FBI Alert: Latest CryptoWall Ransomware Damage More Than $18 Million
The latest version 3.0 of CryptoWall, descendant of the infamous CryptoLocker, is the most advanced and most damaging ransomware in the wild at the moment, specifically targeting U.S. businesses and individuals. We have been sounding the alarm about CryptoWall in CyberheistNews since last year, and its magnitude has now been confirmed by law enforcement to some degree.
The FBI, through its Internet Crime Complaint Center (IC3), released an alert on June 23, 2015 stating that between April 2014 and June 2015 the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. And that is only the reported part; the estimate is that the actual number of infections is at least two or three times higher. Going by the reported incidents only, it's a $70 million per year criminal enterprise, but in reality it looks more like $200 million, which is unbelievable. Link:
Some quick math shows $18,145 in costs per victim, caused by network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. As you can see, the total cost of a ransomware infection goes well beyond the ransom fee itself, which is usually around $500 but can go up to $10,000.
The four infection vectors, sorted by frequency:
- Phishing email with infected attachment
- Phishing email with malicious URL
- User clicks on infected ad
- User visits infected website
By far the most used vector at the moment is a phishing email with a zipped attachment that claims to be a young woman's resume. Open it up and unzip it, and a page opens with a link to another zipped file which contains the payload. Because the attachment itself carries no malware, this tactic bypasses all antivirus engines and relies entirely on social engineering your end user. A few months ago they used poisoned help-file attachments, and they continue to innovate fast to stay ahead of the spam filters.
You probably know that defending a workstation against another workstation that has been compromised has a relatively good chance of success. However, defending a workstation against a malicious server is very difficult. This gang also uses malicious URLs which, when clicked, drive the user to a compromised website hosting an exploit kit. These exploit kits scan for known, unpatched vulnerabilities in hundreds of applications and can compromise the workstation in literally less than one second.
That is what infection vectors 2, 3 and 4 ultimately rely on: drive users to that compromised website and infect the workstation and the network that way. It can be a URL that drops the user onto that site, an ad that redirects the user there, or a site the user visits regularly that the gang has compromised.
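As an added defensive illustration (not code from the newsletter or from KnowBe4), the following Python script turns the attachment pattern described above, a zipped "resume" that really holds a web page linking to a second archive, into a mail-gateway triage rule; the extension list and the sample archives are constructed assumptions.

```python
import io
import zipfile

# Constructed detection rule (added example, not KnowBe4's or the newsletter's
# own code). Inside a zipped "resume", these extensions are red flags for the
# CryptoWall lure described above rather than an actual document.
RISKY_EXTENSIONS = {
    ".htm", ".html",                 # the page whose link fetches the second zip
    ".zip", ".rar", ".7z",           # a nested archive carrying the payload
    ".chm",                          # the poisoned help-file variant of the lure
    ".exe", ".scr", ".js", ".vbs",   # directly executable content
}


def triage_zip(data: bytes) -> dict:
    """Inspect an attachment's zip listing only; nothing is extracted or run.

    Returns {"verdict": "block"|"allow", "reasons": [...], "entries": [...]}.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a valid zip"], "entries": []}
    reasons = []
    for name in entries:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"{name}: {ext} file inside attachment")
    if not entries:
        reasons.append("empty archive")
    return {"verdict": "block" if reasons else "allow",
            "reasons": reasons, "entries": entries}


def build_sample(lure: bool) -> bytes:
    """Constructed sample attachments: the lure (an HTML page that links to a
    second zip) versus a plain PDF resume. Neither is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("resume.html",
                        "<a href='http://example.invalid/resume.zip'>view</a>")
        else:
            zf.writestr("resume.pdf", "%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for is_lure in (True, False):
        print(triage_zip(build_sample(is_lure)))
```

The rule only reads the archive's file listing, so it is safe to run in a gateway before any user sees the attachment.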
It's a nasty business, and it's growing. You are dealing with a criminal hybrid of very high quality coding, used for sophisticated digital hijacking, and supported by commercial-grade "customer service" which makes sure they can generate cash from their malware. Ironically, these gangs are concerned with their reputation in the market. If word gets out they do not decrypt, their revenue stream will dry up because of bad word-of-mouth.
What To Do About It
IBM recently warned against spear phishing attacks using the Dyre Trojan for cyberheists of more than $1 million at a time, and suggested policy and procedures to block these attacks. Obviously things like having recent backups, excellent patching discipline and good filters at the network edge are a given. Their recommendations are on the mark:
"Organizations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like the one described in this advisory."
We could not agree more. New-school security awareness training, which combines web-based on-demand training by a social engineering expert with frequent simulated phishing attacks, is a must these days to protect your organization against these kinds of attacks.
- Train employees on security best practices and how to report suspicious activity.
- Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
- Offer security training to employees to help understand threats and measures they can take to protect the organization.
- Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
- Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.
You can find this post at the KnowBe4 Blog here:
Ransomware Interview: Pay It Or Fight It?
Colin Neagle at Network World interviewed me as part of his article about the pros and cons of paying the ransom if you get infected with criminal ransomware:
"Ask security experts what to do when hit with ransomware – the sophisticated malware that infects a device or network, uses military-grade encryption to restrict access, and demands payment for the decryption key – and you'll typically get the same answer: "never pay the ransom."
"But for many, that's simply not an option. For example, last November an employee in the Sheriff's Department in Dickinson County, Tenn., accidentally clicked on a malicious ad and exposed the office network to the infamous CryptoWall ransomware. Detective Jeff McCliss told local News Channel 5 that CryptoWall had encrypted "every sort of document you could develop in an investigation," such as witness statements and evidence photos.
"Even after consulting with the FBI and U.S. military, McCliss told the news station that the only solution was to pay the $500 to the cybercriminals to get their files back." You may come to the same conclusion if your backups fail. Read the whole interview here:
"The good life is one inspired by love and guided by knowledge." - Bertrand Russell
"If you treat an individual ... as if he were what he ought to be and could be, he will become what he ought to be and could be." - Johann Wolfgang von Goethe
Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
There is an enormous amount of noise in the security space, so how do you know what people really talk about and consider the most important topic?
Well, we created the HackBusters site for exactly that. HackBusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the real hot topics; we tweet the #1. Here are this week's five most popular HackBusters posts:
Finally Some Good News: Europol Arrests Gang Behind ZeuS Banking Malware
Law enforcement agencies from six European countries have taken down a major Ukraine-based cyber crime gang that was developing, distributing and deploying Zeus and SpyEye banking malware. According to officials, the gang has caused financial damages estimated at more than 2 million euro, but that is a low-ball estimate.
According to the report on the Europol website, authorities arrested five suspects on June 18th and 19th. All five cyber gangsters are accused of infecting hundreds of thousands of computers worldwide with malware and banking Trojans.
"On the underground digital forums, they actively traded stolen credentials, compromised bank account information and malware," Europol said in their statement, "while selling their hacking 'services' and looking for new cooperation partners in other cybercriminal activities."
Each cyber criminal in the alleged group had their own specialty. The gang as a whole was involved in developing malware, infecting machines, and trading stolen bank credentials, malware, and hacking-for-hire services in underground fraudster forums. More at:
Ammo To Get Approval For User Education
You may know Gartner, the 800-pound gorilla in the IT analyst space. When a market is mature enough, they create their Magic Quadrant (MQ) with the leading vendors in that particular space. Normally there are hundreds of players in a mature market, but only 20 or so of the actual worldwide leaders make it onto the MQ, and KnowBe4 is on it.
The Gartner Managing Vice President who covers the security awareness training market and manages this MQ is Andrew Walls. Here is his bio:
Walls revealed some interesting numbers that may help you get budget: the security awareness training market globally exceeds one billion in annual revenue, and it is growing about 13 percent per year.
CISOs are increasingly turning to educational security awareness solutions. This is good ammo if you need budget approval to train your employees; C-level peer pressure is a great incentive to hop onto a trend and not fall behind.
InfoWorld's security guru Roger Grimes reviewed KnowBe4's integrated awareness training and phishing platform. It's great to send to executives as an addendum to a business case for user education. Here is the article:
Great Article In Washington Post: How L0pht Foretold Internet Disaster
This is great to read over a lunch break; it's a great history of how the Internet was built with vulnerabilities baked in from the start. They open with:
"The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.
"Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.
“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.
"The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said. What happened instead was a tragedy of missed opportunity, and 17 years later the world is still paying the price in rampant insecurity. Read it and weep/enjoy:
Banks Get Attacked Four Times More Than Other Industries
According to a new report from Websense Security Labs, the average number of attacks against financial services institutions is four times higher than that of companies in other industries.
Criminals aren't just going after banks for their money, according to Carl Leonard, principal security analyst at Websense. They're also using banks as a vehicle to reach other victims.
For example, a compromised email account at a bank could allow hackers to leverage the trust that customers have in their bank to reach out to their business and retail customers.
"Typo-squatting also made a strong comeback this year, now in combination with email-based social engineering tactics, at an average cost of $130,000 per incident." More:
This Week's Links We Like. Tips, Hints And Fun Stuff.