CyberheistNews Vol 6 #1 Jan 5, 2016

First Javascript-only Ransomware-as-a-Service Discovered
Stu Sjouwerman

Cybercrime has piggybacked on the extremely successful SaaS model and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant have appeared in 2015.

However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the "write-once-infect-all" threat, which is something to be aware of.

For the moment it's only a Windows executable though, and do not confuse Java and JavaScript. They use a very similar syntax but are completely different. Java is a (buggy) object-oriented programming language, originally developed by Sun and now owned by Oracle since it acquired Sun. JavaScript on the other hand is an object-oriented client-side scripting language that is implemented in the browser. Without JavaScript, most of the interactive features of almost every site on the web would not be possible, so you cannot just disable JavaScript because that breaks a large part of the web.

So, how did the bad guys implement this technically?

The key building block is NW.js. What NW.js does is let you take node.js, standard JavaScript scripts, and Chromium and bundle them into a single executable. When you run this executable, Chrome executes and launches the JavaScript scripts. This allows any whitehat or blackhat developer to create and distribute native apps that run just like a normal executable. The malware package is a self-extracting RAR file of 22MB which expands to over 67MB.

Using this architecture they can encrypt client-side files without using many resources and stay under the radar to prevent detection. Ransom32 will target only specific file extensions and encrypt them using AES encryption, but it uses wildcards like .*sav* to maximize its "effectiveness". A large benefit for the malware author is that NW.js is a legitimate framework and application, so it is no surprise that antivirus signature coverage is still very poor at the time of writing. See Virustotal here:
http://tinyurl.com/virustotalknowbe4

How Does This Ransomware-as-a Service Work?

Any newbie cybercriminal can easily go to a darkweb TOR site, register with a Bitcoin address, configure and download their very own customized version of the executable. The developers take a 25% cut of all ransom payments and then forward the rest to their criminal affiliate. You can run multiple campaigns with different Bitcoin addresses. The executable can be spread with the usual infection vectors like massive spray-and-pray phishing campaigns, targeted spear-phishing, malvertising with poisoned ads on websites compromised with exploit kits causing drive-by-downloads of the RaaS executable, manually hacking Linux servers or brute forcing terminal servers.

What Is The Scary Part?

Larry Abrams at BleepingComputer put it best: "No administrative rights necessary. Runs under the security context of the user. The ransomware itself isn't a big deal at all. It must be executed, just like any other executable because that is what it is, or installed via an exploit just like all other ransomware.

"The main point is that it is created in JavaScript. JavaScript is cross-platform and so is node.js. Using NW.js, it would be trivial to take this javascript/node.js program and easily generate packages that run on Linux or Macs as well. You now have one codebase that works on all three major server and desktop environments. Then it just becomes up to the affiliate to decide how they distribute the ransomware package. With any would-be criminal able to easily signup, the sky is the limit. That is the scary part."

He summarized with this shorthand: "Uses AES encryption. Affiliate service. No way to decrypt for free at this time. Extracts to folder in %Temp% and %AppData%\Chrome Browser. Creates startup called ChromService. Uses TOR to communicate with C2."

What To Do About It

  • It is still in the early days, at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, we will update this post.
  • Your best protection remains a solid and proven backup strategy, with regular off-site copies.
  • For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running from standard paths (%appdata%, %temp%, etc).
  • Step your users through effective security awareness training which includes frequent simulated phishing attacks:
    https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
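As an added illustration of two items above (the %AppData%\Chrome Browser drop folder and the ChromService startup entry that Abrams lists, plus the advice to block executables from running out of %appdata% and %temp%), here is a small defender-side checker. It is example code written for this page, not code from the newsletter, BleepingComputer or Emsisoft; the startup entries it scans are constructed sample data, and the blocked path roots and indicator strings are assumptions drawn only from what the article states.

```python
"""
Added example (not from the newsletter): apply a simple path policy
("executables must not run from %AppData% / %Temp%") and scan an
inventory of startup entries for the indicators the article reports
for Ransom32. Pure string matching, so it runs on any platform.
"""
import fnmatch
import ntpath

# Assumed blocked roots (lowercase Windows path patterns). The '*' in
# the user segment matches any profile name. These are the folders the
# article says executables should be blocked from; extend as needed.
BLOCKED_ROOTS = [
    r"c:\users\*\appdata\roaming",
    r"c:\users\*\appdata\local\temp",
    r"c:\windows\temp",
]

# Assumed set of "executable" extensions the policy should cover.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Indicators taken from the article: startup entry name and drop folder.
REPORTED_STARTUP_NAME = "chromservice"
REPORTED_DROP_FOLDER = "\\appdata\\roaming\\chrome browser\\"


def is_blocked_path(path: str) -> bool:
    """True if `path` is an executable located under a blocked root."""
    p = ntpath.normpath(path).lower()
    _, ext = ntpath.splitext(p)
    if ext not in EXECUTABLE_EXTS:
        return False  # policy applies to executables only
    # fnmatch's '*' also crosses backslashes, which is what we want here.
    return any(fnmatch.fnmatchcase(p, root + "\\*") for root in BLOCKED_ROOTS)


def executable_from_command(command: str) -> str:
    """Extract the program path from a startup command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def check_startup_entries(entries):
    """entries: list of (name, command) pairs as a startup inventory would export.
    Returns [(name, [reasons...])] for entries matching the reported
    indicators or violating the path policy."""
    findings = []
    for name, command in entries:
        reasons = []
        exe = executable_from_command(command)
        if name.lower() == REPORTED_STARTUP_NAME:
            reasons.append("startup name matches reported Ransom32 entry")
        if REPORTED_DROP_FOLDER in ntpath.normpath(exe).lower():
            reasons.append("runs from reported %AppData%\\Chrome Browser drop folder")
        if is_blocked_path(exe):
            reasons.append("executable launched from a blocked user-writable path")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample inventory (not real data): one benign entry, one
# matching the reported indicators, one generic policy violation.
SAMPLE_STARTUP = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("ChromService", r'"C:\Users\alice\AppData\Roaming\Chrome Browser\chrome.exe"'),
    ("Updater", r"C:\Users\bob\AppData\Local\Temp\update.exe -q"),
]

if __name__ == "__main__":
    for entry_name, why in check_startup_entries(SAMPLE_STARTUP):
        print(f"{entry_name}: " + "; ".join(why))
```

In practice the `entries` list would come from whatever inventory tool you already run (registry Run keys, Startup folder, scheduled tasks); the value of the check is that the path rule catches the generic case regardless of whether the malware keeps the ChromService name.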

We want to thank our friends over at BleepingComputer, who brought this threat to our attention first. Also, for a more thorough and detailed explanation on how the Ransom32 utilizes NW.js and encrypts your data, please see this great Emsisoft article:
http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/

Ransomware In 2016: What To Look Out For

It is clear that a ransomware crime wave will surge across America and Canada. Here is what we expect will happen in 2016 and what you need to look out for:

    1. Ransomware attacks doubled in 2015 and will double again in 2016. The U.K. is to some extent a bellwether for the U.S., as it functions as a beta test site for Eastern European cyber mafias who can test malicious code in their own time zone. Well over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware. Buckle up.

    2. The use of Cryptowall 4.0 will explode, and Cryptowall V5.0 will add an actual working "feature" that the TeslaCrypt strain only threatened with: extortion by potentially publishing private personal or sensitive business files on the Internet.

    3. Cryptowall will be the first strain of ransomware to hit a billion dollars in total damages.

    4. Ransomware is the new APT: "Annoying Persistent Threat", as it will be increasingly used in double-payload attacks combined with other scams.

    5. Ransomware-as-a-service hosted on the TOR network and using Bitcoin for ransom payment enables a new generation of cybercrime newbies to make their mark.

    6. Cyber mafias will focus on professional services firms and local government using Cryptowall as their tool and extort tens of thousands of dollars from organizations that don't want their business disrupted or their intellectual property compromised.

    7. A new sleeper ransomware variant will start to stealthily encrypt data, pull your critical files onto a C&C server, and wait until a backup has been made. At that point they will yank the encryption key and demand a much larger ransom than the current 500 bucks.

    8. Bonus Wild-Ass Guess: Ransomware gets bundled with worm-like malware to "brick" all the Windows endpoints and servers of a targeted organization. Cybercriminals will use this technique on a large scale, demanding millions in Bitcoins from their victims and may even offer "innovative" payment plans with protection terms.

Cyber Criminals Release Hard To Recognize Social Engineering Scam

Jerome Segura, a senior security researcher over at our friends Malwarebytes, reported a new, in-the-wild tech support scam that has moved from Amazon Web Services to Rackspace's managed cloud network. What it does is spread alarming pop-up ads that claim a site is infected and direct the reader to click on the ad for help.

Segura warned that this Amazon/Rackspace support scam is particularly tough for security software to recognize because it is more advanced than normal. "Some differences include caution to use anonymizer services, disabling Google indexing, and HTML code obfuscation of the scam page. In addition, the crooks managing these campaigns rely on those cloud services to frequently rotate IP addresses and point them to countless different domains and sub-domains," Segura told SCMagazine.com in an email Wednesday.

Not only are security pros given fits by this scam, but the general public is also more susceptible because these scams run directly in the browser and prey on people's well-founded computer security fears by displaying fake warnings.

"What makes it even more effective is the fact that the scam page triggers a continuous series of pop up alerts preventing the user from closing the page. Out of desperation, users may end up calling the 800 number to get the situation resolved," Segura said.

The next step has the victim being told by someone posing as a tech support person from a major company that for a fee they will fix the problem. Microsoft estimates that about 3.3 million people have fallen victim to scammers in 2015 and have paid out more than 1.5 billion dollars to the perpetrators.

Segura said Malwarebytes has reported the campaign to Rackspace for takedown and will continue tracking it to see where it goes next.

It is obvious that employees who have stepped through effective security awareness training will not fall for social engineering tricks like this. Find out how affordable this is for your organization and be pleasantly surprised.
https://info.knowbe4.com/kmsat_get_a_quote_now

Laugh The Pain Away With 2015's Best Infosec Memes

Engadget wrote: "As you might guess, infosec memes aren't as straightforward as Pizza Rat or Left Shark. That's because most of the time they run on one part inside joke and two parts hacker history. They're usually technical, and they communicate an intimate knowledge of the slow-roasted levels of hell only understood by an information security professional. Recently, infosec coughed up two particularly transcendent and painfully hilarious memes." I especially like the threatbutt caper. Ready for a good chuckle?
http://www.engadget.com/2015/12/31/2015s-best-infosec-memes/

Don't Miss The January Live Demo: New School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security. Join us on Wednesday, January 13 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:

  • Send Simulated Phishing tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
  • Point-of-failure training auto-enrollment.
  • NEW Phish Alert Button for Outlook so employees can report phishing attacks.
  • NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how more than 2,500 organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/4207198052493900546

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The thing always happens that you really believe in; and the belief in a thing makes it happen."- Frank Lloyd Wright - Architect (1867-1959)

"Some people want it to happen, some wish it would happen, others make it happen."- Michael Jordan


Thanks for reading CyberheistNews


Security News
2015 Top 5 KnowBe4 Blog Posts

    1. Apple's OS X Security Honeymoon Is Over: 41,365 views
       https://blog.knowbe4.com/apples-os-x-security-honeymoon-is-over

    2. The Seven Deadly Social Engineering Vices: 19,079 views
       https://blog.knowbe4.com/bid/290552/The-Seven-Deadly-Social-Engineering-Vices

    3. Antivirus Isn't Dead, It Just Can't Keep Up: 16,219 views
       https://blog.knowbe4.com/antivirus-isnt-dead-it-just-cant-keep-up

    4. KnowBe4 got a CEO Fraud phishing attack. Wrong Mark!: 12,641 views
       https://blog.knowbe4.com/knowbe4-got-a-ceo-fraud-phishing-attack.-wrong-mark

    5. Near-flawless Social Engineering attack spoiled by single flaw: 9,824 views
       https://blog.knowbe4.com/near-flawless-social-engineering-attack-spoiled-by-single-flaw

Credit Union CEO Fraud Horror Story

I received this the last day of the year from a Director of IT Security who works at a mid-size credit union.

"Stu, I think you’ll be interested in my story. If you want to share it, just anonymize it sufficiently. I’ve been very concerned about Business Email Compromise (BEC), particularly because government entities have continually sounded the warning. It’s obviously a very fast way to lose a lot of money, so I determined to prove our own controls. I visited our Finance department head. Did she know about BEC? Yes, she said. Was she sure that we couldn’t be fooled into falling for this scheme? She was very emphatic that this couldn’t happen here with the controls we had in place. Well, says I, how about a test? She agreed, and the game was on.

I explained the exercise to our CEO, who agreed to let me spoof his email address. Fortunately for me, he had just recently requested a wire on behalf of one of our CUSOs. Perfect. I originated a phishing message in the KnowBe4 system using the recent wire request as additional bait (hey, sorry folks – I forgot about this one; please expedite ASAP. Sorry, my bad).

I kept our Finance head in the loop, so there could be no way any funds actually left the credit union. She kept insisting that nothing was going to happen. The big day arrived, and I kicked off the campaign to send the request to the Finance group responsible for processing wires.

We didn’t have long to wait. Two minutes after transmission, Person 1 took the email and passed it along to Person 2, who went straight to the Finance head’s office. This is exactly what is supposed to happen. However, our Finance leader took a little jolt. She was expecting to be informed that the group found the message suspicious. Instead, she was asked to confirm the wire so it could move along. A little chill went down her spine. She let the cat out of the bag at that point, and called her group together for a chat.

In the end, it was determined that the wire would never have been sent. However, she was very worried that there wasn’t more immediate awareness of the scheme before it reached her. The main reason their guard was let down just a little was “it came from our CEO”. She used the opportunity to drive home the necessity to follow procedure no matter who it was – our CEO, the POTUS, or Stu Sjouwerman.

Lessons Learned:

    • Test, test, test – no matter how comfortable you think you are, nothing beats a good test for assurance.

    • If you have upper management’s support, your job is SO much easier. If you don’t have it, I can only recommend one option – update your resume; you’ll never win.

    • A good service provider like KnowBe4 can help you accomplish your information security program’s objectives."

Excellent lessons I must say. It's worth doing this kind of test in your own organization and see what the results are.

Organizations that discover they're victims of business email compromise exploits should immediately contact law enforcement officials to report the attacks, says Camelia Lopez, a federal prosecutor for the Eastern District of Texas. Here is a short video that explains more:
http://www.cuinfosecurity.com/fighting-business-email-compromises-a-8770

Right after I sent this to our customers, one of them answered back with this: "I can do you one better… the following is true and first hand. I still have the emails." And he's right, that one _is_ better. Read it here:
https://blog.knowbe4.com/credit-union-chilling-ceo-fraud-story

Chinese Hacker Steals Data From Airline, Uses It To Sell Tickets

You can use this to send to your users:

Recently, a 19-year-old Chinese man was nabbed and charged with stealing data from a yet-unnamed airline. He exfiltrated flight booking information of more than a million of the airline's customers. Next, and here is the crafty part, he spoofed the airline in a text message to the airline's customers, claimed their flight had been cancelled, lured them into rebooking their flights with him and stole that money. You have to give it to him, this is pretty smart.

So, remember to THINK BEFORE YOU CLICK. Do not trust any phone call, email or text message that asks you for personal information such as credit card data. Always contact the company yourself, do not click on links, open attachments or dial phone numbers in emails. Call the number on the credit card or pull the number from the website where you went yourself.

Why CEOs Are in the Dark About Cyber-Security

A new study about the gap between executive awareness and enterprise security finds that the majority of IT security professionals believe CEOs make decisions with little regard to security. IT security pros also believe management teams are not regularly briefed on cyber-security issues.

The survey, commissioned by cyber-security company CyberArk, was conducted by Dimensional Research and captured the opinions of 308 IT security professionals worldwide. The goal was to capture hard data on visibility and support for security programs at the executive level and determine which metrics are used to define security effectiveness.

"Compliance does not equal security. It can lull a CEO into a state of complacency because all it demonstrates is the simple checking of a box without context for responsible levels of information protection," said John Worrall, chief marketing officer of CyberArk. "Security professionals are briefing executives on the wrong information. They need to arm their CEOs and executive teams with information that matters, such as threat detection risks versus compliance and system availability." More at:
http://www.cioinsight.com/security/slideshows/why-ceos-are-in-the-dark-about-cyber-security.html

Insider Data Breach: The Hidden Hack Attack

According to the Open Forum by American Express, 36% of company data breaches are caused by employee mistakes. For instance, employees could very well send private company information, such as client or customer reference lists, to their personal emails, provide online account credentials to strangers, or leave online company data unattended, which can all lead to sensitive data exploitation. These insider related data leaks can be directly attributed to lack of oversight, accountability, and, more importantly, proper training from their employers.
http://www.business2community.com/cybersecurity/insider-data-breach-hidden-hack-attack-01410396#MYiBtQBlYitB8ZPG.97

Survey From Our Friends At Malwarebytes. Win A Surface Pro 4

Our friends at Malwarebytes would like your opinion about endpoint security solutions and your preferences. The survey takes about 5 minutes and will enter you in a raffle for a new Surface Pro 4. Here is the link:
https://www.surveymonkey.com/r/MBEndpoint


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • Using a 250 sized mini quad drone for aerial cinematography is not only possible, but the ONLY way to achieve this shot. Rise & Shine at Venice Beach. Cool:
      https://vimeo.com/149850024