New CryptoWall Attack Wave Using Help Files / Scam Of The Week
A new CryptoWall attack wave has hit end-users with malicious .chm attachments that infect networks with the latest and most sophisticated file-encrypting ransomware. The latest wrinkle is that the fake "incoming fax report" email appears to the user to come from a machine in their own domain.
CryptoWall 3.0 is the most recent version of the original Cryptolocker, which arrived on the scene in September 2013 and made $27 million in ransom over its first few months. This file-encrypting ransomware social engineers end-users by masking its malicious payload as an innocent attachment.
Once the user opens it, the payload encrypts the files on all mapped drives and demands about $500 in ransom, to be paid in Bitcoin. The current attack uses a new attachment type: help files with the .CHM extension. Bitdefender Labs discovered the attack in late February 2015.
It is targeting users from around the world, including the US, the UK, several European countries and Australia. The servers that send the attack are compromised machines distributed over Asia, India, Europe, Australia, US, Romania and Spain. "Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments," states Catalin Cosoi, Chief Security Strategist at Bitdefender.
Catalin Cosoi adds, "CHM is an extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. It makes perfect sense: the less user interaction, the greater the chances of infection."
HTML files are compressed and delivered as a binary file with the .chm extension. This format is made of compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index and full text searching.
I recommend adding .CHM files to the list of potentially malicious extensions in your spam filters if they are not in there already.
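As an added example (not from the newsletter or from Bitdefender), here is a small Python filter that quarantines attachments by the .CHM extension and, because attackers can rename files, also by the four-byte "ITSF" header that every compiled HTML help file starts with. The sample "fax report" message is constructed inline; its CHM payload is only the magic header plus padding, not a real help file.

```python
import base64
import email
from email import policy

BLOCKED_EXTENSIONS = {".chm"}
CHM_MAGIC = b"ITSF"  # every compiled HTML help file starts with these four bytes

def flag_attachments(raw_message):
    """Return [(filename, [reasons])] for attachments that look like CHM files."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append("blocked extension")
        if data[:4] == CHM_MAGIC:  # catches a CHM renamed to .pdf, .doc, etc.
            reasons.append("CHM magic bytes")
        if reasons:
            findings.append((name, reasons))
    return findings

def _attachment(filename, data):
    # Build one base64-encoded MIME attachment part for the constructed sample
    return (
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        + base64.b64encode(data).decode() + "\r\n"
    )

# Constructed sample (not a real capture): the fake CHM is just the magic header plus padding.
FAKE_CHM = CHM_MAGIC + b"\x00" * 28
SAMPLE_EML = (
    "From: fax@example-corp.test\r\n"
    "To: user@example-corp.test\r\n"
    "Subject: Incoming fax report\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nYour fax is attached.\r\n"
    + _attachment("fax_report.chm", FAKE_CHM)   # flagged by extension and magic
    + _attachment("fax_report.pdf", FAKE_CHM)   # renamed CHM, flagged by magic only
    + _attachment("notes.txt", b"plain text")   # harmless, not flagged
    + "--b1--\r\n"
)

if __name__ == "__main__":
    for name, reasons in flag_attachments(SAMPLE_EML):
        print(f"QUARANTINE {name}: {', '.join(reasons)}")
```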
Scam Of The Week: Ransomware Attack Wave
Looking at the above news, I would send the following to your end-users. Feel free to copy or edit. Just get the word out to employees, friends and family.
"There is a new type of malicious software (malware) that attacks employees in organizations like ours. It is called "ransomware" and what it does is try to trick you into opening an innocent looking email attachment that claims to be a fax report from our own organization. But if you open it up, this malware locks all your files and potentially all files of everyone else too. It then demands a $500 ransom to get your files back. This can happen in the office and at the house.
"At the moment, this malware is sent in a wave of attacks all over the world. If you receive an email that claims to be a fax report that seems to come from our own domain, but has the .CHM file extension, delete the email. Do not open it up, and do not forward it to anyone. After you delete the email, please warn IT that it sits in your Deleted Items.
"Be alert for this latest attack, and remember: 'Think Before You Click!'"
New Ransomware CryptoFortress Encrypts Unmapped Network Shares
It used to be that ransomware only looked at hard drive C: and then any other mapped drives like D:, E:, F:, etc. Now a newly discovered strain called CryptoFortress, found recently by security researcher Kafeine, has stolen the look and feel of TorrentLocker but is a whole new malicious strain. It would be a bit much to call this a new generation, but it certainly is a powerful evil new feature.
CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter. Normally when ransomware encrypts your data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them.
Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress as this ransomware will also attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found.
As you can see from the image on our blog, CryptoFortress is able to encrypt the file test.txt in an open share over SMB on a test network. This new ability changes the threat landscape for all server and network administrators, and it is more important than ever to properly secure your shared folders with strong permissions.
At the moment, it looks like the infection vector is Exploit Kits sitting on compromised websites, so that means patch workstations religiously, tighten up proxy and/or firewall rules, and possibly tell people to be careful out there (maybe only Facebook?) if they surf the web on company workstations. Full post with links to more detail:
https://blog.knowbe4.com/new-ransomware-cryptofortress-encrypts-unmapped-network-shares
Warm Regards,
Stu Sjouwerman
Quotes of the Week:
"Keep true to the dreams of your youth." - Friedrich Schiller
"Yesterday is but today's memory, and tomorrow is today's dream." - Khalil Gibran
"A dream doesn't become reality through magic; it takes sweat, determination and hard work." - Colin Powell
Thanks for reading CyberheistNews!
World Class Security Awareness Training: $10 Per Seat Or Less!
Did you know that KnowBe4's Kevin Mitnick Security Awareness Training is used by 1,000+ enterprise accounts? It's the world's most popular integrated Security Awareness Training and Simulated Phishing platform. For just 10 bucks per seat/yr. (or even less) you get:
- World-class Kevin Mitnick security awareness training
- Super flexible simulated phishing templates and landing pages
- KnowBe4's unique "anti-prairie dog" feature
- Extensive executive reporting
- Powerful additional features and NEW community phishing templates!
This is so incredibly affordable that it's really a no-brainer to get this deployed in your organization. Get a quote now for the volume discount that you qualify for. Guaranteed $10 or less per seat!
https://info.knowbe4.com/kmsat_get_a_quote_now
Hospital Sues Bank of America Over Million-Dollar Cyberheist
A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital's payroll account almost 100 "money mules," unwitting accomplices who'd been hired to receive and forward money to the perpetrators.
Krebs said: "So, if you run a business and you're expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses." The full story is at Brian Krebs' excellent site, which also has a link to the best practices. Recommended!
https://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-million-dollar-cyberheist/
Small Firms Do Have One Edge in Fraud Fight
In the technology industry, the firms that provide anti-fraud and authentication tools to smaller financial institutions and credit unions are in an arms race with cybercriminals. That is not going to stop. It's the new normal. Still, most financial crimes result from successfully spear phishing an end user and compromising legitimate user credentials.
The wild card for smaller financial institutions may still be the ability of their end users to recognize when they are being scammed and not fall into the spear phishing trap. That may provide only a slight edge, but given today's threat level, any edge is worth having. Interesting article by John Zurawski over at Credit Union Times:
https://www.cutimes.com/2015/03/01/small-firms-have-edge-in-fraud-fight?
Anatomy Of A Ransomware Attack [Infographic]
How does ransomware actually work? Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries a ransomware attack is considered a data breach. The U.K. antivirus company Sophos did a great job creating an infographic that I included in a blog post. A simple and quick way to wrap your wits around cryptoware:
https://blog.knowbe4.com/anatomy-of-a-ransomware-attack-infographic
This Week's Links We Like. Tips, Hints And Fun Stuff.
Megabytes, Gigabytes, Terabytes... What Are They? This list goes up to Brontobytes!
https://www.whatsabyte.com/
"Perpetual Motion machines" - All fakes. Find out how they did the fakes by observing each example carefully. It's quite fun:
https://www.youtube.com/watch?v=fQQ8_PDAdfI
CSI: Cyber: We Watched So You Didn't Have To - by Threatpost. The show is horrible but the comments by real infosec pros are hilarious:
https://threatpost.com/csi-cyber-we-watched-so-you-didnt-have-to/111440