CyberheistNews Vol 7 #10 [ALERT] New Massive Wave of CryptoLocker Ransomware Infections

[ALERT] New Massive Wave of CryptoLocker Ransomware Infections

We all thought that evil genius Evgeniy Bogachev had retired at the Black Sea with his tens of millions of ill-gotten gains after he became the FBI's #1 Most Wanted cybercriminal. Well, perhaps he ran out of money.

CryptoLocker is back big time. Researchers have spotted a sudden resurgence this year, specifically identifying clusters of attacks in Europe and the U.S.

For people new to the ransomware racket, Russian cybercrime gangs tend to test and debug their campaigns in Europe, and then attack America in full force. CryptoLocker is ransomware's still very potent granddaddy: it pioneered this highly successful criminal business model in September 2013, and hundreds of copycats followed.

In a blog post our friend Larry Abrams from BleepingComputer wrote that the strain -- also known as Torrentlocker and Teerac -- started its comeback toward the end of January 2017, after being quiet the second half of 2016.

Larry pointed to stats from the ID-Ransomware website which show CryptoLocker infections jumped from just a handful to nearly 100 per day, and then to more than 400 per day by February.

He also confirmed CryptoLocker's recent tsunami with Microsoft's Malware Protection Center, whose telemetry picked up on increased attacks against Europe, especially Italy. The phishing emails are designed to look secure and official because they are digitally signed, but it is all just social engineering to trick the recipient and get them to open attached .JS files that download and install CryptoLocker.

Check Point Software Technologies confirmed with SC Media that its researchers also observed a sudden rise in CryptoLocker attacks. The phishing emails attempt to trick recipients into opening a zipped HTML file. "The HTML contains a JS file, which pulls a second JS file from an Amazon server, which executes the first one in memory," said Lotem Finklesteen, threat intelligence researcher at Check Point.

"Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed. The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany," said Finklesteen.

Ransomware as a global threat

Microsoft's Malware Protection Center blog stated: "Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters."

Geographic distribution data at the KnowBe4 Blog, with links and charts:

Preventing Ransomware Infections

Which user will infect your network with ransomware? We've got something really cool for you: the new Phishing Security Test v2.0!

It has several great new features, and sending simulated phishing emails to train your employees is a fun and effective best practice to patch your last line of defense... your users.

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget. You can now find out the current Phish-prone percentage of your organization and who might infect your network with ransomware.

With Our Brand-New Phishing Test:
  • You can customize the phishing test based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • Already did a phishing test in the past? For a limited time you can reset it yourself and do a new one.

Start phishing your users now. Fill out the form, and get started immediately. There is no cost.

Go Phishing Now!

Let's stay safe out there.

Scam of the Week: Mystery Shopper Email

Steven Weisman, Esq. warned against this scam and wrote March 5th:

"Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails."

How this scam works is when a victim falls for the recruiting email, they are sent a bogus bank check that the bad guys ask them to deposit and then use for their "mystery" shopping. They spend some of the money on the goods that they buy, and are instructed to keep some of the balance of the check as payment for their services. However, the angle is that the victim gets instructions to return the remaining funds by a wire transfer. Obviously, the check is counterfeit, but the money that the victim transfers by wire is all too real. Here is an example of a recent mystery shopper Scam of the Week email:

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

"Mystery Shopper" scams continue to snare unwary victims. Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legit mystery shopper companies, but they never advertise or recruit through emails. Here is how this scam works:

You get a bank check they ask you to deposit immediately and then go shop, and they say you get to keep some of the money as well. But the scammers ask you to wire the remaining money back to them right away. And as you might have guessed, their check is bogus but the money you wire back is real, and it's yours.

Here is a general safety rule: Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account. Never accept a check for more than what is owed with instructions to send back the rest; that is a major red flag. Lastly, always be very wary whenever you are asked to wire funds, because this is a common theme in many scams.

Think Before You Click!

Why Awareness Needs to Teach Scam Detection and Reaction

Everyone makes mistakes, but do they know it or know what to do next?

Ira Winkler wrote in his column at CSO: "When I realized I did something 'stupid', the important question was, 'What do I do next?' I figured it out. Can your users?

First, does your awareness program provide specific examples of what to avoid, or does it provide blanket guidance for how to behave? In this case, while it wasn't the predefined scam, what I experienced had the same effect. Does your phishing training teach people how to recognize the simulated phishing messages, or phishing messages in general?

Does your social engineering program teach people to recognize specific scams, or all general scams? You need to be very sure you're teaching people the right things." More:

Don't Miss the March Live Demo: Simulated Phishing and Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 8, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
    • NEW Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
    • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Active Directory Integration allows you to easily upload, sync and manage users: set it and forget it.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 8,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"Life is without meaning. You bring the meaning to it. The meaning of life is whatever you ascribe it to be. Being alive is the meaning." - Joseph Campbell - Author (1904 - 1987)

"The sole meaning of life is to serve humanity." - Leo Tolstoy

Thanks for reading CyberheistNews

Security News
Legislation Update: States Cybersecurity Grant / Hacking Back / FCC / NIST

Newly introduced bipartisan bills in the House and Senate would create a dedicated cyber grant program for the states, by establishing funding first for resiliency planning and then for acquisition of technology, services and best practices implementation. Link:

The group cited studies showing that, in 2015, 50 percent of state and local governments had experienced six or more cyber breaches within the previous two years. They also noted that in the past year hackers had breached more than 200,000 personal voter records in the states of Arizona and Illinois.

In the wake of those election-system breaches, the Department of Homeland Security declared state voting infrastructure a critical infrastructure. Some states have called that designation a federal overreach and have said they have their own capabilities in place to detect or prevent intrusions. Link:

House Bill Would Empower Companies to Hack Back

The Active Cyber Defense Certainty Act, sponsored by Rep. Tom Graves, R-Ga., would allow companies under attack to break into their attackers’ networks either to stop an attack or to gather intelligence about the attackers’ identity to share with law enforcement.

The bill would not protect companies from prosecution if they destroy any data during those forays, cause injury to someone or otherwise endanger public health or safety, according to a discussion draft. “I believe people should have the legal authority to defend themselves during a cyberattack and the tools to assist the authorities with catching the bad guys, just as they do during a physical attack,” Graves said.

An October report from the Active Defense Task Force, organized by The George Washington University’s Center for Cyber and Homeland Security, urged the government to outline limited circumstances in which a hacked company could penetrate its hacker’s network.

Bills Would Require FCC to Adopt Stronger Data Security Stance

Democratic members of the U.S. House of Representatives House Energy and Commerce Committee have introduced three bills that would require the Federal Communications Commission (FCC) to take a strong position regarding cybersecurity. The bills would require that the FCC adopt rules protecting communications networks; establish an interagency panel to deal with cybersecurity investigations; and require Internet of Things (IoT) devices to adopt certified cybersecurity standards. More at The Hill:

House Committee Forwards Bill That Would Give NIST Auditing Authority

The U.S. House Science Committee has passed (19-14) a bill that would place the onus of auditing government agencies' cybersecurity on the shoulders of the National Institute of Standards and Technology (NIST). Those opposing the measure say that auditing is outside of NIST's expertise. The bill calls for NIST to conduct an initial assessment of all agencies' cybersecurity preparedness within six months.
SANS's John Pescatore said: "By design, NIST is not an operations-oriented agency and in the past has not done well when given cybersecurity operational responsibilities." More at NextGov:

VISA Warns of Flokibot Spear Phishing Infections

VISA warned all its merchants that multiple infosec firms reported on the emerging threat of a new malware variant identified as “Flokibot.”

VISA's summary: "Recently, two Flokibot campaigns compromised integrated point-of-sale (PoS) devices and other systems of multiple Brazilian merchants. Although we have no confirmation of other compromises, merchants in other countries—including Australia, Paraguay, Croatia, the Dominican Republic, Argentina, and the U.S.—were also reportedly targeted.

While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. VISA is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise (IOC) and suggested mitigation activities to protect the payments ecosystem."

“Spear Phishing” as Delivery Mechanism

Researchers identified that, in the initial phase, cybercriminals use spear phishing to deliver the Floki payload. They weaponize Microsoft Word documents with malicious macro code and send them to the targeted audience as email attachments. When the target (victim) opens the attachment with macros enabled on their machine, the malicious payload executes and retrieves the Floki Bot malware from the intruders' server.
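Both delivery chains described in this issue, the CryptoLocker zipped-HTML and .JS attachments above and the macro-laden Word documents here, can be caught at the mail gateway by static attachment triage before a user ever sees them. The following Python script is an added example written for this newsletter, not code from KnowBe4, Check Point or VISA; the extension lists, the one-level archive inspection, the size cut-off and the sample message it builds are all constructed assumptions.

```python
"""Triage of email attachments for the delivery patterns described above:
script attachments, zipped HTML that embeds script, and macro-capable Office
documents. Hypothetical detection helper written for this newsletter; the
sample message is constructed in build_sample_message()."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the text names as delivery vehicles, plus common macro-capable
# Office formats. Assumption: the lists are illustrative, not exhaustive.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".doc", ".xls"}
ARCHIVE_EXTS = {".zip"}
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
MAX_MEMBER_BYTES = 5_000_000  # assumption: larger archive members are not opened


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_blob(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Append (name, reason) to findings for each risky file. Archives are
    opened one level deep so zipped HTML/JS is seen; HTML bodies are checked
    for an embedded <script> tag."""
    ext = _ext(name)
    if ext in SCRIPT_EXTS:
        findings.append((name, "script attachment"))
    elif ext in MACRO_EXTS:
        findings.append((name, "macro-capable Office document"))
    elif ext in {".html", ".htm"} and SCRIPT_TAG.search(data):
        findings.append((name, "HTML with embedded script"))
    elif ext in ARCHIVE_EXTS and depth == 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member, "oversized archive member, not inspected"))
                        continue
                    inspect_blob(member, zf.read(info), findings, depth + 1)
        except zipfile.BadZipFile:
            findings.append((name, "corrupt or non-zip archive"))


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return [(attachment name, reason)]
    for every risky attachment found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        inspect_blob(name, part.get_payload(decode=True) or b"", findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a zip holding an HTML file with a script tag and a
    .js file, plus a macro-enabled Word document. Contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", "<html><body><script>/* placeholder */</script></body></html>")
        zf.writestr("invoice.js", "// placeholder, no real payload")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="order.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```

Run against the constructed message, the script flags all three artefacts (the HTML inside the zip, the .js inside the zip, and the .docm). A gateway rule built on this logic would quarantine the message rather than deliver it, which is the control both articles above imply: the user never gets the chance to double-click the attachment.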

VISA's full PDF with details at the KnowBe4 Blog:

Virtual Session: The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Could not make it to RSA? Here is a virtual session I warmly recommend.

Which are the most dangerous new attack techniques? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced briefing provides answers from the three people best positioned to know the answers: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the US and the top expert on cyberattacks on industrial control systems. See the 45-minute presentation here; it's excellent for a break:

We Found a Hidden Backdoor in Chinese Internet of Things Devices

Here is an item that I found interesting, initially because I'm of the belief that we do not have a good process for evaluating vulnerabilities in all that silicon we purchase from China and other non-US sources. However, this article is interesting because it shows that even the software has intentional backdoors configured to allow compromise.

The vulnerability was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in as a debugging aid, according to researchers at Trustwave.

"The issue permits a remote attacker to gain a shell with root privileges on the affected device." Yikes:

Yahoo CEO Loses Bonus Over Security Lapses

Here is some excellent ammo for InfoSec budget.

Yahoo CEO Marissa Mayer will lose her cash bonus after an independent investigation into security breaches at the search giant found that the company's senior executives and legal team failed to properly comprehend or investigate the severity of the attacks.

Yahoo's top lawyer, Ronald Bell, has resigned without severance pay. The results of the probe, including new details about the 2014 security breach that the company suffered - which compromised 500 million users' accounts - are contained in Yahoo's latest SEC annual filing, released March 1.

Executives Failed to Act

In late 2014, investigators found that "senior executives and relevant legal staff" knew that an attacker had exploited Yahoo's account management tool. "The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement," it says, but investigators "found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident."

Executives also failed to notify the company's audit and finance committee or the full board of directors about "the full severity, risks, and potential impacts" of the attack, investigators say. More:

Cisco 2017 Cybersecurity Report: 3,000 CSOs Reveal True Cost of Breaches

You should take note of several findings of a recent Cisco study of the impact of data breaches.
    • Customers don't care whether the data breach is caused by a cyber criminal or an insider. A breach is a breach.
    • It doesn't matter whether the data is walked out the door or sneaks past the firewall. A breach is a breach.
    • It doesn't matter whether a human clicks on a malicious link or opens an infected attachment. A breach is a breach.

Cisco's 2017 edition of its annual cybersecurity report, entitled "Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions That Organizations Are Taking," provides insights based on threat intelligence gathered by Cisco's security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.

Cisco noted that, according to its research, in 2016:

More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention.

For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers -- 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.

Criminals are leveraging "classic" attack mechanisms - such as adware and email spam - in an effort to easily exploit the gaps that such complexity can create. (Criminals often don't need to spend resources crafting and executing advanced attacks - simple attacks can do the job.)

Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email -- with eight to 10 percent of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets. (Spam is a serious problem that has not gone away - because it works!)

Just 56 percent of security alerts are investigated and less than half of legitimate alerts actually lead to problems being corrected. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion.

On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). Full report at:

What Is Your Risk of a Phishing Attack?

So, here are some hard numbers:
  1. 8-24% of users fall victim to phishing attacks, depending on the industry
  2. 136,000 dollars is the median impact of a single phishing attack, in the private sector
  3. 10% is the likelihood that a single phishing attack will cost more than 544,000 dollars

Suppose you are asked the following basic question: What is our risk from a phishing attack? Aberdeen Group's Monte Carlo analysis helps information security professionals to quantify the risk of a phishing attack, in the language of risk that business decision-makers know and understand.

The bottom line: As described in its research report on The Last Mile in IT Security: Changing User Behaviors (November 2014), Aberdeen’s analysis quantifies the positive impact of helping an organization’s users make their computing behaviors more secure, by making investments in user awareness and training.

Specifically, such investments were found to reduce security-related risks associated with user behaviors by about 60%. Stated another way, the median reduction in annual business impact from user-related security incidents corresponds to an annual return of about 100 times on the investments made in user awareness and training. Get the PDF here:

Cyberheist Subscribers Receive 15% Off InfoSec World 2017 Conference & Expo
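As an added illustration of the Monte Carlo approach the text attributes to Aberdeen, the Python script below is my own example, not Aberdeen's model. It calibrates a lognormal loss-per-attack distribution to the two figures given above (median 136,000 dollars; a 10% chance of exceeding 544,000 dollars), treats the 8-24% victim rate as a per-attack success probability (a modelling assumption), and then simulates annual loss with and without the roughly 60% risk reduction the text reports for awareness training. The number of attacks per year and the seeds are constructed inputs.

```python
"""Monte Carlo estimate of annual phishing loss. Added example, not
Aberdeen's model. Calibrated to the figures quoted above; the lognormal
shape and the per-attack reading of the victim rate are assumptions."""
import math
import random
from statistics import median

MEDIAN_IMPACT = 136_000.0  # dollars, median impact of one attack (from the text)
P90_IMPACT = 544_000.0     # 10% of attacks cost more than this (from the text)
Z_90 = 1.2815515655446004  # 90th percentile of the standard normal distribution


def lognormal_params(median_value: float, p90_value: float):
    """Return (mu, sigma) of the lognormal whose median and 90th percentile
    match the inputs: median = exp(mu), p90 = exp(mu + Z_90 * sigma)."""
    mu = math.log(median_value)
    sigma = (math.log(p90_value) - mu) / Z_90
    return mu, sigma


def fraction_exceeding(threshold: float, draws: int = 50_000, seed: int = 7) -> float:
    """Calibration check: share of single-attack losses above `threshold`
    (about 0.10 when threshold is the P90 figure)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(MEDIAN_IMPACT, P90_IMPACT)
    above = sum(1 for _ in range(draws) if rng.lognormvariate(mu, sigma) > threshold)
    return above / draws


def simulate_annual_loss(attacks_per_year: int, success_rate: float,
                         risk_reduction: float = 0.0,
                         trials: int = 20_000, seed: int = 1) -> dict:
    """Simulate `trials` years of `attacks_per_year` phishing attacks.
    Each attack claims a victim with probability success_rate * (1 - risk_reduction)
    (assumption: the 8-24% figure read as a per-attack probability); each
    successful attack costs one lognormal draw. Returns dollar statistics."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(MEDIAN_IMPACT, P90_IMPACT)
    p_success = success_rate * (1.0 - risk_reduction)
    yearly = []
    for _ in range(trials):
        total = 0.0
        for _ in range(attacks_per_year):
            if rng.random() < p_success:
                total += rng.lognormvariate(mu, sigma)
        yearly.append(total)
    yearly.sort()
    return {
        "expected_loss": sum(yearly) / trials,
        "median_loss": median(yearly),
        "p90_loss": yearly[int(0.9 * trials) - 1],
        "p_zero_loss": sum(1 for y in yearly if y == 0.0) / trials,
    }


if __name__ == "__main__":
    # Constructed scenario: 12 attacks a year, 15% per-attack success (mid-range
    # of the 8-24% figure), compared against a 60% reduction from training.
    base = simulate_annual_loss(attacks_per_year=12, success_rate=0.15)
    trained = simulate_annual_loss(attacks_per_year=12, success_rate=0.15, risk_reduction=0.6)
    for label, stats in (("untrained", base), ("trained", trained)):
        print(label, {k: (round(v, 3) if k == "p_zero_loss" else round(v)) for k, v in stats.items()})
```

The useful output for a budget conversation is the pair of expected-loss figures, whose gap is the annual loss avoided; dividing that by the cost of the training programme gives the return figure the text describes. The P90 line is the one to show a risk committee, since the heavy right tail of the lognormal is what makes a single bad year far worse than the median suggests.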

InfoSec World 2017 Conference & Expo
April 3-5, 2017
Omni Orlando Resort at ChampionsGate | ChampionsGate, FL

The infosec space is constantly changing, and today’s security practitioners have no choice but to become more entrepreneurial about finding solutions to problems, not just at a technical level, but at a management and leadership level.

InfoSec World 2017 Conference & Expo provides practitioners with the ideal forum for learning about the latest advances and most cutting-edge strategies for ensuring optimal security within their organizations, despite the progressive threat landscape.

Join your peers from around the globe for two and a half days of learning, peer sharing, networking and hands-on education.

Cyberheist members receive 15% off the main conference! Apply promo code OS17-CHEIST at checkout to receive your discount.

What Our Customers Say About Us

"Good Afternoon Stu,

"I just wanted to take the time and give you my feedback on the services that KnowBe4 provides. As the Chief Financial Officer as well as Chief Information Technology Officer, the value that we receive from Knowbe4 cannot be compared to any other service we receive and could not be easily replaced.

"We use over a dozen training modules in our platinum membership and with the help of our account representative, Harley, we have designed a quarterly training program which was implemented at our institution in the beginning of 2017.

"Even in that short time, we are seeing improvements and I am receiving more and more questions from my staff on how we can prevent cyberattacks.

"After Harley reached out to me and told me about the upgrade to Diamond membership and the value in it, I couldn’t sign up fast enough. Harley even scheduled a time to chat with me and navigate through the different aspects of the Diamond membership. She has been a great help in our fight against cybersecurity and her assistance in implementing our cyber strategy has been phenomenal.

"Thank you very much for all that you and your staff are doing to keep us and our customers safe from cyberattacks. I hope to see more and more training modules that are dedicated toward financial institutions and look forward to our continued relationship with KnowBe4."

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.