CyberheistNews Vol 6 #33
Ransomware Roundup: Fresh Strains And New Nasty Features
The ransomware market is rapidly maturing: we are starting to see upgraded strains and rebranded versions sold cheaply on the Dark Web. And mainstream media have finally glommed on after years of being oblivious, trumpeting that the FBI recently projected that losses caused by ransomware infections could reach a billion dollars in 2016 alone. Here is your July ransomware roundup.
Upgraded Strains
CryptXXX
You, yes, YOU could be an infection vector, making your customers a ransomware victim.
In late July, thousands of legitimate WordPress business sites were hijacked by a botnet named SoakSoak to deliver ransomware to anyone who visited their website. If you are running WordPress as your website or blog platform, you really want to upgrade to the very latest version and minimize your plugins to make the attack surface as small as possible. The hijacked websites were redirecting visitors to a compromised site, where the payload was the very latest CryptXXX, one of the more infamous ransomware strains.
Cerber
The leading cybermafias are furiously innovating to stay ahead of the copycats. Cerber has updated its code numerous times, for example adding DDoS functionality and the use of double-zipped Windows Script Files (WSFs) to evade detection. July saw the release of Cerber's latest variant, which put Office 365 users in homes and in businesses in the crosshairs of attack.
The attack vector? Phishing with Office documents laced with macros. Once your user opens the attachment, Cerber encrypts 442 file types using combined AES-256 and RSA encryption. This new strain was also pushed by the Rig and Magnitude exploit kits, both of which are using 0-day vulnerabilities.
Two Ransomware Strains Are Copycats of Earlier Families
Stampado
In mid-July a new ransomware type surfaced that has some similarities to CryptoLocker and Jigsaw in terms of functionality. Stampado (detected by Trend Micro as RANSOM_STAMPADO.A) was heavily advertised in the cybercrime underground at 39 bucks, a fraction of the price of malware typically sold in the Ransomware-as-a-Service market, complete with training videos that show how it works. Stampado encrypts files using AES and deletes chunks of the hostage files after a time period lapses without the ransom being paid. Stampado gives a 96-hour deadline before all files get deleted.
CrypMIC
The moment CrypMIC was found, malware researchers immediately saw it was a copycat of CryptXXX, trying to rake in Bitcoin with a copied entry point, ransom note, and even its payment user interface. One twist is that CrypMIC does not append any extension name to files it has already encrypted, which makes it hard to spot which files have been affected.
New Blood: Brand New Strains
cuteRansomware, CTB Faker, Alfa, Ranscam, Hitler and Pokemon.
Six strains reared their ugly heads in the last few weeks.
- cuteRansomware uses Google Docs and other cloud apps to transmit encryption keys and gather user information in order to evade detection.
- Alfa ransomware looks like a descendant of Cerber. The malware scans its infected system's local drives and encrypts over 142 file types, appending a ".bin" extension name to each locked file.
- CTB Faker copycats CTB Locker. This variant is spread via bogus profiles from adult sites that trick users with the promise of access to a password-protected striptease video. The poisoned link then leads to the download of the ransomware hosted on JottaCloud.
- Ranscam was also discovered in July. It threatens to delete files unless a 0.2-bitcoin ransom is paid. The tricky part, though, is that the files are deleted even if the ransom has already been paid, probably due to buggy code, so wait for the next version to fix that.
- Security experts detected and analyzed a new threat, the Hitler ransomware, that doesn’t encrypt files but simply deletes them:
https://blog.knowbe4.com/hitler-ransomware-just-deletes-files-instead-of-encrypting-them
- PokemonGo ransomware installs a backdoor account and spreads to other drives. This strain has some extra scary features, such as adding an admin account and spreading to all removable drives:
https://blog.knowbe4.com/pokemongo-ransomware-installs-backdoor-account-and-spreads-to-other-drives?
All These Strains Rely On Social Engineering
You simply cannot sit back and hope your filters are going to catch it all; they never do. You have to create an additional layer, call it your "human firewall". Thousands of organizations are doing this with great results. Most of you have to do this anyway to be PCI compliant, so why not do it right the first time.
Stepping your users through new-school security awareness training is a must; moreover, it's simply fun to phish your users and train them not to fall for social engineering attacks!
Find out how affordable this is for your organization and be pleasantly surprised. Get A Quote: https://info.knowbe4.com/enterprise_get_a_quote_now
(Hat tip to Trend Micro this month)
Scam Of The Week: New Social Security Account Fraud
Bad guys are abusing the Social Security Administration's (SSA) online service called My SocialSecurity Account in two ways:
1) A phishing scam that encourages employees to create an account. Your user enters all their confidential information at the scammer's site, leaving them open to ID theft and social engineering attacks using that data, and potentially infecting their workstation either in the office or at home.
2) The scammers set up My Social Security Accounts on behalf of people, and change the account to direct the benefits checks to a bank account they control.
Basically, this "My Social Security Account" is very useful. It allows you to set up a personal online account that enables you to view your earnings history, estimates of benefits, change your address or start or change direct deposits of your check into a bank account. The SSA also supports 2-factor authentication, which is good.
However, it's a haven for scammers. Yes, to open an account the SSA requires verification of personal data by asking questions that only the Social Security recipient should know, but this info is easily available to an identity thief, who can open an account in the name of the intended victim.
The introduction of 2-factor authentication does not prevent an identity thief from initially setting up a My Social Security Account in the name of their victim, and we all know that you can social engineer the user to send the 2FA code to the hacker.
What To Do About This
I suggest you send your employees, friends and family the following. You're welcome to copy/paste/edit:
There are two Social Security scams you need to watch out for at the moment.
The first one is where you receive an official-looking email from the Social Security Administration with an invite to create an account so you can receive your benefits. You land on a webpage where the scammers hope you will fill out all your confidential information. Don't fall for it. Never click on links in any of these emails. If you want to sign up for a My Social Security Account go directly to https://ssa.gov/myaccount/
The second scam is where the bad guys actually create an account for someone, and redirect the payments to a bank account controlled by them, not the victim. To prevent this from happening, create your own MySSA account with a strong username and password. This is similar to filing your tax return early before the bad guys file a bogus return and steal your refund.
Another security measure I recommend is that when you create your MySSA account, go to the settings and choose the option that any changes to the bank account into which your check is electronically deposited only be done physically at a Social Security branch office and not using your online account. Note that you may have to travel to that office if you live far away.
Think Before You Click!
KnowBe4 customers will get their "New Template Notification" when we have this ready for you to send to your users and inoculate them against this attack.
Stepping your users through new-school security awareness training is a must; moreover, it's simply fun to phish your users and train them not to fall for social engineering attacks! Find out how affordable this is for your organization and be pleasantly surprised.
Get A Quote: https://info.knowbe4.com/enterprise_get_a_quote_now
Email Accounts Of Hillary Clinton And 100+ Democratic Officials Hacked
As the investigation of the hack into the Democratic National Committee (DNC) broadens, authorities have found that the private email accounts of more than 100 Democratic officials have been breached, according to the New York Times.
American intelligence agencies claimed that Russian hackers were behind incursions which were believed at first to have targeted the DNC and the Democratic Congressional Campaign Committee (DCCC), the group raising money for Democrats. But as the FBI has widened its probe, the scope of the attack appears more extensive.
My take? The Republicans are probably also breached, and a lot of people are going to change their cell phone numbers! More at SC Magazine: http://www.scmagazine.com/email-accounts-of-hillary-clinton-and-100-democratic-officials-hacked/article/515447/?
The Russians Are Coming, The Russians Are Here
A series of reports on the threats posed by Russian hackers and how to respond to them highlight the latest edition of the ISMG Security Report.
In this report, you'll hear:
- ISMG Security and Technology Managing Editor Jeremy Kirk explain why the FBI is better positioned to attribute the source of the attacks that plague Democratic Party servers;
- Homeland Security Secretary Jeh Johnson address steps DHS can take to help local and state governments secure the electoral process;
- Internet Security Alliance Chief Executive Larry Clinton champion the creation of a new U.S. government department focused on cybersecurity;
- BankInfoSecurity Executive Editor Tracy Kitten analyze the breach of Oracle's point-of-sales business MICROS System.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out their Aug. 5 and Aug. 9 reports, which respectively analyze why the United States electoral system should be designated as critical infrastructure and the reopening of the encryption bypass debate.
Check it out here: http://www.govinfosecurity.com/interviews/russians-are-coming-russians-are-here-i-3288?
Warm Regards, Stu Sjouwerman