[ALERT] Last Week Was A Ransomware Horror Show. Here Is The Roundup!
Guys, last week the news about ransomware just kept coming like a tsunami. There are new troubling developments in this rotten ransomware racket. I have been blogging furiously just to keep up with this epidemic. I'm giving you the highlights here, and you can grab any of the blog posts if you want more detail about a certain strain or development. Here goes:

TeamViewer Denies It Is "Negotiated Ransomware" Infection Vector
A modified version of EDA2, an open-source ransomware strain developed by Turkish computer engineering student Utku Sen (by the way, thanks Utku, that was a very smart idea), has been encrypting files and appending the .surprise extension to them. The cybercriminals using the Surprise ransomware have chosen an unusual infection vector: the popular remote control tool TeamViewer.
Apparently these bad guys are not relying on the "spray-and-pray" approach, but are doing this partly by hand, and the ransom amount depends on how important the locked data is. It may range from 0.5 BTC to as much as 25 BTC (that is 10,000 dollars!). These terms are negotiated individually. OUCH. More: https://blog.knowbe4.com/teamviewer-denies-it-is-ransomware-infection-vector

New PETYA Ransomware Locks Users Out By Overwriting Master Boot Record
Security researchers at Trend Micro have found a new type of ransomware that doesn’t encrypt specific files but makes the entire hard drive inaccessible. The malware has been named Petya and targets mainly companies.
As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing a blue screen of death (BSoD) and putting their ransom notes at system startup, that is, even before the operating system loads. Imagine turning on your computer and, instead of the usual Windows logo, you get a flashing red and white screen with a skull-and-crossbones. Here is what it looks like: https://blog.knowbe4.com/petya-ransomware-lock-users-out-by-overwriting-master-boot-record
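Because Petya replaces the boot code rather than touching individual files, the cheapest defensive check is to keep a known-good hash of each machine's first sector and compare it on every boot or backup run. The script below is an added illustration, not code from KnowBe4 or from Trend Micro's analysis; it parses a 512-byte MBR, applies a few structural sanity checks, and reports drift from a baseline hash, using constructed sample sectors (a real sector would be read from the raw disk device, which this example does not do).

```python
"""Sanity-check a 512-byte MBR image and detect drift from a known-good hash."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into bootstrap code, four partition entries, signature and hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootstrap": mbr[:PART_TABLE_OFFSET],
        "partitions": entries,
        "signature": mbr[510:512],
        "sha256": hashlib.sha256(mbr).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means well-formed and identical to the baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if parsed["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    statuses = [p["status"] for p in parsed["partitions"]]
    if any(s not in (0x00, 0x80) for s in statuses):
        findings.append("partition entry with invalid status byte")
    if statuses.count(0x80) > 1:
        findings.append("more than one active partition")
    if parsed["sha256"] != baseline_sha256:
        findings.append("hash differs from baseline")
    return findings


def build_mbr(bootstrap: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions).ljust(64, b"\x00")
    return bootstrap[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00") + table + signature


# Constructed samples: a known-good sector (NOP filler as bootstrap) and one whose
# bootstrap code was swapped for a different loader while the partition table was kept.
CLEAN_MBR = build_mbr(b"\x90" * 64, [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(CLEAN_MBR).hexdigest()
TAMPERED_MBR = build_mbr(b"\xeb\xfe" * 200, [(0x80, 0x07, 2048, 204800)])
```

Note that the tampered sample still passes the structural checks, since a replacement loader needs a valid boot signature to run at all; only the baseline comparison exposes it.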

Fileless Ransomware Strain Written In Windows PowerShell
A new ransomware program written in Windows PowerShell is being used in attacks against enterprises, including health care organizations. The initial ransom is ~500 dollars, but it goes up to ~1,000 dollars after a couple of weeks.
The new ransomware program, dubbed PowerWare, was discovered by researchers from security firm Carbon Black and is being distributed to victims via phishing emails containing Word documents with malicious macros, an increasingly common attack technique. The fileless malicious code is hard to spot because it runs inside PowerShell, a legitimate tool that has been part of Windows for quite a while, so there is no separate malicious executable on disk to catch: https://blog.knowbe4.com/new-ransomware-written-in-windows-powershell
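A practical way to catch the delivery chain described above is to watch for an Office process that spawns PowerShell and to score the command line for traits a macro dropper tends to need. The Python below is an added example, not Carbon Black's detection logic or anything from the blog post; it assumes Sysmon-style process-creation events exported as JSON lines, and the four sample events (including the base64 blob) are constructed.

```python
"""Flag process-creation events in which an Office application spawns PowerShell."""
import json
import re
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line traits a macro typically needs when it hands execution to PowerShell
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(nop|noprofile)\b", re.I), "profile suppressed"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient", re.I), "web download"),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Return an alert for an Office -> PowerShell process creation, otherwise None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in POWERSHELL_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    reasons = [label for rx, label in SUSPICIOUS_ARGS if rx.search(cmd)]
    return {"host": event.get("Computer", "?"), "parent": parent, "reasons": reasons}


def scan(jsonl: str) -> List[dict]:
    """Parse newline-delimited JSON events and collect alerts in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = score_event(json.loads(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events in a Sysmon-like shape; the base64 blob is a placeholder.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QUJDRA=="}
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe"}
{"Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Service"}
{"Computer": "WS03", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\stage.ps1"}
"""
```

The parent/child pairing is the strong signal; the argument traits only rank how urgently an analyst should look, since an empty reasons list still means Word or Excel launched a shell.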

Survey: 62% Of Companies Lack Confidence In Ability To Confront Ransomware Threat
Tripwire just published a new study suggesting that a majority of businesses might not be adequately prepared either to prevent or to fully recover from ransomware infections. They announced the results of a survey of 200 security professionals who attended RSA Conference 2016: https://blog.knowbe4.com/survey-62-of-companies-lack-confidence-in-ability-to-confront-ransomware-threat

New Maktub Ransomware Strain - Beautiful And Dangerous
Maktub Locker is the name of a new Russian strain of ransomware. The word Maktub is Arabic for "fate", suggesting it is inevitable you will get infected with ransomware. The code was put together by professionals with extensive experience in writing malicious code.
At the moment, the strain is spread via email with a .scr attachment that pretends to be a document with a Terms-of-Service update. The social engineering tricks are also professional grade. When the user opens the attachment, it really does display a fake TOS update in .rtf format, while in the background their files are being encrypted.
What To Do About It
Suddenly, the low cost of effective security awareness training comes into perspective as a key piece of the puzzle in managing the ongoing problem of social engineering.
Obviously you also need plenty of technical controls in place to block ransomware, and the blog post includes some excellent suggestions from Steve Ragan at CSO. MORE: https://blog.knowbe4.com/new-maktub-ransomware-strain-beautiful-and-dangerous

Hospital Ransomware Attacks Surge; So Now What?
Ransomware attacks against hospitals are becoming commonplace this year, with at least five incidents revealed in recent weeks: http://www.healthcareinfosecurity.com/hospital-ransomware-attacks-surge-so-now-what-a-8987

Certified Ethical Hacker Website Spreading TeslaCrypt
Irony strikes. The website of EC-Council, the New Mexico-based security certification provider that administers the Certified Ethical Hacker qualification, has reportedly been spreading TeslaCrypt ransomware via the Angler exploit kit: http://www.scmagazine.com/irony-strikes-certified-ethical-hacker-website-reportedly-spreading-ransomware-for-days/article/485578/

Credit Union Times: Locky Ransomware Infects 90,000 Systems Daily
Ransomware is quickly becoming a mainstream form of malware, according to the Tampa Bay-based cybersecurity firm KnowBe4, and one driving factor is the significant amount of cash being racked up by the notorious Dridex banking Trojan gang with its new Locky strain.
IT security companies Proofpoint and Palo Alto Networks have linked Locky to the Russian Dridex gang, operators of the most prominent banking malware currently in operation, and Locky is replacing former front-runner CryptoWall. http://www.cutimes.com/2016/03/18/locky-ransomware-infecting-90000-systems-daily

Warm Regards, Stu Sjouwerman