Tag Archives: Ransomware

Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA

PETYA RANSOMWARE

The latest sweeping ransomware assault bares some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for  remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the ShadowBrokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

First place to start make sure your systems have the latest patches and updates !!!

People are talking about hackers ‘ransoming’ Apple — here’s what’s actually going on

If you don’t want to be hacked, don’t use the same password across different services.

And if you’re an Apple user, it’s a good idea to check your Apple ID and iCloud account today to make sure it’s using a unique and long password.

On Wednesday, a hacking group calling itself the Turkish Crime Family told Business Insider that it had about 600 million iCloud passwords it would use to reset users’ accounts on April 7.

Apple told Business Insider in a statement that if the hackers had passwords, they did not come from a breach of Apple systems:

“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

“We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”

It is still possible that the group has some users’ passwords. Information from several large breaches, including those of Yahoo and LinkedIn, have spread across the internet in recent years. If an Apple user has the same password and email for, say, LinkedIn and iCloud, there’s a good chance that iCloud password is already publicly available.

Here’s what you can do to protect yourself:

Turn on two-factor authentication. That means when you log in to your iCloud account you’ll be asked to send a six-digit code to your phone. It’s annoying, but it’s the best way to ensure that your account remains your own.

Don’t use the same password for multiple services. If one of your accounts is hacked or breached, hackers can essentially access all your accounts that used the same password. Make sure to use a different password for your Apple ID and your email account — here’s how to change your Apple ID password and how to check if your password may already be public.

Make sure your password is long, random, and unique. Don’t use your name, birthday, or other common words.

  • Why this matters now

    Over the past few days, the Turkish Crime Family has contacted media outlets saying it has 200 million, 250 million, 519 million, or as many as 750 million Apple ID account credentials culled from breaches of other services.

    The hacking group also said it had been in contact with Apple and was demanding $75,000 in cryptocurrency like bitcoin or $100,000 in Apple gift cards.

    If Apple did nothing, it would “face really serious server issues and customer complaints” in an attack on April 7, a member of the hacking group told Business Insider in an email. They said they were carrying out the attack in support of the Yahoo hacking suspect.

    A report from Motherboard said the group had shown the outlet an email from one of the hackers to an Apple product-security specialist that discussed the ransom demands. That email is fake, a person with knowledge of Apple’s security operations told Business Insider.

    Apple is in contact with law enforcement about the ransom demand, the person said. Apple is unsure if the group’s claims are true, but people at the company say they doubt they are.

    There are other reasons to doubt the hackers’ claims, such as their thirst for publicity and their fluid story.

    But even if the hackers are telling the truth, Apple users can protect themselves by making sure their Apple ID password is unique and hasn’t been revealed in a previous breach.

    “A breach means nothing in 2017 when you can just pull the exact same user information in smaller scales through companies that aren’t as secure,” the group purportedly said in a post on Pastebin in response to Apple’s statement.

    Best thing to do to insure this does not happen to you is “Change Your Passwords”

 

Cyber Ransom vs. Ransomware

By now, we have all heard about ransomware as it has taken over the cybersecurity scene over the last couple of years. However, we want to make sure that everyone is clear about the difference between cyber ransom and ransomware, as there is a very clear distinction. Cyber ransom and ransomware attacks have been the most popular forms of cyberattacks as of late.

Cyber Ransom

The most common form of cyber ransom is through a distributed denial of service (DDoS) attack. In a DDoS attack, hackers flood a business’ site with data requests, overwhelming the site’s legitimate functions. The flooding eventually forces that website to shut down. As far as the ransom is concerned, cybercriminals will threaten to launch an attack on an organization’s site unless the organization pays a ransom fee of a certain Bitcoin amount.

Another form of cyber ransom is through corporate extortion which is becoming more and more popular. This type of attack can be carried out in several ways. One approach, which Domino’s in Europe was hit with, is where a cybercriminal sends out a ransom letter threatening businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, or fraudulent delivery orders.

Another variation of corporate extortion is where cybercriminals perform a data breach, where they gain access to a company’s network and gather sensitive data. The data collected is usually information on their clients such as credit cards, social security numbers, email addresses, and login credentials. While this seems like data breaches that we have heard about recently (Yahoo, Adult Friend Finder, and several social media sites), cybercriminals who are involved in corporate extortion are in it for the money. Once cybercriminals have performed the data breach, they will threaten to publicly release the information unless the company pays a set ransom fee.

Ransomware

Ransomware is the most common form of cyberattack seen today. In a ransomware attack, the cybercriminal will infect a machine with malware that encrypts all or some files on a user’s computer. Once the encryption process has completed, a ransom note will appear on the victim’s screen demanding payment in order to receive the decryption key. Payment for the decryption key is usually made in Bitcoins, which are extremely hard to trace back to the hacker. Ransomware is most commonly distributed through phishing campaigns where cybercriminals will send emails embedded with malware. Once the user on the receiving end clicks on a link or opens up an attached file, the malware will begin to download, and the encryption process will begin.

Cyber Ransom and Ransomware Connected

  • Cyber Ransom – Cybercriminals threaten to launch a DDoS attack on an organization’s site unless the organization pays a ransom fee.
  • Ransomware – Cybercriminals infect machines with malware that encrypts all or some files, then demand a ransom fee to receive the decryption key.

 

When put in these terms, cyber ransom and ransomware seem like they wouldn’t be connected at all. However, cybercriminals are becoming more and more sophisticated with their attacks every single day. So, here’s the kicker. Cybercriminals are starting to use the threat of DDoS as ‘smokescreens’ for more wicked attacks, such as ransomware. The hackers will use DDoS attacks to distract the IT department, so they are able to slip under the radar without being detected. While the DDoS attack or the threat of one will only distract IT individuals for a short time, that’s all the time hackers need. While the IT staff scramble to handle the momentary network outages, hackers can use automated scanning or penetration techniques to map a network and install ransomware.
To stop these types of attacks, look at some of the new technologies that continuously monitors your network traffic.

New Phishing Campaign Targeting Gmail Users

A new phishing campaign has been discovered this week that targets even the most tech-savvy Gmail users. By posing as someone you may know, cybercriminals are gathering personally identifiable information that could be leveraged against the individual or against your company. Learn how the newest phishing campaign works and how you can keep yourself and your company safe from becoming the next victim.

What is Phishing?

Phishing is nothing new to the cybersecurity world. However, it is often mistaken for being general spam emails which is how many forms of ransomware are distributed. Take the newest form of ransomware, Spora, as an example. Spora is distributed through spam emails disguised as invoices for charges that victims didn’t make. These emails are coming from an individual or organization that is unknown to the potential victim.

What’s different about phishing is that the emails are coming from a known contact whose account has been compromised. Or, the emails are coming from someone who you think you know, but the email address has been changed by a letter or two. For example, JohnSmith@gmail.com compared to JohnSmith@gmails.com. Notice the ‘S’ at the end of Gmail on the second example.

Phishing campaigns can certainly be used to distribute ransomware. However, it would take the cybercriminal much more time to distribute the emails as they are more sophisticated attacks. The targets of phishing campaigns using ransomware would be high-profile targets where a large ransom can be demanded.

Most phishing emails contain an attachment or link set up to trick the user into divulging personally identifiable information such as financial information, login credentials, or credit card details.

Gmail Phishing Campaign

As mentioned before, the new Gmail phishing attack can trick even the most tech-savvy users. The attack works like this:

  • Hackers breach someone’s Gmail account and look through emails for correspondence containing attachments.
  • They then send emails from the compromised account, with each email leveraging similarities to prior communications, so as to make the new messages seem legitimate and familiar. Hackers will even use subject lines that were used in the past.
  • Here’s where the hack takes place. The email is embedded with an image of an attachment that has been used in the past. Rather than opening the attachment, clicking on the image will lead the user to a phishing page that looks like a Google login. Because the user is opening a Gmail attachment, the presentation of a phony Gmail login page does not sound any alarms.
  • Once the new victim enters their credentials into the phony Google login page, the hackers now have access to the victim’s account.

It’s believed that this phishing campaign has been going on for about a year with increasing intensity. How are these hackers using this campaign against their victims? Take a moment to think about all the ways your email account is used for everyday purposes. The first thing that comes to my mind is my banking sites. We have all forgotten a username or password before, right? How do you recover or reset your credentials? Enter your email address, and they will send you a temporary password or a code to reset your credentials. All a hacker has to do is search through your emails, find what banks you use, and go to those sites to request a reset to these credentials. In as little as five minutes, these cybercriminals have access to all of your personally identifiable information.

How can you stay safe?

Below are some tips, rather, necessities you need to implement into your everyday life to stay safe from phishing campaigns.

  • First, for the Gmail campaign, using two-factor authentication (2FA) can protect your Gmail account from being compromised. While this may be a pain to login to your account every time, it could save you from becoming a victim. 2FA basically means that you will need to use your password as well as a temporary code sent via text message to log in to your Gmail account. If hackers have access to your password but not the temporary code, they won’t be able to login to your account.
  • Always think twice before entering login credentials. For the Gmail campaign, why would you have to enter your login credentials again if you were already on the site? Second, do not log into sites via login pages generated by clicking links. Always go directly to the site through entering the URL into the Web browser.
  • Never enter passwords or other sensitive information into any Website with a data:text Furthermore, do not rely on warnings by Web browsers. The red warning used on insecure Websites, the certificate warnings used for invalid certificates, and the ‘unsafe site’ messages often do not appear for data:text URLs.
Be Prepared

Phishing campaigns can be used for ransomware attacks and gathering personally identifiable information on victims. However, they can also be the ‘in’ for hackers to gain access to a company’s servers and databases. Did you know? The average cost of a data breach in 2016 was $4 million, up from $3.8 million in 2015. How would a $4 million data breach affect your company? Would you be able to survive? Employees are and probably always will be the weakest link in the cybersecurity chain. Make sure your employees are educated not only on the persistent threats of cyberattacks and how to stay safe but the effect a cyberattack could have on your company. Unfortunately, this could be one of the biggest factors for continued success for your company.

Android Banking Trojans Now Include Ransomware

The newest generation of banking Trojans is now equipped with ransomware, creating a hybrid malware. The primary function of banking Trojans is still to collect login credentials for banking portals and instant messaging applications. However, with the addition of ransomware, cybercriminals are increasing the odds that they collect on every device that has been infected.

Mobile Banking Trojans

If you own a smartphone, it’s very likely you also have a bank card. Since banks use mobile phone numbers for authorization, it makes sense for cybercriminals to penetrate this channel of communication to execute payments and transfers from your account. Banking Trojans are the most prominent mobile threat, constituting over 95% of mobile malware. Over 98% of mobile banking Trojan attacks target Android devices, which should also come as no surprise, as Android is the most popular platform for mobile devices.

How do cybercriminals infiltrate Android devices with banking Trojans? Trojans are less dangerous than viruses because they require action on the user’s end, however, through social engineering, cybercriminals lure users into performing such actions. Trojans can mimic applications and prompt the user to run an important update or activate a bonus level for your favorite game. Exploits are also able to run the malware automatically, once the user accidently executes the malicious file. Once the malware is installed, there are three major methods that banking Trojans employ:

  • Hiding Text Messages: Malware on phones hides incoming SMS from banks and then sends them to cybercriminals who then proceed to transfer money to their accounts.
  • Small Cash Movements: Cybercriminals will occasionally transfer relevantly small amounts of money to fraudulent accounts from an infected user’s account, hoping it won’t be noticed so that they can continue to do so.
  • App Mirroring: Malware mimics a bank’s mobile application and gathers login credentials on the infected device. Once the credentials are gathered, cybercriminals are able to perform the two actions above.
Banking Trojans with Ransomware

Not all users who have been infected with an Android banking Trojan use banking applications, which is where the ransomware features come into play. The ransomware essentially acts as a backup plan for cybercriminals to increase their chances of extracting some form of payment from their victims.

Android.SmsSpy, Fanta SDK, and Svpeng are the first banking trojans to add ransomware-like features to their malware; locking user’s screen with a random PIN. This feature is to keep users busy while cybercriminals initiate fraudulent transactions. While the user is trying to figure out how to unlock their phone, hackers hope the victim will be too busy to see the text or email alerts they receive for large or fraudulent transactions that take place on their bank account. This gives cybercriminals hours, or even days, to transfer the stolen money to different bank accounts and withdraw the money from ATMs. By the time it’s discovered, police will be unable to identify the criminals as the money has likely been transferred through several fake bank accounts before being cashed out.

Faketoken and Tordow 2.0

Faketoken and Tordow 2.0 are the first to fully implement ransomware into their banking Trojans. Faketoken’s primary function is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. Creators of Faketoken have now added the capability to encrypt user files stored on the phone’s SD card. Once the relevant command is received, the Trojan compiles a list of files located on the device and encrypts them.

Tordow 2.0 can make phone calls, control text messages, download and install programs, steal login credentials, access contacts, visit web pages, manipulate banking data, remove security software, reboot devices, rename files, encrypt files, and act as ransomware. To date, Tordow 2.0 has infected 16,000 devices in 27 countries with most of them located in Russia, Ukraine, Germany, and Thailand.

Once infected with the ransomware feature, victims will see something similar to the image below appear on their screens.

With the fully integrated ransomware feature, cybercriminals are targeting the least technical savvy users possible. If you think about it, encrypting files on a mobile device is essentially pointless. The point of ransomware is to encrypt files on a device and demand a ransom to get the decryption key. However, many files stored on mobile devices are backed up by cloud services. Therefore, users who have been infected could easily wipe their phone clean and download all their files from the cloud service they use. If they haven’t backed up for awhile, data may be lost, but it typically wouldn’t be anything of great value.

Outlook

It’s still very early in the development stages of banking Trojans being paired with ransomware. Thus, the encryption of files is likely to have the same purpose of locking users’ screens which is to give cybercriminals time to perform fraudulent transfers before users can figure out how to restore their mobile phones.

We recommend that Android users only install applications from the official Google Play store and should make sure that their phones don’t allow the installation of applications from unknown sources. Lastly, it’s a good idea to read user reviews and only download highly rated applications.

GoldenEye Ransomware – A New Variant of Petya Ransomware

The creators of Petya ransomware, going by the name of Janus, have come out with a new variant tabbed as GoldenEye ransomware. Continuing with the James Bond theme, the GoldenEye ransomware is almost identical to past versions of Petya and Mischa variants.

Petya Ransomware History
The Petya ransomware emerged on the cybersecurity scene back in March 2016.   Typically, when a user becomes infected with ransomware, the malware targets and encrypts files on the victim’s hard drives. By doing this, the malware leaves the operating system working properly. However, Petya takes it to the next level. Instead of encrypting files on the hard drive, the ransomware encrypts portions of the hard drive itself, making the user unable to access anything on the drive, including Windows.

The ransomware is distributed via emails that target human resource departments. The emails contain a Dropbox link to supposed applications that download a file and when executed, install the Petya ransomware on the system.

In May, two months after the release of Petya, the ransomware bundled a second file-encrypting program for cases where it cannot replace a computer’s master boot record to encrypt its file table. Before encrypting the computer’s master file table (MFT), the ransomware replaces the computer’s master boot record (MBR), which contains a code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves the computer unable to boot.

However, in order to overwrite the MBR and the computer it infected, the malware needs to obtain administrator privileges. In previous versions of Petya, if it failed to obtain administrator privileges, the infection routine stopped. The latest variant, dubbed Mischa, installs another ransomware program that begins to encrypt users’ files directly, which doesn’t require administrator privileges.

In summary, Petya starts off by distributing the ransomware through an email posing as a job application. Once executed, the fake file attempts to download Petya, and if that fails, it installs Mischa. This dynamic duo ensures that the cybercriminals will encrypt your hard drive, leaving you unable to use your system until you have paid the ransom.

GoldenEye Ransomware
Like the earlier version of Petya, the GoldenEye ransomware is distributed via emails. Posing as job applications, the emails include two file attachments that are supposedly resumes and have a subject starting with the word Bewerbung. As you can see in the email below, GoldenEye is targeting German users.

One of the attachments is a fake resume that is used to convince members of the human resource department that the email is legitimate. The second attachment is an Excel spreadsheet, which is the installer for the GoldenEye ransomware that contains a malicious macro. In the spam emails that have been circulating over the past couple of days, the following Excel names have been observed to be spreading GoldenEye.

  • Wiebold-Brewerbung.xls
  • Meinel-Brewerbung.xls
  • Seidel-Brewerbung.xls
  • Wust-Brewerbung.xls
  • Born-Brewerbung.xls
  • Schlosser-Brewerbung.xls

When a user clicks on the ‘Enable Content’ button, the macro will launch and save the embedded file into an executable file in the temp folder. Once the file has finished being created, the malware will automatically launch, beginning the encryption process on the computer.

Here is where GoldenEye differs from the earlier combination of the Petya/Mischa version. Instead of running Petya first and trying to gain administrative privileges to overwrite the MBR and then running Mischa to encrypt files, GoldenEye does the opposite.

Starting just like any other ransomware, GoldenEye encrypts the user’s files and appends a random 8-character extension. This is the Mischa part of the ransomware. Shortly after displaying the ransom note, GoldenEye enters the Petya part of the encryption process. The ransomware forcibly reboots the user’s computer and enters the stage where it starts encrypting the user’s hard drive MFT which makes it impossible to access any files on the hard drive. This process is masked by a fake ‘check disk (chkdsk)’ screen as seen below.

Once this process ends, you will see a new ransom screen, using yellow-colored text hence the name ‘GoldenEye.’ The GoldenEye ransom note is shown below.

The GoldenEye ransomware has seen incredible numbers compared to the Locky ransomware, which has been one of the most successful ransomware to-date. Last Wednesday, (December 7, 2016) GoldenEye infected 160 users in Germany alone while Locky’s best day over the last month infected 375 users across 30 countries. The ransom for the encryption key is currently set at 1.33 bitcoins which equates to roughly $1,000.

Ransomware Is Now Officially Extortion Under California Law

Extortion

Of course everyone knows that hacking into a computer is a federal crime, and infecting a system with ransomware already falls into that bucket. However, California’s SB-1137signed into law last Tuesday by Governor Jerry Brown, is the first one that specifically expands extortion laws to include ransomware.

The bill’s support in the California Senate was helped by testimony from Hollywood Presbyterian Medical Center, where operations were largely shut down by a ransomware infection. The attackers sent the decryption code after the hospital paid $17,000 in Bitcoin.

It is very easy to hide your tracks as a ransomware criminal. Very few people have been arrested for ransomware attacks in the continental U.S. From our perspective, the California bill is more of an “awareness” thing than anything else. Some hackers decided to have some fun with it and soon after the California Senate passed it, its site was hit with ransomware and in a separate attack, Sen. Bob Hertzberg who introduced the bill, saw his office also hit.

Though it’s existed for at least 10 years, ransomware has skyrocketed since September 2013 with CryptoLocker. Europol declared Wednesday it’s the internet’s “most prominent malware threat.” The FBI has issued multiple warnings to American businesses. Prevention requires a multi-layered approach.

Here Are 8 Things To Do About It (apart from having weapons-grade backup)
  1. From here on out with any ransomware infection, wipe the machine and re-image from bare metal.
  2. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly.
  3. Make sure your endpoints are patched religiously, OS and 3rd Party Apps.
  4. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers.
  5. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA).
  6. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud.
  7. Check your firewall configuration and make sure no criminal network traffic is allowed out.
  8. Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email.

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.

 

Could Criminals Make A Billion Dollars With Ransomware?

Cybercrime_UnicornCould Criminals Make A Billion Dollars With Ransomware?

Bitcoin has not only changed the economics of cybercrime by providing crooks with an encrypted, nearly anonymous payment system autonomous from any central bank. It’s also changed researchers’ ability to track how much money criminals are making.

“Bitcoin is based on Blockchain, and Blockchain is a public ledger of transactions. So all Bitcoin transactions are public,”  “Now, you don’t know who is who. But we can see money moving around, and we can see the amounts.”

Every victim of Ransomware — malware that encrypts files and demands a payment for their release — is given a unique wallet to transfer money into. Once paid, some ransomware gangs move the bitcoins to a central wallet.

“We’ve been monitoring some of those wallets,” Mikko says. “And we see Bitcoins worth millions and millions. We see a lot of money.”

Watching crooks rake in so much money, tax-free, got him thinking: “I began to wonder if there are in fact cybercrime unicorns.”

A cybercrime unicorn?
CyberCrimeUnicorn_Bitcoin

(View this as a PDF)

A tech unicorn is a privately held tech company valued at more than a billion dollars. Think Uber, AirBNB or Spotify — only without the investors, the overhead and oversight. (Though the scam is so profitable that some gangs actually have customer service operations that could rival a small startup.)

“Can we use this comparison model to cybercrime gangs?” Mikko asks. “We probably can’t.”

It’s simply too hard to cash out.

Investors in Uber have people literally begging to buy their stakes in the company. Ransomware gangs, however, have to continually imagine ways to turn their Bitcoin into currency.

“They buy prepaid cards and then they sell these cards on Ebay and Craigslist.” “A lot of those gangs also use online casinos to launder the money.”

But even that’s not so easy, even if the goal is to sit down at a online table and attempt to lose all your money to another member of your gang.

“If you lose large amounts of money you will get banned. So the gangs started using bots that played realistically and still lose – but not as obviously.”

Law enforcement is well aware of extremely alluring economics of this threat. In 2015, the FBI’s Internet Crime Complaint Center received “2,453 complaints identified as Ransomware with losses of over $1.6 million.”

In 2016, hardly has a month gone by without a high-profile case like Hollywood Presbyterian Medical Center paying 40 Bitcoin, about $17,000 USD at the time, to recover its files.  And these are just the cases we’re hearing about.

The scam is so effective that it seemed that the FBI was recommending that victims actually pay the ransom. But it turned out their answer was actually more nuanced.

“The official answer is the FBI does not advise on whether or not people should pay,” “But if victims haven’t taken precautions… then paying is the only remaining alternative to recover files.”

What sort of precautions? The answer is obvious.

“Backups. If you get hit you restore yesterday’s backup and carry on working. It could be more cumbersome if it’s not just one workstation, if your whole network gets hit. But of course you should always have good, up to date, offline backups. And ‘offline’ is the key!”

What’s also obvious is that too few people are prepared when Ransomware hits.

Barring any disruptions to the Bitcoin market, this threat will likely persist, with even more targeted efforts designed to elicit even greater sums.

If you end up in an unfortunate situation when your files are held hostage, remember that you’re dealing with someone who thinks of cybercrime as a business.

So you can always try to negotiate !!!  What else do you have to lose?

 

HIPAA/HITECH Compliance – What Is the HITECH Act?

hitech

Not sure what the HITECH Act is all about? If you’re new to HIPAA compliance and related concerns, here’s a quick overview.

Summary of HITECH Act

HITECH stands for the Health Information Technology for Economic and Clinical Health. The HITECH Act was created in 2009 to encourage the adoption and “meaningful use” of electronic health records (EHR) and supporting technology in the U.S. This act was part of the American Recovery and Reinvestment Act (ARRA) economic stimulus bill. The HITECH Act initially offered financial incentives to providers who demonstrated “meaningful use” of EHRs. Later stages of the implementation of the act included penalties for providers who did not meet these requirements.

The HITECH Act also modified HIPAA. One of the ways it did so was by requiring covered entities to notify individuals whose protected health information (PHI) has been compromised. Additionally, it increased the fines that could be applied for noncompliance (up to $1,500,000); it authorized state Attorney Generals to bring actions to enforce violations of HIPAA; and it expanded portions of HIPAA to apply to business associates of covered entities and required the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to audit both covered entities and their business associates.

Present and Future of HITECH Act

Many features affected by the HITECH Act are currently under debate, including changes to the definition of “meaningful use” of EHRs, cybersecurity issues, and interoperability issues.

As of April of this year, proposed new federal regulations may bring an end to the electronic health records “meaningful use” incentive program portion of the HITECH Act. This portion would be replaced with a simplified program. Concerns raised about these proposed changes state that they fail to address threats to cyber security from hackers and ransomware, a topic of real concern as healthcare providers have been under increased attack this year.

The proposed changes would also affect payment mechanisms for physicians, attempt to fight both information blocking, and would replace the current “meaningful use” program with the “advancing care information” category. As the HHS explains, this category would focus on interoperability and information exchange, and in contrast to the existing program, would not require and all-or-nothing approach to measuring the quality of EHR use. (For more on the proposed changes, see Healthcare Info Security’s in-depth article on the impact on security of Medicare’s new physician payment plan.)

Check out some of the technology that is coming your way for HEALTH:

The medical community really needs to pay attention to the new HIPAA/HITECH compliance rules.  This new rule is really going to affect the smaller healthcare groups that do use compliance today.

 

Ransomware Incidents at Health Organizations are now Classified as a Data Breach

Healthcare_Breach

According to new guidelines issued by the United States Department of Health and Human Services (HHS), ransomware incidents in HIPAA regulated organizations are now classified as a data breach. HIPAA is the Health Insurance Portability and Accountability Act, that must be followed by any health care provider who transmits health information in electronic form. In America, with the use of electronic medical records, this means just about every health care provider.

To most security professionals, this is an unusual approach, as a data breach has previously indicated the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”

Although there have been rumors of ransomware that steals data, there is still no proof of any such ransomware in the wild.

The HHS has codified a breach as the following:

“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”

In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.)

In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health information has been compromised,” however, the 4-step risk assessment is geared more towards a general malware outbreak, rather than a ransomware event.

Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hope for some bites on their phishing lures.

Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data.

The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers.

Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected.

Of course, the best protections against ransomware remain the same:

  • A layered defense;
  • Good backups that are stored offline and regularly tested;
  • Security awareness training for all staff;
  • Access controls;
  • Vulnerability assessments and penetration testing (including hunt team exercises);
  • Maintaining a patch management strategy.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor.