CyberheistNews Vol 6 #16 FBI: "Ransomware On Pace To Be A 1 Billion Dollar Business In 2016"

Stu Sjouwerman

CNN Money reports that new estimates from the FBI show the costs from ransomware have reached an all-time high. Cyber-criminals collected 209 million dollars in the first three months of 2016 by extorting businesses and institutions to unlock computers and servers.

At that rate, ransomware is on pace to be a 1 billion dollar a year crime this year.

The FBI told CNN that the number "is quite high" because a few people "reported large losses." The agency also said that the losses could even be bigger once other related costs from these extortion schemes are factored in. Plus: Some victims may choose to pay and not report the crime.

More, and link to the video (which I think you should send to your C-suite)

Phishing Attacks Hit the C-Suite With High Value Scams

OK, here is great ammo to get more IT security budget. Why? This infographic makes it real to the C-suite that they themselves have a big phishing target on their back.

You all know that spear-phishing is very effective. Cloudmark calls it “the secret weapon behind the worst cyber attacks”, and created an infographic of 10 recent major breaches (below), from Target to OPM, that started with a successful spear-phish.

We are absolutely, positively, and fundamentally losing the endpoint security battle. Should we keep fighting on in the same manner? Isn't that the definition of insanity? Time to pivot methinks.

Since January 2016, we have seen a massive rise in CEO fraud, which you could call a spear phish derivative. The FBI calls it "BEC" (Business Email Compromise), and like spear phishing it uses social engineering and spoofed CEO emails to manipulate senior executives, HR and Accounting into damaging actions.

A good example is the recent spate of W-2 scams where tax information of all employees gets emailed to the bad guys. Cloudmark's Tom Landesman has compiled a list of 55 companies that were taken in by these W-2 attacks, and comments, "It's likely that even more have been compromised, but have not come forward." Obviously it is tailing off now as the tax season ends, but will be back in full force next year.

Just recently it surfaced that a Mattel finance officer sent over 3 million dollars to the Bank of Wenzhou, in China. The bad guys are not just targeting America: in January the BBC warned that "fraude au président" is widespread across France.

The FBI has instructed people to verify transactions by "picking up the phone".

Despite all that, CEO frauds are even more successful than spear phishing. Kevin Townsend at SecurityWeek suggested two major reasons: "firstly, very few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don't believe that security is their personal concern."

"More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.

More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the NASDAQ."

Here is the infographic at the KnowBe4 Blog - an interesting summary of the recent attacks which all could have been prevented with effective security awareness training:

California Tries To Outlaw Russian Ransomware. Good Luck With That.

A proposed California legislation imposing specific penalties for ransomware took a step forward yesterday when the state senate's Public Safety Committee passed the bill at a hearing that featured testimony from Hollywood Presbyterian Medical Center (HPMC) — a notable victim of the ongoing ransomware epidemic.

The legislation, Senate Bill 1137, would amend California's penal code to make it a crime to knowingly introduce ransomware into a computer or network, with penalties of up to four years in prison and a 10,000 dollar fine. The law would not preclude prosecuting attorneys from pursuing additional charges under older statutes.

My take? A publicity stunt for a CA Senator more than anything else. We have no jurisdiction in Eastern Europe where these cyber mafias are rolling in hundreds of millions of scammed dollars with air-cover from their local governments.

Did you know that in Ukraine it is not illegal to hack targets outside of the country?

Now and then Vladimir Putin arrests a token black hat -- who must have misbehaved and started hacking inside Russia -- to show the world they are serious about cybercrime, but generally speaking these bad guys can commit their crimes undisturbed by their local law enforcement.

In early October 2013, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Russian police and computer security experts later released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld. More at Krebs:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The hardest thing in the world to understand is income tax."
- Albert Einstein

"Life can only be understood backwards; but it must be lived forwards."
- Søren Kierkegaard

"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man."
- George Bernard Shaw

Thanks for reading CyberheistNews

Security News
Been Hit With Ransomware? This Site Identifies The Strain

Here is an online tool that identifies the ransomware strain from the ransom note you upload, the one that is dropped on your machine when you get infected. If decryption tools exist for that strain, you are pointed to them. Note that the site itself does not decrypt any ransomed data, and you cannot submit the malware binary for analysis the way you can at VirusTotal. It's a start. "Knowing is half the battle".

Survey: Spear Phishers Target Gullible Brits More Than Anyone Else

The Register reported that there has been a sharp increase in crypto-ransomware attacks, with the UK ranked third among the nations most targeted by ransomware.

The UK is also ranked as the most targeted nation for spear phishing attacks and the second most hit-upon country with social media scams, according to other findings from Symantec's latest annual Internet Security Threat Report (ISTR).

Why? The UK is the beta site for Eastern European cyber mafias that use them to debug their campaigns which then get unleashed on America.

The report makes grim reading for anyone concerned about privacy or corporate security. An estimated half a billion records were lost as a result of data breaches last year. And the number of zero-day vulnerabilities discovered last year more than doubled to a record-breaking 54, a 125% increase from the previous year, underlining the critical role unpatched vulnerabilities can play in targeted attacks.

Advanced professional attack groups are the first to leverage zero-day vulnerabilities, using them for their own advantage or selling them to lower-level criminals on the open market where they are quickly commoditized, according to Symantec.

Meanwhile, fake technical support scams tripled last year, with the UK the second most targeted nation globally, suffering 7m attacks in 2015. This type of fraud is evolving beyond PCs: scammers now push fake warning messages to devices like smartphones, driving users to attacker-run call centers where they are duped into buying useless services.

Finally, 430 million new malware variants were discovered in 2015. Malware authors routinely vary their wares in a bid to outfox security defenses. This process is automated, and it is one of the main reasons security vendors have moved away from traditional signature detection, which these days only plays a supporting role in security software suites.

At nearly half a billion, the raw number of malware variants has almost become irrelevant.

More details on the study, as well as top tips from Symantec on improving security, and infographics, can be found at The Register's article:

CTB-Locker Ransomware Uses Blockchain To Store & Deliver Decryption Keys

A mysterious change in the behavior of the CTB-Locker ransomware strain prompted security researchers to dig in and see what was going on.

The CTB-Locker ransomware family, mainly known for infecting and locking individual workstations, recently switched to targeting websites via a PHP version, first observed last February.

The change that caught the eye of Sucuri experts is a March update to its "Complimentary decrypt" page where users could unlock one complimentary file per infection.

Innovative And More Reliable

It didn't take long for researchers to observe that the ransomware was using the block chain to deliver decryption keys to its victims, through the Bitcoin script opcode OP_RETURN. An OP_RETURN output is a transaction output that carries a small blob of arbitrary data (up to 80 bytes under the standard relay policy) instead of a spendable amount.

For each infected website, the cyber criminals automatically created a unique Bitcoin address, which they monitored. If 0.0001 Bitcoin -- the minimum transaction fee -- was sent to it, they knew it was payment for a complimentary decrypt operation.

From another account, they would then send a transaction to the infected website's unique Bitcoin address carrying an OP_RETURN output. Such a transaction confirms like any other; its OP_RETURN output is simply provably unspendable, so no coins can ever be redeemed from it, and the metadata it carries is recorded permanently in the block chain.

The PHP script on the infected site polls that address through a public block-chain explorer API and reads the OP_RETURN field, which holds the decryption key for the file submitted via the complimentary decrypt operation. If the infected user paid the entire ransom, the same field would carry the master decryption key for all files. More at the Sucuri blog:
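To make the channel concrete, here is an added example (written for this newsletter, not code from Sucuri or from the CTB-Locker authors) that parses a legacy-format Bitcoin transaction, walks its outputs and pulls the payload out of any OP_RETURN output. A defender watching a victim's unique address could run the same logic over transactions returned by a block explorer. The transaction it builds is a constructed dummy, not a real or broadcastable one, and the "key blob" it carries is made up for the demonstration.

```python
"""Extract OP_RETURN payloads from raw (non-SegWit) Bitcoin transactions.

Added example for the CTB-Locker story above. It assumes the legacy
transaction serialisation (version, inputs, outputs, locktime) and the
standard script opcodes; nothing here is CTB-Locker's own code.
"""
import struct
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin CompactSize integer. Returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the pushed data if `script` is `OP_RETURN <push>`, else None.

    Handles direct pushes (0x01-0x4b), OP_PUSHDATA1 and OP_PUSHDATA2.
    A truncated push is treated as malformed and rejected.
    """
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN with no data
    op = script[1]
    if 0x01 <= op <= 0x4B:
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    else:
        return None
    data = script[start:start + length]
    return data if len(data) == length else None


def parse_outputs(raw_tx: bytes) -> List[Tuple[int, bytes]]:
    """Walk a legacy serialised transaction; return (value_sat, scriptPubKey) per output."""
    pos = 4  # 4-byte version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw_tx, pos)[0]
        pos += 8
        slen, pos = read_varint(raw_tx, pos)
        outputs.append((value, raw_tx[pos:pos + slen]))
        pos += slen
    return outputs


def op_return_payloads(raw_tx_hex: str) -> List[bytes]:
    """All OP_RETURN payloads carried by a hex-encoded transaction."""
    found = []
    for _value, spk in parse_outputs(bytes.fromhex(raw_tx_hex)):
        data = op_return_payload(spk)
        if data is not None:
            found.append(data)
    return found


def build_op_return_script(data: bytes) -> bytes:
    """scriptPubKey for a data-carrier output: OP_RETURN <push data>."""
    if len(data) <= 0x4B:
        return bytes([OP_RETURN, len(data)]) + data
    if len(data) <= 0xFF:
        return bytes([OP_RETURN, OP_PUSHDATA1, len(data)]) + data
    raise ValueError("payload too large for this example")


def build_demo_tx(payload: bytes) -> str:
    """Constructed dummy transaction: one all-zero input, a 0-satoshi OP_RETURN
    output carrying `payload`, and one ordinary P2PKH-shaped output.
    It is not a real or broadcastable transaction."""
    tx = struct.pack("<i", 1)                              # version
    tx += b"\x01"                                          # one input
    tx += b"\x00" * 32 + struct.pack("<I", 0)              # dummy prevout
    tx += b"\x00"                                          # empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF)                    # sequence
    tx += b"\x02"                                          # two outputs
    spk = build_op_return_script(payload)
    tx += struct.pack("<q", 0) + bytes([len(spk)]) + spk   # unspendable data output
    fake_p2pkh = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    tx += struct.pack("<q", 10_000) + bytes([len(fake_p2pkh)]) + fake_p2pkh
    tx += struct.pack("<I", 0)                             # locktime
    return tx.hex()


if __name__ == "__main__":
    key_blob = b"DEMO-KEY-" + bytes(range(16))  # made-up stand-in for a decryption key
    print(op_return_payloads(build_demo_tx(key_blob)))
```

The point a practitioner should take from this: the data output costs the attacker nothing but the transaction fee, it cannot be taken down, and anyone with the victim's address can read it, so the same polling logic that hands the victim a key also gives an incident responder a timeline of when each key was released.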

5 Steps to Take On Ransomware Using A Defense-In-Layers Approach

Sam Musa at GovTech had a good summary on what to do against ransomware.

His point 5 got our full approval!

"It is now virtually impossible to spot expertly crafted malware and ransomware in particular, which is increasingly and exactingly honed to an individual recipient. Therefore, it’s also necessary for agencies to maintain awareness of innovative new types of malware.

A strong IT security program cannot be executed successfully without training users on security threats, policies and techniques to protect their assets. Agencies must understand that users are one of the essential lines of defense against cyberthreats, so there is a need for continuous awareness training.

The training must focus on providing knowledge to protect information systems and sensitive data from both internal and external threats. Training contents may include social engineering techniques and how to avoid them, identity theft, cyber sexual harassment, peer-to-peer sharing programs and steps on how to avoid posting sensitive information online.

Agencies should offer awareness education throughout the year through formal training, monthly tips and wall posts to remind users that security is everyone’s responsibility. Security emails and announcements should be informative, rather than simply repetitious."

Here are the other four points, and send your users simulated phishing attacks!

KnowBe4 Announces Several Cool New Features In The Spring 2016 Release

These features were previously out of reach for IT managers with limited budget, and we're excited you can use them now with our Platinum level subscription.

  • EZXploit: fully automated human pentesting.
  • USB Drive Test: which users pick up and plug in strange USB drives
  • GEO-location: see where the users are that failed a phishing test

Learn more at the KnowBe4 Blog, and request a demo to see them in action:

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff

