CyberheistNews Vol 6 #38 [ALERT] FBI Warns Ransomware Attacks Are Getting More Dangerous And Expensive



Stu Sjouwerman

In an alert published this week, the U.S. Federal Bureau of Investigation warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users), multiplying the number of infected servers and devices on a network.

Powerful Ammo For Budget

This FBI alert is powerful ammo for budget. It explains one more time what ransomware is, how fast it mutates, and that infections are skyrocketing. It spells out the potential losses -- service disruptions, financial loss, and in some cases permanent loss of valuable data -- and admits that it is challenging for the FBI to keep pace. I strongly suggest you send this link to the decision-making team that holds the infosec purse strings:
https://www.ic3.gov/media/2016/160915.aspx

The FBI only has about 800 cyber agents, just 600 of whom conduct investigations, so the agency cannot address every attack and must triage the most significant ones. You are on your own if the damage is less than a few hundred thousand dollars.

FBI: "Tell Us How Much Ransom You Have Paid"

The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at www.IC3.gov, with the following ransomware infection details (as applicable):

  • Date of Infection
  • Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (e-mail, browsing websites, etc.)
  • Requested Ransom Amount
  • Bad Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.

What To Do About It

"The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack:

    • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
    • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted that some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
    • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
    • Only download software – especially no charge software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
    • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
    • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
    • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
    • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

The FBI also suggests additional considerations for businesses; note the first bullet, which is where we can help you:

    • Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
    • Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
    • Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
    • Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
    • Use virtualized environments to execute operating system environments or specific programs.
    • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
    • Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
    • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy."

One thing missing from the FBI list is email server configuration. We all know that your users are the weak link in your IT security, and one of the very successful tactics the bad guys use is spoofed email addresses. When an email seems to come from a person they know, or from someone in authority, the chance that they fall for an attack increases dramatically.

No-Charge Domain Spoof Test

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test. It's quick, easy and often a shocking discovery. Find out now whether your email server is configured correctly; 82% are not!

Get Started Here:
https://www.knowbe4.com/domain-spoof-test/
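One concrete check behind the "is your email server configured correctly" question is whether the domain publishes SPF and DMARC records that receiving servers will actually enforce. The Python below is an added example, not KnowBe4's Domain Spoof Test or code from this newsletter: it evaluates constructed sample DNS TXT records (the domain names and the lookup function are hypothetical stand-ins) and reports what a spoofed From: header would run into.

```python
import re

# Constructed sample TXT answers for hypothetical domains; nothing here is a live DNS lookup.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": [],
    "monitor.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:reports@strong.example"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query so the example runs offline; swap in a real resolver."""
    return SAMPLE_TXT.get(name, [])

def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' term ('-', '~', '?', '+'), or None without SPF."""
    for rec in records:
        if rec.strip().lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec, re.IGNORECASE)
            # A record with no 'all' term evaluates to neutral, so report it as '?'.
            return (m.group(1) or "+") if m else "?"
    return None

def parse_dmarc(records):
    """Return the tags of the v=DMARC1 record as a dict, or None if there is no such record."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def assess_domain(domain):
    """Judge whether the domain's records let receivers reject a spoofed From: header."""
    spf = spf_all_qualifier(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain))
    findings = []
    # SPF only covers the envelope sender; the From: header users see is tied in by DMARC.
    if spf is None:
        findings.append("no SPF record: any host may use the domain as envelope sender")
    elif spf != "-":
        findings.append(f"SPF ends in '{spf}all': unauthorized senders are not hard-failed")
    policy = (dmarc or {}).get("p", "none").lower()
    pct = int((dmarc or {}).get("pct", "100"))
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
    elif policy == "none":
        findings.append("DMARC p=none: receivers only report, they do not block spoofed mail")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spf_all": spf, "dmarc_policy": policy,
            "verdict": "enforcing" if enforcing else "spoofable", "findings": findings}
```

Against real domains, replace lookup_txt with an actual TXT query; a "spoofable" verdict with a p=none record means you are collecting reports but not yet protecting recipients.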

New Vicious And Highly Targeted Ransomware Attacks Made Public

Here’s an example of a highly targeted ransomware attack, with bad guys using a phony Bank of Montreal (BMO) template to social engineer possible victims into clicking on a malicious attachment.

Chester Wisniewski, a Vancouver-based senior security adviser at Sophos Inc, said: "Literally as I got on the plane I got what looked like a BMO phish, and in fact it was ransomware. It was amazing how well crafted it was because the Web site booby-trapped with the exploit is literally a carbon copy of the BMO online login landing page."

This is a good example of what a SophosLabs blog post earlier this year described: a growing trend among cybercriminals to target, and even filter out, specific countries when designing ransomware and other malicious cyberattacks.

That post, based on data collected from Sophos endpoints, firewalls and gateways, shows attackers are now crafting customized phishing attacks using regional languages, ripped-off logos, and/or impersonating tax and law enforcement agencies. Their tactics include phony shipping notices, refunds, speeding tickets and electricity bills.

Looking for bad grammar or typos to tip you off? Nope, it's all flawless.

Wisniewski added: "Patching and updates are crucial. The latest versions of Microsoft Office are better at stopping document malware, giving admins the ability to disable macros in documents that came from the Internet. Similarly Windows 10 is more secure than Win 7, and using a sandbox and Web filtering are also useful."

The report also said researchers have found that different ransomware strains target specific locations. For example, versions of CryptoWall predominantly hit victims in the U.S., U.K., Canada, Australia, Germany and France. TorrentLocker has attacked primarily the U.K., Italy, Australia and Spain, while TeslaCrypt homed in on the U.K., U.S., Canada, Singapore and Thailand.

And Here Is The Latest Vicious Ransomware Strain

SecurityAffairs just published a new discovery you need to know about: Morphus Labs, a Brazilian infosec research group, discovered a new Full Disk Encryption (FDE) ransomware strain this week, dubbed "Mamba" after the snake with a paralyzing venom.

Mamba, just like Petya, uses a disk-level encryption strategy instead of the conventional file-based one, and simply prevents the OS from booting. Imagine your file servers being hit with this one -- full-disk encryption seems to be becoming a ransomware trend. More:
https://blog.knowbe4.com/meet-mamba-new-full-disk-encryption-ransomware

I Have An Invitation To Join A New Exciting Online Community!

KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We have expanded it with a new exciting online community! I'd like to invite you to be one of the first to join us at:
https://discuss.hackbusters.com

The forum is divided into four main topics or categories:

  • Social Engineering
  • Ransomware
  • Phishing
  • Security Awareness Training

You are welcome to share your thoughts, opinions and ideas in these forums. We look forward to seeing you on our exciting new online community soon! Again, you are invited to be one of the first to join us at:
https://discuss.hackbusters.com

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Whatever you can do, or dream you can, begin it. Boldness has genius, power and magic in it."
- Johann Wolfgang von Goethe, Writer (1749-1832)

"The best time to plant a tree was 20 years ago. The second best time is now."
- Chinese Proverb


Thanks for reading CyberheistNews


Security News
New York Proposes Cybersecurity Regulations For Banks

The Wall Street Journal wrote: "Plan would require banks to hire chief information security officer, implement measures to detect and deter attacks.

"New York Gov. Andrew Cuomo and the state’s top banking regulator proposed regulations Tuesday that would be among the first in the U.S. to require banks to establish cybersecurity programs.

"If implemented, the regulations would increase the onus on some of the world’s largest banks to invest in cyber protections that could cost them and insurers millions of dollars, according to experts. Banks would be required to hire a chief information security officer and implement measures that detect and deter cyber intrusions and protect consumer data.

"The proposed regulations also contain a requirement that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the event. A patchwork of state regulations currently covers when companies must disclose breaches, and many large organizations have kept such attacks secret.

“This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber attacks to the fullest extent possible,” Gov. Cuomo, a Democrat, said in a statement.

"The proposed regulations will be open for public comment for 45 days after which a final version will be issued." Full article at the WSJ:
http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867

Directly related to this is a remark from the intrepid Brian Krebs, InfoSec investigative reporter extraordinaire, who explains the ransomware problem in a nutshell:

"I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined.

"He said the folks in finance didn't bat an eyelash when asked to authorize several payments of 600 dollars to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions -- possibly tens of millions -- of dollars, but for whatever reason the company didn't have backups of it." Full story:
http://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/

Two-thirds Of CIOs Say Threats Increasing, Cite Growth Of Ransomware

Ransomware attacks, in particular, have been rapidly multiplying. Between April 2015 and March 2016, more than 718,500 users were hit with encryption ransomware—an increase of 550% compared to the same period in 2014-2015, according to research from Kaspersky Lab.

CIOs are often responsible for protecting their organization's data from cybercrime attempts. TechRepublic recently polled its panel of IT leaders on cybersecurity threats. When asked, "Do you think the level of internet security threats has increased in the last year?" two-thirds said yes.

N'Gai Oliveras, IT director at the Office of the Comptroller of Puerto Rico, recommends increasing training for end users as one solution.

"In these times, we in senior management need to be more focused on providing more security awareness training to our users, instead of looking for more ways to strengthen our networks," he said. "In my opinion, our users are the most effective line of defense in our networks." Full article at TechRepublic:
http://www.techrepublic.com/article/cybersecurity-two-thirds-of-cios-say-threats-increasing-cite-growth-of-ransomware/

Data Loss Incidents Hit Retailers, Financial Services Firms Hardest

Intel Security's McAfee Labs Threat Report for September 2016 provides insight into the latest security statistics and trends, ranging from botnets to ransomware to malware "zoos."

Large companies (with more than 5,000 employees) on average have 31 to 50 data loss incidents per day, according to the study, which was released Sept. 14. Not surprisingly, financial services and retail companies have more data loss incidents than other industry verticals.

Also of particular note is the unending growth of malware, with McAfee Labs now tracking a malware zoo of more than 600 million samples. A number of specific areas of malware are growing fast, with mobile malware growing to more than 10.5 million samples.

Ransomware is also on the rise, with the total volume of ransomware samples known to McAfee now topping 7 million, a 128 percent year-over-year increase from 2015. Not all forms of malware are growing, though: new Mac OS malware declined by 70 percent during the second quarter. In this slide show, eWEEK examines key takeaways from the September 2016 McAfee Labs Threats Report:
http://www.eweek.com/security/slideshows/data-loss-incidents-hit-retailers-financial-services-firms-hardest.html?mod=djemRiskCompliance

What’s A Data Breach Cost? For The Average Small Business: 86K

IT security companies talk all day about how vital it is to keep your data secure with their products, but sometimes it’s hard to really understand the real-world impact that a security breach can have.

In 2016 Kaspersky Lab together with B2B International conducted a global study of more than 4,000 business representatives from 25 countries, looking at their IT security budgets, the complexity of their infrastructure, attitudes towards security threats and solutions, and the real cost of data breaches and security incidents experienced.

According to the report, the average small business loses 86,000 dollars when someone breaches its security. For larger businesses, this average skyrockets to 861,000 dollars.

The report, Measuring the Financial Impact of IT Security on Businesses, released this week, details the financial impact of security breaches and what companies around the world are doing about it.

Excellent ammo if you need to wrangle budget for new-school security awareness training. Get it at:
https://usblog.kaspersky.com/security_risks_report_financial_impact/

A Single Ransomware Gang Made 121 Million In 2016

Intel Security released its McAfee Labs Threats Report: September 2016, which assesses the growing ransomware threat; surveys the “who and how” of data loss; explains the practical application of machine learning in cybersecurity; and details the growth of ransomware, mobile malware, macro malware, and other threats in Q2 2016.

A single ransomware gang was able to collect 121 million dollars in ransomware payments during the first half of this year, netting 94 million dollars after expenses, according to the report. Presumably this refers to the Locky strain.

"Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs.

Weafer estimated that total ransomware revenues could be in the hundreds of millions. "And that's on the conservative side," he said. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.

Get those users awareness trained!

Another recently released report, this one from Bromium, confirms the most important key findings of the McAfee report. Surveying the past three years of attacks against businesses, Bromium's report ticks off a depressingly familiar list of dangerous trends in the online threat landscape:

    • High profile data breaches are on the rise, with criminal gangs going the extra mile to penetrate corporate networks and pilfer valuable data.
    • Crypto-ransomware attacks are on a steep rise, with dozens of new ransomware families making their debut in 2016 and Locky taking a market-leading position.
    • Exploits (esp. those targeted at Adobe Flash) remain a problem, despite the limited success that software vendors have enjoyed in reducing the number of exploits in popular consumer applications.
    • Online criminals have proven flexible and resourceful in the face of law enforcement take-downs, quickly migrating their operations to newer exploit kits as older ones disappear.
    • Attacks are becoming increasingly sophisticated and complex, making the job of defenders ever more difficult.

Most importantly, however, Bromium's chief security architect, Rahul Kashyap, warns that although new attack methods are always being developed, malicious actors will continue to rely on proven tactics such as social engineering and watering hole attacks, coupling them with constantly morphing malware to effectively "render AV useless." You can read the full report from Bromium here:
https://www.bromium.com/sites/default/files/rpt-bromium-threat-report-1h2016-us-en.pdf

