The Wrath of Locky Part 2

One of the most common types of ransomware, “Locky” all but disappeared late last year. Sadly, however, this very dangerous cyber threat has reemerged and is worse than ever. Everyone should make themselves aware of this particular cyber threat – because once your data is infected – you may never see it again.

The New Locky Brings a New Infection Mechanism

This current wave of SPAM comes in the form of emails that pretend to be payment receipts with various subjects. According to an article by My Online Security, the email subjects include Receipt 435, Payment Receipt 2724, Payment-2677, Payment Receipt_739, and Payment#229, where the numbers change.

Locky SPAM Email

These emails include a PDF attachment with a name like P72732.pdf. When these PDFs are opened, the target will be prompted to open an embedded Word document as shown below.

Malicious PDF SPAM

If a user opens the file, the Word document will open and the target will be greeted with the typical malicious Word document prompt: the request to enable macros by clicking on Enable Content in order to properly see the document.

Enable Macros in Malicious Word Document

When the macros are enabled, the macros are currently downloading an encrypted Locky binary from http://uwdesign.com.br/9yg65, decrypting the file, saving it to %Temp%\redchip2.exe, and then executing the file to begin the encryption process. Redchip2.exe currently has a 7/55 detection on VirusTotal.

Just like previous variants, Locky deletes Shadow Volume Copies using a Scheduled Task and appends the .OSIRIS extension to encrypted files. You can see the task used below (the extracted text kept only the element values; the standard Task Scheduler element names have been restored around them).

  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>Delete Shadows /Quiet /All</Arguments>
    </Exec>
  </Actions>
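As an added example (not code from the original post or from the analysis it cites), the following Python check parses Task Scheduler XML like the task above and flags any Exec action that runs vssadmin to delete shadow copies, the tell-tale step before encryption begins. The sample XML is constructed from the values shown in the post with the standard Task Scheduler element names; the directory scanner assumes the usual C:\Windows\System32\Tasks location.

```python
"""Flag scheduled tasks that delete Volume Shadow Copies (Locky-style).

Added example, not the blog's or Locky's own code. It parses Windows Task
Scheduler XML and reports every <Exec> action whose command line runs
"vssadmin ... delete shadows", the step ransomware uses to block restores.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# vssadmin (with or without .exe or a leading path) followed by "delete shadows",
# anywhere in the command line, so a call wrapped in "cmd.exe /c" is caught too.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample: the values from the Locky task, wrapped in the standard
# Task Scheduler element names and namespace.
LOCKY_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>Delete Shadows /Quiet /All</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: an admin task that only lists shadow copies.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>List Shadows</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _local(tag):
    """Strip the Task Scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, name):
    """Text of the first direct child called `name` (namespace-insensitive)."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_shadow_deletion(task_xml, task_name="<inline>"):
    """Return one finding dict per <Exec> action that deletes shadow copies."""
    root = ET.fromstring(task_xml)
    settings = next((el for el in root.iter() if _local(el.tag) == "Settings"), None)
    hidden = _child_text(settings, "Hidden").lower() == "true" if settings is not None else False
    findings = []
    for exec_el in root.iter():
        if _local(exec_el.tag) != "Exec":
            continue
        command_line = f"{_child_text(exec_el, 'Command')} {_child_text(exec_el, 'Arguments')}".strip()
        if SHADOW_DELETE_RE.search(command_line):
            findings.append({
                "task": task_name,
                "command_line": command_line,
                "hidden": hidden,  # a hidden task would be an extra warning sign
                "reason": "vssadmin deletes Volume Shadow Copies, removing the local restore path",
            })
    return findings


def scan_task_directory(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Scan every task file under tasks_dir. Task files are UTF-16 XML with a
    declaration, which ET.fromstring honours when handed raw bytes."""
    findings = []
    for path in Path(tasks_dir).rglob("*"):
        if path.is_file():
            try:
                findings.extend(find_shadow_deletion(path.read_bytes(), task_name=str(path)))
            except ET.ParseError:
                continue  # not a task XML file; skip it
    return findings


if __name__ == "__main__":
    for finding in find_shadow_deletion(LOCKY_TASK_XML, task_name="constructed Locky task"):
        print(f"[ALERT] {finding['task']}: {finding['command_line']} ({finding['reason']})")
    print("benign task findings:", find_shadow_deletion(BENIGN_TASK_XML))
```

Run `scan_task_directory()` from an elevated prompt on a Windows host to check the live task store; the same function can be pointed at a directory of task XML files exported from a forensic image.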

While encrypting files it will routinely send status updates to the Command & Control servers located at 188.120.239.230/checkupdate and 80.85.158.212/checkupdate. When done it will display the ransom note to let the victim know that they have been infected.

Locky Ransom Note

Unfortunately, at this time there is still no way to decrypt files encrypted by Locky.

Protecting Yourself Against Ransomware

As I continually recommend, you should never open an attachment from a sender that you did not request. This goes for hyperlinks in email messages that you did not request as well. If you receive email messages from “lenders” or “creditors” regarding payments etc. that include documents, call the lender and speak to someone. Do not open the attachment or click on the hyperlink unless you are 100% certain of its legitimacy.


Ransomware Strikes PA Dems

The threat of Ransomware is something we have written about much and now it seems that this scourge has infected the Pennsylvania State Democrats.

Pennsylvania’s Senate Democrats yesterday reported that they are in contact with the FBI and state attorney general’s office after a “ransomware” cyberattack shut down their computer systems.

The attack Friday left lawmakers and staff in the caucus unable to access their computer network or data.

Senator Jay Costa states that the ransomware attack was discovered Friday morning. Citing the investigation, caucus officials are not saying what, if any, ransom was demanded.

A ransomware attack is typically aimed at stealing sensitive information in an attempt to be paid for the data’s return, often in a digital currency.

Democratic Governor Tom Wolf’s office states that the attack hasn’t affected the state’s networks, which are separate from the Senate Democrats’ computers. An FBI spokeswoman in Philadelphia didn’t immediately have any information about the case. The attorney general’s office says it is taking the cyberattack very seriously.

What is Ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

Protecting Yourself Against Ransomware

The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.


2016: The Year of the Hack

As you can see, cyber-security concerns continued to worsen in 2016 and it appears there will be more problems in 2017. Cyber-security is now a full-fledged geopolitical issue.


2016 was a record-setter for hacking incidents. Unfortunately, the headlines show no signs of slowing as we enter 2017. The concern with 2016 was that we experienced a much more diverse field of victims, ranging from celebrities, technology CEOs and political parties to Netflix and even the Olympics.

Netflix “Attacked” 

On December 21, the Netflix Twitter account was hit by hacking collective OurMine, “a self-described white hat security group.” The hackers tweeted a message saying they were “just testing” Netflix security, and suggested Netflix contact them to find out more. OurMine tweeted its message, along with an email address and logo, to the nearly 2.5 million Twitter followers of @netflix, which is Netflix’s U.S. account.

Political Hacks

One of the scarier trends in 2016 was the increased use of hacking to achieve geopolitical goals. Hacking groups linked to either the Kremlin or Russian president Vladimir Putin have been accused of reverting to Cold War tactics to weaken and delegitimize countries seen as political rivals.

A hack of the World Anti-Doping Agency’s database which resulted in the publication of private medical records for several U.S. athletes, was attributed to a group of Russian hackers going by the names “Team Tsar” and “Fancy Bear.” This group of hackers was also accused of hacking the Democratic Party’s network to find embarrassing information about then-presidential candidate Hillary Clinton.


The attack against the Democratic Party and the Clinton campaign was rumored to have been part of an orchestrated effort by Russia to use cyberwarfare to undermine the U.S. electoral process. While it’s impossible to say what, if any, effect the hack had on the election of Donald Trump, it has escalated tensions between the two countries and caused alarm within the U.S. intelligence community.

Ransomware Attacks Continue To Surge – Public Transportation Exposed

2016 also brought a large increase in ransomware attacks, with individuals being targeted by hackers who encrypt their data in order to extort cash. Perhaps the largest such attack in 2016 was against the San Francisco transit system, which was targeted by a ransomware attack that resulted in travelers receiving free rides over the Thanksgiving weekend.

Bitcoins & Cryptocurrency

This year also saw the second largest bitcoin hack in history, resulting in the theft of more than $65 million of the cryptocurrency.

Point of Sale Concerns

A gang of Russian hackers also managed to break into more than 330,000 point-of-sale machines running software by Micros, an Oracle company. The hack hit cash registers used in food chains, hotels and retail stores.

Hospital Hacks

The U.S. hospitality industry suffered one of its largest hacks ever when 20 hotels owned by HEI Hotels and Resorts discovered malware running on point-of-sale machines used throughout the country. That hack may have resulted in the theft of customer data including account and credit card numbers.

Yahoo Troubles Continue

This year there was even information about past traditional hacks involving the theft of users’ email addresses and login information. Yahoo reported that in 2013, it suffered the largest breach in history, involving more than 1 billion user accounts. That exceeds the hack of 500 million accounts in 2014 that the company also reported this year.


Cyber Threat Shifts from Spam to Malware

There may finally be some good news in the war against spam. The overall percentage of spam among e-mail messages dropped to 49.7 percent last month, the lowest level since 2003. This is the first time the figure has been below 50 percent in more than a decade, according to a new study by Symantec.

Symantec reported these figures in its “Symantec Intelligence Report” for the month of June. Enterprises in the mining sector had the highest spam rate, at 56.1 percent, according to the report. The manufacturing sector was a close second at 53.7 percent. The finance, real estate, and insurance sectors had the lowest of any industry, at 51.9 percent.

It is apparent that spammers treat all businesses the same with regard to size. On average, companies experienced a spam rate of between 52 percent and 53 percent no matter the number of employees. The only variance to this pattern was companies with 251-500 employees, which experienced a 53.2 percent spam rate.

Spam Appears on the Decrease While Malware Increases

Despite the good news with spam, there were several troubling observations I found in the Symantec report. There was a grand total of 57.6 million new malware variants reported in June, up from 44.5 million created in May and 29.2 million in April. The increase in malware variants indicates something that many of us already knew: hackers are changing tactics and shifting to the very dangerous cybercrime tool of malware, as opposed to spam and phishing.

In addition to the increase in malware variants, ransomware attacks were up in June, with over 477,000 detected during the month. While still below the levels seen at the end of 2014, June represented the second month in a row that ransomware attacks increased since reaching a 12-month low in April. Crypto-ransomware was also up in June, reaching the highest levels since December.

On social media, meanwhile, hackers continued to rely primarily on manual sharing attacks, which require victims to propagate the scam by sharing content themselves.


Malware & The Battlefield of the Future

If there is one thing I learned in 2014, and I hope each and every one of you, my dedicated readers, has learned, it is that “Malware” is the single biggest threat to our computer infrastructure as well as our personal security.

During many weeks in 2014 this tech blog has been filled with stories of security breaches at organizations of all shapes and sizes: from police departments being infected with “CryptoLocker” to major retail chains being hacked, and now the real possibility that Sony Pictures was hacked not by cyber criminals in someone’s basement but by North Korea. What is scary about this one is that North Korea may have attacked in this way in response to a recent Sony film release.

If North Korea is responsible for the Sony Pictures hack it is but the first shot to be fired in the battlefield of the future. Not with guns but malware.

How to Defend Yourself and Protect Your Personal Information

This is really quite simple and I urge everyone to follow these very basic directions, all of the time.

  • Keep Your Security Software Up to Date.
  • Keep Your Operating System Up to Date.
  • Never ever click on links in emails that you did not specifically request.
  • Never ever open attachments in email that you did not specifically request.

Stop and Verify when in doubt by making phone contact with the sender of a suspected email with a link or attachment that you feel might be valid.

If you can follow these steps you will go a long way protecting yourself and the organizations you work for.


Police Department Infected by Cryptolocker

The computer system of a police department in Durham, New Hampshire has reportedly been infected with Cryptowall. Cryptowall, a variant of the Cryptodefense ransomware, encrypts data and holds it hostage until money is paid for decryption.

Just like in the case of the infamous Cryptolocker, the attack was carried out via email phishing, with the piece of malware disguised as what appeared to be a legitimate file attached to the message.

Cryptowall ransom message

Cryptolocker Ransom Message


Once Cryptowall was executed on the department’s network, the affected machines, once identified, were isolated by being taken offline in order to stop the spread and to run disinfection routines.

According to Todd Selig, Town Manager, no ransom was paid by the authorities for getting the decryption key. This refusal to pay the ransom is an action recommended by most security experts in order to discourage these types of cyber attacks from occurring more frequently.

The police department in this case was not damaged because they had a backup system which allowed the data to be restored once the infection was isolated and removed.

According to Cisco Systems, Cryptowall has been around as part of an exploit kit called RIG since April, when they noticed increased traffic generated by the malicious package and started blocking it.

Cryptowall targets specific and common file formats, which include DOC, XLS, and TXT, along with images and videos. The malicious software creates files with instructions to follow in order to regain access to the content. A ransom message is then shown to the user informing that the data can be decrypted by paying a fee, which increases in time.

Many victims of the Cryptolocker set of malware have actually paid the fee. Some regained access to their files while others regained access for a short time only to have them encrypted again afterward.

Backup – Backup – Backup!

The lesson to learn from this and other security attacks by cyber criminals is to have several backups in place and updated regularly. I recommend both a local backup as well as an off-site backup with a cloud service.



CryptoLocker Invades a PD

I have written about the CryptoLocker virus and other security problems countless times in this blog, and here is yet another recent real-life example of what can go wrong with computer security, even when police departments are involved.

A U.S. police department was so determined to get back important files that had been encrypted by the rampaging CryptoLocker Trojan it decided to pay the ransom being demanded by the criminals.

It sounds like a far-fetched and probably serious breach of law enforcement protocol, but according to a local news report, this is exactly what the police department in Swansea, Mass., decided to do when “several images and word documents,” were found to have been encrypted by the malware.

The department had followed the instructions given by CryptoLocker and on Nov. 10 bought two bitcoins worth $750 which resulted in the criminals sending the decrypt key, police said.

“The ‘Trojan’ is so complicated and successful that you have to buy these bitcoins, which we had never heard of,” said Swansea Police Lt. Gregory Ryan in an admission to the press many will find quite staggering.

Ryan didn’t say why the files were so important that a police department saw fit to pay a digital ransom to criminals, but insisted “It was an education for [those who] had to deal with it,” and that at least the infection had not caused damage to the system the department used for booking official reports and logging photographs.

“We were never compromised,” Ryan said, a statement that many would deem inaccurate.

Only last weekend, the UK National Crime Agency put out an alert that the criminals behind CryptoLocker were now targeting UK SMEs on a large scale. Their recommendation is that affected businesses do not pay the ransom, not least because there is no guarantee that they will even receive an unlock key.

There is growing concern about the scale and success of the CryptoLocker campaign which, it is worth pointing out, is far from the first malware to use the technique of locking or encrypting victim’s files. A key element of CryptoLocker’s recent success is that it has started demanding untraceable bitcoins for payment rather than more conventional money channels that were easier to block or trace.

Another weakness is that there is often no central place for affected individuals to report infections, nor seek advice. Consequently, some victims pay up. The citizens of Swansea, Mass., now know that this helplessness includes their local police department.

“With the FBI stating that this type of activity should not be encouraged by paying the ransom, it is surprising to see the local police department paying to regain access to the files,” commented Gavin Millard, EMEA technical director of security firm Tripwire.

“What is more concerning though, is the apparent lack of security and backup procedures on systems that could be storing critical and highly confidential documents.”

I have written this countless times on this little tech blog. Never ever open attachments that you did not specifically ask for. When in doubt, contact the sender by phone to verify that the attachment is legitimate. Otherwise you may be in the same sinking boat as the police department in this article.


TA13-309A: CryptoLocker Ransomware Infections

This is the 3rd CryptoLocker alert issued by the US Government.
Please take it seriously, bloggers.

Original release date: November 05, 2013 | Last revised: November 15, 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems


Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links

  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments

  • Maintain up-to-date anti-virus software

  • Perform regular offline backups of all systems to limit the impact of data and/or system loss

  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity

  • Secure open-share drives by only allowing writable access to necessary user groups or authenticated users

  • Keep your operating system and software up-to-date with the latest patches

  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams

  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network

  • Users who are infected should change all passwords AFTER removing the malware from their system

  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:

    • Restore from backup,

    • Restore from a shadow copy or

    • Perform a system restore.

Revision History

  • November 5, 2013: Initial Release

  • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

  • November 15, 2013: Updates to Impact and Prevention sections.


TA13-309A: CryptoLocker Ransomware Infections

As I have reported previously the CryptoLocker virus is a very serious computer threat to everyone.

The United States Computer Emergency Readiness Team (US-CERT) has today issued an alert regarding the threat. I have been posting relevant US-CERT warnings on this blog, so here is this one.

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention
US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation
US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
  • Users who are infected should change all passwords AFTER removing the malware from their system
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup,
    • Restore from a shadow copy or
    • Perform a system restore.


CryptoLocker Threat Worsens

Last week I reported about a new serious security issue known as “CryptoLocker” which is a real threat to an infected user’s data. PC World recently re-visited this malware threat and I am posting it here because it is so important to avoid.

Before I continue with PC World’s article I must suggest again, “never ever open an attachment unless you specifically requested the file”. This is the only way to avoid this and other security threats.

The creators of CryptoLocker, a piece of malware that encrypts user data and holds it for ransom, are giving users who removed the malicious program from their computers a second chance to recover their files, but at a much higher cost.

CryptoLocker is a malicious program that falls into a category of malware called ransomware. Once installed on a computer, ransomware applications typically prevent victims from accessing their files or even their operating system until they pay money to the malware authors.

Security researchers generally advise users against giving into this kind of extortion and in many cases there is a way to regain access to everything without paying up.

However, CryptoLocker uses solid public-private key cryptography to encrypt files that match a long list of extensions, including documents, spreadsheets, images and even AutoCAD design files. According to researchers from antivirus firm Sophos, the malware’s creators got the encryption process right and there’s no method to get the decryption keys, which are unique for every computer and are stored on attackers’ servers, without paying up.

After it infects a computer, CryptoLocker displays a message informing victims that if they don’t pay the equivalent of $300 or €300 in Bitcoins, a virtual currency, or via MoneyPak, a type of prepaid card, within 72 hours, the unique decryption key for the files will be automatically destroyed.

Users who regularly back up their data can clean their computers and restore the affected files from backups, but users who don’t have backups should consider those files lost, the Sophos researchers said.

Some files might be recoverable using the Shadow Copy technology, which is an integral part of the System Restore feature in Windows.

However, even users who have backups might realize that they’re not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.

It seems that the creators of CryptoLocker considered that possibility and realized that some users might have initially removed the malware, but then, for whatever reason, changed their mind about paying up. As a result, they’ve recently started offering an online decryption service that allows such users to still recover their files, but at a much higher price.

“Apparently the crooks will now let you buy back your key even if you didn’t follow their original instructions,” Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos, said last Monday. “Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind.”

The cost of using the service is 10 Bitcoins—around $2300 at the current Bitcoin exchange rate—and requires users to upload one of their encrypted files. The first 1024 bytes of the file will be used to search for the associated private key, a process that can take up to 24 hours.

“We’re guessing that the delay is because the crooks have to run a brute force attack against themselves,” Ducklin said. “Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypting your data with every stored private key until they hit one that produces a plausible result.”

However it’s not immediately clear whether using this service is still possible after the initial 72-hour deadline given by the malware. If it is, then the cybercriminals lied and the private keys are not being destroyed after that time period.

This decryption service might have also been created for users whose antivirus programs detected and deleted the malware after it encrypted the files, leaving them unable to buy the decryption key anymore.

“We’re still saying, ‘don’t buy,’ but we’re feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2000,” Ducklin said.
