Blog

Archive for Tech Tips for Business Owners

Data Breaches in the USA – Is your business next?

The U.S. Department of Health and Human Services maintains a database that tracks every data breach of medical records where more than 500 records have been compromised. SafeticaUSA reports that, during 2016, the data breaches were caused by improper disposal of memory storage (2.3%), loss (5.4%), theft (19%), hacking (31.8%), and unauthorized access/disclosure of information (41.5%) by employees, which happens sometimes by accident.

Misuse of this information obtained by a data breach is rampant. Criminals can use this personal data in many nefarious ways including blackmail and identity theft. Businesses that do not protect personal and private data are liable for its misuse. They can face fines and civil lawsuits in the multiple millions of dollars.

The SafeticaUSA study noted that the average cost for a single data breach is $7 million and that 100% of businesses share business data in ways that are not safe. When employees leave a company, 87% of them take company data with them increasing risk exposure.

Indiana’s Data Security Record

In the SafeticaUSA study of medical record data breaches, which reviewed the occurrences in 2016, California was the state with the largest number of incidents, followed by Florida, Texas, and New York. Indiana came in fifth place by having 12 major data breach incidences during 2016. In terms of the number of compromised private records, the state of Indiana, with 257,174 records breached, was in tenth place on the list of states with the highest number of data breaches.

Conclusion

Data breaches are a serious problem that puts every business at risk. Personal medical records are very vulnerable and the dangers are increasing. Proactive strategies to reduce this risk include conducting a data security audit, implementing a data loss prevention solution, and advocating that the best practices are used for data security by affiliates, contractors, and business partners.

Contact Sentree Systems for a Cyber Risk Analysis to improve security and reduce the chance of a serious data breach.

Share

Posted in: Monthly Security Brief, Newsletter Topics, Pillar Post, Tech Tips for Business Owners

Leave a Comment (0) →

What is Encryption and How to Use it Effectively

When it is used properly, encryption is a valuable tool to help reduce data security breaches. Most business owners and C-level executives know something about the general topic of encryption; however, comprehensive data security reviews consistently show security problems that can be reduced by following the best-practice strategies regarding how to use encryption.

Using Encryption Effectively

Every organization benefits from encryption. Encryption is more effective when it is used comprehensively and always in place. During any part of the data processing, if the data is unencrypted, this creates a point of risk exposure. For example, if a user with authorized access uses an encryption key to decode some encrypted data and then leaves a copy of the unencrypted data on a laptop that they take home, suddenly the entire system is at risk. Encryption is made totally ineffective if an unencrypted copy of the database is on a laptop that can be hacked or stolen.

Avoiding a False Sense of Security

Just because data is encrypted, does not necessarily mean it is protected. There have been many examples of encrypted databases being subject to data breaches because even though the database was protected with encryption, those that had the encryption keys that are needed to read the data failed to protect their encryption key.

An example of this problem occurred in the loss of millions of dollars of cryptocurrency. This happened because the encryption keys, which are the proof of ownership of those assets, were hacked and stolen. They were kept in a database that was not secured. Since the ownership of cryptocurrency is semi-anonymous, protecting the encryption keys is the only way to control the assets. If the keys are lost or stolen the cryptocurrency is simply gone and nothing can be done about it.

Conclusion

To properly implement a comprehensive plan for using encryption effectively, one good strategy is to conduct an IT security review by Sentree Systems that focuses on implementing encryption on a network and protecting the encryption keys.

Share

Posted in: Monthly Security Brief, Tech Tips for Business Owners

Leave a Comment (0) →

Businesses of All Sizes Need to Protect their Data

Data security is a viable part of protecting the operations of any business. Think of this analogy. Even if you own a one-bedroom/one-bath home, which is the first home you ever purchased, this does not mean you be lackadaisical about home security. Having an alarm system with solid locks for windows and doors is just as important for your home as these things are in a luxury mansion.

Some might even say since your first home probably represents the biggest investment you have made so far in your life, it needs more protection than the luxury mansion owned by a wealthy family that already owns many other homes. The same logic applies to your business.

IT Security for All

It used to be that IT security was so expensive that only the larger businesses could afford it. Granted, even now, large businesses spend enormous amounts of money on data security efforts because protecting the data from security breaches is so important. However, just because a small business has a modest budget for IT services, this is no excuse for not having a service contract with a high-caliber security firm that specializes in IT data protection.

There are economies of scale that help keep the cost of IT protection modest when using a skilled firm. The security specialists concentrate on data protection. That is what they do best. They think about this 24/7 non-stop on behalf of their clients. Things that they notice affecting other small business clients are applicable for almost every customer they help.

Conclusion

Just because a business is small does not mean that IT security should be inadequate. Being a small business is not an excuse for having poor IT security policies. The cost for failed security measures can be the loss of the entire business. It is very unwise to risk this.

The key to success is NOT to rely only on in-house staff that does not have the time, energy, experience, and expertise to provide state-of-the-art IT security. Instead, outsource these tasks to a company like Sentree Systems and think of the investment as being similar to having a business insurance policy.

Share

Posted in: Monthly Security Brief, Tech Tips for Business Owners

Leave a Comment (0) →

How to Know if Your Vendors Have Good IT Security

Many small- to medium-sized businesses rely on third-party vendors for some of the critical-path IT functions of a business. When they do this, the responsibility for maintaining IT security is transferred to the vendor. This may increase the risk of potential damage caused by security breaches.

There have been many examples of serious security breaches at vendors that have done major harm to their clients. This is why conducting detailed due diligence is necessary to identify the security risks of using a third party vendor’s services or software tools.

Comprehensive due diligence for security risk analysis focuses on the following areas and specifics:

  • Historical record of problems and how the vendor dealt with security issues.
  • Upgrade policy and rapid response with security patches for vulnerabilities.
  • Use of encryption to protect sensitive data.
  • Vendor’s ability to view, share, or sell data to other parties. Any transfer of data to other parties adds additional security risk.
  • Does the vendor have a dedicated security team?
  • Do they conduct regular security audits and are those reports available to clients?
  • Specific security protocols must be in place if there is a legal requirement for data protection. Examples of this include attorney-client privilege in the legal profession, strict privacy rules under HIPAA for healthcare records, and student information under COPPA and FERPA rules.

IT security risk is a serious issue. Businesses that are not experts in IT security issues benefit strongly by using a specialist consulting firm to help with the due diligence requirements in this area.

Sentree Systems Corp. gives data security advice for clients in Indiana serving the communities of Indianapolis, Avon, Plainfield, Carmel, Fishers, Noblesville and others. We recommend conducting a detailed review of the Service Level Agreement (SLA) from any vendor and a security audit to help identify security risks. It is much better to know in advance of the existence of potential security risks and take steps to mitigate them, rather than being blind-sided by sudden damage from a security breach that is not expected.

Share

Posted in: Monthly Security Brief, Security Awareness Training, Tech Tips for Business Owners

Leave a Comment (0) →

FDA Recall for Nearly Half a million Pacemakers Vulnerable to Hacking

The Food and Drug Administration on Tuesday issued an alert about the first recall of a network-connected implantable device due to cyber security vulnerabilities.

 

The agency is instructing patients with certain implantable cardiac pacemakers from St. Jude Medical – now owned by Abbott Laboratories – to visit their physicians for firmware updates to address cyber vulnerabilities that can potentially be remotely exploited by hackers and that pose safety concerns.

Approximately 465,000 such devices are in use in the U.S., an Abbott spokeswoman tells Information Security Media Group. She did not immediately have information about how many of these devices are used outside the U.S.

While the FDA has characterized the corrective action to address the vulnerabilities as a “voluntary recall” by the manufacturer, the Abbott spokeswoman stresses that neither the company nor the FDA is not recommending the “prophylactic removal and replacement of affected devices.” Rather, patients are being advised to have the devices’ firmware updated “at their next regularly scheduled visit” to their healthcare provider, the Abbott spokeswoman says.

A related Department of Homeland Security alert also issued on Tuesday notes that vulnerabilities include the Abbott pacemaker’s authentication algorithm, “which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via radio frequency communications.”

‘Key Moment’
The recall of the Abbot cardiac devices is “a key moment in the evolution of connected medical devices,” says cyber security expert Joshua Corman, founder of grassroots cyber safety organization I Am the Cavalry and a member of the Department of Health and Human Services’ cyber task force. That group issued a report earlier this year with recommendations about how the healthcare sector can improve cyber security.

Making arrangements to have nearly a half million patients in the U.S. visit their healthcare provider for the firmware update “will be a logistical nightmare,” he says, despite Abbott and the FDA recommending that patients wait until their next regular appointment with physicians to do the update. Many worried patients are likely to seek appointments for the updates sooner than their regularly slated visits, he says.

And although there have been no reports of actual harm to patients due to hackers exploiting the vulnerabilities in the devices, “that number can go from zero to a lot of patients quickly” if hackers decide to launch attacks, Corman warns.

This recall is the most serious development so far related to medical device cyber security, Corman contends.

Affected Devices
The FDA alert says the recall involves implantable cardiac pacemakers, including cardiac resynchronization therapy pacemakers under the names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The alert does not apply to any implantable cardiac defibrillators or to cardiac resynchronization ICDs, the FDA says.

The FDA notes that on Aug. 23, it approved the firmware update “that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cyber security vulnerabilities for certain Abbott pacemakers.

 

Read More at InfoRisk.com

 

Is your Network REALLY Secure, why not know for sure, Get your FREE Vulnerability Assessment Today!!!


Get Your FREE Assessment Today!

Share

Posted in: Monthly Security Brief, Tech Tips for Business Owners

Leave a Comment (0) →

The Data Security Game Has Changed

Why Today’s Security Strategy May Not Be Enough

For auto racing fans and teams, safety is a subject that is always on everyone’s mind. Compared to racing 25 years ago, the game today has changed dramatically. Cars are faster, lighter, and danger to the drivers has increased. Safety features to accommodate these changes certainly cost the race team more money – but they’re necessary to stay secure. Investments in safety continue, as long as the threat escalates. The same is true in business, technology and cybercrime The game has indeed changed and a business’s security investment must adapt.

5 Reasons The Game Has Changed

Cyber-security, much like car racing, has changed significantly over the past several years. There are five ways the cyber-security game has changed and why the current strategy, particularly for the small businesses, may not be enough.
1. The Growth of Cyber-Crime – The growth in attack volume on small businesses has grown exponentially because it’s easy. Small businesses (and some public sector entities as well) tend to be well behind the security curve, making the organization an easy target of cybercrime.
2. The Target of Cyber-Crime – The real target of cyber-crime are small businesses! In 2014, 60% of all known successful attacks where against small and medium businesses. And of those that were breached, 60% went out of business within 6 months.
3. The Number of Security Solutions – While firewalls, IDS/IPS, AV, etc., are critical, improper configuration and management of these tools often create more risk. Many companies might not have the resources or expertise to know what to do if those tools alert them of a problem.
4. The Lack of Expertise – The most effective way to listen to these devices is to observe their every action and their communication patterns. Because these actions and “event logs” occur several times per second, many companies turn to a Security Information and Event Management tool (SIEM) to help make sense of the vast amount of machine data being generated.
5. The Lack of Resources – Security products, to be effective, must be monitored and maintained 24/7 so that threats are detected and responded to immediately. Not an easy task for the typical small business that cannot afford around-the-clock security experts. Cisco agreed that “the worldwide shortage of information security professionals is at 1 million openings, even as cyber attacks and data breaches increase each year”.

“it only take once for a hacker to gain access to your network, but it takes 100% of your time defending it”!

Cyber-threat monitoring and detection are the cornerstones of an effective IT security strategy. But collecting the right data, parsing and analyzing it into manageable and useful pieces of information is an extremely complex task.
Our 24/7 security service employs the right technologies, paired with a staff of security experts, to reduce the risk and complexity of protecting your critical data.
Our SentreeGuard solution provides the intelligence and awareness needed to take action on the latest threats in your organization’s environment.  If you are serious about your company and want to take your security to the next level, we have the next level security solution, SentreeGuard.

 

 

Get Your Security Audit Today, Tomorrow Could be Too Late!!!

Did you know that the average breach goes undetected for more than 200 days?


Get Your Data Security Audit

Share

Posted in: Company News, Monthly Security Brief, Tech News, Tech Tips for Business Owners

Leave a Comment (0) →

[Alert] WannaCry Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

NHS Ransomware Attack

This screenshot is just one example: The IT systems of around 40 National Health System hospitals across the UK were affected by this ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the infection. Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed.

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history.” This is a cyber pandemic caused by a ransomware weapon of mass destruction. In the Jan 3 issue of CyberheistNews, we predicted that 2017 would be the year where we’d see a ransomworm like this. Unfortunately, it’s here.

Banks, Trains and Automobiles

Hundreds of thousands of machines are infected worldwide, including FedEx Corp, Renault, Nissan, the German Railways, Russian banks, gas stations in China, and Spanish telecommunications firm Telefonica (which reported 85% of their systems being down as a result of the cyberattack), and in a case of poetic justice, Russia seems to have been hit the hardest up to now. The source is Kaspersky’s Securelist, note that this is just the early days, and their visibility is likely limited.

wannacry_03.png

The strain is called “Wana Decrypt0r” which asks $300 from victims to decrypt their computers. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning when people get back to work, these numbers will only go up. Check out an early animated map created by the NYTimes.

Here is an infection map based on data from MalwareTech.com:

Wana_Infection_Map.png

…and the Wall Street Journal also created an InfoGraphic explaining the spread of Wana which is nice to show to management when you ask for more IT security budget to train your users – which would prevent this whole mess.

WSJ_Wana_Info.png

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”

Despite the fact that this strain is hyper-agressive, the criminals behind the code do not seem to be all that sophisticated, they are using only a limited amount of static bitcoin wallets. Could even be that they are relative newbies at ransomware, and that the NSA worm-code has run amock scaring the daylight out them, afraid to be caught.

The Ransom Deadline Is Short

The ransom starts at $300 for the first 6 hours, and you’ve got up to 3 days to pay before it doubles to $600. If you don’t pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files

The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”

Kaspersky Lab also reports that the Wana strain has numerous languages available and was designed to affect multiple countries.

wana-decrypt0r-2_0.png

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware is using originally NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the ShadowBrokers. There are recent patches available but many have not applied them yet.

 

Former U.S. intelligence contractor turned whistleblower Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. It is not clear yet how the ShadowBrokers first got their hands on the NSA tools – conspiracy theories range from a contractor leak to a Russian counter-espionage trying to hint American intelligence should back off.
The group ShadowBrokers first appeared in August, claiming it had stolen tools from the Equation Group, a legendary espionage operation rumored to be affiliated with the NSA. The Brokers announced they had the tools and offered to auction them off which did not go very far. In January, the group gave up, only to resurface in April dumping EternalBlue and other Windows hacking tools in the public domain, where criminal hackers were grateful recipients.

 

The Initial Infection Vector Is A Well-crafted Phishing Email.

 

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through phishing, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a password protected .zip file, so the email uses social engineering to persuade the victim to unlock the attachment with a password, and once clicked that initiates the WannaCry infection. Microsoft confirms this in a blog post.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” CrowdStrike’s Meyers told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.” Here is a technical nosedive of the Wana malware.

If You Can, Apply This Patch Immediately.

After the initial infection, the malware spreads like a worm via SMB, that is the Server Message Block protocol used by Windows machines to communicate with file systems over a network. According to Cisco’s TALOS team:

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.

From what we have been able to learn, Wana spreads through SMB so when we’re talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening to inbound connections. It’d only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.

In the mean time, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Redmond Issues Emergency Patch For WinXP

Microsoft has also released out-of-band patches for older versions of Windows to protect against Wana, because the original patch did not include XP/Win8. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” the company told customers in a blog post.

Besides installing these out-of-band updates — available for download from here — Microsoft also advises companies and users to outright disable the SMBv1 protocol, as it’s an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3. You can use Grooup Policy for Clients and Servers. Here is a script to check the complete Active Directory for systems that miss the WanaCry related hotfixes.

Here is how to remove SMBv1 on Windows 10:

Turn_Off_SMB.png

And here is how to turn if off on Windows Servers. Start with those…

SMBV1_win_server.png

Another option: Use DSC to enforce the SMBv1 removal. If you don’t have DSC in place, you can use DSC local on your servers as well. You can now download security updates for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86,Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

A Honeypot Server Got Infected With WanaCry 6 Times In 90 Minutes

As the original one, the second variant is automatically executed by “Microsoft Security Center (2.0) Service” and is trying to spread by creating SMB connections to random IP addresses, both internal and external.

According to an experiment carried out by a French security researcher that goes online by the name of Benkow. WanaCry infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Noteworthy: three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.

How To Detect The Presence Of Wana And SMBv1 Servers On Your Network

One of the easiest ways to monitor what is happening on your network is to setup a SPANMirror port or use a network TAP. This will give you access to flows and packet payloads so you can see who is connecting to what and if there is anything suspicious moving around. Check out this blog post if you use Cisco switches, it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches there is an excellent resource on the Wireshark wiki site which looks at how to setup monitoring on other switches.

There is one caveat though, this infection moves out like lightning from patient zero, and all vulnerable machines are literally locked in less than two minutes so monitoring alone would not be enough to be stop this monster. Here is a video showing a machine on the left infected with MS17-010 worm, spreading WCry ransomware to machine on the right in real time.

There Are Four Things To Watch Out For When It Comes To Detecting Wana

  1. Check for SMBv1 use
  2. Check for an increase in the rate of file renames on your network
  3. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  4. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt

If Your Network Has Been Infected, What To Do?

This ransomware strain cannot be decrypted with free tools. Research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake has not been found yet.

Your best bet is to recover from backups, and if your backup failed or does not exist, try a program like Shadow Explorer to see if the ransomware did not properly delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt, then there is a chance those are still available to start the recovery. Here is How to recover files and folders using Shadow Volume Copies. As a last resort and all backups have failed, you could decide to pay and get the files decrypted. It appears to work.

uac-prompt.png

What Can Be Done To Stop These Bad Guys?

It’s possible but difficult. The money has reportedly been flooding into hackers’ accounts and investigators can track the money and see where the bitcoin ends up. “Despite what people tend to think, it’s highly traceable,” Clifford Neuman, who directs the University of Southern California’s Center for Computer Systems Security. told the Washington Post.

However, hackers are still able to hide and launder the bitcoins in many different ways. Investigators will also examine the code itself as hackers often leave identifiable traces of their work. You can watch as some of these wallets are receiving money in real time.

Here Are 8 Things To Do About It (apart from having weapons-grade backups)

  1. Check your firewall configuration and make sure no criminal network traffic is allowed out, and disable SMBv1 on all machines immediately
  2. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
  3. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly
  4. Make sure your endpoints are patched religiously, OS and 3rd Party Apps
  5. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
  6. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
  7. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
  8. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.

See How Sentree Systems, Corp. can Help!!


Learn More!

 

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News, Tech Tips for Business Owners

Leave a Comment (0) →

[ALERT] DynA-Crypt Ransomware Steals And Deletes Your Data

Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people that are not very experienced, but have a lot of destruction in mind.

Larry said: “DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim’s computer.dyna-crypt.png Image courtesy Bleepingcomputer

Ransomware and information stealing infections have become all-to-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of NASTY that just makes a mess of a victim’s programs and data.

“The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.”

A DynA-Crypt Infection Means A Full-blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others.  When stealing this data, it will copy it into a folder called %LocalAppData%\dyna\loot\, When it is ready to send to send to the developer, it will zip it all up into a file called %LocalAppData%\loot.zip, and email it to the developer.

The Ransomware Portion of DynA-Crypt can be Decrypted

The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim’s data. This script will scan a computer for files that match the following extensions and encrypt them.

When it encrypts a file it will append the .crypt extension to the encrypted file’s name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer’s Shadow Volume Copies so that you are unable to use it to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay $50 USD in bitcoins to an enclosed bitcoin address. Thankfully, at this time nobody has paid a ransom.

 

 

Is your Home Internet Connection Secure???

Are you worried about what your child is seeing or doing on the Internet? Well look no further the MDS Personal Internet Security device, from Sentree Systems, Corp., is what you need.


Secure Your Home Internet Today!!!

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News, Tech Tips for Business Owners

Leave a Comment (0) →

Locky Ransomware Campaign Using Osiris Extension from Egyptian Mythology

The threat actors behind Locky ransomware have moved on from Norse gods such as Zepto, Odin and Thor and into Egyptian mythology with a new campaign that uses the extension .osiris when encrypting files as tweeted by R0bert R0senb0rg earlier this week.

How is this being distributed?

Operations6 tweeted that this campaign is being distributed through phishing emails with Excel email attachments that contain macros to download and install Locky.  

We’ve been warning about this very popular method of delivering ransomware for the past several months.  We’ve even put together a macros warning screen guide to show you the most common examples we see so you know what to watch out for when a phishing email like this lands in your inbox.

The name of the sheet in this particular campaign is called Лист1, a probable indication that the developers are located in Russia or the Ukraine. If a user actually opens the doc they get a blank screen with a prompt to enable macros.

Locky Phishing Email

Of course the attachments have important sounding names containing the word ‘Invoice’ to really try and get users interested enough to find out what’s in the attachment and enable the macros.

Once the macros are enabled it’s too late. A VBA macro is triggered that downloads a DLL (Dynamic-link library, Microsoft’s shared library concept) file and executes it using Rundll32.exe.  

Locky Excel Doc

Locky Installation

That DLL file is then downloaded into the %Temp% folder and gets renamed with an extension such as .spe rather than the usual .dll extension. The DLL file is subsequently executed using legitimate Windows program Rundll32.exe and installs Locky ransomware onto the computer. 

See the details from Larry Abrams at Bleeping Computer for the results of a sample he ran.

Once files have all been encrypted, Locky displays its ransom notes, see an example below. Currently the price for file recovery is about 2.5 Bitcoins (~$1880).

Locky Ransom Note Osiris

What to do about Locky

At this time unfortunately there is still no known free decryption method for the Locky ransomware variant. This would be where those weapons-grade backups we’re always talking about would save the day. Locky does try to erase Shadow Volume Copies although in some cases that fails, so it is possible to restore your encrypted files from Shadow Volume Copies if you’re lucky.

 

© KnowBe4, Inc. All rights reserved. | Privacy Policy & Terms Of Service | Security

 

See How Sentree Systems, Corp. can Help!!


Learn More!

Share

Posted in: Tech Tips for Business Owners

Leave a Comment (0) →

[ALERT] Yikes, A New And Scary Double- ransomware Whammy.

GoldenEye-1.jpg

 

Sophos reported on one of the more scary ransomware strains I have seen lately. It’s called Goldeneye and encrypts the workstation twice: both the files and the Master File Table (MFT).

It’s a phishing attack with two attachments. One is a PDF and the other an Excel file. The Excel file contains a loader that pulls down all the malware. The PDF is the social engineering ruse that makes the user open the Excel file. If your user is untrained enough to open both attachments and there are crucial files on the local hard disk without a backup, you potentially get to pay ransom TWICE.

The spam email presents itself as a job application form to be filled out. It has attached an uninfected PDF with the application to get the process started, and in the PDF is a polite reference that the Excel file contains more details — no explicit demand to open up the file… just business as usual.

Opening up the Excel file, you get a suggestion how to display the aptitude test. Sophos said: “The crooks don’t openly ask you to do anything obviously risky, such “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

In fact, if you permit macros to run in this Excel file, you will quickly regret it: the VBA downloads a copy of the Goldeneye ransomware and immediately launches it.” The VBA programming language used in Office macros is powerful enough to allow cybercriminals to control Word or Excel programmatically, but also to perform more general actions such as downloading files from the web, saving them to disk, and running them. 

Yikes.

Once the Excel file is activated, all the malicious activity happens in the background, but when the encryption pass is done, there’s a whole bunch of files left behind called: YOUR_FILES_ARE_ENCRYPTED.TXT which announce the infection:

ge-hit1-1.png

Most strains of file-encrypting ransomware stop here, but Goldeneye’s developer has experience in this field and does a double-whammy attack similar to their Petya / Misha strain and encrypts the Master File Table (MFT) of that machine as well. 

Goldeneye works a bit different than the previous editions: it first encrypts the files, then performs the UAC bypass and the low-level MFT attack, then reboots and pretends doing a CheckDisk.

ge-chkdsk.png

Once the “check” is finished, another reboot sounds the alarm with some dramatic ASCII art:

ge-skull-1.png

Pressing the Any Key gives you this:

ge-hit2.png

In case you’re wondering why Sophos redacted the so-called personal decryption codes in the images above, the encryption is different for your files and for your MFT: the malware uses different algorithms and different keys each time.

In short, if you pay up to unlock your scrambled MFT so you can reboot into Windows, then, assuming the crooks actually send you the key, you’ll get back into Windows only to face the YOUR_FILES_ARE_ENCRYPTED.TXT pay page as well. If you don’t have any backup, you get to pay up 1.4 Bitcoins all over again.  That’s 2.8 total which starts to get very expensive.

 

See How Sentree Systems, Corp. can Help!!


Learn More!

Share

Posted in: Tech Tips for Business Owners

Leave a Comment (0) →
Page 1 of 11 12345...»
Real Time Web Analytics