CyberheistNews Vol 4, # 09 41 Percent Of Infected Pay The CryptoLocker Ransom



Stu Sjouwerman's New Security Newsletter

Editor's Corner


41 Percent Of Infected Pay The CryptoLocker Ransom

I have warned about the CryptoLocker ransomware recently, but now we have some hard numbers on the percentage of people who are forced to pay up when a workstation has been infected and there are problems with the backups (of which there are many).

This type of file-ransom malware has been an incredibly effective way for cybercriminals to make boatloads of money, and other gangs are following their example. They are making hundreds of millions of dollars with relative ease. And how much is this costing the average company that gets infected?

A brand new survey by the University of Kent shows that about 10 percent of its 1,502 respondents have been affected by CryptoLocker or similar variants, and 41 percent of those ended up paying the CryptoLocker ransom. Other strains of this type of ransom malware scored a 30 percent pay-up ratio.

In the U.S. the average amount paid is $300, in the U.K. it's 300 pounds, and in Europe it's 300 Euros. Apparently the bad guys don't care about exchange rates. You can also pay 2 Bitcoins, if they have not already been stolen out of your wallet by another cyber gang or your Bitcoin exchange has not gone bust. There's a new twist that was added recently: if you miss the first deadline, you get a second chance, but the price is now 10 Bitcoins, which gets very expensive.

Now, keep in mind that the CryptoLocker gang (widely assumed to be the Russian mob) is fully automated and operates on an industrial scale. And then there are also some criminal "boutique shops" that operate on a strike-force basis, targeting an individual company. An example is a medical practice where the hackers encrypted the patient database and asked for a relatively low amount of $4,000, which shows they have gotten smart and go for a high-volume, low-yield scheme to increase their chance of a payout.

Widespread malware attacks like these should really serve as a heads-up for any organization to get effective security awareness training for all employees, from the CEO down to the mailroom. Particularly organizations dealing with customer credit cards or financial data, personally identifiable information or personal health information should deploy training ASAP because when you deal with information like this, ignorance is not an excuse.

Dr Julio Hernandez-Castro, one of the authors of the research commented: "If the results reported on the rate of CryptoLocker victims who pay a ransom are to be strengthened by further research, these figures would be extremely troubling, netting criminals behind the ransomware hundreds of millions. This would encourage them to continue with this form of cybercrime, potentially prompting other criminal gangs to jump into an extremely profitable cybercrime market." Link to the survey:
http://www.cybersec.kent.ac.uk/Survey2.pdf

Get a quote now and find out how much Kevin Mitnick Security Awareness Training would cost for your employees. You will be pleasantly surprised how effective and affordable it is:
http://info.knowbe4.com/dont-get-hit-with-cryprolocker

Scam Of The Week: Email Customers "Upgraded to Outlook"

Cybercriminals are trying to trick Hotmail users into handing over their credentials with fake emails that claim to come from "The Microsoft account team." The emails, analyzed by researchers from Malwarebytes, inform recipients that their Hotmail account is upgraded to Outlook.

The scam claims their Hotmail Account has expired and that due to a new system upgrade to Outlook they need to follow the link, sign in and re-activate their account.

The email address is spoofed and the link points to a website whose owners are probably not aware of the fact that they’ve been hacked. Warn your users about this scam, and scams similar to it; STOP LOOK THINK!

Quotes of the Week

"Do something wonderful, people may imitate it." - Albert Schweitzer

"This above all; to thine own self be true." - Albert Einstein


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Can Phishing Attacks Spoof -Your- Domain? Find Out Now:

91% of successful data breaches began with a "spear-phishing" email, research from security software firm Trend Micro shows. Are -you- vulnerable? Find out now whether your email server is configured correctly; many are not!

KnowBe4 offers you a free 'Domain Spoof Test', which shows if outsiders can send you an email coming from someone within your own domain. It's quick, easy and often a bit of a shock. The single thing we do is just send one email from the outside directly to you, but we spoof your own email address, so if the email makes it through, it's from "you to you".

So, can hackers send all your employees an email 'from your CEO' about your organization's "new healthcare plan"? Find out now:
http://info.knowbe4.com/domainspooftest-14-03-04
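As an added example (this is not KnowBe4's Domain Spoof Test and not code from the newsletter), here is an offline evaluator of the question the test answers from the defender's side: it reads a domain's published SPF and DMARC TXT records and reports whether that policy alone would let an outsider's "from you to you" message through unchallenged. The DNS records below are constructed for illustration, and `lookup_txt` is a stand-in that you would replace with a real resolver.

```python
"""Assess whether a domain's published SPF/DMARC policy would stop a spoofed
"from you to you" email. Added example, not the KnowBe4 Domain Spoof Test;
the DNS records below are constructed for illustration."""
import re

# Constructed TXT records, keyed by DNS name, as a resolver would return them.
SAMPLE_TXT = {
    "weak.example": ["google-site-verification=abc123",
                     "v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "nothing.example": [],  # domain publishes neither record
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return records.get(name, [])


def spf_all_qualifier(txt_records):
    """Return the qualifier of the SPF 'all' mechanism: '+', '-', '~' or '?'.
    Returns None when no SPF record is published. A record with no 'all'
    term yields a neutral result for unmatched senders (RFC 7208), so it
    is reported as '?'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?=\s|$)", spf[0], re.IGNORECASE)
    if not m:
        return "?"
    return m.group(1) or "+"   # a bare 'all' means '+all' (pass everyone)


def dmarc_policy(txt_records):
    """Return the DMARC 'p=' tag value (none/quarantine/reject) or None."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None


def assess(domain, records=SAMPLE_TXT):
    """Combine both records into a verdict plus human-readable findings."""
    spf_all = spf_all_qualifier(lookup_txt(domain, records))
    dmarc_p = dmarc_policy(lookup_txt("_dmarc." + domain, records))
    findings = []
    if spf_all is None:
        findings.append("no SPF record: any host may claim to send for the domain")
    elif spf_all in ("+", "?"):
        findings.append(f"SPF ends in '{spf_all}all': unlisted senders are not rejected")
    elif spf_all == "~":
        findings.append("SPF softfail (~all): receivers usually still deliver")
    if dmarc_p is None:
        findings.append("no DMARC record: the visible From: header is never checked")
    elif dmarc_p == "none":
        findings.append("DMARC p=none: failures are reported but mail is still delivered")
    # Spoofable unless SPF hard-fails strangers AND DMARC tells receivers to act.
    spoofable = spf_all != "-" or dmarc_p not in ("quarantine", "reject")
    return {"domain": domain, "spf_all": spf_all, "dmarc_p": dmarc_p,
            "findings": findings, "spoofable": spoofable}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "nothing.example"):
        r = assess(d)
        print(f"{d}: {'SPOOFABLE' if r['spoofable'] else 'protected'}")
        for f in r["findings"]:
            print("  -", f)
```

Two caveats worth keeping in mind when reading the verdict: SPF only covers the envelope sender, so it is DMARC (with its alignment rules) that ties the visible From: header your users see to that check; and a published policy is only half the story, because the receiving mail server must actually enforce it. That enforcement gap is exactly why a live test that delivers one message to your own inbox tells you something a record lookup cannot.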


RSA Conference Wrap-Up

Like I mentioned in the last issue, I was over at the RSA show in San Francisco last week. It was bigger than ever, the expo had something like 400 vendors demoing their products, and several side-conferences were held at the same time. I spent one day at one of those, where Venture Capital people met with 300 start-ups presenting their company and growth plans. It was interesting to see big companies like Google, Intel and Yahoo explain why and how they acquire startups (no secret, it's "Technology and Talent"). The recent crazy-high WhatsApp valuation made everyone giddy and was discussed all day.

The Expo itself was massive, loud and lots of vendors made noise about their solution being the best and most secure one. However, some realism seems to have set in, because most of them were forced to eat humble pie the last 12 months as hackers had been able to get past their defenses. There was so much news that it is impossible to cover it all here, but if you want to have a quick check of the important IT security news all in one spot, go to our new hackbusters site. We are still tweaking it but people seem to like it: http://www.hackbusters.com/


Average Enterprise Is Hit by a Cyber Attack Every 1.5 Seconds

FireEye released its yearly Advanced Threat Report, and they did some interesting math. Enterprises are hit by cyber attacks on average once every 1.5 seconds, double the rate of the year before, when it was once every three seconds for an attack of some kind.

In the first six months, Java was the most common attack vector for hackers, but FireEye observed a surge in watering hole attacks using IE zero-days in the second half of the year.

Cybercrime also expanded globally, as FireEye found malware attack servers and Command & Control machines in 206 countries, up from 184 the year before. The U.S., Germany, South Korea, China, the Netherlands, the U.K. and Russia were home to the most C&C servers.

FireEye senior global threat analyst Dr. Kenneth Geers said in a statement: "Across the board, we are seeing a global expansion of APTs, malware, C&C infrastructure, and the use of publicly available tools to facilitate the attack process. The global scale of the threat has put cyber defenders in the very difficult position of not having any clue where the next attack will come from."

The Top 10 countries most frequently hit by APTs in 2013 were the U.S., South Korea, Canada, Japan, the U.K., Germany, Switzerland, Taiwan, Saudi Arabia and Israel. Download the report at FireEye (registration required):
http://www2.fireeye.com/advanced-threat-report-2013.html


Hacked in 20 Minutes: Social Engineering Done Right

Excellent article at PCMag Security Watch: "How long would it take for an attacker to break into a business? Get on the corporate network as an authenticated user? If you think it would take a few days or even a few hours, you are way, way off. Try 20 minutes.

It took David Jacoby, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, three minutes to sneak into the building, four minutes to get network access, five minutes to get authenticated access to the network, and ten minutes to install a backdoor onto the corporate network. He was able to download and walk away with "gigabytes of data" from the company, he told attendees at last week's Kaspersky Lab Security Analyst Summit.

Jacoby was invited by a company to come in and test its defenses. As it turned out, he didn't need any fancy hacks or zero-days to get through. It was all social engineering. "They spent so much money [on security], and I still got in," Jacoby said. Here is the whole article - very interesting:
http://securitywatch.pcmag.com/security/320913-hacked-in-20-minutes-social-engineering-done-right


When A Stranger Calls

Dr. Neal Krawetz posted something very useful over at Hacker Factor. Apart from that, it's also very entertaining. He is legally recording the various cold calls he gets. Some of them are obvious scams, and now and then he messes with them until they hang up. Neal has some very good hints, tips and rules you should be aware of. I am only giving highlights here; you need to read the whole post:

Rule #1: Expect no delay. If you answer the phone and do not hear someone respond to your greeting, then it's virtually guaranteed to be a scam, telemarketer, or political survey.

Rule #2: Identify who is calling. Regardless of who it is, you need to know who you are talking to.

Rule #3: Trust but verify. I don't care who they say they are. Verify the caller!

Rule #4: What do they want? Replies should be very specific. "This is a call regarding your credit card." Which credit card exactly?

Rule #5: NEVER give a confirmation. This is really an important lesson and a hard habit to break. Never give any kind of positive confirmation on the phone until you are absolutely certain who you are talking to. Here is a WRONG way to answer the phone:
Me: Hello?
Them: Is this Neal Krootz?
Me: Yes this is. How can I help you?

Rule #6: Record the call. I'm always amazed at the number of cold calls that hang up on me when I ask these basic questions. "Who is calling?" *click* "What is your address?" *click*. Any caller who won't give their name or address is a scam. And if they hang up, then it's definitely a scam. Right now, about 50% of callers hang up when I ask for their address.

Here is his post, with several recorded sample calls. Have fun and learn something:
http://www.hackerfactor.com/blog/index.php?%2Farchives%2F594-When-a-Stranger-Calls.html


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: Jeff Gordon pulls off the best prank ever: LMAOROTFL:
http://www.roadandtrack.com/go/pop-culture/jeff-gordon-pranks-jalopniks-travis-okulski?

A 2000 hp Ford Mustang takes off vertically as driver David Measell accelerates slightly too fast during a drag-racing event at South Georgia Motorsports Park, USA.
http://www.flixxy.com/2000-horsepower-ford-mustang-vertical-takeoff.htm?utm_source=4

Van Damme - Zero Gravity Split. He did it before - on trees, ropes, chairs, kitchen countertops and even between two driving trucks ... but now he has reached a new level:
http://www.flixxy.com/van-damme-zero-gravity-split.htm?utm_source=4

A sweet moment between a mother humpback whale and her calf filmed using a video camera mounted on a remote-controlled hexacopter. The baby is piggybacking:
http://www.flixxy.com/incredible-view-of-a-mother-humpback-whale-and-her-baby.htm?utm_source=4

Blast From The Past. Top 5 home-made vehicles - blimp (1927), plane (1933), gyrocopter (1959), car and hydro-glider (1935):
http://www.flixxy.com/top-5-homemade-vehicles.htm?utm_source=4

And one more golden oldie: all stunts in this Isuzu Gemini spot were performed by real drivers. It was made in Paris in 1985, before the age of computer graphics:
http://www.flixxy.com/isuzu-dancing-in-paris.htm?utm_source=4
