
Disk-Killer Malware Adds Ransomware Feature And Charges $200,000+ 


Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly.

The Sandworm group has upped its game. It takes its name from the Sandworm malware campaign that targeted Industrial Control Systems and Supervisory Control and Data Acquisition (SCADA) equipment in the United States during 2014.

The Sandworm group later evolved into the TeleBots group, which developed the TeleBots backdoor trojan and the KillDisk disk-wiping malware.

KillDisk was used in 2015 and 2016 when another group, the Russian BlackEnergy cyber-espionage group, deployed it to attack and sabotage energy, mining and media companies in Ukraine. Criminal forums are very active and their members talk all the time, which is probably how state-sponsored Russian hackers got their hands on KillDisk.

Until now, KillDisk had only been seen in espionage and sabotage operations. It has now moved into the ransomware racket with a bang: a 222 Bitcoin ransom, which at the current, skyrocketing exchange rate is well over $200,000. If you get hit with this and your backups fail, it gets very expensive.

The new KillDisk strain uses a sound hybrid encryption scheme: each file gets its own AES key, and that key is in turn encrypted with the attackers' RSA public key (the write-ups say RSA-1028, which presumably means a 1024-bit key). The matching private key never touches the victim's machine, so there is nothing left on disk to recover the files from. These guys know what they are doing.

KillDisk was recently used against Ukrainian banks

The most recent KillDisk attacks targeted Ukrainian banks. Bank employees were infected with the TeleBots backdoor through phishing emails carrying malicious attachments. TeleBots is easy to recognise on the wire because it talks to its operators over Telegram's Bot API, so outbound connections to api.telegram.org from servers and workstations that have no business using Telegram are worth alerting on.

Catalin Cimpanu at Bleepingcomputer said: “After collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also hide the intruder’s tracks.

In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) and draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivism group, portrayed in the show.

At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations.”

Why did they add a ransomware feature?

It is easier to hide your tracks if KillDisk poses as ransomware. What you are looking at is a very profitable form of obfuscation.

The victim assumes they suffered an expensive but ordinary ransomware infection and does not go looking for the TeleBots trojan or other data-exfiltration code. Victims trying to avoid bad PR restore from backup or pay the ransom and move on. Meanwhile, back at the ranch, they are still being robbed blind.

According to malware researchers at CyberX, the KillDisk ransomware component shows the following message on infected computers and demands a huge ransom of 222 Bitcoin, well over $200,000.


KillDisk Ransomware

To unlock your files you have to contact their “customer support” by email and pay the ransom; only then do you receive the private RSA key that decrypts your files.

The business model here is not the spray-and-pray of cheap ransomware. This gang goes for the high-end approach and demands a high price. Once you contact them through the email address, they will try to extort you further by threatening to dump sensitive files they stole via the TeleBots backdoor.

 


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Teen pleads guilty to creating DDoS tool used in 1.7 million attacks

A 19-year-old from Hertfordshire, UK, has pleaded guilty to creating and running the Titanium Stresser booter service, which he himself used to launch 594 distributed denial of service (DDoS) attacks.

According to a statement put out by the Bedfordshire Police, Adam Mudd developed the tool when he was just 15 years old.

He didn’t just use it to launch his own DDoS attacks. He also sold it online and ran it as a service, distributing it to cyber crooks.

Investigators are still working out the total amount Mudd made from the attacks, but their preliminary estimate is around $385,000.

Investigators determined that Mudd's stresser, a tool that floods a target with traffic until it is bogged down, dead in the water and non-functioning, was used in more than 1.7 million DDoS attacks worldwide.

Mudd's own 594 attacks were launched against 181 IP addresses between December 2013 and March 2015, the month he was arrested and the service was shut down.

According to Silicon Angle, Mudd kept detailed logs of all the attacks that relied on Titanium Stresser.

In fact, it was, for a time, the most popular DDoS-for-hire service available online.

One of Mudd’s satisfied customers must have been the hacking group Lizard Squad. According to The Register, Mudd’s creation was the basis for Lizard Stresser, a DDoS tool marketed by the hacking group.

Remember Lizard Squad? They ruined Christmas 2014 with a DDoS directed at PlayStation and Xbox servers, timed to make sure nobody could play games during the holiday.

A spot of poetic justice was had when the Lizard Stresser service itself got hacked, spilling customer details on to the internet.

Interestingly, the very same thing happened recently to vDOS, one of the most disruptive attack-for-hire services on the internet.

vDOS was taken down in September, and its alleged co-owners were arrested following a “massive hack” on the site. Tens of thousands of customers’ details were spilled, along with the identities of its teenage owners.

Technically speaking, those who launch these DDoS attacks aren’t hackers, given how little technical skill is required.

All they have to do is harness the horsepower provided by botnets, as Sophos’s Mark Stockley noted at the time of the vDOS takedown. Those botnets contain tens of thousands of computers compromised by malware.

Perhaps not coincidentally, both security journalist Brian Krebs and DNS provider Dyn, both involved in the vDOS sting, were later hit by massive DDoS attacks from the Mirai botnet.

As Brian Krebs has reported, Lizard Stresser relies on thousands of hacked home routers to launch DDoS attacks.

That’s not dissimilar to Mirai, which also uses poorly secured devices that aren’t laptops, desktops or servers.

As we noted at the time of the attack on Krebs, Mirai originated not from malicious bot or zombie software on regular computers, as might have been the case a few years ago, but from so-called Internet of Things (IoT) devices such as routers, web cameras and perhaps even printers.

You might not think of such humble devices as having enough brawn to do the damage that DDoSes have wrought, but string them all together, and they can be used to cause a world of hurt.

Mirai wasn’t well-coded. But it didn’t have to be scrupulously developed in order to be destructive.

To make it all that much worse, in the aftermath of the assault on Krebs, the source code of the malware used in the attack was open-sourced.

But back to Mudd: he pleaded guilty to two offenses under the Computer Misuse Act and another of money laundering under the Proceeds of Crime Act. He’s due to be sentenced in December.

We don’t yet know how much prison time Mudd may be facing, but Silicon Angle reports that the judge who accepted his guilty plea noted that “a spell in a youth offenders institution will be considered”.

Article by: Sophos

 

 

 

 


Posted in: Monthly Security Brief, Tech News


SanFran Muni Ransomware Hacker Gets Hacked Back!

A couple of weeks ago, a still-unidentified attacker hacked the computer systems of San Francisco's Municipal Railway (Muni), giving everyone a free ride that Saturday. The ransomware hacker was then hacked back: reporter Brian Krebs was contacted by the anonymous counter-hacker who took over the email account given in the ransom note: “Contact for key (cryptom27@yandex.com)”.

The ransom demanded from the San Francisco Municipal Transportation Agency (SFMTA) was 100 BTC, or $73,184 USD with current exchange rates.

[Image: San-Fran-Muni-hacker.png]

The security researcher who hacked back the Muni hacker broke into the email account by correctly guessing the answer to its security question, then reset the password and locked down the account, including the secondary address, cryptom2016@yandex.com.

“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.” wrote Krebs. “A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.”

Analysis of the Bitcoin wallets used by the Muni hacker showed that he took in about $140,000 over the preceding three months. During that period he switched Bitcoin wallets every few days or weeks to frustrate tracking. Most of the extortion attempts targeted US-based construction and manufacturing companies, and in many cases the victims appear to have paid.

“On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm,” added Krebs. “Emails from the attacker’s inbox indicate some victims managed to negotiate a lesser ransom. China Construction of America Inc., for example, paid 24 Bitcoins (~$17,500) on Sunday, Nov. 27 to decrypt some 60 servers infected with the same ransomware — after successfully haggling the attacker down from his original demand of 40 Bitcoins. Other construction firms apparently infected by ransomware attacks from this criminal include King of Prussia, Pa. based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm based in Walbridge, Ohio.”

Investigators also found that the attacker's server was used to hack into systems worldwide, that it hosted several open-source attack tools, that the Muni hacker connected from internet addresses based in Iran, and that some notes found on it were written in Farsi.

What to do about it

Brian Krebs wrote: “The data leaked from this one actor shows how successful and lucrative ransomware attacks can be, and how often victims pay up. For its part, the SFMTA said it never considered paying the ransom.” 

You need off-site backups that the infected systems cannot reach. Beware of the real-time trap: some ransomware ends up encrypting cloud backups too, because a backup client that continuously mirrors changes will faithfully upload the encrypted files over the clean copies. Use versioned or write-once backup storage so that a pre-infection copy survives, and test a restore before you need one. For more tips on how to avoid becoming the next ransomware victim, check out the FBI's most recent advisory on ransomware.

Krebs ended with: “Finally, as I hope this story shows, truthfully answering secret questions is a surefire way to get your online account hacked. Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases — as with United Airlines’s atrocious new password system— answering secret questions is unavoidable. In cases where I’m allowed to type in the answer, I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing.”

That is an excellent piece of advice, and it is part of the new-school security awareness training that all users should be stepped through as soon as possible, followed by frequent simulated phishing attacks. Start with a free Phishing Security Test and phish your users to see how many click. It is often an unpleasant surprise, but a great catalyst for buy-in and fast budget.


© KnowBe4, Inc. All rights reserved. | Privacy Policy & Terms Of Service | Security

 


Posted in: Newsletter Topics, Tech News


And Another Billion More Yahoo Accounts Hacked

[Image: yahboohoo-580x314.png]

In the September/October timeframe this year it became clear that Yahoo had lost more than 500 million records, the biggest hack of the year. Who knew they would top themselves just a few months later?

Yahoo stated today that a separate incident exposed at least a billion more user accounts. It also warned that attackers had found a way to log into targeted Yahoo accounts using forged authentication cookies, without having to supply the victim's password.

How can this get any worse? It is a massive, epic fail. Here is the updated graph from the Wall Street Journal on the size of this monstrous hack.

[Image: Yahoo1billion.jpg]

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

Yahoo said it was in the process of notifying the affected account holders and that it had invalidated the forged cookies. In a typical signed-cookie design that means rotating the secret the cookies are validated against, which logs out forgers and legitimate users alike. “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.
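To see why "forged cookies" let an attacker in without a password, and why the only cure is to invalidate every cookie at once, here is a generic signed-cookie login as an added example. It is not Yahoo's actual implementation, which has not been published; the cookie layout (user, expiry, HMAC), the key values and the timestamps are assumptions constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Server is a generic signed-cookie login system (not Yahoo's real one):
// one secret key authenticates every session cookie the site issues.
type Server struct {
	signingKey []byte
}

// sign computes HMAC-SHA256 over the cookie payload under the current key.
func (s *Server) sign(payload string) string {
	mac := hmac.New(sha256.New, s.signingKey)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// mintCookie issues "user|expiry|mac". Nothing in here involves the user's
// password: whoever holds signingKey can mint a cookie for any account.
func (s *Server) mintCookie(user string, expiry int64) string {
	payload := user + "|" + strconv.FormatInt(expiry, 10)
	return payload + "|" + s.sign(payload)
}

// verifyCookie accepts a cookie only if its MAC matches under the current
// key and it has not expired; it returns the user the cookie names.
func (s *Server) verifyCookie(cookie string, now int64) (string, bool) {
	parts := strings.Split(cookie, "|")
	if len(parts) != 3 {
		return "", false
	}
	expiry, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || expiry < now {
		return "", false
	}
	want := s.sign(parts[0] + "|" + parts[1])
	if !hmac.Equal([]byte(want), []byte(parts[2])) {
		return "", false
	}
	return parts[0], true
}

// rotateKey is the only fix once the key has leaked: every cookie minted
// under the old key, forged or legitimate, stops verifying at once.
func (s *Server) rotateKey(newKey []byte) {
	s.signingKey = newKey
}

func main() {
	now := int64(1_480_000_000) // constructed "current time"
	site := &Server{signingKey: []byte("constructed-site-secret")}
	legit := site.mintCookie("alice@example.com", now+3600)

	// An attacker who obtained the signing key; no password is needed.
	thief := &Server{signingKey: []byte("constructed-site-secret")}
	forged := thief.mintCookie("ceo@example.com", now+365*86400)
	u, ok := site.verifyCookie(forged, now)
	fmt.Printf("forged cookie accepted: %v as %q\n", ok, u)

	site.rotateKey([]byte("constructed-new-secret"))
	_, ok = site.verifyCookie(forged, now)
	fmt.Println("forged cookie after rotation:", ok)
	_, ok = site.verifyCookie(legit, now)
	fmt.Println("legitimate cookie after rotation (user must log in again):", ok)
}
```

The security of every session rides on signingKey: the password check happens once at login and is never consulted again, so whoever can compute the MAC is every user. Rotating the key is cheap for the site and annoying for users, which is why it is done only when the key is believed lost.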

Blaming it on the Russian Government in this case is a cop-out. These are high level criminal hackers that simply get air cover from Putin but are not on his payroll.

At this point Yahoo has fallen down on security in so many ways that I have to recommend that if you have an active Yahoo email account, either directly with Yahoo or via a partner like AT&T, you get rid of it. But clean it out first: remove all the folders, delete the account, and open a Gmail account instead. Check whether you have used your Yahoo password on other sites, and change the password and security questions for those accounts. And remember: never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

If you used a mobile phone number with your Yahoo account and still use that number, SMS phishing (a.k.a. smishing) is now a distinct possibility, so be very wary of unexpected text messages.

Thanks, Verizon, for your interest in Yahoo and the due diligence that followed. I would recommend not pursuing the deal, though.


Posted in: Monthly Security Brief, Tech News


Is Lynda.com A Hacking Victim? They Lost 55K Records Somehow…

[Image: Lynda_hacked.jpg]

Lynda.com, the online learning unit of LinkedIn, has reset passwords for some of its users after it discovered recently that an unauthorized external party had accessed a database containing user data.

The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.

The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement. Here is the email that was sent:

“We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

If you have questions, we encourage you to contact us through our Support Center.

The Lynda.com team”

Lynda.com was acquired by LinkedIn not long ago for US$1.5 billion in a cash-and-stock deal, and LinkedIn was in turn acquired by Microsoft this month in an all-cash transaction worth US$26.2 billion.

The breach at Lynda.com comes a little after Yahoo said last week that data relating to over a whopping 1 billion user accounts had been stolen in 2013. This is the second big breach reported by Yahoo, with the other affecting at least 500 million users.

Graham Cluley, who is more or less the Indiana Jones of insecurity reporting, wondered whether this was a hack in the traditional sense, whatever that means anymore, or whether it came from a security researcher who found a vulnerability and harvested the data.

He’s also a bit miffed that the Lynda website isn’t making a big deal about the problem. This kind of obvious ignoring of hacks is a bugbear of his, which perhaps explains the big dig he gives LinkedIn at the end.

“The wording of the email is a little odd, and makes me wonder whether this was a ‘traditional hack’ or more a case of a security researcher stumbling across a user database on a server that shouldn’t have been publicly accessible, or found a vulnerability that allowed them to access user information,” he said.

“Disappointingly, I was unable to find any reference to the data breach on the Lynda.com website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox. Regular readers will recall that LinkedIn is no stranger to database breaches”.


Posted in: Monthly Security Brief, Security Awareness Training, Tech News


Phishing from the Middle: Social Engineering Refined


Phishing attacks have long been associated with malicious emails that spoof well-known institutions in order to trick users into coughing up credentials for bank accounts, email accounts, or accounts for major online services. Phishes that exploit the good name of trusted brands familiar to users have also been known to deliver ransomware, backdoors, and other malicious software designed to compromise the companies and organizations those users work for.

Spoofing well known institutions and brand names is old hat, though, and users have become increasingly wary of emails claiming to hail from familiar companies and organizations. In response, the bad guys have been refining their use of social engineering, the key to any successful phishing campaign.

This week we saw the latest evolution in the use of social engineering hooks designed to lure unsuspecting employees into downloading and executing highly malicious software inside corporate networks.

Making the Extraordinary Seem Everyday

Over the past two years malicious actors have increasingly turned to simpler, less flashy social engineering schemes designed not to raise eyebrows but to capitalize on users' ingrained habit of clicking through attachments or links that look like just more of the same dreary, business-related email that fills their inboxes every day.

Thus, most of the major email-driven ransomware campaigns that we’ve seen over the past 6-9 months have been landing in users’ inboxes under the pretense of dealing with invoices, P.O.s, IT-related messaging, and other ordinary business documents and topics, some of them very industry-specific. The social engineering hooks in such phishes are noteworthy only for just how unspectacular they initially appear. A few recent examples:

  • Attached is the initial CD for my client (based on preliminary fees that you sent over). Can you please advise on revised/added fees (tax prorations, HOA dues, etc)?
  • You are going to be billed USD 3,881.74 on your Mastercard balance soon. Take a look at the attachment for information.
  • Your car loan is approved.
  • Charge attached.
  • Your order was completed in accordance with the agreement. Please see attached detailed estimates for each agreement article.
  • We need your signature on this before we can settle.
  • Please find attached the fully executed contract.
  • Our HR Department told us they haven’t received the receipt you’d promised to send them. Fines may apply from the third party. We are sending you the details in the attachment.

Such social engineering hooks are intended to provoke unthinking, habitual clicks from users inured to the avalanche of email that hits their inboxes day in and day out. Most are short — some less than five words — just like the majority of legitimate daily business email communication.

But even these cleverly designed phishes share a common problem: they are cold contacts, forcing users to refocus their attention on a new problem, a process that could raise their levels of awareness and alert them to something amiss. And, indeed, phishing emails are all by their very nature cold contacts.

But what if the bad guys could create the illusion of an on-going email discussion thread among office colleagues — the kind of cozy, familiar situation in which few users would ever expect to be phished? In fact, that’s just what we saw this week.

Starting from the Middle of Things

Over the past two days a number of our customers have reported receiving large numbers of a rather interesting phishing email.

[Image: phish-with-link1-2.png]
There are a couple of things to note about this email.

First, the email appears to be a conversation between two different employees — one using a generic accounting email address within the company (whose name we’ve redacted) and a second being an individual employee named Sam. In fact, this entire email originated from outside the company being targeted. It is, in reality, a spoofed email thread.

Second, this is a targeted attack. The one named employee is real and the email address contained in the hyperlinked version of his name (only partially visible in the screenshot above) is that employee’s actual email. Moreover, the visible link points to the company’s own domain (while the actual underlying link, revealed by hovering the mouse, points to a Vietnamese domain). The bad guys obviously researched their targets before phishing them in order to create a credible, spoofed email thread purportedly involving real employees likely familiar to other users within the company.

Third, the social engineering hook involves an apparently innocuous request from a fellow employee. Who in a modern office environment hasn’t encountered printer problems? Moreover, the link being dangled in front of users appears to offer access to personally sensitive information — something that could prove irresistible to some people.

In short, this phish is a cleverly manufactured ruse designed to give users the impression that they have been mysteriously dropped into the middle of an ongoing discussion involving a document with personally sensitive information about another colleague working in the same office.

Just like any other phish, it’s a cold contact. But it doesn’t feel like one.
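One check that catches this particular trick mechanically is comparing where a link says it goes with where its href actually goes, which is what hovering the mouse did for the screenshot above. The following is an added example, not KnowBe4's code or the Phish Alert Button's logic; the email body is constructed to mirror the screenshot, with example.com standing in for the targeted company and a .vn host for the real destination.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Mismatch is one anchor whose visible text names a different host than
// the one the browser would actually open.
type Mismatch struct {
	ShownHost  string
	ActualHost string
	Href       string
}

var (
	// <a ... href="..." ...>inner</a>, case-insensitive, may span lines
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	// tags inside the anchor text (e.g. <b>) that are stripped before inspection
	tagRe = regexp.MustCompile(`(?s)<[^>]+>`)
	// a URL or bare hostname appearing in the visible text
	hostLikeRe = regexp.MustCompile(`(?i)\b(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})`)
)

// hostOf returns the lowercase host the href actually points at, or "" if
// it cannot be parsed.
func hostOf(href string) string {
	href = strings.TrimSpace(href)
	if !strings.Contains(href, "://") {
		href = "http://" + href
	}
	u, err := url.Parse(href)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// findLinkMismatches scans an HTML body and returns every anchor whose
// visible text looks like a URL or hostname but whose href goes elsewhere.
// A subdomain of the shown host (shown example.com, actual www.example.com)
// is accepted; a lookalike suffix (example.com.evil.test) is reported.
func findLinkMismatches(html string) []Mismatch {
	var out []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href, inner := m[1], m[2]
		lower := strings.ToLower(href)
		if strings.HasPrefix(lower, "mailto:") || strings.HasPrefix(lower, "tel:") {
			continue
		}
		text := strings.TrimSpace(tagRe.ReplaceAllString(inner, ""))
		hm := hostLikeRe.FindStringSubmatch(text)
		if hm == nil {
			continue // plain words such as "click here": nothing to compare against
		}
		shown := strings.ToLower(hm[1])
		actual := hostOf(href)
		if actual == "" || actual == shown || strings.HasSuffix(actual, "."+shown) {
			continue
		}
		out = append(out, Mismatch{ShownHost: shown, ActualHost: actual, Href: href})
	}
	return out
}

// sampleEmail is a constructed stand-in for the spoofed "printer" thread:
// the visible link sits on the company's own domain while the href does not.
const sampleEmail = `<p>Sam, the printer on 3 is jammed again. Can you pull the scan from
<a href="http://update-check.example-host.vn/doc/1">https://intranet.example.com/hr/scans/sam-jones.pdf</a>
before I leave?</p>
<p>Thanks, <a href="mailto:sam.jones@example.com">Sam Jones</a></p>
<p>Support portal: <a href="https://support.example.com/">support.example.com</a></p>`

func main() {
	for _, mm := range findLinkMismatches(sampleEmail) {
		fmt.Printf("display text says %s but the link opens %s (%s)\n", mm.ShownHost, mm.ActualHost, mm.Href)
	}
}
```

The check only fires when the display text itself looks like an address, which is exactly the case the attacker needs to fake a company URL; a bare token such as "report.docx" in link text will also be treated as a host and compared, so in a mail gateway you would restrict the shown-host side to your own domains to keep noise down.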

Things Get Real

Employees who click the link will find themselves downloading a malicious Word document that opens to a slickly designed macro warning screen offering the kind of “helpful” instructions that are now a staple among phishing campaigns pushing malicious Office macros:

[Image: macro-warning-screen1.png]
Users curious enough to follow the directions in that initial screen and enable macros will be kicking off a trojan downloader that pulls down a malicious .EXE from a domain registered just three days ago. That .EXE is then dropped in two locations: the ProgramData folder and Users\All Users (which on current Windows versions is simply a junction to ProgramData).

After a reboot, seven more files (all without file extensions) are added to those locations, and a dodgy .DLL (probably extracted from one of those extension-less files) is loaded by an instance of rundll32.exe.

The .DLL in question is, reportedly, a variant of Fareit, a sophisticated password-stealing tool that scours compromised PCs for all manner of exploitable data and exfiltrates it to the attackers. On our test PC, Sysinternals' TCPView showed that the .DLL had established a connection to a site in Russia (almost never a good sign) on a port that corporate firewalls often leave wide open:

[Image: tcpview-connections1.png]

This phishing attack was undoubtedly the initial phase of a more extensive campaign to compromise the networks of targeted companies and exploit the resulting holes for monetary gain.

Helping Users Get Real

As noted earlier, a large number of these malicious emails were reported to us by employees of customers who have the Phish Alert Button (PAB) installed. Even though this attack used a rather unusual social engineering hook, users who had been through KnowBe4's new-school security awareness training nonetheless smelled a rat and clicked the button in Outlook, notifying their own IT departments as well as KnowBe4.

This is exactly the kind of response you need from users when something as dangerous as Fareit sails right past all the rest of your security solutions and ends up lurking in your users’ inboxes, tempting them to make one bad click and, in so doing, potentially bring the company down around their ears.

Too many users are taking the bait and clicking all the way through these ransomware traps. It’s time to educate your users with new-school security awareness training and stop the madness.

 

By Eric Howes, KnowBe4 Principal Lab Researcher.

 


Posted in: Monthly Security Brief, Newsletter Topics, Tech News


Phishing Reply Tracking Is Now Available for All KnowBe4 Customers

[Image: reply_to_graphic.jpg]

Two of the big cybersecurity attacks are CEO Fraud (aka Business Email Compromise), which has caused $3.4 billion in damages, and W-2 scams, which social engineer Accounting/HR into sending tax forms. Both attacks have your employees engaging and replying to the bad guys. To help inoculate employees against this type of attack we are launching a new feature: Phishing Reply Tracking (*).

KnowBe4’s new Phishing Reply Tracking allows you to track if a user replies to a simulated phishing email and can also capture the information in the reply for review within your KnowBe4 admin console. Knowing if users are replying to phishing emails and what they are replying with is an excellent way to make sure users are following the best practices for dealing with phishing emails.

We have created a new category of system phishing templates called “Reply-To Online” which are specifically designed to test whether users will interact with “the bad guys” on the other end. However, the Phishing Reply Tracking also works with any of our existing 500+ phishing templates.

Additional options for this feature include:

  • Store the reply-to content.
  • Customizable reply-to address sub-domain, making the reply-to address look similar to your actual domain.
  • Track out of office replies to find out if your users are including company directories and other information with their OOF messages.


Posted in: Monthly Security Brief, Newsletter Topics, Tech News


Want Your Ransomed Files Back? Just Infect Someone Else!

Larry Abrams just reported: “Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.”


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Locky Ransomware Campaign Using Osiris Extension from Egyptian Mythology

The threat actors behind Locky ransomware have moved on from Norse-themed file extensions such as .zepto, .odin and .thor and into Egyptian mythology with a new campaign that uses the .osiris extension on encrypted files, as tweeted by R0bert R0senb0rg earlier this week.

How is this being distributed?

Operations6 tweeted that this campaign is distributed through phishing emails with Excel attachments containing macros that download and install Locky.

We’ve been warning about this very popular method of delivering ransomware for the past several months.  We’ve even put together a macros warning screen guide to show you the most common examples we see so you know what to watch out for when a phishing email like this lands in your inbox.

The sheet in this campaign is named Лист1 (the default “Sheet1” in Russian-language Excel), a probable indication that the developers are in Russia or Ukraine. A user who opens the document gets a blank sheet with a prompt to enable macros.

Locky Phishing Email

Of course the attachments have important sounding names containing the word ‘Invoice’ to really try and get users interested enough to find out what’s in the attachment and enable the macros.

Once the macros are enabled it is too late. A VBA macro runs that downloads a DLL (Dynamic-link library, Microsoft's shared library format) and executes it with Rundll32.exe.

Locky Excel Doc

Locky Installation

The DLL is downloaded into the %Temp% folder and saved with an extension such as .spe rather than the usual .dll; a file does not need a .dll extension for rundll32 to load it. The file is then executed via the legitimate Windows program Rundll32.exe and installs Locky on the computer.
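The chain above (Excel macro, payload saved under %Temp% with a non-.dll extension, launched by rundll32.exe) and the Fareit chain in the "Phishing from the Middle" post earlier on this page (a DLL loaded by rundll32.exe out of ProgramData) leave the same footprint in process-creation telemetry. The following detection logic is an added example, not code from Bleeping Computer or KnowBe4; it runs over constructed log lines in a pipe-separated form of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the parent process names, paths and entry points in the sample are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a process-creation record with the Sysmon Event ID 1 fields
// this check needs; the pipe-separated text form below is constructed.
type Event struct {
	Parent, Image, CommandLine string
}

// Finding is one rundll32 launch together with the reasons it looks wrong.
type Finding struct {
	Event   Event
	Reasons []string
}

var officeParents = map[string]bool{
	"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true,
}

// dropLocationRe matches the writable paths the posts describe: per-user
// Temp/AppData, ProgramData and its "Users\All Users" alias.
var dropLocationRe = regexp.MustCompile(`(?i)\\(?:temp|appdata|programdata|users\\all users)\\`)

// baseName returns the last path component, accepting both separators.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// moduleFromCmdline pulls the module path out of `rundll32.exe <module>,<entry>`,
// tolerating a quoted path with spaces.
func moduleFromCmdline(cmd string) string {
	fields := strings.Fields(cmd)
	if len(fields) < 2 {
		return ""
	}
	arg := strings.Join(fields[1:], " ")
	if i := strings.Index(arg, ","); i >= 0 {
		arg = arg[:i]
	}
	return strings.Trim(arg, `"`)
}

// inspect reports a rundll32 launch if the module lives in a drop location,
// lacks a .dll extension, or the parent is an Office application.
func inspect(ev Event) (Finding, bool) {
	if !strings.EqualFold(baseName(ev.Image), "rundll32.exe") {
		return Finding{}, false
	}
	var reasons []string
	if mod := moduleFromCmdline(ev.CommandLine); mod != "" {
		if dropLocationRe.MatchString(mod) {
			reasons = append(reasons, "module loaded from drop location: "+mod)
		}
		// A bare name like shell32.dll is resolved from the system search path;
		// only an explicit path without .dll is treated as suspicious here.
		if strings.ContainsAny(mod, `\/`) && !strings.HasSuffix(strings.ToLower(baseName(mod)), ".dll") {
			reasons = append(reasons, "module without .dll extension: "+mod)
		}
	}
	if officeParents[strings.ToLower(baseName(ev.Parent))] {
		reasons = append(reasons, "spawned by Office application: "+ev.Parent)
	}
	if len(reasons) == 0 {
		return Finding{}, false
	}
	return Finding{Event: ev, Reasons: reasons}, true
}

// scan parses "parent|image|commandline" lines and returns the findings.
func scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		parts := strings.SplitN(strings.TrimSpace(line), "|", 3)
		if len(parts) != 3 {
			continue
		}
		if f, ok := inspect(Event{Parent: parts[0], Image: parts[1], CommandLine: parts[2]}); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleLog is constructed: the first two lines mirror the Locky and Fareit
// chains described in the posts, the rest is ordinary Windows activity.
var sampleLog = []string{
	`C:\Program Files\Microsoft Office\EXCEL.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\jdoe\AppData\Local\Temp\a6Yt2.spe,qwerty`,
	`C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\ProgramData\3f9a\loader,run`,
	`C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL`,
	`C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\url.dll,FileProtocolHandler`,
	`C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs`,
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("%s -> %s\n    %s\n", baseName(f.Event.Parent), f.Event.CommandLine, strings.Join(f.Reasons, "\n    "))
	}
}
```

Each reason on its own is a weak signal (Word legitimately launches rundll32 for url.dll on occasion), so a production rule would weight them, and the drop-location list should be extended with whatever your own telemetry shows macro payloads landing in.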

See the details from Larry Abrams at Bleeping Computer for the results of a sample he ran.

Once all files have been encrypted, Locky displays its ransom note; see the example below. Currently the price for file recovery is about 2.5 Bitcoin (~$1,880).

Locky Ransom Note Osiris

What to do about Locky

Unfortunately, at this time there is still no known free decryption method for Locky. This is where those weapons-grade backups we are always talking about save the day. Locky does try to delete Volume Shadow Copies, but in some cases that fails, so it is worth checking from an elevated prompt (vssadmin list shadows) whether any remain; if so, you may be able to restore your encrypted files from them.

 


Posted in: Tech Tips for Business Owners


[ALERT] Yikes, A New And Scary Double-Ransomware Whammy.

[Image: GoldenEye-1.jpg]

 

Sophos reported on one of the scarier ransomware strains I have seen lately. It is called GoldenEye and it encrypts the workstation twice: first the files, then the Master File Table (MFT).

It is a phishing attack with two attachments, a PDF and an Excel file. The Excel file contains a loader that pulls down the malware; the PDF is the social engineering ruse that gets the user to open the Excel file. If your user is untrained enough to open both attachments and there are crucial files on the local disk without a backup, you potentially get to pay ransom TWICE.

The spam email presents itself as a job application form to be filled out. It has attached an uninfected PDF with the application to get the process started, and in the PDF is a polite reference that the Excel file contains more details — no explicit demand to open up the file… just business as usual.

Opening the Excel file, you get a suggestion on how to display the aptitude test. Sophos said: “The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

In fact, if you permit macros to run in this Excel file, you will quickly regret it: the VBA downloads a copy of the Goldeneye ransomware and immediately launches it.” The VBA language used in Office macros is powerful enough not only to control Word or Excel programmatically, but also to perform general actions such as downloading files from the web, saving them to disk and running them.

Yikes.

Once the Excel macro has run, all the malicious activity happens in the background, but when the encryption pass is done there is a whole bunch of files left behind called YOUR_FILES_ARE_ENCRYPTED.TXT announcing the infection:

[Image: ge-hit1-1.png]

Most strains of file-encrypting ransomware stop here, but GoldenEye's developer has experience in this field and pulls a double whammy similar to their earlier Petya/Mischa strain: it encrypts the Master File Table (MFT) of the machine as well.

GoldenEye works a bit differently from the previous editions: it first encrypts the files, then performs a UAC bypass and the low-level MFT attack, then reboots and pretends to run CHKDSK.

[Image: ge-chkdsk.png]

Once the “check” is finished, another reboot sounds the alarm with some dramatic ASCII art:

[Image: ge-skull-1.png]

Pressing any key gives you this:

[Image: ge-hit2.png]

In case you are wondering why Sophos redacted the so-called personal decryption codes in the images above: the files and the MFT are encrypted separately, with different algorithms and different keys, and each code identifies the key the crooks would need to send you for that stage.

In short, if you pay up to unlock your scrambled MFT so you can reboot into Windows, then, assuming the crooks actually send you the key, you’ll get back into Windows only to face the YOUR_FILES_ARE_ENCRYPTED.TXT pay page as well. If you don’t have any backup, you get to pay up 1.4 Bitcoins all over again.  That’s 2.8 total which starts to get very expensive.

 


Posted in: Tech Tips for Business Owners
