CyberheistNews Vol 6 #28 [ALERT] There Is A Nasty New MBR & File Encryption Ransomware Strain



Stu Sjouwerman

There is a new ransomware strain called "Satana" (the reference is clear, just take the last "a" off) which is a blend of classic file-encryption malware and the Petya strain, which overwrites the Master Boot Record (MBR).

This looks like a Petya copycat, but Satana also prepends the attackers' email address to the name of every file it encrypts, like this: "email@domain.com_filename.extension".

Satana then encrypts the original MBR and overwrites it with its own boot code. The next time the user reboots the workstation, Satana's boot code loads, and the only thing the machine shows is Satana's ransom note in red on black (pictures at the blog link below).

Security researcher Hasherezade posted the initial analysis at Malwarebytes and stated it might be possible to recover the original MBR. Restoring an MBR via Windows' cumbersome command-line tools is not for the faint of heart, and even a recovered MBR only gets the machine booting again; it does not decrypt the files.

According to Hasherezade, the code looks like a work in progress, as its developers are still adding "new features". Stay tuned, this puppy is going to cause some damage when they start pumping it out.
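Two of the indicators described above lend themselves to a quick check: the "email_filename.ext" rename scheme and a replaced first sector. The following Python script, added here as an illustration (it is not code from this newsletter or from the Malwarebytes write-up), flags the rename pattern across a directory listing and compares a freshly read MBR against a known-good copy taken while the machine was healthy. The listing, the email address and the sector bytes are constructed for the example; the region offsets are the standard MBR layout, not anything specific to Satana.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# --- Indicator 1: the "email_filename.ext" rename scheme ---------------------

# An email address, an underscore, then the original name. The address part is
# deliberately loose; RFC 5322 allows far more than this.
SATANA_NAME = re.compile(
    r"^(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
    r"_(?P<orig>.+)$"
)


def parse_satana_name(name):
    """Return (email, original_name) if `name` follows the scheme, else None."""
    m = SATANA_NAME.match(name)
    return (m.group("email"), m.group("orig")) if m else None


def find_renamed(paths, min_hits=3):
    """Group suspect files by email prefix and parent directory.

    A single file called "someone@example.com_notes.txt" may be perfectly
    legitimate, so a prefix only counts when it appears on at least `min_hits`
    files in the same directory. Returns {email: {directory: [(path, orig)]}}.
    """
    by_email = defaultdict(lambda: defaultdict(list))
    for p in paths:
        pp = PureWindowsPath(p)
        parsed = parse_satana_name(pp.name)
        if parsed:
            email, orig = parsed
            by_email[email][str(pp.parent)].append((p, orig))
    return {
        email: {d: files for d, files in dirs.items() if len(files) >= min_hits}
        for email, dirs in by_email.items()
        if any(len(files) >= min_hits for files in dirs.values())
    }


# Constructed sample listing; the address is a placeholder, not a real indicator.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\payme@example.invalid_Q2-report.xlsx",
    r"C:\Users\alice\Documents\payme@example.invalid_budget.docx",
    r"C:\Users\alice\Documents\payme@example.invalid_photo_001.jpg",
    r"C:\Users\alice\Documents\notes_2016.txt",
    r"C:\Users\alice\Pictures\payme@example.invalid_holiday.jpg",        # lone hit, ignored
    r"C:\Users\alice\Contacts\john.smith@corp.example.com_resume.docx",  # legitimate-looking
]

# --- Indicator 2: the first sector no longer matches a known-good copy --------

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a disk. Needs an elevated prompt on Windows;
    on Linux pass e.g. /dev/sda. Not called by the sample run below."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def mbr_diff(current, baseline):
    """Report which standard MBR regions differ from the healthy baseline.

    Regions: 'boot-code' (bytes 0-439), 'disk-signature' (440-443),
    'partition-table' (446-509); 'no-signature' if the sector does not end
    in 55 AA at all. An empty set means the sector is unchanged.
    """
    if len(current) != MBR_SIZE or len(baseline) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = set()
    if current[510:512] != BOOT_SIGNATURE:
        findings.add("no-signature")
    if current[0:440] != baseline[0:440]:
        findings.add("boot-code")
    if current[440:444] != baseline[440:444]:
        findings.add("disk-signature")
    if current[446:510] != baseline[446:510]:
        findings.add("partition-table")
    return findings


# Constructed sectors: a minimal "healthy" MBR and a copy whose boot code was
# overwritten. Neither is real bootloader code, and neither is Satana's.
SAMPLE_BASELINE = bytearray(MBR_SIZE)
SAMPLE_BASELINE[0:3] = b"\x33\xC0\x8E"                  # start of typical boot code
SAMPLE_BASELINE[440:444] = b"\x12\x34\x56\x78"          # disk signature
SAMPLE_BASELINE[446:462] = b"\x80\x20\x21\x00\x07\xFE\xFF\xFF\x00\x08\x00\x00\x00\xF8\x3F\x00"
SAMPLE_BASELINE[510:512] = BOOT_SIGNATURE
SAMPLE_TAMPERED = bytearray(SAMPLE_BASELINE)
SAMPLE_TAMPERED[0:16] = b"REPLACED BOOTCDE"             # boot code swapped, table kept

if __name__ == "__main__":
    for email, dirs in find_renamed(SAMPLE_LISTING).items():
        for d, files in dirs.items():
            print(f"{email}: {len(files)} renamed files in {d}")
            for path, orig in files:
                print(f"  {path} -> original name {orig!r}")
    print("MBR regions changed:", sorted(mbr_diff(SAMPLE_TAMPERED, SAMPLE_BASELINE)))
```

The baseline copy is what makes recovery cheap: take it while the machine is healthy (`dd if=/dev/sda bs=512 count=1` on Linux, or the same `read_mbr` call from an elevated prompt on Windows) and keep it off the box. When only `boot-code` differs, write back just bytes 0-445 of the baseline so a legitimately changed partition table is not clobbered. Either way this only restores booting; the files stay encrypted.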

Here's this week's ransomware roundup, which also covers the recent high-volume, spam-spewing Zepto strain:
https://blog.knowbe4.com/ransomware-roundup-july-2016-satana-new-mbr-/-file-encryption-strain

Scam Of The Week: FBI Warns Against Data Breach Extortion

The number of data breaches keeps going up. Last week it was more than 1,000 Wendy's locations where credit card records got ripped off. Fraudsters quickly use the news of a high-profile data breach to kick an extortion campaign into gear.

The public at large suffers from data breach fatigue and does not really care that much anymore, despite two risks that can cause victims a lot of hassle and lost time, for private and sometimes corporate credit cards alike:

  • Fresh credit card data can be used for illegal purchases of goods that are then sold on the black market and turned into cash.
  • Enough personal information can be stolen to allow the bad guys to commit identity theft, which can cause significant trouble and take years to clean up.

The FBI warned that internet lowlifes are exploiting these data breaches by threatening to expose the victim's personal information to their employer, friends and family using social media unless the targeted person agrees to pay a ransom in Bitcoin. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately 250 to 1,200 dollars.

Lists of "fraud suckers" get sold online, and employees who fall for these attacks become a future risk to themselves and to their personal and work environments, as they can be blackmailed by other internet criminals. The FBI released some examples of extortion emails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”


As part of your ongoing security awareness campaign, I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:

"Internet criminals are using fresh news of big data breaches (like Wendy's last week) to send people threatening emails. These emails claim the criminals have confidential information about you that they will send to your employer, friends and family using social media. They threaten possible divorce, court proceedings, losing your job, or worse.

If you get emails like this, delete them immediately. Do not click on any links in the email, do not open attachments that claim to show your confidential information, do not reply to them, and definitely do not send any money in any form, whether they want checks, wire transfers or payment in a new e-currency like Bitcoin."


The FBI published some very helpful tips to protect yourself online:

  • Do not open e-mail or attachments from unknown individuals.
  • Monitor your bank account statements regularly, as well as your credit report at least once a year, for any fraudulent activity.
  • Do not communicate with the cyber criminals.
  • Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
  • Use strong passwords and do not use the same password for multiple websites.
  • Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
  • Ensure security settings for social media accounts are turned on and set at the highest level of protection.
  • When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes https, or the status bar displays a “lock” icon.

Now, if an employee replies that they have been a victim of this scam, tell them to reach out to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. Tell them to include the keyword “Extortion E-mail Scheme” in their complaint, and provide any relevant information including the extortion e-mail with header information and Bitcoin address if available. It's also a very good idea to get HR involved to help the employee cope with this new type of extortion.

Let's stay safe out there.

Cybersecurity Defense Is A Losing Game, Stop The Attacker's Offense Instead!

“The adage is true that the security systems have to win every time, the attacker only has to win once.” — Dustin Dykes.

You are going to be hacked if the only thing you do is play defense. If you want to be a hard target, you need to adopt a more military mindset, look at your adversary's weak points and block those actively.

Find out where your attacker is lazy and use that to your advantage. It's your network that is the battlefield and you can leverage your familiarity with the terrain.

Obviously you want to have a baseline that shows your normal network behavior and then monitor your own network for anomalies, similar to performing military recon missions. Ultimately you win by dictating the rules of the game and taking control of the situation.

However, we in IT are not normally trained in a military approach to problems. It makes sense to start reading some books in that area, I've been studying Sun Tzu for a while now.

The bad guys are going for the low-hanging fruit and that's still your employees. Sending frequent simulated phishing campaigns to users is fun and extremely effective at cutting down the number of people who click on the malware that makes it through your filters. Ultimately, your users are your first line of defense, or the last line depending how you look at it.

New-school security awareness training is a great way to block an attacker's offense. See what customers write about it at Gartner's brand new Peer Insights reviews site, which is "by IT, for IT" on key segments of the market.

This new site is available for both Gartner and non-Gartner customers, and a fantastic resource if you want to create a shortlist. Highly reliable, vetted, objective reviews of leading IT solutions:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training

Should Ransomware Infections Count As Data Breaches? (Yes.)

Paul F. Roberts is the Editor in Chief of The Security Ledger, and reported about a proposal circulating in Congress that would classify ransomware infections in healthcare settings as de facto breaches. Wow, just wait for that to filter out to other industries.

The idea is gathering steam within policy circles in Washington D.C. The Department of Health and Human Services’ Office for Civil Rights (OCR), which has responsibility for health information privacy, is working on guidance for healthcare organizations on dealing with ransomware attacks.

U.S. Congressman Ted Lieu (D-CA) is eager to ensure that the guidance specifically addresses how ransomware attacks fall under data breach laws. Further, Lieu has written a letter to HHS to urge regulators to require disclosures of ransomware attacks that affect access to patient records, even in the absence of a data breach involving the viewing of patient health information.

Ransomware attacks are different in that they affect healthcare operations and may deny access to patient records, Lieu noted. That kind of impact could affect patient care and should be something that patients are made aware of, even if no theft of records or leak of patient data results, Lieu argues. More at the Digital Guardian Blog:
https://digitalguardian.com/blog/should-ransomware-infections-count-data-breaches-yes

Don’t Miss The July 13 Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, July 13, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
  • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
  • NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.
  • NEW USB Drive Test™ allows you to test your users' reactions to unknown USBs found.

Find out how thousands of organizations have mobilized their end-users as their first line of defense:
Register Now: https://attendee.gotowebinar.com/register/5782005470711644161

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"A problem well stated is a problem half-solved." - Charles Kettering

"The humans are the most important security modules in the network." - Bob Young


Thanks for reading CyberheistNews


Security News
The Healthcare Ransomware Infection Dilemma

I was invited as a panel member in a webcast specifically about ransomware infections and mitigation in healthcare organizations. Having access to patient records is literally a matter of life and death in that environment.

This webcast covers critical points like learning how to prepare against a cyber attack and keep operating when your systems are under siege, and the different levels of backup that are available. Watch the video and learn how to:

  • Prepare in advance of a threat
  • Back-up your sensitive records
  • Ensure alternative access to data

Work In Healthcare? Watch the webinar at:
http://info.purview.net/ransomware-webinar-video

Not in Healthcare? Watch it at BrightTALK:
https://www.brighttalk.com/webcast/14421/215019

Download These New Awareness Training Whitepapers

"What Constitutes Effective Security Awareness Training?"

Today employees are a critical part of an organization’s defense against many IT security threats. Read this whitepaper and find out what works to drive significant behavior change toward employees making smarter security decisions:
https://info.knowbe4.com/whitepaper-effective-security-awareness-training

"Employees at the Frontline in the Battle Against Ransomware"

The recent escalating ransomware attacks have shown that no organization is safe. Find out how you can help to combat these attacks by training your employees to create a human firewall in the battle against ransomware:
https://info.knowbe4.com/whitepaper-employees-frontline

SANS released the July Issue of OUCH!

They said: "We are excited to announce the July issue of OUCH! This month, led by Guest Editor Angela Pappas of Thomson Reuters, we focus on CEO Fraud. CEO Fraud is a targeted attack where cyber criminals pose as a senior leader in an organization and trick employees into wiring money or sending highly sensitive documents. CEO Fraud is extremely effective and very hard for security technologies to detect and stop as there is no malicious link or infected attachment. Awareness is the best defense you have against these attacks. As such, we ask that you share OUCH! with your family, friends, and coworkers."
http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201607_en.pdf


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff




