices, putting lives directly at risk.

As ransomware continues to evolve, it’s therefore crucial for your employees to understand the threat it poses, and for organisations to do everything possible to avoid infection, because ransomware can be crippling.

Read more about ransomware

www.scamsfakes.com

www.crimefiles.net

Henry Sapiecha

Ransomware: These four industries are attacked the most frequently.

Ransomware is a threat to all sectors — but these are the ones most under attack, states a new study

A ransomware attack against any business could be potentially devastating, but there are some sectors which are more at risk from file-encrypting attacks than others, as cybercriminals prey on industries which can’t afford to not have access to their networks.

Ransomware has boomed over the last 18 months, growing from an annoyance which targeted home PC users with moderate ransom demands, to a billion-dollar industry, with cybercriminals holding high-profile or deep-pocketed targets to ransom for tens of thousands of dollars.

While some cybercriminals might be attempting to compromise any organisation possible with a generic attack, professional threat actors will create specially tailored attacks in order to make them look as authentic as possible — even by making the message look like it comes from a colleague.

Ransomware is most often delivered via a phishing email, which arguably provides an explanation as to why NTT Security’s Global Threat Intelligence Report lists business and professional services as the sector most likely to be targeted by ransomware.

Given that opening financial spreadsheets, job applications, and other email attachments is at the very heart of this modern sector, it makes sense that over a quarter of ransomware attacks (28 percent) were directed at business and professional services firms over the course of a year.

Meanwhile, 19 percent of ransomware attacks were targeted at government and government agencies. Healthcare is the next highest-profile target for cybercriminals, accounting for 15 percent of attacks. It was a ransomware attack against an LA hospital which infamously highlighted the problem, taking the network offline for days until the hospital paid a $17,000 Bitcoin ransom.

Ransomware attacks against the retail industry account for a further 15 percent of all incidents. All other industries make up the remaining 23 percent, according to the NTT Security report.

Ransomware has become one of the biggest menaces on the web. This ZDNet guide contains everything you need to know about it: how it started, why it’s booming, how to protect against it, and what to do if your PC suffers an attack.
