CyberheistNews Vol 6 #22 |
It's Here. Nasty Ransomware That Spreads Like A Worm. |
Microsoft released an alert about a new ransomware strain called ZCryptor, which works like a worm and spreads via removable and network drives.
The MalwareForMe blog reported this first on May 24. Three days later, Redmond's security team decided to alert everyone about this threat.
“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior,” Microsoft's Malware Protection Center post stated. A subsequent analysis by Trend Micro confirmed Microsoft's findings, categorizing the threat as a "worm," with self-propagation features.
ZCryptor gets its initial foothold via email, using malicious macro attachments and a fake Adobe Flash Player installer.
Microsoft wrote that this strain uses fake installers, usually for Adobe Flash, along with macro-based booby-trapped Office files to distribute the ZCryptor ransomware. Macro-based malware relies on what Microsoft calls "user-consent prompt fatigue": users who have clicked "Enable Content" often enough stop reading the warning. Only Microsoft can come up with a term like that.
Once the user runs the fake Adobe Flash update or allows an attached Office file to run its macros, ZCryptor is installed on the user's computer. The first thing the ransomware does is make sure it survives a reboot by adding an autostart key to the registry. Only after that does it start encrypting files.
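The registry autostart step is the one an incident responder can check for quickly. As an added example (not from the Microsoft post, and not ZCryptor-specific), here is a Python triage script that parses a `reg export` of the Run keys and flags any entry whose executable lives in a user-writable location such as AppData, Temp or Users\Public, which is where a dropper that arrived as a fake Flash installer would normally land. The .reg text, the value names and the paths are all constructed for the example, and the list of user-writable directory fragments is an assumption you should tune for your environment.

```python
import re

# Constructed .reg export of the two most common Run keys. Nothing here comes
# from a real ZCryptor sample; the names and paths are made up for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"FlashPlayerUpdate"="C:\\Users\\alice\\AppData\\Roaming\\FlashPlayerUpdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\Downloads\\update.exe -silent"
'''

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Directory fragments an ordinary user can write to. Assumed list; tune it.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\tmp\\",
                 "\\downloads\\", "\\programdata\\")


def unescape(data):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r'\\(["\\])', r'\1', data)


def command_path(command):
    """Executable part of a Run-key command: the quoted path, else first token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_keys(text):
    """Return every value under a ...\\Run or ...\\RunOnce key in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            command = unescape(m.group("data"))
            entries.append({"key": key, "name": m.group("name"),
                            "command": command, "path": command_path(command)})
    return entries


def flag_user_writable(entries):
    """Autostart entries whose binary sits somewhere a normal user can write."""
    return [e for e in entries
            if any(frag in e["path"].lower() for frag in USER_WRITABLE)]


if __name__ == "__main__":
    for e in flag_user_writable(parse_run_keys(SAMPLE_REG_EXPORT)):
        print(f"SUSPECT {e['key']}\\{e['name']} -> {e['path']}")
```

On a live box, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent) instead of the constructed sample. A hit is a lead, not a verdict: plenty of legitimate updaters live in AppData too, so check the binary's signature and hash before pulling the plug.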
Based on the samples it analyzed, Microsoft reported the ransomware was targeting 88 different file types. The security researcher MalwareHunterTeam told Softpedia that the samples he analyzed targeted 121 different file types, so it appears that ZCryptor's criminal developers are still at work and adding new code.
ZCryptor apparently is able to copy itself to removable and network drives.
The most worrying part is Microsoft's description of "worm-like behavior": once on a machine, the malware copies itself to removable and network drives, so a single infected user can seed every USB stick and mapped share they touch. This type of behavior was predicted, and now it's here.
This is one of the first ransomware strains to feature such a function. MalwareHunterTeam also said "that it [ZCryptor] has the codes to copy itself to removable devices."
Once installed and the reachable files are encrypted, a ransom note appears demanding 1.2 bitcoins, around 500 dollars at the time, for the decryption key. It gives the victim four days to comply and then raises the price to five bitcoins.
Effective security awareness training can stop this ransomworm in its tracks. Users can easily be trained to not enable macros or install fake updates. Find out how affordable this is for your organization and be pleasantly surprised. https://www.knowbe4.com/
|
Scam Of The Week: Summer Olympics Canceled in Rio |
Heads-up! There is a spike in phishing attacks with Summer Olympics themes, and in the coming months the bad guys are going to be all over this.
Kaspersky Lab researchers are reporting on this even now. Threat actors are competing for and registering domains that contain words like "Rio" and "Rio2016", combined with low-cost SSL certs so the fake sites show a padlock and look real. Worth reminding users: the padlock only means the connection is encrypted, not that the site is who it says it is.
Researcher Andrey Kostin was quoted in SC Mag: "Users may receive a phishing or malicious email, they might click a phishing link or advertising banner, or they might use a search tool and choose a fake website selling tickets." He said the most effective scams were conducted using phishing websites that emulate ticket sale services.
There are also scams going around claiming that users have won Rio-related lotteries and even fake ads for magic pills that promise to make the user into an "Olympic champion." Yeah, sure.
In other words, nothing really new here, but it's important to warn your employees about it, because the Olympics are such a big event. There is going to be a lot of controversy connected with the Rio Olympics, because of the Zika virus and the unrest in the area following a recent rape, and every headline is another phishing lure.
At the KnowBe4 Blog is more info, links and a message you can cut/paste or edit and email to your users: https://blog.knowbe4.com/scam-of-the-week-summer-olympics-canceled-in-rio
(For KnowBe4 Customers, we have a new template in Current Events we strongly recommend you send to your users. The title is: "Summer Olympics Cancelled in Rio")
|
Are North Koreans The Bad Guys Behind Brazen Cyberheists? |
In March, we posted a story about a cyberheist where hackers tried to steal a cool 1 billion dollars from the Bangladesh Central Bank, and a simple typo thwarted most of their attempt.
Everyone was wondering who was behind these attacks, and a team of forensics experts from FireEye's Mandiant unit concluded early on that the attacks came from outside Bangladesh.
Now, in a very interesting development, malware researchers with Symantec -- confirmed by the British defense contractor BAE Systems -- say they see links between the Bangladesh bank heist and cyber-attacks on banks in Vietnam and Ecuador. The researchers found a distinctive piece of code that had previously turned up in only two other attacks: Sony Pictures in December 2014, and media companies in South Korea in 2013. The FBI has said North Korea was responsible for the Sony Pictures attack. MORE: https://blog.knowbe4.com/are-north-koreans-the-bad-guys-behind-brazen-cyberheists
|
The Nightmare Of Exploits Past |
Remember .PIF files? If you're like us, the extension probably rings a bell somewhere deep in the dustiest recesses of your mind -- the same place where you packed away those tips for trouble-shooting Win9x General Protection Faults and so forth.
In fact, .PIF files (Program Information Files) are config files for storing information on how to start up and run MS-DOS programs in Win9X environments. They were designed to function a lot like shortcut files, only with added config data for MS-DOS programs.
Turns out Windows still recognizes .PIF files and will try to run them if you double-click on them. Why we would still need this functionality on, say, a Windows 7 64-bit box is not very clear, but the folks in Redmond apparently decided such functionality is still useful.
But it gets better. The more recent versions of Windows -- including Windows 7, Windows 8, and Windows 10 -- don't just know how to run .PIF files; they hide the extension, even when you explicitly configure Windows to show all extensions. That is by design: Explorer never shows the extension for file types whose registry ProgID carries a NeverShowExt value, and .PIF is one of them, alongside shortcut types like .LNK and .URL.
Old Attacks Never Die
Starting to get worried? Yeah, you should be. Because it turns out that Windows will run files with the (hidden) .PIF extension even when they're not .PIF files. So, for example, we can take a Win32 executable, use the old double-extension trick to name it something.pdf.pif, and Windows will hide the .PIF extension, leaving us with something that looks like a .PDF. The practical takeaway: there is no legitimate reason for a .PIF (or a .LNK, or a .SCF) to arrive as an email attachment, so block them at the gateway rather than relying on users to spot a hidden extension. Full story at the KnowBe4 Blog:
https://blog.knowbe4.com/your-win9x-nightmares-arent-finished-yet-how-phishing-attacks-use-old-vulnerabilities
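To make the "what the user sees versus what Windows runs" gap concrete, here is an added example (ours, not code from the KnowBe4 post) in Python: a small attachment checker that models Explorer's display rules and flags any name where a launchable extension is hiding behind a harmless-looking one. The set of always-hidden extensions (.pif, .lnk, .url, .scf) and the set of launchable extensions are assumptions for this example, and the sample attachment names are constructed.

```python
import os

# Extensions Explorer hides even when "Hide extensions for known file types"
# is switched off (ProgIDs carrying NeverShowExt). Assumed list for this
# example; verify against your own Windows build before relying on it.
ALWAYS_HIDDEN = {".pif", ".lnk", ".url", ".scf"}

# Extensions that run code on double-click. Assumed list, not exhaustive.
EXECUTABLE = {".pif", ".lnk", ".scf", ".exe", ".scr", ".com", ".bat", ".cmd",
              ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}


def displayed_name(filename, show_extensions=True):
    """Return the name Explorer would show for this file."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in ALWAYS_HIDDEN:
        return root          # hidden regardless of the user's folder settings
    if not show_extensions:
        return root          # Explorer's default hides the last known extension
    return filename


def analyze(filename, show_extensions=True):
    """Compare what the user sees with what Windows will actually run."""
    _, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    shown = displayed_name(filename, show_extensions)
    _, apparent_ext = os.path.splitext(shown)
    apparent_ext = apparent_ext.lower()
    # Disguised = launchable for real, but what the user sees ends in
    # something else (a plain "setup" with no visible extension is not a lie).
    disguised = (real_ext in EXECUTABLE
                 and apparent_ext not in ("", real_ext)
                 and apparent_ext not in EXECUTABLE)
    return {
        "name": filename,
        "displayed_as": shown,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "hidden_by_windows": real_ext in ALWAYS_HIDDEN,
        "disguised_executable": disguised,
    }


def flag_attachments(filenames, show_extensions=True):
    """Names a mail gateway or EDR rule should quarantine for review."""
    return [f for f in filenames
            if analyze(f, show_extensions)["disguised_executable"]]


# Constructed sample attachment names, not taken from any real campaign.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "something.pdf.pif",
    "report_q2.docx.lnk",
    "setup.exe",
    "photos.zip",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        info = analyze(name)
        tag = "DISGUISED" if info["disguised_executable"] else ""
        print(f"{name:22} shown as {info['displayed_as']:20} "
              f"runs as {info['real_ext'] or '-':5} {tag}")
```

Note the `show_extensions=False` case: with Explorer's default setting, a plain `invoice.pdf.exe` is just as deceptive as the .PIF variant, because the last extension is hidden either way. The .PIF trick matters because it survives the one defensive setting most admins know to turn on.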
|
Warm Regards, Stu Sjouwerman