Disk-Killer Malware Adds Ransomware Feature And Charges $200,000+ 

A Study by the World Bank stated that Russia boasts more than 1 million software specialists involved in research and development.

Russia’s criminal cyber operators are among the most proficient in the world, with around 40 large criminal cyber rings operating within the country’s borders.

The Russian government has long been known to source its technology, world-class hacking talent and even some intelligence information from local cyber crime rings.

Hacking activities include penetrating national infrastructure systems and money markets, and stealing state secrets and intellectual property. All of these destabilizing attacks can be seen as preparation for a future conflict. Russian hackers made repeated attempts during 2016 to break into major US institutions, including the White House and the State Department.

Read more about this in an article at The Conversation by the Professor of Electrical and Electronic Engineering and Director of Electronic Warfare Research at City, University of London.

Very often, Russian hacking starts with a phishing attack. As one of his last actions in office, President Obama expelled 35 Russian diplomats (spies) in retaliation for Russia’s interference with the U.S. election process, after the intelligence agencies lined up their findings and all pointed at Putin.

Bloomberg wrote: “The attack against U.S. democracy began in the summer of 2015 with a simple trick: Hackers working for Russia’s civilian intelligence service sent e-mails with hidden malware to more than 1,000 people working for the American government and political groups. U.S. intelligence agencies say that was the modest start of ‘Grizzly Steppe,’ their name for what they say developed into a far-reaching Russian operation to interfere with this year’s presidential election.”





[ALERT] The bad guys are starting their tax scams early this season! They are now combining two scams in one. First, they ask you to send them the W-2 forms of all employees, with the email looking like it comes from the CEO or a C-level executive. Next, they follow up with an urgent request to transfer a large sum of money to a bank account controlled by these cyber criminals.


Remember that when you receive sudden requests like this, they may be spoofed emails, and that you should double check by picking up the phone and verifying that this is a legit request coming from that executive. In these cases, it’s “OK to say NO to the CEO”.


This tax season, stay alert for scams like this, and Think Before You Click!



This is getting old. It’s all over the press… again. Here is a Reuters article where I am quoted, which covers the most recent billion-record Yahoo hack.

Some people asked me after our Flash announcement last week: “Stu, really, these hacks happened a few years ago, closing down my whole Yahoo account, or blocking Yahoo at the firewall… aren’t you going a bit overboard here?”

Good question. Here is my take:
Well, that whole 1B database was sold on the dark web by a group of professional blackhats from Eastern Europe for 300K (and it is still for sale at a much lower price right now), which means that a ton of bad guys now have these credentials. Worse, they also have answers to security questions like “your mother’s maiden name”, which do not change like passwords, and backup email addresses that could help with resetting forgotten passwords.

Bloomberg reported that 150,000 U.S. government and military employees are among the victims in the latest breach.

My position is that all Yahoo accounts need to be considered compromised. They are sitting ducks for spam, phishing and malware attacks. If employees check their Yahoo account on their lunch break, do you want to expose your company network to that?

It looks like Yahoo has not learned their lessons, so new hacks can happen any time. There has been an exodus of qualified Yahoo staff and they seem to be unable to apply best security practices. They are now forcing all users (link to WSJ article) to change their password, but that’s too little, too late. I simply have lost trust.

So, I recommend you warn your users, friends and family… again. We have been here before on September 23rd when the 500 million record hack was first announced.

In September, Yahoo did not force people to change passwords, but now they are forcing a password change, and the bad guys are (again) all over this — the ones that own the Yahoo database but also the ones that do not, because news like this is a phishing paradise.

This is a phishing paradise with significant fallout

Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people reuse the same username and password across multiple sites, the other thing that will continue to happen is “credential stuffing”: a brute-force attack in which attackers replay the stolen Yahoo usernames, passwords and possibly security-question answers against other websites until they find a match.
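What credential stuffing looks like from the defender’s side, as an added example that is not part of the original post: a detector run over a few constructed login-log lines that flags a source trying many different accounts in a short window with mostly failed logins. The log format, the thresholds and the sample IPs are assumptions made for this example.

```python
"""Detect credential stuffing in web login logs.

Added example (not from the original post). A source IP that tries many
*different* usernames within a short window, mostly failing, is the
signature of a stolen credential list being replayed against a site.
Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic):
# "<ISO timestamp> <source ip> <username> <login result>"
SAMPLE_LOG = """\
2016-12-15T10:00:01 203.0.113.5 alice@example.com FAIL
2016-12-15T10:00:02 203.0.113.5 bob@example.com FAIL
2016-12-15T10:00:02 203.0.113.5 carol@example.com FAIL
2016-12-15T10:00:03 203.0.113.5 dave@example.com OK
2016-12-15T10:00:04 203.0.113.5 erin@example.com FAIL
2016-12-15T10:00:05 203.0.113.5 frank@example.com FAIL
2016-12-15T10:00:06 203.0.113.5 grace@example.com FAIL
2016-12-15T10:00:07 203.0.113.5 heidi@example.com FAIL
2016-12-15T10:00:08 203.0.113.5 ivan@example.com FAIL
2016-12-15T10:00:09 203.0.113.5 judy@example.com FAIL
2016-12-15T10:00:10 203.0.113.5 mallory@example.com FAIL
2016-12-15T10:01:00 198.51.100.7 alice@example.com FAIL
2016-12-15T10:01:20 198.51.100.7 alice@example.com FAIL
2016-12-15T10:01:45 198.51.100.7 alice@example.com OK
2016-12-15T10:30:00 192.0.2.9 bob@example.com OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=8, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that look like credential stuffing.

    For each IP a sliding window is moved over its login events. If any
    window holds at least `min_distinct_users` distinct accounts and at
    least `min_fail_ratio` of the attempts failed, the IP is flagged and
    the window with the most distinct accounts is reported. A user who
    mistypes their own password a few times (198.51.100.7) touches one
    account only and is not flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r != "OK")
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                stats = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # accounts where a replayed password actually worked:
                    # these are the ones to lock and force a reset on
                    "successes": sorted(u for _, u, r in win if r == "OK"),
                }
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```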

The bad guys will continue to exploit this, so remind your users

Remind your users, friends and family. They will likely be confronted with Yahoo-related scams in their inbox. The bad guys are going to leverage this in a variety of ways, starting with bogus password-reset phishing attacks, but also with masked links that, if clicked, land you on a compromised site which could steal personal information and/or infect the computer. The variations are infinite, but the defense against it is relatively simple.

I suggest you send them the following reminder – feel free to copy/paste/edit:

“Yahoo announced that 1 billion of their accounts were hacked. These accounts are now being sold by internet criminals to other bad guys, who are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.

  • If you do not use your Yahoo account a lot, close it down because it’s a risk. If you use it every day:
  • Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password, or better yet a pass-phrase.
  • If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo password on other sites, go to those sites and change the password there too. Also change the security questions and make the answers something non-obvious.
  • At home, use a free password manager that can generate hard-to-hack passwords and keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
  • Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.”

If you are a KnowBe4 customer, we have a template in the Current Events Campaign which I suggest you send to all your users immediately as a reminder.

This is the largest hack ever; below is a graph, fresh from an article in the Wall Street Journal, that puts it in perspective. I suggest you send this to your management.

This is exactly the kind of thing that they want to prevent from happening, and security awareness training is the number one thing that makes your organization more hack-resistant, since your users are your weakest IT security link.







Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees in May that led to charges this week against a Nigerian national, officials have disclosed.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email. The email tricked 108 employees into providing usernames and passwords to their accounts, some of which contained confidential patient or client information, officials said.

Most of the 756,000 people whose information may have been accessed had contact with the Department of Health Services, according to the county. A smaller amount of confidential information from more than a dozen other county departments also was compromised.
“These kinds of phishing attacks are on the rise throughout society — and the county has not been immune from that trend,” county spokesman Joel Sappell said in a statement.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

In February, officials disclosed that the Department of Health Services had been targeted in a ransomware attack; ransomware is a type of malware that cuts off users’ access to files or threatens to destroy them unless a ransom is paid.

The county is offering a year of free credit and identity-theft monitoring for people affected by the May phishing attack and has set up a website and call center for those seeking information: (855) 330-6368.

Ransomware attacks very often succeed through a phishing attack with a spoofed ‘From’ address. These types of attacks are hard to spot and employees tend to fall for them.


Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people who are not very experienced, but have a lot of destruction in mind.

Larry said: “DynA-Crypt, discovered by GData malware analyst Karsten Hahn, not only encrypts your data but also tries to steal a ton of information from a victim’s computer.

Ransomware and information-stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of NASTY that just makes a mess of a victim’s programs and data.

“The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.”

A DynA-Crypt Infection Means A Full-blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others. When stealing this data, it will copy it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send to the developer, it will zip it all up into a file called %LocalAppData%\loot.zip and email it to the developer.

The Ransomware Portion of DynA-Crypt can be Decrypted

The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim’s data. This script will scan a computer for files that match the following extensions and encrypt them.

When it encrypts a file it will append the .crypt extension to the encrypted file’s name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer’s Shadow Volume Copies so that you are unable to use them to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay $50 USD in bitcoins to an enclosed bitcoin address. Thankfully, at this time nobody has paid a ransom.




It’s Valentine’s Day and the scammers are out in full force… again. There are many ways these online criminals try to trick you, but the most common are phony florists, online dating scams, phony electronic greeting cards and delivery scams. So, here are the red flags you need to look out for.


Do not trust emails or advertising from online florists or other gift retailers until you are sure that they are valid. Otherwise, you might be turning over your credit card information to a scammer or infect your computer with malicious software.


Do not trust an online greeting card, particularly if it does not indicate who sent it to you. Be very wary of a card sent by “a secret admirer.” Even if you recognize the name, confirm that it was really sent from that person before you click on the link and open the card.


Do not trust special deliveries: there is no special charge for delivering alcohol, so if someone requires a credit card payment for such a delivery, just politely decline, knowing you just dodged a bullet.


Do not trust anyone who indicates he or she is in love with you and then wants to communicate with you right away on an email account outside of the dating site, claims to be working abroad, or asks for your address; poor grammar is often a sign of a foreign romance scammer too. Many romance scams originate in Eastern Europe… The rule still applies: THINK before you click.


Huge Ransomware Infection!!!


The Police Department in Cockrell Hill, Texas admitted in a press release that they lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video, and sections of in-car video, in-house surveillance video, photographs, and all their Microsoft Office documents. OUCH 1.

Eight years’ worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup procedure kicked in after Locky infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH 2.

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a spoofed email address imitating a department-issued email address. New-school security awareness training would very likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand. The department also said there was no evidence of data exfiltration to a remote server.

So now, do *you* have a recent off-site backup?
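Two lessons from this page fit one check: DynA-Crypt renames what it encrypts (test.jpg becomes test.jpg.crypt, as described above), and Cockrell Hill lost its data because the backup job ran after the infection and copied the encrypted files over the good generation. The script below, an added example that is not part of the original post, compares the new backup manifest with the previous one and refuses rotation when originals have vanished and reappeared under an appended ransomware suffix. The manifest format, the file names and the 5% threshold are assumptions made for this example.

```python
"""Refuse to rotate a backup generation that looks ransomware-encrypted.

Added example, not from the original post. Uses the DynA-Crypt naming
described on the page (name.ext -> name.ext.crypt) and the Cockrell Hill
failure mode (the backup ran after infection and overwrote the only good
copy). Manifest format, sample paths and thresholds are assumptions.
"""
import os

# Extensions the backup set normally holds. A path whose *last* extension is
# an appended ransomware suffix and whose *previous* extension is one of
# these counts as a file renamed after encryption.
NORMAL_EXTS = {".jpg", ".docx", ".xlsx", ".pdf", ".mp4", ".txt"}
RANSOM_SUFFIXES = {".crypt"}   # DynA-Crypt's suffix; extend with others seen in the wild


def is_encrypted_name(path):
    base, last = os.path.splitext(path)
    if last.lower() not in RANSOM_SUFFIXES:
        return False
    _, prev = os.path.splitext(base)
    return prev.lower() in NORMAL_EXTS


def assess_generation(prev_manifest, new_manifest, max_renamed_ratio=0.05):
    """Compare the new backup manifest (list of paths) with the previous one.

    Returns (ok, report). Rotation should be refused (ok == False) when
      * more than `max_renamed_ratio` of the new files carry a ransomware
        suffix, or
      * files present last time have vanished while a suffixed twin appeared,
    because that is exactly the state in which the old generation is the
    last clean copy you own.
    """
    prev = set(prev_manifest)
    new = set(new_manifest)
    encrypted = sorted(p for p in new if is_encrypted_name(p))
    # originals that disappeared and came back under a ransomware suffix
    replaced = sorted(p for p in prev - new
                      if any(e.startswith(p + ".") for e in encrypted))
    ratio = len(encrypted) / len(new) if new else 0.0
    ok = ratio <= max_renamed_ratio and not replaced
    return ok, {"encrypted": encrypted, "replaced": replaced,
                "ratio": round(ratio, 3)}


# Constructed manifests (file names only, no real data)
PREVIOUS = [
    "evidence/2016/bodycam/unit3_20161201.mp4",
    "evidence/2016/photos/scene42.jpg",
    "office/reports/incident_1187.docx",
    "office/reports/roster.xlsx",
]
AFTER_INFECTION = [
    "evidence/2016/bodycam/unit3_20161201.mp4.crypt",
    "evidence/2016/photos/scene42.jpg.crypt",
    "office/reports/incident_1187.docx.crypt",
    "office/reports/roster.xlsx",         # not yet reached by the encryptor
    "office/_HELP_instructions.txt",      # ransom note dropped by the malware
]

if __name__ == "__main__":
    ok, report = assess_generation(PREVIOUS, AFTER_INFECTION)
    print("rotate" if ok else "HOLD previous generation", report)
```

Run it from the backup job before the oldest generation is expired; a held generation is the off-site copy the Cockrell Hill department did not have.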

A rather mind-blowing 70% of businesses hit by ransomware paid the hackers to regain access to hijacked systems and files, according to a new IBM X-Force Ransomware report. Of the attacked businesses, 20 percent paid over $40,000 to decrypt their files, while more than half paid more than $10,000.

The IBM study [registration required], “Ransomware: How Consumers and Businesses Value Their Data” surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data. 

Around 66% of the report’s respondents are generally worried about hackers compromising data, and almost 60 percent of business leaders said they would be willing to pay the ransom to regain access to financial records, intellectual property, business plans and consumer data, the report found. Depending on the data type, they are willing to pay between $20,000 and $50,000 to get their data back.

FBI: “Not A Good Idea To Pay Up”

Law enforcement agencies like the FBI say that it’s not a good idea to pay the ransom. But unlocking patient records in a healthcare site is crucial to keeping patients safe – so hospitals pay up big time.

IBM researchers determined that financial returns on ransomware are expected to grow to over $1 billion for cybercriminals in the next year, which means these types of extortion attempts will continue to expand. Almost 40 percent of spam emails sent in 2016 contained ransomware, and we expect that number to grow.

Small to medium businesses are less prepared for a ransomware attack than larger businesses. And medium to large organizations are more likely to have taken action in the last three months to protect data.

Further, 74 percent of large organizations require employees to regularly change passwords, versus 56 percent of small companies. And only 30 percent of small organizations offer IT security awareness training. OUCH.

“Cybercriminals have no boundaries when it comes to their targets,” Limor Kessem, executive security advisor for IBM Security, said in a statement. “The digitization of memories, financial information and trade secrets require a renewed vigilance to protect it from extortion schemes like ransomware.”

Ransomware attacks very often succeed through a phishing attack with a spoofed ‘From’ address. These types of attacks are hard to spot and employees tend to fall for them.

Can Your Domain Be Spoofed?

Can hackers spoof an email address of your own domain and get away with millions?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit “CEO Fraud”, penetrating your network is like taking candy from a baby.

Would you like to know if hackers can spoof your domain? Sentree Systems, Corp. can help you find out if this is the case with our free Domain Spoof Test. It’s quick, easy, and often a shocking discovery.
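The page does not say how the Domain Spoof Test works, so the check below is an added example of my own, not Sentree Systems’ test: the two DNS records that decide whether receivers will reject mail forged with your domain in the From address are SPF and DMARC, and this script grades them. The records are passed in as strings (constructed samples on placeholder domains) so it runs offline; a live version would fetch the TXT records at the domain and at _dmarc.<domain>.

```python
"""Grade a domain's SPF and DMARC records for From-address spoofability.

Added example, not from the original post or the vendor's own test.
SPF and DMARC TXT records are supplied as strings (constructed samples
below) so the check runs offline; look them up at <domain> and
_dmarc.<domain> for a real assessment.
"""


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf, dmarc):
    """Return a list of findings; an empty list means receivers that enforce
    SPF and DMARC will reject mail forged with this domain in the From line."""
    findings = []

    # SPF: the trailing 'all' mechanism decides what happens to senders not
    # listed in the record, i.e. to the spoofer's mail server.
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: any server may send as this domain")
    else:
        all_term = next((t for t in spf.split()
                         if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None or all_term.lower() in ("+all", "all"):
            findings.append("SPF ends without a restrictive 'all' mechanism")
        elif all_term == "?all":
            findings.append("SPF '?all' is neutral: unlisted senders are not penalised")
        elif all_term == "~all":
            findings.append("SPF '~all' is a softfail: mail is usually delivered unless DMARC rejects")

    # DMARC: the policy tells receivers what to do when SPF/DKIM alignment
    # fails, and rua= is where you learn that someone is spoofing you.
    tags = parse_tags(dmarc) if dmarc else {}
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: receivers will not act on SPF/DKIM failures")
    else:
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine sends spoofed mail to spam rather than rejecting it")
        pct = int(tags.get("pct", "100"))
        if pct < 100 and policy != "none":
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("no rua= address: you will not receive aggregate reports of spoofing")
    return findings


# Constructed sample records (placeholder domains, not real ones)
WEAK_SPF = "v=spf1 include:_spf.example-mail.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example-mail.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["OK"])
```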

As the makers of recruiting platforms are happy to remind us, your social media self is extremely likely to be perused by recruiters who’ll either snap you up when they see the results or turn up their noses at, say, your posts about OMG how much you HATE your boss and hope he DIES!

According to one such vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up.

There have been various tools put forth that make it easier for employers to get at your “true” self.

(And before you protest that our social media selves are not, in fact, our “true” selves, I need to point out that researchers say otherwise. “Disagreeable” or “non-conscientious” people are, in fact, more likely to emit the unpleasant aroma of, say, bad-mouthing peers and employers on social media.)

Now, there’s another such tool to go beyond just plain old running a search on a candidate.

Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report.

That report is an infographic that, the company claims, maps out a candidate’s “personal brand.”

It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation.

It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker.

It’s a lot faster than slogging through Google searches for a name. Plus, as the founder of the Australian company, Fiona McLean, points out, when you rely on search engine results, you can’t even be sure the profile you’re looking at is for the right person.

As far as privacy goes, McLean points out that the system only looks at public information, and it doesn’t share people’s posts with companies.

If it’s not online, then a client can’t see it in the report.

The system maps out when, where, and how often people are posting. It also gives a timeline for your career, highlighting both the good – say, when you got promoted, or your average tenure – and the bad – say, unaccounted chunks of time that don’t reflect your being employed, or a brief average tenure that could point to a pattern of getting shown the curb after a few months.

Like Klout, it also shows how much of an influencer you are: How many connections you have on any given platform, for example. The system also does some sentiment analysis to show how positive your digital self is.

Employers will be able to tweak it to fit a given role. McLean gave the example of a job that requires a lot of social media interaction: if your profile shows that you don’t post much, that’s bad.

I worked with someone early on who was hiring for a social media role, and they were getting a lot of people who were saying ‘well I know social media, I do a lot of it,’ but the reality was they knew the theory of it but couldn’t demonstrate it.

…on the other hand, if you’re spending all day posting when social media interaction isn’t part of your gig, that’s pretty bad too, McLean said:

If the role is a back office accountant and they are equally on social media between 10 and 4, the chances are, they are not doing the core part of the role as well as they could.

But wait, isn’t it illegal to ask employees for their account logins? Illegal, as in, it’s against user policies to share your account passwords?

Back in June, we got wind of a service that offered to scour potential tenants’ social media profiles for landlords.

The service, called Tenant Assured, still hasn’t launched, but its plan is to provide detailed reports assessing rental applicants’ personality traits, creditworthiness and financial risk by directly accessing their Facebook, Twitter, LinkedIn and Instagram profiles, with the applicant’s consent.

Consent needs to be given for either of these social media-mining apps.

That still doesn’t answer the question, though: isn’t it illegal to demand workers’ passwords?

No, it’s not, at least in the US. As it is, a number of US states have tried to make it so, but the US House has declined to ban the practice.

At any rate, job candidates and tenants alike can decline to hand over access to their accounts.

But if apps like Tenant Assured and The Social Index become widely used, will we even have a choice? My way or the highway or, in this case, pry way or the highway!

Hand over access, or some day you could well find yourself being disregarded for an apartment or a job.

When it comes to The Social Index, the small mercy is that they’re only going after publicly posted data.

It’s yet another very good reason to clean up your past posts and to lock down your privacy.

To maintain privacy, use privacy controls. Millions of Facebook users are oblivious to, or just don’t use, privacy controls.

Don’t be one of them, and while you’re at it, don’t let your friends or family fall into that category.

To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds.

Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life.

There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.

Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there.

To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in.

As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.

Also, to further lock down your profile, take a gander at these three ways to better secure your Facebook account.



Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly.

The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware, which targeted and sabotaged Industrial Control Systems and Supervisory Control and Data Acquisition (SCADA) devices in America during 2014.

The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan, and the KillDisk disk-wiping malware.

KillDisk was used in 2015 and 2016 when another gang, the Russian BlackEnergy cyber-espionage group, used the malware to attack and sabotage energy, mining and media companies in Ukraine. Bad guys have very active forums and talk all the time, so this is probably how state-sponsored Russian hackers got their hands on KillDisk.

Until today, the KillDisk malware strain was only active in espionage and sabotage ops. Well, they are now moving into the ransomware racket with a bang: a 222 Bitcoin ransom, which with the skyrocketing Bitcoin exchange rate is well over 200 grand. If you get hit with this and your backups fail, that gets very expensive.

The new KillDisk strain uses very robust encryption, giving each file its own AES key, and then encrypting the AES key with a public RSA-1028 key. These guys know what they are doing.

KillDisk was recently used against Ukrainian banks

Recent KillDisk attacks were against Ukrainian banks. These attacks infected bank workers with the TeleBots backdoor trojan via phishing attacks with malicious email attachments. TeleBots is an easy-to-recognize malware strain because it uses the Telegram protocol to communicate with its criminal owners.

Catalin Cimpanu at Bleepingcomputer said: “After collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also hide the intruder’s tracks.

In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) and draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivism group, portrayed in the show.

At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations.”

Why did they add a ransomware feature?

It’s easier to hide your tracks if KillDisk poses as ransomware. You are basically looking at a very profitable form of obfuscation.

The victim would assume they suffered an expensive ransomware infection, and wouldn’t scan for the TeleBots trojan or other data exfiltration code. Victims trying to avoid bad PR would restore from backup or pay the ransom and move on. Meanwhile, back at the ranch they would still be robbed blind.

According to malware researchers at CyberX, the KillDisk ransomware component shows the following message on infected computers and demands a huge ransom of 222 Bitcoin, well over 200 grand.


KillDisk Ransomware

To unlock your files, you have to contact their customer support via an email and pay the ransom, and then receive your private RSA key that decrypts all your files.

The business model used here is not the spray-and-pray of the cheap ransomware. This gang goes for the high-end approach and demands a high price. Once you contact them through the email address, they will try to extort you by threatening to dump sensitive files they stole via the TeleBots backdoor.






Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282