CyberheistNews Vol 6 #29 New Locky Ransomware Strain Encrypts Files Even When Machine Is Offline



Stu Sjouwerman

A new strain of the Locky ransomware can encrypt files even when the code is unable to reach its Command & Control servers. Instead of fetching a unique per-victim encryption key from the C&C server, the new strain falls back to a public key that ships inside the malware itself. This is a worrisome fallback position: network controls that block the C&C domains, or a machine that is simply offline, no longer prevent the encryption from running. Full story at the KnowBe4 Blog, with a list of 11 things you can do to block ransomware attacks:
https://blog.knowbe4.com/locky-ransomware-encrypts-files-even-when-machine-is-offline
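Added example (not part of the original newsletter, the linked blog post, or Locky's own code): the hybrid-encryption pattern that an embedded public key makes possible, which is why the offline variant needs no key exchange with its C&C. The program makes no claim about Locky's actual cipher choices; it uses RSA-OAEP to wrap a random per-file AES-256-GCM key. The key pair, the sample plaintext, and the "victim" and "attacker" roles are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is everything an offline encryptor leaves behind: a fresh
// per-file AES key wrapped to the embedded RSA public key, plus the
// AES-GCM nonce and ciphertext. None of it helps without the private key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptOffline uses only pub, the public key baked into the binary.
// No C&C round trip is needed to obtain a key, which is why blocking
// the C&C domains does not stop this kind of variant from encrypting.
func EncryptOffline(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // AES-256 key, random per file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the per-file key with RSA-OAEP. Only the matching private key,
	// which never leaves the attacker's side, can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the attacker-side operation: unwrap the file key with the
// private key, then open the AES-GCM ciphertext. A wrong private key
// fails at the OAEP step rather than producing garbage plaintext.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed stand-in for the attacker's key pair; in the real scheme
	// only the public half is present on the victim machine.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: quarterly-report.xlsx contents")
	env, err := EncryptOffline(&attacker.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes with no network access\n", len(env.Ciphertext))

	// Anyone without the attacker's private key gets an error, not plaintext.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := Decrypt(other, env); err != nil {
		fmt.Println("wrong private key:", err)
	}
	plain, err := Decrypt(attacker, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker recovers: %q\n", plain)
}
```

The defensive takeaway is the one the article draws: once the key material is embedded, stopping C&C traffic buys you nothing, so the controls that still matter are the ones in front of execution (blocking the delivery vector, user awareness) and behind it (tested offline backups).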

Scam Of The Week: Pokémon Malware, Muggings And Other Mayhem

In case you just came back from vacation, there is literally a new craze going on with an augmented-reality smartphone app called Pokémon Go. It's a geocaching game, meaning it's tied to real-world locations.

It's a smash hit that sends people out onto the street to catch virtual creatures at real-world locations called Pokestops; the creatures can then be trained and traded.

However, the game's rapid rollout and breakaway success have their risks. It's from Niantic, a Google spin-off that also makes the very popular multiplayer game Ingress, but Pokémon Go has immediately hit several security and privacy-related speed bumps, and not all of them are virtual.

First: Muggings

In this game, players can meet in real life using the Pokestop feature to do virtual battle, and police in O'Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them. Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects - one of whom was a juvenile - who were in a BMW.

Second: The Google Login Permissions Problem

Many security researchers have been warning that the initial release of the Pokémon Go app is granted far more access, including to the Google account used to sign in, than the game needs, which is a possible privacy risk. Some information security experts - such as Veracode CTO Chris Wysopal - have even been urging users to create "burner" Apple or Google accounts that get used only with the game.

Third: Trojanized Apps

Within 72 hours of the Pokémon Go release, bad guys had Trojanized the legitimate (free) Android app to include malware and distributed it via unofficial, third-party app stores, researchers at security firm Proofpoint said.

The malicious Android application file "was modified to include the remote access tool called DroidJack - also known as SandroRAT, which would virtually give an attacker full control over a victim's phone," the researchers warn in a blog post.

Gaming websites have begun publishing instructions on how users can download the app, including by side-loading it - installing the APK from outside Google's official app store - which is exactly the path a Trojanized copy relies on.

Proofpoint said: "In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk."

Send this to your employees, friends and family:

You have probably heard about the new Pokémon Go app. It's going viral and sends people out onto the street to catch these little virtual creatures. There are some risks if you have the "gotta catch 'em all" fever.

First, please stick to the vetted app stores and do not download the app from anywhere else. Why? Bad guys have taken the app, infected it with malware, and are trying to trick you into downloading it from untrustworthy websites.

Second, anyone using the app, and especially kids, should be VERY careful not to be lured into a real-world trap that could lead to a mugging or abduction. Other players can track you in the real world using this app, so be careful.

Third, there are possible privacy issues if you use your Google account to log into the app. Create a throw-away account and use that to log into Pokémon, not your private or business account.

Last but not least, Pokémon Go is a free app, so do not fall for emails that claim you have to buy an upgraded version for a monthly fee!

As always, Think Before You Click!


Let's stay safe out there.

(For KnowBe4 customers, we have a few simulated phishing templates you can send to employees to inoculate them against social engineering attacks using Pokemon Go as clickbait.)

THE BOOK TO READ this summer: Chaos Monkeys

An at once hilarious and highly instructive dissection of the Silicon Valley casino. Chaos Monkeys was written by a high-tech entrepreneur who founded a startup through Y Combinator and then worked for Facebook and Twitter. It's warmly recommended if you want to learn about the internals of high-tech companies and what it means to be an entrepreneur in Silicon Valley. Read it on Kindle. Here is the link to Amazon:
www.amzn.com/B019MMUAAQ

The Value Of A Hacked Company

Brian Krebs had a great post. This is good ammo if you are requesting more InfoSec budget. "Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.

If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys. This is the graph...
http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/

See What Customers Are Saying About KnowBe4 At Gartner

We will sit here all day and tell you about how KnowBe4 is a great way to manage the ongoing problem of social engineering and train your employees to make smarter security decisions. But don't take our word for it - take a look at the new Gartner reviews site called PeerInsights and compare us to our competitors:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Once we believe in ourselves, we can risk curiosity, wonder, spontaneous delight, or any experience that reveals the human spirit."- E. E. Cummings

"If you wish to drive a car successfully it requires most attention forward - with a few quick glances to the side and at the rearview mirror - Successfully driving your life is the same."- Chase LeBlanc


Thanks for reading CyberheistNews


Security News
The Fine Art Of Not Being Stupid - Blocking Ransomware

Brian Honan wrote a GREAT post at HelpnetSecurity. On our blog we have a cross-post of his excellent article with a great list of things to block ransomware.

"There is a phrase I am finding quite relevant lately. It is attributed to the philosopher George Santayana and it goes like this: “Those who cannot remember the past are condemned to repeat it.” The reason it comes to my mind a lot these days is the headlines we are seeing relating to the latest ransomware attacks against companies’, hospitals’ and government departments’ systems."

The basic message of this article is fairly simple: the key to stopping the latest "sophisticated" attacks by the bad guys is not to get distracted by dazzling new (and expensive) security solutions, but rather to simply STOP BEING STUPID.

In other words, learn from past failures and take basic, no-brainer steps to protect your organization. There's a useful checklist of basic steps to take, the last of which is: "Run regular security awareness campaigns to enable users to identify and deal with potential threats."

Conclusion:

"In my mind ransomware is not an indication of how attackers have become more sophisticated but a reflection of how we have failed as an industry to effectively implement basic security controls. So instead of looking for a silver bullet to ease our security woes, let’s look at the past and learn from our mistakes instead of repeating them again and again."

Here is the blog post with the list of things to block ransomware:
https://blog.knowbe4.com/the-fine-art-of-not-being-stupid-security-awareness-training

Looks Like It Is Official...Ransomware A Data Breach Per HIPAA

According to new Health Insurance Portability and Accountability Act (HIPAA) guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance "describes ransomware attack prevention and recovery from a healthcare sector perspective, including ... how HIPAA breach notification processes should be managed in response to a ransomware attack."

John Pescatore at SANS commented the following: "The HHS guidance basically says that if an attacker was able to encrypt files containing PHI, then the attacker has both "acquired" the files (which requires notification) or has impacted the information owner's ability to access their own data and the business ability to maintain the integrity of the data, also requiring notification.

Note that this last condition means that disclosure would be required even if you had encrypted the files before the ransomware attack encrypted them a second time! The guidance does point out that you can still perform a risk assessment justifying your belief that a disclosure would not be required."

Here is the relevant HHS PDF. (Point 5) "The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule."
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

You can count on other regulations to follow in the near future. More at DarkReading:
http://www.darkreading.com/vulnerabilities---threats/new-hipaa-guidance-tackles-ransomware-epidemic-in-healthcare/d/d-id/1326291

Cybercrime Overtakes Traditional Crime In UK

In a notable sign of the times, cybercrime has now surpassed all other forms of crime in the United Kingdom, the nation's National Crime Agency (NCA) warned in a new report. It remains unclear how closely the rest of the world tracks the U.K.'s experience, but the report reminds readers that the problem is likely far worse than the numbers suggest, noting that cybercrime is vastly under-reported by victims. More at Krebsonsecurity:
http://krebsonsecurity.com/2016/07/cybercrime-overtakes-traditional-crime-in-uk/

Why You Shouldn't Pay The Ransomware Fee

CSO has a good article about the controversy of paying or not paying. They started out with: "While most of the decision makers would likely prefer to hear a simple yes or no when asking if they should pay, nothing in security is simple. By and large, the position of many leaders in the industry is that the ideal situation is not to pay.

Security experts across the industry would like to see all enterprises, large and small, be prepared for a hit so that they can recover their data without paying a ransomware fee. The question of whether to pay the ransomware fee is tricky, though, as sometimes organizations are left with no other options. More:
http://www.csoonline.com/article/3092278/backup-recovery/why-you-shouldnt-pay-the-ransomware-fee.html

How Do I Make A CEO Fraud Phishing Template

There’s been a major increase in what the FBI calls Business Email Compromise, also known as CEO fraud, amounting to losses in the billion dollar range.

KnowBe4 has been warning against this kind of threat for a while now, and our platform is able to simulate CEO fraud phishing attacks to inoculate your employees against this type of attack.

The following is recommended when creating a CEO fraud template, this is a link to KnowBe4's Zendesk support site:
https://knowbe4.zendesk.com/hc/en-us/articles/222636687

