Category Archives: Malware

Cyber Ransom vs. Ransomware

By now, we have all heard about ransomware as it has taken over the cybersecurity scene over the last couple of years. However, we want to make sure that everyone is clear about the difference between cyber ransom and ransomware, as there is a very clear distinction. Cyber ransom and ransomware attacks have been the most popular forms of cyberattacks as of late.

Cyber Ransom

The most common form of cyber ransom is through a distributed denial of service (DDoS) attack. In a DDoS attack, hackers flood a business’ site with data requests, overwhelming the site’s legitimate functions. The flooding eventually forces that website to shut down. As far as the ransom is concerned, cybercriminals will threaten to launch an attack on an organization’s site unless the organization pays a ransom fee of a certain Bitcoin amount.

Another form of cyber ransom is corporate extortion, which is becoming more and more popular. This type of attack can be carried out in several ways. One approach, which Domino’s in Europe was hit with, is where a cybercriminal sends out a ransom letter threatening businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, or fraudulent delivery orders.

Another variation of corporate extortion is a data breach: cybercriminals gain access to a company’s network and gather sensitive data. The data collected is usually information on the company’s clients, such as credit card numbers, social security numbers, email addresses, and login credentials. While this sounds like the data breaches we have heard about recently (Yahoo, Adult Friend Finder, and several social media sites), cybercriminals involved in corporate extortion are in it for the money. Once they have performed the data breach, they threaten to publicly release the information unless the company pays a set ransom fee.

Ransomware

Ransomware is the most common form of cyberattack seen today. In a ransomware attack, the cybercriminal will infect a machine with malware that encrypts all or some files on a user’s computer. Once the encryption process has completed, a ransom note will appear on the victim’s screen demanding payment in order to receive the decryption key. Payment for the decryption key is usually made in Bitcoins, which are extremely hard to trace back to the hacker. Ransomware is most commonly distributed through phishing campaigns where cybercriminals will send emails embedded with malware. Once the user on the receiving end clicks on a link or opens up an attached file, the malware will begin to download, and the encryption process will begin.

Cyber Ransom and Ransomware Connected

  • Cyber Ransom – Cybercriminals threaten to launch a DDoS attack on an organization’s site unless the organization pays a ransom fee.
  • Ransomware – Cybercriminals infect machines with malware that encrypts all or some files, then demand a ransom fee to receive the decryption key.


When put in these terms, cyber ransom and ransomware seem like they wouldn’t be connected at all. However, cybercriminals are becoming more and more sophisticated with their attacks every single day. So, here’s the kicker. Cybercriminals are starting to use the threat of DDoS as a ‘smokescreen’ for more wicked attacks, such as ransomware. The hackers use DDoS attacks to distract the IT department so they are able to slip under the radar without being detected. While the DDoS attack, or the threat of one, will only distract IT staff for a short time, that’s all the time hackers need. While the IT staff scramble to handle the momentary network outages, hackers can use automated scanning or penetration techniques to map a network and install ransomware.

To stop these types of attacks, look at some of the new technologies that continuously monitor your network traffic.

Ransomware Infection Causes Loss of 8 Years Of Police Department Evidence

Oh, when will you learn to “BACKUP” your data? Check your backups before you have an issue!!!

The Police Department in Cockrell Hill, Texas announced in a press release that it lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video, and sections of in-car video, in-house surveillance video, photographs, and all their Microsoft Office documents. OUCH.

Eight years worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup Procedure Kicked In After Locky Infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH.
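The failure mode above, a backup job faithfully copying already-encrypted files over the last good copy, can be caught before the rotation happens. The Python check below is an added example, not the department’s or any vendor’s tooling; it assumes the backup job can hand it the previous and current snapshots as name-to-bytes maps, and every sample file content is constructed.

```python
"""Pre-rotation sanity check for a backup set.

Added example for this post, not the department's tooling: before the backup job
overwrites the previous copy, compare the new snapshot with the old one and hold
the rotation if files that used to be ordinary documents now look like ciphertext
(near-maximal byte entropy) or have reappeared under a new extension. All file
contents below are constructed in-memory samples.
"""
import math
import os
from collections import Counter
from typing import Dict, List

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted data sits close to 8.0
MAX_SUSPECT_RATIO = 0.05  # hold rotation if more than 5% of files look hit


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def assess_backup_set(previous: Dict[str, bytes], current: Dict[str, bytes]) -> dict:
    """Compare a new snapshot against the previous backup.

    Media and archives are high-entropy by nature, so a file is only reported as
    newly encrypted when it was low-entropy in the previous snapshot. A file whose
    old name is now a prefix of a new name (report.docx -> report.docx.locky) is
    reported as renamed.
    """
    newly_encrypted: List[str] = []
    renamed: List[str] = []
    for name, data in current.items():
        if name in previous:
            if not looks_encrypted(previous[name]) and looks_encrypted(data):
                newly_encrypted.append(name)
        else:
            stem, _ = os.path.splitext(name)
            if stem in previous:
                renamed.append(name)
    suspects = set(newly_encrypted) | set(renamed)
    ratio = len(suspects) / max(len(current), 1)
    return {
        "newly_encrypted": newly_encrypted,
        "renamed": renamed,
        "suspect_ratio": ratio,
        "hold_rotation": ratio > MAX_SUSPECT_RATIO,
    }


# Constructed samples: a text document, a high-entropy "video" stub, a small
# "photo", and the same set after a Locky-style infection.
PLAIN = b"Incident report 2016-12-12. Officer notes: routine patrol, no arrests.\n" * 40
CIPHERTEXT = bytes((i * 7919 + 13) % 256 for i in range(2816))  # flat histogram: 8.0 bits/byte

GOOD_SNAPSHOT = {
    "evidence/report-2016-12-11.docx": PLAIN,
    "evidence/bodycam-0412.mp4": CIPHERTEXT[:600],   # compressed video is high-entropy anyway
    "evidence/photo-0099.jpg": PLAIN[:256],
}
INFECTED_SNAPSHOT = {
    "evidence/report-2016-12-11.docx": CIPHERTEXT,        # encrypted in place
    "evidence/bodycam-0412.mp4.locky": CIPHERTEXT[:600],  # renamed with ransomware extension
    "evidence/photo-0099.jpg": PLAIN[:256],               # untouched
}

if __name__ == "__main__":
    print(assess_backup_set(GOOD_SNAPSHOT, INFECTED_SNAPSHOT))
```

Run the check between the snapshot and the overwrite step of the backup job; a `hold_rotation` of True should stop the job and page someone rather than quietly proceed.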

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a cloned (spoofed) email address imitating a department-issued email address. Security awareness training would likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand.

New Phishing Campaign Targeting Gmail Users

A new phishing campaign has been discovered this week that targets even the most tech-savvy Gmail users. By posing as someone you may know, cybercriminals are gathering personally identifiable information that could be leveraged against the individual or against your company. Learn how the newest phishing campaign works and how you can keep yourself and your company safe from becoming the next victim.

What is Phishing?

Phishing is nothing new to the cybersecurity world. However, it is often mistaken for general spam email, which is how many forms of ransomware are distributed. Take the newest form of ransomware, Spora, as an example. Spora is distributed through spam emails disguised as invoices for charges that victims didn’t make. These emails come from an individual or organization that is unknown to the potential victim.

What’s different about phishing is that the emails are coming from a known contact whose account has been compromised. Or, the emails are coming from someone who you think you know, but the email address has been changed by a letter or two. For example, JohnSmith@gmail.com compared to JohnSmith@gmails.com. Notice the ‘S’ at the end of Gmail on the second example.

Phishing campaigns can certainly be used to distribute ransomware. However, it would take the cybercriminal much more time to distribute the emails as they are more sophisticated attacks. The targets of phishing campaigns using ransomware would be high-profile targets where a large ransom can be demanded.

Most phishing emails contain an attachment or link set up to trick the user into divulging personally identifiable information such as financial information, login credentials, or credit card details.

Gmail Phishing Campaign

As mentioned before, the new Gmail phishing attack can trick even the most tech-savvy users. The attack works like this:

  • Hackers breach someone’s Gmail account and look through emails for correspondence containing attachments.
  • They then send emails from the compromised account, with each email leveraging similarities to prior communications, so as to make the new messages seem legitimate and familiar. Hackers will even use subject lines that were used in the past.
  • Here’s where the hack takes place. The email is embedded with an image of an attachment that has been used in the past. Rather than opening the attachment, clicking on the image will lead the user to a phishing page that looks like a Google login. Because the user is opening a Gmail attachment, the presentation of a phony Gmail login page does not sound any alarms.
  • Once the new victim enters their credentials into the phony Google login page, the hackers now have access to the victim’s account.

It’s believed that this phishing campaign has been going on for about a year with increasing intensity. How are these hackers using this campaign against their victims? Take a moment to think about all the ways your email account is used for everyday purposes. The first thing that comes to my mind is my banking sites. We have all forgotten a username or password before, right? How do you recover or reset your credentials? Enter your email address, and they will send you a temporary password or a code to reset your credentials. All a hacker has to do is search through your emails, find what banks you use, and go to those sites to request a reset to these credentials. In as little as five minutes, these cybercriminals have access to all of your personally identifiable information.

How can you stay safe?

Below are some tips, rather, necessities you need to implement into your everyday life to stay safe from phishing campaigns.

  • First, for the Gmail campaign, using two-factor authentication (2FA) can protect your Gmail account from being compromised. While it may be a pain to log in to your account this way every time, it could save you from becoming a victim. 2FA basically means that you will need to use your password as well as a temporary code sent via text message to log in to your Gmail account. If hackers have access to your password but not the temporary code, they won’t be able to log in to your account.
  • Always think twice before entering login credentials. For the Gmail campaign, why would you have to enter your login credentials again if you were already on the site? Second, do not log into sites via login pages generated by clicking links. Always go directly to the site through entering the URL into the Web browser.
  • Never enter passwords or other sensitive information into any Website with a data:text URL. Furthermore, do not rely on warnings by Web browsers. The red warning used on insecure Websites, the certificate warnings used for invalid certificates, and the ‘unsafe site’ messages often do not appear for data:text URLs.
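To make the look-alike address tip and the data: URL tip concrete, here is an added Python triage check (example code, not from the original post). The trusted-domain list, the known-legitimate list and the sample messages are assumptions constructed for the demo.

```python
"""Phishing triage checks for the two indicators described in this post.

Added example, not code from the original article: it flags sender domains that
sit a character or two away from a domain you trust (JohnSmith@gmails.com versus
gmail.com) and links that use a data: URL instead of a real site. The trusted
domain list and the sample messages are constructed for the demo.
"""
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the domains your organisation actually expects mail from.
TRUSTED_DOMAINS = ("gmail.com", "google.com", "accounts.google.com")
# Assumption: legitimate domains that happen to be close to a trusted one;
# without this list "mail.com" would be flagged as a look-alike of gmail.com.
KNOWN_LEGITIMATE = ("mail.com",)
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning `a` into `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """'John Smith <JohnSmith@gmails.com>' -> 'gmails.com'."""
    addr = address.strip().rstrip(">").rsplit("<", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is fine."""
    if domain in TRUSTED_DOMAINS or domain in KNOWN_LEGITIMATE:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= MAX_EDIT_DISTANCE:
            return trusted
    return None


def is_data_url(url: str) -> bool:
    """data: URLs render attacker-supplied HTML with no real origin and no
    certificate, so the browser shows none of its usual warnings."""
    return urlparse(url.strip()).scheme.lower() == "data"


def triage(sender: str, links: List[str]) -> List[str]:
    """Human-readable findings for one message; an empty list means no indicator hit."""
    findings = []
    domain = sender_domain(sender)
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} looks like {imitated!r}")
    for url in links:
        if is_data_url(url):
            findings.append(f"link is a data: URL, not a real site: {url[:40]!r}")
    return findings


# Constructed sample messages mirroring the post's examples.
SAMPLE_MESSAGES = [
    ("John Smith <JohnSmith@gmail.com>", ["https://accounts.google.com/signin"]),
    ("John Smith <JohnSmith@gmails.com>", ["https://example.net/invoice"]),
    ("Colleague <colleague@gmail.com>", ["data:text/html,login%20form"]),
]

if __name__ == "__main__":
    for sender, links in SAMPLE_MESSAGES:
        print(sender, "->", triage(sender, links) or "no indicators")
```
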

Be Prepared

Phishing campaigns can be used for ransomware attacks and gathering personally identifiable information on victims. However, they can also be the ‘in’ for hackers to gain access to a company’s servers and databases. Did you know? The average cost of a data breach in 2016 was $4 million, up from $3.8 million in 2015. How would a $4 million data breach affect your company? Would you be able to survive? Employees are and probably always will be the weakest link in the cybersecurity chain. Make sure your employees are educated not only on the persistent threats of cyberattacks and how to stay safe but the effect a cyberattack could have on your company. Unfortunately, this could be one of the biggest factors for continued success for your company.

GoldenEye Ransomware – A New Variant of Petya Ransomware

The creators of Petya ransomware, going by the name of Janus, have come out with a new variant tabbed as GoldenEye ransomware. Continuing with the James Bond theme, the GoldenEye ransomware is almost identical to past versions of Petya and Mischa variants.

Petya Ransomware History

The Petya ransomware emerged on the cybersecurity scene back in March 2016. Typically, when a user becomes infected with ransomware, the malware targets and encrypts files on the victim’s hard drives. By doing this, the malware leaves the operating system working properly. However, Petya takes it to the next level. Instead of encrypting files on the hard drive, the ransomware encrypts portions of the hard drive itself, making the user unable to access anything on the drive, including Windows.

The ransomware is distributed via emails that target human resource departments. The emails contain a Dropbox link to supposed applications that download a file and when executed, install the Petya ransomware on the system.

In May, two months after the release of Petya, the ransomware was bundled with a second file-encrypting program for cases where it cannot replace a computer’s master boot record to encrypt its file table. Before encrypting the computer’s master file table (MFT), the ransomware replaces the computer’s master boot record (MBR), which contains the code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves the computer unable to boot.

However, in order to overwrite the MBR of the computer it infected, the malware needs to obtain administrator privileges. In previous versions of Petya, if it failed to obtain administrator privileges, the infection routine stopped. The latest variant, dubbed Mischa, installs another ransomware program that begins to encrypt users’ files directly, which doesn’t require administrator privileges.

In summary, Petya starts off by distributing the ransomware through an email posing as a job application. Once executed, the fake file attempts to download Petya, and if that fails, it installs Mischa. This dynamic duo ensures that the cybercriminals will encrypt your hard drive, leaving you unable to use your system until you have paid the ransom.

GoldenEye Ransomware

Like the earlier version of Petya, the GoldenEye ransomware is distributed via emails. Posing as job applications, the emails include two file attachments that are supposedly resumes and have a subject starting with the word Bewerbung. As you can see in the email below, GoldenEye is targeting German users.

One of the attachments is a fake resume that is used to convince members of the human resource department that the email is legitimate. The second attachment is an Excel spreadsheet containing a malicious macro, which is the installer for the GoldenEye ransomware. In the spam emails that have been circulating over the past couple of days, the following Excel file names have been observed spreading GoldenEye.

  • Wiebold-Brewerbung.xls
  • Meinel-Brewerbung.xls
  • Seidel-Brewerbung.xls
  • Wust-Brewerbung.xls
  • Born-Brewerbung.xls
  • Schlosser-Brewerbung.xls

When a user clicks on the ‘Enable Content’ button, the macro will launch and save the embedded file into an executable file in the temp folder. Once the file has finished being created, the malware will automatically launch, beginning the encryption process on the computer.
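As an added example (not from the post or any product), here is a Python mail-gateway check for the pattern described above: an external sender, a subject starting with Bewerbung, and a spreadsheet whose leading bytes identify it as a macro-capable legacy Office container regardless of its file name. The internal domain, the addresses and the attachment bytes are constructed assumptions.

```python
"""Mail-gateway attachment check for the Bewerbung campaign pattern.

Added example, not code from the post or any vendor: it identifies an
attachment's real container format from its leading bytes instead of trusting
the file name, and holds a message when an application-themed subject arrives
from outside the organisation with a macro-capable spreadsheet attached.
Sample attachments and addresses are constructed for the demo.
"""
import os
import re
from typing import List, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container, can carry VBA
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.xlsx/.xlsm/.docm) container
OOXML_MACRO_EXTENSIONS = {".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm"}
OFFICE_EXTENSIONS = OOXML_MACRO_EXTENSIONS | {".xls", ".xlt", ".doc", ".dot", ".xlsx", ".docx"}
INTERNAL_DOMAIN = "example.com"                    # assumption: your own mail domain
APPLICATION_SUBJECT = re.compile(r"^\s*Bewerbung\b", re.IGNORECASE)  # German: job application


def container_format(content: bytes) -> str:
    """'ole2', 'ooxml-zip' or 'other', decided from the leading bytes only."""
    if content.startswith(OLE2_MAGIC):
        return "ole2"
    if content.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "other"


def attachment_risk(filename: str, content: bytes) -> str:
    """Classify one attachment.

    'macro-capable': a container that can carry VBA (any OLE2 file, or an OOXML
    file with a macro-enabled extension); 'mismatch': an Office extension on a
    file that is not an Office container (the extension was faked); else 'low'.
    """
    ext = os.path.splitext(filename)[1].lower()
    fmt = container_format(content)
    if fmt == "ole2":
        return "macro-capable"
    if fmt == "ooxml-zip" and ext in OOXML_MACRO_EXTENSIONS:
        return "macro-capable"
    if fmt == "other" and ext in OFFICE_EXTENSIONS:
        return "mismatch"
    return "low"


def decide(sender: str, subject: str,
           attachments: List[Tuple[str, bytes]]) -> Tuple[str, List[str]]:
    """Return ('quarantine' | 'review' | 'deliver', reasons).

    Policy for the demo: internal mail is trusted; external mail with a risky
    attachment is reviewed, and quarantined outright when the subject matches
    the job-application theme of the campaign.
    """
    external = sender.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    application_themed = bool(APPLICATION_SUBJECT.search(subject))
    reasons = []
    for name, data in attachments:
        risk = attachment_risk(name, data)
        if risk != "low":
            reasons.append(f"{name}: {risk}")
    if not reasons or not external:
        return "deliver", reasons
    if application_themed:
        return "quarantine", reasons
    return "review", reasons


# Constructed attachment stubs: only the leading bytes matter to the check.
OLE_XLS = OLE2_MAGIC + b"\x00" * 504
OOXML_XLSX = ZIP_MAGIC + b"\x00" * 26 + b"[Content_Types].xml"
PDF_RESUME = b"%PDF-1.4\n% constructed resume stub\n"

SAMPLE_MESSAGES = [
    ("bewerber@webmail-example.net", "Bewerbung als Sachbearbeiter",
     [("Lebenslauf.pdf", PDF_RESUME), ("Wiebold-Bewerbung.xls", OLE_XLS)]),
    ("hr@example.com", "Bewerbung weitergeleitet", [("Kandidat.xlsx", OOXML_XLSX)]),
    ("vendor@example.net", "Q4 pricing", [("prices.xls", OLE_XLS)]),
    ("recruiter@example.org", "Bewerbung", [("Lebenslauf.pdf", OLE_XLS)]),  # OLE2 bytes behind a .pdf name
]

if __name__ == "__main__":
    for sender, subject, attachments in SAMPLE_MESSAGES:
        print(subject, "->", decide(sender, subject, attachments))
```
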

Here is where GoldenEye differs from the earlier combination of the Petya/Mischa version. Instead of running Petya first and trying to gain administrative privileges to overwrite the MBR and then running Mischa to encrypt files, GoldenEye does the opposite.

Starting just like any other ransomware, GoldenEye encrypts the user’s files and appends a random 8-character extension. This is the Mischa part of the ransomware. Shortly after displaying the ransom note, GoldenEye enters the Petya part of the encryption process. The ransomware forcibly reboots the user’s computer and enters the stage where it starts encrypting the hard drive’s MFT, which makes it impossible to access any files on the hard drive. This process is masked by a fake ‘check disk (chkdsk)’ screen, as seen below.

Once this process ends, you will see a new ransom screen using yellow-colored text, hence the name ‘GoldenEye.’ The GoldenEye ransom note is shown below.

The GoldenEye ransomware has seen incredible numbers compared to the Locky ransomware, which has been one of the most successful ransomware families to date. Last Wednesday (December 7, 2016), GoldenEye infected 160 users in Germany alone, while Locky’s best day over the last month infected 375 users across 30 countries. The ransom for the encryption key is currently set at 1.33 bitcoins, which equates to roughly $1,000.

Why Clickjacking Is More Intrusive Than You Think

Another great post from a guest writer, Vlad De Ramos


Regardless of the size of your business or data, clickjacking should be your concern. There’s no such thing as a minor issue when it comes to your security on the web.

The discovery of clickjacking dates back to 2008, when computer security experts Robert Hansen and Jeremiah Grossman first divulged it at the OWASP NYC AppSec Conference. At the time, the duo described it as another form of zero-day attack, referring to a software vulnerability that’s unknown to its vendor and that hackers are quick to exploit.

Browser or network services are prone to clickjacking attacks, which target legitimate content on websites by layering it with malicious links or buttons without the knowledge of the website administrator or end users. Clicking on those links redirects users to phony websites, exposing the victims to the attacker’s malicious code.

How Serious a Threat is Clickjacking?

In 2010, the social media enterprise Facebook unknowingly became a platform where a number of clickjacking attacks were launched. The series of scams was made possible by enticing users to Like and Share posts that either tricked people into giving out their cell phone number for a survey or loaded a fan page onto their profile. Unknown to the unsuspecting victims, they were being charged on their phone bills and sharing con sites on their Facebook page.

Given the creativity of criminal hackers, clickjacking can be used against businesses in several ways.

1. Data can be illegally obtained or manipulated.

Research from CyberKeel, a Danish maritime security specialist firm, revealed in 2015 that 18 out of 20 cargo vessels are prone to clickjacking.

Through clickjacking, a shipper logs into or registers on a fake website mirroring the legitimate carrier’s site. As the shipper provides personal information, the attacker is waiting to intercept that information and make fraudulent transactions on behalf of the shipper.

The possibilities for how the shipper’s information can be misused are endless. Hackers may use it to access shipment information, transport banned cargo, modify shipping documents, or steal cargo altogether.

2. Sneaky money making schemes.

Criminal hackers can replicate legitimate emails to lure people into clicking a link. Once done, the user will be redirected to a landing page which contains a button hiding the attacker’s code. If the victim interacts with the malicious code, it will execute a command that will transfer money to the attacker.

This requires social engineering and a susceptible victim which makes clickjacking a medium risk, but the impact of the scheme is high because this technique can be used to execute other attacks such as keylogging and theft.

3. Spamming your entire network.

This vulnerability requires interaction, as victims have to voluntarily interact with the malicious page. If a user falls for the technique, it can potentially expose confidential information or give the attacker control of the user’s account or computer, which can lead to an unauthorized user spamming the victim’s network of friends or contacts with more malicious links or viruses from that account.

How Can Clickjacking Be Countered?

Back when clickjacking was first announced to the public, the first recourse was to encourage web users to use text-only browsers. This way hackers can’t embed their malicious code on graphic elements.

Although web developers are responsible for, and have the major role in, designing websites and code that keep those websites free of vulnerabilities, users also have a significant role in preventing malicious attacks:

  • Turn off or disable scripts and plugin content, which are the most common clickjacking targets during browsing sessions.
  • Always make sure that your browser is updated to the latest version, as newer versions also offer improved security measures.
  • Pay attention to the browser’s warning notifications saying there might be some element hidden in the content you were trying to access.
  • Keep your antivirus software as up to date and secure as possible.
  • Be extra vigilant when web pages load too slowly, which may indicate suspicious activity within the site.
  • Coordinate with your IT specialists for tools and new developments.
  • Do not click any link in emails from unknown sources. Delete them immediately.
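The user-side advice above has a server-side counterpart that the post only touches on when it says web developers carry the major role: the site owner tells browsers not to frame the page, via the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. The following Python check is an added example, not the guest author’s code; it evaluates a response’s headers for that protection, and the header sets are constructed samples rather than captures from any real site.

```python
"""Server-side framing check: does a response forbid being embedded in a frame?

Added example, not from the guest post or any product it names. Clickjacking
loads a legitimate page inside an attacker-controlled frame and layers invisible
elements over it, so the site owner's defence is to tell browsers not to frame
the page: X-Frame-Options, or frame-ancestors in Content-Security-Policy.
The header sets below are constructed samples.
"""
from typing import Dict, List, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> List[str]:
    """Source list of the frame-ancestors directive, or [] if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return []


def framing_verdict(headers: Dict[str, str]) -> dict:
    """Classify a response as 'protected', 'weak' or 'unprotected' against framing.

    Browsers that understand frame-ancestors ignore X-Frame-Options when both are
    present, so CSP is evaluated first: a DENY next to 'frame-ancestors *' buys
    nothing. ALLOW-FROM is obsolete and ignored by current browsers.
    """
    csp = _get_header(headers, "Content-Security-Policy") or ""
    ancestors = frame_ancestors(csp)
    if ancestors:
        # '*' or a bare scheme such as https: lets any origin frame the page.
        open_sources = [a for a in ancestors if a == "*" or a in ("http:", "https:")]
        if open_sources:
            return {"verdict": "unprotected",
                    "reason": "frame-ancestors allows any origin: " + " ".join(open_sources)}
        return {"verdict": "protected", "reason": "CSP frame-ancestors " + " ".join(ancestors)}
    xfo = (_get_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"verdict": "protected", "reason": f"X-Frame-Options {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        return {"verdict": "weak", "reason": "ALLOW-FROM is obsolete and ignored by current browsers"}
    return {"verdict": "unprotected", "reason": "no X-Frame-Options or CSP frame-ancestors header"}


# Constructed sample responses (header dicts only; bodies are irrelevant here).
SAMPLE_RESPONSES = {
    "bank-login": {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
    "intranet-portal": {"content-security-policy":
                        "default-src 'self'; frame-ancestors 'self' https://sso.example.com"},
    "legacy-app": {"X-Frame-Options": "ALLOW-FROM https://partner.example.com"},
    "marketing-site": {"Content-Type": "text/html"},
    "misconfigured": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:16} {framing_verdict(headers)}")
```
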

Clickjacking should not be overlooked. This vulnerability can be chained with other attacks, and then its impact is even higher. There is no such thing as a minor issue when it comes to your security on the web. Regardless of the size of your business or data, you must always be prepared and ready to implement a disaster recovery plan.


About the Author: Vlad de Ramos has been in the IT industry for more than 22 years with focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager. Vlad has set his focus on IT security awareness in the Philippines and he is a certified information security professional, a certified ethical hacker and forensics investigator and a certified information systems auditor.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.

Tips on Training Employees on the Dangers of Cyberthreats

Unfortunately, no amount of training for your employees will prevent cyberthreats. If that were the case, those of us in the cybersecurity industry would be without employment. However, training to reduce the risk of cybercriminal activity is essential to a company’s bottom line. Without training and security measures, we may as well leave the front door open at night with a sign stating, “Welcome all criminals.”

The total global impact of cybercriminal activity is expected to cost businesses over $2 trillion by 2019. This is larger than the cocaine, heroin, and marijuana trade combined.

Cybercriminal gangs are increasing by the thousands monthly, and why not? In comparison with other criminal activity (drugs, robbery, guns, etc.), cybercrime is much easier, more profitable, and less likely to land one in prison. While cybercriminal activity may be on the mind of our government here in the States, the argument can be made that it is not nearly as significant a priority as it should be, and it certainly is not of concern to the governments in the Far East. If you think the Russian government is overly concerned with locating small groups of hackers in basements ripping off Americans, you are mistaken.

We can place prevention products like a firewall and anti-virus on our network, as well as protection software like CryptoStopper.io, HackTraps and Carbon Black, but the first line of defense is training our staff.

Here are a few tips for educating employees about cybersecurity that are essential to business:
1. Create an environment open to discussion on cybersecurity.

In several workplaces, for whatever reason, many employees don’t feel comfortable with the IT staff and vice versa. This cannot be an issue. The staff must feel comfortable taking suspicious e-mails to IT, and IT departments must feel comfortable discussing recent threats with the staff. Do not have an environment of, “Sign this policy every year and be on your way.” Issues must be discussed. Never make anyone feel bad for bringing something they think is an issue to IT. Thank them for bringing a false alarm to your attention, or they may not bring a real one next time. Also, provide food. This always makes people happy.

2. Create a regular meeting to discuss various concerns on cybersecurity and make it worth employees’ time.

This may be met with groans at first, but if you make the content relevant, you will be surprised by how many people are genuinely interested in how to keep themselves and their friends and family at home safe from cybercriminals. Keep it simple at first. Discuss how to keep their social media accounts safe, improving passwords, and interesting stories of individuals getting hacked (yes, in cybersecurity you actually do run into some pretty crazy stories).

3. Educate the staff to recognize an attack.

Training is essential prior to being attacked. Assume an attack will happen; what is the first thing that needs to be done? Teach employees what a suspicious e-mail looks like. Provide examples. What should be done if a suspicious e-mail is received? This all needs to be covered in orientation for new hires and reviewed more than just once a year.

4. Send internal phishing campaigns.

A well-done phishing campaign can be 45% effective. Again, do not harass anyone who fails. I can promise you will have failures. Use this as a time to teach how to spot a fraudulent e-mail: are there any spelling errors? Does this not appear to be the way this sender speaks? Is this from UPS/FedEx when you are not expecting a package? Is the salutation vague and not personalized? All of these are signs of a phishing campaign. Teach them to spot these signs, to contact the sender (if known) before clicking on anything, or to contact IT to analyze the message.

5. Lastly, and probably most simply, make sure employees are changing passwords frequently.

I bet if you surveyed the office you would find many employees store passwords on a spreadsheet directly on their wall, or even worse in a spreadsheet on their desktop. I once encountered a situation where an employee had a spreadsheet on the shared file on the server. You may laugh, but did anyone let them know this was a giant no-no? Of course not. The key is, don’t assume your head accountant, top salesperson, or even your CEO knows as much as you do.


Zero-Day Warning! Ransomware targets Microsoft Office 365 Users

If you think that relying on the built-in security tools of Microsoft Office 365 alone can protect you from cyber attacks, you are wrong.

Variants of Cerber Ransomware are now targeting MS Office 365 email users with a massive zero-day attack that has the ability to bypass Office 365’s built-in security tools.

According to a report published by cloud security provider Avanan, the massive zero-day Cerber ransomware attack targeted Microsoft Office 365 users with spam or phishing emails carrying malicious file attachments.

The Cerber ransomware is invoked via Macros. Yes, it’s hard to believe, but even in 2016 a single MS Office document can compromise your system once ‘Macros’ are enabled.

The Locky and Dridex malware families also made use of malicious Macros to hijack systems. Over $22 million was pilfered from UK banks with the Dridex malware, which was triggered via a nasty macro virus.

You can see a screenshot of the malicious document in the latest malware campaign below, targeting Microsoft Office 365 users:


While the security firm did not specify the exact number of users possibly hit by the ransomware, Microsoft reported in its first-quarter 2016 results that there are almost 18.2 million Office 365 subscribers.

“While difficult to precisely measure how many users got infected,” Avanan estimated that “roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

Although Cerber originally emerged in March, the malware campaign targeting Office 365 users began on June 22. However, Microsoft started blocking the malicious file attachment on June 23.

The Cerber Ransomware not only encrypts user files and displays a ransom note, but also takes over the user’s audio system to read out its ransom note informing them that their files were encrypted.

The ransomware encrypts files with AES-256 encryption, asking victims to pay 1.24 Bitcoin (nearly US$810) for the decryption key.

How to Protect Yourself from Cerber Ransomware

To protect yourself from Cerber or any other ransomware attack:

  • Always keep your system and antivirus up to date.
  • Regularly back up your files to an external hard drive.
  • Disable Macros in your MS Office programs.
  • Always beware of phishing emails and spam, and do not click on malicious attachments.
  • You can also use an intrusion detection system (IDS) to help you quickly detect malware and other threats in your network.

Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It’s not at all surprising that the Google Play Store hosts a large number of malicious apps that lure users into falling victim to one, but this time it is even worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that’s slightly terrifying.

The malicious apps are distributed via different methods and variety of app stores, including Google Play Store, which is usually considered as a safe option for downloading apps.

The malicious apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that work on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

The Android ecosystem is so broken that around 90 percent of all Android devices are vulnerable to this malicious software. Godless apps have already been installed on more than 850,000 devices worldwide so far.

Rooting a device could expose a user to several security risks as it practically opens the door to unwanted access, hardware failure, data leaks and information theft, and so on if the developer has malicious intent.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as “android-rooting-tools” to gain root access to the victim’s device.

From there, the malware will make sure the victim’s screen is turned off before executing the malicious code.

Here’s what a Godless-Packed App can do to your Device:

Once Godless has gained root privileges, it starts communicating with a command and control (C&C) server, from which it gets a list of apps to be installed on the rooted device and installs them without the user’s knowledge; all of this can be done remotely as well.

“With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices,” Trend Micro says. “This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.”

The researchers say the malware has the ability to bypass security checks done by the Google Play Store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights, Wi-Fi apps, and popular game apps, that contain the malicious Godless code, Trend Micro had identified only one such Android app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it’s still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits in order to gain a persistent foothold on victims’ handsets. Based on the graphic, most victims are located in India, followed by Indonesia, and Thailand (9.47 percent). The US also has around 17,000 Godless downloads.

“Unknown developers with very little or no background information may be the source of these malicious apps,” Trend Micro notes.

So, in order to avoid being a victim to one such app, Android users are advised to avoid using third-party app stores and always “review the developer” when downloading apps even from Google’s official store.
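Because Godless installs apps from its C&C server silently and with root, those apps never went through the Play client. The following added example (not from the Trend Micro report) parses the output of `adb shell pm list packages -i` and lists packages whose recorded installer is not Google Play; the output format, the platform-prefix filter and the sample lines are constructed assumptions.

```python
"""Flag Android packages whose recorded installer is not the Play client."""
import re

PLAY_STORE = "com.android.vending"
# Platform packages are preloaded (installer=null) and are not flagged; this
# is a heuristic, since OEM preloads use other prefixes (assumption).
PLATFORM_PREFIXES = ("com.android.", "com.google.android.")
# One line of `pm list packages -i` output: "package:<name>  installer=<pkg|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text):
    """Return {package: installer} from `pm list packages -i` output; lines
    in any other shape are skipped."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("inst")
    return found


def suspicious_packages(installed, trusted=(PLAY_STORE,)):
    """Packages not installed by a trusted store: installer=null on a
    non-platform package (what a root-level `pm install` leaves behind) or
    any third-party installer. Returned sorted for stable review output."""
    flagged = []
    for pkg, inst in sorted(installed.items()):
        if inst in trusted:
            continue
        if inst == "null" and pkg.startswith(PLATFORM_PREFIXES):
            continue
        flagged.append(pkg)
    return flagged


# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.flashlight  installer=com.android.vending
package:com.unknown.dropped  installer=null
package:net.sideload.client  installer=net.sideload.store
"""

if __name__ == "__main__":
    for pkg in suspicious_packages(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("review:", pkg)
```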


Ransomware is Growing as Cyber Crime Pays Off

Ransomware is growing and transforming and cyber criminals are taking it to the bank!

Ransomware is growing into a huge business for cyber-criminals. This business venture has a very low cost to maintain, so criminals jump in and out of the business very easily.

An analysis of phishing email campaigns from the first three months of 2016 has seen a 6.3 million increase over the last quarter of 2015, due primarily to a ransomware upsurge. That is a staggering 789% jump.

PhishMe’s Q1 2016 Malware Review identified three key trends behind the growth of ransomware, trends previously recorded throughout 2015 that have come to full fruition in the last few months:

  1. Encryption Ransomware
  2. Soft Targeting by Functional Area
  3. Downloader/Ransomware: the one-two combination

“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber-criminal enterprises,” explains Rohyt Belani, CEO and Co-Founder of PhishMe.

Rohyt continues, “Another 2015 trend that emerged into fuller fruition during the first quarter of 2016 is threat actors’ use of soft targeting in phishing. In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a category of individuals based on their role within any organization anywhere in the world. Criminals target this subset with content relevant to their role. Such malicious emails are typically accompanied with Microsoft Office documents laden with malware or the ability to download the same.” During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails.

Whichever way the cyber-criminals succeed in infiltrating the organization, the impact on the victimized organization is significant: it needs to use up scarce incident response resources for cleaning up, manage a potential public relations nightmare, and in some cases even cave in to the hackers’ demand and pay the ransom.

The latest Infoblox DNS Threat Index for Q1 2016 reports a 3,500 percent increase in ransomware domain creation quarter on quarter from 2015. “The relative cost of infrastructure is so low that it completely makes sense from the criminal’s point of view,” says Rod Rasmussen, vice president of cyber security at Infoblox.

Another factor behind the fact that ransomware is growing is that people are paying the ransoms.  Don’t mistake this as an honorable act though. According to SecureWorks senior security researcher Keith Jarvis, more than four dozen distinct families of ransomware have emerged since the start of 2015 and “generally, 0.25% to 3.0% of victims elect to pay a ransom,” Jarvis explains, “meaning attackers need to destroy data on anywhere from 30 to 400 computers for every victim who relents and pays the ransom.”

Estimating the size of the ransomware industry, we find that the largest operations are pulling in several million dollars per year. That is hardly surprising when you consider that 93% of phishing emails delivered last quarter contained ransomware.

It’s an attractive threat sector for many reasons. Number one, persistent attacks can be avoided. “Ransomware that encrypts all the data and destroys local backups before asking for a lump sum payout,” Dave Venable, VP of cyber security at Masergy told SC, “lets hackers avoid the higher costs and labor of maintaining the infrastructure of persistent attacks.”

Ransomware is popular because the malware can be monetized anonymously and quickly. “Through the use of bitcoin payment systems,” explains Gunter Ollmann, CSO at Vectra Networks, “the criminal can force the victim to pay the ransom in a monetary unit that facilitates complete anonymity and can be trivially converted to cash.” Gone are the days of requiring different and specialist criminal hands to both launder the data and anonymously monetize it.

As Ilia Kolochenko, CEO of High-Tech Bridge, concludes, “Ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.”

5 cyber security mistakes that might make you vulnerable to hackers


Very few of us fall for the old Nigerian prince email scam these days, and even fewer will click on a pop-up ad inviting us to “win $1 million” by playing a simple game. We’ve come a long way in terms of learning the do’s and don’ts of cyber security, but that doesn’t mean our days of online vulnerability are completely behind us.

Over 6 million internet users were attacked by malware in 2015. As we become savvier to the tricks they’ve pulled in the past, hackers begin to up their game by catching us where we least expect it. Although we’d like to assume that all of those users who were attacked in 2015 were prime targets, or perhaps people who are a bit less tech savvy than the rest of us, the fact is that many of them were normal internet browsers like you and me who actually know a thing or two about online safety.

There are additional risks these days, and even some of the tech-savviest internet users create cyber security risks without knowing it. To help avoid online attacks, here is a list of some of the top cyber security mistakes internet users are making in 2016.

1. Storing passwords in a browser

According to a recent survey, 59 percent of millennials store passwords in their browsers on a regular basis. It may be convenient to easily access your most-used accounts without typing in a username and password each time, but it also puts you at serious risk for an online attack.

The first step in keeping your passwords safe is to create a strong password that uses numbers, symbols, and both capital and lower case letters. You’ll also want to use a different password for each site. Once you’ve got a solid password for each of your online accounts, avoid storing them in your browser! If you’re like me and tend to forget things easily, try using a secure password storage system or software such as KeePass, LastPass, Dashlane, 1Password, or RoboForm to keep track of your logins.

2. Purchasing locked devices

Prices for phones, laptops, and tablets can be high these days. The good news is that the market for selling used electronics online is getting bigger and more easily accessible. The bad news is that scammers have begun to use this second-hand marketplace as a means for duping consumers into paying more for devices that they’ve already paid for.

If you’re looking into purchasing a used device online, make sure that it is unlocked. The process for checking this differs between iOS and Android devices.

For iOS devices, you’ll also need to ensure that the former user’s iCloud account is taken off of your device. If it’s not, you’ll need to take the necessary steps to remove their account from your device before they have a chance to lock the phone.

3. Connecting to unencrypted Wi-Fi networks

The ability to hop onto free Wi-Fi at your local coffee shop or the university library sure does make working on projects or simply browsing much easier on the go. The problem is, hackers are starting to take advantage of society’s reliance upon public Wi-Fi connections.

Do your best to avoid Wi-Fi connections that don’t have password protection when you’re out and about. Checking for the password of the official Wi-Fi at your location of choice will also help you avoid logging into a network set up by hackers looking to view your online activity.

To be extra secure on public Wi-Fi, stick to HTTPS sites while you’re browsing and look into using a virtual private network. It’s also best to avoid installing new software while using a public Wi-Fi network.

4. Ignoring security software updates

We’re all guilty of clicking out of software update notifications when they pop up on our screens. Although taking a few minutes to update your device’s security software may seem like a burden in the middle of a big project, it will be worth your while when it prevents an online attacker from installing malware on your device.

Be sure to install security software updates each time you receive a notification. If you’re connected to a public Wi-Fi network or really don’t have the time to do it when the notification pops up, set a reminder to install the new software later. The longer your device runs without up-to-speed security software, the more vulnerable you become to cyber security breaches.

5. Clicking on links in emails

Most of us receive emails from banks, utility companies, and other organizations with links to view account activity online. Although these are typically from a trusted source, you can never be too sure. A well-written email from a seemingly credible source could send you a link that installs malware on your device when clicked.

Next time you receive a link in an email, leave your email account and look for the actual site in your browser to avoid clicking on a malicious link. For example, even if the link goes to your bank of choice, it’s best to leave your account and log in through a trusted portal.
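The advice above can be turned into a check: a link whose visible text names one site while its real target points somewhere else is a classic sign of a phishing email. The following added example (not part of the original post) parses the anchors in an HTML message and flags links whose displayed domain differs from the href’s domain or which use plain http; the sample message and the two-label domain heuristic are constructed assumptions.

```python
"""Flag links in an HTML e-mail whose visible text points elsewhere than
the real target."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain-looking token in the visible link text, with an optional scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None:
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable domain: the last two labels (assumption, fine for
    .com/.org; multi-label suffixes such as .co.uk need a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html):
    """Return (href, text) pairs where the text names a domain that differs
    from the href's domain, or where the href is not https."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlparse(href)
        shown = DOMAIN_RE.search(text)
        shown_host = shown.group(1) if shown else None
        if target.scheme != "https" or (
                shown_host and base_domain(shown_host) != base_domain(target.hostname or "")):
            flagged.append((href, text))
    return flagged


# Constructed sample message: one lookalike link, one honest link, one plain-http link.
SAMPLE_EMAIL = """<p>Dear customer, please review your account:</p>
<a href="https://login.example-bank.com.attacker.example/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
<a href="http://198.51.100.7/update">www.example-bank.com</a>"""
```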

Have you been making any of these common cyber security errors? If so, it’s about time to take action and implement the provided tips to protect yourself from online attacks.

Share your experiences in the comment section.