CyberheistNews Vol 7 #32 [ALERT] A Big Locky Ransomware Phishing Attack Infects With the New Diablo6 Strain

Security researcher Racco42 discovered a new phishing campaign pushing a new Locky strain that appends the .diablo6 extension to the files it encrypts.

Larry at Bleepingcomputer wrote: "Locky is back and currently being heavily distributed worldwide. While Locky was at one point considered the largest distributed ransomware, over time it became much more common to see other ransomware such as Cerber, Spora, and now even GlobeImposter.

While it is too soon to tell if this is just another brief surge or an attempt to become a large player again, what we do know is that this particular campaign is strong with a wide distribution."

This phishing campaign arrives in your end users' inboxes with subject lines like E 2017-08-09 (698).docx. The message body simply states "Files attached. Thanks". Files encrypted by the Locky Diablo6 strain cannot be decrypted. More technical details and screenshots at the KnowBe4 Blog:
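The lure described above exposes three cheap, defender-side indicators: a subject line that is nothing but a file name with a date and a parenthesised number, a near-empty body, and an Office attachment. The Python below is an added example, not code from KnowBe4 or from the original campaign write-up; it scores constructed sample messages against those indicators so that a mail-gateway hook or SOC script can route matches to analyst review. The regular expression generalises from the single sample subject quoted on the page, and the Message structure, the indicator names and the two-of-three threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Subject pattern generalised from the one sample on the page
# ("E 2017-08-09 (698).docx"): a single letter, an ISO date,
# a parenthesised number and a .docx suffix. This regex is an assumption.
SUBJECT_RE = re.compile(r"^[A-Z] \d{4}-\d{2}-\d{2} \(\d+\)\.docx$", re.IGNORECASE)

# Body text quoted on the page, compared after whitespace/case normalisation.
BODY_TEXT = "files attached. thanks"

# Attachment types worth flagging alongside the other indicators (assumption).
ATTACHMENT_EXTS = (".docx", ".doc", ".docm")


@dataclass
class Message:
    """Minimal mail representation for the example (hypothetical structure)."""
    msg_id: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def lure_indicators(msg):
    """Return the list of indicator names the message matches ([] means clean)."""
    hits = []
    if SUBJECT_RE.match(msg.subject.strip()):
        hits.append("subject-looks-like-filename")
    # Collapse newlines/extra spaces and drop a trailing period before comparing.
    body = " ".join(msg.body.lower().split()).rstrip(".")
    if body == BODY_TEXT.rstrip("."):
        hits.append("terse-body")
    if any(a.lower().endswith(ATTACHMENT_EXTS) for a in msg.attachments):
        hits.append("office-attachment")
    return hits


def is_suspected_lure(msg, min_hits=2):
    """Two or more indicators together are treated as a probable lure (assumption)."""
    return len(lure_indicators(msg)) >= min_hits


def triage(messages):
    """Return the ids of messages that should be held for analyst review."""
    return [m.msg_id for m in messages if is_suspected_lure(m)]


# Constructed sample messages, not captured mail.
SAMPLE_MESSAGES = [
    Message("m1", "E 2017-08-09 (698).docx", "Files attached. Thanks",
            ["E 2017-08-09 (698).docx"]),
    Message("m2", "Q3 budget review",
            "Hi all, slides for Thursday attached. Regards, Dana",
            ["q3-budget.pptx"]),
    Message("m3", "P 2017-08-10 (12).docx", "Files attached.\nThanks",
            ["scan.docx"]),
    Message("m4", "Invoice", "Files attached. Thanks", []),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.msg_id, lure_indicators(m))
    print("hold for analyst review:", triage(SAMPLE_MESSAGES))
```

Message m4 shows why the threshold matters: a terse body on its own is common in legitimate mail, so a single indicator only becomes interesting when it coincides with the file-name subject or an Office attachment.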

Report: "Ransomware Attack Downtime, Not Ransom Demand, is the Business Killer"

I have been saying this here for the last few years, and I am encouraged to see it now confirmed by a new survey from our friends at Malwarebytes.

They released their “Second Annual State of Ransomware Report”, a study that surveyed 1,054 companies with fewer than 1,000 employees across North America, France, the U.K., Germany, Australia, and Singapore.

The report, conducted by Osterman Research, explores ransomware attack frequency, impacts of attacks in SMB environments, costs of attacks, attitudes towards ransom payments, preparedness and more.

22% of impacted businesses had to cease operations immediately

Survey results found that more than one-third of businesses have experienced a ransomware attack in the last year. Twenty-two percent of these impacted businesses had to cease operations immediately.

“Businesses of all sizes are increasingly at risk for ransomware attacks,” said Marcin Kleczynski, CEO, Malwarebytes. “However, the stakes of a single attack for a small business are far different from the stakes of a single attack for a large enterprise. Osterman’s findings demonstrate that SMBs are suffering in the wake of attacks, to the point where they must cease business operations.

To make matters worse, most of them lack the confidence in their ability to stop an attack, despite significant investments in defensive technologies. To be effective, the security community must thoroughly understand the battles that these companies are facing, so we can better protect them.”

“Second Annual State of Ransomware Report” top findings include:
    • The impact of ransomware on SMBs can be devastating. For roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours. Further, among SMBs that experienced a ransomware attack, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue.
    • Most organizations make addressing ransomware a high priority, but still lack confidence in their ability to deal with it. Seventy-five percent of organizations surveyed place a high or very high priority on addressing the ransomware problem. Despite these investments, nearly one-half of the organizations surveyed expressed little to only moderate confidence in their ability to stop a ransomware attack.
    • For many, the source of ransomware is unknown and infections spread quickly. For 27 percent of organizations that suffered a ransomware infection, decision makers could not identify how the endpoint(s) became infected. Further, more than one-third of ransomware infections spread to other devices. For two percent of organizations surveyed, the ransomware infection impacted every device on the network.
    • SMBs in the U.S. are being hit harder than SMBs in Europe by malicious emails containing ransomware. The most common source of ransomware infections in U.S.-based organizations was related to email use. Thirty-seven percent of attacks on SMBs in the U.S. were reported as coming from a malicious email attachment and 27 percent were from a malicious link in an email. However, in Europe, only 22 percent of attacks were reported as coming from a malicious email attachment. An equal number were reported as coming from a malicious link in an email.
    • Most SMBs do not believe in paying ransomware demands. Seventy-two percent of respondents believe that ransomware demands should never be paid. Most of the remaining organizations believe that demands should only be paid if the encrypted data is of value to the organization. Among organizations that chose not to pay cybercriminals’ ransom demands, about one-third lost files as a result.
    • The financial services industry is most concerned about ransomware. Transportation entities are least concerned. Fifty-four percent of firms in the financial services industry are concerned or extremely concerned about ransomware. Meanwhile, only 26 percent of transportation entities are this concerned about ransomware.
    • Current investments in technology might not be enough. Over one-third of SMBs claim to have been running anti-ransomware technologies, while about one-third of businesses surveyed still experienced a ransomware attack.

“It’s clear from these findings that there is widespread awareness of the threat of ransomware among businesses, but many are not yet confident in their ability to deal with it,” said Adam Kujawa, Director of Malware Intelligence, Malwarebytes. “Companies of all sizes need to remain vigilant and continue to place a higher priority on protecting themselves against ransomware.”

To view the full global “Second Annual State of Ransomware” report for more detailed findings and analysis, visit:

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP to prevent ransomware infections because your filters never catch all of it. Get a quote now and you will be pleasantly surprised:

Cyber-Attacks Soar by a Quarter as Phishing Dominates

Cyber-attacks were up by a quarter in Q2 2017, with a surprising twist: global manufacturing is now the top target. The report from NTT Security also shows that phishing is still the most popular threat vector; two-thirds (67%) of attacks arrived as phishing.

NTT is a very large global managed security provider, and its "Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report" shows a 24% increase in attacks on its worldwide customer base from April to June, with a third (34%) of all attacks targeting manufacturers.

This data is corroborated by Verizon, whose recent Data Breach Investigations Report 2017 found that phishing attacks were way up from the previous reporting period. The tactic of embedding malicious VBA macros into documents sent via phishing emails was particularly popular.

Here are a few NTT highlights:
  • In terms of attack types, 'reconnaissance' (33%) dominated the manufacturing threat landscape in the period, followed by brute-force attacks (22%) and regular malware (9%).
  • Public-facing Microsoft SQL (MSSQL) servers were popular targets for brute-forcing.
  • Over a third (37%) of manufacturers claimed they don’t have an incident response plan in place. OUCH

“The motivations for these attacks are often criminal in nature, including extortion via ransomware, industrial espionage, and theft of data such as account numbers,” said Jon Heimerl, manager of NTT Security’s Threat Intelligence Communication Team.

“What poses an even greater problem is that when these breaches are successful, yet go undetected, they allow hackers to establish footholds in organizations’ networks where they have no restraints and wreak havoc over extended periods.”

“This is very concerning as manufacturers’ IT security liabilities often impacted not just the manufacturing organizations, but suppliers, as well as related industries and consumers,” said Heimerl. Blog Post with links:

Find out Which User's Passwords Are Weak for a Chance to Win!

Are your users’ passwords…P@ssw0rd? Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action. Plus, you’ll be entered to win a Nintendo Switch!

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

This will take you 5 minutes and may give you some insights you never expected.

OK, Who -Is- This Stu Guy Anyway? [VIDEO]

I had a freelance video PR crew follow me one day at Black Hat, and here are two short clips that will give you an idea of who the heck I am.

One is the show, the other one is an interview question. If you do not know me, I hope I am making a good first impression! :-D

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"If you focus on the hurt, you will continue to suffer. If you focus on the lesson, you will continue to grow."
- Buddha

"The best revenge is no revenge. Just forget they exist." - Buddha

Thanks for reading CyberheistNews

Security News
APT28 Uses Spear Phishing and NSA EternalBlue Exploit to Attack Hotel Wi-Fi

Russian APT28 (aka the Fancy Bear hacking group) is harnessing EternalBlue, the NSA's Windows SMB exploit that made the WannaCry and Petya outbreaks so effective, and is using it to spread laterally in cyber attacks against hotels in Europe. Expect the same thing to happen in the U.S. (By the way, have you applied the MS17-010 patch yet?)

Researchers at FireEye posted that they uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July. Successful execution of the macro within the malicious document results in the installation of APT28’s signature GameFish malware.

As soon as GameFish is successfully installed, it takes advantage of EternalBlue to worm its way into the network and compromises the computers used to control both guest and internal Wi-Fi networks. Once in control of these machines, the malware deploys the open source Responder tool, allowing it to steal credentials sent over the wireless network.

"This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version," Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet. FireEye warns that publicly accessible Wi-Fi networks present a significant threat and "should be avoided when possible".

With the public release of the EternalBlue exploit, it's not surprising that hacking groups are looking to harness that and other Vault7 leaks for their own gain. It's an epic fail that the American intelligence community lost control of this toolkit and let the genie out of the box.

For C-level execs that need to do a lot of travel, I recommend an iPad Pro, with its own cell-phone number, and use VPN to connect to any remote servers. I would tell them to avoid Wi-Fi on the road altogether. Also, never run any software updates while traveling. I have successfully used this setup for a few years now.

Phish Your Users With Office Document Attachments That Have Macros

It's a must these days to send all employees simulated phishing attacks with Office attachments that have macros and see if they open the document and click on "Enable Editing". If they do, that is a social engineering failure, and they need remedial training immediately. Also, give them access to the KnowBe4 complimentary Phish Alert Button so that they can forward phishy emails to your Incident Response team.

Complimentary Phish Alert Button

When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4's complimentary Phish Alert Button to your employees' desktops. Once installed, the Phish Alert Button allows your users to sound the alarm as a last line of defense when suspicious and potentially dangerous phishing emails slip past all the other layers of protection your organization relies on to keep the bad guys at bay.

Get Your Phish Alert Button Here:

Destructive, Disk-Encrypting Mamba Ransomware Springs Back to Life

The Mamba family of ransomware has suddenly returned -- and it's encrypting the entire hard drives of targeted organisations again.

A powerful form of ransomware, which encrypts whole hard drives instead of just files, has suddenly returned -- and there's no way for victims to decrypt the data.

Similar tactics have been used in other ransomware attacks, most notably Petya, which experts said was designed to outright destroy data rather than generate ransom money.

The return of Mamba ransomware has been flagged by Kaspersky Lab. Its return comes after researchers recently suggested that ransomware designed for destruction, rather than extorting a Bitcoin ransom for profit, is set to become the new normal.

While Mamba isn't a particularly common form of ransomware, it claimed a high-profile victim in the form of the San Francisco Municipal Transportation Agency in November last year. The attack forced the SFMTA operators to temporarily open the gates of ticket barriers and allow passengers to travel on the trains for no charge in order to minimise disruption.

The effectiveness of the ransomware stems partially from its use of a legitimate open source software tool, DiskCryptor, to fully lock down the hard drive of targeted organisations. Mamba first appeared in September 2016 and mainly targets corporates and other large organisations.

Unlike other forms of ransomware which usually have a set ransom, the attackers behind Mamba alter their demand depending on the number of systems infected.

"For every victim this group is demanding different amounts of bitcoins. This depends on how many endpoints and server were affected," Anton Ivanov, Senior Malware Analyst at Kaspersky Lab told ZDNet:

Social Engineering: The Basics

Excellent article if you are submitting a budget request for awareness training and need a "Social Engineering 101" for the people holding the purse strings. The article forgets to mention KnowBe4, but never mind. :-)

"That firewall won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Here's what you need to know to protect your organization and your users.

Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Even if you've got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building's physical security, and you've invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Here are answers to some frequently asked questions about social engineering, including the common tactics social engineers use and tips for ensuring your staff is on guard." Here goes:

In Illinois, Cybersecurity Training for State Employees Now Required by Law

On Aug. 7, Gov. Bruce Rauner signed legislation, which he called a welcome display of "bipartisanship," aimed at educating end users and strengthening the state's first line of defense against cyberattacks.

The state of Illinois, which has taken pioneering strides with various blockchain projects in testing new Internet technology, is taking additional steps to improve cybersecurity at its first line of defense: with end users.

On Monday, Aug. 7, Gov. Bruce Rauner signed House Bill 2371, an amendment to the state’s Data Security on State Computers Act requiring annual cybersecurity training from the Department of Innovation and Technology (DoIT) for state employees.

The amendment allows DoIT to adopt rules to implement the training and to make the training an online course. It also requires that the education cover how to detect phishing scams; prevent spyware infections and identity theft; and how to prevent and respond to data breaches. It takes effect on Jan. 1, 2018. More:

OCR Tells Organizations to Step up Phishing Scam Awareness

And proof that this is needed comes from the OCR, which is telling organizations to step up phishing scam awareness because employees are still falling for email schemes, leading to more breaches.

"Employees are still falling for phishing scams that are leading to major breaches, including those related to ransomware attacks such as WannaCry, say federal regulators who are urging healthcare entities to step up their workforce training and awareness of email schemes.

In its latest monthly cybersecurity email newsletter, the Department of Health and Human Services notes that a 2017 study by consulting firm KPMG found a 10 percent increase over the past two years in the number of healthcare providers and health plans that have had instances of security-related HIPAA violations or cyberattacks impacting protected health information."

Phishing, however, is a favorite vehicle of hackers launching attacks that are increasingly resulting in breaches of PHI, OCR says.

"This increase in HIPAA violations includes breaches due to ransomware events, such as WannaCry, and other cyberattacks which could have been prevented by an informed workforce trained to detect and properly respond to them," OCR adds. "Training on data security for workforce members is not only essential for protecting an organization against cyberattacks, it is also required by the HIPAA Security Rule." More:

Interesting News Items This Week

IRS Warns of Fake Tax Software Update Scheme:

Malicious code written into DNA infects the computer that reads it:

Botched Firmware Update Bricks Hundreds of Smart Door Locks:

FireEye's Post Mortem: Analyst Didn't Change Passwords:

‘Stunning’ growth in records exposed in data breaches:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.