New Ransomware Threat Emerges

A massive botnet is sending emails containing ransomware that could destroy your computer.


You probably know from prior articles that ransomware is the #1 digital threat in the world. The FBI estimates that nearly $1 billion was paid by victims of these attacks in 2016 alone. Now, millions of computers are at risk of being infected with a new ransomware strain. The threat is being spread in a very clever way that is easy to fall victim to, which is why you need to know what to look for to avoid it.

It starts with a phishing email

The latest ransomware attack, dubbed Scarab, is being distributed by the Necurs botnet through phishing emails. Scarab first appeared this summer but was recently updated to block users from using third-party recovery tools. This attack is spreading extremely fast. Within the first six hours of being launched, over 12.5 million malicious emails were sent to unsuspecting victims.

The phishing emails supposedly contain a scanned document that the recipient will want to look at. The “document” is actually a zip attachment that contains a VBScript downloader. If the attachment is clicked, it will infect your computer, phone or tablet with ransomware.

People from all over the world started receiving these malicious emails on November 23rd. The email subject line claims the document was scanned from a trusted printer brand, such as:

  • Scanned from Lexmark
  • Scanned from Epson
  • Scanned from HP
  • Scanned from Canon

Once your computer is infected, a ransom note appears. It begins with, “If you want to get all your files back, please read this.” The note goes on to demand payment. In a strange twist, the scammers do not have a set ransom. Instead, the note says, “the price depends on how fast you write to us.”

The best way to avoid this ransomware attack is to know how to spot a phishing email and never open the malicious attachment.


Windows 10 Fights Ransomware

Windows 10 Fall Creators Update has a nifty security feature which perhaps hasn’t been trumpeted by Microsoft as much as it should: namely anti-ransomware defenses.

In a blog post detailing how the Fall Creators Update is being deployed in a phased rollout Microsoft mentioned that it had hardened security and added protection against ransomware.


Specifically, the main countermeasure is a ‘controlled folder access’ feature which is activated in the Windows Defender Security Center app in Windows 10, in the Virus & Threat Protection section, as the Register reports.

It’s a simple slider to turn the feature on, and then specified protected folders are locked down, with only authorized apps able to make changes to the files within these folders.

As Microsoft explains: “This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold.”

By default, common folders where user data is stored (like the Documents, Pictures, and Videos folders) are protected by the controlled folder access system, but you can manually add whichever folders you want to be defended against malware.
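The same switch, driven from an elevated PowerShell prompt instead of the Security Center slider, as an added example that is not from the original post. The extra folder, the allowed application and the 24-hour lookback are assumptions; the Defender cmdlets and the event IDs 1123 (blocked) and 1124 (audited) are Microsoft's.

```powershell
# Added example: manage Controlled Folder Access from an elevated PowerShell session
# instead of the Security Center slider. Assumed values: the extra folder, the allowed
# application and the 24-hour lookback; the Defender cmdlets and event IDs are Microsoft's.
param(
    [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
    [string]$Mode = 'AuditMode',                                          # start in audit, enforce later
    [string[]]$ExtraFolders = @('D:\Projects'),                           # assumed path
    [string[]]$AllowedApps  = @('C:\Program Files\BackupTool\backup.exe') # assumed path
)

function Show-CfaState {
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    $pref = Get-MpPreference
    [pscustomobject]@{
        State            = $pref.EnableControlledFolderAccess
        ProtectedFolders = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
        AllowedApps      = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
    }
}

'Before:'; Show-CfaState | Format-List

# AuditMode logs what would have been blocked without blocking it, so legitimate apps that
# write into protected folders surface as events first. Re-run with -Mode Enabled once the
# audit log is quiet.
Set-MpPreference -EnableControlledFolderAccess $Mode

# Folders beyond Defender's defaults (Documents, Pictures, Videos, ...) and trusted writers.
foreach ($f in $ExtraFolders) { if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f } }
foreach ($a in $AllowedApps)  { if (Test-Path $a) { Add-MpPreference -ControlledFolderAccessAllowedApplications $a } }

'After:'; Show-CfaState | Format-List

# What did the feature audit (1124) or block (1123) in the last 24 hours? Both land in the
# Windows Defender operational log; the message names the process and the folder.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```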

Solid Security

Remember, you’ll need to have upgraded to the Fall Creators Update to get this feature, and not everyone will have been offered it yet (if you can’t wait to get beefed up security, you can always check out our guide on how to download and install the update right now).

Microsoft noted elsewhere: “[This] and other security technologies [introduced in the Fall Creators Update] protect against persistent ransomware campaigns like Cerber, Locky, and Spora, as well as global outbreaks like WannaCry, and Petya.”

And indeed a third-party has tested the new anti-ransomware feature against Locky, and it successfully thwarted the attack. So it sounds promising from the off.

In its post detailing the Fall Creators Update deployment process, Microsoft also noted that it had tested the update with more Windows 10 devices in advance this time around, which should theoretically mean a smoother rollout.

The download size of the update is also smaller to the tune of 25%, Microsoft notes, because of the use of ‘differential downloads’ (at least if you grab the upgrade via Windows Update).


Avoiding Bad Rabbit

Earlier this week a ransomware outbreak called Bad Rabbit was unleashed that infected victims throughout Russia, Ukraine, Bulgaria, and Turkey. This ransomware encrypts your files and then encrypts your file system, which leaves you with a ransom lock screen that is displayed before Windows starts.


Although not specifically targeted by this campaign, according to cybersecurity and antivirus vendor Avast, Bad Rabbit has now been detected in the USA.

Avast Threat Intel reported that while the victims were much more prevalent in Russia, they did detect some in the U.S.A.

How Bad is Bad Rabbit in the United States Today?

It is important to remember that Bad Rabbit attempts to spread laterally through an organization’s network via SMB. It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords.

Theoretically, if a U.S. organization had infected partners in the targeted regions and were on the same WAN with SMB access, Bad Rabbit could have spread laterally to the computers located in the USA.


So how can you prepare for Bad Rabbit?

While this outbreak has a much smaller scale compared to other ransomware outbreaks, system administrators should be prepared for it and other attacks like it. If you are concerned that Bad Rabbit may be coming your way, here are some suggestions that can help protect your servers and computers.

Vaccinate a Computer

First, you can vaccinate a computer against Bad Rabbit, by performing the following steps. I am not sure who originally developed this method as I know many people reported on this information, but I personally saw it here & here.

  1. Create the files C:\Windows\infpub.dat & C:\Windows\cscc.dat.
  2. Go into each file’s properties and remove all permissions on both files. When doing this, remove inheritance so the files do not inherit the permissions of the C:\Windows folder.

The computer will now be vaccinated against Bad Rabbit.
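The two steps above scripted for an elevated PowerShell session, as an added example that is not from the post or its sources. The file paths are the ones the post names; the function names are this script's own, and icacls with /inheritance:r is the standard Windows tool used to strip the inherited ACEs.

```powershell
# Added example: apply the Bad Rabbit "vaccine" from an elevated PowerShell session.
# Creates the two files the post names and removes every permission entry from them,
# without inheriting the C:\Windows ACL. Function names are this script's own.

$vaccineFiles = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

function Set-Vaccine {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # /inheritance:r disables inheritance and drops all inherited ACEs. A freshly created
        # file carries only inherited ACEs, so the DACL ends up empty, which denies every
        # principal (SYSTEM included) access to the file. The owner keeps the implicit
        # right to read and change the DACL, so the change can be reverted later.
        icacls $path /inheritance:r | Out-Null
    }
}

function Test-Vaccine {
    param([string[]]$Paths)
    $ok = $true
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            "MISSING  $path"; $ok = $false; continue
        }
        $acl       = Get-Acl -LiteralPath $path
        $inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        if ($acl.AreAccessRulesProtected -and $inherited -eq 0 -and $explicit -eq 0) {
            "OK       $path  (inheritance off, no access entries)"
        } else {
            "CHECK    $path  protected=$($acl.AreAccessRulesProtected) inherited=$inherited explicit=$explicit"
            $ok = $false
        }
    }
    return $ok
}

Set-Vaccine  -Paths $vaccineFiles
Test-Vaccine -Paths $vaccineFiles
```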

Monitor your Event Logs

Microsoft released a threat bulletin related to Bad Rabbit, which they call Ransom:Win32/Tibbar.A. In this article they state that Windows Defender can detect the ransomware using detections update 1.255.29.0 and higher. So make sure you install the latest Defender updates if you have not already.

They also discuss that since Bad Rabbit will clear the event logs and create various scheduled tasks under the names Drogon, Rhaegal, and Viserion, you can monitor the event logs for this type of activity. The events you want to monitor are:

  • Event 1102, which indicates that the audit log has been cleared.
  • Event 106, which indicates that a scheduled task has been created.

System administrators can attach a scheduled task to these events that will run a specified command if the events are detected. This command could be to send an administrator an email or perform some other type of alert. If these events are detected, they could indicate that the computer has been scheduled for a shutdown and Microsoft suggests that it should be aborted using the shutdown -a command.
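The monitoring the post describes, as an added example that is not from the post or from Microsoft's bulletin: a hunt over the two event IDs for the last 24 hours, and an event-triggered scheduled task that reacts to future log clears. The task names Drogon, Rhaegal and Viserion come from the post; the lookback window, the alert task name and its marker-file action are assumptions.

```powershell
# Added example: hunt for the two Bad Rabbit indicators named in Microsoft's bulletin
# (Security log cleared, scheduled task created) and register an event-triggered task
# that alerts on future log clears. Run in an elevated PowerShell session.
# Assumed values: the 24-hour lookback, the alert task name and the marker-file action.

$lookbackHours    = 24
$since            = (Get-Date).AddHours(-$lookbackHours)
$suspectTaskNames = 'Drogon', 'Rhaegal', 'Viserion'   # task names from the post

function Get-AuditLogClears {
    # Event 1102 is written to the Security log when the audit log is cleared.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

function Get-SuspectTaskRegistrations {
    # Event 106 ("task registered") lives in the Task Scheduler operational log, which is
    # off by default on many builds. Turn it on first with:
    #   wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since
    } -ErrorAction SilentlyContinue
    # Keep only registrations whose message names one of the known tasks ("\Drogon" etc.).
    $events | Where-Object {
        $msg = $_.Message
        @($suspectTaskNames | Where-Object { $msg -like "*\$_*" }).Count -gt 0
    }
}

$clears  = @(Get-AuditLogClears)
$suspect = @(Get-SuspectTaskRegistrations)

"Audit log clears in the last $lookbackHours h : $($clears.Count)"
"Suspect task registrations                 : $($suspect.Count)"
$suspect |
    Select-Object TimeCreated, @{ n = 'Task'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

if ($suspect.Count -gt 0) {
    # Bad Rabbit schedules a reboot; Microsoft's advice, quoted in the post, is to abort it.
    shutdown -a
    Write-Warning "Suspect scheduled task(s) found; pending shutdown aborted. Isolate this host and investigate."
}

# Event-triggered alert for future log clears. schtasks /SC ONEVENT takes an XPath filter
# over the named event channel; the action here appends a line to a marker file that your
# monitoring can pick up. Replace it with a mail or SIEM-forwarding command as needed.
$taskName = 'Watch-SecurityLogCleared'
$action   = 'cmd /c echo %DATE% %TIME% Security log cleared on %COMPUTERNAME% >> C:\ProgramData\seclog-cleared.txt'
schtasks /Create /F /TN $taskName /SC ONEVENT /EC Security /MO "*[System[EventID=1102]]" /TR $action /RU SYSTEM
```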

Review US-CERT Notice

US-CERT has released a notice that simply states that they have received reports of the Bad Rabbit ransomware infecting victims in multiple countries. It does not, though, specifically state that any of those victims are in the U.S.A.

With that said, they do offer links that contain information regarding the WannaCry and Petya infections in order to review suggested steps when dealing with these types of ransomware infections.


Watch Out for SuperB

A new ransomware threat has been discovered making the rounds and once again the idea here is to separate victims from their cash.


Introducing SuperB

SuperB is a computer virus that encrypts files and appends the .enc extension to every encrypted file. The attackers warn victims that paying the ransom is the only way to restore their data.

SuperB is a file-encrypting virus. This malware prevents users from opening their files, such as images, videos, databases, and other personal and sensitive data. It adds the .enc extension to all encrypted files. SuperB then shows a ransom note stating that your important files are encrypted.

The malware creator claims that the only way to regain access to your data is through decryptor software or the private key. But to get the correct key, you first have to pay the ransom. The amount demanded is $300, which must be paid in Bitcoin. The attacker then instructs victims to download the Tor browser and visit SuperB’s web site for more information.

It is highly advised not to contact the cyber criminals and not even to think about paying the ransom. The creator of the SuperB virus will not really decrypt your files even after payment is made. Dealing with them is surely a waste of time and money.

The SuperB virus is created purely to extort money from its victims. Giving in to the demand lets these people profit from the scheme, so it is better not to deal with them. The only way to bring back your files now is from your backups.

SuperB, like most ransomware, uses a number of tricky methods to spread widely. This virus commonly reaches its target machine as a malicious email attachment. Some ransomware comes bundled with malicious downloadable programs, and some sneaks onto the computer by exploiting a system vulnerability.

What To Do If SuperB Invades Your PC

This ransomware infection has been designed mainly to scare users and trick them out of their money. It takes your files hostage and demands a ransom to return your important data. But what can you do when your system has been infected by the SuperB ransomware virus? Here are some options you can use to get rid of this nasty infection.

Don’t Panic – The first thing is not to panic. Then check your whole system for any files that still work, and copy any working files to a USB drive.

Pay Ransom – Another option is to pay the ransom and wait to get your files back. (This is a really bad option.)

Use Backup – Clean your entire system, remove the infection completely from your PC and restore your files from a backup.

Remove Infection – You can also delete the SuperB ransomware virus using a malware removal tool and remove all the infected files. You can later recover your data using a data recovery tool (in case you don’t have a backup of your files). – Recommended Method.

Reinstall Windows – The last option is to reinstall your Windows OS. It will completely remove all your data as well as the infection. You will get a completely clean, infection-free PC.


Avoiding EternalBlue

Have you heard about EternalBlue?

Tens of thousands of computers have been hit by two major ransomware attacks in recent months — WannaCry, which took down large parts of the NHS, and Petya/NotPetya, a suspected worm that’s still wreaking havoc across the globe.

At the center of these ransomware outbreaks is a Microsoft Windows security vulnerability called EternalBlue. To keep you up to speed on the exploit here’s everything known so far.

What is EternalBlue?

EternalBlue is the name given to a software vulnerability in Microsoft’s Windows operating system. The tech giant has called it EternalBlue MS17-010 and issued a security update for the flaw on March 14. The patch was issued before the WannaCry ransomware spread around the world and those who had updated early would have been protected.


The exploit targets version 1.0 of Microsoft’s Server Message Block (SMB) protocol. SMB is a network file sharing protocol that “allows applications on a computer to read and write to files and to request services” on the same network.

Microsoft rates the security update as Critical, and following WannaCry it released a rare Windows XP patch, despite having officially ended support for that system in 2014.

Can I Check to See if I Have EternalBlue?

Multiple versions of Windows are vulnerable to EternalBlue. “The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability,” Microsoft says in a statement.

The company’s security page details that Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016 can all be affected by the EternalBlue exploit.

The good news is that security group Eset has created a free tool that will check to see if the version of Windows you are running is vulnerable to EternalBlue. “The danger is not in the WannaCry ransomware itself, but in the EternalBlue exploit, which has been using the vulnerability in unpatched Microsoft systems to spread the infection to other unpatched computers,” the company explains.

How Can I Protect Against EternalBlue?

From what is known about both WannaCry and Petya, the MS17-010 vulnerability can be exploited in a number of ways. WannaCry was spread through emails, while Petya is believed, although not confirmed, to have spread through a software update from a Ukrainian company.

The best way to be protected from EternalBlue is to install the Microsoft patch detailed above. This will stop the SMB protocol being exploited even if attempts are made to do so.
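Because the flaw sits in SMB 1.0, a second line of defence is to check whether that protocol version is still switched on at all. The script below is an added example, not from the post or from Microsoft; it audits SMBv1 on a Windows host and, with the script's own -Disable switch, turns it off using the cmdlets and sc.exe commands Microsoft documents for that purpose. It complements the MS17-010 update and does not replace it.

```powershell
# Added example: audit whether SMBv1, the protocol version EternalBlue (MS17-010) abuses,
# is still enabled on this Windows host, and optionally switch it off.
# This complements installing the MS17-010 update; it is not a substitute for it.
# Run elevated. Get-/Set-SmbServerConfiguration exist on Windows 8 / Server 2012 and later;
# the SMB1Protocol optional feature exists on Windows 8.1 / 10 client SKUs.
# -Disable is this script's own switch.
param([switch]$Disable)

$smb1DriverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    $status = [ordered]@{}

    # Server side: does this host still offer the SMB1 dialect to incoming clients?
    $srv = Get-SmbServerConfiguration
    $status['ServerOffersSMB1'] = [bool]$srv.EnableSMB1Protocol

    # Component: is the SMB1 optional feature installed at all (Windows 8.1/10 clients)?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $status['SMB1FeatureState'] = if ($feat) { $feat.State.ToString() } else { 'n/a' }

    # Client side: start type of the SMB1 redirector driver (mrxsmb10). 4 = Disabled.
    $drv = Get-ItemProperty -Path $smb1DriverKey -Name Start -ErrorAction SilentlyContinue
    $status['SMB1ClientDriverStart'] = if ($drv) { $drv.Start } else { 'not present' }

    [pscustomobject]$status
}

function Disable-Smb1 {
    # Stop offering SMB1 on the server side (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 component where it is an optional feature (a reboot completes this).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Older builds (7 / 2008 R2 / 2012): disable the SMB1 client driver and drop it from the
    # workstation service's dependencies, the sc.exe commands Microsoft documents for this.
    if (Test-Path $smb1DriverKey) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

'Before:'; Get-Smb1Status | Format-List
if ($Disable) {
    Disable-Smb1
    'After (reboot to finish removing the optional feature):'; Get-Smb1Status | Format-List
}
```

Before disabling SMBv1 on a server, confirm that no remaining clients (old printers, NAS boxes, Windows XP hosts) still depend on it, since they will lose access to its shares.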

Other basic security advice should be followed, including not clicking on links from unknown email senders and not opening attachments where the source is dubious.


Petya Hackers Now Demanding $250,000

Friends, we do indeed live in a digital world. More and more, the battleground is shifting to our digital data and away from traditional battlefronts, as you can see with the growing Petya threat.

The authors behind the recent Petya ransomware attack, which rocked computers around the globe last week, have spoken out for the first time. In a message initially spotted by Motherboard on a Tor site known as DeepPaste, the Petya hackers have demanded 100 Bitcoins, currently worth more than $250,000, in exchange for a private key to decrypt disks affected by the attack.


Along with the message, the hackers have also made their first moves to recover ransom funds that were paid as part of the initial attack. From Motherboard:

At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet. A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.

According to Forbes, the hackers also provided proof that they were indeed behind the attack by providing a signature for Petya’s private key. Two security researchers confirmed to Forbes that it was real.

Following the attack last week, Microsoft noted in a post on TechNet that the Petya attack actually had far less reach than was originally expected. More than 70 percent of affected machines were based in Ukraine, where the attack started. That has led some to speculate that Petya was a state-sponsored attack intended to do damage to Ukrainian digital infrastructure.


New Ransomware Threat Spreads Globally

Here is yet another security threat that only infects those who do not keep their computers up to date.

A new ransomware called Petya, which is very similar to WannaCry, is using the EternalBlue exploit developed by the U.S. National Security Agency (NSA) to spread across the world. Ukraine’s national banks, power companies, airports, metro services and several other organizations are now under attack by Petya. The attack is spreading fast, and security companies are seeing thousands of infection attempts at the moment. More than 80 companies in Russia and Ukraine are reportedly infected already. Even the Chernobyl nuclear power plant has been hit and has switched to manual monitoring of radiation. As you can see in the image above, this ransomware demands $300 in Bitcoin, similar to WannaCry, to get the decryption code.

This Petya ransomware affects only old Windows PCs which are running without the latest updates. If you are running an up-to-date Windows 7 SP1 or a later Microsoft OS with recent updates, you don’t have to worry about this cyberattack.

Dedicated readers – I urge you to keep your computers up to date with patches & fixes provided by Microsoft.


Qakbot Attacks

Another week, another cyber-threat threatens the security of individuals and businesses alike. This latest one, Qakbot, has a special emphasis on taking down business networks. It is just the latest cyber-threat, and you can be sure that there will be many more, and even more destructive ones, to come. These threats will continue until our behavior changes in respect to how seriously we treat internet services. Security solutions are incredibly important; however, even the best security solution cannot be 100% effective in this ever-changing tech world. Cyber-criminals are continually changing their modes of attack, and security solutions are often playing catch-up. The way we interact with internet services is the key to protecting not only ourselves but each other. I touch on some of my recommendations for protecting yourself at the end of this article.


Introducing Qakbot

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor that targets the Microsoft Windows operating system and 64-bit browsers, with a particular focus on business/enterprise users, is on the loose.

Qakbot is a self-propagating kind of malware that has been circulating for several years now. The Trojan can spread not only through networks and external drives and devices but also focuses on stealing valuable credentials and taking control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which had been made even more evasive and persistent with new, polymorphic features that enable the malicious code to squat in business networks for longer and “easily thwart legacy endpoint security solutions” by the use of muddying code, as well as constantly-evolving file makeup and signatures.

The Evil Tricks of Qakbot

Once a system has been infected with Qakbot through exploit kit use, phishing campaigns or malicious downloads, the malware does not lock a system in order to hold a business to ransom.

Instead, Qakbot is able to lock out Active Directories and once credentials have been stolen, use these to spam neighboring hosts and disrupt corporate activities. In turn, this may result in the compromise of additional hosts and further spread or the user accounts related to the authentication attempts being locked out.

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.

Protecting Yourself

I do not mean to sound like a broken record each time I report on the latest security attack, but I have no choice. Protecting yourself against most security intrusions is actually quite easy, and you will find these tips throughout this fine blog. In fact what you see below is copied from my earlier post regarding the Wannacry Ransomware threat on May 15, 2017.


It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up to date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain it is legitimate and that you have requested it. If you are not sure about a hyperlink or attachment contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you back up your system files regularly. If your PC gets infected and your important files are encrypted, you can restore them later.


Thanks to ZDNet for being on top of the Qakbot story, from which much of this information was obtained.


Important Security Patches Arrive for Apple Products

This past week Apple released multiple security upgrades yesterday for its iOS, watchOS, tvOS, and macOS systems, addressing dozens of security bugs across its devices. The iOS update fixes 41 security flaws, including some that could potentially allow a remote attacker to execute malicious code on an Apple mobile device.

The update is well-timed, as most of the world is still reeling from the latest WannaCry ransomware attack that has been racing across the globe since late last week. While the ransomware attack targets Windows systems, Mac users are likely to feel a little safer knowing they have the most recent security patches installed.

Mostly Security Fixes

Apple attributed almost half of the bug discoveries to Project Zero, Google’s internal security and bug-hunting initiative. The most significant patch Apple released last week was for macOS. The update includes several fixes to the operating system’s kernel, some of which address security vulnerabilities that would allow an application to gain kernel privileges and execute arbitrary code with them.

The iBooks application received several fixes for bugs that would have, among other things, allowed a maliciously crafted book to open Web sites on its own without user permission. Meanwhile SQLite, a relational database management system, received four separate patches for issues that could have given an attacker remote access to a user’s device.

Apple’s mobile operating system, iOS, also received a major security upgrade. Several of the fixes relate to similar problems as those addressed in the macOS patch, such as the SQLite vulnerabilities, and kernel and iBooks bugs. Another major component of the OS that was patched was WebKit, a component that helps power the Safari browser.

No New Functionality, But Some Glitches Fixed

The watchOS update includes improvements and bug fixes while the tvOS update provides bug fixes and other enhancements to the fourth-generation Apple TV.

WebKit received a whopping eight patches, including several that would have permitted hackers to attack a user’s device through malicious Web content. The upgrade also changes the way Wi-Fi network credentials are handled to prevent having a person’s username and password stolen when accessing a malicious hotspot.

The security fixes will likely be the foremost in users’ minds as they rush to update their devices, but they are not the only changes Apple rolled out yesterday. While the upgrades do not appear to include any major new functionality, they do address several performance issues that should make the user experience a bit more pleasant.

On the Macintosh platform that includes a fix for the problem where audio may stutter when played through USB headphones. The update fixes an issue affecting some enterprise and education clients that may cause the system date to be set to 2040, and also prevents a potential kernel panic from occurring when starting up from a NetInstall image. All of the updates can be downloaded over the air.

If you have any Apple products, you should take the time to update their operating systems.


Mastering Password Managers

With this past week’s WannaCry ransomware scare I thought I would take a little time, again, to write about how incredibly important password management is to the security of your data. Passwords are, of course, inconvenient, time consuming and hard to remember, which is why many people do not take them seriously. However, without good password management you are taking a serious chance with your security.

I also wrote earlier this week that Microsoft is looking to kill passwords altogether for its services; however, we are not exactly sure when that is going to happen, and Microsoft notwithstanding, passwords are going to be around for quite a while yet… so you might as well master them.

Here are some of my favorite password management applications, each with a free option. My favorite is LastPass, but each will do the trick if you want to lock cyber-criminals out of your data.



There are two versions of LastPass – free and premium. Both can store an unlimited number of account logins in a secure vault protected by a master password, will complete online forms for you automatically, and can employ multi-factor authentication.

The premium edition also syncs across multiple devices, stores passwords for desktop programs, and lets you share secured folders with other people, with customizable permissions.

One of LastPass’s best features is its ability to generate strong, unguessable passwords for all your accounts, which it then stores for you. There’s no need to remember long, awkward streams of characters, or re-use the same password for multiple accounts. It’s a class act.



Dashlane is LastPass’s most serious rival, and like LastPass it’s absolutely superb with strong password security, exceptional ease of use and ability to store notes for future reference.

In addition to the Windows desktop password manager, there are browser plugins and mobile versions, and as with LastPass there’s a premium edition of Dashlane that adds unlimited syncing and sharing.

The premium edition of Dashlane costs US$39.99 per year, but the free version provides all the essentials: you get the core password manager, autofill and digital wallet features, all of which work flawlessly.



RoboForm claims to be the world’s best password manager, though its free version only lets you store up to 10 logins and lacks the breadth of features offered by some of its rivals. If you need to store more passwords, a premium account costs US$9.95 for the first year, though the mobile apps are free.

It’s available for Windows, Mac, iOS and Android, and is a good option for anybody who wants a simple and secure way to sync passwords between desktop, laptop and mobile devices.

RoboForm doesn’t have quite the same features lists as Dashlane or LastPass, but it’s a very good tool nonetheless and the free mobile apps are excellent.



It isn’t the prettiest password manager around, but KeePass Password Safe is both free and open source with strong security, multiple user support and a whole bunch of plugins to expand the app further.

The password manager is small enough to run from USB without installing on a PC, it can input from and output to a wide range of file formats and there are stacks of customization options to play with.

The fact that KeePass Password Safe is open source means anybody can inspect the code for potential weaknesses, which means that any security issues can be identified and fixed quickly. It’s a great little app, if a bit intimidating for absolute beginners.



Sticky Password comes from the team behind AVG Antivirus, so you can be confident that security is its top priority.

There are two versions of Sticky Password: free and premium. The latter adds cloud syncing and backup, and costs US$29.99, £19.99 (about AU$40) a year. There’s also a lifetime license available for $149.99, £96.99 (about AU$200) – an option not offered by any other premium password manager.

The app works on PC, Mac, Android and iOS, supports fingerprint authentication on mobile, is available as a portable USB version and offers lots of synchronisation options including Wi-Fi syncing with local devices. It doesn’t support the Edge browser just yet but it will once the Anniversary Update introduces extension support.


There you go. Give these a try. Any one of them will help you lock down your accounts, secure your data and perhaps prevent a security disaster from affecting you. The time you spend doing this will be well spent… believe me.
