The Wrath of Locky Part 2

One of the most common types of ransomware, “Locky”, all but disappeared late last year. Sadly, however, this very dangerous cyber threat has reemerged and is worse than ever. Everyone should make themselves aware of this particular threat, because once your data is infected you may never see it again.

The New Locky Brings a New Infection Mechanism

This current wave of SPAM comes in the form of emails that pretend to be payment receipts with various subjects. According to an article by My Online Security, the email subjects include Receipt 435, Payment Receipt 2724, Payment-2677, Payment Receipt_739, and Payment#229, where the numbers change.

Locky SPAM Email

These emails include a PDF attachment with a name like P72732.pdf. When these PDFs are opened, the target will be prompted to open an embedded Word document as shown below.

Malicious PDF SPAM

If the user opens the file, the Word document will open and the target will be greeted with the typical malicious Word document prompt: a request to enable macros by clicking Enable Content in order to properly see the document.

Enable Macros in Malicious Word Document

When macros are enabled, they currently download an encrypted Locky binary from http://uwdesign.com.br/9yg65, decrypt it, save it to %Temp%\redchip2.exe, and then execute it to begin the encryption process. Redchip2.exe currently has a 7/55 detection rate on VirusTotal.

Just like previous variants, Locky deletes Shadow Volume Copies using a Scheduled Task and appends the .OSIRIS extension to encrypted files. You can see the task used below.

  <!-- Element names restored from the Task Scheduler schema; the task's
       RegistrationInfo, Triggers and Principals elements did not survive extraction -->
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>Delete Shadows /Quiet /All</Arguments>
    </Exec>
  </Actions>
While encrypting files it will routinely send status updates to the Command & Control servers located at 188.120.239.230/checkupdate and 80.85.158.212/checkupdate. When done it will display the ransom note to let the victim know that they have been infected.
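As an added example (not code from the original post, nor from Locky itself), the following Python parses a Task Scheduler definition and flags any Exec action that deletes Volume Shadow Copies, the step described above; the task XML inside it is constructed to mirror the task shown, and the wmic rule is a generalization beyond what the post mentions.

```python
# Added example, not from the original post. Flags a Windows Task Scheduler
# definition whose action deletes Volume Shadow Copies, the step the post
# attributes to Locky. The task XML is constructed to mirror the one above.
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's task (element names follow the
# Task Scheduler schema; only a few Settings and the Exec action are kept).
SAMPLE_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
    <Priority>7</Priority>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>Delete Shadows /Quiet /All</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: same binary, but it only lists shadow copies.
BENIGN_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>%SystemRoot%\system32\VSSADMIN.EXE</Command>
    <Arguments>List Shadows</Arguments>
  </Exec></Actions>
</Task>"""

# (executable name, argument pattern) pairs that wipe shadow copies. The
# wmic form is a generalization the post does not mention.
SHADOW_DELETE_RULES = (
    ("vssadmin", r"\bdelete\s+shadows\b"),
    ("wmic", r"\bshadowcopy\s+delete\b"),
)

def local(tag):
    """Strip the schema namespace ElementTree attaches to every tag."""
    return tag.rsplit("}", 1)[-1]

def exec_actions(task_xml):
    """Return (command, arguments) for every Exec action in the task."""
    actions = []
    for el in ET.fromstring(task_xml).iter():
        if local(el.tag) != "Exec":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return actions

def shadow_copy_deletions(task_xml):
    """Return the Exec actions that delete Volume Shadow Copies."""
    hits = []
    for cmd, args in exec_actions(task_xml):
        # Compare on the bare executable name so path and case variants match.
        exe = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()
        exe = exe[:-4] if exe.endswith(".exe") else exe
        if any(exe == name and re.search(pat, args, re.IGNORECASE)
               for name, pat in SHADOW_DELETE_RULES):
            hits.append((cmd, args))
    return hits
```

The same check can be run over the XML that `schtasks /query /xml` exports for every task on a host.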

Locky Ransom Note

Unfortunately, at this time there is still no way to decrypt files encrypted by Locky.

Protecting Yourself Against Ransomware

As I continually recommend, you should never open an attachment from a sender that you did not request. This goes for hyperlinks in email messages that you did not request as well. If you receive email messages from “lenders” or “creditors” regarding payments, etc., that include documents, call the lender and speak to someone. Do not open the attachment or click on the hyperlink unless you are 100% certain of its legitimacy.


Technology Training Day @ West Chester

Today much of our staff got together for our quarterly technology training. Although you may not have been there, you can check out much of what we talked about right here.

We covered Microsoft Excel, Outlook, Word, OneNote, Skype for Business and the very scary situation that is Ransomware.



Skype Hit with Ransomware Threat

If you use Skype*, do not respond to any pop-up messages similar to this one:

Several people have reported receiving “fake Flash” ads in Skype which, if triggered, can lead to a ransomware attack.

It has been reported that, in an effort to infect a user’s PC with ransomware, an advertisement appears followed by the above pop-up message. The triggered ad has obviously been designed to look like the real thing. Do not be fooled. The app, when opened, would download a malicious payload, which locks the user’s computer and encrypts its files for ransom.

Many other users in the past few days have also complained of similar issues with Skype’s in-app ads, with at least two other people seeing the same “fake Flash” ad as recently as Thursday. I hope this problem has Microsoft reconsidering in-app advertisements in Skype.

All signs point to this “fake Flash” ad being a spin-off of a recent Locky ransomware campaign that also delivers a Kovter trojan, which remains on the system to carry out click-fraud and malvertising campaigns. Locky, which became one of the most notorious ransomware threats last year, uses a similar malicious JavaScript-based attack to lock computers; the scripts execute directly on Windows without the help of any other app. I wrote about Locky back in May 2016. Check it out here.

* This threat does not involve Microsoft’s Skype for Business service.


The New Dangers of Popcorn Time

A new ransomware variant known as Popcorn Time turns victims into attackers by offering a pyramid scheme-style discount.

Any user who finds themselves infected with the Popcorn Time malware is offered the ability to unlock their files for a cash payment, usually one bitcoin ($772.67).

A Nasty New Turn in Ransomware

But they also have a second option, described by the developers as “the nasty way”: passing on a link to the malware. “If two or more people install this file and pay, we will decrypt your files for free”.

The affiliate marketing scheme was discovered by security researchers MalwareHunterTeam. For now, it’s only in development, but if the software gets a full release, its innovative distribution method could lead to it rapidly becoming one of the more widespread variants of this type of malware.

How Ransomware Works

Like most ransomware, Popcorn Time encrypts the key files on the hard drive of infected users, and promises the decryption key only to those users who pay up (or infect others). But the code also indicates a second twist: the ransomware may delete the encryption key entirely if the wrong code is entered four times. The in-development software doesn’t actually contain the code to delete the files, but it contains references to where that code would be added.

Responding When Infected

Advice varies as to what users who are infected with ransomware should do. Most law enforcement organizations recommend against paying the ransoms, noting that it funds further criminal activities, and that there is no guarantee the files will be recovered anyway (some malware attempts to look like ransomware, but simply deletes the files outright).

Many security researchers recommend similarly, but some argue that it should not be on the individual victim to sacrifice their own files for the sake of fighting crime at large. Some ransomware has even been “cracked”, thanks to the coders making a variety of mistakes in how they encrypt the hard drive. Petya and Telecrypt are two types of malware that have been so defeated.


2016: The Year of the Hack

As you can see, cyber-security concerns continued to worsen in 2016 and it appears there will be more problems in 2017. Cyber-security is now a full-fledged geopolitical issue.


2016 was a record-setter for hacking incidents. Unfortunately, the headlines show no signs of slowing as we enter 2017. The concern with 2016 was that we experienced a much more diverse field of victims, ranging from celebrities, technology CEOs and political parties to Netflix and even the Olympics.

Netflix “Attacked”

On December 21, the Netflix Twitter account was hit by hacking collective OurMine, “a self-described white hat security group.” The hackers tweeted a message saying they were “just testing” Netflix security, and suggested Netflix contact them to find out more. OurMine tweeted its message, along with an email address and logo, to the nearly 2.5 million Twitter followers of @netflix, which is Netflix’s U.S. account.

Political Hacks

One of the scarier trends in 2016 was the increased use of hacking to achieve geopolitical goals. Hacking groups linked to either the Kremlin or Russian president Vladimir Putin have been accused of reverting to Cold War tactics to weaken and delegitimize countries seen as political rivals.

A hack of the World Anti-Doping Agency’s database, which resulted in the publication of private medical records for several U.S. athletes, was attributed to a group of Russian hackers going by the names “Team Tsar” and “Fancy Bear.” This group of hackers was also accused of hacking the Democratic Party’s network to find embarrassing information about then-presidential candidate Hillary Clinton.


The attack against the Democratic Party and the Clinton campaign was rumored to have been part of an orchestrated effort by Russia to use cyberwarfare to undermine the U.S. electoral process. While it’s impossible to say what, if any, effect the hack had on the election of Donald Trump, it has escalated tensions between the two countries and caused alarm within the U.S. intelligence community.

Ransomware Attacks Continue To Surge – Public Transportation Exposed

2016 also brought a large increase in ransomware attacks, with individuals being targeted by hackers who encrypt their data in order to extort cash. Perhaps the largest such attack in 2016 was against the San Francisco transit system, which was targeted by a ransomware attack that resulted in travelers receiving free rides over the Thanksgiving weekend.

Bitcoins & Cryptocurrency

This year also saw the second largest bitcoin hack in history, resulting in the theft of more than $65 million of the cryptocurrency.

Point of Sale Concerns

A gang of Russian hackers also managed to break into more than 330,000 point-of-sale machines running software by Micros, an Oracle company. The hack hit cash registers used in food chains, hotels and retail stores.

Hospital Hacks

The U.S. hospitality industry suffered one of its largest hacks ever when 20 hotels owned by HEI Hotels and Resorts discovered malware running on point-of-sale machines used throughout the country. That hack may have resulted in the theft of customer data including account and credit card numbers.

Yahoo Troubles Continue

This year there was even information about past traditional hacks involving the theft of users’ email addresses and login information. Yahoo reported that in 2013, it suffered the largest breach in history, involving more than 1 billion user accounts. That exceeds the hack of 500 million accounts in 2014 that the company also reported this year.


Facebook Messenger Conduit for New Malware

Earlier this week hackers temporarily found a way to bypass Facebook’s filtering systems to deliver malicious Chrome extensions to users. These then opened the way for even worse malware downloaders that are capable of delivering a range of Trojans and other programs to your desktop. The .svg files sent to users got around Facebook’s file extension filter. This is because .svg is a relatively new file format and as a result hackers have room to experiment with it against existing filtering systems.


The image leads to a fake YouTube item, which demands you add a codec to view the video on Chrome. Once this is done permission is given to read and change all your data on the websites you visit. This also can download other malware to your machine.

Anyone who encounters the suspicious .svg files should disable JavaScript in their browser, block Wscript, or set any files with the extensions .svg, .js, and .jse to open only in Notepad — the latter technique defeats the code’s ability to execute itself in your browser when you click on the image.
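The reason an .svg file can behave like a program is that SVG is XML and may carry script elements, event-handler attributes and javascript: links. As an added example (not code from the original post), the following Python scans an SVG for exactly that active content; both SVG documents in it are constructed samples.

```python
# Added example, not from the original post. Scans an SVG document for the
# kinds of active content that let an image file run code when opened:
# <script> and <foreignObject> elements, on* event attributes and
# javascript: links. Both SVG samples below are constructed for this demo.
import xml.etree.ElementTree as ET

# Constructed lure: looks like a video thumbnail but carries a script and a
# javascript: link (the URLs are placeholders, not indicators from the post).
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="200">
  <rect width="300" height="200" fill="#222"/>
  <text x="40" y="110" fill="#fff">Click to play video</text>
  <a xlink:href="javascript:window.open('http://video.example/')">
    <circle cx="150" cy="100" r="30"/>
  </a>
  <script type="text/javascript">window.location = 'http://lure.example/codec';</script>
</svg>"""

# Constructed clean image: plain shapes, no script, no handlers.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignObject"}

def local(name):
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1]

def svg_active_content(svg_text):
    """Return (element, reason) findings; an empty list means nothing active."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append((tag, "active element"))
        for attr, value in el.attrib.items():
            aname = local(attr).lower()
            if aname.startswith("on"):
                findings.append((tag, "event handler " + aname))
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: link"))
    return findings
```

A mail or upload gateway can reject an .svg outright when this returns anything, which is a narrower fix than opening every .svg in Notepad.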

Protecting Yourself with Good Habits

As always, you should avoid clicking on unsolicited messages in Facebook Messenger, your email client, or your SMS, as was the case a few days ago with a fake Apple ID phishing attack through text messages.

Stolen Credentials and Worse

At a minimum, this .svg trick stole users’ credentials on the social media platform to propagate itself through their contact lists. At worst, it is installing malware downloaders, with these then potentially acting as vectors for advanced ransomware like Locky that infects and locks people out of their computers.

Ransomware

Ransomware does exactly what its name says. When a user downloads the malicious program, it locks them out of their files and system by encrypting the content, then notifies them that the only way to recover their desktop is by paying the hackers for a solution.

This would appear to be the case with the .svg files coming through Facebook, which is now filtering the content and conducting its own investigation.



Ransomware Mimics Windows Activation Screen

A new screen-locking ransomware, posing as a Windows activation window and asking users to call a toll-free number to regain access to their PC, is targeting mainly people in the US.


The ransomware was first spotted by security researcher S!Ri and then by Symantec’s team, and it is not distributed en masse like other threats, with just a few infections here and there.

What makes this ransomware different are some of the details that reveal this is not your casual screen-locker ransomware bought off the Dark Web by a small-time crook, but something that was well planned in advance.

Ransomware distributed via freedownloadmanager.exe file

First and foremost, infections occur via a program called freedownloadmanager.exe, which some users might install on their computer.

This actually installs the ransomware, which takes over the user’s computer and shows a screen with the standard Windows 10 wallpaper and an input field. Above this input field is the following message:

Your Windows Licence has Expired, Please get a new one by calling on 1-888-303-5121

Above this message are the icons of two applications, LogMeIn and TeamViewer. Both are legal and safe apps that allow someone to log onto a remote computer.

The role of these shortcuts is unclear at the moment, but they might be fully working applications packed inside the ransomware that might allow a crook to log into the user’s desktop to reactivate the computer when calling the toll-free number.

Nobody answers the toll-free number

This is only speculation since Symantec called the number shown on the screen, as a test, but nobody answered for 90 minutes. As such, the price it might take to unlock this type of ransomware is unknown at the moment.

Things get weirder when searching Google for the toll-free number. This search yields a large number of results that advise users to pay the fee to get rid of the activation screen.

Symantec says that these look like poisoned search results, most likely created and promoted using black hat SEO techniques by the hackers to convince users to pay for the activation fee.

Fortunately, Symantec’s developers and VMRay developer Chad Loeven have discovered that typing 8716098676542789 in the activation field will remove the ransomware.


Outlawing Ransomware?

Legislation has yet to catch up with technology. Perhaps, finally, legislators will begin to understand that they have some power to actually protect consumers where new technologies are concerned. There is hope coming out of California where tech law is concerned.

State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.

The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.

Ransomware has become a lucrative industry over the last three years, affecting schools, police departments and healthcare businesses. Trojans that work like viruses, such as CryptoLocker — which began appearing in 2013 — can be unleashed by users with few technical skills and reel in profits.

Proponents say the proposed ransomware law is the right step to counter attacks difficult to prosecute under existing statutes that are not tailored to combat computer crime. But some question just who will get caught in the dragnet, as such incidents are tough to trace and culprits are often overseas.

Victims nationwide lost more than $209 million in ransomware payments in the first three months of 2016 alone, compared with $25 million in all of 2015, according to the FBI.

But no arrests were made. Nor were arrests made in more than half a dozen ransomware incidents investigated by the Cyber Investigation Response Team of the Los Angeles County district attorney’s office, which is a co-sponsor of the bill.


Ransomware Defined

Ransomware attacks are instigated when a person clicks on a compromised website or opens an infected email. The programs encrypt files, such as photographs, videos or documents, and they cannot be accessed without an encryption key.

Security researchers first saw similar attacks in 1989, when the so-called AIDS Trojan virus locked people out of their files if they clicked through a quiz about their sexual and drug habits. Ransomware has evolved over the last decade with the creation of “police screen lockers,” pop-up screens that appear to be created by law enforcement agencies that fraudulently order people to pay fines after accusing them of downloading pirated movies or child pornography.

At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.


Beware Locky

The internet can be a very scary place.

Over the past week, computers throughout Europe and other places have been hit by a massive email spam campaign carrying malicious JavaScript attachments that install the Locky ransomware program.

Antivirus firm ESET has reported a spike in detections of JS/Danger.ScriptAttachment, a malware downloader written in JavaScript that started on May 22 and peaked on May 25.

Many countries in Europe have been affected. The company’s telemetry data also showed significant detection rates for this threat in Canada and the U.S.

JS/Danger.ScriptAttachment can download various malware programs, but recently it has been used to primarily distribute Locky, a widespread, malicious program that uses strong encryption to hold users’ files hostage.

While Locky doesn’t have any known flaws that would allow users to decrypt their files for free, security researchers from Bitdefender have developed a free tool that can prevent Locky infections in the first place. The tool makes the computer appear as if it’s already infected by Locky by adding certain harmless flags, which tricks the malware into skipping it.

The use of JavaScript-based attachments to distribute Locky began earlier this year, prompting Microsoft to post an alert about it in April.

The attachments are usually .zip archive files that contain .js or .jse files inside. These files will execute directly on Windows without the need for additional applications.

However, it is very uncommon for people to send legitimate applications written in JavaScript via email, so users should avoid opening this kind of file.
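As an added example (not code from the original post), the following Python triages a mail attachment the way a gateway would for the lure just described: it opens a .zip and reports members whose final extension Windows Script Host runs directly. The archive is built in memory from constructed data, and the extension list goes beyond the post's .js/.jse to the other script types WSH executes.

```python
# Added example, not from the original post. Flags members of a zip
# attachment that Windows would execute as scripts, the delivery shape the
# post describes for Locky (.zip containing .js or .jse). The archive below
# is constructed in memory so the check runs without a real sample.
import io
import zipfile

# Extensions Windows Script Host or the shell runs directly. .js and .jse are
# the ones named in the post; the rest are a generalization to other WSH types.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

def build_sample_zip(members):
    """Build a zip archive in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def script_members(zip_bytes):
    """Return the names of archive members Windows would run as a script."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the last suffix counts: "invoice.pdf.js" is still a .js
            # file, and trailing spaces are stripped by the Windows shell.
            name = info.filename.rsplit("/", 1)[-1].rstrip()
            suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if suffix in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits

# Constructed lure: folder named like the post's subject lines, double-extension
# script inside. The script body is a placeholder, not real malware.
LURE_ZIP = build_sample_zip({
    "Payment Receipt_739/invoice.pdf.js": b"// constructed placeholder script body",
    "Payment Receipt_739/readme.txt": b"see attached",
})
# Constructed benign archive: an ordinary photo upload.
CLEAN_ZIP = build_sample_zip({"photos/holiday.jpg": b"\xff\xd8\xff\xe0"})
```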

Will Locky make it to the United States in a big way? I hope not. However, be sure to be aware of it and use all of the security tips we have recommended in the past.


Protect Yourself Against Ransomware

If you are a regular reader of this fine technology blog you must know that ransomware is dangerous, malicious and becoming more widespread with each passing day. You do not need to panic because there are steps you can take to minimize the risk that your computer will be infected.

Update Often

Make sure that your software, operating system and plug-ins like Java and Flash are kept up-to-date by turning on their automatic update feature.

Some hackers are exploiting vulnerabilities in those programs to install ransomware automatically when consumers visit hacked websites.

Back-Up Your Data

If your files are locked by ransomware, the only way to recover them without paying the ransom is from backup copies. If you are not yet doing regular backups, you should start.

Even if you are doing regular backups, beware. Some ransomware can find and encrypt files on anything that looks like an attached drive, including external hard drives you may have connected, drives you may have on your local network, or cloud services like Dropbox and OneDrive.

To protect yourself use cloud backup services like Carbonite or Mozy in addition to an external hard drive that you disconnect after each backup. You should back up your data in multiple places or on to multiple drives.

Run Anti-Virus Software

First, keep it up to date and set it to scan for viruses automatically. Anti-virus software can usually detect and block known ransomware.

However, be aware that anti-virus programs typically struggle to identify and protect your computer from new versions of ransomware, so they are not a perfect solution. Some anti-malware programs can act as a kind of backup, allowing you to undo changes ransomware and other malware have made to your computer.

Think Before You Click

This may be one of the most important tips here. Be skeptical of links or documents sent to you in email and be wary of clicking on them. A good rule here is that if you did not specifically request the links or documents, contact the sender directly (in person or by phone) and verify the legitimacy of the email before clicking on anything.

