CyberheistNews Vol 6 #18 [ALERT] Ransomware explodes in 2016. Here is the new roundup!

Stu Sjouwerman

If you've been in the IT trenches over the past year, you've probably noticed the announcements of new strains of ransomware are accelerating.

It's not your imagination. The research team at Proofpoint just published a blog post that confirms those impressions. Ransomware has indeed exploded, especially since the start of 2016. And just days before Proofpoint's blog post, the FBI went public with yet another warning over the threat of ransomware.

2016 Ransomware: The New Roundup

So just how bad is it? Proofpoint documents four new strains that their researchers have discovered in the wild just since early March:

  1. BrLock (mid April 2016)
  2. ROI Locker/Manamecrypt (early April 2016)
  3. CryptFlle2 (mid-March 2016)
  4. MM Locker (early March)

But these are just a subset of the new variants that the wider malware research community has discovered since the start of the year. Eric Howes, KnowBe4's Principal Lab Researcher, took a trip down Q1 2016 memory lane by way of some of our favorite anti-malware blogs and web sites. Here's a list of 28 new strains he found that researchers discovered in just the past four months!

Much more info, graph, links and resources at this blog post:

Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"

Verizon does a yearly comprehensive report on security and data breaches. It is excellent ammo to get budget approval for new-school security awareness training.

Why? Hundreds of security threat reports come out every year from all kinds of IT security companies. Most of these reports focus on a single type of threat that the author of the report conveniently offers protection against, and basically are thinly veiled marketing pieces.

Verizon's Data Breach Investigations Report is different. They create it together with 67 other organizations. To name a few well-known participants: the U.S. Secret Service, the U.S. Computer Emergency Readiness Team, the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others. The 85-page report covers many areas of security for which Verizon doesn't sell products. I'm highlighting their insights about phishing.

“This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions. He deadpans:

"Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff. The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds, thus proving that most people are clearly more on top of their email than I am."

One area that has picked up dramatically over the prior year is phishing. Alarmingly, 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link.

Dine said: “User security awareness continues to be overlooked as organizations fail to understand that they need to make their employees the first line of defense.”

“Organizations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.

For this reason, Dine said it is important for organizations to have processes in place that make it easy for employees to report security issues. (Here is a no-charge tool you can download to do just that:)

The Rise Of The Three-Pronged Attack

This year's report calls out the rise of a new three-pronged attack that is being repeated over and over again by cybercriminals. Many organizations are falling prey to this type of attack. The three prongs are:

  1. Sending a phishing email with a link pointing to a malicious website, or with a malicious attachment.
  2. Malware is downloaded onto an employee's PC and establishes the initial foothold; additional malware can then be used to look for secrets and internal information to steal (cyber-espionage) or to encrypt files for ransom. Many times the malware steals credentials to multiple applications through keylogging.
  3. Use of the stolen credentials for further attacks, for example to log into third-party websites like banking or retail sites.

2016 Report Reiterates The Need For The Basics

The researchers note that basic, well-executed measures continue to be more important than complex systems. Organizations should check to make sure they are taking care of these things:

  • Know what attack patterns are most common for your industry.
  • Utilize two-factor authentication for your systems and other applications, such as popular social networking sites.
  • Patch promptly.
  • Monitor all inputs: Review all logs to help identify malicious activity.
  • Encrypt your data: If stolen devices are encrypted, it's much harder for attackers to access the data.
  • Know your data and protect it accordingly. Also limit who has access to it.
  • Train your staff: Developing security awareness within your organization is critical, especially with the rise in phishing attacks.

The full "Verizon 2016 Data Breach Investigations Report" is available on the DBIR Media Resource Center and, as said, is excellent budget ammo. You need to register, but it's worth it:

Notes From The Criminal Innovation Department

A new malvertising exploit kit, discovered by researchers at Blue Coat Labs, pushes ransomware to Android devices. It's an old-fashioned flavor of ransomware that hijacks the whole device rather than encrypting files, and the same campaign also hijacks mobile ads to scam victims out of gift cards.

"This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim." More at CSO:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Your living is determined not so much by what life brings to you as by the attitude you bring to life."
- Khalil Gibran, Poet (1883-1931)

"Nothing can stop the man with the right mental attitude from achieving his goal; nothing on earth can help the man with the wrong mental attitude."
- Thomas Jefferson

Thanks for reading CyberheistNews

Security News
U.S. Supreme Court Allows The FBI To Hack Any Computer In The World

In brief, the US Supreme Court has approved amendments to Rule 41, which now gives judges the authority to issue search warrants, not only for computers located in their jurisdiction but also outside their jurisdiction.

Under the original Rule 41, a New York judge, say, could only authorize the FBI to hack into a suspect's computer in New York. The amended rule would make it easier for the FBI to hack into any computer or network, literally anywhere in the world. If Congress does not act, the rules will go into effect in December 2016.

The Ruling:

An initial comment: "These amendments will have significant consequences for Americans' privacy and the scope of the government's powers to conduct remote surveillance and searches of electronic devices," Democratic Senator Ron Wyden of Oregon said in a statement Thursday. More:

American Dental Assn Mails Malware On USB Drive To Members

The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of member dentists nationwide.

The problem first came to light in a post on the DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh got curious about the integrity of a USB drive that the ADA mailed to members to share updated “dental procedure codes” — codes that dental offices use to track procedures for billing and insurance purposes.

“Oh wow the usually inept ADA just sent me new codes,” Mike wrote. “I bet some marketing genius had this wonderful idea instead of making it downloadable. I can’t wait to plug an unknown USB into my computer that has PHI/HIPAA on it…”

A clear case where awareness training would have prevented malware infections caused by infected USB devices. Anyone who has stepped through effective security awareness training would think twice before plugging a device like that into their computer. Here is the full story. Read it and weep:

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop

Interesting article at DarkReading: "Say hello to Ran$umBin, a new kind of ransom market dedicated to criminals and victims alike.

Ransom attacks are at an all-time high; more and more criminals are using common tools to steal data and extort data owners. But this type of attack can be risky for the cybercriminal because, unlike stealthy advanced attacks, such operations require interaction with the victim.

Furthermore, even if the victim is willing to pay to get their stolen data back, monetizing these attacks isn't so easy: not every criminal knows how to find a trustworthy Bitcoin launderer, or how to monetize their crime with minimal risk.

One cyber underground group saw this as a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who's willing to pay." More:$om-shop/a/d-id/1325265

From The KnowBe4 EmailBag


"Part of the Phishing training we received from KnowBe4 includes a warning about Enabling Macros in Word docs that you might receive. That training was important and well timed; I have received two emails like this in the past month. I got one today, and it had a sneaky new way to try to get me to enable the macros. It had what looked like a splash screen advising me that the document was created in a newer version of MS Office, and to Enable Content to be able to read it.

Also, the scary thing is that the crooks are getting better. This was addressed to me by name to my correct email address and includes our correct company name. I have noticed an increase in these attacks recently; please be very vigilant. Not paranoid, but almost."


Q: What about html file attachments? I don’t feel they are safe either. But American banks (and others) use them a lot. Any info on that file type? Could be just as bad?

A: HTML attachments can indeed be used for illicit/malicious purposes. We see malicious HTML attachments on a regular basis. In most cases the bad guys are using HTML attachments as a means to defeat malware scanners by embedding content that used to be in the email body in the attached HTML file instead.

That content often consists of a malicious link that opens an external web page or download. It might also consist of a credentials phish -- that is, the bad guys include the bogus/spoofed login form for a bank in the HTML attachment itself instead of using a link to redirect users to an externally hosted version of the same page.

It's worth noting that in using HTML attachments this way, the bad guys are actually reducing the number of successful clicks from users. The more clicks you require of users, the fewer will actually click through to the end.

You're right to point out that HTML attachments do have legitimate purposes. We encounter completely legitimate HTML attachments from banks being erroneously reported as phishing attempts almost every day.

Like PDFs, HTML attachments have both legitimate and illegitimate uses. Hence the importance of educating users and teaching them to distinguish between the two, especially if your own company regularly receives legitimate HTML attachments from partners, customers, or clients. - Eric Howes
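As an added illustration of the answer above (example code written for this newsletter, not a KnowBe4 tool), the following triage check parses an HTML attachment and flags the two patterns Eric describes: a login form embedded in the file itself, and a page whose only job is to bounce the reader to an external URL. The sample attachment and the `example.invalid` host are constructed for the demo.

```python
# Added example (not code from the newsletter or KnowBe4): a triage check for an
# HTML e-mail attachment that flags the two patterns described in the answer above,
# a login form embedded in the file itself and a page that only redirects elsewhere.
from html.parser import HTMLParser
from urllib.parse import urlparse


class AttachmentTriage(HTMLParser):
    """Collects each <form> with its input types, plus any meta-refresh target."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "inputs": [type, ...]}, ...]
        self.redirect = None  # URL from <meta http-equiv="refresh" content="...;url=...">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.redirect = content.split("=", 1)[1].strip()


def triage_html(html_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    p = AttachmentTriage()
    p.feed(html_text)
    findings = []
    for f in p.forms:
        if "password" in f["inputs"]:
            # The attachment itself asks for a password: the form *is* the phish.
            host = urlparse(f["action"]).netloc or "a relative URL"
            findings.append(f"login form posts credentials to {host}")
    if p.redirect:
        findings.append(f"meta refresh redirects to {p.redirect}")
    return findings


# Constructed sample: an "invoice" attachment that is really a bank login page.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="5;url=http://example.invalid/next">'
          '</head><body><form action="http://example.invalid/collect" method="post">'
          '<input name="user"><input type="password" name="pw"><input type="submit">'
          '</form></body></html>')
if __name__ == "__main__":
    for finding in triage_html(SAMPLE):
        print("SUSPECT:", finding)
```

A legitimate bank statement attachment with no form and no redirect returns an empty list, which is the point: the check looks for the phish mechanics, not for the word "bank".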
