CyberheistNews Vol 5 #10 New CryptoWall Attack Wave Using Help Files / Scam Of The Week

New CryptoWall Attack Wave Using Help Files / Scam Of The Week

A new CryptoWall attack wave is hitting end-users with malicious .chm attachments that infect networks with the latest and most sophisticated file-encrypting ransomware. The latest wrinkle is that the fake "incoming fax report" email appears to the user to come from a machine in their own domain.

CryptoWall 3.0 is the most recent version of CryptoWall, a family that followed in the footsteps of the original CryptoLocker, which arrived on the scene in September 2013 and made an estimated 27 million dollars in ransom over its first few months. This file-encrypting ransomware social engineers end-users by masking its malicious payload as an innocent attachment.

Once the user opens it, the payload encrypts the files on all mapped drives and demands about $500 in ransom, to be paid in Bitcoin. The current attack uses a new kind of attachment: help files with the .CHM extension. Bitdefender Labs discovered the attack in late February 2015.

It is targeting users around the world, including the US, the UK, several European countries and Australia. The servers that send the attack are compromised machines distributed over Asia, India, Europe, Australia, the US, Romania and Spain. "Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments," states Catalin Cosoi, Chief Security Strategist at Bitdefender.

Catalin Cosoi adds, "CHM is an extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. It makes perfect sense: the less user interaction, the greater the chances of infection."

A CHM file is a single compressed binary, delivered with the .chm extension, that bundles HTML documents, images and JavaScript files together with a hyperlinked table of contents, an index and full-text search data. Windows opens it with the HTML Help viewer (hh.exe), so script embedded in those pages runs as soon as the file is opened, with no macro warning or "enable content" prompt in between.

I recommend adding .CHM to the list of blocked attachment extensions in your spam filter, if it is not in there already. Keep in mind that an extension filter only catches files that are honestly named; a gateway that also inspects the attachment's content will catch a CHM that has been renamed to look like something else.
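Filtering on the .CHM extension alone is defeated by renaming the file, so a practical attachment check also looks at the bytes. The Python below is an added example written for this newsletter; it is not Bitdefender's or KnowBe4's code. It walks a message's attachments and flags any that are Compiled HTML Help files by their ITSF signature, whatever extension they carry. The fake "incoming fax report" message, its sender domain (example.internal) and the block list of extensions are constructed for the demonstration.

```python
"""Flag e-mail attachments that are Compiled HTML Help (CHM) files by content, not just by name.

Added example for this newsletter, not Bitdefender's or KnowBe4's code. It assumes the
message is available as raw RFC 5322 bytes (for instance from a mail gateway's quarantine);
the fax-report lure built below is constructed sample data.
"""
import os
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# Every CHM file starts with the ITSF signature, followed by a little-endian format
# version and total header length. Real-world files are version 2 or 3.
CHM_MAGIC = b"ITSF"
# Assumption: extensions this gateway already blocks by name; .chm is the addition.
BLOCKED_EXTENSIONS = {".chm", ".exe", ".scr", ".js", ".vbs", ".cpl"}


def looks_like_chm(data: bytes) -> bool:
    """Return True when the first bytes carry a plausible CHM (ITSF) header."""
    if len(data) < 12 or not data.startswith(CHM_MAGIC):
        return False
    version, header_len = struct.unpack_from("<II", data, 4)
    return version in (2, 3) and header_len >= 0x58


def audit_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment with a block/allow verdict and the reason."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        chm_by_content = looks_like_chm(payload)
        if chm_by_content and ext != ".chm":
            reason = "CHM content disguised with a %s extension" % (ext or "missing")
        elif chm_by_content:
            reason = "CHM attachment"
        elif ext in BLOCKED_EXTENSIONS:
            reason = "blocked extension %s" % ext
        else:
            reason = "no indicator"
        findings.append({
            "filename": filename,
            "extension": ext,
            "chm_by_content": chm_by_content,
            "verdict": "block" if reason != "no indicator" else "allow",
            "reason": reason,
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed message imitating the fake fax-report lure, spoofed from the victim's own domain."""
    msg = EmailMessage()
    msg["From"] = "fax-server@example.internal"   # assumption: the recipient's own domain
    msg["To"] = "user@example.internal"
    msg["Subject"] = "Incoming Fax Report"
    msg.set_content("You have received a new fax. Open the attached report.")
    # 96-byte ITSF v3 header with the rest zeroed: enough to trip the signature check.
    fake_chm = CHM_MAGIC + struct.pack("<II", 3, 0x60) + b"\x00" * 84
    msg.add_attachment(fake_chm, maintype="application", subtype="octet-stream",
                       filename="Fax_Report_20150304.chm")
    # The same bytes renamed to slip past an extension-only filter.
    msg.add_attachment(fake_chm, maintype="application", subtype="pdf",
                       filename="Fax_Report_20150304.pdf")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_attachments(build_sample_message()):
        print("%-6s %-26s %s" % (finding["verdict"].upper(), finding["filename"], finding["reason"]))
```

Run as-is it prints a block verdict for both fax-report attachments, including the one renamed to .pdf, and lets notes.txt through. In a real gateway the same check belongs in the attachment-scanning stage, ahead of any extension-based rule.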

Scam Of The Week: Ransomware Attack Wave

Looking at the above news, I would send the following to your end-users. Feel free to copy or edit it. Just get the word out to employees, friends and family.

"There is a new type of malicious software (malware) that attacks employees in organizations like ours. It is called "ransomware" and what it does is try to trick you into opening an innocent-looking email attachment that claims to be a fax report from our own organization. But if you open it up, this malware locks all your files and potentially all files of everyone else too. It then demands a $500 ransom to get your files back. This can happen in the office and at home.

"At the moment, this malware is being sent in a wave of attacks all over the world. If you receive an email that claims to be a fax report and seems to come from our own domain, but has an attachment with the .CHM file extension, delete the email. Do not open it, and do not forward it to anyone. After you delete the email, please warn IT that it sits in your Deleted Items.

"Be alert for this latest attack, and remember: "Think Before You Click!"

New Ransomware CryptoFortress Encrypts Unmapped Network Shares

It used to be that ransomware only looked at hard drive C: and then at any other mapped drives like D:, E:, F:, etc. A newly discovered strain called CryptoFortress, found recently by security researcher Kafeine, changes that. It has stolen the look and feel of TorrentLocker but is a whole new malicious strain. It would be a bit much to call this a new generation, but it certainly is a powerful new evil feature.

CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter. Normally when ransomware encrypts your data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them.

Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress, as this ransomware will also attempt to enumerate all open Server Message Block (SMB) shares on the network and encrypt any that are found.

A screenshot at our blog shows CryptoFortress successfully encrypting the file test.txt in an open share over SMB on a test network. This new ability changes the threat landscape for all server and network administrators, and it is now more important than ever to properly secure your shared folders with strong permissions: a share that Everyone or Domain Users can write to is reachable from any workstation where a single user has been infected, mapped or not.
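Share enumeration turns "strong permissions" into a concrete, checkable requirement: no share should let a broad principal write to it. The Python below is an added example written for this newsletter, not code from Kafeine's analysis or from KnowBe4. It audits exported SMB share ACLs for exactly that condition. It assumes the ACLs were exported from each Windows file server with Get-SmbShareAccess piped to Export-Csv, so the CSV carries Name, ScopeName, AccountName, AccessControlType and AccessRight columns; the rows it analyses are constructed sample data, and the list of "broad" principals is this example's assumption about what counts as everyone.

```python
"""Find SMB shares that any domain user can write to.

Added example for this newsletter, not part of the original post or of any vendor tool.
Assumption: share ACLs were exported from each Windows file server with
    Get-SmbShareAccess | Export-Csv shares.csv -NoTypeInformation
so the CSV carries Name, ScopeName, AccountName, AccessControlType and AccessRight.
SAMPLE_CSV below is constructed data in that shape.
"""
import csv
import io

# Principals that, in practice, mean "whoever is logged on to any compromised workstation".
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users", "anonymous logon"}
# Share-level rights that permit creating or overwriting files.
WRITE_RIGHTS = {"full", "change"}

SAMPLE_CSV = """Name,ScopeName,AccountName,AccessControlType,AccessRight
Finance,*,BUILTIN\\Administrators,Allow,Full
Finance,*,CORP\\Finance-RW,Allow,Change
Public,*,Everyone,Allow,Full
Scans,*,CORP\\Domain Users,Allow,Change
Scans,*,CORP\\Contractors,Deny,Full
Templates,*,NT AUTHORITY\\Authenticated Users,Allow,Read
Backups,*,Everyone,Allow,Full
Backups,*,Everyone,Deny,Full
"""


def principal_name(account: str) -> str:
    """Strip the domain or authority prefix and normalise case.

    'NT AUTHORITY\\Authenticated Users' -> 'authenticated users'
    """
    return account.rsplit("\\", 1)[-1].strip().lower()


def audit_share_acls(csv_text: str) -> dict:
    """Return {share: [account, ...]} for every share where a broad principal holds Change or Full."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # A Deny ACE takes precedence over an Allow ACE for the same principal on the same share.
    denied = {(r["Name"], principal_name(r["AccountName"]))
              for r in rows if r["AccessControlType"].lower() == "deny"}
    exposed = {}
    for r in rows:
        principal = principal_name(r["AccountName"])
        if (r["AccessControlType"].lower() == "allow"
                and principal in BROAD_PRINCIPALS
                and r["AccessRight"].lower() in WRITE_RIGHTS
                and (r["Name"], principal) not in denied):
            exposed.setdefault(r["Name"], []).append(r["AccountName"])
    return exposed


if __name__ == "__main__":
    for share, accounts in sorted(audit_share_acls(SAMPLE_CSV).items()):
        print("%-10s writable by %s -> grant Change to a named group instead; "
              "broad principals get Read at most" % (share, ", ".join(accounts)))
```

On the sample data this reports Public (Everyone: Full) and Scans (Domain Users: Change) and nothing else: Finance only grants write to a named group, Templates gives Authenticated Users read only, and the Everyone Deny on Backups overrides its Allow. Share permissions are only the outer gate; the NTFS permissions on the folder behind the share apply as well, and this check says nothing about them.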

At the moment, it looks like the infection vector is exploit kits sitting on compromised websites, so that means patch workstations religiously, tighten up proxy and/or firewall rules, and possibly tell people to be careful out there (maybe only Facebook?) if they surf the web on company workstations. Full post with links to more detail:
https://blog.knowbe4.com/new-ransomware-cryptofortress-encrypts-unmapped-network-shares


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

"Keep true to the dreams of your youth." - Friedrich Schiller

"Yesterday is but today's memory, and tomorrow is today's dream." - Khalil Gibran

"A dream doesn't become reality through magic; it takes sweat, determination and hard work." - Colin Powell

Thanks for reading CyberheistNews!

Security News

World Class Security Awareness Training: $10 Per Seat Or Less!

Did you know that KnowBe4's Kevin Mitnick Security Awareness Training is used by 1,000+ enterprise accounts? It's the world's most popular integrated Security Awareness Training and Simulated Phishing platform. For just 10 bucks per seat/yr. (or even less) you get:

  • World-class Kevin Mitnick security awareness training
  • Super flexible simulated phishing templates and landing pages
  • KnowBe4's unique "anti-prairie dog" feature
  • Extensive executive reporting
  • Powerful additional features and NEW community phishing templates!

This is so incredibly affordable that it's really a no-brainer to get this deployed in your organization. Get a quote now for the volume discount that you qualify for. Guaranteed $10 or less per seat!
https://info.knowbe4.com/kmsat_get_a_quote_now

Hospital Sues Bank of America Over Million-Dollar Cyberheist

A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.

In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added almost 100 "money mules" to the hospital's payroll account, unwitting accomplices who'd been hired to receive and forward money to the perpetrators.

Krebs said: "So, if you run a business and you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses." The full story is at Brian Krebs' excellent site, which also has a link to the best practices. Recommended!
https://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-million-dollar-cyberheist/

Small Firms Do Have One Edge in Fraud Fight

In the technology industry, the firms that provide anti-fraud and authentication tools to smaller financial institutions and credit unions are in an arms race with cybercriminals. That is not going to stop. It's the new normal. Still, most financial crimes result from successfully spear phishing an end user and compromising legitimate user credentials.

The wild card for smaller financial institutions may still be the ability of their end users to recognize when they are being scammed and not fall into the spear phishing trap. That may provide only a slight edge, but given today's threat level, any edge is worth having. Interesting article by John Zurawski over at Credit Union Times:
https://www.cutimes.com/2015/03/01/small-firms-have-edge-in-fraud-fight

Anatomy Of A Ransomware Attack [Infographic]

How does ransomware actually work? Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries a ransomware attack is considered a data breach. The U.K. antivirus company Sophos did a great job creating an infographic that I included in a blog post. A simple and quick way to wrap your wits around cryptoware:

https://blog.knowbe4.com/anatomy-of-a-ransomware-attack-infographic

Megabytes, Gigabytes, Terabytes... What Are They? This list goes up to Brontobytes!

https://www.whatsabyte.com/

"Perpetual Motion machines" - All fakes. Find out how they did the fakes by observing each example carefully. It's quite fun:
https://www.youtube.com/watch?v=fQQ8_PDAdfI

CSI: Cyber: We Watched So You Didn't Have To - by Threatpost. The show is horrible but the comments by real infosec pros are hilarious:
https://threatpost.com/csi-cyber-we-watched-so-you-didnt-have-to/111440