CyberheistNews Vol 6 #33 Ransomware Roundup: Fresh Strains And New Nasty Features
Stu Sjouwerman

The ransomware market is rapidly maturing: we are starting to see upgraded strains and rebranded versions sold cheaply on the Dark Web. And mainstream media have finally glommed on after years of being oblivious, trumpeting that the FBI recently projected the losses caused by ransomware infections could reach a billion dollars in 2016 alone. Here is your July ransomware roundup.

Upgraded Strains

CryptXXX

You, yes, YOU could be an infection vector, making your customers a ransomware victim.

In late July, thousands of legitimate WordPress business sites were hijacked by a botnet named SoakSoak to deliver ransomware to anyone who visited them. If you are running WordPress as your website or blog platform, you really want to upgrade to the very latest version and minimize your plugins to make the attack surface as small as possible. The hijacked websites were redirecting visitors to a compromised site, where the payload was the very latest CryptXXX, one of the more infamous ransomware strains.

Cerber

The leading cybermafias are furiously innovating to stay ahead of the copycats. Cerber has updated its code numerous times, for example adding DDoS functionality and using double-zipped Windows Script Files (WSFs) to evade detection. July saw the release of Cerber's latest variant, which put Office 365 users at home and in businesses in the crosshairs.

The attack vector? Phishing with Office documents laced with macros; once your user opens the attachment, Cerber encrypts 442 file types using combined AES-256 and RSA encryption. This new strain was also pushed by the Rig and Magnitude exploit kits, both of which use 0-day vulnerabilities.

Two Ransomware Strains Are Copycats of Earlier Families

Stampado

In mid-July a new ransomware type surfaced that has some similarities to CryptoLocker and Jigsaw in terms of functionality. Stampado (detected by Trend Micro as RANSOM_STAMPADO.A) was heavily advertised in the cybercrime underground at 39 bucks, a fraction of the price of malware typically sold in the Ransomware-as-a-Service market, complete with training videos that show how it works. Stampado encrypts files using AES and deletes chunks of the hostaged files after a time period lapses without the ransom being paid. Stampado gives a 96-hour deadline before all files get deleted.

CrypMIC

The moment CrypMIC was found, malware researchers saw it was a copycat of CryptXXX, trying to rake in Bitcoin with a copied entry point, ransom note and even payment user interface. One twist is that CrypMIC does not append any extension to the files it has encrypted, which makes it hard to spot which files have been affected.
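Because a strain like CrypMIC keeps the original file name, an extension-based sweep finds nothing; the content itself has to be inspected. As an added example (not from the newsletter or from Trend Micro), the Python below flags files whose extension promises a known header that is no longer there and whose leading bytes are near-random, which is what in-place AES encryption leaves behind. The MAGIC table, the 7.5 bits/byte cut-off and the sample files are constructed for this example.

```python
import math, os, random, tempfile
from collections import Counter

# Constructed lookup of header bytes for a few common formats (example only).
MAGIC = {
    "pdf": b"%PDF",
    "png": b"\x89PNG",
    "jpg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04",  # OOXML files are zip containers
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """True when a file of a known type lost its header and its first 4 KiB
    are near-random. The 7.5 bits/byte threshold is an assumed cut-off;
    intact compressed formats still pass because their header is present."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext not in MAGIC:
        return False  # unknown type: make no claim either way
    with open(path, "rb") as f:
        head = f.read(4096)
    return not head.startswith(MAGIC[ext]) and shannon_entropy(head) > threshold

def scan(directory: str) -> list:
    """Return sorted names of files under directory that look encrypted."""
    flagged = []
    for root, _, files in os.walk(directory):
        flagged += [n for n in files if looks_encrypted(os.path.join(root, n))]
    return sorted(flagged)

def demo() -> list:
    """Constructed sample: an intact PDF beside one overwritten with seeded
    random bytes (standing in for ciphertext) that kept its .pdf name."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    with open(os.path.join(d, "invoice.pdf"), "wb") as f:
        f.write(random.Random(1234).randbytes(4096))
    return scan(d)  # → ['invoice.pdf']

if __name__ == "__main__":
    print(demo())
```

A real deployment would compare against a baseline of known file hashes rather than a four-entry table, but the header-plus-entropy test is the part that survives a renamed or extension-less strain.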

New Blood: Brand New Strains

Six strains reared their ugly heads in the last few weeks: cuteRansomware, CTB Faker, Alfa, Ranscam, Hitler and Pokemon.

    • cuteRansomware uses Google Docs and other cloud apps to transmit encryption keys and gather user information, evading detection.
    • Alfa ransomware looks like a descendant of Cerber: the malware scans its infected system's local drives and encrypts over 142 file types, appending a ".bin" extension to each locked file.
    • CTB Faker copycats CTB Locker. This variant is spread via bogus profiles on adult sites that trick users with the promise of access to a password-protected striptease video. The poisoned link then leads to the download of the ransomware hosted on JottaCloud.
    • Ranscam, also discovered in July, threatens to delete files unless a 0.2 bitcoin ransom is paid. The tricky part is that the files are deleted even if the ransom has already been paid, probably buggy code, so wait for the next version to fix that.
    • Security experts detected and analyzed a new threat, the Hitler ransomware, that doesn't encrypt files but simply deletes them:
      https://blog.knowbe4.com/hitler-ransomware-just-deletes-files-instead-of-encrypting-them
    • PokemonGo ransomware installs a backdoor account and spreads to other drives. This strain has some extra scary features, such as adding an admin account and spreading to all removable drives:
      https://blog.knowbe4.com/pokemongo-ransomware-installs-backdoor-account-and-spreads-to-other-drives?

All These Strains Rely On Social Engineering

You simply cannot sit back and hope your filters are going to catch it all; they never do. You have to create an additional layer, call it your "human firewall". Thousands of organizations are doing this with great results. Most of you have to do this anyway to be PCI compliant, so why not do it right the first time?

Stepping your users through new-school security awareness training is a must; moreover, it's simply fun to phish your users and train them not to fall for social engineering attacks!

Find out how affordable this is for your organization and be pleasantly surprised.
Get A Quote: https://info.knowbe4.com/enterprise_get_a_quote_now

(Hat tip to Trend Micro this month)

Scam Of The Week: New Social Security Account Fraud

Bad guys are abusing the Social Security Administration's (SSA) online service called My Social Security Account in two ways:

1) A phishing scam that encourages employees to create an account, where your user enters all their confidential information at the scammer's site, leaving them open to ID theft and social engineering attacks using that data, and possibly infecting their workstation either in the office or at home.

2) The scammers set up My Social Security Accounts on behalf of people, and change the account to direct the benefits checks to a bank account they control.

Basically, this "My Social Security Account" is very useful. It allows you to set up a personal online account that enables you to view your earnings history, estimates of benefits, change your address or start or change direct deposits of your check into a bank account. The SSA also supports 2-factor authentication, which is good.

However, it's a haven for scammers. Yes, to open an account the SSA requires verification of personal data by asking questions that only the Social Security recipient should know, but this info is easily available to an identity thief, who can open an account in the name of the intended victim.

The introduction of 2-factor authentication does not prevent an identity thief from initially setting up a My Social Security Account in the name of their victim, and we all know that you can social engineer the user into sending the 2FA code to the hacker.

What To Do About This

I suggest you send your employees, friends and family the following. You're welcome to copy/paste/edit:

There are two Social Security scams you need to watch out for at the moment.

The first one is where you receive an official-looking email from the Social Security Administration with an invite to create an account so you can receive your benefits. You land on a webpage where the scammers hope you will fill out all your confidential information. Don't fall for it. Never click on links in any of these emails. If you want to sign up for a My Social Security Account go directly to https://ssa.gov/myaccount/

The second scam is where the bad guys actually create an account for someone, and redirect the payments to a bank account controlled by them, not the victim. To prevent this from happening, create your own MySSA account with a strong username and password. This is similar to filing your tax return early before the bad guys file a bogus return and steal your refund.

Another security measure I recommend is that when you create your MySSA account, you go to the settings and choose the option that any change to the bank account into which your check is electronically deposited can only be made in person at a Social Security branch office, not through your online account. Note that you may have to travel to that office if you live far away.

Think Before You Click!


KnowBe4 customers will get their "New Template Notification" when we have this ready for you to send to your users and inoculate them against this attack.

Email Accounts Of Hillary Clinton And 100+ Democratic Officials Hacked

As the investigation of the hack into the Democratic National Committee (DNC) broadens, authorities have found that the private email accounts of more than 100 Democratic officials have been breached, according to the New York Times.

American intelligence agencies claimed that Russian hackers were behind incursions which were believed at first to have targeted the DNC and the Democratic Congressional Campaign Committee (DCCC), the group raising money for Democrats. But as the FBI has widened its probe, the scope of the attack appears more extensive.

My take? The Republicans are probably also breached, and a lot of people are going to change their cell phone numbers! More at SC Magazine:
http://www.scmagazine.com/email-accounts-of-hillary-clinton-and-100-democratic-officials-hacked/article/515447/?

The Russians Are Coming, The Russians Are Here

A series of reports on the threats posed by Russian hackers and how to respond to them highlight the latest edition of the ISMG Security Report.

In this report, you'll hear:

    • ISMG Security and Technology Managing Editor Jeremy Kirk explain why the FBI is better positioned to attribute the source of the attacks that plague Democratic Party servers;
    • Homeland Security Secretary Jeh Johnson address steps DHS can take to help local and state governments secure the electoral process;
    • Internet Security Alliance Chief Executive Larry Clinton champion the creation of a new U.S. government department focused on cybersecurity;
    • BankInfoSecurity Executive Editor Tracy Kitten analyze the breach of Oracle's point-of-sale business MICROS Systems.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out their Aug. 5 and Aug. 9 reports, which respectively analyze why the United States electoral system should be designated as critical infrastructure and the reopening of the encryption bypass debate.

Check it out here:
http://www.govinfosecurity.com/interviews/russians-are-coming-russians-are-here-i-3288?

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"It's not that I'm so smart, it's just that I stay with problems longer." - Albert Einstein

"Intellectuals solve problems, geniuses prevent them." - Albert Einstein


Thanks for reading CyberheistNews


Security News
10 Critical Steps To Take In The First 24 Hours Of A Data Breach

The number of high profile data breaches that have hit the media headlines in recent years is certainly a wake-up call to organisations to be more prepared if it happens to them. But it’s not just the high profile ones that are being targeted. It’s all organisations and it’s across all sectors.

Jim Steven explains the 10 critical steps companies should take in the first 24 hours of a data breach on the Finextra blog:
https://www.finextra.com/blogposting/12956/10-critical-steps-to-take-in-the-first-24-hours-of-a-data-breach

How To Block Phishers When They Come A Knockin’

Just like throwing out a fishing line into the water, a phisher waits for just the slightest nibble before pouncing on a network.

Eyal Benishti, CEO of IronScales, says the way to cut off the phishers' food supply is to first go to the core of the issue: employee awareness. The CEO notes that cybercriminals by nature are lazy. "If your organization is a tough nut to crack, they will move on to find more low-hanging fruit," Benishti says.

According to the Verizon data breach investigation report published earlier this year, phishing remains a major data breach weapon of choice. Trend Micro added that ransomware is expected to be one of the biggest threats in 2016 and that a single ransom demand will go much higher, reaching seven figures.

The story continues with 6 best practices but ends with a video that is a good example of old-school thinking that no longer applies. The person interviewed wants to block all URLs for 24 hours before they are let in. Can you imagine the flood of help desk tickets? Check it out here:
http://www.csoonline.com/article/3105890/security/how-to-block-phishers-when-they-come-a-knockin.html?

Does Dropping USB Drives Really Work As An Effective Attack Vector?

Good discussion at Spiceworks about this topic: "Have you ever wondered what percentage of people might plug in a found USB drive? Pretty great study with methods and results found on this slide show. They also explore HID spoofing. Credit to Elie Bursztein, Google anti-fraud and abuse research team lead.
http://www.slideshare.net/elie-bursztein/does-dropping-usb-drives-really-work-blackhat-usa-2016

How many of you are restricting USB ports? Do you use group policy? If not, what do you do?"
https://community.spiceworks.com/topic/1758595-does-dropping-usb-drives-really-work-as-an-effective-attack-vector?

Note that KnowBe4 allows you to create a USB and drop it in high-traffic areas and see who plugs it in.
https://www.knowbe4.com/products/enterprise-security-awareness-training/

Brian Krebs: "Road Warriors: Beware of 'Video Jacking'"

A little-known feature of many modern smartphones is their ability to duplicate video on the device's screen so that it also shows up on a much larger display -- like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping.

Dubbed "video jacking" by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine hijacks the phone's video display and records a video of everything you tap, type or view on it as long as it's plugged in -- including PINs, passwords, account numbers, emails, texts, pictures and videos. More at Krebs' website:
http://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/

Why Healthcare Providers Can’t Let Up On Security Training

Peter Singer, director of the Brookings Institution’s Center for 21st Century Security and Intelligence and co-author of the book “Cybersecurity and Cyberwar: What Everyone Needs to Know,” was quoted in Fortune as saying “Stop looking for others to solve it for you, stop looking for silver bullet solutions and stop ignoring it.”

The “it” healthcare management professionals must address is cybersecurity; the art and science of proactively and reactively protecting your hospital’s data, especially patient health information (PHI).

There’s a saying in IT security circles about how organizations acknowledge the ever-present threat of unauthorized intrusions into their information infrastructures. Basically, it notes at least 95 percent of public and private sector entities admit to having been hacked, while the other 5 percent are liars. Singer suggests 97 percent of all such institutions have been attacked and the remaining 3 percent don’t know it.

Security experts like Singer say the best way to protect and defend against hackers is to train your staff on what to look for and what to do. When he says staff, that means everyone; anyone who touches a keyboard, in an office, at a nurses’ station, wherever there’s connectivity to the IT network. More:
http://www.healthdatamanagement.com/opinion/why-providers-cant-let-up-on-security-training

Weaponizing Data Science For Social Engineering: Automated E2E Spear Phishing On Twitter

I went to see this session while I was attending BlackHat and DEF CON in Vegas. These two guys showed how they found and patched together a bunch of open source code and literally automated spear phishing on Twitter. They invited people in the audience to send a twitter message to a specific address and then they would send back an automated spear phish soon after. This was actually working. Another way to trick users into clicking on stuff that the bad guys soon will have...
https://www.blackhat.com/docs/us-16/materials/us-16-Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-Automated-E2E-Spear-Phishing-On-Twitter.pdf
