New Ransomware CrypVault Evades AV With Simple Batch Scripts
A new ransomware strain dubbed CRYPVAULT is being spread as an email attachment. It's beta testing in Eastern Europe and is making its way to Europe and America.
It's a novel approach. In an attempt to bypass any and all endpoint protection, the user is socially engineered into opening an attached JavaScript file; the phishing email does not carry an executable as its payload. The script then uses the command prompt to run a batch file that encrypts the files.
According to a post by Michael Marcos, threat response engineer with Trend Micro, CRYPVAULT encrypts the files and then makes them appear to the end-user as if they were quarantined, by giving them the .vault extension.
Adam Greenberg at SCMagazine reported: "The act of disguising the users' encrypted files as quarantined files possibly aims to raise urgency for users to take action on their files," Marcos told SCMagazine.com in an email correspondence, going on to add, "Appending a .vault file extension can also be used as a marker for the malware to know that the file is already encrypted."
"The ransomware is written in a batch script (the script is executed line per line in the command line/MS-Prompt)," Marcos said. "It did not import any libraries, nor can it create functions. The commands were executed from top to bottom."
What To Do About It
Two things: First, check your edge devices (firewall, spam filters, proxy servers etc.) to make sure that attachments with a .js file extension are detected and quarantined, or that the whole e-mail is deleted.
Second: It is clear that more and more Eastern European cyber mafias are jumping on the ransomware bandwagon, and that employees need to be trained within an inch of their lives not to fall for these types of social engineering attacks. Find out how affordable this is today:
https://info.knowbe4.com/kmsat_get_a_quote_now
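The attachment check described in the first step, as an added example that is not part of the newsletter or of any vendor's product: it parses a MIME message with Python's standard library and returns the attachment names an edge filter should quarantine. The sample message is constructed, and the extensions beyond .js are assumed additions of the same script-file class.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions to quarantine at the edge. .js is the attachment type used by
# CrypVault; the others are assumed additions of the same script-file class.
BLOCKED_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}


def attachment_names(raw_message: bytes):
    """Yield the filename of every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name


def flagged_attachments(raw_message: bytes):
    """Return attachment names whose final extension is on the block list.
    Case-insensitive (Windows ignores case when choosing the script host) and
    only the last extension counts, so 'invoice.pdf.js' is still caught."""
    flagged = []
    for name in attachment_names(raw_message):
        _, ext = os.path.splitext(name.strip())
        if ext.lower() in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed phishing-style message: a harmless PDF plus two script
    attachments, one with a mixed-case and one with a double extension."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"// placeholder, not a real script", maintype="application",
                       subtype="octet-stream", filename="Invoice_Scan.JS")
    msg.add_attachment(b"// placeholder, not a real script", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flagged_attachments(build_sample()))  # ['Invoice_Scan.JS', 'invoice.pdf.js']
```

A gateway would run `flagged_attachments` on each inbound message and quarantine it when the list is non-empty; archives that wrap a .js file are not unpacked here.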
There is much more technical detail, including a schematic of the infection chain at the KnowBe4 Blog here:
https://blog.knowbe4.com/new-ransomware-crypvault-makes-files-look-like-they-are-quarantined
So, What Is The Real Reason The White House Got Hacked?
According to a new CyberEdge research survey of 19 sectors including government, spearphishing is the biggest concern to IT security pros, more worrisome than even malware. And only 20 percent of officials expressed confidence their organizations have invested enough in educating employees how to avoid falling for phishing attacks.
You may know that for months now, the State Department has struggled to keep Russian hackers out of its networks, despite periodic shutdowns of email for maintenance and a massive endeavor to re-issue credentials, according to officials. The White House maintains the intruders did not breach classified material, but CNN reports they had access to sensitive data such as confidential updates on President Barack Obama's schedule.
State even provided an online cyber training course, to train employees to be careful about the personal and professional information they post on social media. Social engineering was the topic of the lecture. One of the subjects covered, according to State's website, was "organizational risk to social engineering through email and social media."
"No one at the White House took the course," White House deputy press secretary Shawn Turner told Nextgov. Well, that will get you hacked. Kevin and I are giving the White House a second chance, step through our training...for free. Mr President, call us anytime! :-D
If you want to know what your phishing attack surface is, you can find out at no cost. We will send you your Email Exposure Check (EEC) with all email addresses belonging to your domain that are out there on the Internet for the bad guys to find:
https://info.knowbe4.com/free-email-exposure-check-CTA-GEN
NEW: This Week's Five Most Popular HackBusters Posts
Here are this week's five most popular hackbusters posts:
- Hacked French Network Exposed Its Own Passwords During TV Interview:
https://www.hackbusters.com/news/stories/301995-hacked-french-network-exposed-its-own-passwords-during-tv-interview
- How to Run Linux Kernel on Canon DSLRs Cameras:
https://www.hackbusters.com/news/stories/300053-how-to-run-linux-kernel-on-canon-dslrs-cameras
- John Oliver Sits Down With Edward Snowden:
https://www.hackbusters.com/news/stories/299575-john-oliver-sits-down-with-edward-snowden
- Anonymous Hackers Target Israeli Websites and Leak Credentials:
https://www.hackbusters.com/news/stories/300249-anonymous-hackers-target-israeli-websites-and-leak-credentials
- NSA and CIA Analysts Watching Porn, A Lot of Porn, More Than You Could Ever:
https://www.hackbusters.com/news/stories/299750-nsa-cia-analysts-watching-porn-a-lot-of-porn-more-than-you-could-ever
Warm Regards,
Stu Sjouwerman
Quotes of the Week:
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming 'Wow! What a Ride!'" - Hunter S. Thompson
"A purpose is the eternal condition of success." - Theodore T. Munger
NEW Whitepaper: Best Practices for Dealing with Phishing and Next-Generation Malware
Can users be your first line of defense?
Phishing and malware threats are skyrocketing as cybercriminals become more adept, stealthier, and more able to penetrate your IT security defenses.
The consequences of even a single attack penetrating your network can be devastating, resulting in enormous potential losses. Large amounts of dollars stolen directly out of your corporate financial accounts, your CEO first reading about your data breach in the morning paper, the loss of intellectual property like trade secrets, and possibly the bankruptcy of your organization.
To combat phishing attempts and next-generation malware, this new Osterman Research white paper gives you a list of high-priority actionable items, all related to IT security. One of these is to learn how users can be mobilized as your first line of defense using effective security awareness training. Download Now:
https://info.knowbe4.com/whitepaper-osterman-bp-phishing-15-04-14
So, You "Don’t Believe In" Security Education?
Joe Ferrara, CEO of our friends at Wombat Security, posted an excellent editorial at the DarkReading site. He takes on the awareness training naysayers and methodically shows why they are in the minority. I like his analytical approach pointing out why they are wrong, and he comes up with a lot of actionable ammo in a short post. Recommended Reading!
https://www.darkreading.com/endpoint/so-you-dont-believe-in-security-education-/a/d-id/1319793?#msgs
Mass Police Pay Ransom After Ransomware Phishing Attack
Last December Police in Massachusetts confronted a new and growing frontier in cybercrime when the CryptoLocker ransomware virus infected the department’s network, encrypting essential department files until the town paid a $500 Bitcoin ransom.
In total, police systems were down between four and five days as the department worked with the FBI, Homeland Security, Massachusetts State Police, as well as private firms in an effort to restore their data without paying the ransom.
The problem? The last good backup tape was 18 months old. Ouch.
According to the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), CryptoLocker is a malware campaign that initially surfaced in 2013. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be through phishing emails containing malicious attachments, phony FedEx and UPS tracking notices, and even through pop-up ads.
Police Chief Timothy Sheehan told the Town Crier that Tewksbury was hit with a newer form of CryptoLocker, for which authorities did not have the key. Though initially infected sometime on December 7, the department became aware of the malware on December 8, 2014.
A recent KnowBe4 survey of more than 300 IT professionals found that 88 percent of respondents said security awareness training provides the most effective protection from ransomware. More at esecurityplanet:
https://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html
How Data Breaches Break Down By State And Sector
Morgan & Morgan, a personal injury law firm, has compiled data that shows 930 million records have been breached since 2005. In 2010, if you received a notification of a data breach, your chances of becoming a victim of fraud were one in nine. By 2012, those odds had shrunk to one in four. Now, in 2014, it’s one in three. Here is a breakdown by state and sector of the data breaches in the past 10 years. This is an interesting and scary slide show:
https://www.csoonline.com/article/2907517/data-breach/how-data-breaches-break-down-by-state-and-sector.html
Identifying and Disrupting Crypto-Ransomware
Adam Cramer posted something interesting at the SANS digital forensics blog. It's a new idea for stopping ransomware and destructive malware from causing too much damage: monitor file handles and watch for abnormal activity. He even wrote some free code you can experiment with. It's all here:
https://digital-forensics.sans.org/blog/2015/04/03/identifying-and-disrupting-crypto-ransomware-and-destructive-malware
This Week's Links We Like. Tips, Hints And Fun Stuff.
Indiana Jones in Real Life! In 4K. This looks like a BLAST. Never mind the bruises...
https://youtu.be/qPKKtvkVAjY
Wingsuit Precision Flight. Wow, this guy is good!
https://youtu.be/uRGaIK51LWc
Unified Weapons Master Video - high-tech armor that looks pretty cool:
https://youtu.be/bK8BCdhsCF8