CyberheistNews Vol 7 #7 [ALERT] DynA-Crypt Ransomware Steals and Deletes Your Data


Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people who are not very experienced, but have a lot of destruction in mind.

Larry said: "DynA-Crypt, discovered by GData malware analyst Karsten Hahn, not only encrypts your data, but also tries to steal a ton of information from a victim's computer.

"Ransomware and information stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of steaming **** that just makes a mess of a victim's programs and data.

"The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere."

A DynA-Crypt Infection Means a Full-Blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others.

When stealing this data, it copies it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send, it zips it all up into a file called %LocalAppData%\ and emails it to the developer.

The Ransomware Portion of DynA-Crypt Can Be Decrypted

The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim's data. This script will scan a computer for files that match the following extensions and encrypt them.

When it encrypts a file it will append the .crypt extension to the encrypted file's name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer's Shadow Volume Copies so that you are unable to use them to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay 50.00 USD in bitcoins to an enclosed bitcoin address.
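
The two host-side indicators described above, the trailing .crypt extension on encrypted files and the %LocalAppData%\dyna\loot\ staging folder, can be swept for with a short script. The following is an added example written for this newsletter; it is not code from Bleepingcomputer, GData or KnowBe4. The mass-rename threshold of five files and the sample directory layout it builds are assumptions, constructed only so the check can be run offline.

```python
# Added example (not part of the newsletter or of any vendor tool): a small
# host-side sweep for the DynA-Crypt indicators described in the text, namely
# files renamed with a trailing ".crypt" extension and the loot staging folder
# %LocalAppData%\dyna\loot\. The threshold and sample tree are assumptions.
import os
import tempfile
from pathlib import Path

CRYPT_SUFFIX = ".crypt"                 # extension DynA-Crypt appends to encrypted files
LOOT_SUBPATH = Path("dyna") / "loot"    # staging folder under %LocalAppData% (dyna\loot)
MASS_RENAME_THRESHOLD = 5               # assumed: this many .crypt files in one tree is alarming


def find_crypt_files(root):
    """Return the sorted paths of every file under root whose name ends in .crypt."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CRYPT_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def loot_folder_present(local_appdata):
    """True when the dyna/loot staging folder exists under the given LocalAppData."""
    return (Path(local_appdata) / LOOT_SUBPATH).is_dir()


def assess_host(user_root, local_appdata):
    """Combine both indicators into a verdict; either one alone marks the host suspicious."""
    crypt_files = find_crypt_files(user_root)
    loot = loot_folder_present(local_appdata)
    return {
        "crypt_file_count": len(crypt_files),
        "loot_folder": loot,
        "suspicious": loot or len(crypt_files) >= MASS_RENAME_THRESHOLD,
    }


def build_sample_tree():
    """Create a constructed, throwaway layout that mimics an infected profile:
    six encrypted documents, one untouched file and the loot folder.
    Returns (user_root, local_appdata) as strings."""
    base = Path(tempfile.mkdtemp(prefix="dyna_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    for i in range(6):
        (docs / f"report{i}.docx{CRYPT_SUFFIX}").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    local_appdata = base / "AppData" / "Local"
    (local_appdata / LOOT_SUBPATH).mkdir(parents=True)
    return str(base), str(local_appdata)


if __name__ == "__main__":
    root, lad = build_sample_tree()
    print(assess_host(root, lad))
```

On a real workstation you would point `assess_host` at the user's profile directory and at the actual %LocalAppData% path instead of the constructed tree; the loot folder is the stronger signal, because legitimate software does not write there, while a handful of .crypt files could in principle be unrelated.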

Get Your Decryptor at Bleepingcomputer

The good news is that this thing can be easily decrypted, so do not for any reason pay the ransom if you are infected with this program. If you need help with this ransomware, just leave a comment and a decryptor will be provided.

CRYSIS Ransomware Is Back and Uses RDP Brute Force to Attack U.S. Healthcare Orgs

And in other ransomware news, remember the CRYSIS ransomware? The attacks started up again, mostly targeting US healthcare orgs, using brute force attacks via Remote Desktop Protocol (RDP).

The number of attacks has more than doubled in volume in January 2017 over that same timeframe in 2016. This most recent wave included a wide variety of sectors worldwide, but the U.S. healthcare sector was hit the hardest.

Security researchers at Trend Micro observed that the same cyber mafia that perpetrated the 2016 CRYSIS attacks is behind this recent wave of ransomware attacks, evidenced by the very same file names and malware placement as were used earlier.

The problem: user accounts with weak credentials and open RDP ports. More:

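
Brute-force logons over RDP leave a very visible trail in the Windows Security log: a burst of event 4625 (failed logon) entries with logon type 10 (RemoteInteractive) from one source address, often cycling through account names. The following detection is an added example written for this newsletter, not Trend Micro's or KnowBe4's code. The one-line-per-event log format, the source addresses, the five-failures-in-two-minutes threshold and the account names are all constructed assumptions.

```python
# Added example, not from the newsletter or Trend Micro: flag RDP brute-force
# attempts by counting failed logons (Windows Security event 4625 with logon
# type 10, i.e. RDP) per source address inside a sliding time window.
# The log format, threshold and window below are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumed: failed RDP logons per source before alerting
WINDOW = timedelta(minutes=2)  # assumed: sliding window the failures must fall in
RDP_LOGON_TYPE = 10            # RemoteInteractive, i.e. RDP / Terminal Services
EVENT_LOGON_FAILED = 4625      # Windows Security "An account failed to log on"

# Constructed sample log, one event per line (simplified from the real event
# XML): timestamp, event id, logon type, target account, source address.
SAMPLE_LOG = """\
2017-01-10T03:00:01 4625 10 administrator 203.0.113.7
2017-01-10T03:00:09 4625 10 admin 203.0.113.7
2017-01-10T03:00:17 4625 10 backup 203.0.113.7
2017-01-10T03:00:25 4625 3 svc_sql 203.0.113.9
2017-01-10T03:00:26 4625 10 scanner 203.0.113.7
2017-01-10T03:00:34 4625 10 nurse1 203.0.113.7
2017-01-10T03:00:42 4625 10 nurse2 203.0.113.7
2017-01-10T03:01:00 4624 10 nurse2 203.0.113.7
2017-01-10T03:05:00 4625 10 jdoe 198.51.100.4
2017-01-10T03:20:00 4625 10 jdoe 198.51.100.4
"""


def parse_event(line):
    """Split one sample line into a dict with typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source address whose RDP logon failures reach
    `threshold` inside `window`. Each alert is (src, time, failures, accounts)."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, account)
    alerts = []
    already_alerted = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        # only failed logons of the RDP type count; type 3 (network) is ignored here
        if ev["event_id"] != EVENT_LOGON_FAILED or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["account"]))
        # drop failures that have aged out of the window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in already_alerted:
            already_alerted.add(ev["src"])
            accounts = sorted({acct for _, acct in q})
            alerts.append((ev["src"], ev["ts"], len(q), accounts))
    return alerts


if __name__ == "__main__":
    for src, when, n, accounts in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {src}: {n} RDP failures, accounts tried: {accounts}")
```

In the sample, 203.0.113.7 trips the rule on its fifth failure while 198.51.100.4, with two failures fifteen minutes apart, does not. The list of distinct accounts in the alert is what separates a user who mistyped a password from a spray across many names; the success event (4624) that follows the burst from the same address is exactly the sequence a responder would want to go back and review.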
Scam of the Week: Valentine’s Day Phishing Attacks

It is time to remind your users that heartless con artists use social engineering tactics to trick people looking for love.

The FBI's Internet Crime Complaint Center warns every year that scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their "undying love."

These callous criminals -- who also troll social media sites and chat rooms in search of romantic victims -- usually claim to be Americans traveling or working abroad. In reality, they often live overseas and it's a whole industry with planned criminal campaigns focused on days like this.

Pick up a ready-to-send blurb to send to your employees at our blog, and see the new templates you can use for a campaign (which you should send today):

Live Webinar: Ransomware Hostage Rescue Guide, Part 2

2016 was a “Ransomware Horror Show”. If you've been in the IT trenches over the past year, you've probably noticed that announcements of new ransomware strains are accelerating and there is no end in sight for 2017.

In this webinar, we will cover the final 3 sections of the very popular KnowBe4 Ransomware Hostage Rescue Manual in depth.

Join Erich Kron CISSP, Technical Evangelist at KnowBe4 for a live webinar “Ransomware Hostage Rescue Guide, Part 2”, Thursday, February 16, 2017, at 2:00 PM EST. We will look at recent infections, give actionable info that you need to prevent infections, and cover what to do when you are hit with ransomware.

Erich will cover these topics:
  • Recent High-Profile Attacks
  • Should I Negotiate or Pay the Ransom?
  • I’m Infected, Now What?
  • Proven Methods of Protecting Your Organization
  • Ransomware Prevention and Attack Response Checklists

Kevin Mitnick does Reddit AMA Feb 17th

By the way, our chief hacking officer Kevin Mitnick will be doing an AMA on Reddit Friday, February 17th at 3pm EST. Check username KevinMitnickOfficial at that time and get your questions answered!

[Heads-Up] First-Ever Russian Malicious Mac Macro Discovered

Appleinsider reported Feb 9, 2017: "Mac malware discovered in Microsoft Word document with auto-running macro", which was the second example of malware targeting macOS users this week.

Security researchers have detected the first in-the-wild instance of hackers who are making use of malicious macros in Word documents to install malware on Mac computers – an old Windows technique. The hack uses the same social engineering tactic, tricking victims into opening infected Word documents that subsequently run malicious macros. More at the KnowBe4 Blog:

At RSA in San Francisco This Week? Here's Your Exhibit Hall Pass

Drop by KnowBe4’s Booth 3127, North Hall at the Kevin Mitnick New Book Signing! Meet the ‘World’s Most Famous Hacker’, get a signed copy of his new book: Tuesday, February 14, 3-6pm at KnowBe4’s Booth. I'll be there too.

Get your light-up "Axe To Grind With Ransomware!" swag, and see a demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. Be entered to win a 500-dollar cash prize.

Don’t have a pass yet? We’ve got you covered. Use code XE7KNWBE4 to register for your complimentary Exhibit Hall Only Pass. We'll see you at Booth 3127:

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"Efforts and courage are not enough without purpose and direction." - John F. Kennedy

"If you don't change direction, you may end up where you are heading." - Lao Tzu

Thanks for reading CyberheistNews
Security News
New Version of RanSim Shows If Your Antivirus "Cheats"

Bad guys are constantly coming out with new malware versions to evade detection. Are your defenses effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 ransomware infection scenarios and show you if a workstation is vulnerable to infection.

NEW False Positive Scenarios

These "FP" scenarios do not emulate ransomware and should not be blocked by your antivirus. If either of these two new scenarios is blocked, RanSim will report it as “incorrectly blocked” in your results and you know your AV is "cheating". Here's how RanSim works:
  • 100% harmless simulation of real ransomware infection scenarios
  • Does not use any of your own files
  • Tests 10 different types of infection scenarios
  • Just download, install and run it
  • Results in a few minutes!
This is complimentary and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

Here is the Zendesk article with technical background and FAQ:

FUN Dept: Programmer Develops Phone Bot to Target Windows Support Scammers

The man who developed a bot that frustrates and annoys robocallers is planning to take on the infamous Windows support scam callers head-on. Roger Anderson last year debuted his Jolly Roger bot, a system that intercepts robocalls and puts the caller into a never-ending loop of pre-recorded phrases designed to waste their time.

Anderson built the system as a way to protect his own landlines from annoying telemarketers and it worked so well that he later expanded it into a service for both consumers and businesses. Users can send telemarketing calls to the Jolly Roger bot and listen in while it chats inanely with the caller.

Now, Anderson is targeting the huge business that is the Windows fake support scam. More at Slashdot:

Ransomware Soars in 2016, While Malware Declines

A global cyberthreat report released Tuesday found that 2016 was a mixed bag: malware was down slightly, but ransomware attacks soared, up 167 times the number recorded in 2015.

In addition to that huge increase in ransomware, 2016 saw a new line of cybercrime from a large-scale DDoS attack through internet of things devices. The principal case occurred in October when the Mirai botnet attacked unprotected IoT devices, such as internet-ready cameras, resulting in a DDoS attack on Dyn servers.

The 2016 report, by cybersecurity company SonicWall, looked at data from daily network feeds sent from more than 1 million sensors in nearly 200 countries. During all of 2016, SonicWall found that unique samples of malware fell to 60 million samples, down from 64 million in 2015, a 6.25 percent decrease. Total malware attempts also fell to 7.87 billion from 8.19 billion, a 4 percent decrease. More:

'File-less Malware' Banking Attacks on the Upswing

The press was reporting breathlessly about malware attacks using malicious code just running in memory, without laying anything down on disk. Yes, it is a sophisticated attack, and yes it's on an uptrend. And no, it's nothing new.

What is buried down in the articles though is the fact these threats sneak in through phishing. Gartner analyst Avivah Litan suggests that IT "controls the endpoints" and has a few technical controls she recommends. What we can add here is step employees through new-school security awareness training so that they spot the red flags and do not fall for the phishing attack to start with. Here are the articles:

Social Media Phishing Attacks Soar 500%

Humans are the biggest risk to enterprise security, report finds.

Social media phishing attacks went up by a massive 500% in Q4, driven by a huge increase in fraudulent accounts including many posing as customer support for big name brands, per Proofpoint. They revealed their findings in the Q4 2016 Threat Summary and Year in Review report.

The security vendor claimed fraudulent accounts across sites like Twitter and Facebook increased 100% from the third to fourth quarter.

These accounts are used for phishing, malware distribution, spam and other criminal purposes. In fact, Proofpoint observed a 20% increase in Facebook and Twitter spam from Q3 to Q4, with the quarter recording the second highest spam volume in the year.

Yet it was a new variety of phishing that raised eyebrows; “angler phishing” is a relatively fresh tactic in which the black hats register fake Twitter accounts that masquerade as customer support accounts and use social engineering to trick users into clicking on links and opening attachments:

Here is a link to the full report:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
