Showing posts with the label The State of Security.

Monday, January 13, 2020

Texas School District Lost $2.3M to Phishing Email Scam

By David Bisson on 13/01/2020 on the site The State of Security


A school district in Texas announced that it lost approximately $2.3 million after falling victim to a phishing email scam.
On January 10, the Manor Independent School District (MISD) published a statement on Twitter and Facebook in which it revealed that it was investigating a phishing email scam that cost it $2.3 million.

In the statement, MISD Director of Communications Angel Vidal Jr said that the Federal Bureau of Investigations and the Manor Police Department were pursuing “strong leads” as part of their investigation but that their efforts were ongoing.
Vidal also took the opportunity to thank the Manor Police Department for working with MISD to notify the community about the security incident.
MISD’s statement didn’t disclose any further information about the phishing email scam, including how it occurred or how the school district, which serves 9,600 students, detected it.
Anne Lopez, a detective with the Manor Police Department, provided some details about the attack to television station KVUE:
It was three separate transactions. Unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was a fraudulent bank account.
Lopez’s insights suggest that the attack consisted of a business email compromise (BEC) scam in which digital fraudsters tricked an employee at MISD into changing the payment instructions for a vendor or supplier. Those attacks have individually cost companies like Nikkei and Toyota millions of dollars. Between June 2016 and July 2019, BEC scams were responsible for $26 billion in damages globally.
The attack described above highlights the importance of organizations taking steps to protect themselves against malicious emails. They can do so by educating their employees about some of the most common types of phishing attacks circulating in the wild today. This resource is a good place to start.

Thursday, May 9, 2019

RobbinHood ransomware attack brings down parts of City of Baltimore’s computer network

By Graham Cluley on May 9, 2019 on the site The State of Security




For the second time in a year, Baltimore city government computers have been infected by ransomware. Malicious hackers are demanding that a ransom is paid for the safe recovery of encrypted files on affected computers and servers.
On Tuesday, Mayor Bernard C. “Jack” Young tweeted how the city had “shut down the majority of its servers” out of “an abundance of caution,” but that the city’s core essential services (such as police and fire brigades) remained operational.
However, the email systems used by municipal employees, phone lines and online bill payments were impacted by the attack.
Amongst the departments affected was Baltimore’s Department of Public Works (DPW), which reported that its customer support line was unable to take calls because its network was down, and that it was suspending customers’ late water bill fees as it could not accept payments other than those delivered via cheque or money order.
According to Mayor Young, the City of Baltimore had seen no evidence that any personal data had been exfiltrated from the compromised computers. That’s normal with ransomware – the attackers are typically not interested in the content of the files and documents that you store on your network of computers – they simply want to deny you your access to them.
Frank Johnson, Baltimore’s Chief Information Officer, confirmed in a press conference streamed via Facebook that the offending malware was the “very aggressive RobbinHood ransomware”, and specifically that the FBI had identified it as a “fairly new variant.”
It’s unclear whether the variant of the RobbinHood malware is the same as that which hit the network of the city of Greenville, North Carolina, last month. In that incident, the city was forced to shut down the majority of its servers – although similarly police and fire emergency communications were not impacted.
Reporters at the Baltimore Sun managed to get a copy of the ransom note displayed by the malware on affected Baltimore government computers, and confirmed that it was initially requesting 3 Bitcoins (approximately US $18,000) for the recovery of encrypted files on each computer, or 13 Bitcoins (US $78,000) for the release of all the city’s files.
“We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections.”
“We won’t talk more, all we know is MONEY!. Hurry up! Tik Tak, Tik Tak, Tik Tak!”
Just last month we described how the RobbinHood ransomware would, on the fourth day following encryption, increase its extortion demand by $10,000 every 24 hours.
After 10 days, if the RobbinHood ransomware is to be believed, the City of Baltimore would be unable to recover their data at all.
In March 2018, Baltimore’s 911 automated dispatch system was taken offline by a ransomware attack. It was later determined that a member of IT staff accidentally misconfigured a firewall in the hours before the attack, allowing the ransomware to successfully infect the city’s computer-aided dispatch (CAD) system.
Questions will no doubt be asked as to whether lessons were properly learned after the earlier ransomware attack, and if this latest ransomware infection could have been avoided.
At the very least, this latest incident is a reminder to organisations of all sizes of the essential need for a layered defence and a comprehensive backup and disaster recovery process in preparation should an attacker manage to break through in future.

Thursday, February 8, 2018

Cryptomining Software Discovered on Tennessee Hospital’s EMR Server

By David Bisson on 08/02/2018 on the site The State of Security




A Tennessee hospital discovered cryptomining software installed on a server that hosts its electronic medical records (EMR) system.
In January 2018, Decatur County General Hospital began notifying patients of an incident involving its electronic medical record systems. Its breach notification letter (PDF) reveals the hospital first learned about the security event from its EMR vendor:
On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.”
Decatur County General Hospital. (Source: Nashville Public Radio)
Decatur County General Hospital subsequently launched its own investigation into the incident. So far, it has determined that a remote actor likely accessed the server on which its EMR system stores patients’ information, including their names, addresses, dates of birth, Social Security Numbers, insurance details, and medical treatment records. It has also found that the cryptomining software had been active since at least 22 September 2017.
The hospital’s EMR vendor replaced the server and operating system four days after discovery.
At this time, Decatur County General Hospital cannot confirm whether the individual responsible for the breach accessed patients’ information stored on the server. It tells patients as much:
Again, while our investigation continues into this matter, we have no evidence that your information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server. Our investigation to date, however, has been unable to reasonably verify that there was not unauthorized access of your information.
Cryptomining emerged as a salient threat in 2017. Tools responsible for generating new units of cryptocurrency preyed upon 1.65 million users over the first eight months of the year. Since then, researchers have discovered a single Monero mining campaign that victimized 15 million users in the fall of 2017. Such findings have led some security experts to wonder whether cryptomining will supplant ransomware as the most widespread form of digital crime in 2018.
Given that possibility, it’s important that hospitals and other healthcare organizations maintain the security and integrity of their EMR systems. They can find guidance for that objective here.
To learn more about how Tripwire can protect your healthcare organization against digital threats, click here

Wednesday, December 27, 2017

5 Things to Do to Secure Your Facebook Account From Hackers

The State of Security, 25/12/2017


Some time back, a Facebook account held little interest for hackers: there was simply nothing to gain from breaking into one.
Now that Facebook has grown to billions of users, it holds enough data for hackers to use for either monetary gain or blackmail. A celebrity’s account, for example, can be hacked so that someone can advertise a page or brand.
The hacker can also post embarrassing or discriminatory content that will leave the celebrity’s fans furious. Your account is also prone to hacking even if you aren’t a celebrity, so you obviously have to protect your Facebook account from malicious hackers.
It is not that hard to protect your account. Just follow these guidelines, and you’ll be good to go:

1) AVOID SAVING PASSWORDS ON PUBLIC DEVICES

Cybercafés are a convenient alternative when you have no data on your own device. They also end up holding a lot of people’s passwords, because most users simply click ‘yes’ on the save-password dialog box.
They do so because they are in a rush while browsing, and the same might happen to you. If you have to use a device that is not yours to browse the web, never save your passwords on a device you have no control over.
The password will remain there, and someone will be able to log into your account without any hassle.

2) ALWAYS LOG OUT ON OTHER DEVICES

Not saving your password is not the only precaution to take on public devices. Leaving your account logged in also paves the way for hackers to take control of it.
Even if you close the browser after a session, Facebook will keep the session alive for a while. If a person sits down right after you, they could have access to your account.
Make sure you have logged out and that neither your phone number nor your email address is still displayed in the login fields. Otherwise you may find some nasty posts on your wall if the next person is out to damage you.

3) OPT FOR TWO-FACTOR VERIFICATION

This feature sends an authentication message to your phone every time you, or a hacker, tries to log in to your account. You can use it through third-party software or through Facebook’s own verification mechanism.
When logging in, you receive a unique code that lets you access Facebook for that session only. Once the session has ended, you will need another authentication message to access your account again.
I know it is far less convenient than a one-click login. It is, however, better to be safe than sorry.

4) CLEAN UP YOUR BROWSER

It is always advisable to clean up your browser every once in a while.
Most phishing and virus activity is found on porn and torrent sites. If you are a frequent visitor (not judging), always clear your browsing data before someone gains access to your authentication details.
If that seems like too much hassle, just download an adware removal tool to take care of it for you. The next person trying to hack you will not find the ones and zeros they are phishing for.

5) PROTECT YOURSELF FROM SPYWARE AND MALWARE

Hacking problems are not only web-based. A person can hijack your browser through malicious software you may have unknowingly installed on your computer.
Some of this software can also spam pop-up ads onto your screen or browser. You can avoid this by using malware, adware, and spyware removers.
If your Facebook account has already been hacked, don’t panic. There are lots of ways you can recover a hacked Facebook account.

About the Author: Hello, I am Mohit. With a strong passion for cyber security, I’m a content developer and would like to invite you on this learning journey where we will explore the latest technology and hot cybersecurity topics to stay secure and vigilant against all forms of cyber attacks. You can find out more about my company here.

Friday, December 22, 2017

5 Notable DDoS Attacks of 2017

By David Bisson on 21/12/2017 on the site The State of Security


We all know what a great year distributed denial-of-service (DDoS) attacks had in 2016. In the last four months, the web registered two significant DDoS campaigns. The first targeted Brian Krebs at a peak size of 620 Gbps. The second struck Dyn and, in so doing, took down Twitter, Amazon, Spotify and other clients of the DNS provider’s critical infrastructure.
2017 was far quieter in terms of DDoS attacks, by comparison. But not for want of trying on the part of computer criminals. Indeed, Arbor Networks detected 6.1 million campaigns through September 30.
This figure breaks down to 22,426 attacks per day, 934 per hour, and 15 per minute. Additionally, the provider of network monitoring software observed several massive DDoS campaigns in 2017, with one even surpassing the attack that struck Krebs at 622 Gbps.
Amidst these millions of attacks, a few stood out for their targets and consequences. Here are five campaigns in particular that deserve mention.

1. Melbourne IT

Domain name registrar Melbourne IT, as well as two of its subsidiaries Netregistry and TPP Wholesale, suffered a DDoS attack on April 13. The assault began at 10:00 local time, forcing the victimized organizations to inform customers that their cloud hosting and mailing platforms, among other services, were at the time unavailable.
By 11:30, the companies had returned normal service by implementing “our DDoS mitigation services as standard operating procedure and… international traffic management measures.” It took them another hour to tell customers that they had resolved the issues and that they would continue to monitor the situation.

2. DreamHost

At 09:20 PDT on August 24, a DDoS attack deluged web hosting provider and domain name registrar DreamHost, knocking its systems – particularly its DNS infrastructure – offline.
The Register‘s Iain Thomson believes the attack originated from people who opposed the company’s decision, that same day, to take on Punished Stormer as a customer. That site is a reincarnation of the neo-Nazi Daily Stormer website, for which CloudFlare terminated service following the Charlottesville protests. DreamHost mitigated the attack a few hours later.

3. UK National Lottery

After 19:00 local time on September 30, someone decided to target the UK National Lottery with a DDoS campaign. The attack knocked the Lottery’s website www.national-lottery.co.uk and its mobile app offline, which prevented many UK citizens from playing the Lottery without visiting a partner retailer to purchase a ticket.
By 23:00 local time, the bulk of the attack had died down. Even so, the Lottery’s website and app continued to experience lesser issues until 03:00.

4. Electroneum

Electroneum cryptocurrency startup had crowdfunded $40 million worth of Bitcoin and Ether following an initial coin offering (ICO). Just before it launched its mobile mining app on November 2, the company’s website suffered a DDoS attack.
The campaign led Electroneum to lock investors out of their accounts while it worked to restore its network access. In the meantime, the Financial Conduct Authority took a moment to remind investors that ICOs offer no protection, which means investors should “be prepared to lose [their] entire stake.”

5. Boston Globe

On November 8 at approximately 15:00 EST, the Boston Globe suffered what was likely a probe to gauge the anti-DDoS defenses of bostonglobe.com and other websites owned by the company. This initial wave disrupted the newspaper’s telephones. It also interrupted its editing system.
Subsequently, the bad actors took the results of their test and resumed their attack at 11:00 EST on November 9. In so doing, they prevented many Boston Globe employees from doing their jobs and rendered bostonglobe.com inaccessible. Relief eventually came in mid-afternoon when the company’s Internet service provider put effective anti-DDoS measures in place.

Some Advice for the New Year

In light of the DDoS attacks discussed above, it’s important that companies make sure they prepare themselves for 2018 and beyond. Technology firms will continue to work to take down DDoS botnets like WireX. However, organizations should make sure they’ve protected themselves with DDoS mitigation technologies in the meantime.
For additional advice on how to defend against DDoS attacks, click here.

Monday, December 18, 2017

Monero Mining Software Found on Oil Transport Company’s Systems

By David Bisson on 18/12/2017 on the site The State of Security


An oil transportation company discovered that someone had installed Monero-mining software on its systems without its authorization.
On 14 December, Vladimir Rushailo, vice president of the Russian state-owned transport monopoly Transneft, revealed that the company had found that one of its computers had automatically downloaded software designed to mine the Bitcoin rival. As quoted in a statement provided to Reuters:
Incidents where the company’s hardware was used to manufacture cryptocurrency have been found. It could have a negative impact on the productivity of our processing capacity.
The company subsequently deleted the program from the computer. It also implemented “programs to block such downloads in the future.”
Transneft has not provided any details about what caused the computer to download the cryptocurrency miner, including whether a malicious insider or external actor might have hacked the workstation. What is clear, however, is that these types of attacks are growing in frequency. Pavel Lutsik, a head of information security projects with Croc IT firm, agrees:
More and more people have learn[ed] that, in fact, they do not even need to stand up from the sofa to make money – if they are not caught.
Transneft logo. (Source: Twitter)
In recent months, several organizations including Ultimate Fighting Championship and Showtime have removed CoinHive and other Monero miners, which slowed down visitors’ computers, from their websites. Attackers have also gone after companies’ internal networks directly in order to mine cryptocurrencies. F5 threat researchers detected one such campaign, dubbed “Zealot,” that leverages the Apache Struts Jakarta Multipart Parser attack as well as a flaw affecting the DotNetNuke (DNN) content management system to compromise vulnerable systems. It then leverages EternalSynergy and EternalBlue, exploits for the same Microsoft vulnerability abused by WannaCry and NotPetya, to move laterally inside the network, find Windows and Linux computers, and seize them for mining Monero.
Attackers victimized 1.65 million users with cryptocurrency miners in the first eight months of 2017. No doubt this number will increase to account for the rest of the year.
As reported by RT, Russia intends to create legislation that governs cryptocurrency mining and other related matters by July 2018. This move will no doubt help the state crack down on cryptocurrency mining attacks, especially those involving Russian corporate servers.
At the same time, organizations can take steps to protect themselves against cryptocurrency miners by making sure their computers are up-to-date. To do so, they should build a patch management program that, among other things, gives them complete visibility over all their assets and prioritizes known vulnerabilities based on their business requirements. For information on how Tripwire can help your organization build such a program, click here.

Tuesday, December 12, 2017

Notice of Ransomware Attack Released by National Capital Poison Center

By David Bisson on 12/12/2017 on the site The State of Security



The National Capital Poison Center (NCPC) in Washington, DC has published notice of a ransomware attack it suffered back in 2017.
According to the news release (PDF), the critical health resource detected a ransomware infection on its systems in October 2017. It then launched an investigation into the matter with the assistance of a third-party forensic expert. Here’s what the NCPC has learned so far:
While this investigation is ongoing, on November 27, 2017, NCPC determined that unauthorized access to a database server occurred on October 21, 2017, and that unauthorized access to the data stored on that server cannot be ruled out. The possibly affected database contains information provided during calls made to or from the center between January 1997 and October 21, 2017.
The NCPC goes on to clarify that the affected database did not contain Social Security Numbers, passport data, or any type of financial information. Instead it consisted of personal information collected during call center calls like a person’s name, date of birth, address, phone number, email address, and medical recommendations discussed over the phone.

At this time, it’s unclear what ransomware struck the NCPC, whether it paid the ransom or restored from backups, and how many people the attack might have affected.
Dr. Toby Litovitz, Executive and Medical Director of NCPC, urges those concerned by the possible exposure of their personal information to reach out to the Center:
NCPC takes the security of information stored on our systems very seriously, and we understand this incident may cause concern or inconvenience. We continue to work with third-party forensic investigators to ensure the security of our systems, and encourage people to contact us at 877-218-3009 (U.S. and Canada callers) or 814-201-3664 (international callers) with any questions or concerns.
The NCPC currently lacks complete contact information for at least some of the records in the affected database. As a result, it’s posting the ransomware notice on its homepage (poison.org) along with the websites of state media outlets and publications. It’s also urging those who might be affected to place a fraud alert or credit freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.
In the meantime, organizations can protect themselves against ransomware attacks by implementing foundational security measures that, among other things, protect data via encryption, limit what individuals can access sensitive information, and ensure an organization can recover from a data corruption incident using data backups. Learn more about these controls and how they pair with Tripwire’s solutions here.
News of this attack follows less than three months after Arkansas Oral & Facial Surgery Center notified 128,000 patients of a ransomware attack that might have exposed their information.

Thursday, December 7, 2017

22 Ransomware Prevention Tips

By David Balaban on 24/01/2016 on the site The State of Security


Dealing with the aftermath of ransomware attacks is like Russian roulette, where submitting the ransom might be the sole option for recovering locked data. This is precisely why focusing on prevention is a judicious approach to adopt.
The growth of ransomware over the past few years has driven the security industry to create myriads of tools applicable for blocking these types of threats from being executed on computers. Few of them are 100% bulletproof, though.
This article is focused on additional measures that users should employ to ensure a higher level of defense against these plagues.
1. First and foremost, be sure to back up your most important files on a regular basis.
Ideally, backup activity should be diversified, so that the failure of any single point won’t lead to the irreversible loss of data. Store one copy in the cloud, resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD.
An efficient tactic is to toggle data access privileges and set read/write permissions, so that the files cannot be modified or erased. An additional tip is to check the integrity of your backup copies once in a while.
2. Personalize your anti-spam settings the right way.
Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It’s a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr.
3. Refrain from opening attachments that look suspicious.
Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.
4. Think twice before clicking.
Dangerous hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.
5. The Show File Extensions feature can thwart ransomware plagues, as well.
This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clear of potentially harmful files. The fraudsters may also utilize a confusing technique where one file can be assigned a couple of extensions.
For instance, an executable may look like an image file and have a .gif extension. Files can also look like they have two extensions – e.g., cute-dog.avi.exe or table.xlsx.scr – so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in Microsoft Word documents.
6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
This habit can prevent compromises via exploit kits.
7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
This is particularly efficient on an early stage of the attack because the ransomware won’t get the chance to establish a connection with its Command and Control server and thus cannot complete the encryption routine.
8. Think of disabling vssadmin.exe.
This Windows utility administers the Volume Shadow Copy Service (VSS) and is normally a handy tool for restoring previous versions of arbitrary files. With rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a liability rather than a favorable service, because ransomware runs it to wipe the shadow copies.
If it is disabled on a computer at the time of a compromise, ransomware will fail to use it to obliterate the shadow volume snapshots. This means you can use VSS to restore the encrypted files afterwards.
9. Keep the Windows Firewall turned on and properly configured at all times.
10. Enhance your protection more by setting up additional Firewall protection.
There are security suites out there that accommodate several Firewalls in their feature set, which can become a great addition to the stock defense against a trespass.
11. Adjust your security software to scan compressed or archived files, if this feature is available.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
13. Consider disabling Windows PowerShell, which is a task automation framework.
Keep it enabled only if absolutely necessary.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.
15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
16. Use strong passwords that cannot be brute-forced by remote criminals.
Set unique passwords for different accounts to reduce the potential risk.
17. Deactivate AutoPlay.
This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.
18. Make sure you disable file sharing.
This way, if you happen to get hit, the ransomware infection will stay isolated to your machine only.
19. Think of disabling remote services.
Otherwise, the threat could rapidly propagate across the enterprise network, causing serious security issues for the business environment if your computer is part of it.
For example, the Remote Desktop Protocol can be leveraged by the black hat hackers to expand the attack surface.
20. Switch off unused wireless connections, such as Bluetooth or infrared ports.
There are cases where Bluetooth gets exploited for stealthily compromising the machine.
21. Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
22. Block known-malicious Tor IP addresses.
Tor (The Onion Router) gateways are the primary means for ransomware threats to communicate with their C&C servers. Therefore, blocking those may impede the critical malicious processes from getting through.
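A small policy check in Python that puts tips 2, 5, 11 and 21 above into code (an added example, not code from the article or its author); the extension lists beyond .exe/.vbs/.scr, the directory names and the sample filenames are assumptions chosen for the demo:

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Extensions to block at the mail gateway (tip 2). .exe, .vbs and .scr come
# from the article; the remaining entries are an assumption for this demo.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta"}
# Harmless-looking extensions that get paired with an executable one (tip 5).
DECOY_EXTENSIONS = {".avi", ".gif", ".jpg", ".png", ".pdf", ".doc", ".docx", ".xlsx", ".txt"}
# Archives are expanded and scanned rather than waved through (tip 11).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Macro-enabled Office formats; tip 5 names Word macros as an attack vector.
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
# Directories tip 21 lists as common homes for malicious processes.
SRP_BLOCKED_DIRS = {"programdata", "appdata", "temp"}


@dataclass
class Verdict:
    filename: str
    action: str                       # "block", "scan", "review" or "allow"
    reasons: list = field(default_factory=list)


def hidden_extension_view(name: str) -> str:
    """What Explorer shows for `name` when 'Show file extensions' is off:
    only the final extension is hidden, so cute-dog.avi.exe reads as cute-dog.avi."""
    path = PureWindowsPath(name)
    return path.stem if path.suffix else name


def check_attachment(name: str) -> Verdict:
    """Classify an attachment by its name alone; content scanning is a separate layer."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    verdict = Verdict(name, "allow")
    if last in BLOCKED_EXTENSIONS:
        verdict.action = "block"
        verdict.reasons.append(f"executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            verdict.reasons.append(
                f"double extension {suffixes[-2]}{last} displays as "
                f"'{hidden_extension_view(name)}' when extensions are hidden")
    elif last in ARCHIVE_EXTENSIONS:
        verdict.action = "scan"
        verdict.reasons.append("archive: expand and scan the contents")
    elif last in MACRO_ENABLED:
        verdict.action = "review"
        verdict.reasons.append("macro-enabled Office document")
    return verdict


def runs_from_srp_blocked_dir(path: str) -> bool:
    """True when an executable's path lies under one of the directories tip 21 names
    (ProgramData, AppData, Temp and Windows\\SysWow, matched as path components)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in SRP_BLOCKED_DIRS or p.startswith("syswow") for p in parts)


if __name__ == "__main__":
    # Constructed sample names, including the two the article uses as examples.
    for sample in ["cute-dog.avi.exe", "table.xlsx.scr", "invoice.pdf", "photos.zip", "budget.xlsm"]:
        v = check_attachment(sample)
        print(f"{sample:20} -> {v.action:6} {'; '.join(v.reasons)}")
    print(runs_from_srp_blocked_dir(r"C:\Users\bob\AppData\Local\Temp\inv.exe"))
```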
Since ransomware is definitely today’s number one cyber peril, both for the damage it causes and for its prevalence, the countermeasures above are a must. Otherwise, your most important files could be completely lost.
The key recommendation, though, is the one about backups – offline or in the cloud. In this scenario, the recovery consists of removing the ransom Trojan and transferring data from the backup storage.
Currently, dealing with the consequences of ransomware isn’t very promising from the file decryption perspective. That is why thwarting the virus attack can save you a pretty penny and guarantee peace of mind.

Wednesday, December 6, 2017

November 2017: The Month in Ransomware

On 06/12/2017 on the site The State of Security


November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt should be really ashamed of themselves, as their brainchild goes a scorched-earth route and simply destroys victims’ data beyond recovery. Furthermore, quite a few copycats of the infamous WannaCry ransomware popped up only to demonstrate that the original is always better than the sequel.
All in all, here’s a brief statistical breakdown of the month: 37 new ransomware species were discovered, 23 existing samples got a facelift, and three ransomware decryptors were released by the white hats.

NOVEMBER 1, 2017

Hidden Tear offshoot with French origin
Threat actors continue to abuse the proof-of-concept Hidden Tear ransomware. Its newest real-life incarnation targets French users, appends encrypted files with the .hacking extension, and instructs victims to contact the attacker at fbi-cybercrimedivision@hotmail.com.

NOVEMBER 2, 2017

Ostentatious claims regarding Hidden Tear
An umpteenth remake of the above-mentioned academic Hidden Tear goes live. It blemishes encrypted files with the .locked string, drops a READ_ME.txt help manual, and displays a questionably truthful warning screen claiming it is “one of the most powerful ransomware’s around”.
Magniber strain updated
Magniber, a ransomware sample that’s most likely a successor to the nasty Cerber culprit, undergoes an update within one of the multiple affiliate campaigns. The infection switches to subjoining the .skvtb extension to ransomed files.
It’s time for Jigsaw to get some fine-tuning
Cybercriminals release a new variant of the Jigsaw ransomware, a true old stager on the extortion arena. The pest now appends the .game suffix to victims’ data entries while still displaying the same movie-themed background.
Hermes ransomware remake
The current edition of this perpetrating program is called Hermes 2.1 Ransomware. It stains encrypted files with the .HRM extension and leverages a mix of the RSA cipher and Microsoft’s CryptGenRandom function to lock data.
New hallmarks of the Matrix ransomware
A few tweaks are made to the existing blackmail Trojan called Matrix. Its latest build labels hostage data with the _[RELOCK001@TUTA.IO].[original extension] string and provides recovery steps in a document named !OoopsYourFilesLocked!.rtf.

NOVEMBER 3, 2017

GIBON ransomware released and quickly decrypted
This one appears to be quite professionally tailored, but that impression is somewhat deceptive. It concatenates the .encrypt extension to files, leaves a ransom how-to named READ_ME_NOW.txt, and works just like garden-variety ransomware. However, malware analyst Michael Gillespie finds a way to defeat the crypto and contrives a free decryption tool shortly after GIBON’s discovery.
Sad Ransomware lives up to its name
The specimen in question drops a _HELPME_DECRYPT.html rescue note and appends a victim-specific extension to locked files. When it’s done encrypting data, it generates a short beep sound. So far, files cannot be decrypted without paying the ransom.
Ranion ransomware gets a fresh look and feel
Ranion was originally spotted in early February 2017 as a RaaS (Ransomware-as-a-Service) platform. It took the crooks nine months to come up with a fresh edition that blemishes a plagued user’s files with the .ransom extension and provides recovery tips in a README_TO_DECRYPT_FILES.html manual. The ransom note is available in seven different languages.

NOVEMBER 4, 2017

Hidden Tear echoes back, once again
A new blackmail virus based on the educational Hidden Tear code appears. It’s called Curumim and targets a Portuguese-speaking audience. The pest concatenates the .curumim extension to encoded files and provides a ransom payment deadline of one day.
XiaoBa ransomware updated
This strain originally surfaced on October 27, so it took the ne’er-do-wells one week to craft and release an updated edition. The infection now locks the screen of an infected PC and demands a Bitcoin equivalent of 250 RMB (Chinese Yuan), which is worth about $37.
Zika ransomware continues the HT saga
The scandalous Hidden Tear project gives rise to Zika, a ransom Trojan targeting Spanish-speaking users. It concatenates the .teamo string to locked data items.
Waffle ransomware isn’t too delicious
The new Waffle ransomware is exactly what it sounds like. Its ransom notification is named ‘Waffle’ and includes a picture of a bunch of waffles in the background. Furthermore, it appends the .waffle extension to a victim’s files. The ransom amounts to $50 worth of Bitcoin.

NOVEMBER 6, 2017

Unexpected details of the GIBON ransomware unearthed
In-depth analysis of the GIBON ransomware campaign has revealed that it’s much older than previously thought. Specifically, this turnkey ransomware kit has been marketed on Russian dark web forums since May 2017.

NOVEMBER 7, 2017

Sigma ransomware spotted
The payload of this sample is disguised as a GUID Helper tool (GUID.exe.bin). Having encrypted a victim’s valuable files, Sigma stains them with a random extension and drops a ransom how-to document named ReadMe.txt. The attackers demand $1,000 worth of Bitcoin for the private key and decryptor software.

NOVEMBER 8, 2017

The premature Christmas Ransomware
Extortionists are, obviously, prepping for the holiday season with the new Christmas Ransomware. It displays a picture of a leafless forest with Christmas toys hanging on the trees. The ransom amounts to 0.03 Bitcoin (about $230). It is currently in development and does not encrypt data yet.
Another city hit by blackmail virus
The computer servers of the city of Spring Hill, TN get hijacked by an unknown strain of ransomware. The infection reportedly took root as an employee clicked on a booby-trapped email attachment. As a result, city workers are unable to use email and accept online payments. The criminals ask for $250,000 to restore the affected services.
Jhash ransomware uses a file extension familiar to many
The fresh sample called Jhash is a Hidden Tear spinoff zeroing in on Spanish-speaking computer users. It subjoins the .locky extension to encoded files and instructs victims to submit ransoms via the Payza online payment platform.

NOVEMBER 9, 2017

Ordinypt – classic ransomware or wiper?
The specimen in question is propagating in Germany. Ordinypt drops rescue notes named Wo_sind_meine_Dateien.html (“Where_are_my_files.html” in English). As opposed to commonplace crypto parasites, this one overwrites files with random values instead of encrypting them. Consequently, there is no way to restore the data.

NOVEMBER 10, 2017

LockCrypt has got a RaaS-related background
The sample called LockCrypt was originally distributed via a Ransomware-as-a-Service platform called Satan. Later on, the threat actors must have invested some money and effort to code their own ransomware operating independently from the RaaS. LockCrypt is deposited on computers and servers by brute-forcing RDP credentials.
CrySiS ransomware fine-tuned
The most recent edition of the CrySiS, or Dharma, ransomware switches to adding the .cobra extension to locked files. It also drops a ransom note named ‘Files encrypted!!.txt’ and instructs victims to contact the attackers at cranbery@colorendgrace.com for recovery steps.
LOL ransomware passes itself off as a keygen
The malicious binary of the C# based LOL ransomware strain is masqueraded as a keygen application for VMware products. It concatenates the .lol string to encrypted files.

NOVEMBER 11, 2017

Jigsaw strain gets slightly modified
A brand-new variant of the Jigsaw ransomware is detected in the wild. It stains hostage data with the .##encrypted_by_pabluklocker## extension token and displays an updated set of messages.
Blackmail virus pretending to come from Cyber Police
Threat actors take advantage of the Hidden Tear project to coin another real-world crypto infection. The latest incarnation sports a warning message saying, “Your computer is blocked by Cyber Police for unlicensed software’s usage.” The pest subjoins the .locked suffix to ransomed files.
GlobeImposter changes its behavior
Some of the recent editions of the fertile GlobeImposter strain feature an externally inconspicuous yet significant modification in their modus operandi. The developers have changed the culprits’ config extraction script and the technique used to encrypt configuration data.

NOVEMBER 12, 2017

Stroman ransomware resurfaces
Although the perpetrating program in question hasn’t ever been in wide distribution and pretty much vanished from the extortion arena lately, it spawned a new version out of the blue. The baddie now concatenates the .fat32 extension to files and provides recovery tips in the info.txt manual.

NOVEMBER 13, 2017

CryptoMix reaches the end of the alphabet
The latest mod of the fairly professionally made CryptoMix ransomware switches to using the .XZZX extension string for scrambled files. As before, the rescue note is named _HELP_INSTRUCTION.txt.
jCandy isn’t sweet at all
Malware analysts stumble upon a fresh specimen called jCandy. It affixes the .locked-jCandy string to no-longer-accessible data. Interestingly, this one drops two different editions of the ransom how-to at the same time named READ_ME.txt and JCANDY_INSTRUCTIONS.txt.
In-dev French ransomware discovered
Once again, security experts were able to spot a blackmail infection before it went real-world. This one displays all of its warnings in French and is configured to stain files with the .lockon suffix. This would-be baddie currently doesn’t encrypt data anywhere except a directory named ‘testrw’.
Dr.Web cracks a relatively new ransom Trojan
A ransomware lineage blemishing encrypted data with the .[attacker’s email].blind or .[attacker’s email].kill extensions is now potentially decryptable courtesy of Dr.Web antivirus vendor. Those infected may be able to restore their files using the company’s Rescue Pack tool. Be advised: this service isn’t free.
Unsurprisingly, GlobeImposter gets another update
The most recent iteration of GlobeImposter brings about the following new attributes: the .kimchenyn file extension, plus a ransom notification named how_to_back_files.html.
Fresh Amnesia2 ransomware version turns out somewhat crude
The edition in question scrambles filenames beyond identification and concatenates the .am extension to each one. Its ransom how-to document, ENCRYPTED FILES.txt, contains nothing but a bunch of digits that don’t make sense. So victims have no idea how to pay the ransom even if they are up to it. This, by the way, isn’t a good idea because a free tool called Emsisoft Decrypter for Amnesia2 supports this pest.
Goofed ransomware surfaces
The silly name doesn’t make this Hidden Tear offspring any less harmful than the rest. It speckles encrypted files with the .goofed extension and provides recovery steps in a YOU_DONE_GOOFED.txt document. Goofed ransomware demands $100 worth of Bitcoin for decryption.

NOVEMBER 14, 2017

GlobeImposter authors get naughty
The GlobeImposter family expands with yet another sample. This time, the culprit concatenates the .SEXY extension to ransomed data entries and instructs users to send a message to sexy_chief@aol.com for recovery steps.

NOVEMBER 15, 2017

J. Sterling Student Survey ransomware
This one zeroes in specifically on students of J. Sterling Morton school district, Illinois. Its propagation relies on a bogus student survey that looks trustworthy enough for would-be victims to go ahead and click through. The ransomware does not do any real damage in its current state.

NOVEMBER 16, 2017

RASTAKHIZ ransomware campaign underway
Cybercriminals strike again using the Hidden Tear PoC. One more spinoff labels encrypted data with the .RASTAKHIZ extension. The infection goes with a well-designed GUI.

NOVEMBER 17, 2017

CryptoMix switches to a numeric extension
One more version of the CryptoMix ransomware pops up that concatenates the .0000 string to one’s skewed files and uses an updated set of four contact email addresses. The name of the ransom note is the same (_HELP_INSTRUCTION.txt).
WannaSmile ransomware
This one sure sounds better than the ill-famed WannaCry threat but isn’t much more promising for victims. Its ransom note ‘How to decrypt files.html’ is in Persian. The extension added to filenames is .WSmile.
CorruptCrypt is good at evading AVs
The sample called CorruptCrypt boasts a zero detection rate two days after discovery, which is a disconcerting hallmark. It uses two extensions concurrently to stain locked files, namely .corrupt and .acryhjccbb@protonmail.com.
Hand of God screen locker isn’t celestial at all
The ransom Trojan in question displays an “FBI anti-piracy warning” screen and instructions in French. It coerces victims to pay 0.06 Bitcoin (about $580) for unlocking their computers.
BASS-FES proves the Hidden Tear abuse story is ongoing
Yet another derivative of the academic Hidden Tear starts making the rounds. It’s called BASS-FES, which is an acronym for BitchASS File Encryption System. This pest subjoins the .basslock suffix to encrypted items.

NOVEMBER 18, 2017

Russian imitation of WannaCry appears
The warning screen displayed by this ransomware is a close resemblance to WannaCry’s, but it is titled “Wanna die decrypt0r” and contains Russian text. While still in development, it does not encrypt files at this point.

NOVEMBER 20, 2017

CrySiS ransomware update
The latest mod of the CrySiS/Dharma ransomware strain switches to concatenating the .java extension to encrypted data entries.

NOVEMBER 21, 2017

Cryakl ransomware devs feel fairytale-ish
Cryakl is a lineage that was one of the pioneers on the extortion arena and pretty much vanished from this threat landscape. As part of the first update in many months, though, the pest starts adding the .fairytale string to encoded files.
CryptoLocker lookalike called Locket ransomware
The Locket sample goes with a GUI imitating that of the infamous CryptoLocker. Although it fails to perform encryption, it demands a ransom of 0.1424 BTC (about $1,500).
GlobeImposter fine-tuned
A fresh variant of the GlobeImposter crypto baddie subjoins the .Ipcrestore extension to enciphered files and continues to drop a rescue note named how_to_back_files.html.

NOVEMBER 22, 2017

The unusual qkG ransomware
As opposed to other ransomware strains, the qkG sample only targets Microsoft Office documents spotted on a contaminated computer. To add insult to injury, it also affects all new Word files that the victim opens.
Test version of IGotYou ransomware
The culprit in question appends the .iGotYou extension to encoded files. Luckily, it isn’t fully functional at this point, and it only encrypts data in a Test folder on drive C of the author’s computer. The infection demands 10,000 Indian rupees for decryption, which provides a clue about the developer’s country of residence.
Another day, another WannaCry copycat
Security analysts spot a WannaCry ransomware imitator displaying its warning messages in Portuguese. It coerces victims to submit the ransom of 0.006 BTC within seven days.

NOVEMBER 23, 2017

A similarity between the new Scarab ransomware and Locky
Just like Locky, the old stager in the extortion landscape, the Scarab ransomware is making the rounds via malicious spam generated by the Necurs botnet. It blemishes encrypted files with the .[suupport@protonmail.com].scarab extension and leaves a ransom how-to file named “If you want to get all your files back, please read this.txt”.
Researchers unearth ransomware statistics for Africa
According to Sophos, the top ransomware lineages in Africa as of 2017 are Cerber (80% prevalence), WannaCry (17%), Locky and Jaff (1% each), and the destructive Petya (0.5%).
Cryp70n1c Army blackmail virus
This one is a Hidden Tear offshoot that stains locked data with the .cryp70n1c suffix. It threatens to delete all hostage files unless the victim coughs up the ransom in a three-day timeframe.

NOVEMBER 24, 2017

Girlsomeware appears to be a prank
The new ransom Trojan called Girlsomeware instructs those infected to click on several dozen checkboxes in order to restore allegedly encoded files. However, it doesn’t actually encrypt anything, so the trivial assignment isn’t compulsory at all.

NOVEMBER 25, 2017

ExoBuilder fails to impress
The ExoBuilder tool is being advertised on black hat hacking forums as a means to create new ransomware. It is supposed to subjoin the .exo extension to files and drop a rescue note named UnlockYourFiles.txt. However, all it does is sprinkle a slew of new files all over the computer and displays a full-screen warning to instill fear. An infected user should simply restart their machine to get rid of it.

NOVEMBER 27, 2017

StorageCrypter stands out from the crowd
The specimen codenamed StorageCrypter zeroes in on NAS (network-attached storage) devices. Having skewed one’s valuable files, it concatenates the .locked string to each one and provides recovery steps in the _READ_ME_FOR_DECRYPT.txt how-to document.
Samas ransomware refreshed
A brand-new version of the Samas/SamSam blackmail virus differs from its forerunner in that it uses the .areyoulovemyrans extension to label hostage data.
Magniber starts using a gibberish extension
Magniber, the crypto infection believed to be a successor of Cerber, undergoes fine-tuning in a way. It switches to using the .vpgvlkb extension for ransomed files, which doesn’t appear to make any sense. Another tweak is that it drops a recovery note named ‘read me for decrypt.txt’.
Researchers trying to hunt down a new cyber culprit
MalwareHunterTeam’s Michael Gillespie tweets another ransomware-hunt request to fellow analysts. The baddie being sought is a new French ransom Trojan someone uploaded to the ID Ransomware portal. It stains data with the .locked suffix and uses a rescue note named READ_ME_FOR_ALL_YOUR_FILES.txt. The initiative has been to no avail at the time of this writing.

NOVEMBER 28, 2017

HC6 ransomware decrypted
Security experts contrive a free decryption tool supporting the HC6 ransomware. This perpetrating program appends the .fucku extension to encoded files and leaves a ransom note named recover_your_files.txt.
Known ransomware passing itself off as a keygen program
For the record, the CryptON ransomware is a .NET based sample discovered a year ago. Its latest update has introduced a fairly unusual alteration. The infection’s payload now goes camouflaged as a keygen utility for EaseUS Data Recovery, a popular file restoration suite.
Crypt12 strain updated
Security analysts were able to fine-tune the existing free decryptor for Crypt12 ransomware shortly after its new edition was spotted in the wild. The tool now supports the variant that blemishes encrypted files with the ‘=[victim ID]=hello@boomfile.ru.crypt12’ extension.
MaxiCrypt ransomware discovered
This one scrambles filenames and appends them with the .[maxicrypt@cock.li].maxicrypt extension. The ransom how-to file is named ‘How to restore your data.txt’.

NOVEMBER 29, 2017

Brazilian WannaPeace ransomware spotted
Cybercrooks from Brazil calling themselves AnonymousBr must have decided to pay homage to the mega-successful WannaCry ransomware that broke out in May 2017. The copycat is called WannaPeace. It prepends the ‘_enc’ string to an original file extension. The ransom amounts to 0.08 BTC (about $900).
Crypt888 ransomware reemerges
The proprietors of the extortion campaign through Crypt888 ransomware haven’t released any fresh variants for months. This has changed with a recent update no one in the security circles really expected. The pest now instructs victims to contact the attackers via maya_157_ransom@hotmail.com email address.

NOVEMBER 30, 2017

HC6 strain upgraded to HC7? How prosaic
The brand new HC7 variant from the existing lineage uses the .GOTYA string to stain encrypted files. According to preliminary analysis, it infects computers via hacked RDP services.
ACCDFISA ransomware gaining momentum in Brazil
This sample is one of the oldest known ransom Trojans and has literally risen from the ashes. The name stands for ‘Anti Cyber Crime Department of Federal Internet Security Agency’, a purported organization that doesn’t even exist. According to statistics obtained via the ID Ransomware service, this infection has been increasingly targeting Brazilian users during November.
New lousy specimen out there
Analysts stumble upon a sample using a binary named REAL DANGEROUS RANSOMWARE.exe. Despite the scary executable name, it turns out to be all bark and no bite. It’s nothing but a screen locker that a victim can get around by simply pressing Alt+F4.
GlobeImposter and Necurs are now in cahoots
The architects of the GlobeImposter ransomware campaign change their tactics in terms of distribution. The crypto culprit has begun making the rounds via spam generated by Necurs, one of the world’s largest botnets.

SUMMARY

Only three new decryption tools crafted in November, against a slew of fresh ransomware strains, still makes for an unsettling ratio. Under the circumstances, users should rely on their personal online hygiene rather than researchers’ success. Simply exercising caution with spam email attachments significantly reduces the risk of being infected. Keep that in mind, and don’t forget to back up your important files on a regular basis.
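As an added example (editor’s code, not from the article or from the ID Ransomware service it mentions), here is a small triage routine in the spirit of that service: it pairs encrypted-file extension patterns with ransom-note names taken from the entries above, which is what separates the several families sharing .locked and keeps the Jhash .locky from being mistaken for Locky. The signature table is a hypothetical, incomplete subset built only from this post, and the directory listing is constructed for the example.

```python
import re

# Signature table constructed from the November 2017 entries above:
# (family, regex over the encrypted file name, ransom-note file name, or None
# when the entry reports no note). Hypothetical and incomplete; example only.
SIGNATURES = [
    ("CryptoMix", r"\.(?:XZZX|0000)$", "_HELP_INSTRUCTION.txt"),
    ("CrySiS/Dharma", r"\.(?:cobra|java)$", "Files encrypted!!.txt"),
    ("GlobeImposter", r"\.(?:kimchenyn|SEXY|Ipcrestore)$", "how_to_back_files.html"),
    ("Scarab", r"\.\[suupport@protonmail\.com\]\.scarab$",
     "If you want to get all your files back, please read this.txt"),
    ("Crypt12", r"=\[[^\]]+\]=hello@boomfile\.ru\.crypt12$", None),
    ("MaxiCrypt", r"\.\[maxicrypt@cock\.li\]\.maxicrypt$", "How to restore your data.txt"),
    # ".locky" here is the Hidden Tear spinoff Jhash, not the real Locky family.
    ("Jhash (Hidden Tear)", r"\.locky$", None),
    # ".locked" is shared by several families; only the note name tells them apart.
    ("StorageCrypter", r"\.locked$", "_READ_ME_FOR_DECRYPT.txt"),
    ("Hidden Tear variant", r"\.locked$", "READ_ME.txt"),
    ("Unidentified French sample", r"\.locked$", "READ_ME_FOR_ALL_YOUR_FILES.txt"),
]
_COMPILED = [(fam, re.compile(rx), note) for fam, rx, note in SIGNATURES]
_NOTE_NAMES = {note.lower() for _, _, note in SIGNATURES if note}


def is_ransom_note(name):
    """True when the file name is a ransom-note name listed in the table."""
    return name.lower() in _NOTE_NAMES


def identify(filename, notes_present):
    """Return (family, confidence) candidates for one encrypted file name.
    'high' = extension pattern and ransom-note name both matched; 'low' =
    extension only (or the table lists no note). High candidates come first."""
    notes = {n.lower() for n in notes_present}
    candidates = []
    for fam, rx, note in _COMPILED:
        if rx.search(filename):
            strong = note is not None and note.lower() in notes
            candidates.append((fam, "high" if strong else "low"))
    candidates.sort(key=lambda c: c[1] != "high")  # stable: keeps table order
    return candidates


def triage(listing):
    """Split a listing into ransom notes and data files, identify each data file
    against the notes beside it, and return (notes, {filename: candidates})."""
    notes = [n for n in listing if is_ransom_note(n)]
    hits = {}
    for name in listing:
        if not is_ransom_note(name):
            cands = identify(name, notes)
            if cands:
                hits[name] = cands
    return notes, hits


# Constructed sample listing for this example (not from a real incident).
SAMPLE_LISTING = [
    "_HELP_INSTRUCTION.txt",
    "budget.xlsx.0000",
    "_READ_ME_FOR_DECRYPT.txt",
    "photo.jpg.locked",
    "invoice.pdf.locky",
    "backup.zip=[A1B2C3]=hello@boomfile.ru.crypt12",
    "readme.md",
]
```

Calling `triage(SAMPLE_LISTING)` attributes the .0000 file to CryptoMix with high confidence because its note is present, ranks StorageCrypter above the other .locked families for the same reason, and leaves readme.md out.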

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.