CyberheistNews Vol 4, # 43 CryptoWall Ransomware Claims Fresh Victims


Editor's Corner


New Ad-borne CryptoWall Ransomware Claims Fresh Victims

The phones have been ringing off the hook here at KnowBe4. Not customers of ours, but people who were hit with CryptoWall V2.0, needed Bitcoin urgently, did a web search and wound up with us because of our crypto-ransom guarantee.

The folks at Proofpoint just wrote a long blog post explaining exactly why this is. In a nutshell, CryptoWall V2.0 now uses poisoned ads on dozens of major sites like Yahoo and AOL to infect networks. Malicious ads are nothing new in themselves, but second-gen ransomware using them is worrisome.

Proofpoint said: "The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware". This means a so-called drive-by download: the user does not have to click on anything. Up to now, CryptoWall was spread via spam with infected email attachments and download links sent by the Cutwail botnet.

The website visitors hit by this malvertising are people who run unpatched versions of Adobe Flash. The poisoned ads silently "pull in" malicious exploits from the FlashPack Exploit Kit, hence the "drive-by downloads".

According to security researchers at Dell SecureWorks, more than 830,000 victims worldwide have been infected with CryptoWall, up from 625,000 in late August (an increase of roughly a third).

The first ransom usually has a deadline of 4-7 days and demands about $500. Even the bad guys understand it's not always easy to get your hands on Bitcoins quickly. But when this first deadline is missed, the ransom doubles to roughly $1,000, depending on Bitcoin exchange rates.

Counting the ransom payments to CryptoWall's Bitcoin addresses, Proofpoint estimates that the attackers make $25,000 per day. Recent data taken directly from the CryptoWall ransom payment server shows since August 2014 an additional 205,000 new victims have been claimed.

Here are five suggestions on what to do about it:

    1. Do not use mapped drives, period. Use UNC paths instead to reach file servers. Apart from close to real-time (snapshot) file server backups, I also strongly recommend deploying ad blockers for all browsers in your organization if you have not already done so, or making sure your endpoint security has ad blocking built in.

    2. Keep all endpoints fully patched, Windows and all third-party apps alike. Also configure endpoint browsers to execute plug-in content only when clicked rather than automatically. Uninstall apps that are not absolutely needed and make your attack surface as small as possible.

    3. Browsers like Google Chrome and Mozilla Firefox let you enable click-to-play for plug-in based content, which stops the automatic execution of exploits that target browser plug-ins. Deploying an application whitelisting product on all machines is also worth looking at; whitelisting stops ransomware that arrives as an unapproved executable cold.

    4. Technologies for lifecycle malware detection carry different names, including targeted threat protection (TTP), targeted attack protection (TAP), and "click-time link scanning". Whatever you call it, you want it in place.

    5. Have an Acceptable Use Policy (AUP) in place that forbids employees from using their machines for private browsing, and an edge device that blocks selected groups of websites (like all social media).
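Suggestions 1 and 3 above are things you can check and enforce from a script rather than by hand. The following PowerShell is an added example written for this newsletter, not KnowBe4 or Proofpoint code: it inventories mapped drive letters (each one is a target a drive-letter-walking ransomware reaches with no extra effort) and puts Chrome's plug-ins into click-to-play via the machine policy key. It assumes Chrome honors HKLM:\SOFTWARE\Policies\Google\Chrome\DefaultPluginsSetting with 3 meaning "click to play" (1 is "run automatically", the weak default behaviour), and that mapped drives are exposed through the Win32_MappedLogicalDisk WMI class. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the newsletter. Assumptions: Chrome reads the HKLM
# policy value DefaultPluginsSetting (1 = allow plug-ins to run automatically,
# 2 = block, 3 = click to play); mapped drives appear in Win32_MappedLogicalDisk.

function Get-MappedDriveReport {
    # Suggestion 1: every mapped letter is a file share the malware reaches
    # simply by walking drive letters. Report letter -> UNC path so an admin
    # can replace the mapping with a UNC shortcut.
    Get-WmiObject -Class Win32_MappedLogicalDisk |
        ForEach-Object {
            [pscustomobject]@{
                DriveLetter = $_.DeviceID
                UncPath     = $_.ProviderName
            }
        }
}

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ChromeClickToPlay {
    # Suggestion 3: true only when the click-to-play policy (value 3) is set.
    # No value at all means Chrome's default, which is to run plug-ins automatically.
    $item = Get-ItemProperty -Path $ChromePolicyKey -Name DefaultPluginsSetting -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DefaultPluginsSetting -eq 3)
}

function Set-ChromeClickToPlay {
    # Weak setting: DefaultPluginsSetting absent or 1 (plug-ins run automatically,
    # so a poisoned Flash ad executes without a click).
    # Hardened setting: DefaultPluginsSetting = 3 (user must click to run a plug-in).
    if (-not (Test-Path $ChromePolicyKey)) {
        New-Item -Path $ChromePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $ChromePolicyKey -Name DefaultPluginsSetting `
        -Value 3 -PropertyType DWord -Force | Out-Null
}

# Usage: report mapped drives, then enforce click-to-play if it is missing.
$drives = @(Get-MappedDriveReport)
if ($drives.Count -gt 0) {
    Write-Warning "Mapped drives present (suggestion 1 says replace them with UNC paths):"
    $drives | Format-Table -AutoSize
} else {
    Write-Output "No mapped drives found."
}

if (Test-ChromeClickToPlay) {
    Write-Output "Chrome click-to-play policy already in place."
} else {
    Write-Warning "Chrome plug-ins run automatically; applying click-to-play policy."
    Set-ChromeClickToPlay
}
```

The policy key is machine-wide and overrides whatever users set in chrome://settings, so deploying the same registry value through Group Policy Preferences gives you the setting on every endpoint rather than only on the box you ran the script on. Firefox's equivalent (the "Ask to Activate" plug-in state) is set through its own preference files, not this registry key.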


You could also open an account with a Bitcoin exchange, get approved (takes a few days), create a wallet and buy a few Bitcoin just to have them in case you get hit and your backup fails.

And obviously stepping all employees through effective security awareness training is a must these days. Find out how affordable this is for your own organization. Click on the link and get a quote:

What's Really the #1 Hot InfoSec Topic?

There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that. Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the real hot topics. We tweet when a #1 hot security topic bubbles up. Follow this new service @Hackbusters on Twitter and you will get tweets with the actual breaking hot security news:

PS: If you want this data via a browser instead of twitter, you can go here:

Here's a Halloween Phishing Security Test

OK, so it doesn't always have to be doom and gloom. We decided a bit of levity for Halloween might be a fun way to get the security message across. That's why we have a Phishing Security Test template ready for you that you can send to all employees announcing the Zombie Apocalypse: CNN has Breaking News: Re-animated Corpses Come to Life in Morgue!! You will find it in the system templates, as a Current Event.

Quotes of the Week

"At the center of your being you have the answer; you know who you are and you know what you want." - Lao Tzu, Philosopher

"Do you want to know who you are? Don't ask. Act! Action will delineate and define you." - Thomas Jefferson, U.S. President

Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here.

Warm Regards, Stu Sjouwerman | Email me:

PCI DSS 3.0 Compliant in Half the Time at Half the Cost

It's time to get and stay PCI DSS 3.0 compliant. Never a better time to start using a new tool that will save you half the time and money: KnowBe4 Compliance Manager 2015. It comes with a pre-made PCI DSS 3.0 template that you can immediately use to get compliant and maintain compliance in a business-as-usual process.

Escape from Excel-Hell!

Most organizations track PCI compliance using spreadsheets, MS-Word, or proprietary self-maintained software. This is inefficient, error prone, costly, and a risk in itself. GET and STAY PCI DSS 3.0 compliant with KnowBe4 Compliance Manager™.

Fill out the form for a live web-demo, we will show you how easy this is:


Koler Android Ransomware Now Spreads in U.S. as Text Worm

Android phones have by far the largest market share, and thus are mobile malware target #1. There is now a new variant of the Koler malware that spreads itself via text messages and holds the phone hostage until the ransom is paid.

Worm.Koler displays localized ransomware messages in at least 30 countries, but 75% of this latest Koler variant infections were seen in the U.S.

Researchers from mobile security firm AdaptiveMobile discovered a new variant named Worm.Koler that spreads via SMS spam and social engineers users into opening a shortened URL, turning Koler into an SMS worm. Perhaps this is why at the moment Google simply blocks any and all URLs.

When a phone is infected, it will send an SMS message to all contacts in the device's address book stating: "Someone made a profile named -[the contact's name]- and he uploaded some of your photos! is that you?" followed by a Bitly link.

When a victim falls for the trick and taps the link, they are redirected to a Dropbox page with a download link for a 'PhotoViewer' app that, if installed, will cause the ransom screen to pop up, claiming the device has been locked up because of having illicit content and users must pay $300 via MoneyPak to 'waive the accusations.'

What to do about it:

If you see a sudden ransom screen on your phone, do not pay. Koler does not actually encrypt the files, so you can eliminate this pest from your phone in two simple steps:
    1) Reboot your phone in "Safe Mode"
    2) Remove the "PhotoViewer" app using the normal Android uninstall tool.

To protect yourself from similar future threats, keep the "Unknown Sources" option turned off in your Android device's security settings menu. With it off, the device refuses to install apps from anywhere but the official Google Play store. Here is the AdaptiveMobile blog post:

How to boot Android in Safe Mode (I learned something new here!)


CryptoLocker... Is This Really My Life?

This is a very funny blog post. Michael Cooper wrote: "This is NOT a cautionary tale. I won't sell you anything here, but I hope you get a smile and a chuckle. It's too good not to tell.

"Our firm was recently engaged by a new client - a small building services firm with only a few employees. They had been operating as many small clients do - short on IT infrastructure, policies or procedures - seat of their pants type stuff. Their network was without a Windows domain and the file server was a simple Linux based NAS device.

"This in and of itself is not the end of the world, but they came bearing gifts for us - infected with Cryptolocker - and all files on their NAS were now encrypted and unusable. Backups were always something they were meaning to do... Yeah, there is a phrase that describes this - something about being up some kind of creek missing a paddle." Keep on reading here:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: The most epic airline safety video ever made - starring Elijah Wood and Peter Jackson:

Helmet camera view of an intense obstacle race through the narrow alleys of the old city of Porto, Portugal:

Young magician Moritz Mueller from Germany has a brilliant smooth touch and impresses even experienced magicians with his superb skill:

David Blaine spooks Harrison Ford by making a card disappear from a deck and then having it reappear rolled up inside an orange:

Watch the 10 most awesome low-pass jet fly-bys:

Lockheed has made a technological breakthrough with an inexhaustible and environmentally friendly power source - the Compact Fusion Reactor:

Cars being loaded onto a ferry in rough seas in Greece. Correct timing is of the essence. (Warning...Loud Volume!):

Using nothing more than water vapor, a projector, and some motion tracking software, the Leia Display System creates interactive holograms:

Glen Dell flies his Extra 300 aerobatics aircraft low enough for Nick de Wit to backflip his dirtbike over it:

This is more fun than anything else, but it paints a scary picture. Social engineering at a country fair: how to get people's personal info (it's so easy!):

Four singers from the Philippines with an amazing performance of 'Let It Go' at the Korean talent show 'SuperStar.' These gals are great!:
