CyberheistNews Vol 6 #34 [ALERT] Cerber Ransomware Plague Earns 2 Mil With Just 0.3% Victims Paying Up



Stu Sjouwerman

A new report by Check Point Software's researchers showed that Cerber's Ransomware-as-a-Service (RaaS) affiliate program is a success, with more than 160 participants at current count, and that combined revenue from direct sales plus affiliates was almost 200K in July, despite a victim payment rate of just 0.3%.

That puts it on track to make 2.3 million dollars this year, said Maya Horowitz, group manager of threat intelligence at Check Point.

Aspiring criminal affiliates create their own campaigns using the Cerber platform and keep 60 percent of the profits. They also have access to user-friendly management tools, Cerber's Bitcoin laundering architecture, and obviously the malcode itself. Every day eight fresh Cerber ransomware campaigns are launched, Horowitz said.

"My assumption is that this means that there will be more and more such services, more and more attacks, even more than today," she said. And she is right. Just this week Symantec reported on a new RaaS that competes with Cerber. The new ransomware -- dubbed Shark -- is currently available for no charge in underground forums. Novice hackers who use the tool to extort money from victims pay only a 20% cut to the Shark developers.

Check Point researchers identified the IP addresses that infected machines used for data traffic with their C&C servers. They were also able to easily identify that the bad guys are probably based in or near Russia.

"There are no infections in Russian-speaking countries," she said. "And in the configuration of the ransomware, the authors, as default, chose not to operate on machines or PCs that have Russian as their default language."

This is a tried-and-true strategy of not getting picked up by the FSB, today's equivalent of the KGB. As long as you do not hack inside Russia, the Putin kleptocracy leaves you alone.

Follow The Money

What is interesting is that Check Point was able to extract the exact Bitcoin wallets assigned to every victim so that they could track the percentage of people who actually paid the ransom. The next step was to "follow the money" to one ultimate final central wallet through a network of other wallets that are part of Cerber's Bitcoin obfuscation architecture.

"We followed these hundreds of thousands of different wallets," she said. "I think that this is the first time that security researchers can say for sure what percentage of victims pay the ransom."
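The "follow the money" method described above, as an added illustration that is not Check Point's code: given a transaction graph where each victim has a unique wallet and payments flow through obfuscation wallets to one central wallet, compute the share of victim wallets that were paid and trace the funds to the wallet where they collect. All wallet names and transactions are constructed; the helper names are my own.

```python
from collections import defaultdict

# Constructed sample transfers: (from_wallet, to_wallet, amount_btc).
# "ext:*" wallets belong to the victims themselves (outside the operator's network).
TRANSACTIONS = [
    ("ext:payer1", "victim_007", 1.0),
    ("ext:payer2", "victim_421", 1.0),
    ("ext:payer3", "victim_900", 1.0),
    ("victim_007", "mix_a", 1.0),   # first hop into the obfuscation layer
    ("victim_421", "mix_a", 1.0),
    ("victim_900", "mix_b", 1.0),
    ("mix_a", "mix_c", 2.0),
    ("mix_b", "mix_c", 1.0),
    ("mix_c", "central", 3.0),      # everything lands in one central wallet
]

# Constructed: the ransom notes assigned 1000 unique victim wallets.
VICTIM_WALLETS = [f"victim_{i:03d}" for i in range(1000)]


def paid_victims(transactions, victim_wallets):
    """Victim wallets that received at least one non-zero payment."""
    paid = {dst for _src, dst, amt in transactions if amt > 0}
    return [w for w in victim_wallets if w in paid]


def payment_rate(transactions, victim_wallets):
    """Fraction of assigned victim wallets that were actually paid."""
    return len(paid_victims(transactions, victim_wallets)) / len(victim_wallets)


def follow_the_money(transactions, victim_wallets):
    """Walk outgoing transfers from the paid victim wallets through any number
    of intermediate wallets; return {sink_wallet: total_received} for every
    reachable wallet that has no outgoing transfer (the final collection point)."""
    outgoing = defaultdict(list)
    for src, dst, amt in transactions:
        outgoing[src].append(dst)
    reachable, stack = set(), list(paid_victims(transactions, victim_wallets))
    while stack:                      # depth-first walk of the transfer graph
        w = stack.pop()
        if w in reachable:
            continue
        reachable.add(w)
        stack.extend(outgoing[w])
    sinks = {w for w in reachable if not outgoing[w]}
    totals = defaultdict(float)
    for _src, dst, amt in transactions:
        if dst in sinks:
            totals[dst] += amt
    return dict(totals)
```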

The percentage of people who pay the ransom was surprisingly low compared to earlier estimates by other researchers, but it still pays off handsomely. A small team of four or five specialized cyber criminals can make 300 to 400 grand each per year, which is at least 10 times more than they could make in any legit enterprise where they live.

You wonder if you are in the right business now and then! :-D

FireEye Warns 'Massive' Locky Ransomware Campaign Hits America

The dangerous Locky ransomware is being hurled at a variety of industries, healthcare being the number one target, according to FireEye researcher Ronghwa Chong. We have talked about Locky since it first emerged and this strain is as nasty as it gets. "Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware," Chong stated in a blog post.

"The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry. The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing." On the KnowBe4 blog is a graph of the volume by day and the payloads.

Ransomware mafias have shifted to DOCM format attachments, and each email carries a unique campaign code used to download Locky from a command and control server to the victim machine. Chong warned: "These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations." We would agree :-)

Security firm Proofpoint recently confirmed that 69% of email attacks that used malicious document attachments featured Locky ransomware in Q2, compared to 24% in Q1. Last month Locky claimed the top spot for email-based malware in Q2, overtaking Dridex.

So why did FireEye take an interest in what is really a run-of-the-mill Locky ransomware campaign -- the kind that has been going on every week since, say, April or May? Here's a good guess looking at the following headline in Fortune Magazine: "What FireEye's Stock Crash Says About Hacking."
http://fortune.com/2016/08/05/fireeye-stock-feye-earnings/

Key quote: Mandia said that widespread and persistent breaches designed to spy on a large number of computers—characteristic of cyberespionage and attacks by nation states—are declining, as hackers increasingly turn to ransomware and “extortion attacks,” often in an attempt to steal money, but then exit the network quickly.

“That complexity isn’t that high in ransomware attacks where it’s obvious how you scope it, and what you do about it is sometimes less complex than the tenacious attacks by state-level actors and folks who want to maintain access,” he said.

Of course, that’s not good for FireEye, whose business model is based on responding to those large-scale breaches and selling security software to protect against and detect such threats.

In other words, the APT threat proved to be overblown. It's mass-distributed malware (esp. ransomware) that most companies and organizations have to worry about.

All These Ransomware Strains Rely On Social Engineering

You simply cannot sit back and hope your filters are going to catch it all; they never do. You have to create an additional layer, call it your "human firewall". Thousands of organizations are doing this with great results. Most of you have to do this anyway to be PCI compliant, so why not do it right the first time?

Stepping your users through new-school security awareness training is a must, and moreover it's simply fun to phish your users and train them not to fall for social engineering attacks!

Find out how affordable this is for your organization and be pleasantly surprised.
https://info.knowbe4.com/enterprise_get_a_quote_now

A Hacker’s Best Friend Is A Helpful Employee

Remember the CyberheistNews issue two weeks ago where I reported on my trip to Black Hat and DEF CON? I talked about the social engineering contest where people get 25 minutes and attack a company using just the phone.

Well, a USA Today reporter was there who wrote a very useful article that you can send to your executives.

It explains in detail how social engineering over the phone works and indirectly how important security awareness training is! Great ammo to get budget, fun, very readable and interesting:
http://www.usatoday.com/story/tech/news/2016/08/15/hacker-social-engineering-defcon-black-hat/88621412/

By the way, I was interviewed by InformationWeek's Dark Reading at Black Hat about ransomware, CEO Fraud, social engineering attacks and awareness training. Hear it straight from the horse's mouth:
https://www.knowbe4.com/bh2016

I Need Your Input For A New Training Module: Safe Travel For Executives

Quite a few customers asked us to create a new training module that helps executives travel more securely, related to their mobile devices.

We did our homework, consulted with Kevin Mitnick and isolated the highest risk factors of traveling with smartphones, tablets and laptops. We have identified 17 items that we'd like to know more about from your road warriors.

These are travel-related IT security measures like:

  • Before you travel
  • While traveling
  • During flying
  • While passing through customs

This survey is 17 simple multiple choice questions, takes 4 minutes and is fully anonymous. Could you send this to your road warriors for them to fill out? That would help us a lot in the creation of this important new module. Here is the link to SurveyMonkey:

https://www.surveymonkey.com/r/safetravelforexecutives

Thank you very much in advance!

Warm regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Five Tips To Help Execute An Employee Training Program

Really interesting how much focus security awareness training is getting in the tech/security press over the past few weeks. Here's another article with some interesting data, with a key quote:

"Experts suggest that employees may forget 50 percent of training information within one hour of a presentation, 70 percent within 24 hours and an average of 90 percent within a week. When you consider this, it is clear that training once a year or on an ad-hoc basis is not sufficient to ensure information security policies and procedures are being followed." More at:
https://www.helpnetsecurity.com/2016/08/18/employee-training-program/

Next, Employee Awareness Training: Key Component Of IT Security Initiatives

"The reality is that the human element has always been, and will always be, the most challenging aspect of security. Whether staff members intentionally skirt security measures that they feel inhibit productivity or inadvertently take actions that open the digital door to bad actors, people are the proverbial weak link. And cybercriminals know that it is much easier to defeat a person than it is to defeat technology." Learn more:
https://www.helpnetsecurity.com/2016/08/15/employee-awareness-training/

And last, here is a thorough write-up on how to integrate KnowBe4's program as part of the security culture of your organization:
https://knowbe4.zendesk.com/hc/en-us/articles/225574347

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"All men who have achieved great things have been great dreamers."
- Orison Swett Marden - Writer (1850 - 1924)

"Boil things down to the most fundamental truths. Then reason up from there."
- Elon Musk. (and yes I drive a Tesla P85D)


Thanks for reading CyberheistNews


Security News
Social Security Administration Reverses Policy To Require Cell Phone Number

OK, remember the SSA Scam Of The Week a few days ago?

Well, the U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov. The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves. Story at Brian Krebs' site [full disclosure, we advertise on this site]:
http://krebsonsecurity.com/2016/08/ssa-ixnay-on-txt-msg-reqmnt-4-e-acct-sry/

Why Doesn’t My Cybersecurity Insurance Cover That?

Quite a few organizations have been very unpleasantly surprised to find out that CEO Fraud, aka Business Email Compromise, is not covered by many cyberinsurance policies. Why? It was a human hack, not a technical hack.

Ryan Francis over at CSO created a 10-page slideshow that goes into more detail, evaluates the different types of risk, and explains why the buyer of such policies better be aware! Warmly recommended:
http://www.csoonline.com/article/3106074/data-protection/why-doesn-t-my-cybersecurity-insurance-cover-that.html?

How These Dirty Scammers Tried To Use LinkedIn To Steal Our Customer’s Passwords

Great blog post from Netragard who *have* trained their customers, and who are forwarding phishy emails to their incident response team. They started out with: "Earlier this morning one of our more savvy customers received an email from noreply@linkedin.com. The email contained a “New Message Received” notification allegedly sourced from CEO Tom Morgan. Contained in the email was a link that read, “Click here to sign in and read your messages”.

Fortunately we had already provided training to this particular customer that covered Social Engineering and Phishing threats. So, rather than click on the link they forwarded the email to Netragard’s Special Project Team, which is like throwing meat to the wolves. The actual email is provided below in figure 1."

Their summary:

"This phishing campaign highlights two specific issues that can both be countered with careful planning. The first is that employees are easy to phish especially when they are outside of the office and not protected by spam filters. This is problematic because employees often reuse the same passwords at work as they do outside of work.

"So stealing a LinkedIn password often provides attackers with access to other more sensitive resources which can quickly result in a damaging breach and access to an organization's critical assets. The solution to this issue is reasonably simple.

"Employees should be required to undergo regular training for various aspects of security including but not limited to Social Engineering and Phishing. Second, Employers should require employees to use password management tools similar to 1Password. Using password management tools properly will eliminate password reuse and significantly mitigate the potential damages associated with password theft." Great story to read:
http://www.netragard.com/dirty-scammers-tried-use-linkedin-steal-customers-passwords

FTC To Host Ransomware Event Sept. 7

The Federal Trade Commission will host a three-panel discussion on ransomware in Washington on Sept. 7 as part of its Fall Technology Series, the agency announced in a press release. FTC Chairwoman Edith Ramirez, FTC Chief Technologist Lorrie Faith Cranor, CIPT, and representatives from organizations like our friends at PhishLabs, Red Canary and the FBI will speak.

“With alarming frequency, ransomware hackers are sneaking into consumer and business computers, encrypting files containing photos, documents and other important data, and then demanding a ransom in exchange for the key needed to decrypt the files.

"Consumers, businesses, and government agencies are falling prey to these schemes, including hospitals whose servers may contain sensitive patient data. New forms of ransomware encrypt files of website operators, threatening not only their files containing stored data, but the very files needed to operate their websites. Other variants of ransomware are now targeting files on mobile devices,” the FTC wrote.

“In addition to the panel discussions, the FTC’s Office of Technology Research and Investigation and New York University’s computer science department will present research based on a study of dozens of ransomware variants,” the report states. This event is free of charge and open to the public:
https://iapp.org/news/a/ftc-to-host-ransomware-event-sept-7/

4 Keys To Getting Funding For Your IT Project

Bart Perkins at Computerworld wrote a very useful article with hints and tips to get budget for an unbudgeted item (like security awareness training).

He started out with: "Many IT leaders complain constantly that they can’t satisfy their users because their budget doesn’t provide enough money for new services. Meanwhile, many unsatisfied users complain that IT should not be given more money until new services are delivered. It’s a vicious circle.

"But there is always money somewhere, especially in a large and established enterprise. According to a recent Fortune magazine survey of private companies’ CEOs, 92% said they have all the cash they need to fund investments. In many cases, even literal bankruptcy isn’t an automatic impediment, since judges will approve expenditures that they believe are important for companies under their protection.

Although the best time to obtain more funding is during the annual budgeting process, money for opportune investments is almost always available throughout the year. The key is to prove that the need is truly compelling. To do that, the following four things must be in place:

  • A compelling business case
  • An involved and committed executive sponsor
  • Credible IT leadership
  • Organizational optimism

Learn more about these four items and how you can use them to your advantage:
http://www.computerworld.com/article/3107244/it-management/4-keys-to-getting-funding-for-your-it-project.html?

