CyberheistNews Vol 7 #39 New Evil Locky Ransomware Strain Evades Machine Learning Security Software


Here is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with a new ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e.

This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.

Basically, Locky is back with a vengeance and a whole new bag of evil tricks.

The campaign, launched Sept. 18, features a sophisticated new wrinkle that lets it slip past much of the machine-learning-based security software sold by some of the industry’s most popular vendors, according to security firm Comodo.

“The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”

This is the third recent massive Locky attack

The third in an increasingly sophisticated series of ransomware attacks launched this summer is dubbed IKARUS by Comodo; some other security vendors are calling it Locky Diablo6.

As in previous attacks, the Eastern European Locky cyber mafia is using a botnet of zombie computers which makes it hard to simply block by IP.

“Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.

The most innovative hook of this new campaign is the way these criminal hackers manage to evade spam filters.

Here is how it evades machine learning

“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”

“That’s why even machine learning is not sufficient in making these kinds of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”

In other words, it looks like the bad guys are once again ahead of your spam filters, whether those are the traditional kind or the new machine-learning flavor.

Now, the Locky payload still ultimately uses an executable file written to disk, so your endpoint security may be able to block it. There are other types of attacks that take advantage of machine learning blind spots (fileless attacks, for example), but this isn't one of them. What the bad guys behind Locky count on is cranking out so many new variants that antivirus (even some machine learning ones) won't recognize and block it.
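As an added illustration of the detection gap Orhan describes (this is not code from Comodo or KnowBe4), here is a mail-gateway triage rule in Python that looks for the lure's structure rather than for malicious intent in the script: an archive attachment that wraps a script, arriving under a "scanned document" subject when a real scanner would emit a PDF or image. The sample message, file names and extension lists are constructed assumptions for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

SCAN_EXTS = {".pdf", ".jpg", ".jpeg", ".tif", ".tiff", ".png"}
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".cmd", ".bat", ".exe", ".scr"}

def ext_of(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""

def archive_members(data: bytes) -> list[str]:
    """Member names if the bytes are a zip archive, else an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(raw_email: bytes) -> list[str]:
    """Return reasons to quarantine the message (empty list means no finding)."""
    msg = message_from_bytes(raw_email)
    subject = (msg.get("Subject") or "").lower()
    scan_themed = "scan" in subject or "printer" in subject
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # not an attachment (multipart container or body text)
        data = part.get_payload(decode=True) or b""
        members = archive_members(data)
        # Rule 1: an archive that wraps a script is the lure's structure itself.
        for m in members:
            if ext_of(m) in SCRIPT_EXTS:
                findings.append(f"{fname} wraps script {m}")
        # Rule 2: a "scanned document" delivered as an archive with no PDF/image inside.
        if scan_themed and members and not any(ext_of(m) in SCAN_EXTS for m in members):
            findings.append(f"{fname}: scan-themed mail with no scan-format member")
    return findings

def build_sample() -> bytes:
    """Constructed, inert sample lure: scanner-style subject, zip wrapping a .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_20170918_C224e.vbs", "' placeholder text, not a real script")
    msg = EmailMessage()
    msg["Subject"] = "Message from KM_C224e (scanned document)"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scan_20170918.zip")
    return msg.as_bytes()
```

The rule flags the attachment without ever needing to run or understand the script, which is exactly the analysis step Orhan says static classifiers skip.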

How vulnerable is your network against a ransomware attack?

Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.

This will take you 5 minutes and may give you some insights you never expected! Get your complimentary download of RanSim here:

Ransomware Numbers Continue to Look Abysmal

DarkReading wrote: "Ransomware is one of the fastest-growing concerns among IT pros, according to several studies out this week.

Even after several years of escalation, ransomware continues its hockey-stick growth by just about every metric. This week, three new studies show how ransomware continues to escalate around the globe, proving to be one of the fastest-growing problems that cybersecurity practitioners face today.

"Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating 'ransomworms,' as observed in the WannaCry and Petya/NotPetya cases," write Europol experts in the agency's Internet Organized Crime Threat Assessment (IOCTA) 2017 report published this week.

"Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile."

Interestingly, many experts proclaimed the highly proliferated worms to be failures because WannaCry and Petya/NotPetya didn't reap financial benefits as effectively as other attacks. According to Europol, less than 1% of victims paid a ransom for WannaCry. But the ill effects remain disruptive and costly no matter which way these attacks are analyzed.

For example, though most industry estimates peg total ransoms paid to attackers in the past two years to be only about 25 million dollars, the FBI believes the total cost of ransomware broke the 1 billion dollar mark in 2016. More:

Ransomware Attackers Increasingly Target Backups

Some ransomware operations have learned to look for and infect connected backups. At the (ISC)2 congress panel discussion, Erich Kron, security awareness advocate at KnowBe4, described a ransomware incident at a Texas police department; the police declined to pay the ransom because the department's data was backed up.

"What they found out was, their backups were network accessible and had been encrypted too along with all of the other data," Kron said. "And they ended up having to pay to get it all back." Full article:

It's October and That Means It's National Cyber Security Awareness Month!

Many IT pros don’t exactly know where to start when it comes to creating a mature security awareness program that will work for their organization.

Here is some help, and there is no cost. We’ve taken away all the guesswork with our new Automated Security Awareness Program (ASAP).

ASAP is a revolutionary new tool for IT professionals, which allows you to create a customized security awareness program for your organization that will show you all the steps needed to create a fully mature training program in just a few minutes!

The program is complete with actionable tasks, helpful tips, courseware suggestions and a management calendar. Your custom program can then be fully managed from within the KnowBe4 console. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you get budget and reporting to management.

Don’t Miss the October Live Demo... What is the New Mystery Feature?

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

We have added a brand new feature that you want to see!

Join us on Wednesday, October 11, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform. See the latest features and how easy it is to train and phish your users:
  • NEW For the first time, see our new Smart Groups feature.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 13,000+ organizations have mobilized end-users as their last line of defense. Register Now:

What Our Customers Say About Us

Spiceworks is a vertical social network for IT pros. They have review pages for all kinds of products, and here is their page for KnowBe4, which at the moment contains 43 reviews, all unedited since the page was started.

You first see the breakout, with the best and worst, and then they have a nifty ratings trend you should click on and see how we did over time. Next you see the first three reviews and to see the rest, scroll down and click on: "View all reviews":

Spiceworks also made a 2-minute video of one of our customers, which you can see here, and use as ammo to add to your request for budget:

Next, recently at the vertical CBANC network for Financials, a manager asked: "We are looking into implementing a social engineering/phishing training program and are currently comparing KnowBe4 with another vendor. Would anybody have insight on the average amount of time they spend monthly on setting up trainings, emails and report review once a baseline is formulated?" Answers here:

You should get a demo and see for yourself why KnowBe4 is the world's most popular platform for new-school security awareness training. Request a Demo:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"Impossible is not a fact. It’s an opinion. Impossible is not a declaration. It’s a dare." - Muhammad Ali

"Nothing is impossible, the word itself says 'I'm possible'!" - Audrey Hepburn

Thanks for reading CyberheistNews

Security News

How to Make Your Employees Care About Cybersecurity: 10 Tips

People are the largest security vulnerability in any organization. Here's some expert advice on how to make cybersecurity training more effective and protect your business.

"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.

Instead, Simpson said organizations must do people patching: Similar to updating hardware or operating systems, you need to consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.

Alison DeNisco at TechRepublic listed them, with explanations for each one:
  1. Perform "live fire" training exercises
  2. Get buy in from the top
  3. Start cyber awareness during the onboarding process
  4. Conduct evaluations
  5. Communicate
  6. Create a formal plan
  7. Appoint cybersecurity culture advocates
  8. Offer continuous training
  9. Stress the importance of security at work and at home
  10. Reward employees
Here is the full article:

McAfee Labs: "Healthcare Sector Reports Greatest Number of Security Incidents"

Summary: General statistics on Q2 threats. The report identifies healthcare as the #1 targeted sector, one prone to accidental data exposure and "human error". The article has interesting per-industry Q2 statistics if you disregard Faceliker.

McAfee Labs saw healthcare surpass the public sector with the greatest number of security incidents in Q2, while the Faceliker Trojan helped drive the quarter’s 67% increase in new malware samples from the social media landscape.

Sectors under attack

McAfee Labs’ quarterly analysis of publicly disclosed security incidents found the public sector to be the most impacted North American sector over the last six quarters, but healthcare overtook it in Q2 with 26% of incidents.

While overall healthcare data breaches are most likely the result of accidental disclosures and human error, cyberattacks on the sector continue to increase. The trend began the first quarter of 2016 when numerous hospitals around the world sustained ransomware attacks. The attacks paralyzed several departments and, in some cases, the hospitals had to transfer patients and postpone surgeries.

“Whether physical or digital, data breaches in healthcare highlight the value of the sensitive personal information organizations in the sector possess,” Weafer continued. “They also reinforce the need for stronger corporate security policies that work to ensure the safe handling of that information.”

General threat activity

In the second quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:

Security incidents. McAfee Labs counted 311 publicly disclosed security incidents in Q2, an increase of 3% over Q1. 78% of all publicly disclosed security incidents in Q2 took place in the Americas.

Ransomware. New ransomware samples again increased sharply in Q2, by 54%. The number of total ransomware samples grew 47% in the past four quarters to 10.7 million samples.

Attack vectors. Account hijacking led disclosed attack vectors, followed by DDoS, leaks, targeted attacks, malware, and SQL injections.

Malware overall. New malware samples leaped up in Q2 to 52 million, a 67% increase. This Q2 rise in new malware is in part due to a significant increase in malware installers and the Faceliker Trojan. The latter accounted for as much as 8.9% of all new malware samples. The total number of malware samples grew 23% in the past four quarters to almost 723 million samples.

Mobile malware. Total mobile malware grew 61% in the past four quarters to 18.4 million samples. Global infections of mobile devices rose by 8% in Q2, with Asia again leading the regions with 18%.

Mac malware. With the decline of a glut of adware, macOS malware has returned to historical levels, growing by only 27,000 in Q2. Still small compared with Windows threats, the total number of macOS malware samples increased by just 4% in Q2.

Macro malware. New macro malware rose by 35% in Q2. 91,000 new samples raised the total overall sample count to 1.1 million.

Spam campaigns. The botnet Gamut again claims the top rank in volume during Q2, continuing its trend of spamming job-related junk and phony pharmaceuticals. The Necurs botnet was the most disruptive, pushing multiple pump-and-dump stock scams during the quarter. More at Helpnet Security:

Europol Warns Ransomware Has Taken Cybercrime ‘to Another Level’

Europol, the European Union’s police agency, has warned of the significantly rising threat posed by ransomware.

As Associated Press reports, delegates at an international conference were told by Europol Executive Director Rob Wainwright that ransomware had taken the cybercrime threat to “another level.”

An 80-page report published by the agency highlighted the growing threat posed by ransomware attacks:
    • “Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms’, as observed in the WannaCry and Petya/NotPetya cases. Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile.”

    • “Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.”
Blog post and links to report:

Interesting News Items This Week

Iranian cyber spies APT33 target aerospace and energy organizations with social engineering:

UK Councils: 27 Percent Confirm Ransomware Outbreaks:

Over half of workers can't recall having cybersecurity training:

Alert: Pornography Email Phishing Scam. Better Business Bureau quotes KnowBe4:

"The volume of phishing attacks targeting the financial industry nearly doubled in the second quarter of this year and is the largest quarterly volume:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.