CyberheistNews Vol 6 #50 [ALERT] New And Scary Double-Ransomware Whammy



[ALERT] New And Scary Double-Ransomware Whammy
Stu Sjouwerman

Sophos reported on one of the scarier ransomware strains I have seen lately. It's called Goldeneye and encrypts the workstation twice: both the files and the Master File Table (MFT).

It's a phishing attack with two attachments. One is a PDF and the other an Excel file. The Excel file contains a loader that pulls down all the malware. The PDF is the social engineering ruse that makes the user open the Excel file. If your user is untrained enough to open both attachments and there are crucial files on the local hard disk without a backup, you potentially get to pay ransom TWICE.

The spam email presents itself as a job application form to be filled out. It comes with an uninfected PDF containing the application to get the process started, and in the PDF is a polite note that the Excel file contains more details -- no explicit demand to open the file... just business as usual.

Opening up the Excel file, you get a suggestion on how to display the aptitude test. Sophos said: "The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

In fact, if you permit macros to run in this Excel file, you will quickly regret it: The VBA downloads a copy of the Goldeneye ransomware and immediately launches it."

The VBA programming language used in Office macros is powerful enough to allow cybercriminals to control Word or Excel programmatically, but also to perform more general actions such as downloading files from the web, saving them to disk, and running them. Yikes.

Full story with screenshots and links at the KnowBe4 Blog:
https://blog.knowbe4.com/new-and-scary-double-ransomware-whammy

SanFran Muni Ransomware Hacker Gets Hacked Back!

A couple of weeks ago, a yet unknown attacker hacked the computer systems of San Francisco’s Municipal Railway, causing a free ride for all that Saturday. The ransomware hacker was then hacked back, and intrepid reporter Brian Krebs was contacted by the anonymous counter-hacker, who took over the email account named in the ransom note left in the attack: “Contact for key (cryptom27@yandex.com)”.

The ransom demanded from the San Francisco Municipal Transportation Agency (SFMTA) was 100 BTC, or 73,184 USD with current exchange rates.

The security researcher who hacked back the Muni hacker broke into the email account by correctly guessing the security question protecting it, then reset the password and locked down the account, including the secondary address, which was cryptom2016@yandex.com.

“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password,” wrote Krebs.

“A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.”

The analysis of the Bitcoin wallets used by the Muni hacker revealed that he earned 140,000 dollars in the last three months. During this period he switched Bitcoin wallets every few days or weeks to thwart investigations.

Most of the attempts of extortion targeted US-based construction and manufacturing companies, and in many cases, the victims appear to have complied with the demands. Full story with links and suggestions on what to do about it at the KnowBe4 Blog:
https://blog.knowbe4.com/sanfran-muni-ransomware-hacker-gets-hacked-back

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"A good conscience is a continual Christmas." - Benjamin Franklin

"I will honor Christmas in my heart, and try to keep it all the year." - Charles Dickens


Thanks for reading CyberheistNews


Security News
New Locky Ransomware Campaign Uses Egyptian Mythology

The threat actors behind Locky ransomware have moved on from Norse gods such as Zepto, Odin and Thor and into Egyptian mythology with a new campaign that uses the extension .osiris when encrypting files.

Operations6 tweeted that this campaign is being distributed through phishing emails with Excel attachments that contain macros to download and install Locky.

We've been warning about this very popular method of delivering ransomware for the past several months. We've even put together a macros warning screen guide to show you the most common examples we see so you know what to watch out for when a phishing email like this lands in your inbox:
https://blog.knowbe4.com/knowbe4s-field-guide-to-macro-warning-screens

The name of the sheet in this particular campaign is in Cyrillic, an indication that the developers are likely located in Russia or Ukraine. If a user actually opens the file, they get a blank screen with a prompt to enable macros. More about this strain at the KnowBe4 blog, with links and screenshots:
https://blog.knowbe4.com/locky-ransomware-campaign-using-osiris-extension-from-egyptian-mythology
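Both the Goldeneye story above and this Locky campaign ride on the same delivery trick: an Excel attachment carrying VBA macros, which the user is talked into enabling. Since an .xlsx/.xlsm file is really a zip container, a mail gateway can see the macro project before the user ever sees the "enable macros" bar. The script below is an added example written for this newsletter, not code from Sophos, Operations6 or KnowBe4: it reads [Content_Types].xml to tell whether a document declares itself macro-enabled or carries a VBA project part, lists worksheet names written in a non-Latin script (the Locky campaign used a Cyrillic sheet name), and returns a hold/allow verdict. The content-type strings are the real ECMA-376/Office values; the helper names, the verdict policy and the sample workbooks (built in memory, containing no macro code) are assumptions made for the example.

```python
"""Triage an OOXML attachment (xlsx/xlsm/docx/docm) at the mail gateway.

Hypothetical helper (added example, not Sophos's, Operations6's or KnowBe4's
code). The content-type strings are the real ECMA-376 / Office values; the
sample workbooks are constructed in memory and contain no macro code.
"""
import io
import unicodedata
import zipfile
from xml.etree import ElementTree as ET

VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_CT = {
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
WB_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def scripts_used(text):
    """Coarse Unicode script set of the letters in a string, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def triage_office_attachment(data):
    """Classify raw attachment bytes; returns findings plus a gateway verdict."""
    result = {"ooxml": False, "macro_enabled": False, "vba_project": False,
              "sheets": [], "non_latin_sheets": [], "verdict": "unknown"}
    if not data.startswith(b"PK\x03\x04"):
        # Not a zip: legacy OLE2 .xls/.doc (or a PDF) needs a different parser.
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result
            result["ooxml"] = True
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            cts = {el.get("ContentType") for el in root.iter()}
            result["macro_enabled"] = bool(cts & MACRO_ENABLED_CT)
            # The VBA project part is what actually carries the macros; check the
            # part name too, in case the declared content types were tampered with.
            result["vba_project"] = (VBA_PROJECT_CT in cts or
                                     any(n.lower().endswith("vbaproject.bin") for n in names))
            if "xl/workbook.xml" in names:
                wb = ET.fromstring(zf.read("xl/workbook.xml"))
                for sheet in wb.iter(WB_NS + "sheet"):
                    name = sheet.get("name", "")
                    result["sheets"].append(name)
                    if scripts_used(name) - {"LATIN"}:
                        result["non_latin_sheets"].append(name)
    except (zipfile.BadZipFile, ET.ParseError):
        result["verdict"] = "review"      # claims to be a zip but cannot be parsed
        return result
    # Gateway policy (assumed): hold macro-bearing documents from outside the
    # organisation for review, so the user never sees the "enable macros" prompt.
    result["verdict"] = "quarantine" if (result["vba_project"] or result["macro_enabled"]) else "allow"
    return result


def build_sample_workbook(macro_enabled, sheet_name):
    """Construct a minimal in-memory workbook (test data, not a malware sample)."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if macro_enabled else
               "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="%s"/>' % main_ct]
    if macro_enabled:
        overrides.append('<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % VBA_PROJECT_CT)
    content_types = ('<Types xmlns="%s"><Default Extension="xml" ContentType="application/xml"/>%s</Types>'
                     % (CT_NS[1:-1], "".join(overrides)))
    workbook = ('<workbook xmlns="%s"><sheets><sheet name="%s" sheetId="1"/></sheets></workbook>'
                % (WB_NS[1:-1], sheet_name))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook)
        if macro_enabled:
            zf.writestr("xl/vbaProject.bin", b"placeholder VBA project container (no code)")
    return buf.getvalue()


if __name__ == "__main__":
    for macro, sheet in ((False, "Sheet1"), (True, "Лист1")):
        print(triage_office_attachment(build_sample_workbook(macro, sheet)))
```

The check deliberately does not try to read the macro source itself: the VBA in vbaProject.bin is stored compressed (MS-OVBA), so a plain string search for "download" or "Shell" would miss it, whereas the mere presence of the project part is a reliable signal. Legacy binary .xls/.doc files come back as "unknown" and need an OLE2 parser.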

Former NSA Director Michael Hayden: "We have a Russia Problem"

I have been saying this here for the last few years, but it's nice to have it confirmed by a former NSA director. The Wall Street Journal just reported that President Barack Obama has instructed U.S. intelligence agencies to investigate hacking activity aimed at meddling in the 2016 election.

The same article includes a video of an interview at WSJ's Future of Cybersecurity breakfast, in which former NSA Director Michael Hayden says the Russians "weaponized" information gleaned from hacking DNC emails to erode America's confidence in our political process, and tells WSJ's John Bussey how the U.S. should retaliate.

This is powerful ammo to send to your C-suite so they can get first-hand information on why it is so important to increase the IT security budget. Here is the blog post, with links and a great backgrounder: Why All This Russian Cybercrime In Five Minutes:
https://blog.knowbe4.com/former-nsa-director-michael-hayden-we-have-a-russia-problem

New Book Coming Soon From Kevin Mitnick For You

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data.

Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, teaches you easy cloaking and counter-measures for citizens and consumers in the age of Big Brother and Big Data.

I was a beta reader for this book, and even if you are an experienced IT pro, you will still learn new things! I warmly recommend reading it. Here is the Amazon promo copy: "Like it or not, your every move is being watched and analyzed. Consumers' identities are being stolen, and a person's every step is being tracked and stored. What once might have been dismissed as paranoia is now a hard truth, and privacy is a luxury few can afford or understand." More:
https://blog.knowbe4.com/new-book-coming-soon-from-kevin-mitnick-for-you

Ransomware Attacks On Business Every 40 seconds

Kaspersky reported that ransomware attacks on businesses increased three-fold over the year, from an attack every 2 minutes in January to one every 40 seconds by October. For individuals, the rate went from one attack every 20 seconds to one every 10 seconds.

With more than 62 new families of ransomware introduced during the year, the threat grew so aggressively that Kaspersky Lab has named ransomware its key topic for 2016.

2016 revealed the extent to which the Ransomware-as-a-Service business model now appeals to criminals who lack the skills, resources or inclination to develop their own. Under the arrangement, code creators offer their malicious product ‘on demand’, selling uniquely modified versions to customers who then distribute it through spam and websites, paying a commission to the creator – the main financial beneficiary.

“The classic ‘affiliate’ business model appears to be working as effectively for ransomware as it does for other types of malware. Victims often pay up so money keeps flowing through the system. Inevitably this has led to us seeing new cryptors appear almost daily,” said Fedor Sinitsyn, Senior Malware Analyst, Kaspersky Lab.

More about the evolution of ransomware in 2016 and an infographic at the Kaspersky Press Center:
http://tinyurl.com/usa-kaspersky

Phishing Reply Tracking Is Now Available for All KnowBe4 Customers

Two of the big cybersecurity attacks are CEO fraud (aka Business Email Compromise), which has caused 3.4 billion dollars in damages, and the W-2 scam, which social engineers Accounting/HR into sending out tax forms. Both attacks have your employees engaging with and replying to the bad guys. To help inoculate employees against this type of attack we are launching a new feature: Phishing Reply Tracking (*).

KnowBe4’s new Phishing Reply Tracking allows you to track if a user replies to a simulated phishing email and can also capture the information in the reply for review within your KnowBe4 admin console. Knowing if users are replying to phishing emails and what they are replying with is an excellent way to make sure users are following the best practices for dealing with phishing emails.

We have created a new category of system phishing templates called “Reply-To Online” which are specifically designed to test whether users will interact with “the bad guys” on the other end. However, the Phishing Reply Tracking also works with any of our existing 500+ phishing templates.

Additional options for this feature include:

  • Store the reply-to content.
  • Customizable reply-to address sub-domain, making the reply-to address look similar to your actual domain.
  • Track out of office replies to find out if your users are including company directories and other information with their OOF messages.
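To make the reply-tracking idea concrete, here is an added example written for this newsletter; it is not KnowBe4's Phishing Reply Tracking implementation and shows only one way such a mailbox could be processed. A reply that comes back to the simulated reply-to sub-domain is tagged as a human reply or an auto-reply (using the RFC 3834 Auto-Submitted header, a couple of common vendor headers and the usual subject prefixes), and auto-replies are scanned for the phone numbers and mailbox addresses an out-of-office notice hands to whoever wrote in. The sub-domain, the header list, the function names and the two sample messages are all constructed for the example.

```python
"""Sort replies that land in a simulated-phishing reply-to mailbox.

Added example, not KnowBe4's Phishing Reply Tracking implementation. The
reply-to sub-domain, header list and sample messages are constructed.
"""
import email
import re
from email import policy

REPLY_DOMAIN = "replies.example.com"   # hypothetical look-alike reply-to sub-domain

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AUTO_SUBJECT_PREFIXES = ("automatic reply", "auto:", "autoreply", "out of office")


def is_auto_reply(msg):
    """True when the message marks itself as machine-generated (RFC 3834 first)."""
    auto = str(msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return True
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return True
    if str(msg.get("Precedence") or "").strip().lower() in ("auto_reply", "bulk", "junk"):
        return True
    return str(msg.get("Subject") or "").strip().lower().startswith(AUTO_SUBJECT_PREFIXES)


def leaked_contacts(body):
    """Phone numbers and mailbox addresses a reply hands to whoever wrote in."""
    return {"phones": PHONE_RE.findall(body), "emails": EMAIL_RE.findall(body)}


def classify_reply(raw):
    """Parse one raw RFC 5322 message and return a tracking record."""
    msg = email.message_from_string(raw, policy=policy.default)
    to_addr = str(msg.get("To") or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    kind = "auto_reply" if is_auto_reply(msg) else "human_reply"
    record = {
        "from": str(msg.get("From") or ""),
        "to_campaign": REPLY_DOMAIN in to_addr,   # did it come back to the simulation mailbox?
        "kind": kind,
        "body": text.strip(),
    }
    if kind == "auto_reply":
        record["leaks"] = leaked_contacts(text)
    return record


def summarize(raw_messages):
    """Counts a tracking console would show for one campaign."""
    records = [classify_reply(r) for r in raw_messages]
    return {
        "human_replies": sum(r["kind"] == "human_reply" for r in records),
        "auto_replies": sum(r["kind"] == "auto_reply" for r in records),
        "leaky_auto_replies": sum(1 for r in records if r["kind"] == "auto_reply"
                                  and (r["leaks"]["phones"] or r["leaks"]["emails"])),
    }


# Constructed sample replies (not real traffic).
SAMPLE_HUMAN_REPLY = """\
From: Dana Lee <dana.lee@example.com>
To: careers@hr.replies.example.com
Subject: Re: Job application - next steps
Content-Type: text/plain; charset="us-ascii"

Hi, yes I can send the candidate file over. Which format do you need?
"""

SAMPLE_OOF_REPLY = """\
From: Sam Ortiz <sam.ortiz@example.com>
To: careers@hr.replies.example.com
Subject: Automatic reply: Job application - next steps
Auto-Submitted: auto-replied
Content-Type: text/plain; charset="us-ascii"

I am out of the office until 2 January with limited access to email.
For urgent matters contact helpdesk@example.com or call +1 415 555 0100.
"""


if __name__ == "__main__":
    for raw in (SAMPLE_HUMAN_REPLY, SAMPLE_OOF_REPLY):
        print(classify_reply(raw))
    print(summarize([SAMPLE_HUMAN_REPLY, SAMPLE_OOF_REPLY]))
```

The human reply is the training signal (a user wrote back to "the bad guys"), while the auto-reply count shows how many mailboxes answer any stranger automatically; the leak check is what turns the out-of-office option above into something you can act on, since a notice that names a colleague's mailbox and phone number is exactly what a CEO-fraud or W-2 scammer would use next.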

Request a demo and see it in action!
https://info.knowbe4.com/kmsat-request-a-demo-chn


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
