CyberheistNews Vol 6 #22 It's Here. Nasty Ransomware That Spreads Like A Worm.

Stu Sjouwerman

Microsoft released an alert about a new ransomware strain called ZCryptor, which works like a worm and spreads via removable and network drives.

The MalwareForMe blog reported this first on May 24. Three days later, Redmond's security team decided to alert everyone about this threat.

“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior,” Microsoft's Malware Protection Center post stated. A subsequent analysis by Trend Micro confirmed Microsoft's findings, categorizing the threat as a "worm," with self-propagation features.

ZCryptor spreads via email with malicious macro attachments and a fake Adobe Flash Player installer.

Microsoft wrote that this strain uses fake installers, usually for Adobe Flash, along with macro-based booby-trapped Office files to distribute the ZCryptor ransomware. Macro-based malware exploits what Microsoft calls "user-consent prompt fatigue": users click through the "Enable Content" bar without thinking. Only Microsoft can come up with a term like that.

Once the user installs the fake Adobe Flash update or allows an attached Office file to run macros, ZCryptor is installed on the computer. The first thing the ransomware does is make itself survive reboots by adding an autostart entry to the registry. After this, it starts encrypting files.

Based on the samples it analyzed, Microsoft reported that the ransomware targets 88 different file types. Security researcher MalwareHunterTeam told Softpedia that the samples he analyzed targeted 121 file types, so it appears ZCryptor's criminal developers are still actively adding code.

ZCryptor is apparently also able to copy itself to removable and network drives.

The most worrying thing was Microsoft saying the ransomware has "worm-like behavior," meaning it can spread by itself to nearby targets. This type of behavior was predicted, but now it's here.

This is one of the first ransomware strains that features such a function. MalwareHunterTeam also said "that it [ZCryptor] has the codes to copy itself to removable devices."
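If a worm copies itself onto a USB stick, the thing to look for when that stick comes back is a launcher next to the copy. The following Go program is an added example written for this newsletter, not code from Microsoft, Trend Micro or the ZCryptor sample: it assumes the copy is launched through an autorun.inf at the drive root, the classic removable-media mechanism (the newsletter itself does not say how the copy gets started), parses the [autorun] section for open= and shellexecute= targets, and checks whether each target is a real Windows executable (starts with the "MZ" header). The drive layout and the file name system.exe are constructed for the demo.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one program that an autorun.inf at a drive root asks Windows to launch.
// IsPE is false when the target is missing or is not an "MZ"-headed executable.
type Finding struct {
	Target string
	IsPE   bool
}

// autorunTargets returns the programs named by open= and shellexecute= lines in
// the [autorun] section; comments, other sections and other keys are ignored.
func autorunTargets(inf []byte) []string {
	var targets []string
	inAutorun := false
	sc := bufio.NewScanner(bytes.NewReader(inf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			inAutorun = strings.EqualFold(line, "[autorun]")
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || !inAutorun || strings.HasPrefix(line, ";") {
			continue
		}
		switch strings.ToLower(strings.TrimSpace(key)) {
		case "open", "shellexecute":
			// The program is the quoted string, or else the first token; the rest is arguments.
			prog := strings.TrimSpace(val)
			if strings.HasPrefix(prog, `"`) {
				if end := strings.Index(prog[1:], `"`); end >= 0 {
					prog = prog[1 : end+1]
				}
			} else if f := strings.Fields(prog); len(f) > 0 {
				prog = f[0]
			}
			if prog != "" {
				targets = append(targets, prog)
			}
		}
	}
	return targets
}

// startsWithMZ reports whether the file begins with the DOS/PE "MZ" signature.
func startsWithMZ(p string) bool {
	f, err := os.Open(p)
	if err != nil {
		return false
	}
	defer f.Close()
	var hdr [2]byte
	_, err = io.ReadFull(f, hdr[:])
	return err == nil && hdr == [2]byte{'M', 'Z'}
}

// ScanDriveRoot inspects one drive root (for example "E:\" on Windows).
// A root without an autorun.inf yields no findings.
func ScanDriveRoot(root string) ([]Finding, error) {
	inf, err := os.ReadFile(filepath.Join(root, "autorun.inf"))
	if os.IsNotExist(err) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, t := range autorunTargets(inf) {
		p := filepath.Join(root, filepath.FromSlash(strings.ReplaceAll(t, `\`, "/")))
		out = append(out, Finding{Target: t, IsPE: startsWithMZ(p)})
	}
	return out, nil
}

// BuildSampleDrive creates a constructed drive root in a temp directory: an
// autorun.inf whose open= line names an MZ-headed file. Layout and file name are
// made up for this example; the caller removes the directory afterwards.
func BuildSampleDrive() (string, error) {
	root, err := os.MkdirTemp("", "usb-")
	if err != nil {
		return "", err
	}
	files := map[string][]byte{
		"autorun.inf": []byte("[autorun]\r\nopen=system.exe\r\naction=Open folder to view files\r\n"),
		"system.exe":  append([]byte("MZ"), make([]byte, 62)...), // header bytes only, not a program
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(root, name), data, 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSampleDrive()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	findings, err := ScanDriveRoot(root)
	fmt.Println(findings, err) // [{system.exe true}] <nil>
}
```

One caveat worth knowing: since Microsoft's 2011 AutoRun change, Windows 7 and later no longer execute autorun.inf from USB drives automatically (only from optical media), so a copy like this still needs the user to open it. The autorun.inf plus an executable at the root of a removable drive is nonetheless a reliable indicator that something has been trying to spread, and the same parser works on network share roots.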

Once it is installed and the available files are encrypted, a ransom note appears demanding 1.2 bitcoins, around 500 dollars at the time, for the decryption key. It gives the victim four days to comply and then raises the price to five bitcoins.

Effective security awareness training can stop this ransomworm in its tracks. Users can easily be trained to not enable macros or install fake updates. Find out how affordable this is for your organization and be pleasantly surprised.

Scam Of The Week: Summer Olympics Canceled in Rio

Heads-up! There is a spike in phishing attacks with Summer Olympics themes, and in the coming months the bad guys are going to be all over this.

Kaspersky Lab researchers are reporting on this already. Threat actors are competing for and registering domains containing words like "Rio" and "Rio2016", combined with low-cost SSL certs so that the fake sites show a padlock and look real.

Researcher Andrey Kostin was quoted in SC Mag: "Users may receive a phishing or malicious email, they might click a phishing link or advertising banner, or they might use a search tool and choose a fake website selling tickets." He said the most effective scams were conducted using phishing websites that emulate ticket sale services.

There are also scams going around claiming that users have won Rio-related lotteries and even fake ads for magic pills that promise to make the user into an "Olympic champion." Yeah, sure.

In other words, nothing really new here, but it's important to warn your employees about it, because the Olympics are such a big event. There is going to be a lot of controversy connected with the Rio Olympics, because of the Zika virus and the unrest in the area due to a recent rape.

The KnowBe4 Blog has more info, links and a message you can cut/paste or edit and email to your users:

(For KnowBe4 Customers, we have a new template in Current Events we strongly recommend you send to your users. The title is: "Summer Olympics Cancelled in Rio")

Are North Koreans The Bad Guys Behind Brazen Cyberheists?

In March, we posted a story about a cyberheist where hackers tried to steal a cool 1 Billion dollars from the Bangladesh Central Bank, and a simple typo thwarted most of their attempt.

Everyone was wondering who was behind these attacks, and a team of forensic experts from FireEye's Mandiant concluded early on that they came from outside Bangladesh.

Now, in a very interesting development, malware researchers with Symantec -- confirmed by the British defense contractor BAE Systems -- say they see links between the Bangladesh bank heist and cyber-attacks on banks in Vietnam and Ecuador. The researchers found a unique piece of code that has only been found in two other hacker attacks: Sony Pictures in December 2014, and media companies in South Korea in 2013. The FBI has said North Korea was responsible for the Sony Pictures attack. MORE:

The Nightmare Of Exploits Past

Remember .PIF files? If you're like us, the extension probably rings a bell somewhere deep in the dustiest recesses of your mind -- the same place where you packed away those tips for trouble-shooting Win9x General Protection Faults and so forth.

In fact, .PIF files (Program Information Files) are config files for storing information on how to start up and run MS-DOS programs in Win9X environments. They were designed to function a lot like shortcut files, only with added config data for MS-DOS programs.

Turns out Windows still recognizes .PIF files and will try to run them if you double-click on them. Why we would still need this functionality on, say, a Windows 7 64-bit box is not very clear, but the folks in Redmond apparently decided such functionality is still useful.

But it gets better. The more recent versions of Windows -- including Windows 7, Windows 8, and Windows 10 -- don't just know how to run .PIF files; they hide the extension, even when you explicitly configure Windows to show all extensions.

Old Attacks Never Die

Starting to get worried? Yeah, you should be. Because it turns out that Windows will run files with the (hidden) .PIF extension even when they're not .PIF files. So, for example, we can take a Win32 executable file, use the old double-extension trick to name a file something.pdf.pif, and Windows will hide the .PIF extension, leaving us with something that looks like a .PDF. Full story at the KnowBe4 Blog:
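A mail gateway or download filter can catch the something.pdf.pif trick without trusting the displayed name at all. The Go function below is an added example for this story, not code from the KnowBe4 blog post: it computes what Explorer would show the user (Explorer hides .pif and a few other extensions because their registered file types carry a NeverShowExt value; the list beyond .pif is my assumption), flags a decoy extension in front of the real one, and checks whether the content starts with the "MZ" header of a Win32 executable. A "MZ" file under any name that should not be a PE, or a launchable type hiding behind a decoy name, is blocked. The sample names and header bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions Explorer hides even when "show extensions" is on (NeverShowExt).
// .pif is the one from the story; the others are assumed, not from the newsletter.
var neverShowExt = map[string]bool{".pif": true, ".lnk": true, ".url": true, ".scf": true}

// Extensions Windows launches as programs on double-click.
var launchable = map[string]bool{
	".exe": true, ".com": true, ".scr": true, ".pif": true, ".bat": true, ".cmd": true,
}

// Types whose content legitimately starts with the "MZ" PE header (.com and a
// genuine .pif do not; a .pif that does is a renamed executable).
var peExpected = map[string]bool{".exe": true, ".scr": true, ".dll": true, ".sys": true}

type Verdict struct {
	DisplayName string // what Explorer would show the user
	RealExt     string // the extension Windows actually dispatches on
	Hidden      bool   // RealExt is hidden from the user
	DoubleExt   bool   // a decoy extension sits in front of RealExt
	PEContent   bool   // the bytes start with "MZ", i.e. a Win32 executable
	Block       bool
	Reason      string
}

// Classify judges an attachment from its name and its first few bytes.
func Classify(name string, head []byte) Verdict {
	ext := strings.ToLower(path.Ext(name))
	stem := name[:len(name)-len(ext)]
	v := Verdict{DisplayName: name, RealExt: ext}
	if neverShowExt[ext] {
		v.Hidden = true
		v.DisplayName = stem
	}
	v.DoubleExt = ext != "" && path.Ext(stem) != ""
	v.PEContent = bytes.HasPrefix(head, []byte("MZ"))
	switch {
	case v.PEContent && !peExpected[ext]:
		v.Block, v.Reason = true, "executable content behind a non-executable name"
	case launchable[ext] && (v.Hidden || v.DoubleExt):
		v.Block, v.Reason = true, "launchable type with a hidden or decoy extension"
	}
	return v
}

func main() {
	// Constructed samples: only the leading bytes matter for the header check.
	samples := []struct {
		name string
		head []byte
	}{
		{"invoice.pdf.pif", []byte("MZ\x90\x00")},
		{"report.pdf", []byte("%PDF-1.4")},
		{"report.pdf", []byte("MZ\x90\x00")},
		{"setup.exe", []byte("MZ\x90\x00")},
		{"backup.tar.gz", []byte("\x1f\x8b")},
	}
	for _, s := range samples {
		v := Classify(s.name, s.head)
		fmt.Printf("%-16s shown as %-13s block=%-5v %s\n", s.name, v.DisplayName, v.Block, v.Reason)
	}
}
```

Note that a plain setup.exe is not blocked by this rule; whether to accept executables at all is a separate policy decision. The point of the example is that the decision is made on the real extension and the real content, never on the name the user sees.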

Warm Regards,
Stu Sjouwerman


Quotes Of The Week

"The greatest deception men suffer is from their own opinions."- Leonardo da Vinci

"Reality is easy. It's deception that's the hard work."- Lauryn Hill

"Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker."- Kevin Mitnick

Thanks for reading CyberheistNews

Security News
Massive Locky Ransomware Campaign Targets Amazon Users

Comodo Threat Research Labs just posted an alert about a massive phishing campaign sent with a spoofed "from" address: auto-shipping (at) The subject is "Your order has dispatched" followed by a code, and there is no body text in the email, just a Microsoft Word attachment.

The Word file likewise contains no text, only macro code. Recipients are social-engineered into clicking "Enable Content", which runs the macro, which in turn launches an executable that downloads the Locky ransomware. The number of infected machines is not yet known, but it looks like a massive campaign. More here:
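The pattern described here, an Office attachment with no body text, is easy to score at the gateway. The Go program below is an added example for this item, not Comodo's detection logic: it parses a raw message with the standard library, collects Office attachments by extension, gathers the plain-text body, and marks the message suspicious when an Office attachment arrives with an empty body or under the campaign's subject line. The sample message is constructed for the demo; its sender domain is a placeholder, since the newsletter does not give the real one, and the attachment bytes are just the base64 of an OLE2 file header, not a real document.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// SampleMessage is a constructed message in the shape the text describes: an
// empty text part and one Word attachment. The sender domain is a placeholder.
const SampleMessage = `From: auto-shipping@example.com
To: someone@example.org
Subject: Your order has dispatched (#AB12345)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8


--b1
Content-Type: application/msword; name="order_AB12345.doc"
Content-Disposition: attachment; filename="order_AB12345.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
`

// Office types that can carry macros (legacy binary formats and the macro-enabled OOXML ones).
var officeExt = map[string]bool{
	".doc": true, ".docm": true, ".dot": true, ".dotm": true,
	".xls": true, ".xlsm": true, ".ppt": true, ".pptm": true,
}

type Result struct {
	OfficeAttachments []string
	BodyText          string
	Reasons           []string
	Suspicious        bool
}

// Inspect applies the heuristic: an Office attachment with no body text is the
// campaign's signature; the "Your order has dispatched" subject is a second signal.
func Inspect(raw string) (Result, error) {
	var r Result
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return r, err
	}
	mediaType, params, _ := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if strings.HasPrefix(mediaType, "multipart/") {
		mr := multipart.NewReader(msg.Body, params["boundary"])
		for {
			p, err := mr.NextPart()
			if err == io.EOF {
				break
			}
			if err != nil {
				return r, err
			}
			data, _ := io.ReadAll(p)
			if fn := p.FileName(); fn != "" {
				if officeExt[strings.ToLower(path.Ext(fn))] {
					r.OfficeAttachments = append(r.OfficeAttachments, fn)
				}
				continue
			}
			pt, _, _ := mime.ParseMediaType(p.Header.Get("Content-Type"))
			if pt == "" || pt == "text/plain" {
				r.BodyText += string(data)
			}
		}
	} else {
		data, _ := io.ReadAll(msg.Body)
		r.BodyText = string(data)
	}
	if len(r.OfficeAttachments) == 0 {
		return r, nil
	}
	if strings.TrimSpace(r.BodyText) == "" {
		r.Reasons = append(r.Reasons, "Office attachment with no body text")
	}
	if strings.HasPrefix(strings.ToLower(msg.Header.Get("Subject")), "your order has dispatched") {
		r.Reasons = append(r.Reasons, "campaign subject line")
	}
	r.Suspicious = len(r.Reasons) > 0
	return r, nil
}

func main() {
	r, err := Inspect(SampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("suspicious=%v attachments=%v reasons=%v\n", r.Suspicious, r.OfficeAttachments, r.Reasons)
}
```

This walks only one level of MIME parts, so a multipart/alternative body nested inside multipart/mixed would need a recursive walk; and a subject-line match is a campaign-specific signal that will go stale, whereas "macro-capable attachment, empty body" is the durable one.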

Don’t Miss The June Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, June 8, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
  • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
  • NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.
  • NEW USB Drive Test™ allows you to test your user’s reactions to unknown USBs found.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:

Shields Up! New DMA Locker V4 Unleashes Major Ransomware Assault

DMA Locker is an excellent example of cybercrime's furious speed of innovation. Version 1 showed up in January 2016, and V2 a month later, but the implementation of the encryption algorithm was flaky at best. The antimalware research community easily developed a decryption tool for versions 1 and 2 of DMA Locker.

These earlier versions infected workstations through weak passwords or stolen remote desktop credentials. The new V4, however, encrypts victim machines via drive-by download attacks that rely on compromised web servers with exploit kits, expanding the criminal "addressable market" significantly.

Earlier DMA Locker versions did not use a Command & Control (C&C) server, so the RSA private key was stored locally on the infected computer and could be recovered by reverse engineering.

The major new V4 feature is that DMA Locker's encryption routine now relies on a C&C server, which generates a unique RSA key pair for each infection. V4 first generates a unique Advanced Encryption Standard (AES) key for every file it encrypts.

Next, that AES key is encrypted with the infection's RSA public key and prepended to the encrypted file. For the moment the C&C server is not hosted on Tor, so its IP address is easy to blacklist, but it is only a matter of time before the C&C moves to Tor.

This is the same weapons-grade procedure used by market-leading ransomware like CryptoWall. To decrypt the ransomed files, the system admin needs the corresponding RSA private key, which the attackers hold until the ransom is paid.
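To make concrete why this scheme leaves nothing recoverable on the victim's disk, here is the hybrid construction written out in Go. It is an added example, not DMA Locker's or CryptoWall's code: the structure is the one the text describes (a fresh RSA key pair per infection, a random AES key per file, that key wrapped with the public key and prepended to the ciphertext), while the specific parameters, RSA-OAEP for the wrap and AES-256-GCM for the body, are my choice, since the newsletter does not say which modes the real sample uses. NewInfectionKeys stands in for the C&C server; the victim file content is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// NewInfectionKeys plays the role of the C&C server: one fresh RSA key pair per
// victim. Only the public half would ever be sent to the infected machine.
func NewInfectionKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the per-file routine: a random AES-256 key used for this file
// only, the body encrypted under it, and the key wrapped with the infection's
// RSA public key and written at the start of the output.
// Layout: [2-byte wrapped-key length][wrapped key][nonce][ciphertext||tag]
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil))
	return out.Bytes(), nil
}

// DecryptFile is the step only the holder of the private key can perform:
// unwrap the per-file AES key, then decrypt the body. Any other key fails at
// the unwrap, which is exactly why the victim's machine cannot help itself.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("truncated header")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+n], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 2+n+ns {
		return nil, errors.New("truncated body")
	}
	return gcm.Open(nil, blob[2+n:2+n+ns], blob[2+n+ns:], nil)
}

func main() {
	serverKey, err := NewInfectionKeys()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q2 board minutes - constructed sample file")
	blob, err := EncryptFile(&serverKey.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d bytes; the first %d hold the RSA-wrapped file key\n",
		len(doc), len(blob), 2+binary.BigEndian.Uint16(blob))
	other, _ := NewInfectionKeys()
	_, err = DecryptFile(other, blob)
	fmt.Println("decrypting with another infection's key:", err)
}
```

Two properties are visible in the code: encrypting the same file twice yields different output (new key and nonce each time), so there is no key to find by diffing files, and the only secret ever present on the victim's machine is a public key. That is also why the blacklisting advice above matters: the public key arrives from the C&C at the start of the infection, and that exchange is the last moment the network can intervene.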

DMA Locker reverses the usual ransomware approach to picking files. Most ransomware has a list of file extensions it will grab; DMA Locker has a list of extensions it will not touch, and encrypts everything else. V4 also encrypts files on any network share it can find, on both mapped and unmapped drives.

By copying the most powerful features of other successful ransomware, DMA Locker has finally become a serious contender, so batten down the hatches. Here are 8 things you can do to protect your network against ransomware attacks, apart from having weapons-grade backups. Scroll to the bottom:

Cybercrime Hit Businesses Hardest in 2015, says latest FBI IC3 Report

Businesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of 263 million dollars. The numbers come from the FBI’s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. business and individuals the hardest. According to the FBI, its Internet Crime Complaint Center (IC3) received 288,012 complaints last year with total losses of 1.07 billion dollars.

In their own words: "The mission of the Internet Crime Complaint Center (IC3) is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners.

"Information is processed for investigative and intelligence purposes for law enforcement and public awareness.

"In an effort to promote public awareness, the IC3 produces this annual report to aggregate and highlight the data provided by the general public. The quality of the data is directly attributable to the information ingested via the public interface"

Here is a link to the latest IC3 report - don't be scared off by the volume of pages - most of it is a state by state breakdown of stats. Page 12 of the report has a good infographic that you can use as budget ammo:

Save The Date: NatGeo Series: I Am Rebel: Phreaks And Geeks

In the early 1980s, computer hackers were seen as dark and nefarious. But what officials don't understand is that by identifying the holes in online security, hackers help make systems safer. Prank caller and telephone system manipulator Kevin Mitnick was one of the first notorious hackers to do this. Using his hacking skills, he eluded the FBI for years. When finally caught, he teaches the government how to tighten digital security and turns hacking into a respectable career.

The series kicks off Sunday June 5th. It is a 4-part series with Kevin's segment premiering Sunday June 26, at 9/8c. Make sure you watch or record it!

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • And another Englishman. Know Eddie Izzard? Seen the Lord Vader in the Death Star canteen LEGO video? It's a riot but NOT SAFE FOR WORK, lots of f-bombs but incredibly funny...
    • Russia is touting its Iron Man — a humanoid military robot — in the new global arms race that has sprung up over high-tech weaponry. Terminator here we come:
