Category Archives: RANSOMWARE

WannaCry researcher denies in court that he created banking malware

The security researcher rose to fame for curbing the spread of the WannaCry ransomware recently

A security researcher who helped curb a global outbreak of the WannaCry ransomware earlier this year has told a court he is not guilty of charges of allegedly creating a notorious banking malware.

Marcus Hutchins, 22, said he was not guilty during a hearing at a Las Vegas court after he was arrested and detained earlier this week.

The news was confirmed by his attorney Adrian Lobo, speaking on Facebook Live to local reporter Christy Wilcox, at the court house.

Hutchins was granted bail on a bond of $30,000 during a hearing at a Las Vegas court.

But he will “not be released today lawyers says could not get bail in time,” according to Wilcox in a tweet.

He will not be allowed access to devices with an internet connection, said Wilcox, and he will be tagged to be monitored at all times.

Hutchins, also known as @MalwareTechBlog, stormed to fame earlier this year after he found a kill switch in the malware, known as WannaCry, amid a global epidemic of ransomware in May.

By registering a domain found in the code, he stopped the spread of the malware.

The Justice Department announced Thursday that it was charging Hutchins with malicious activity, unrelated to the WannaCry cyberattack.

The security researcher, a British native, was arrested shortly before boarding a flight home. He had been attending the Def Con security conference late last month. He was briefly detained in a federal detention facility in Nevada, then later questioned by the FBI at its field office in Las Vegas.

Hutchins was later indicted, along with an unnamed defendant, on six charges relating to allegations that he created the Kronos malware, a trojan that can steal banking usernames and passwords from victims’ computers.

He was also charged with five other counts, including wiretapping — thought to relate to the interception of passwords — and violating the controversial Computer Fraud and Abuse Act, which serves as the basis of US hacking laws.

Hutchins will appear at a court in Wisconsin, where the case was filed, on August 8.

Developing… more soon. www.crimefiles.net

Henry Sapiecha

WannaCry Ransomware said to be hitting speed cameras in Victoria

Radio 3AW has reported that 55 speed and intersection cameras have been hit with WannaCry ransomware.


The WannaCry ransomware that claimed hundreds of thousands of victims across 150 countries has hit speed and intersection cameras in Victoria, Radio 3AW has reported.

According to the radio station, 55 cameras in the state belonging to vehicle monitoring and enforcement service Redflex were infected with the ransomware after a rogue USB was inserted by someone performing maintenance on the now-infected cameras.

It is understood that the infection came as a result of “human error” rather than a targeted attack aimed at holding the Australian state to ransom.

The cameras are not connected to the internet, however, which means the ransomware has not been spread throughout the field, 3AW told its listeners on Thursday.

Redflex Traffic Systems — which has its Australian head office located in Melbourne — said it has a patch to fix the infected devices, according to the report.

“The department is in the process of removing the virus from the affected cameras. The remaining sites will be rectified in the next couple of days,” a Justice and Regulation spokesperson is quoted as telling 3AW.

“The software virus has not impacted the accuracy of the camera system. All infringements during this period have been captured correctly, and no infringements have been affected by the virus.”

WannaCry has caused the cameras to intermittently reboot, however.

While WannaCry hit over 300,000 organisations around the world, only a tiny percentage of victims have given in to the demands of hackers.

According to a bot watching the Bitcoin wallets tied to the ransomware attack, just 335 payments had been made as of June 20, 2017, netting the perpetrators 51.9 bitcoins — a figure worth approximately $140,326.

It is unknown how long the cameras have been infected and how long Redflex has known about the issue.

NOTE: Around 600 speeding infringements have been withdrawn by the department as a result.

Henry Sapiecha


WannaCrypt: Cyber attack rolls into Asia but global spread slows

London/Washington: The global WannaCrypt “ransomware” cyber attack spread more slowly on Monday with no major infections reported, as attention shifted to investment and government policy implications of lax cyber security.

There were 213,000 infected machines in 112 countries as of 1000 GMT (8pm AEST) on Monday, according to Czech security firm Avast, making it one of the largest coordinated attacks to hit computers across the world.

The countries most affected by WannaCrypt or WannaCry were the same as Friday: Russia, Taiwan, Ukraine and India, Avast’s data showed.

The number of infections has fallen dramatically since Friday’s peak when more than 9,000 computers were being hit per hour. By afternoon on the US East Coast, new infections had fallen to the low hundreds of machines and continue to decline, Avast said.

Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.

Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

Tom Bossert, US President Donald Trump’s homeland security adviser, said people “should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat,” speaking on Good Morning America.

The perpetrators of the attack are still not known. Mr Bossert said that while US officials had not ruled out the possibility that it was a “state action,” he said it appeared to be criminal, given the ransom requests.

Some victims were ignoring official advice and paying the $US300 ($405) ransom demanded by the cyber criminals to unlock their computers, which was due to double to $US600 ($809) on Monday for computers hit by Friday’s first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $US600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $US55,169 (around $74,000), from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him “the customer service provided by the criminals is second-to-none,” with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan said output had returned to normal at nearly all its plants. PSA Group, Fiat Chrysler, Volkswagen, Daimler, Toyota and Honda said their plants were unaffected.

Shares in firms that provide cyber security services jumped on the prospect of companies and governments spending more money on defenses, led by Israel’s Cyren Ltd and US firm FireEye Inc.

Cisco Systems rose 2.8 per cent, making it the leading gainer in the Dow Jones Industrial Average, which was up more than 100 points in afternoon trading, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 per cent to 20 per cent of the most affected countries, according to the researcher who stumbled on the “kill switch”.

The virus hit computers running older versions of Microsoft Corp software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company’s shares were down about 1 per cent on Monday, in a slightly higher broad market.

Infected computers appear to be largely out-of-date devices. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

The US Senate Intelligence Committee is monitoring the attack and expects to receive a briefing in the coming days from the Trump administration, a panel aide said.

Attack used NSA-devised tool

In a blog post on Sunday, Microsoft President Brad Smith confirmed what researchers had already widely concluded: the attack made use of a hacking tool built by the US National Security Agency that had leaked online in April.

He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

Russian President Vladimir Putin, noting the technology’s link to the US spy service, said it should be “discussed immediately on a serious political level.”

“Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” he said.

In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.

“The government’s response has been chaotic,” the British Labour Party’s health spokesman Jon Ashworth said. “If you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s NHS is the world’s fifth-largest employer after the US and Chinese militaries, Wal-Mart Stores and McDonald’s. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear (that) warnings were given to hospital trusts.”

British health minister Jeremy Hunt said on Monday it was “encouraging” that a predicted second spike of attacks had not occurred, but the ransomware was a warning to public and private organisations.

Impact in Asia

China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world’s second-largest economy would cope. However, officials and security firms said the spread was starting to slow.

“The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days,” said Chinese Internet security company Qihoo 360.

A patient waits at Dharmais Cancer Hospital in Jakarta as the hospital’s information system is disrupted by the cyberattack. Photo: AP

An official from Cybersecurity Administration China (CAC) told local media on Monday the ransomware had affected industry and government computer systems but the spread was slowing.

Energy giant PetroChina said payment systems at some petrol stations were hit although it had restored most of the systems.

Elsewhere in Asia, Conglomerate Hitachi Ltd said the attack had affected its systems over the weekend, leaving them unable to receive and send emails or open attachments in some cases.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, attacks affected scores of computers. By late morning, some people were still manually filling out forms, but 70 per cent of systems were online.

India’s government said it received only a few reports of attacks and urged those hit not to pay any ransom. No major Indian corporations reported disrupted operations.

Reuters

Henry Sapiecha

Hackers reportedly hold Disney film for ransom

Even as many businesses are worried about hackers taking control of their computers as part of the worldwide WannaCry ransomware crisis, Disney may be facing a slightly different ransom situation of its own.

Hackers have obtained a copy of an upcoming Disney film and are threatening to release more and more snippets of it unless the company pays a “huge sum” of bitcoins, according to the Hollywood Reporter.

Citing remarks that chief executive Bob Iger made to employees Monday, THR reports that the film could be the latest entry in the Pirates of the Caribbean franchise, or perhaps Cars 3. The company is reportedly refusing to pay.

A spokesman for Disney didn’t immediately respond to a request for comment. But the report marks the latest attempt by hackers to wring Hollywood for cash. It comes two weeks after Netflix confirmed that hackers were responsible for leaking new episodes of its hit series, Orange Is the New Black.

It is unclear how much the hackers demanded of Netflix, but the company refused to pay.

The Washington Post

Henry Sapiecha

Global cyber-attack: Security blogger halts ransomware ‘by accident’


A UK security researcher has told the BBC how he “accidentally” halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK’s NHS.

The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.

He managed to bring the spread to a halt when he found what appeared to be a “kill switch” in the rogue software’s code.

“It was actually partly accidental,” he told the BBC, after spending the night investigating. “I have not slept a wink.”

Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an “accidental hero”.

“I would say that’s correct,” he told the BBC.


“The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation.”

What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.

But the web address it was trying to contact – a long jumble of letters – had not been registered.

MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.

By doing so, he unexpectedly triggered part of the ransomware’s code that told it to stop spreading.


This type of code is known as a “kill switch”, which some attackers use to halt the spread of their software if things get out of hand.

He tested his discovery and was delighted when he managed to trigger the ransomware on demand.

“Now you probably can’t picture a grown man jumping around with the excitement of having just been ‘ransomwared’, but this was me,” he said in a blog post.

MalwareTech now thinks the code was originally designed to thwart researchers trying to investigate the ransomware, but it backfired by letting them remotely disable it.
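The mechanism described above cuts both ways for a defender: the worm asks the network for the same fixed web address on every new infection, so that lookup is a high-fidelity sign that a host is running it, whether or not the kill switch stopped it spreading further. The following script, added here as an example and not code from the article or from MalwareTech, pulls those hosts out of a resolver's query log. The domain name and the log lines are constructed placeholders (the real name is not reproduced on this page), and the log format is a simplified BIND-style query line.

```python
"""Find hosts that resolved a ransomware kill-switch domain in DNS query logs.

Added example (not from the original article). The worm contacts a fixed
web address on every new infection; any internal host that looks that name
up is, with high confidence, infected. KILL_SWITCH_DOMAINS and the sample
log lines are constructed placeholders.
"""
import re
from datetime import datetime

# Placeholder only: substitute the real kill-switch name(s) from a trusted advisory.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample lines in a simplified BIND-style query log format.
SAMPLE_DNS_LOG = """\
12-May-2017 13:02:11.031 client 10.20.4.17#51233: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.20.0.2)
12-May-2017 13:02:11.402 client 10.20.4.17#51234: query: update.microsoft.com IN A + (10.20.0.2)
12-May-2017 13:02:13.918 client 10.20.7.88#40021: query: killswitch-placeholder.example IN A + (10.20.0.2)
12-May-2017 13:03:01.220 client 10.20.7.88#40022: query: killswitch-placeholder.example IN A + (10.20.0.2)
12-May-2017 13:05:44.007 client 10.20.9.5#60011: query: www.bbc.co.uk IN A + (10.20.0.2)
this line is not a query log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalise_name(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Return (timestamp, client_ip, normalised_qname) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), normalise_name(m.group("qname"))


def find_infected_hosts(log_text, watch_domains=KILL_SWITCH_DOMAINS):
    """Map each client that resolved a watched name to its first lookup time and count.

    Lines that do not match the expected format are skipped rather than
    aborting the run, since real logs mix query lines with other messages.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if qname in watch_domains:
            entry = hits.setdefault(client, {"first_seen": ts, "lookups": 0})
            entry["lookups"] += 1
            if ts < entry["first_seen"]:
                entry["first_seen"] = ts
    return hits


if __name__ == "__main__":
    for host, info in sorted(find_infected_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {info['lookups']} lookup(s), first seen {info['first_seen']:%Y-%m-%d %H:%M:%S}")
```

Run against the constructed log it reports two hosts; on real data the list is the set of machines to isolate and patch first, which is exactly the visibility the researcher says he wanted when he registered the domain.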

Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected.

Security experts have also warned that new variants of the malware that ignore the “kill switch” will appear.

“This variant shouldn’t be spreading any further, however there’ll almost certainly be copycats,” said security researcher Troy Hunt in a blog post.

MalwareTech warned: “We have stopped this one, but there will be another one coming and it will not be stoppable by us.

“There’s a lot of money in this, there is no reason for them to stop. It’s not much effort for them to change the code and start over.”

Henry Sapiecha

Massive international cyber attack hits computers across Europe, Asia and Russia

London: A huge cyber attack struck computers across Europe and Asia on Friday, crippling health services and closing emergency rooms in Britain.

The attack involved ransomware, a kind of malware that encrypts data and locks out the user. According to security experts, it exploited a vulnerability that was discovered and developed by the National Security Agency (NSA) in the US.

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen NSA hacking tools online since the beginning of last year. Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets – particularly hospitals – had yet to update their systems.

The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.

Employees of Britain’s National Health Service (NHS) were warned about the ransomware threat early on Friday, but by then it was too late.

As the disruptions rippled through hospitals, doctors’ offices and ambulance services across Britain, the NHS declared the attack a “major incident” and patients were asked to only seek assistance for serious medical emergencies.

Hospitals and telecommunications companies across Europe, Russia and Asia were affected, according to MalwareHunterTeam, a security firm that tracks ransomware attacks.

Spain’s Telefonica and Russia’s MegaFon were among the telecommunications targets.

Attacks were being reported in Britain and 11 other countries, including Turkey, Vietnam, the Philippines and Japan, with the majority of affected computers in Russia. The computers all appeared to be hit with the same ransomware, and similar ransom messages demanding about $US300 to unlock their data.

The attack on the NHS seemed perhaps the most audacious of the attacks, because it had life-or-death implications for hospitals and ambulance services.

Tom Donnelly, a spokesman for NHS Digital, the arm of the health service that handles cybersecurity, said in a phone interview that 16 organisations, including “hospitals and other kinds of clinician services,” had been hit. Officials later updated that number to at least 25.

Hospitals and doctors’ surgeries were forced to turn away patients and cancel appointments as the attack crippled computer systems.

The Spanish government said a large number of companies, including telecommunications giant Telefonica, had been infected. Portugal Telecom was also hit but no services were impacted, a spokeswoman for the company said.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from the National Cryptology Centre of “a massive ransomware attack.” It said hackers used a version of a virus known as WannaCry that targets Microsoft Corp’s widely used Windows operating system.

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

Reuters

www.scamsfakes.com

www.crimefiles.net

Henry Sapiecha

Ransomware: An executive exposé of one of the biggest monster menaces on the web

Everything you need to know about ransomware: how it started, why it’s booming, how to protect against it, and what to do if your PC’s infected

The AIDS demand for payment – by post.


What is a ransomware attack?

Ransomware is one of the biggest problems on the web right now. It’s a form of malware which encrypts documents on a PC or even across a network. Victims can often only regain access to their files and PCs by paying a ransom to the criminals behind it. A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes.

Cybercriminals didn’t use to be so obvious. If hackers infiltrated your corporate network, they would do everything possible to avoid detection. It was in their best interests not to alert a victim that they’d fallen victim to cybercrime.

But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they’re holding your corporate data hostage until you pay a ransom in order to get it back. It might sound too simple, but it’s working: cybercriminals pocketed over $1bn from ransomware attacks during 2016 alone.

What is the history of ransomware?

While ransomware exploded last year, increasing by an estimated 748 percent, it’s not a new phenomenon; the first instance of what we now know as ransomware appeared in 1989.

Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims — mostly in the healthcare industry — on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and demanded the user ‘renew their license’ with ‘PC Cyborg Corporation’ by sending $189 or $378 to a post office box in Panama.

How did ransomware evolve?

This early ransomware was a relatively simple construct, using basic cryptography which mostly just changed the names of files, making it relatively easy to overcome.

But it set off a new branch of computer crime, which slowly but surely grew in reach — and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.

One of the most successful variants was ‘Police ransomware’, which tried to extort victims by claiming to be law enforcement and locking the screen with a message warning the user they’d committed illegal online activity, which could get them sent to jail.

However, if the victim paid a fine, the ‘police’ would let the infringement slide and restore access to the computer. Of course, this wasn’t anything to do with law enforcement — this was criminals exploiting innocent people.

An example of ‘Police ransomware’ threatening a UK user.

Image: Sophos

While somewhat successful, these forms of ransomware often simply overlaid their ‘warning’ message on the user’s display — and rebooting the machine could get rid of the problem.

Criminals learned from this and now the majority of ransomware schemes use advanced cryptography to truly lock down an infected PC.

What are the main types of ransomware?

Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.

Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave into the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.

Locky remained successful because those behind it regularly update the code with changes which allow it to avoid detection. They even update it with new functions, including the ability to make ransom demands in 30 languages, helping criminals more easily target victims around the world. Locky became so successful that it rose to become one of the most prevalent forms of malware in its own right.

Cryptowall is another form of ransomware which has found great success for a prolonged period of time. Starting life as a doppelganger of Cryptolocker, it’s gone on to become one of the most successful types of ransomware.

Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.

While some ransomware developers — like those behind Locky or Cryptowall — closely guard their product, keeping it solely for their own use, others happily distribute ransomware to any wannabe hacker keen to cash in on cyber extortion – and it’s proved to be a very successful method for wide distribution.

One of the most common forms of ransomware distributed in this way is Cerber, which has been known to infect hundreds of thousands of users in just a single month. The original creators of Cerber are selling it on the dark web, allowing other criminals to use the code in return for receiving 40 percent of each ransom paid.

Cerber has become so successful that it has surpassed Locky — which appeared to mysteriously disappear over Christmas, although it re-emerged in April with new attack techniques — to become the most dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.

In exchange for giving up some of the profits for using Cerber, wannabe cyber fraudsters are provided with everything they need in order to successfully make money through extortion of victims.

Indeed, now some criminal groups offer this type of ransomware-as-a-service scheme to potential users at no cost at the point of entry. Instead of charging a fee for the ransomware code, they want a 50 percent cut.

How much will a ransomware attack cost you?

Obviously, the most immediate cost associated with becoming infected with ransomware — if paid — is the ransom demand, which can depend on the type of ransomware or the size of your organisation.

Recent research revealed that a quarter of companies which paid a ransom paid over £5,000 to retrieve their data, while a further quarter paid hackers between £3,000 and £5,000.

The most common ransom paid amongst small and medium-sized businesses was between £500 and £1500, proving that there’s still easy money to be made from targeting organisations of this size.

There are also examples of high-profile targets paying five-figure fees in order to regain access to their networks, especially in cases where criminals threaten to delete data if they’re not paid.

Ultimately, whatever the size of the company, time is money and the longer your network is down, the more it’s going to cost your business.

Even if you regain access to your networks by paying a ransom, there will be additional costs on top of that. In order to avoid future attacks — especially if you’ve been marked as an easy target — be prepared to invest in additional cybersecurity software and to pay for additional staff training.

There’s also the risk of customers losing trust in your business because of poor cybersecurity and taking their custom elsewhere.

Why should businesses worry about ransomware?

To put it simply: ransomware could ruin your business. Being locked out of your own network for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems go offline for so long not just because ransomware locks the system, but because of all the effort required to clean up and restore the networks.

And it isn’t just the immediate financial hit of ransomware which will damage a business; consumers become wary of giving their custom to organisations they believe to be insecure.

How does ransomware infect your PC?

It’s the modern enterprise’s reliance on the internet which is enabling ransomware to boom. Every day, every employee receives hundreds of emails and many roles require these employees to download and open attachments, so it’s something which is often done on autopilot. Taking advantage of employees’ willingness to open attachments from unknown senders is allowing cybercriminals to successfully run ransomware campaigns.

Like other forms of malware, botnets send ransomware out en masse, with millions of malicious phishing emails sent every single second. Criminals use a variety of lures to encourage targets to open a ransomware email, ranging from offers of financial bonuses, fake online purchase receipts, job applications from prospective employees, and more.

A spam email claiming the target has purchased a flight – complete with fake invoice containing the ransomware.

Image: Symantec

While some messages give away clues to their malicious nature with poorly-worded messages or strange return addresses, others are specially tailored to look as convincing as possible, and appear no different from any other message the victim might be sent.

Once the malicious attachment has been opened, the user is encouraged to enable macros in order to view and edit the document. It’s when this is enabled that the ransomware code hidden within the macros strikes. It can encrypt files in seconds, leaving the victim with a ransom note demanding a payment ranging from a few hundred dollars to tens of thousands of dollars in order to get them back.
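The infection chain just described hinges on a document that carries macro code reaching a user who then enables it. Modern Office files are ZIP containers, and one that carries VBA stores it in a part named vbaProject.bin, declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The script below is an added example, not code from the article or from any vendor named on this page: it inspects an attachment for those two indicators so a mail gateway or triage script can hold macro-bearing documents from outside senders before anyone is asked to "enable content". The two sample documents are constructed in memory and contain a placeholder byte string where the VBA stream would be, not real macro code.

```python
"""Detect macro-bearing Office attachments before a user can enable them.

Added example, not from the original article. Office Open XML documents are
ZIP packages; VBA code lives in a vbaProject.bin part that is declared in
[Content_Types].xml. The sample documents are constructed here and carry a
placeholder instead of a real VBA stream.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MAIN_DOC_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_docx(with_macros):
    """Construct a minimal Office-style ZIP package (sample data only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        overrides = f'<Override PartName="/word/document.xml" ContentType="{MAIN_DOC_TYPE}"/>'
        if with_macros:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"placeholder-not-a-real-vba-stream")
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{overrides}</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Describe whether an attachment is an Office package and whether it carries VBA macros."""
    result = {"filename": filename, "is_office_zip": False, "has_macros": False, "reasons": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an Office Open XML package
        result["is_office_zip"] = True
        # Indicator 1: a vbaProject.bin part anywhere in the package.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            result["has_macros"] = True
            result["reasons"].append(f"VBA part present: {', '.join(vba_parts)}")
        # Indicator 2: the content-type manifest declares a VBA project.
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in manifest:
            result["has_macros"] = True
            result["reasons"].append("manifest declares vbaProject content type")
        # Indicator 3: macro parts inside a file whose extension promises none.
        ext = filename.rsplit(".", 1)[-1].lower()
        if result["has_macros"] and ext in {"docx", "xlsx", "pptx"}:
            result["reasons"].append(f".{ext} extension should not carry macros")
    return result


def should_quarantine(filename, data, external_sender=True):
    """Policy hook: hold macro-bearing documents that arrive from outside the organisation."""
    return external_sender and inspect_attachment(filename, data)["has_macros"]


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_docx(True)), ("memo.docx", build_sample_docx(False))]
    for name, doc in samples:
        print(name, inspect_attachment(name, doc))
```

Checking both the part name and the manifest matters because either alone can be stripped or renamed by a sender trying to slip past a naive filter; the extension check catches the common trick of handing a macro-enabled file a ".docx" name so it looks harmless in the mail client.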

Which organisations are targets for ransomware?

Any business can find itself a victim of ransomware, but perhaps the most high-profile incident occurred when the Hollywood Presbyterian Medical Center in Los Angeles became infected with Locky ransomware. The infection left doctors and nurses unable to access patient files for days, until the hospital opted to give into the ransom demands of hackers in order to restore services.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Allen Stefanek, CEO of the hospital, said at the time.

Locky is one of the most successful forms of ransomware.

Image: F-Secure

Hospitals and other healthcare organisations are popular targets for ransomware attacks, because they are often willing to pay. Losing access to data is a life-or-death matter for them — and hospitals don’t want to be held responsible for letting people die due to poor cybersecurity. However, there are even cybercriminals who think attacking hospitals is too despicable an activity.

But there are plenty of other sectors criminals will happily target, including educational institutions, such as the University of Calgary, which paid a ransom of $20,000 to hackers. Any large business is at risk, and there’s even the prospect of ransomware infecting industrial systems.

Why are small businesses targets for ransomware?

Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organisations. Despite that, many SMEs falsely believe they’re too small to be targeted — but even a ‘smaller’ ransom of a few hundred dollars is still highly profitable for cybercriminals.

Why is ransomware so successful?

You could say there’s one key reason why ransomware has boomed: because it works. Organisations can have the best antivirus software in the world, but all it takes for ransomware to infect the network is for one user to slip up and launch a malicious attachment.

If organisations weren’t giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data in order to function, so many are willing to pay a ransom and get it over and done with.

Meanwhile, for criminals it’s a very easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?

There are even ransomware-as-a-service schemes available on the dark web which allow the most technically inept wannabe cybercriminals to start sending out ransomware — in exchange for a percentage of their ill-gotten gains going directly into the pockets of the creators.

What does Bitcoin have to do with the rise of ransomware?

The rise of cryptocurrencies like Bitcoin has made it easy for cybercriminals to secretly receive extorted payments, without the risk of the authorities being able to identify the perpetrators. The secure, untraceable method of making payments makes it the perfect currency for criminals who want their financial activities to remain hidden.

Cybercriminal gangs are becoming more professional — some even offer customer service and help for victims who don’t know how to acquire or send Bitcoin, because what’s the point of making ransom demands if users don’t know how to pay?

Globe3 ransom demand for 3 Bitcoin – including a ‘how to’ guide for those who don’t know how to buy it

Image: Emsisoft Lab

How do you prevent a ransomware attack?

With email being by far the most popular attack vector for ransomware, you should provide employees with training on how to spot an incoming attack. Even picking up on little indicators like poor formatting, or that an email purporting to be from ‘Microsoft Security’ is sent from an obscure address which doesn’t even contain the word Microsoft within it, might save your network from infection.

There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment. For example, one firm has developed an interactive video experience which allows its employees to make decisions on a series of events then find out the consequences of those at the end. This enables them to learn from their mistakes without suffering any of the actual consequences.

On a technical level, stopping employees from being able to enable macros is a big step towards ensuring that they can’t unwittingly run a ransomware file. Microsoft Office 2016 — and now Microsoft Office 2013 — both carry features which allow macros to be disabled. At the very least, employers should invest in antivirus software and keep it up-to-date, so that it can warn users about potentially malicious files.

How do I get rid of ransomware?

The ‘No More Ransom’ initiative — launched by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies — offers free decryption tools for ransomware variants to help victims retrieve their data without succumbing to the will of cyber extortionists.

The portal offers decryption tools for ransomware variants including CryptXXX, MarsJoke, TeslaCrypt, and Wildfire. It’s updated as often as possible in an effort to ensure tools are available to fight the latest forms of ransomware.

The No More Ransom portal offers free ransomware decryption tools.

Image: Europol

Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it’s possible just to isolate that unit then get on with your business.

Should I pay a ransomware ransom?

There are those who say victims should just pay the ransom, citing it as the quickest and easiest way to retrieve data, and many organisations do pay.

But be warned: if word gets out that your organisation is an easy target for cybercriminals because it paid a ransom, you could find yourself in the crosshairs of other cybercriminals who are looking to take advantage of your weak security.

And remember that you’re dealing with criminals here and their very nature means they may not keep their word. There are stories of victims paying ransoms and still not having files returned.

What’s the future of ransomware?

Ransomware is continually evolving, with an increasing number of variants now engaging in additional activities such as stealing data or weakening infected computers in preparation for future attacks.

Researchers even warn that ransomware could soon hold whole operating systems hostage, to such an extent that the only two options available to the user would be to pay, or to lose access to the entire system.

And ransomware isn’t just a problem for Windows PCs; Apple Macs are vulnerable to it too.

Can you get ransomware on your smartphone?

Absolutely. Ransomware attacks against Android devices have increased massively, as cybercriminals realise that many people aren’t aware that smartphones can be attacked.

In fact, any internet-connected device is a potential target for ransomware, which has already been seen locking smart TVs.

Researchers demonstrate ransomware in an in-car infotainment system.

Image: Intel Security

Ransomware and the Internet of Things

Internet of things devices already have a poor reputation for security. As more and more of these make their way onto the market, they’re going to provide billions of new attack vectors for cybercriminals, potentially allowing hackers to hold your connected home or connected car hostage.

There’s even the potential that hackers could infect medical devices, putting lives directly at risk.

As ransomware continues to evolve, it’s therefore crucial for your employees to understand the threat it poses, and for organisations to do everything possible to avoid infection, because ransomware can be crippling.

Read more about ransomware

www.scamsfakes.com

www.crimefiles.net

Henry Sapiecha

Ransomware: These four industries are attacked the most frequently.

Ransomware is a threat to all sectors — but these are the ones most under attack, states a new study

A ransomware attack against any business could be potentially devastating, but there are some sectors which are more at risk from file-encrypting attacks than others, as cybercriminals prey on industries which can’t afford to not have access to their networks.

Ransomware has boomed over the last 18 months, growing from an annoyance which targeted home PC users with moderate ransom demands, to a billion-dollar industry, with cybercriminals holding high-profile or deep-pocketed targets to ransom for tens of thousands of dollars.

While some cybercriminals might be attempting to compromise any organisation possible with a generic attack, professional threat actors will create specially tailored attacks in order to make them look as authentic as possible — even by making the message look like it comes from a colleague.

Ransomware is most often delivered via a phishing email, which arguably provides an explanation as to why NTT Security’s Global Threat Intelligence Report lists business and professional services as the sector most likely to be targeted by ransomware.

Given that opening financial spreadsheets, job applications, and other email attachments is at the very heart of this modern sector, it makes sense that over a quarter of ransomware attacks (28 percent) were directed at business and professional services firms over the course of a year.

Meanwhile, 19 percent of ransomware attacks were targeted at government and government agencies. Healthcare is the next highest-profile target for cybercriminals, accounting for 15 percent of attacks. It was a ransomware attack against an LA hospital which infamously highlighted the problem, taking the network offline for days until the hospital paid a $17,000 Bitcoin ransom.

Ransomware attacks against the retail industry account for a further 15 percent of all incidents. All other industries make up the remaining 23 percent, according to the NTT Security report.

Ransomware has become one of the biggest menaces on the web. This ZDNet guide contains everything you need to know about it: how it started, why it’s booming, how to protect against it, and what to do if your PC suffers an attack.


Hacker Lexicon: A Guide to Ransomware, the Scary Hack That’s on the Rise

Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in Bitcoin. The digital extortion racket is not new—it’s been around since about 2005, but attackers have greatly improved on the scheme with the development of ransom cryptware, which encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.

TL;DR: Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom—usually demanded in Bitcoin. A popular and more insidious variation of this is ransom cryptware, which encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.

And these days ransomware doesn’t just affect desktop machines or laptops; it also targets mobile phones. Last week news broke of a piece of ransomware in the wild masquerading as a porn app. The so-called Porn Droid app targets Android users and allows attackers to lock the phone and change its PIN number while demanding a $500 ransom from victims to regain access.

Earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims. The malware can infect you via a malicious email or website, or attackers can deliver it straight to your computer if they’ve already infected it with a backdoor through which they can enter.

The Ransom Business Is Booming

Just how lucrative is ransomware? Very. In 2012, Symantec gained access to a command-and-control server used by the CryptoDefense malware and got a glimpse of the hackers’ haul based on transactions for two Bitcoin addresses the attackers used to receive ransoms. Out of 5,700 computers infected with the malware in a single day, about three percent of victims appeared to shell out for the ransom. At an average of $200 per victim, Symantec estimated that the attackers hauled in at least $34,000 that day (.pdf). Extrapolating from this, they would have earned more than $394,000 in a month. And this was based on data from just one command server and two Bitcoin addresses; the attackers were likely using multiple servers and Bitcoin addresses for their operation.

Symantec has estimated, conservatively, that at least $5 million is extorted from ransomware victims each year. But forking over funds to pay the ransom doesn’t guarantee attackers will be true to their word and victims will be able to access their data again. In many cases, Symantec notes, this doesn’t occur.

Ransomware has come a long way since it first showed up in Russia and other parts of Eastern Europe between 2005 and 2009. Many of these early schemes had a big drawback for perpetrators, though: a reliable way to collect money from victims. In the early days, online payment methods weren’t popular the way they are today, so some victims in Europe and the US were instructed to pay ransoms via SMS messages or with pre-paid cards. But the growth in digital payment methods, particularly Bitcoin, has greatly contributed to ransomware’s proliferation. Bitcoin has become the most popular method for demanding ransom because it helps anonymize the transactions to prevent extortionists from being tracked.

According to Symantec, some of the first versions of ransomware that struck Russia displayed a pornographic image on the victim’s machine and demanded payment to remove it. The victim was instructed to make payments either through an SMS text message or by calling a premium rate phone number that would earn the attacker revenue.


Image: Symantec

The Evolution of Ransomware

It didn’t take long for the attacks to spread to Europe and the US, and with new targets came new techniques, including posing as local law enforcement agencies. One ransomware attack known as Reveton that is directed at US victims produces a pop-up message saying your machine has been involved in child porn activity or some other crime and has been locked by the FBI or Justice Department. Unless you pay a fine—in Bitcoin, of course, and sent to an address the attackers control—the government won’t restore access to your system. Apparently the fine for committing a federal offense involving child porn is cheap, however, because Reveton ransoms are just $500 or less. Victims are given 72 hours to pay up and an email address, fines@fbi.gov, if they have any questions. In some cases they are threatened with arrest if they don’t pay. However improbable the scheme is, victims have paid—probably because the extortionists distributed their malware through advertising networks that operated on porn sites, inducing guilt and fear in victims who had knowingly been perusing pornography, whether it was child porn or not. Symantec determined that some 500,000 people clicked on the malicious ads over a period of 18 days.


In August 2013, the world of ransomware took a big leap with the arrival of CryptoLocker, which used public and private cryptographic keys to lock and unlock a victim’s files. Created by a hacker named Slavik, reportedly the same mind behind the prolific Zeus banking trojan, CryptoLocker was initially distributed to victims via the Gameover ZeuS banking trojan botnet. The attackers would first infect a victim with Gameover Zeus in order to steal banking credentials. But if that didn’t work, they installed the Zeus backdoor on the victim’s machine to simply extort them. Later versions of CryptoLocker spread via an email purporting to come from UPS or FedEx. Victims were warned that if they didn’t pay within four days—a digital doomsday clock in the pop-up message from the attackers counted down the hours—the decryption key would be destroyed and no one would be able to help unlock their files.

In just six months, between September 2013 and May 2014, more than half a million victims were infected with CryptoLocker. The attack was highly effective, even though only about 1.3 percent of victims paid the ransom. The FBI estimated last year that the extortionists had swindled some $27 million from users who did pay.

Among CryptoLocker’s victims? A police computer in Swansea, Massachusetts. The police department decided to pay the ransom of 2 Bitcoins (about $750 at the time) rather than try to figure out how to break the lock.


“(The virus) is so complicated and successful that you have to buy these Bitcoins, which we had never heard of,” Swansea Police Lt. Gregory Ryan told the Herald News.

In June 2014, the FBI and partners were able to seize command-and-control servers used for the Gameover Zeus botnet and CryptoLocker. As a result of the seizure, the security firm FireEye was able to develop a tool called DecryptCryptoLocker to unlock victims’ machines. Victims could upload locked files to the FireEye web site and obtain a private key to decrypt them. FireEye was only able to develop the tool after obtaining access to a number of the crypto keys that had been stored on the attack servers.

Prior to the crackdown, CryptoLocker had been so successful that it spawned several copycats. Among them was one called CryptoDefense, which used aggressive tactics to strong-arm victims into paying. If they didn’t fork over the ransom within four days, it doubled. They also had to pay using the Tor network so the transactions were anonymized and not as easily traced. The attackers even provided users with a handy how-to guide for downloading and installing the Tor client.

But they made one major mistake—they left the decryption key for unlocking victim files stored on the victim’s machine. The ransomware generated the key on the victim’s machine using the Windows API before sending it to the attackers so they could store it until the victim paid up. But they failed to understand that in using the victim’s own operating system to generate the key, a copy of it remained on the victim’s machine.

The “malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape,” Symantec noted in a blog post.

The business of ransomware has become highly professionalized. In 2012, for example, Symantec identified some 16 different variants of ransomware, which were being used by different criminal gangs. All of the malware programs, however, could be traced back to a single individual who apparently was working full time to program ransomware for customers on request.

The Ransomware to Watch Out for Now

Recently Fox-IT catalogued what they consider to be the top three ransomware families in the wild today, which they identify as CryptoWall, CTB-Locker, and TorrentLocker. CryptoWall is an improved version of CryptoDefense minus its fatal flaw. Now, instead of using the victim’s machine to generate the key, the attackers generate it on their server. In one version of CryptoWall they use strong AES symmetric cryptography to encrypt the victim’s files and an RSA-2048 key to encrypt the AES key. Recent versions of CryptoWall host their command server on the Tor network to better hide them and also communicate with the malware on victim machines through several proxies.

CryptoWall can not only encrypt files on the victim’s computer but also any external or shared drives that connect to the computer. And the shakedown demand can range anywhere from $200 to $5,000. CryptoWall’s authors have also established an affiliate program, which gives criminals a cut of the profit if they help spread the word about the ransomware to other criminal buyers.

CTB-Locker’s name stands for curve-Tor-Bitcoin because it uses an elliptic curve encryption scheme, the Tor network for hosting its command server, and Bitcoin for ransom payments. It also has an affiliate sales program.

TorrentLocker harvests email addresses from a victim’s mail client to spam itself to other victims. Fox-IT calculated at one point that TorrentLocker had amassed some 2.6 million email addresses in this manner.

Protecting against ransomware can be difficult since attackers actively alter their programs to defeat anti-virus detection. However, antivirus is still one of the best methods to protect yourself against known ransomware in the wild. It might not be possible to completely eliminate your risk of becoming a victim of ransomware, but you can lessen the pain of being a victim by doing regular backups of your data and storing it on a device that isn’t online.


Scamming Ransomware network chalked up $121M in the 1st half of 2016

Healthcare and manufacturing companies are among the least prepared in preventing data loss, finds Intel’s McAfee Labs Threat Report, which reveals US$100,000 worth of hospital-targeted ransomware payments.


A ransomware network appears to have chalked up US$121 million in payments over the first half of 2016 alone, as healthcare companies become hot targets due to their reliance on legacy systems.

A spate of ransomware attacks had been unleashed on hospitals early this year, with victims forking out some US$100,000 in payments to specific bitcoin accounts. While they still accounted for a comparatively small portion of overall ransomware targets, hospitals were among new verticals targeted by attack networks, according to Intel Security’s latest McAfee Labs Threat Report.

Researchers from the security vendor tracked a ransomware network that appeared to have received bitcoin payments worth US$121 million from ransomware activities targeting several sectors. The distributor seemed to have chalked up profits of US$94 million in the first half of 2016 alone, the report stated.


Pointing to the increased focus on the healthcare sector, it cited this industry’s dependence on legacy IT systems and on medical devices with weak or no security as key reasons why such companies became targets. Furthermore, these organisations tapped third-party services that might be commonly used in the sector and needed immediate access to information to support patient care. These factors also made them hot targets for malicious attacks.

“Hospitals represent an attractive combination of relatively weak data security, complex environments, and the urgent need for access to data sources, sometimes in life or death situations,” said Vincent Weafer, vice president for Intel Security’s McAfee Labs. “The new revelations around the scale of ransomware networks and the emerging focus on hospitals remind us that the cybercrime economy has the capacity and motivation to exploit new industry sectors.”

He added that healthcare and manufacturing both provided significant opportunities for cybercriminals due to their weak defence mechanisms and complex environments. “Cybercriminals’ motive is ease of monetisation, with less risk,” Weafer said. “Corporations and individuals can easily cancel stolen payment cards soon after a breach is discovered, but you can’t change your most personal data or easily replace business plans, contracts, and product designs.”

The apparent complacency among healthcare and manufacturing companies might be due to the low frequency of attacks these sectors experienced in the past, according to the McAfee survey. This, however, also meant the organisations made fewer investments in cybersecurity and had the least comprehensive data protection capabilities.

The report determined that retail and financial services companies had the most extensive protection against data loss, which was likely the result of the frequency of attacks targeting these sectors as well as the value of the data they held.

Across the board, more than 25 percent of respondents did not monitor data sharing and access involving sensitive employee or customer information. Some 37 percent did so, a figure that rose to 50 percent among the largest organisations.

And while 90 percent had cloud security strategies, only 12 percent said they had visibility of data activities in the cloud.

Almost 40 percent had experienced data loss involving physical media such as thumb drives, the report found, but only 37 percent used endpoint monitoring of user activities and physical media connections.

For the second quarter, McAfee Labs identified 316 new threats a minute with significant spikes in ransomware, mobile malware, and macro malware. Some 1.3 million new ransomware samples were recorded, the highest ever registered since the security vendor began tracking such threats.

Total ransomware climbed 128 percent in the quarter over the previous year, while macro malware increased 106 percent. New mobile malware reached a record high in the quarter, growing 151 percent year-on-year to hit nearly 2 million new samples.

New Trojans such as Necurs and Dridex fuelled a more than 200 percent increase in new macro malware in the quarter.
