CyberheistNews Vol #6 #23



[ALERT] 93% Of Phishing Attacks Now Have Ransomware Payloads
Stu Sjouwerman

Oh boy. Things have gone from bad to worse in an awful hurry.

I remember the first time I reported on ransomware in the CyberheistNews Issue Feb 11, 2014, where an attorney's office file server was encrypted due to an employee opening an infected phishing attachment. I have to give him credit, the man bravely stepped forward to explain this problem to the world on TV.

Fast forward to June 1, 2016, and CSO has an article about a PhishMe report which reveals that a whopping 93 percent of all phishing emails contain ransomware. To make matters worse, endpoint security tools are not keeping up with the now more than 100 different ransomware strains.

CSO's Maria Korolov summarized the report with the following: "That was up from 56 percent in December, and less than 10 percent every other month of last year. And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015."

Soft Targeting

She continued with: "In addition to the spike in the number of ransomware emails, one variant that's seeing increasing popularity is the "soft targeted" phishing message. It's somewhere between a business compromise email or spearphishing attack, which is targeted at one specific executive, and the general-purpose spam email that goes out to everybody. The soft targeted phishing email targets people in a particular job category, but may include some customization, such as the name of the recipient in the salutation.

"This has been a creeping trend for a while now," said Brendan Griffin, Threat Intelligence Manager at PhishMe. For example, a popular type of phishing email is the resume email, which supposedly has a resume from a job applicant in the attachment.

Recipients who don't work in human resources or other jobs where they hire people would either ignore it, or forward it on to the appropriate person at the company. Other job functions can be targeted as well. Other common types of soft targeted phishing emails are billing, shipping and invoice-related messages."

Asymmetric Warfare

The term "soft targeting" is adapted from asymmetric warfare where guerrilla forces or terrorists attack civilians -- often in other areas -- as opposed to attacking the military opposing force. I think the term applies in cyberwarfare as well, and is an apt description of what the bad guys are doing.

It's Here. Mass Customized Spear Phishing

I have been warning in many of these issues that, with the emergence of a well-developed internet underground economy and sophisticated criminal bad actors, this was inevitable. I'm surprised it has not happened earlier, and this is only the beginning. Since practically everyone's personal, confidential data has been hacked and a large part of your work history is available through LinkedIn, it's easy to merge-purge databases and send highly targeted spoofed phishing attacks.

Can Your Domain Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? If so, they can launch a "CEO fraud" spear phishing attack on your organization, supposedly coming from Human Resources, the CEO or perhaps the mail room, and social engineer your users to click on a link.

That type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test. It's quick, easy and often a shocking discovery.

Get your complimentary domain spoof test now.
https://info.knowbe4.com/domain-spoof-test-eb
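The check behind the question above, as an added PowerShell example that is not part of the original newsletter and not KnowBe4's Domain Spoof Test: it reads a domain's SPF and DMARC TXT records and reports whether a policy-honouring receiver would accept mail with a forged From: address in that domain. The sample records at the bottom are constructed, the domain names are placeholders, and the live lookup assumes the Windows DnsClient module (Resolve-DnsName).

```powershell
# Added example, not KnowBe4's Domain Spoof Test: read the SPF and DMARC TXT
# records a receiving mail server consults before trusting mail that claims to
# come from your domain, and report whether the visible From: can be forged.
# Constructed sample records are at the bottom; Get-DomainSpoofPosture does a
# live lookup (Resolve-DnsName, Windows DnsClient module) for a real domain.

function Test-SpoofPosture {
    param([string]$Domain, [string[]]$ApexTxt, [string[]]$DmarcTxt)

    # SPF: the qualifier on the terminal "all" decides what unlisted senders get.
    $spf = $ApexTxt | Where-Object { $_ -match '^v=spf1\b' } | Select-Object -First 1
    $spfAll = 'missing'
    if ($spf -and $spf -match '(?:^|\s)(?<q>[-~?+]?)all\b') {
        $spfAll = switch ($Matches.q) { '-' { 'fail' } '~' { 'softfail' } default { 'neutral/pass' } }
    }

    # DMARC: p= is the action receivers take when SPF/DKIM fail alignment.
    $dmarc = $DmarcTxt | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    $policy = 'missing'
    if ($dmarc -and $dmarc -match '(?:^|;)\s*p=(?<p>none|quarantine|reject)') { $policy = $Matches.p }

    # SPF checks the envelope sender, not the header From:, so only an enforcing
    # DMARC policy actually stops a forged From: address at the receiver.
    $spoofable = $policy -notin @('quarantine', 'reject')
    $reason = 'SPF -all and DMARC enforcement present'
    if ($policy -eq 'missing') { $reason = 'no DMARC record' }
    elseif ($policy -eq 'none') { $reason = 'DMARC p=none is monitor-only' }
    elseif ($spfAll -ne 'fail') { $reason = "DMARC enforces, but SPF ends in $spfAll" }

    [pscustomobject]@{ Domain = $Domain; SpfAll = $spfAll; DmarcPolicy = $policy
                       Spoofable = $spoofable; Reason = $reason }
}

function Get-DomainSpoofPosture {
    param([string]$Domain)
    # Long TXT records arrive as 255-byte chunks; join the chunks of each record.
    $apex  = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { -join $_.Strings }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { -join $_.Strings }
    Test-SpoofPosture -Domain $Domain -ApexTxt @($apex) -DmarcTxt @($dmarc)
}

# Constructed samples: softfail SPF with no DMARC is spoofable; -all plus
# p=reject is not. Placeholder domains, not real records.
Test-SpoofPosture -Domain 'weak.example' -ApexTxt @('v=spf1 include:_spf.mail.example ~all') -DmarcTxt @()
Test-SpoofPosture -Domain 'strong.example' -ApexTxt @('v=spf1 mx -all') `
                  -DmarcTxt @('v=DMARC1; p=reject; rua=mailto:dmarc@strong.example')
```

A DMARC policy only protects you if the receiving side enforces it, so a result of "not spoofable" here still says nothing about receivers that ignore DMARC or about look-alike domains.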

Scam Of The Week: FBI Warns Against Email Extortion

Your employees are being attacked both in and outside the office. This new email extortion scam can hit in both places, so it makes sense to warn them about this ahead of time and prevent a variety of trouble.

The FBI’s Internet Crime Complaint Center (IC3) warned that e-mail extortion campaigns have heated up in recent weeks.

The IC3 said the recent uptick in email extortion comes from the data breaches at organizations like Ashley Madison, the IRS, Anthem, and many others where millions of records with (sometimes highly) personal information have been stolen.

With extortion e-mail scams, attempted victims are told that if a ransom is not paid, their personal information like name, phone number, address, credit card data, and other confidential details will be "outed" to all the victim's social media contacts, family, and friends.

The recipient is instructed to pay in Bitcoin and is typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins, which amounts to about 400 to 1,500 dollars depending on the exchange rate.

Here is some copy at the KnowBe4 blog I recommend you send in an email to your employees. You're welcome to copy/paste/edit:
https://blog.knowbe4.com/scam-of-the-week-fbi-warns-against-email-extortion

This Week's Ransomware Roundup

UltraDeCrypter Ransomware DOES NOT Decrypt Your Files

KnowBe4 gets regular calls from system admins who found us on the internet and are between a rock and a hard place: backups failed and they have no way to revert to normal files. Worse, there is now a ransomware strain called UltraDeCrypter which simply does not deliver the decryption routine after you pay. We have tried this twice, and both times they took the money and ran.

I'm sure that these crooks are incurring the wrath of the other criminal players in the ransomware racket, but in the meantime, if you see this screen and have no backups, you are truly hosed. Here is what this ransomware, which does NOT deliver the decryption file once you pay, looks like:
https://blog.knowbe4.com/ultradecryptor-ransomware-does-not-decrypt-your-files

BadBlock Will Encrypt Windows Executables And Brick Your Box

Another strain called BadBlock goes so far as to encrypt not only your data files but also the executables on your machine. That means that once OS files are encrypted the machine no longer boots, and a bricked system cannot even be used to pay the ransom.

The cybercriminals behind BadBlock demand a ransom of 2 Bitcoin, but victims can decrypt their files without paying, thanks to Emsisoft's security researcher Fabian Wosar. He has made a complimentary tool that is able to decrypt files encrypted by BadBlock. More:
http://www.myce.com/news/badblock-ransomware-damages-windows-wont-boot-anymore-79598/

Blackshades Ransomware Targets US, Russians And Taunts Researchers

Researchers who dig deep through the code of one of the latest strains of ransomware might be surprised and even a little irked at what they find. Hidden inside some of those strings of code are taunts aimed at them.

According to Lawrence Abrams, who runs BleepingComputer.com, the malware, BlackShades Crypter a/k/a SilentShades, was spotted late last month by a researcher who goes by the name Jack, targeting users in both the United States and Russia.
http://www.bleepingcomputer.com/news/security/black-shades-ransomware-encrypts-your-pc-and-taunts-security-researchers/

Breaking Down A PowerShell Ransomware - And Decrypting The Files

The folks at VMRay tear apart a PowerShell-based ransomware strain that uses phishing email as its infection vector, and show how the encrypted files can be recovered. Really interesting writeup. More:
https://www.vmray.com/powershellransomwarepowerware/

Don’t Miss The June 8 Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, June 8, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
  • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
  • NEW EZXploit™ functionality that allows an internal, fully automated "human pentest".
  • NEW USB Drive Test™ allows you to test your user’s reactions to unknown USBs found.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/8234040645064891650

[INFOGRAPHIC] Don't Be The Victim Of A Cyberheist

We have created a new infographic for your users, as part of your ongoing security awareness program. It's a good reminder how to stay safe online, and to keep their awareness levels at the appropriate level... HIGH!

You can attach this to an email, print it, make posters of it, or even fit the graphic in a screen saver. Downloads (Small and Large) here:
https://blog.knowbe4.com/infographic-dont-be-the-victim-of-a-cyberheist

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Science cannot solve the ultimate mystery of nature. And that is because, in the last analysis, we ourselves are a part of the mystery that we are trying to solve."
- Max Planck - Physicist (1858 - 1947)

"The search for the truth is the most important work in the whole world, and the most dangerous."
- James Clavell - Writer (1924 - 1994)


Thanks for reading CyberheistNews


Security News
Can You Prevent Ransomware Infections With Microsoft's FSRM Tool?

On the SpiceWorks How-To section, someone wrote: "In this how-to I'm going to show you how to install File Server Resource Manager using PowerShell on Windows Server 2008/2012. I'm then going to show you how to configure it to prevent your company files from being encrypted by ransomware."

Here is the link and the how-to in detail:
https://community.spiceworks.com/how_to/128744-prevent-ransomware-by-using-fsrm?source=start&pos=3

I asked myself how effective this would be, and asked Bret Lowry, the lead developer of a dedicated anti-ransomware tool called Windows Anti Ransomware (WAR). Find it at https://www.winpatrol.com/

He said: "As I read this article, I could not help but think about the recent exposure of the anti-ransom solution that BitDefender was employing. They would simply create the file(s) the ransomware created to note that a system was already infected to prevent infecting a system a second time.

By doing so, an initial attack would see the files and disarm itself w/o attacking. Ingenious? Yes! Did I wish I thought of it? Oh yeah! But, the problem with such a solution is that it only works until the trick is exposed. Once exposed, the solution becomes worthless because ransomware authors will simply adjust their strategy.

The use of FSRM in preventing encryption by ransomware smacks of the same type of "trickery". It is an ingenious and clever way of preventing attacks from old/outdated ransomware. However, as soon as ransomware authors hear of this method of prevention they will circumvent it leaving the FSRM strategy virtually ineffective.

What will prevent ransomware authors from simply encrypting a file and leaving the file extension as-is? They don't have to change the file names or extensions, I think some do it simply for the effect it creates to see their signature on every single one of your files. It is sobering to see an infected filesystem.

However, ransomware only plays by the rule, "Pay us or lose your data." Once ransomware authors are aware of this strategy, the FSRM solution will be helpless in a ransomware attack and even if an administrator receives an email every time a file is changed their email system will get overloaded in an attack and their data will be encrypted before they'll be able to react.

The conclusion paragraph of this article saved it by stating, "Do not solely rely on FSRM for protection against ransomware. Use a multi-layered strategy for optimum security." Layered security is definitely what is required against ransomware because they play by their own rules and will use any means possible to achieve their goal."

The concept of layered security comes from the principles of Defense In Depth. Learn more:
https://www.knowbe4.com/resources/defense-in-depth/
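The setup the how-to describes, as an added PowerShell example that is neither the Spiceworks article's script nor KnowBe4's code: it installs FSRM, builds a file group of ransomware name patterns and puts an active, mail-notifying file screen on a share, with the limitation Bret Lowry describes noted in the comments. All host names, paths, addresses and patterns are assumed placeholders.

```powershell
# Added example, not the Spiceworks how-to's own script: install FSRM with
# PowerShell (the cmdlets need Server 2012 or later) and put an active file
# screen on a share so that a write matching a known ransomware name pattern is
# refused and the admin is e-mailed. Server name, share path, SMTP host,
# addresses and patterns are placeholders for your own values.

# 1. Role service plus the FileServerResourceManager cmdlets.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 2. Mail settings; the [Admin Email] macro below resolves to AdminEmailAddress.
Set-FsrmSetting -SmtpServer 'smtp.corp.example' `
                -AdminEmailAddress 'secops@corp.example' `
                -FromEmailAddress 'fsrm@fs01.corp.example'

# 3. A file group holds the name patterns the screen matches on. These four are
#    illustrative; a real list is long and must be refreshed as strains appear,
#    and a strain that keeps the original file names, the weakness Bret Lowry
#    points out above, never matches a screen like this at all.
$patterns = @('*.locky', '*.zepto', '*.cerber', '*_HELP_instructions.html')
New-FsrmFileGroup -Name 'Ransomware name patterns' -IncludePattern $patterns

# 4. E-mail action. RunLimitInterval (minutes) throttles repeat mails for the
#    same event, which keeps the mailbox usable while thousands of files are hit.
$mail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email]' `
    -Subject 'FSRM blocked [Source Io Owner] writing [Source File Path]' `
    -Body 'Screen on [File Screen Path] fired on [Server]; isolate the client.' `
    -RunLimitInterval 30

# 5. An active screen denies the write; without -Active it only logs and mails.
New-FsrmFileScreen -Path 'D:\Shares\Finance' `
    -IncludeGroup 'Ransomware name patterns' `
    -Notification $mail -Active

# 6. Confirm what is enforced on the share.
Get-FsrmFileScreen -Path 'D:\Shares\Finance' | Format-List Path, Active, IncludeGroup
```

Treat the screen as an early-warning layer next to tested offline backups, not as the control that stops an outbreak.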

Federal Reserve Was Hacked More Than 50 Times In The Past Five Years

The Guardian has a good article that caught my attention. However, first of all, you may not know that the United States Federal Reserve is neither Federal nor has it any Reserves. It's a central bank, and we have had a few of these before which were shut down by Congress at the time after much acrimony.

The Guardian picked up a Reuters article and started with: "Cybersecurity reports reveal only a portion of all cyber-attacks on US central bank and identify 51 cases of ‘information disclosure’ involving the Fed’s board.

The Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage”, according to Fed records.

The US central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.

The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures. More:
https://www.theguardian.com/business/2016/jun/01/federal-reserve-hackings-cybersecurity-espionage

New Scam: Hackers Find Bugs, Extort Ransom And Call It A Public Service

Crooks breaking into enterprise networks are holding the data they steal for ransom under the guise that they are doing the company a favor by exposing a flaw. IBM researchers describe the practice as "bug poaching", and it is a growing threat to businesses with exploitable weaknesses.

According to IBM’s X-Force researchers, the new tactic is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as 30,000 dollars in exchange for details on how hackers broke into their network and stole data. See more at:
https://threatpost.com/hackers-find-bugs-extort-ransom-and-call-it-a-public-service/118360/

SANS Announces June 2016 Issue Of OUCH!

They said: "We are excited to announce the June issue of OUCH! This month, led by Guest Editor Francesca Bosco, a privacy lawyer at the United Nations, we focus on encryption. Far too often we tell people to encrypt their information and their devices, but many people do not understand what encryption is, how it works or how to use it. As such, we ask you share OUCH! with your family, friends, and coworkers." Download: English Version (PDF)
http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201606_en.pdf


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • We’re going to Pikes Peak. 1500-hp electric cars racing up the side of a mountain: Ride along with Rhys Millen as he becomes the fastest EV up the side of the mountain. The consequences of getting a corner wrong and going over the side don't bear thinking about. Holy S#!+. Full Screen! Sound Up! 9 minutes of adrenaline!!
      https://youtu.be/nMjsAMlXGBI



