Tag Archives: Ransomware

Ransomware Incidents at Health Organizations are now Classified as a Data Breach

Healthcare_Breach

According to new guidelines issued by the United States Department of Health and Human Services (HHS), ransomware incidents in HIPAA regulated organizations are now classified as a data breach. HIPAA is the Health Insurance Portability and Accountability Act, that must be followed by any health care provider who transmits health information in electronic form. In America, with the use of electronic medical records, this means just about every health care provider.

To most security professionals, this is an unusual approach, as a data breach has previously indicated the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”

Although there have been rumors of ransomware that steals data, there is still no proof of any such ransomware in the wild.

The HHS has codified a breach as the following:

“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”

In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.)

In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health information has been compromised,” however, the 4-step risk assessment is geared more towards a general malware outbreak, rather than a ransomware event.

Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hope for some bites on their phishing lures.

Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data.

The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers.

Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected.

Of course, the best protections against ransomware remain the same:

  • A layered defense;
  • Good backups that are stored offline and regularly tested;
  • Security awareness training for all staff;
  • Access controls;
  • Vulnerability assessments and penetration testing (including hunt team exercises);
  • Maintaining a patch management strategy.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor.

Mobile ransomware use skyrockets, blocking access to phones

mobile_phones-100576186-primary_idge
Kaspersky Lab has detected almost four times as many attacks on its Android customers compared to last year

The number of users infected with mobile ransomware is skyrocketing, as hackers try to expand the number of potential victims they can target.

Compared with a year ago, almost four times as many users are being attacked by mobile ransomware, security firm Kaspersky Lab said on Wednesday.

It’s a troubling trend. Ransomware has typically targeted PCs by encrypting all the information that is inside the targeted machines, and then holding the data hostage in exchange for money.

The threat is that users who fail to pay ransom will see all the data erased. Hospitals, schools and police departments have all been major victims. But increasingly, hackers have begun focusing on smartphones.

Kaspersky looked at its own Android customers and noticed the spike. Between April 2015 and March this year,136,532 of its users encountered a mobile version of ransomware. That’s up from 35,413 in the year earlier period.

Kaspersky customers in Germany, Canada, the U.K. and the U.S., in that order, were the top four countries affected by mobile ransomware.

The largest mobile ransomware family detected is called Fusob, Kaspersky said.  It was responsible for 56 percent of the attacks during the year and targets Android users.

Victims are unwittingly downloading it when visiting porn sites. Fusob masquerades as a multimedia player, called xxxPlayer, that’s been designed to watch the porn videos.

Once downloaded, Fusob can block all user access to a device. Victims are told to  pay between $100 and $200 in iTunes gift cards to deactivate the block.

Most of the victims have been located in Germany. The ransomware ignores devices that use Russian and several Eastern European languages.

Kaspersky noted that much of mobile ransomware detected actually doesn’t encrypt any information on the infected device. Smartphone owners usually back up all their data to a cloud service anyway, so there’s no point to try and encrypt it, the security firm said. Instead, the ransomware blocks user access to apps on the phone. Often, victims of mobile ransomware will see a ransom note on their device’s screen with instructions on how to pay the ransom, and will not be able to use the phone otherwise until they do so.

Hackers are increasingly using mobile malware in order to expand the number of potential targets outside of PCs, according to security firms.

“In the end, they’re going to follow the money, and find what’s most effective,” said Christopher Budd, the communications manager with Trend Micro. He expects ransomware to continue to evolve and possibly target more Android-based devices, including smart TVs in the future.

To avoid ransomware, Kaspersky advises that users regularly update their software and back up all crucial files. Users should also be wary of downloading anything from untrusted sources and look into buying strong security software.

Zero-Day Warning! Ransomware targets Microsoft Office 365 Users

microsoft-office-zero-day-exploit
If just relying on the security tools of Microsoft Office 365 can protect you from cyber attacks, you are wrong.

Variants of Cerber Ransomware are now targeting MS Office 365 email users with a massive zero-day attack that has the ability to bypass Office 365’s built-in security tools.

According to a report published by cloud security provider Avanan, the massive zero-day Cerber ransomware attack targeted Microsoft Office 365 users with spam or phishing emails carrying malicious file attachments.

The Cerber ransomware is invoked via Macros. Yes, it’s hard to believe but even in 2016, a single MS Office document could compromise your system by enabling ‘Macros‘.

Locky and Dridex ransomware malware also made use of the malicious Macros to hijack systems. Over $22 Million were pilfered from the UK banks with the Dridex Malware that got triggered via a nasty macro virus.

You can see a screenshot of the malicious document in the latest malware campaign below, targeting Microsoft Office 365 users:

 microsoft-office-exploit

While the security firm did not specify the exact number of users possibly hit by the ransomware, Microsoft reported in its first quarter 2016 that there are almost 18.2 Million Office 365 subscribers.

“While difficult to precisely measure how many users got infected,” Avanan estimated that “roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

Although Cerber originally emerged in March, the malware campaign targeting Office 365 users began on June 22. However, Microsoft started blocking the malicious file attachment on June 23.

The Cerber Ransomware not only encrypts user files and displays a ransom note, but also takes over the user’s audio system to read out its ransom note informing them that their files were encrypted.

The ransomware encrypts files with AES-256 encryption, asking victims to pay 1.24 Bitcoin (nearly US$810) for the decryption key.

How to Protect Yourself from Cerber Ransomware

In order to prevent yourself from the Cerber or any ransomware attack:

  • Always keep your system and antivirus up-to-date.
  • Regularly backup your files in an external hard-drive.
  • Disable Macros in your MS Office programs.
  • Always beware of phishing emails, spams, and clicking the malicious attachment.
  • You can also use an Intrusion detection system (IDS), to help you quickly detect malware and other threats in your network.

Ransomware is Growing as Cyber Crime Pays Off

Ransomware
Ransomware is growing and transforming and cyber criminals are taking it to the bank!

Ransomware is growing into a huge business for cyber-criminals. This is business venture has a very low cost to maintain so criminals jump in and out of the business very easily.

An analysis of phishing email campaigns from the first three months of 2016 has seen a 6.3 million increase, due primarily to a ransomware upsurge against the last quarter of 2015. That is a staggering 789% jump.

Published on PhishMe’s Q1 2016 Malware Review identified ransomware is growing by three key trends previously recorded throughout 2015, but have come to full fruition in the last few months:

  1. Encryption Ransomware
  2. Soft Targeting by Functional Area
  3. Downloader/Ransomware: the one-two combination

“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber-criminal enterprises,” explains Rohyt Belani, CEO and Co-Founder of PhishMe.

Rohyt continues, “Another 2015 trend that emerged into fuller fruition during the first quarter of 2016 is threat actors’ use of soft targeting in phishing. In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a category of individuals based on their role within any organization anywhere in the world. Criminals target this subset with content relevant to their role. Such malicious emails are typically accompanied with Microsoft Office documents laden with malware or the ability to download the same.” During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails.

Whichever way the cyber-criminals succeed to infiltrate the organization, the impact on the victimized organization is significant because it needs to use up scarce incident response resources for cleaning up, managing a potential public relations nightmare, and in some cases even caving in to hacker demands of paying the ransom being demanded.

The latest Infoblox DNS Threat Index for Q1 2016 reports a 3,500 percent increase in ransomware domain creation quarter on quarter from 2015. “The relative cost of infrastructure is so low that it completely makes sense from the criminal’s point of view,” Rod Rasmussen, vice president of cyber security at Infoblox.

Another factor behind the fact that ransomware is growing is that people are paying the ransoms.  Don’t mistake this as an honorable act though. According to SecureWorks senior security researcher Keith Jarvis, more than four dozen distinct families of ransomware have emerged since the start of 2015 and “generally, 0.25% to 3.0% of victims elect to pay a ransom,” Jarvis explains, “meaning attackers need to destroy data on anywhere from 30 to 400 computers for every victim who relents and pays the ransom.”

Estimating the ransomware industry, we find that the largest operations are pulling in several million dollars per year. Which is hardly surprising when you consider that 93% of phishing emails delivered last quarter contained ransomware.”

It’s an attractive threat sector for many reasons. Number one, persistent attacks can be avoided. “Ransomware that encrypts all the data and destroys local backups before asking for a lump sum payout,” Dave Venable, VP of cyber security at Masergy told SC, “lets hackers avoid the higher costs and labor of maintaining the infrastructure of persistent attacks.”

Ransomware is popular because the malware can be monetized anonymously and quickly. “Through the use of bitcoin payment systems,” explains Gunter Ollmann, CSO at Vectra Networks, “the criminal can force the victim to pay the ransom in a monetary unit that facilitates complete anonymity and can be trivially converted to cash.” Gone are the days of requiring different and specialist criminal hands to both launder the data and anonymously monetize it.

As Ilia Kolochenko, CEO of High-Tech Bridge, concludes, “Ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.”

93% of phishing emails are now ransomware

ransomware-100646738-primary_idge
As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today.

As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe.

That was up from 56 percent in December, and less than 10 percent every other month of last year.

And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015

The anti-phishing vendor also counted the number of different variants of phishing emails that it saw. Ransomware accounted for 51 percent of all variants in March, up from just 29 percent in February and 15 percent in January.

The skyrocketing growth is due to that fact that ransomware is getting easier and easier to send and that it offers a quick and easy return on investment.

Other types of cyberattacks typically take more work to monetize. Stolen credit card numbers have to be sold and used before the cards are canceled, for example. Identity theft takes even more of a time commitment.

With ransomware, however, victims tend to pay quickly. Instead of hunting through company networks for valuable data, exfiltrating it, processing it, and monetizing it, ransomware criminals can just sit back and watch the money flow in.

“If you look at the price point of paying the ransom, it is rarely more than 1 or 2 Bitcoin, that’s $400 to $800, maybe $1,000 depending on the exchange rate,” said Brendan Griffin, Threat Intelligence Manager at PhishMe. “That’s a relatively low price point for a small to medium business.”

The amount is low enough that it’s often easier to victims to pay up rather than struggle to recover the data by other means.

And the new, easy-to-use ransomware tools and services are not just attracting criminals who would previously run other kinds of scams, but also bringing new players into the business, he said.

Locky and TeslaCrypt, two common varieties of ransomware have seen significant growth, but not all types of ransomware fared as well. CryptoWall, for example, seems to have fallen out of favor, PhishMe reported. In October and November of last year, CryptoWall accounted for 90 percent of encryption ransomware samples. In March, nearly 75 percent of all samples were Locky.

Soft targeting

In addition to the spike in the number of ransomware emails, one variant that’s seeing increasing popularity is the “soft targeted” phishing message.

It’s somewhere between a business compromise email or spearphishing attack, which is targeted at one specific executive, and the general-purpose spam email that goes out to everybody.

The soft targeted phishing email targets people in a particular job category, but may include some customization, such as the name of the recipient in the salutation.

“This has been a creeping trend for a while now,” said Griffin.

For example, a popular type of phishing email is the resume email, which supposedly has a resume from a job applicant in the attachment.

Recipients who don’t work in human resources or other jobs where they hire people would either ignore it, or forward it on to the appropriate person at the company. Other job functions can be targeted as well.

“For example, our vice president of finance received a message that said it was an important message for the vice president of finance, and had his name in the first line,” said Griffin.

Other common types of soft targeted phishing emails are billing, shipping and invoice-related messages.

According to Griffin, soft targeting increases the likelihood that someone will fall for a phishing email.

If you don’t know the person sending you the email take extra precaution.

 

Ransomware: Lucrative, fast growing, hard to stop

103537634-GettyImages-492752888.530x298

The hackers behind recent high-profile ransomware attacks on U.S. hospitals are using business methods that might be familiar to some Silicon Valley start-ups.

Cybercriminal gangs are attacking large markets with rich customers. They offer a product with a clear value proposition (giving you back your seized data) that alleviates a specific pain point (the inability to run your business). They act with agility and stealth enabling them to outwit the competition. They are also scrappy, often bootstrapping their illicit businesses.

“It is an economic business system, it is just perpetrated at a criminal level,” said Matt Devost, CEO of FusionX, a unit of Accenture. “There are a lot of analogies between that and a start-up environment.”

What started as a basic scam — extorting, say, a $300 ransom from a grandmother wanting to get family photos back — has escalated. Last year there was a “reported loss of more than $24 million as a result of ransomware attacks,” according to the FBI, a figure that surely massively underrepresents the scale of the problem due to the unwillingness of many victims to report.

The start-up costs for an illicit ransomware business are minimal. The hackers write their own code or buy ransomware as a service on the black market, often as part of a suite of other products.

Many groups are already operating other cybercriminal businesses, so getting into the ransomware business is just another way of leveraging existing talent and infrastructure. It requires minimal investment, is relatively low risk and the returns are potentially massive.

 

Enterprise victims frequently have no choice but to pay up, since hackers are often able to seize backup data as well, said Denise Anderson, president of the National Health Information Sharing and Analysis Center. “So if they need to stay in business, they are paying it.”

With the recent attacks on U.S. hospitals, the assailants are expanding beyond consumer to enterprise “customers” — their victims — and adjusting pricing accordingly. For example, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in bitcoin in February. Other enterprises are likely paying a lot more than that already, said experts. (The FBI does not condone payment of ransom, an agency official told CNBC.)

Read MoreThe hospital held hostage by hackers

“Last year alone there was a reported loss of more than $24 million as a result of ransomware attacks” -FBI official

“I imagine it will hit into the millions of dollars, if they are able to infect some of the right types of targets in an enterprise environment,” said Devost.

Like smart start-up CEOs, the hackers are testing the market and refining the business model. As the vast majority of attacks are likely settled without going public, more research is needed to figure out just how profitable the business really is, said experts. Unlike the criminal networks, which often share information freely, many of the victims do not.

“The cybercriminals collude when their business model merits it,” said Anderson. “Shame on us for not working together to protect against them.”

 

The most lucrative potential victims have a specific set of characteristics. They hold critical information and infrastructure, have immature and vulnerable security programs and the ability to pay the ransom. Small- to medium-sized U.S. hospitals have proven to be a sweet spot in ransomware because of their often poor security infrastructure as well as the willingness to pay to retrieve patient data, get back online quickly and prevent reputational damage.

“We will see much more successful attacks in other industries,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.

Law firms, which protect confidential and valuable information about their clients, and venture-backed start-ups that have invested in developing intellectual property are two targets criminals may increasingly go after, he said.

“It is an economic business system, it is just perpetrated at a criminal level” -Matt Devost, CEO of FusionX, a unit of Accenture

The black market for high-value trade secrets or intellectual property is a lot more lucrative than the market for personally identifiable information, which is fairly saturated after numerous data breaches, said Devost. It is also a lot riskier, potentially exposing hackers attempting to sell their ill-gotten goods to law enforcement.

Within businesses, it is almost always employees at the top and bottom of the pyramid who represent the best “leads” for attackers. Often, hackers will specifically target C-level executives with high-level access to an entire corporate network, or find success when low-level employees click on something they should not, said Vinny Troia, CEO of cybersecurity consulting firm Night Lion Security.

In a perhaps counterintuitive twist, some ransomware criminals actually want to make their attacks “user friendly” for their victims. Like legitimate businesses, they want to maintain a five-star rating, said experts. Some will offer the opportunity for victims to “try before they buy,” unencrypting a small portion of the files held hostage to prove they can deliver the product — a decryption key to get their files back.

 

They are creating user interfaces with sleeker designs and, in some cases, even providing customer support to make it easier to for victims to pay, said Devost. That makes it easier for even low-level victims — i.e., the grandma who just wants her photos back, and who has never heard of bitcoin — to make a payment.

“To the extent that you have a support apparatus to help your victims pay tells me there is a lot of money being made,” said Cabrera.

On the back end, the hackers continue to innovate to make ransomware more robust, and to stay one step ahead of cybersecurity companies and law enforcement. When the “good guys” discover a decryption key, they often release it to enable victims to decrypt their own data, undercutting the attackers’ business.

An example of how nimble these illicit enterprises are is shown by the rapid product evolution of CryptoWall, first released in 2014. CryptoWall is one of the most widely used forms of ransomware, and has been updated several times to make it stronger, said cybersecurity and threat intelligence firm Webroot in its 2016 Threat Brief.

CryptoWall 3.0 is smarter, more secure and stealthier than previous generations. The malware generates unique encryption keys instead of using one key for all infections, secures the master key itself to prevent unauthorized access, and conceals the location of the servers containing the decryption keys and payment mechanisms, among other things.

“In late 2015, CryptoWall 4.0 was released, with numerous enhancements to help sidestep security software,” said Webroot.

 

The next evolution of CryptoWall will likely more aggressively try to encrypt attached network storage devices, Devost said.

The software is largely operated by criminal gangs, many with ties to organized crime, often located in Eastern Europe and Russia.

“Whenever it comes to malware that is written with the focus of strictly making more of a profit, it has typically come out of that region of the world,” said Brian Calkin, vice president of operations at the Center for Internet Security.

For example, the architect believed to be behind CryptoLocker, Evgeniy Mikhaylovich Bogachev, remains at large, and is suspected to be in Russia. “Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States,” said the U.S. Department of Justice on March 4 in response to an inquiry by Sen. Tom Carper (D-Del.) about the challenges in bringing the suspected criminals behind these types of ransomware attacks to justice.

“If all individuals and businesses backed up their files, ransomware that relies on encrypting user files would not be as profitable a business for cybercriminal actors,” said the DOJ.

The business of backing up data is also booming thanks in part to the recent high-profile ransomware attacks, with cybersecurity companies crowding the market. For example, Code42 provides a backup and real-time recovery solution. The company counts 37,000 organizations — including Lockheed Martin, Mayo Clinic and Kohl’s — as customers.

“If you had our solution you certainly would not have to pay for ransomware,” said Rick Orloff, chief security officer at Code42. “The flip side of the coin is, here is a thousand types of vulnerabilities, do you want to pay to be protected from all of them?”

“Companies need to align around what types of attacks do they want protection from,” he said.

Ransomware – Practical view, mitigation and prevention tips

You've been Hacked

Ransomware:
Ransomware is a kind of malware that encrypts everything on your system with a Cryptographic algorithm and holds that encrypted data hostage for ransom. It demands the user to pay for the decryption key. There are two types of ransomwares. In first, ransomware encrypts all data on the system and it is nearly impossible to decrypt it without the key. In second, it simply locks the system and demands to enter the key for data decryption but it does not encrypt data.

One of the very well-known ransomware is Cryptolocker. It uses RSA to encrypt data. Command and control server of malware stores the private key for decryption of data. It typically propagates as a Trojan and it relies mainly on social engineering for propagation.

Working of ransomware (unlike its purpose) is quite interesting. For proper understanding, we can divide its working in following steps.

  1. Approaching system of the victim and installing it as a covert/silent installation. It places its keys in system registry.
  2. After installation, it contacts its command and control center. The server tells the ransomware what to do. It starts communication by performing handshake with the server and exchange keys.
  3. Now it actually starts working, with the key provided by the server it starts encrypting the data on the machine. It uses common file extensions to identify the files and encrypt them.
  4. This is where it gets scary. After encrypting the data, it shows a message on screen that it has locked data on your computer and you have to pay within a period if you want to see your data again.

How it propagates:

Ransomware mostly uses social engineering tricks to propagate. It uses email attachments with malicious files and covert or maliciously forged documents with embedded scripts. In addition, it uses malicious URLs that point to vulnerable and compromised sites. Internet surfing and downloading software with unknown publishers is also a likely reason of infection. Ransomware also spreads through mediums like USB, portable hard drives etc.

Ransomware installation:

Its installation is a covert operation. It uses Windows default behavior to hide the extensions from name of the file, disguising the real .exe extension. Once it reaches its target by using any of the above mentioned propagation methods and user opens the malicious file, it becomes a memory resident on the computer. Then it usually saves itself in the Appdata folder, User Temp and Localappdata folders. Later, it adds a registry key in the windows registry to start the malware every time windows restart. 

Main working:

The main purpose of ransomware is encryption of data on the target computer. It generates a random symmetric encryption key for each file. It targets files with general extensions like .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg etc. and other files whose extension are in the malware code. It uses AES algorithm to encrypt data files. After encrypting data, it encrypts a random key with asymmetric private key using RSA algorithm and adds this to encrypted file. Now only the owner of the private key can have access to the random key it generated to encrypt the data.

The malware communicates with its command and control center to obtain the public key. It uses Domain generation algorithm (DGA) with common name as “Mersenne Twister” to generate random domain names and find its command and control center. After encrypting data, it displays a message with the time limit to the user about the ransom that has to be paid for the key and failed to do so will delete the key.

Money_Pack

The compromise system can have the symptoms like high rate of Peer to Peer communication, increased network communication (Communication with Command & Control center server) and high use of system resources.

Mitigation and Prevention:

So far, there is no way that can break the Cryptolocker encryption and provide you the key to decrypt data. Paying seems to be the only way to get data back unless you have a backup. Some of the incidents in past showed that paying did not pay back. As some people paid but did not get the key and in other cases the given key did not work. So the best way is to keep yourself save proactively. Now we are going to discuss some proactive approaches to keep yourself safe from these types of attacks, in case you are affected what steps to take.

  1. The first and the foremost thing that comes into play when we talk about security is User Awareness. Training of the employees, users and all stakeholders is the most important thing. As in this case, we are in a war against malware. In addition, users cannot win this fight unless they are aware of the threats. SOC/Security management team can organize seminar, awareness campaigns etc., to guide the employees. Periodic briefing is also important. Explaining the cases with examples to the non-technical as well as technical employees can make it better for them to understand and remember the scenarios they are likely to face in everyday life.
  2. Along with user awareness, implementation of security policies is inside the domain via GPO and email transport rules to block such potential type of emails and Exes to execute silently. One recommends it highly to use Security Group policies in your organization for safeguarding against malware. Let us walk through the process of implementing the same.

Certain application and programs apply software restriction policies for their execution. This uses Group policy. What we can do is to block the executable in the specific user space areas where the ransomware launches itself. In large organizations, we can do this via Domain Group policies. In small business environment, home or organizations with no domains apply local security policies.

  • Open Group Policy management console on your primary DC to implement a Software restriction policy.

  • Create a New GPO. Name it as “Software Restriction Policy”.

Well the folder structure for users in Windows XP and prior is a bit different so what we can do is, to create 2 different policies; one for XP systems in domain and other for Vista and higher version of OSs. What I would do is, I will add both types of folders for XP and later in one GPO.

  • Now edit the newly made GPO and add user space folders in which we don’t want the software to auto execute. Go to Computer Configuration> Policies > Windows Settings > Security Settings Software Restriction Policies > Additional Rules. Right click Additional Rule and click ‘Add new Path rule’. Here we will create a new rule and enforce software restriction.

  • We will be adding file paths here. Add a path, select security level ‘Disallowed’ and add a description.

The paths for XP user space are as follows:

  • %AppData%\*.exe
  • %AppData%\*\*.exe
  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %UserProfile%\Local Settings\Temp\Rar*\*.exe

The paths for other higher version of OS are:

  • %LocalAppData%\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe

  • Now allow sometime to let the GP sync to all the systems or you can go to every system and open cmd as Administrator write ‘gpupdate /force’ to force update the group policy to the system and now you are done.

There can be a disadvantage of applying the software restriction policy i.e. all the other legitimate exes will not run in those spaces as well. However, we can whitelist the legitimate software in Software Restriction policies.

For Whitelisting apps in Software Restriction policy, exceptions have to be set for those apps. We can manually instruct windows to allow those apps while block all the others. For doing so just add same rule for particular apps as explained before and set security level to Unrestricted instead of Disallowed. This will allow the GPO to whitelist the apps and their execution takes place in user space.

  1. If you have on-premises email server or exchange, Transport rules are something very useful. Use the exchange transport rule to block or disallow attachments with executable content or at least mark it as Possible Spam so User may have warned by the content of the email.
  • Open Exchange Management Console on your exchange server.
  • Go to Organization Configuration > Hub Transport.
  • Open Transport Rules.

  • Add new rule by right clicking the main screen. Enter the Name of the rule along with the description of rule.

  • Select the condition for the rule from next window. Select option “When any attachment file name matches text patterns”.

  • Select as much extensions as you want. Here we are adding exe, html, doc, docx, jpg, jpeg, zip, rar etc.
  • Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Now add “Possible Spam” as the text that will be added in the subject line.

  • If there are any exceptions, add them on the next screen else left it as it is. Complete the process by click Next and then Finish. The transport rule is added and its enable with priority set to 0.

Now when the user will receive the email with those specific extensions that we added in rule, he will observer Possible Spam in the subject of those emails.

3. User permissions: It is something minor but very important when we are dealing with the threats like ransomware. Review the NTFS permissions carefully for every time we deal with permissions. For instance, Share folders from server etc. If the share folder has ‘Everyone’ write permission and the user system gets infected, you are in trouble. Try to give the as minimum permissions as possible to users to lessen the damage.

4. By this time, many antivirus softwares are able to detect and remove this virus but decryption of the data is not possible unless you have the key. Keep your antivirus updated so it can detect and remove the malware before it acts.

5. Keep your systems up-to-date and patched up with latest security patches that the manufacturer releases.

6. Do not allow Peer to Peer communication in your network. Ransomware and many of the other malware and bots communicate with their command and control center via P2P communication. Disallowing this will help you keep save.

7. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.

8. Avoid using such type of unknown anti-virus on your system even if it claims to remove the malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without a key so if any unknown anti-virus claims that it can break encryption in no time don’t get tricked. It is some other type of malicious virus.

9. Last but not the least: Rather it is the most useful solution I know so far, is to BACKUP all your data regularly. I have seen clients affected with ransomwares and the only thing that saved them was Successful backup. Backup all your critical data to the external drive or NAS or SAN that is isolated from your system is very useful. If you are a big organization, then develop a BCP (Business Continuity Plan) and BDR (Backup and Disaster Recovery). BCP contains all the aspects of ransomware attacks and migration techniques along with the details of the backup you can or will take for your organization. There are many backup solutions available in the market that can help you backing up your data to an external storage or remote location i.e. cloud storage.

Thank you Tal for the great Post:
Operational Security Specialist | OSCP, CREST, ISO 27001, 22301 & 22035 Certified Lead Auditor and 27005 Risk Manager

Multiple Hospitals Hit In Ransomware Attack Wave

mcafee-video-image_1102_65x70In the past week alone, three hospitals have reported being victimized by cyber-extortionists.

A flurry of ransomware attacks against hospitals in recent weeks suggests that online criminals may have found a new favorite target for cyber-extortion.

The latest to get hit are Methodist Hospital in Henderson, Kentucky, and Southern California’s Chino Valley Medical Center and Desert Valley Hospital, both of which belong to the Prime Healthcare Service chain.

The incident at Methodist Hospital forced it to declare a state of internal emergency earlier this week while administrators tried to restore access to encrypted files and email.

Security blog Krebs on Security, which was the first to report on the attack, quoted the hospital’s information system director Jamie Reid as describing the malware used in the attack as “Locky,” a particularly virulent ransomware sample that surfaced earlier this year.

According to Reid, after initially infecting a system, the ransomware spread to the entire internal network and compromised multiple systems. This prompted the hospital to turn off all desktop computers and bring them back up one and a time after ensuring they were infection-free.

Reid did not respond immediately to a Dark Reading request for comment, so it is unclear if the hospital ended up paying the $1,600 ransom demanded by the attackers to unlock the encrypted files. An attorney for Methodist Hospital interviewed by Krebs on Security had said the hospital had not ruled out paying the ransom.

Meanwhile, Fred Ortega, a spokesman for the two California hospitals that were also similarly hit, today claimed the malware did not impact patient safety or compromise health records, staff data, or patient care.

Ortega described the attacks as disrupting servers at both hospitals. But measures were quickly implemented that allowed a majority of operations to continue unhindered, he said in comments to Dark Reading.“The malware was ransomware,” Ortega says. “I can confirm that no ransom has been paid.”

According to Ortega, in-house IT teams were able to quickly implement certain protocols and procedures to contain and mitigate the disruptions. But he did not elaborate on what those measures were. “The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised or leaked. As of today, most systems have been brought online,” Ortega says.

The attacks on the three hospitals continue a trend that first grabbed attention in February when Hollywood Presbyterian Hospital said it had paid $17,000 in ransom money to regain access to files that had been locked in a ransomware attack. Since then there have been reports of similar attacks on two hospitals in Germany, one at the Los Angeles County health department, and now the three over this past week.

Expect such attacks to increase, says James Scott, senior fellow at the Institute for Critical Infrastructure Security (ICIT), which recently released a report on the ransomware threat to organizations in critical infrastructure sectors.

“Hospitals are an easy target for many reasons,” Scott says. “Employees typically lack cyber hygiene training and their technology landscape, in most cases, is eerily absent of layered security centric protocols.”

Scott predicts that adversaries are going to start using ransomware as a diversionary tactic while they steal electronic health records and other sensitive data from healthcare networks. “The ransom will be secondary to the primary revenue generated by the sale of the data,” Scott says.

Another reason hospitals are being targeted is because threat actors know they simply cannot afford a prolonged disruption adds, Israel Levy, CEO of security vendor BufferZone. “The first attacks on hospitals, which may have been opportunistic rather than targeted, were successful for the attackers, so copycat attacks are now inevitable,” he said.

Regulatory pressures and public concerns have forced the healthcare sector to be more diligent about protecting private medical data in recent years, Levy says. But the same is not always true when it has come to protecting daily operations and common issues like email and Web use.

“Ransomware threat actors seem to be going after that weakness,” Levy said. “They aren’t going after personal medical data specifically, but are holding the hospital’s operational infrastructure hostage.”

Ron Zalkind, CTO and co-founder at CloudLock, says healthcare organizations are often viewed as soft targets by threat actors. A recent study that CloudLock conducted found that only five percent healthcare organizations on average are concerned with password protection, only 38% are concerned with personally identifiable information, and 30% are concerned with PCI, says Zalkind, who will talk cloud security issues at the upcoming Interop conference. “Similar vulnerabilities exist in other high-risk verticals, such as computer-controlled oil refineries and electrical grids,” he says.  “[The] consequences of such attacks to these sectors are just as significant.”

5 things you need to know about ransomware, the scary malware that locks away data

869cbb32-a1c0-47d3-8364-6a4e39983484-large

Over the past few years millions of PCs from around the world have been locked or had their files encrypted by malicious programs designed to extort money from users. Collectively known as ransomware, these malicious applications have become a real scourge for consumers, businesses and even government institutions. Unfortunately, there’s no end in sight, so here’s what you should know.

It’s not just your PC that’s at risk

Most ransomware programs target computers running Windows, as it’s the most popular operating system. However, ransomware applications for Android have also been around for a while and recently, several variants that infect Linux servers have been discovered.

Security researchers have also shown that ransomware programs can be easily created for Mac OS X and even for smart TVs, so these and others devices are likely to be targeted in the future, especially as the competition for victims increases among ransomware creators.

Law enforcement actions are few and far between

There have been some successful collaborations between law enforcement and private security companies to disrupt ransomware campaigns in the past. The most prominent case was Operation Tovar, which took over the Gameover ZeuS botnet in 2014 and recovered the encryption keys for CryptoLocker, a notorious ransomware program distributed by the botnet.

In most cases, however, law enforcement agencies are powerless in the face of ransomware, especially the variants that hide their command-and-control servers on the Tor anonymity network. This is reflected in the multiple cases of government agencies, police departments and hospitals that were affected by ransomware and decided to pay criminals to recover their files. An FBI official admitted at an event in October that in many cases the agency advises victims to pay the ransom if they don’t have backups and there are no other alternatives.

Back up, back up, back up

Many users back up their sensitive data, but do it to an external hard drive that’s always connected to their computer or to a network share. That’s a mistake, because when a ransomware program infects a computer, it enumerates all accessible drives and network shares, so it will encrypt the files hosted in those locations too.

The best practice is to use what some people call the 3-2-1 rule: at least three copies of the data, stored in two different formats, with at least one of the copies stored off-site or offline.

You might get lucky, but don’t count on it

Sometimes ransomware creators make mistakes in implementing their encryption algorithms, resulting in vulnerabilities that allow the recovery of the files without paying the ransom. There have been several cases where security companies were able to create free decryption tools for particular versions of ransomware programs. These are temporary solutions though, as most ransomware developers will quickly fix their errors and push out new versions.

There are other situations where security researchers take control of command-and-control servers used by the ransomware authors and make the decryption keys available to users for free. Unfortunately these cases are even rarer than vulnerabilities in the ransomware programs themselves.

Most security vendors discourage paying the ransom, because there’s no guarantee that the attackers will provide the decryption key and because it ultimately encourages them.

If you decide to hold your ground, keep a copy of the affected files as you never know what might happen in the future. However, if those files are critical to your business and their recovery is time sensitive, there’s little you can do other than pay up and hope that the criminals keep their word.

Prevention is best

Ransomware programs get distributed in a variety of ways, most commonly through malicious email attachments, Word documents with macro code and Web-based exploits launched from compromised websites or malicious advertisements. Many are also installed by other malware programs.

As such, following the most common security best practices is critical. Always keep the software on your computer up to date, especially the OS, browser and browser plug-ins like Flash Player, Adobe Reader, Java and Silverlight. Never enable the execution of macros in documents, unless you have verified their senders and have confirmed with them that the documents should contain such code. Carefully scrutinize emails, especially those that contain attachments, regardless of who appears to have sent them. Finally, perform your day-to day activities from a limited user account, not from an administrative one, and run an up-to-date antivirus program.

Security Predictions 2016: Ransomware will continue to evolve and become increasingly complicated

26884181_m-750x410

As we start each year, the team at thedigitalageblog looks into the crystal ball and makes predictions for the year.  Sometimes we’re right and sometimes we’re wrong, but we find it useful to look to the future and document what we see.

Our Prediction centers on the ongoing Ransomware attacks:

Ransomware will continue to evolve and become increasingly complicated.  We continue to be shocked at the amount of ransomware attacks where the “victim” actually pays the ransom.  The FBI said it received 992 CryptoWall complaints from April 2014 to June 2015, representing total losses of $18 million—and that is just reported cases. Because criminals are finding this scheme lucrative, hackers will continue to work on producing virus variants that are harder to detect and decrypt. Ransomware depends on human error; it is usually activated by a user clicking on a link in a phishing email. Encryption of sensitive data combined with regular back-ups onto external devices or cloud services are an excellent defense against these schemes. If you have a current copy of your data or web site, business can continue with minimal disruption. Paying the ransom does not, after all, guarantee full restoration of your data or web site. It’s important to note that mobile devices can also be overtaken by ransomware, and often the accompanying threat is to ruin one’s reputation.