Tag Archives: ransomware

Ransomware: A Crippling and Ever-Present Threat

Ransomware continues to cast a long shadow, dominating the cyberthreat landscape for small and medium-sized businesses (SMBs), according to a recent report from Datto.

Ransomware was the most common cyberattack experienced by SMBs in 2018, with companies facing these attacks more than viruses or spyware.

Datto’s Report

The report surveyed 2,400 managed service providers (MSPs) that provide IT support for roughly half a million SMBs worldwide. It found that ransomware attacks occur frequently and are, unsurprisingly, expected to increase.

More than 55% of those surveyed said their clients experienced a ransomware attack in the first six months of 2018, and 35% said their clients were attacked multiple times – often in the same day. 92% of MSPs said they predict the number of attacks will continue at current or increased rates.

Bristol Airport Cyber Attack Leaves Passengers and Airport Staff Scrambling

Airline travelers at Bristol Airport, the UK’s ninth-largest airport, which handles more than 8 million passengers a year, were forced to read departure times off old-fashioned whiteboards due to technical issues caused by a recent cyber-attack.

Airport officials confirmed the airport was subject to an opportunistic ransomware attack. Ransomware is a type of malicious software that encrypts (“kidnaps”) user data and withholds it unless a ransom is paid.

The Ransomware Attack

Ransomware (also called cyber extortion) is a type of malware (i.e. malicious software) designed to hijack your computer by locking your important files and forcing you to pay a ransom to unlock them. Cyber criminals infect your computer with ransomware by tricking you into clicking a malicious email attachment that downloads the ransomware, or by luring you to a website that carries it.

Furthermore, a growing number of attacks have used remote desktop protocol and other approaches that don’t rely on any form of user interaction to cause the ransomware infection.

SamSam Ransomware: A Continued and Growing Cyber Threat

The SamSam ransomware has affected far more victims than initially thought – raising nearly $6 million and counting in ransom demands. According to Sophos’ research of the SamSam ransomware, it’s estimated that roughly 233 victims have paid a ransom to the attackers so far.

Sophos Report

Sophos has uncovered new details about the SamSam ransomware, focusing on how it works and how it’s evolving. Most ransomware is spread in large, untargeted spam campaigns sent to thousands of people. These attacks use simple techniques to infect victims, raising money through large numbers of relatively small ransom requests. SamSam, on the other hand, is used in specific, targeted attacks.

SamSam attackers break into a specific victim’s network and then run the malware manually. These attacks are tailored to cause maximum damage, with ransom demands in the tens of thousands of dollars – the largest individual victim so far shelled out $64,000.

Although initially thought to specifically target healthcare, government and education sectors, the Sophos report indicates that the private sector has been equally attacked. However, victims in the private sector have been more reluctant to come forward.

Ransomware Update: September Edition

As noted here in our monthly updates, ransomware is a destructive cyber-attack that only seems to be gaining traction. It poses a serious threat to an organization’s active data, backup data, system configurations, and baseline operating systems.

NIST & NCCoE Publish Guidelines for Ransomware

NIST and NCCoE partnered to provide guidance on recovering from ransomware.

The complete guide is NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events.

“This project explores methods to effectively recover operating systems, databases, user files, applications, and software/system configurations. It also explores issues of auditing and reporting to support recovery and investigations.”

“The goal of this effort is to help organizations identify:

  • Altered data, as well as the date and time of alteration
  • The identity of those who alter data
  • Other events that coincide with data alteration
  • Any impact of the data alteration
  • The correct backup version (free of corrupted data) for restoration”

IT security professionals will find this practical guide helpful in improving the legitimacy of backup data, reducing the impact and downtime of a ransomware attack, and providing more continuity of operations.

Bitpaymer Ransomware Wreaks Havoc on Scottish Hospitals

A new version of Bitpaymer ransomware is back and spreading via the Remote Desktop Protocol. NHS Lanarkshire encountered the new variant in what is its second attack of the year.

NHS Lanarkshire is part of Britain’s National Health Service, and was victimized earlier, in May, by the WannaCry ransomware outbreak.

Once they discovered the Bitpaymer attack, NHS Lanarkshire alerted the public on Facebook noting the IT issues and disruption to services. That was quickly followed up by a warning to patients looking for care at the emergency department.

NHS Lanarkshire promptly engaged their contingency plan, and within a few days the IT team restored most of the affected systems. The hospital did not pay the ransom demand.

Bitpaymer Details

The new version of Bitpaymer was successful at sliding by anti-virus defenses unnoticed and infecting the system. From there, it performs the encryption process and saves the locked files with the ‘.locked’ extension.

[Figure: the Bitpaymer ransom message]

Bitpaymer is known to spread by leveraging the Remote Desktop Protocol (RDP). Attackers search for Internet-connected endpoints with RDP enabled and brute-force username and password combinations. They then use ordinary RDP client software to remotely access the target PCs and servers and install the ransomware.

Bitpaymer is looking to catch big fish. Attackers spreading the new version are targeting larger companies and organizations. This is reflected in their ransom demand of 50 Bitcoins – currently worth about $235,000.

IT teams will want to secure and protect all endpoints where RDP is enabled, including strengthening RDP passwords and implementing multi-factor authentication.
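One way a defender can surface the RDP brute-force pattern described above is to count failed logons per source address over a sliding window and watch for a successful logon from the same source shortly afterwards. The Node.js script below is an added example, not code from the original post: the log records are constructed and simplified, the 4625/4624 event IDs and logon types are the standard Windows Security log values, and the threshold and window sizes are assumptions to be tuned per environment.

```javascript
// Constructed sample, not real telemetry: simplified Windows Security log records.
// 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
// With Network Level Authentication enabled, failed RDP attempts are often recorded with
// logon type 3 instead, so both types are treated as RDP-relevant here.
const SAMPLE_EVENTS = [
  { time: "2017-09-01T02:00:01Z", id: 4625, user: "administrator", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:03Z", id: 4625, user: "admin", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:05Z", id: 4625, user: "backup", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:07Z", id: 4625, user: "jsmith", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:09Z", id: 4625, user: "jsmith", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:11Z", id: 4625, user: "jsmith", src: "198.51.100.23", logonType: 3 },
  { time: "2017-09-01T02:00:40Z", id: 4624, user: "jsmith", src: "198.51.100.23", logonType: 10 },
  { time: "2017-09-01T08:15:00Z", id: 4625, user: "mjones", src: "10.0.0.15", logonType: 10 },
  { time: "2017-09-01T08:15:20Z", id: 4624, user: "mjones", src: "10.0.0.15", logonType: 10 },
];

const RDP_LOGON_TYPES = new Set([10, 3]);

// Flags every source address that produces `threshold` or more failed RDP logons inside
// `windowSec` seconds, and records whether a successful RDP logon from the same source
// followed within `followSec` seconds of the last failure (the "brute force succeeded" case).
function detectRdpBruteForce(events, { threshold = 5, windowSec = 300, followSec = 600 } = {}) {
  const sorted = [...events]
    .filter((e) => RDP_LOGON_TYPES.has(e.logonType))
    .map((e) => ({ ...e, ts: Date.parse(e.time) / 1000 }))
    .sort((a, b) => a.ts - b.ts);

  const failuresBySrc = new Map(); // src -> failures still inside the sliding window
  const findings = new Map();      // src -> finding record

  for (const e of sorted) {
    if (e.id === 4625) {
      const q = failuresBySrc.get(e.src) || [];
      q.push(e);
      // Drop failures that have fallen out of the window.
      while (q.length && e.ts - q[0].ts > windowSec) q.shift();
      failuresBySrc.set(e.src, q);

      if (findings.has(e.src)) {
        const f = findings.get(e.src);
        f.failures = Math.max(f.failures, q.length);
        f.lastFailure = e.time;
        if (!f.usernames.includes(e.user)) f.usernames.push(e.user);
      } else if (q.length >= threshold) {
        findings.set(e.src, {
          src: e.src,
          failures: q.length,
          usernames: [...new Set(q.map((f) => f.user))],
          lastFailure: e.time,
          succeededAs: null,
        });
      }
    } else if (e.id === 4624 && findings.has(e.src)) {
      const f = findings.get(e.src);
      const sinceLastFailure = e.ts - Date.parse(f.lastFailure) / 1000;
      if (sinceLastFailure <= followSec && f.succeededAs === null) f.succeededAs = e.user;
    }
  }
  return [...findings.values()];
}

// Stand-alone run: prints the findings for the constructed sample.
console.log(JSON.stringify(detectRdpBruteForce(SAMPLE_EVENTS), null, 2));
```

A finding with `succeededAs` set is the one to escalate first: the password-spray from that source ended in a working credential.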

PrincessLocker Brings Exploit Kits Back into Fashion

PrincessLocker isn’t a fun game with rainbows and unicorns. Instead, it’s a fresh ransomware version designed to encrypt files and PCs.

PrincessLocker was first spotted in September 2016, and a decryptor tool was quickly built to assist its victims. The attackers have since fixed the flaws in the ransomware code, and we’re seeing it pop up on the radar again.

[Figure: the PrincessLocker ransom message]

Exploit Kit Distribution

The notable feature about PrincessLocker ransomware is the use of an exploit kit called RIG to deliver the malware.

Exploit kits are malicious software hiding on websites to automatically exploit vulnerabilities in a web user’s browser or plug-ins. The malware waits for unsuspecting users to visit the website while running browsers or plug-ins with vulnerabilities.

Attackers will often use spam or phishing emails to lure victims to the website, which is one reason clicking links in emails is dangerous. In this case, if the RIG exploit kit finds any of the following flaws in Internet Explorer or Flash Player (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2015-8651, CVE-2016-0189), PrincessLocker is installed and begins encrypting files.

Browser vendors have done their part by hardening their code against these types of attacks. But the continued use of exploit kits as an attack method indicates that exploitable vulnerabilities still exist.

Ransomware Update: August Edition

Here we are in August, and ransomware is still dominating the headlines.

Other articles this month highlight the evolving trend in ransomware motives and Nuance’s decision to not report the NotPetya attack as a data breach.

This month, we have several other noteworthy ransomware-related news items to cover:

Locky Returns!

We’ve run into a familiar name again: Locky.

Locky was one of the top ransomware variants throughout 2016. It was distributed through the infamous Necurs botnet. However, by the end of 2016, Locky went curiously quiet.

Now, with the seasons changing and summer coming to a close, Locky is making a comeback. Security researchers discovered two new variants of the Locky ransomware popping up – Diablo and Lukitus.

Both variants use similar social engineering tactics to infect victim machines. The Locky campaigns use spam email to carry their ransomware in malicious attachments. Common subject lines for these attacks are “missed voicemail” or “outstanding invoices”, chosen to create a sense of curiosity or urgency for users.

Some email attachments leverage malicious macros to deliver the ransomware payload. It’s an old story: the user opens the malicious document, the content looks like gibberish, a popup prompts the user to ‘enable macros,’ the ransomware file downloads, files get encrypted, voilà.

The big takeaway here is Locky is back and active. Organizations and users should continue to use caution with email.

Ransomware Steals Bitcoin Wallets

Cerber has gained a reputation when it comes to ransomware, often listed in the top variants.

A spinoff of the Cerber ransomware variant is designed to steal Bitcoin wallets and passwords before encrypting the victim’s files and demanding ransom.

Aside from the traditional ransomware component, the new Cerber searches for files of three Bitcoin wallet applications – Bitcoin Core (wallet.dat), Electrum (electrum.dat), and Multibit (*.wallet). If found, it sends them back to the attacker’s command-and-control and then deletes them from the victim’s machine. In order to complete the Bitcoin theft part of the attack, Cerber also attempts to steal the associated saved passwords from the victim’s browser.

The new Cerber variant uses the same delivery method: email.

Cyber attackers are innovative and continue to evolve their attack methods. This Cerber variant illustrates the potential for ransomware beyond the traditional extortion tactics. Stealing Bitcoin from ransomware victims could be a huge source of income for attackers.

EV Ransomware Targets WordPress Sites

The WordPress security vendor Wordfence discovered ransomware attempts against WordPress websites. The ransomware – dubbed EV Ransomware – is designed to encrypt a WordPress website’s files.

It works like traditional ransomware and starts encrypting files after the attacker compromises a WordPress site and uploads the malware. Affected files are deleted and replaced by the encrypted version carrying the .ev extension – hence the name EV Ransomware.

Wordfence explains to their technical audience: “The encryption process uses mcrypt’s functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file.”

Once encryption is complete, the WordPress site displays a ransom screen in place of its content.

This is a case where the ransomware is poorly built and does not provide a practical decryption method. Victims are advised not to pay the ransom in the event of an infection.

EV Ransomware provides a .php file that supposedly enables victims to decrypt files with the key. However, Wordfence notes you will likely need an experienced PHP developer to help fix the broken code in order to embark on the decryption process.

Wordfence aims to keep customers from being attacked. According to their security alert, websites running either Wordfence Premium or Wordfence free are protected against EV Ransomware.

Ransomware is No Longer about the Ransom

On an average day, you probably don’t think a lot about someone kidnapping your data or taking your business hostage…but you should. In the beginning, ransomware attackers exchanged “hostage” data for money. Transactions were simple: Pay the demand and receive a decryption key to unlock your data. It was stressful and costly, but it was straightforward.

When regular hackers sought entry into the game, ransomware kits popped up on the dark web. The common issue became a weak product lacking a proper decryption method, casting some doubt on the traditional business model.

Today, the ransomware game has evolved and become more dangerous than ever.

Gone Are the Days of Pay Up and Get Back to Work

These days, ransomware has adopted a new objective: Cause widespread disruption. The June 27th NotPetya attack netted hackers a measly $10,000. Not much of a payday for a global cyber attack. Now, ransomware attackers appear to be looking to cause financial losses to others without actually cashing in.

Viewing ransomware through this new lens, the NotPetya attack was wildly successful. It caused a major disruption to business operations around the globe. Let’s look at some examples:

A.P. Moller-Maersk

  • Industry: Shipping, Transport, and Logistics
  • Affected Areas: Maersk’s container-related businesses were affected. Systems were shut down as a precaution against further ransomware infection.
  • Duration of Interruption: Two weeks
  • Financial Impact: Expected to be between $200-300 million.

Saint-Gobain

  • Industry: Manufacturing for construction and other markets
  • Affected Areas: The French multinational company noted information systems experienced an extended period of downtime along with disruptions in supply chain operations.
  • Duration of Interruption: More than two weeks
  • Financial Impact: €220 million impact on first-half sales and a €65 million impact on first-half operating income.

Mondelez International

  • Industry: Multinational food and beverage company
  • Affected Areas: Mondelez reported a 5% decrease in net revenue with 2.3% attributable to the NotPetya attack.
  • Duration of Interruption: Recovery still ongoing
  • Financial Impact: Just over $150 million.

Merck & Co.

  • Industry: Pharmaceuticals
  • Affected Areas: Merck & Co noted an impact on manufacturing, research, and sales operations
  • Duration of Interruption: Still ongoing
  • Financial Impact: Unknown, but fulfilling some product orders continues to be delayed.

Final Thoughts

As ransomware moves beyond its reputation as a petty extortion attempt, its widespread impact should raise concern for organizations of all sizes. Whether you operate a single location entity or a global organization, protecting yourself operationally and financially must be reprioritized to the top of your “to do” list.

Nuance Says NotPetya Attack is Not a Reportable Health Data Breach

Nuance’s decision not to report the NotPetya attack to federal regulators puts an interesting twist on the question of whether ransomware is a reportable data breach.

The Department of Health and Human Services (HHS) issued guidance about a year ago on ransomware qualifying as a reportable breach under HIPAA rules. Since this HHS guidance, relatively few ransomware breaches have been posted on OCR’s HIPAA Breach Reporting Tool. Many suspect this to be a result of continued confusion and uncertainty about reporting regulations.

Nuance, a medical transcription services vendor, issued a public letter regarding the NotPetya attack in July. They were victims of the NotPetya malware, but determined it didn’t qualify as a reportable breach to OCR.

Nuance Public Letter

Nuance publicly detailing their decision process for notification of the incident is a rare occurrence.

Nuance cited the relevant findings in its letter:

  • No Ransomware: Despite media reports to the contrary, the NotPetya malware was not actually ransomware. It was not designed to give its perpetrator(s) any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems.
  • No Unauthorized Access: The malware was not designed to allow any unauthorized party to view any file contents (including ePHI) on affected systems, nor have we seen any indication that it actually functioned in that manner on affected Nuance systems.
  • No Loss of Control on Affected System: The malware was not designed to copy or extract any file contents (including ePHI) from affected systems or to give its perpetrator(s) any capability to control data on affected systems. To date, we have seen no indication that the malware functioned to do any of these things in practice on affected Nuance systems.
  • No ePHI targeted: The malware was not designed to target the types of files in which Nuance stores ePHI and we have seen no evidence that those file types actually were targeted in this Incident.

Based on the findings above, Nuance determined the NotPetya incident to be a security incident according to the HIPAA Security Rule. However, they also made the attention-grabbing decision that the NotPetya incident did NOT constitute a breach of protected health information applicable to the HIPAA Breach Notification Rule.

Learn How to Protect Against the FBI’s Top 3 Cyber Threats

Every day, we share information digitally. Business as usual, right? But what about the risks trying to undermine your business, steal your data, and clean out your company’s bank account?

In June 2017, the FBI released its annual Internet Crime Report showing $1.3 billion in annual losses due to Internet crime. The numbers are probably even higher because companies are hesitant to publicize themselves as victims of cybercrime.

Cybercrime continues to plague our Internet society, and the FBI’s Internet Crime Complaint Center (IC3) highlighted three specific crimes in their annual report: Business Email Compromise, Ransomware, and Tech Support Fraud. We’ve expanded on these cyber threats so you can educate yourself and your employees, and hopefully, avoid becoming a victim.

Business Email Compromise

Business Email Compromise scams go by various names. Whether you call it a BEC scam, CEO fraud, or a wire-transfer scam, the goal is always the same – target organizations that routinely execute wire transfers. Why? Because human error can be easily exploited.

How the Scam Works:

The premise of the scam starts with an attacker hacking or spoofing the CEO’s email account, often while he or she is out of the office. Next, the criminal emails specific targets in the organization requesting an urgent wire transfer. Due to the authority, urgency, and consistency of the email, many times organizations fall victim and comply with the wire transfer request.

Common scenarios here target the finance department while the CEO is out of the country on business travel and unavailable to confirm the request. During tax season, attackers will target the HR department requesting personal information, like employee W-2 forms. Hackers even pose as lawyers or law firms to request fraudulent transfers.

BEC Scam Prevention Tips:

  • Scrutinize the validity of any email requesting a wire transfer. Ensure it’s consistent with other transfer requests (timing, frequency, amount, recipient, etc.). Examine the sender’s email address for any changes mimicking the legitimate email.
  • Confirm the transfer request in person or via phone call. Make sure there are dual approval protocols in place as well as a protocol for requests made by traveling executives.
  • Educate your employees, emphasizing the warning signs. Oversharing is a cyber criminal’s dream, so use caution when posting an executive’s travel schedule or other employee information on social media.

Ransomware

Ransomware is the most notorious type of malware these days. Cyber criminals constantly have their lines in the water baiting victims to click on a phishing email or visit a compromised website to deliver ransomware.

The goal is to encrypt your files and deny you access to critical data or systems. Ransom demands in cryptocurrency (i.e. Bitcoin) keep attackers anonymous and under the radar.

Ransomware Prevention Steps:

  • Regular Patching: Many vulnerabilities leveraged in ransomware attacks are well-known flaws that have been exposed (i.e. WannaCry and NotPetya). Many attacks can be prevented through regular patching and updates.
  • Close RDP; Use VPN: Close remote desktop protocol unless it’s strictly required. If you must use RDP, either whitelist IPs on a firewall or do not expose it to the Internet. Only allow RDP from local traffic. Set up a VPN to the firewall and enforce strong password policies.
  • Segregate Your Networks: Separate your network into smaller, independent networks. This limits a ransomware infection from propagating across an entire organization by isolating networks.
  • Offline Backups: Regularly back up any files stored on your devices. Ensure your backups are not connected to the rest of your critical network.
  • Employee Training: Educate the workforce about ransomware and the associated dangers and threats. Anti-phishing training is one good approach. But overall cyber security awareness is important as ransomware is delivered through other vectors as well.

Tech Support Fraud

Tech support fraud is a type of social engineering where the criminal poses as a legitimate party offering technical support to victims. The intent of the fraudsters is to gain access to a victim’s device. From there, they can leverage their access for financial gain or engage in other malicious activity.

Many fraudulent tech support operations exist. There are several different ways the criminals will try to reel you in:

  • Fraudsters are known to cold call and attempt to convince victims to allow remote access into their devices.
  • Pop-up or locked screens are leveraged to take advantage of unsuspecting victims who click a link on a compromised website.
  • Fraudulent tech support companies use search engine optimization to appear at the top of search results for tech support.
  • Fraudsters register URL domains similar to legitimate sites to take advantage of typos or errors made by victims who are typing in a web address.

Beware the Overpayment Scam

Cyber criminals are always looking for a new way to victimize you, and the overpayment scam is gaining traction. Posing as good-hearted professionals, criminals offer victims a refund for previous tech support services. Once they gain online access to a bank account, they first transfer money around between the victim’s accounts to make it appear the refund was too much. Before the victim notices anything odd, the criminals will request a wire transfer for the excess funds.

Keys to Mitigate Risk

As cybercrimes continue to increase, your organization needs to be diligent about analyzing its cyber risk. Errors happen, and raising cyber awareness among your workforce is key.

ePlace provides cyber training programs on our risk management platforms as a resource for educating employees on cyber threats, and we encourage you to implement these if you haven’t already.

Finally, the FBI urges victims of computer crimes to report the incidents to IC3.gov. The IC3 unit is part of the FBI’s Cyber Operations Section and uses the reports to compile and refer cases for investigation and prosecution.

Are you vulnerable to ETERNALBLUE? Scan your systems TODAY

The EternalBlue exploit that targets a serious flaw in Microsoft’s Server Message Block (SMBv1) made headlines after the worldwide ransomware outbreaks WannaCry and NotPetya. After seeing the devastating impact, organizations should be checking their systems for any trace of the EternalBlue vulnerability.

Fortunately, security researcher Elad Erez has a tool to help you do just that. In the aftermath of NotPetya, Erez developed a method to easily and quickly scan systems for the presence of the Microsoft SMB flaw.

Using this method Erez identified 50,000 internet-connected systems still vulnerable to the SMB flaw. Erez has now released his research in a free tool he calls Eternal Blues.

Eternal Blues

This vulnerability scanner is intended to help security teams identify the EternalBlue vulnerability in their networks.

Erez notes, “The majority of the latest WannaCry, NotPetya victims are not technical organizations and sometimes just small businesses who don’t have a security team, or even just an IT team to help them mitigate this. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.”

He adds, “I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us – for example, data exfiltration or even just using your computers to join a botnet.”

Organizations should realize the importance of running a scan for the EternalBlue vulnerability. One instance illustrates the danger: The Eternal Blues tool found two vulnerable hosts on a network of 10,000.

In situations where the vulnerable system cannot be patched, organizations are advised to disable SMBv1 or implement safeguards to protect against exploit attempts.

Scan now, or forever hold your peace.

Ransomware Update: July Edition

Ransomware continues to be one of the top cybercrimes and has been taking over headlines with outbreaks like WannaCry and NotPetya.

This month, we have several noteworthy ransomware attacks and news stories to cover:

Web Hosting Provider Pays $1 Million Ransom

South Korean web hosting provider, Nayana, suffered a ransomware attack costing over $1 million.

The attack struck 153 Linux servers and encrypted 3,400 websites hosted by Nayana. Both internal and external backups were infected.

The major headline is the daunting ransom payment. Trend Micro reported the original demand was 550 Bitcoin ($1.6 million). After negotiating with the attackers, both parties agreed on a ransom of 398 Bitcoin ($1 million).

While it’s always possible that more costly demands have gone unreported, this instance is the largest ransom payment known publicly to date.

Nayana reportedly made the payment in three installments as the attackers decrypted the affected servers. After receiving the decryption key, it could take Nayana at least two weeks to fully restore the affected servers to normal operation.

According to Trend Micro’s blog, the ransomware variant used in this attack is called Erebus. The ransomware was first discovered in September 2016, and resurfaced in February 2017.

Largest Reported Healthcare Ransomware Attack

On the thread of record ransomware attacks, we also saw the largest attack reported by a healthcare organization to the Office for Civil Rights (OCR).

Airway Oxygen – a provider of oxygen therapy and home medical equipment – detected the attack on April 18th. Anti-virus software initially alerted their IT team of the ransomware attack on their systems.

From there, the company’s investigation revealed attackers had access to 500,000 patients’ health information. Information affected by the attack included names, birth dates, telephone numbers, medical diagnosis and treatments, and health insurance policy numbers.

After discovering the incident, Airway Oxygen took the following steps to mitigate the attack and lower the risk of further impact:

  1. Scanned the entire internal system
  2. Changed passwords for users, vendor accounts, and applications
  3. Conducted a firewall review
  4. Updated and deployed security tools
  5. Installed software to monitor and issue alerts on suspicious firewall log activity
  6. Reported the incident to the FBI and cooperated with its investigation
  7. Hired a cybersecurity firm to assist with investigating the cause and impact of the breach

In its statement, the company says the incident “was a highly sophisticated attack, which we believe may have been carried out from an offshore location.” The company’s spokesman declined to say how much of a ransom was demanded by the attackers or whether Airway Oxygen had paid the extortionists.

Since OCR released their guidance last summer on reporting ransomware attacks, this represents the largest ransomware event reported to OCR. It is also the second largest health data breach listed on OCR’s Breach Portal this year.

Given the controversy surrounding the reporting guidance from last year, it is noteworthy that Airway Oxygen reported the incident as a breach… even without evidence of access or acquisition of protected health information.

University College London Suffers Attack

University College London (UCL) has been open and transparent about a recent ransomware attack on their networks and systems.

After getting hit by the ransomware attack, the university’s shared drives and student management system were taken off network.

To mitigate the impact, UCL temporarily blocked access to their shared drives to prevent any further spreading – similar to the WannaCry attack. Once safe, drives were restored to ‘read-only’ mode. Users could read the files, but not make any updates.

UCL keeps snapshot backups of the shared drives and they expect this will protect most of the encrypted data. It took six days to get all affected shared drives and services back to normal operation.

Their webpage has been carefully updated with relevant details and shows a great example of transparency with consistent information.