CyberheistNews Vol 10 #4 [Heads-Up] The Evil Ryuk Ransomware Strain Now Uses Wake-on-Lan to Encrypt Your *Offline* Devices

You must have heard of Ryuk before. It's one of the nastiest, most evil ransomware strains, attributed to North Korean state-sponsored cyber criminals. They are an APT — Advanced Persistent Threat — and go in silent, live undetected on your network for months, and then one very bad day they encrypt all devices on the network to create the maximum amount of disruption and downtime.

And they now have a new "feature"...

Ryuk uses the Wake-on-Lan feature to turn on powered-off devices on a large compromised network to have greater success encrypting them.

Wake-on-Lan is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special network packet to it. Highly useful for admins who may need to push out updates to a computer or perform scheduled tasks when it is powered down. Also highly useful for evil APTs.

According to a recent analysis of Ryuk by the head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument '8 LAN'.

How It Works

When this argument is used, Ryuk will scan the device's ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, and check if the entries are part of the private IP address subnets of "10.", "172.16.", and "192.168."

If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'. If the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share.

Mount drive to the Remote C$ Share

If it can mount the share, Ryuk will encrypt that remote computer's drive as well. In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allows better reach across a compromised network from a single device and shows the Ryuk operators' skill at traversing a corporate network.
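To make the described behaviour concrete from the defender's side, here is an added example (not code from the article or from the SentinelLabs analysis it cites) that does two things: it parses `arp -a` style output and picks out the entries the article says Ryuk's prefix check would select, and it recognises Wake-on-LAN magic packets in captured UDP payloads so they can be alerted on. The standard magic packet layout (6 bytes of 0xFF followed by the target MAC repeated 16 times, optionally a 4- or 6-byte SecureOn password) is the WoL specification, not something from the article; the ARP table text and the UDP payloads are constructed samples, and the comparison against the RFC 1918 ranges is an addition to show that the quoted textual prefix "172.16." covers only part of the 172.16.0.0/12 private block.

```python
"""Defender-side helpers for the Ryuk Wake-on-LAN behaviour described above.

Added example, not code from the article or from the cited analysis.
The ARP table text and UDP payloads below are constructed samples.
"""
import ipaddress
import re

# Standard WoL magic packet: 6 bytes of 0xFF, then the target MAC repeated
# 16 times (102 bytes), optionally followed by a 4- or 6-byte SecureOn password.
SYNC_STREAM = b"\xff" * 6
MAC_REPEATS = 16

# Prefixes the article reports Ryuk checks ARP entries against.  They are textual
# prefixes, so "172.16." covers only 172.16.0.0/16, not all of 172.16.0.0/12.
RYUK_PREFIXES = ("10.", "172.16.", "192.168.")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One `arp -a` data row: IPv4 address, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Parse `arp -a` style output into (ip, mac) tuples, skipping broadcast/multicast MACs."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast, not a host
            continue
        entries.append((ip, mac))
    return entries


def in_ryuk_prefixes(ip):
    """The article's check: does the address text start with one of the quoted prefixes?"""
    return ip.startswith(RYUK_PREFIXES)


def in_rfc1918(ip):
    """The full private ranges, for comparison with the textual prefix check."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def wol_candidates(arp_text):
    """ARP entries that pass the prefix check: the hosts a WoL sweep from this box would wake."""
    return [(ip, mac) for ip, mac in parse_arp_table(arp_text) if in_ryuk_prefixes(ip)]


def parse_magic_packet(payload):
    """Return the target MAC if payload is a WoL magic packet, else None.

    Match on the payload alone: WoL is usually broadcast UDP to port 9 or 7,
    but nothing enforces that, so detection should not key on the port.
    """
    if len(payload) - 102 not in (0, 4, 6) or payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def wol_alerts(flows):
    """Flag UDP flows carrying a magic packet; a burst of them from one host is the tell."""
    alerts = []
    for src, dst, port, payload in flows:
        mac = parse_magic_packet(payload)
        if mac:
            alerts.append({"src": src, "dst": dst, "port": port, "wakes": mac})
    return alerts


# Constructed `arp -a` output: two real hosts in 192.168.1.0/24, one in 172.20.0.0/16
# (private, but outside the quoted "172.16." prefix), plus broadcast and multicast rows.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-0c-29-ab-cd-ef     dynamic
  172.20.5.9            00-50-56-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed flows: (src, dst, dst_port, payload).  Two magic packets, one of them on a
# non-standard port with a 6-byte SecureOn trailer, and one unrelated DNS-looking datagram.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.255", 9, SYNC_STREAM + bytes.fromhex("000c29abcdef") * MAC_REPEATS),
    ("192.168.1.10", "192.168.1.255", 40000,
     SYNC_STREAM + bytes.fromhex("001122334455") * MAC_REPEATS + b"\x00" * 6),
    ("192.168.1.10", "192.168.1.53", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    for ip, mac in wol_candidates(SAMPLE_ARP):
        print(f"would be woken: {ip} ({mac}) rfc1918={in_rfc1918(ip)}")
    for alert in wol_alerts(SAMPLE_FLOWS):
        print("WoL magic packet seen:", alert)
```

Run against real input, the ARP half tells you which powered-off machines a compromised host could reach, and the flow half gives you something to alert on: a single workstation emitting magic packets for many MACs, followed by SMB connections to the hosts that came up, is the sequence the article describes.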

"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WoL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments."

Send this heads-up to your friends so they "KnowBe4":
https://blog.knowbe4.com/heads-up-the-evil-ryuk-ransomware-strain-now-uses-wake-on-lan-to-encrypt-your-offline-devices
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats — and just as importantly — effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TODAY, Tuesday, January 21 @ 2:00 pm (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s Phish Alert email add-in button, or forwarding to a mailbox works too...
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TODAY, Tuesday, January 21 @ 2:00 pm (ET)

Save My Spot:
https://event.on24.com/wcc/r/2165375/1AB3377D6B7498CB06A81945579E91A5??partnerref=CHN2
The New SNAKE Ransomware Is an Attack Mix of Obfuscation, Encryption, and Corporate Disruption

Beware! This new targeted attack variant of ransomware is smart, sophisticated, and does a lot more than just encrypt files.

It’s inevitable that every attack vector – including ransomware – is going to evolve. The latest iteration in the ongoing saga of bad guys encrypting your data for ransom is SNAKE. According to MalwareHunterTeam (who first identified the strain), SNAKE ransomware has a higher level of obfuscation than is normally found with ransomware – this helps the ransomware make it past security solutions and results in a higher probability of infection.

It also deletes Windows’ Shadow Volume copies (to eliminate the ability to easily recover) and kills a number of different types of processes related to security solutions, industrial control systems, remote and network management tools, and more. This can bring operations and IT support to a halt.

And, as if that wasn’t enough, SNAKE encrypts all non-OS critical files and leaves the victim with a ransom note found within a txt file. This new ransomware should come as no surprise; the bad guys are constantly watching what the good guys (read: security vendors) are doing and are taking steps to make their malware as disruptive as is humanly possible – the more disruptive, the higher and more likely the payout.

Today, ransomware usually only finds entry in one of two ways: RDP connections or email. Locking down externally-facing RDP services fixes the former, and putting users through new-school security awareness training fixes the latter.

SNAKE's focus on obfuscation as part of the attack should be a warning that simply relying on security solutions is not going to be a surefire way to protect your environment; it’s only through educating your users to spot potentially malicious emails and to not engage with them that you can avoid newer, smarter, and more deadly strains of ransomware.
[BRAND-NEW WEBINAR] Now That Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim?

There is a reason more than half of today’s ransomware victims end up paying the ransom. Cyber-criminals have become thoughtful; taking time to maximize your organization’s potential damage and their payoff. After achieving root access, the bad guys explore your network reading email, finding data troves and once they know you, they craft a plan to cause the most panic, pain, and operational disruption. Ransomware has gone nuclear.

Join us Thursday, January 30 @ 2:00 pm (ET), for this webinar where Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will dive into:
  • Why data backups (even offline backups) won’t save you
  • Evolved threats from data-theft, credential leaks, and corporate impersonation
  • Why ransomware isn’t your real problem
  • How your end users can become your best, last line of defense
Date/Time: Thursday, January 30 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2167034/5A8EF121985F381E388D990EB12BF86F?partnerref=CHN2
You *Should* Be Scared of the Latest Strains of Phobos Ransomware

In an unusual twist, it’s not actually the ransomware itself that makes the newer forms of Phobos so frightening; it’s the people behind the attacks that will have you worried.

The Phobos family of ransomware has been around since late 2017 and has morphed into a few strains, always targeting larger organizations in hopes of taking home a bigger payout. It works to kill processes that may pose a threat, deletes Volume Shadow copies, disables Windows firewall, and even prevents systems from booting into recovery mode.

But that’s not the scary part.

The really frightening part of Phobos is how it’s distributed today. It is sold in a Ransomware-as-a-Service business model, and malware researchers have noted that those using Phobos today are less organized and less professional than the cybercriminal organizations that build and distribute their own ransomware.

What does this have to do with your organization? Plenty. It usually means it may take longer to negotiate a ransom (should you choose to pay), and there may be issues around the decryption of ransomed files and systems. Think about it: the person (or persons) responsible for the specific attack on your organization has no control over the malware used in the attack; they need to go back to the organization they are using to retrieve decryption keys and instructions.

With email still a primary attack vector, attackers still need to trick users into clicking on malicious attachments and links. Users that step through new-school security awareness training are better prepared to improve your org’s security posture by identifying malicious emails for what they are.
Are Your Users' Passwords…P@ssw0rd? Find out for a Chance to Win a Stormtrooper Helmet

Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password-related threats and reports any fails so that you can take action. Plus, if you're in the US or Canada, you’ll be entered for a chance to win a Star Wars Stormtrooper Helmet Prop Replica!

This will take you 5 minutes and may give you some insights you never expected!
https://info.knowbe4.com/wpt-sweepstakes-012020

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Tell me and I forget. Teach me and I remember. Involve me and I learn."
- Benjamin Franklin - Founding Father of the USA (1706 - 1790)

"Science cannot solve the ultimate mystery of nature. And that is because, in the last analysis, we ourselves are a part of the mystery that we are trying to solve."
- Max Planck - Physicist (1858 - 1947)



Thanks for reading CyberheistNews
Security News
Defending Against Ransomware Is a Team Effort

Ransomware operators have grown very skilled in targeting exactly what will compel an organization to pay up, according to Andrew Brandt, principal researcher at Sophos.

On the CyberWire’s Hacking Humans podcast, Brandt explained that organizations of all sizes are at risk from targeted ransomware attacks. Earlier ransomware attacks, like WannaCry in 2017, went after any machine that was vulnerable, but newer attacks involve meticulous targeting and staging.

“We don't see quite so many ransomware attacks that target individuals,” Brandt said. “We see that the criminals have realized that they can make a lot more money by targeting organizations that have the deep pockets to pay the ransom but may not have the technical expertise to recover themselves quickly enough to sort of restore business operations.

And it becomes a strategic game for the ransomware operators, where they're trying to do just enough damage that they push people into the paying the ransom decision instead of just trying to fix it themselves by recovering from backups or, you know, what have you.”

In order to penetrate an organization, attackers only need one point of entry from which to launch additional attacks and spread throughout the network. Brandt explained that organizations need to train their employees to defend themselves against these initial attacks.

“IT security, in particular, depends on, basically, everyone in the company is on the front lines,” he said. “And they need people to be their eyes and ears. And if the employees feel that they're not being treated respectfully by the security folks, being told that, oh, that was a really dumb thing to do - anybody can be fooled by a phishing attack.

Even I can be fooled. I have very nearly clicked malicious links, and I do this for a living. So, if I can be fooled, anybody can be fooled. And so, you should just be open to listening to people. And when they tell you something is going on that's not right, trust their instincts and at least take a look.”

Most ransomware attacks are caused by employee error, such as falling for a phishing email or using poor authentication measures. New-school security awareness training can prepare all of your employees to face these threats. The CyberWire has the story:
https://thecyberwire.com/podcasts/cw-podcasts-hh-2020-01-16.html
Hackers Request Aging Reports to Identify Their Next CEO Fraud Victims for Them

Rather than attempt to hack user credentials and gain access to Accounts Payable applications, hackers are now impersonating the CFO and obtaining all the detail they need to launch a scam.

In a decidedly smart move, hackers are now shifting tactics to make it easier to build a list of potential victims to defraud through false wire transfers. Traditionally, this is accomplished by hacking into the AR application from company “A”, and then phishing the AP department in company “B” to trick them into modifying banking details to a hacker-controlled bank account.

In a new twist, hackers impersonate the CFO of company A and request an updated aging report – a list of outstanding invoices – complete with up-to-date contact details for each of the customers with unpaid overdue invoices.

So, needing to do little more than pretend to be the CFO via email, hackers are handed a list of their potential victims. The next stage in the attack would be to pretend to be the AR department in company A and email each of the individuals identified in the aging report, asking them to pay their invoice using new banking details.

Organizations need to have processes in place whenever any kind of information is requested relating to payments – whether those that need to be paid or those that should be received. Hackers are constantly looking for new ways to extract this information to use for their own purposes.
TrickBot Hackers Have Created the Ultimate “On the Fly” Update Backdoor

The newly-created “PowerTrick” backdoor leaves malware ready to accept new commands and victim organizations perpetually in danger of the next thing the malware’s creators can think of.

It’s bad enough to be infected with a sophisticated piece of malware that supports multiple attack functions to serve the varying needs of those executing it. But this new version of malware from the cybercriminal group known as TrickBot puts their most valuable targets – usually financial institutions – at even higher risk.

According to security researchers at Sentinel One, TrickBot’s latest malware contains a stealthy backdoor tool, dubbed “PowerTrick”, that establishes persistence and allows for reconnaissance and the accepting of future commands, making their malware updatable and extensible as TrickBot sees fit over time.

This is dangerous stuff; whatever the scheme is today, with this new post-exploit tool in place, TrickBot can easily launch a new attack within compromised organizations down the road.

And, while TrickBot has mostly focused on the finance sector, PowerTrick will simply be the next big thing to be adopted by other malware creators, making this a standard part of the attack. So, organizations of every vertical should take note and put measures in place to come as close as possible to ensuring no malware can infect endpoints.

This should include security awareness training to reinforce the need for users to remain vigilant, assuming that some small percentage of malware will get past security solutions. Users that undergo this training are cognizant of the need to be watchful of emails and web content that seem suspicious in nature.

PowerTrick is just the first of what will likely become many extensible malware backdoors. You should assume we’ll be seeing more of this kind of methodology used by malware creators, and take steps today to prevent infection.
What KnowBe4 Customers Say

"Wow! Watching the first few minutes of Inside Man and it’s really good stuff! Great content, production quality and keeps you engaged!"
- Z.T., IT Director



"Things are going really well here with the KnowBe4 platform. We are getting ready to launch the ‘Security Culture’ survey and the ‘Security Awareness Proficiency’ assessment. We’ve integrated everything with our AD and MFA provider, and have also been successful using the “Policy Acknowledge” module. We’re happy that we made the decision to partner with KnowBe4."
- A.R. Director – Global Security, CISSP | CISM | CRISC | CCSP



"Stu, I wanted to provide some feedback on our Customer Success Manager Erin Flynn. She is an absolute pleasure to work with. She has helped us kick off our testing, our first few campaigns, and has the right style to make a seemingly hard task, easy.

Erin also has stayed connected to us, instead of the “hey thanks for buying now Byeeeee” approach to customer service. She reaches out, makes sure we are using the platform, and helps us each step along the way.

Thanks again for such a great experience and great product. Her enthusiasm for her work is evident and really helped us feel at home in the KnowBe4 product line up."
- W.C., Director of Member Services
The 10 11 Interesting News Items This Week
    1. Pre-Mortem Analysis: NY Fed Reveals Implications of Cyberattack on US Financial System:
      https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf?mod=article_inline
    2. Nice. NSA found a dangerous Windows software flaw and alerted Microsoft rather than weaponize it:
      https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html
    3. YOWZER! Equifax to Pay $380.5 Million to Settle Data Breach Class Claims:
      https://news.bloomberglaw.com/product-liability-and-toxics-law/equifax-to-pay-380-5-million-to-settle-data-breach-class-claims
    4. Beware of this sneaky conversation hijacking phishing technique now being used in more attacks:
      https://www.zdnet.com/article/beware-of-this-sneaky-phishing-technique-now-being-used-in-more-attacks/
    5. Yours Truly at Forbes: "How To Stop Cyberattacks With Security-Minded Company Culture":
      https://www.forbes.com/sites/forbestechcouncil/2020/01/15/how-to-stop-cyberattacks-with-security-minded-company-culture/#746bb5316202
    6. Companies Hit By Iranian Cyberattacks May Not Have Insurance Coverage:
      https://securityboulevard.com/2020/01/companies-hit-by-iranian-cyberattacks-may-not-have-insurance-coverage/
    7. Ransomware, phishing and cyber attacks scare business chiefs the most:
      https://www.zdnet.com/article/ransomware-phishing-and-cyber-attacks-scare-business-chiefs-the-most/
    8. Windows 7 ‘Crazy High’ Security Risk As Crypto Exploit Found In Audio Files:
      https://www.forbes.com/sites/daveywinder/2020/01/14/windows-7-crazy-high-security-risk-as-crypto-exploit-found-in-audio-files/
    9. Five Major US Wireless Carriers Are Vulnerable to SIM Swapping:
      https://hotforsecurity.bitdefender.com/blog/five-major-us-wireless-carriers-are-vulnerable-to-sim-swapping-22085.html
    10. Nemty Ransomware to Start Leaking Non-Paying Victim's Data:
      https://www.bleepingcomputer.com/news/security/nemty-ransomware-to-start-leaking-non-paying-victims-data/
    11. BONUS: She doesn't know what phishing is... so what will she do now? Go look it up on the public Wi-Fi in her hotel!:
      https://youtu.be/QATFQ0Lh3S8
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.