Hard Lessons from a Ransomware Attack
A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.
Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Press that the ransomware attack that paralyzed the municipality’s servers taught the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.
The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.
How the Mekinac Cyberattack Unfolded
The Canadian Press reported that on September 10 of this year, municipal employees returning to work after the weekend found a ransomware notice on their work computers informing them that their files were locked. The notices also specified that, in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, had to be paid to the attackers.
The municipality’s servers were disabled for nearly two weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000 worth of Bitcoin as ransom to unlock the locked files.
“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said the municipality took this road because the alternative could have meant months of data re-entry, costing significantly more than $30,000.
Mekinac’s ransomware attackers remain unidentified, and their location has not been determined to date.
What is a Ransomware Attack?
Ransomware is malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft: plaintext, or any other form of data, is converted from a readable format into an encoded version that can only be read by someone who holds the decryption key.
In a ransomware attack, the attackers convert the victim’s data from a readable format into an encoded version and demand a ransom payment from the victim in exchange for the decryption key.
Ransomware infects computers or servers in many ways. Here are some of them:
1. Email-Based Attack
In the case of the Mekinac ransomware attack, the municipality’s servers were infected after an employee opened a malicious email sent by the attackers and clicked on a link in it. It wasn’t specified, however, which particular ransomware hit Mekinac’s servers.
The ransomware called “Locky” is an example of ransomware spread via email spam campaigns. It arrives on a victim’s computer as a Microsoft Office email attachment that evades antispam filters and tricks the user into opening it. Once the malicious attachment is opened, Locky encrypts the computer’s files and then demands that the victim pay a ransom to unlock them.
2. Drive-By Attack
A drive-by attack is another way attackers infect computers or servers. Bad Rabbit ransomware is an example of ransomware distributed via drive-by attacks.
In a drive-by attack, attackers insert malicious code, in this case ransomware, into an insecure website. Once a user visits the compromised site, the malware is either downloaded directly to the visitor’s computer, or the visitor is redirected to another website controlled by the attackers, from which the malware is downloaded to the victim’s computer.
3. Unpatched Servers
The ransomware called “SamSam” is an example of ransomware that infects servers that are left unpatched. An unpatched server is one that hasn’t been updated despite the availability of a security update.
Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”
Lessons from Ransomware Attacks
Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.”
In addition to encryption and email scanning, here are further best practices for protecting your organization’s servers from ransomware attacks:
Back Up Important Files
Backing up files to safe storage that isn’t connected to your organization’s servers gives your organization assurance that if anything happens to the servers, for instance a ransomware attack, it will still have copies of its important files. This removes the pressure to pay attackers a ransom for the decryption key that unlocks the locked files.
Keep All Software Up-To-Date
Make sure that all of your organization’s software, especially the server operating system, is up-to-date. Every security update or patch issued by software vendors contains fixes for security vulnerabilities that cybercriminals are quick to exploit.
Implement Domain Whitelisting
Whitelisting certain domains won’t prevent drive-by download attacks, but it will prevent secondary malicious websites from loading.
Limit the Number of Users with Administrator Privileges
A computer user with administrator privileges can install and uninstall software and change configuration settings. Restricting this privilege to a small number of personnel limits the exposure of your organization’s servers to drive-by attacks.
When your organization needs help, our experts are a phone call away. Contact us today to prevent ransomware attacks.
Difference Between Malware Outbreak and Ransomware Attack
Are a malware outbreak and a ransomware attack the same thing, or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers the phrase “malware outbreak” over the phrase “ransomware attack”. In a statement issued last October 1, Recipe Unlimited said that it had been experiencing a partial network outage as a result of a “malware outbreak” since September 28 of this year. The company didn’t go into detail about what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access at affected locations. These measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those that remained open could only accept cash.
CBC, on the other hand, obtained a screencap of the ransom note that appeared on a computer compromised in the Recipe Unlimited attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, a spokesperson for Recipe Unlimited denied that the company’s data was being held for ransom by attackers. "We maintain appropriate system and data security measures," the Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as ransomware: malware that encrypts or locks files on hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some victims paid exceptionally large ransoms to retrieve their files. Back in August of this year, Check Point researchers reported that the Ryuk attackers had earned over $640,000 from ransom payments in varying amounts (ranging from 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES”, the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
A malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures for preventing a malware outbreak or ransomware attack, as well as some security best practices for handling such an outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date, as cyberattackers are known to infiltrate networks using known software vulnerabilities for which vendors have already issued patches.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that if one subnetwork is infected by malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have worm capability, meaning the ransomware can spread itself across networks without user interaction.
One effective means of containing the outbreak is to quickly disconnect infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One side-effect of containment is that it will also affect the operation of non-infected systems on the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system remains a security risk, so a full eradication process is necessary in parallel with containment.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have leverage over your organization’s impacted systems, as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contact our cybersecurity experts and protect your data.
U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack
The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus”, over the WannaCry cyberattack and two other high-profile attacks: the Sony Pictures cyberattack and the cyberheist at Bangladesh Bank.
The Justice Department filed a criminal complaint last June 8, 2018 against North Korean national Park Jin Hyok over the WannaCry, Sony and Bangladesh Bank cyberattacks. The complaint wasn’t made public when it was filed; it was only made public in the Justice Department’s recent announcement.
The WannaCry, Sony and Bangladesh Bank cyberattacks are among the most notorious cyberattacks of recent years. On May 12, 2017, the WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payments from victims.
The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.
The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.
The criminal complaint, filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there is sufficient evidence to show that Park was a member of the conspiracies that resulted in the successful WannaCry, Sony and Bangladesh Bank intrusions, as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.
Shields said that Park, a computer programmer, used to work at the China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.
Cybersecurity organizations such as Symantec, BAE Systems and Kaspersky Lab refer to this North Korean hacking organization as “Lazarus”.
"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.
Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.
According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.
Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of the Macktruck malware from the Sony attack, in the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and in the Nestegg malware found in the Bangladesh Bank cyberheist.
TLS, short for Transport Layer Security, is a cryptographic protocol used to secure communications between computers. “FakeTLS”, meanwhile, refers to a protocol that mimics genuine encrypted TLS traffic but actually uses a different encryption method. By using “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts, as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.
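As an added example (not from the complaint or this page), here is a Python record-layer sanity check a network sensor can run on a client-to-server stream before it trusts the stream as TLS: it parses the 5-byte record headers, rejects implausible content types, versions and lengths, and requires the opening record to be a self-consistent ClientHello. It assumes the impersonation does not reproduce record framing; a mimic that frames records correctly, which the page's description of FakeTLS allows, would pass this check and needs handshake-level inspection instead. Both sample streams are constructed inline.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048      # largest protected record TLS 1.2 permits
CLIENT_HELLO = 1                   # handshake message type


def parse_records(stream: bytes) -> list:
    """Split a client->server byte stream into (content_type, version, body) records.

    Raises ValueError at the first header that cannot be genuine TLS record framing.
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d at offset %d" % (ctype, off))
        if major != 3 or minor > 4:
            raise ValueError("implausible record version %d.%d at offset %d" % (major, minor, off))
        if length == 0 or length > MAX_RECORD_LEN:
            raise ValueError("implausible record length %d at offset %d" % (length, off))
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d claims %d bytes, %d present" % (off, length, len(body)))
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def looks_like_tls_client_stream(stream: bytes):
    """Return (ok, reason); ok is False when framing or the opening ClientHello is inconsistent."""
    try:
        records = parse_records(stream)
    except ValueError as exc:
        return False, str(exc)
    if not records:
        return False, "empty stream"
    ctype, _, body = records[0]
    if ctype != 22 or len(body) < 4 or body[0] != CLIENT_HELLO:
        return False, "first record is not a ClientHello handshake message"
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        return False, "ClientHello length field disagrees with record body"
    return True, "record framing consistent with TLS"


def build_client_hello(client_random: bytes = b"\x11" * 32) -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    hello = b"\x03\x03" + client_random + b"\x00"      # client_version, random, empty session_id
    hello += b"\x00\x02\xc0\x2f"                        # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    hello += b"\x01\x00"                                # one compression method (null)
    hello += b"\x00\x00"                                # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: a genuine-looking ClientHello followed by one application_data record,
# and a stream whose first header borrows TLS's leading bytes but whose framing does not hold up.
GENUINE_STREAM = build_client_hello() + b"\x17\x03\x03\x00\x05hello"
FAKE_STREAM = b"\x16\x03\x01\x00\x10" + b"\xde\xad\xbe\xef" * 8   # claims 16 bytes, 32 follow unframed

if __name__ == "__main__":
    for label, data in (("genuine", GENUINE_STREAM), ("fake", FAKE_STREAM)):
        print(label, looks_like_tls_client_stream(data))
```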
Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:
Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.
Kaspersky Lab also agrees that the Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.
According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity that appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful to wipe traces of its illegal activities, one server the group breached contained a serious mistake, with important evidence left behind.
The compromised server, Kaspersky Lab said, was used as a command and control center for malware. While the group accessed the compromised server through VPN/proxy servers to conceal its true IP address, it made one mistake: one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.
Symantec, for its part, said there’s a strong link between Lazarus and the WannaCry, Sony and Bangladesh Bank attacks.
According to Symantec, evidence gathered from an early version of the WannaCry malware revealed three other pieces of malware: Trojan.Volgmer and two variants of Backdoor.Destover, disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares code with Backdoor.Contopee, malware used by the Lazarus group in intrusions at banks.
The attack methods of the Lazarus group keep evolving, so one form of cyberdefense isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and the corresponding preventive measures:
1. Exercise Caution in Clicking Links
One of the intrusion methods used by Lazarus is spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email, but the hyperlinked “Log In” text that supposedly led to the official Facebook page instead went to a URL controlled by the group and directed victims to malware.
2. Exercise Caution in Visiting Websites
One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is hacking government websites through known security vulnerabilities. When a target visits such a compromised government website, the target’s computer becomes infected.
3. Keep All Software Up-to-Date
The simple reason the Lazarus group was successful in its WannaCry attack is that many had failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows systems that had not installed Microsoft’s March 14, 2017 security update, as well as older versions of Windows that were no longer supported, including Windows XP, Windows 8 and Windows Server 2003.
How to Avoid Being a Victim of Email-Based Ransomware
The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait ransomware victims through email spam campaigns.
Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.
GandCrab ransomware is malicious software (malware) that encrypts files on compromised computers, locks out users and demands payment to decrypt or unlock the files.
How Ransomware Victims Are Baited via Email Spam Campaign
The latest version of GandCrab ransomware is spread via spam emails. While these spam emails don’t target specific individuals, they do target specific countries: addresses in the US are the primary recipients of this spam campaign, followed by addresses in the UK and Canada.
Recipients of these spam emails are tricked into opening them because the attackers use subject lines commonly used by people working in an organization:
Once the malware is downloaded to a compromised computer, all the files on the computer are encrypted, preventing the user from accessing them, and a ransom note is displayed on the screen.
This ransom note directs the user to a site accessible with the TOR browser, a browser designed to protect privacy and anonymity. Once accessed, the site tells the victim that the files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period; if payment isn't made within that period, the cost of decrypting the files doubles.
GandCrab Ransomware Earlier Versions
The first version of GandCrab ransomware appeared in the wild on January 30, 2018.
This early version of GandCrab was also distributed via spam emails purporting to be invoices, as well as via malicious advertisements (malvertisements) linking to malicious websites from which the download of GandCrab is initiated.
Like the latest version, the first version of GandCrab spread in the wild and encrypted the files on the compromised computer. Instead of asking for ransom in US dollars, the first version asked for payment in the Dash cryptocurrency, the first time this cryptocurrency had been used in a ransomware campaign. Previously, ransomware attackers preferred the cryptocurrencies Bitcoin and Monero as ransom payment.
According to Europol, the European Union’s law enforcement agency, GandCrab is run as an affiliate program, or ransomware-as-a-service. Anyone who joins the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.
According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.
A tool to decrypt files encrypted by GandCrab (version 1) was developed through a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.
According to Check Point, the decryptor tool wasn’t the result of a cryptographic breakthrough. Rather, it came from law enforcement’s access to the ransomware’s master server, which enabled them to recover all the private keys that had been used for encryption by GandCrab (version 1), as evidenced by the decryptor tool’s dependence on an available victim ID.
The developers of GandCrab, however, regularly modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless, as it won't bring the files back.
Paying the ransom for the latest version of GandCrab is therefore not advisable, as it doesn’t guarantee that the attackers have the capability or any intention to decrypt the files.
Social Engineering Feature of GandCrab Ransomware
As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed in its distribution.
A social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise its computer systems.
Today’s human interaction involves technology. Many human interactions now happen via email, a form of online communication that has endured even with the advent of newer forms such as instant messaging, social networking and online chat.
GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware such as Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just 24 hours, over 23 million spam emails carrying the Locky ransomware were sent.
It’s interesting to note that all three of these ransomware families, GandCrab, Spora and Locky, tricked their victims into opening ransomware-laden email attachments by using the subject line “Invoice”.
Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:
Bad Rabbit Ransomware, New variant of NotPetya, Is Spreading
Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.
According to the Russian News Agency TASS, Bad Rabbit ransomware attacked Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily hit Russia (86%), followed by Japan (3%), Bulgaria (2%), Ukraine (1%), the US (1%) and all other countries (7%).
NotPetya versus Bad Rabbit
NotPetya is malicious software (malware) that was released into the wild in June of this year. It wreaked havoc on thousands of computers worldwide, including in Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications and FedEx are some of the victims of NotPetya.
As with NotPetya, users of computers infected by Bad Rabbit received a notice that their files were encrypted. Both malware families use the same style of ransom note, telling victims to pay a certain amount to regain access to their files. Both are worms, which means they can self-propagate, reproducing themselves by infecting other computers on the network.
One stark difference between NotPetya and Bad Rabbit is their use of self-propagation tools. While NotPetya self-propagates using both EternalBlue and EternalRomance, Bad Rabbit self-propagates using only EternalRomance.
EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools it released had been used by the National Security Agency (NSA) to exploit vulnerabilities in the Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017 fixing the vulnerabilities exposed by Shadow Brokers.
The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to extract money from victims. None of NotPetya’s victims were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it isn’t a wiper, as the encrypted files can be recovered if the key is known.
How Bad Rabbit Works
Bad Rabbit infects victims’ computers in the following manner:
Victims’ first contact with Bad Rabbit is via watering holes: legitimate websites altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.
Once a victim visits one of these compromised sites, the Bad Rabbit malware is dropped or downloaded onto the victim's computer as a fake software update for Adobe Flash Player.
Masquerading as a Flash Player update, the Bad Rabbit malware enters the victim’s computer through social engineering: convincing the victim that his or her Flash Player needs updating. A popup appears in the middle of the screen asking the user to download an update for Flash Player.
Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-source tools, described below, onto the victim’s computer. According to Symantec, the download originates from a particular domain, though it’s possible that victims were redirected there from other compromised sites.
Mimikatz is an open-source tool used for changing privileges and recovering Windows passwords in plaintext.
In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords to try to guess Windows passwords.
ReactOS is an open-source operating system used as an alternative to Windows. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.
DiskCryptor is an open-source tool used to perform encryption. After individual files on the victim’s computer are encrypted, Bad Rabbit then performs full disk encryption. Once the system restarts, a ransom note is displayed, demanding a ransom of 0.05 Bitcoin (US$280).
Bad Rabbit spreads to other vulnerable computers on the network using EternalRomance, an exploit that bypasses security in Server Message Block (SMB), the transport protocol used by Windows computers for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.
According to researchers at RiskIQ, the cyber attackers had already compromised the websites used as watering holes long before Bad Rabbit ransomware was distributed last October 24th. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”
"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.
How to Prevent Bad Rabbit Attacks
As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This measure alone, however, isn’t enough to protect you from Bad Rabbit.
Bad Rabbit self-propagates using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has been available from Microsoft since March 17, 2017.
"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"
In your effort to keep all software up-to-date, be careful, though, not to fall into the trap of fake updates.
Fake Adobe Flash Player updates have long been a favorite of cyber criminals, as they keep finding security vulnerabilities in this software. If an update pops up on your monitor, don’t click the button; visit the official Adobe website for updates instead.
Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours
Locky was the first ransomware to make $1 million per month, based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
"In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017," researchers at AppRiver said.
How the Latest Locky Ransomware Works
Millions of workers returning to work on Monday, August 28th received an email with subject lines such as “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file initiates the download of the latest version of Locky ransomware. All the files on the infected computer are then encrypted, converting the data into ciphertext, a form that can only be read using a secret decryption key or password. After the encryption, victims are instructed to install the TOR browser and are provided with a .onion address, also known as a dark web site. Below is a screencap of the dark web site.
The dark web site shows the victim how to purchase Bitcoins. It also tells the victim to send 0.5 Bitcoin, equivalent to a staggering $2,381, to a certain Bitcoin address as payment to supposedly unlock the encrypted files.
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. The latest strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week.
Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant called "Diablo6", named after the “.diablo6” extension to its encrypted files.
“It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.
History of Locky Ransomware
Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of a malware that locked access to certain hospital computers by encrypting the files and demanding ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”.
According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky's total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.
Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In the more than a year that Locky has existed in the wild, its creators have periodically changed the malicious software. Aside from “.lukitus” and “.diablo6”, Locky’s creators have also used “.locky”, “.zepto” and “.odin” as extensions for encrypted files.
Different variants of Locky were spread in 2 ways: 1) spam emails and 2) compromised websites.
One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to spread the Locky ransomware:
An email with the subject line "Scanned image from MX-2600N” may look innocent enough, but the use of such a subject line is the product of a sophisticated campaign: a plan to mislead many employees into opening the spam email.
The term “MX-2600N” is actually the most popular model of Sharp scanner/printer used in many offices. Many employees use this model to scan documents and email them to themselves or to other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves.
According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
The other attack path used by Locky ransomware is via compromised websites that redirect to the Nuclear or Neutrino exploit kit. Unlike in a malicious email campaign, where the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require any added action from the end user. An exploit kit works invisibly while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer.
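As an added example (not code from the original post, nor from AppRiver or Fortinet), the following Python script shows how a mail gateway could triage inbound messages for the two indicators described above: the lure subject lines and a ZIP attachment carrying a VBS script. The sample messages, the sender and recipient addresses, and the script extensions beyond .vbs are constructed assumptions for the demonstration.

```python
"""Triage of inbound mail for the Locky lures described in the article.

Added example, not code from the original post. The lure subject lines and
the 'VBS inside a ZIP' pattern come from the article; the sample messages,
addresses and the extra script extensions are constructed for the demo.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# Subject lines quoted in the article (matched case-insensitively).
LURE_SUBJECTS = {
    "please print", "documents", "photo", "images", "scans", "pictures",
    "scanned image from mx-2600n",
}
# Script types that should never arrive inside a ZIP from outside the
# organisation: .vbs is from the article, the others are an assumed policy.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def zip_script_members(zip_bytes: bytes) -> list:
    """Names of script files inside a ZIP payload (empty if none or not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report the indicators it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    report = {"subject": subject, "lure_subject": subject in LURE_SUBJECTS,
              "script_in_zip": [], "verdict": "deliver"}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Inspect content, not just the name: a renamed ZIP still opens as one.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            report["script_in_zip"].extend(zip_script_members(payload))
    if report["script_in_zip"]:
        report["verdict"] = "quarantine"   # script in an archive: block outright
    elif report["lure_subject"]:
        report["verdict"] = "flag"         # lure subject alone: hold for review
    return report


def build_sample(subject: str, zip_name: Optional[str], inner_name: Optional[str]) -> bytes:
    """Construct a test message, optionally with a ZIP holding one placeholder file."""
    msg = EmailMessage()
    msg["From"] = "scanner@example.com"   # constructed sender
    msg["To"] = "staff@example.com"       # constructed recipient
    msg["Subject"] = subject
    msg.set_content("See attached.")
    if zip_name and inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, "placeholder content, not a real script\n")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=zip_name)
    return bytes(msg)


def triage(messages: list) -> list:
    """Verdict for each raw message, in order."""
    return [inspect_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    samples = [
        build_sample("please print", "print.zip", "print.vbs"),               # Locky-style lure
        build_sample("Scanned image from MX-2600N", "scan.zip", "scan.pdf"),  # lure subject, benign ZIP
        build_sample("Q3 budget", "budget.zip", "budget.xlsx"),               # ordinary mail
        build_sample("Meeting notes", None, None),                            # no attachment
    ]
    for raw, verdict in zip(samples, triage(samples)):
        print(f"{inspect_message(raw)['subject']!r}: {verdict}")
```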
How to Prevent Locky Ransomware Attacks
Here are some of the ways to block Locky ransomware attacks:
1. Use Up-to-Date Browser and Software
“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.”
2. Exercise Caution When Opening Emails and Attachments
Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs.
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.
4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks
WannaCry and NotPetya, also known as Petya, have been the most talked about cyber attacks in the past three months. WannaCry was released into the wild in May this year; NotPetya in June this year.
Their popularity is understandable given that the combined victims of these two cyber attacks reached hundreds of thousands worldwide, with WannaCry affecting over 300,000 computers in 150 countries; NotPetya affecting over 12,500 computers in 65 countries.
Most importantly, these two cyber attacks, labeled as ransomware – malicious software that encrypts computer data and asks for ransom money to unlock it – victimized big corporations and big government institutions worldwide.
WannaCry disrupted the operations of UK’s National Health Service, U.S. express delivery company FedEx and Renault's assembly plant in Slovenia. NotPetya, on the other hand, disrupted the operations of the Chernobyl nuclear plant, U.S.-based pharmaceutical company Merck and Danish shipping firm Maersk.
While big corporations affected by NotPetya such as Nuance, TNT Express, Saint-Gobain, Reckitt Benckiser Group and Mondelēz International publicly acknowledged that their operations have been disrupted, and they have suffered economic losses because of the attack, these big corporations have proven their resilience.
“If a public breach damages a brand and causes customers to switch to a competitor, a larger business can weather the impact better than a smaller business,” Cisco said in its 2017 midyear cyber security report. “When attackers breach networks and steal information, small and medium-sized businesses (SMBs) are less resilient in dealing with the impacts than larger organizations.”
Here are 4 lessons small businesses can learn from WannaCry and NotPetya cyber attacks:
1. Use the Latest Operating System
Users of old operating systems are vulnerable to cyber attacks.
The majority of NotPetya ransomware infections, according to a Microsoft bulletin dated June 29 this year, were observed on computers running Windows 7. Windows 10, according to Microsoft, is resilient against the NotPetya ransomware attack.
For WannaCry, users of old Microsoft operating systems – in particular, Windows XP, Windows 8 and Windows Server 2003 – fell victim to this malicious software. Microsoft ended its support for Windows XP on April 8, 2014; Windows Server 2003 on July 14, 2015; and Windows 8 on January 13, 2016.
For Windows XP, Microsoft issued this statement:
"After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system – such as Windows 10 – so you can receive regular security updates to protect their computer from malicious attacks."
In the paper “The hackers holding hospitals to ransom” published in the British Medical Journal (BMJ) two days before the WannaCry attack, Krishna Chinthapalli, a doctor at the National Hospital for Neurology and Neurosurgery in London, found that a number of British hospitals were using Windows XP, an operating system introduced by Microsoft in 2001.
2. Install the Security Updates for the Latest Operating System
Even if you’re using the latest operating system, if you fail to install the latest security update or patch, your computers are still vulnerable to cyber attacks.
Users of Windows 10 – the latest operating system from Microsoft – who failed to install the security update released by Microsoft on March 14, 2017 fell victim to WannaCry.
Microsoft said that its March 14, 2017 update resolves vulnerabilities in Microsoft Windows that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” WannaCry exploited exactly this security vulnerability, the one addressed in Microsoft’s March 14th update.
3. Paying Ransom Isn’t a Guarantee that You’ll Get Your Data Back
In a typical ransomware attack, computer data is encrypted, a ransom note is shown on the victim’s screen, the victim pays, and the victim recovers the data once it is decrypted.
WannaCry victims paid close to $100,000, paid in bitcoins; NotPetya victims paid close to $10,000. These earnings are in stark contrast to those of the top grossing ransomware, Locky, which earned $7.8 million, and the second top grossing ransomware, Cerber, which earned $6.9 million, based on the data provided in a Google-led study (PDF).
The reason these two didn’t earn as much in bitcoins is that many victims knew early on that these malicious programs couldn’t restore their data even after the ransom was paid. According to the Google-led study, WannaCry and NotPetya are "impostors” as they are in reality “wipeware” pretending to be ransomware.
Matt Suiche from Comae Technologies concluded that NotPetya is a wiper as it “does permanent and irreversible damages to the disk”. Suiche distinguishes a wiper from ransomware this way: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims of NotPetya also can’t pay ransom as the payment email address isn’t accessible anymore. The email address specified in the NotPetya ransomware notice was immediately blocked by the email provider Posteo. The perpetrator or perpetrators of NotPetya also didn’t replace the blocked address with another one.
In the case of WannaCry, McAfee researchers found that while WannaCry can decrypt files, “WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.”
4. Backup Your Data
Make your organization resilient to cyber attacks by backing up your critical data. You can always get back your operating system or other software applications by reinstalling them. It may, however, be impossible to recreate data lost to cyber criminals. It’s important, then, to always back up your critical data.
Backing up data on a regular basis isn’t just helpful in case cyber attackers corrupt your data; it’s also valuable in case your computers are stolen or destroyed as a result of fire or other disasters.
Ransomware Victims Have Paid $25 Million in the Span of 2 Years, Google-Led Study Shows
Since 2016, ransomware victims have paid over $25 million to cyber criminals, according to a new Google-led study with input from researchers at the University of California San Diego (UCSD), New York University (NYU) and Chainalysis.
Google researchers Elie Bursztein, Kylie McRoberts and Luca Invernizzi, in the study called “Tracking desktop ransomware payments end to end”, found that over a period of 2 years ransomware criminals earned a total of $25,253,505.
"A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back,” Bursztein, McRoberts and Invernizzi said. “In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.”
According to Google, since 2016 there has been an 877% increase in search queries for the keyword “ransomware”, the term used to refer to malware that encrypts victims’ computers and demands a ransom payment for the key to unlock them.
The top 10 ransomware earners, according to the Google-led study, are Locky ransomware (with total earnings of $7.8 million), followed by Cerber ($6.9 million), CryptoLocker ($2 million), CryptXXX ($1.9 million), SamSam ($1.9 million), CryptoWall ($1.2 million), AlNamrood ($1.2 million), TorrentLocker ($1 million), Spora ($0.8 million) and CoinVault ($0.2 million).
According to the study, a ransomware goes through the following process:
Aside from being the top grossing ransomware since 2016, the Google-led study cited Locky as one of the notable ransomware for being the first ransomware to earn $1 million per month.
The Google-led study said Locky brought “ransoms to the masses”. This ransomware first appeared in February 2016. According to Symantec, cyber criminals aggressively spread this malware by using compromised websites and massive spam campaigns. This malware encrypts files on victims’ computers and demands ransom payment.
Allen Stefanek, president and CEO of Hollywood Presbyterian Medical Center, publicly admitted that as a result of the Locky ransomware attack, the hospital paid 40 bitcoins, equivalent to nearly $17,000. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
This ransomware is another notable ransomware cited by the study for its consistent income of $200,000 per month for over a year. This malware first appeared in February 2016.
According to Kaspersky Lab, this ransomware, also dubbed a “multipurpose malware”, encrypts files when executed via an email attachment and demands money for their safe return. This ransomware, according to Kaspersky Lab, also infects computers for other purposes, such as for a distributed denial of service (DDoS) attack or as a spambot.
Wipeware vs. Ransomware
It is worth noting that the Google-led study didn’t include WannaCry and NotPetya (also known as Petya) in its top 10 highest grossing ransomware of the past two years. WannaCry ranked only 11th, with total earnings of $0.1 million.
The Google-led study classified WannaCry and NotPetya as ransomware “impostors”. The study found that even if WannaCry and NotPetya victims pay the ransom, they still can’t unlock their computers. "Wipeware pretending to be ransomware is on the rise," the researchers noted.
Matt Suiche from Comae Technologies, who concluded that NotPetya is a wiper, not a ransomware, explained the difference between a wiper and ransomware:
"The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) – a wiper would simply destroy and exclude possibilities of restoration."
WannaCry first appeared last May 12; NotPetya first appeared last June 27. While WannaCry affected hundreds of thousands of computers around the world, NotPetya only affected tens of thousands of computers worldwide. The glaring similarity between WannaCry and NotPetya is how they affected major government institutions and big companies.
WannaCry disrupted the operations of UK’s National Health Service, Renault's assembly plant in Slovenia, U.S. express delivery company FedEx and Spanish telecommunications company Telefonica. NotPetya, meanwhile, disrupted the operations of the Chernobyl nuclear plant, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, Cadbury and Oreo-maker Mondelez and Russian oil and gas giant Rosneft.
How to Protect Your Organization from Ransomware and Wipeware
Here are 4 tips on how to protect your organization from ransomware and wipeware:
1. Backup Your Data
According to the Google-led study, ransomware criminals were able to inflict significant damage on their victims because only 37% of computer users back up their data.
In today’s digital world, organizations operate effectively because of data availability. Given the importance of data to your organization, this vital asset should be protected at all costs.
When it comes to data backup, having one backup copy may not be enough to safeguard your organization’s data. The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations follow the “3-2-1 rule”:
2. Keep Your Operating System and Other Software Updated
Microsoft’s Windows 10 update, for instance, can help detect the latest batch of Cerber ransomware.
3. Disable Loading of Macros in Office Programs
“To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros,” Microsoft said.
4. Think before You Click
Refrain from opening emails from senders you don’t recognize. Don't click or open the following attachments:
Effects of Petya Cyber Attack Still Linger
Even as weeks have passed since the Petya ransomware attack, its negative effects still linger.
Operational and Financial Costs of Petya Cyber Attack
At the height of Petya’s global attack last June 27, Nuance, a company that offers transcription services to doctors, publicly acknowledged that certain systems within its network were affected by the global malware incident.
Bloomberg reported that nearly four weeks after the ransomware attack, many doctors still can’t use Nuance's transcription service. According to Bloomberg, hospital systems, including Beth Israel Deaconess in Boston, still can’t use Nuance’s transcription platform, which allows doctors to dictate notes from a telephone. This forces doctors to revert to the old way of making notes with pen and paper. The company told Reuters that it expects to have its transcription platform service restored to substantially all clients within two weeks.
Nearly 50% of Nuance’s $1.95 billion in revenue in 2016 came from its health-care and transcription business, Bloomberg reported. As a result of the malware attack, Nuance expects an adjusted 3rd quarter revenue of $494 million to $498 million, short of the $509.8 million revenue that analysts expect, Reuters reported.
TNT Express, a small-package ground delivery and freight transportation company acquired by FedEx in May 2016, is another company that experienced disruption to its operations weeks after the Petya ransomware attack. FedEx publicly acknowledged last June 28 that TNT’s worldwide operations were significantly affected by the Petya cyber attack. According to FedEx, as of July 17, all TNT hubs, depots and facilities are operational. FedEx, however, said that customers are still experiencing widespread service and invoicing delays, as a significant portion of TNT’s operations and customer service functions reverted to manual processes.
“We cannot estimate when TNT services will be fully restored,” FedEx said in a statement. The courier company added, “Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material.”
FedEx further said that while the company can’t yet quantify the amounts, it has experienced loss of revenue as a result of decreased volumes at TNT, remediation of affected systems and incremental costs associated with the implementation of contingency plans. FedEx added that it doesn’t have cyber or other insurance in place to cover the cost of the attack.
While FedEx still can’t quantify the cost of the Petya cyber attack, other multinational companies like Saint-Gobain, Reckitt Benckiser Group and Mondelēz International were able to put a price on the June 27th ransomware attack.
Saint-Gobain, a French multinational corporation that produces a variety of construction and high-performance materials, said that based on its preliminary assessment, Petya’s financial effect on the company’s first half sales is limited to about 1%.
Reckitt Benckiser Group, a British multinational consumer goods company, for its part, said in a statement that Petya’s disruption meant that the company’s revenue growth in the second quarter would be down by 2%. Reckitt’s act of putting a price on the cyber attack is a revelation in itself, Bloomberg said, as the company had just spent $18 billion in cash acquiring baby formula producer Mead Johnson Nutrition Co.
For its part, Mondelēz International, a snacking company with 2016 net revenues of almost $26 billion, in a statement said, “Our preliminary estimate of the revenue impact of this event is a negative 300 basis points on our second quarter growth rate.”
“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” Bloomberg Intelligence analyst Mandeep Singh said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”
Secondary Effects of Cyber Attacks
Cyber attacks result in a number of potentially significant secondary effects. The following are 4 of them:
1. Property Damage and Loss of Life
A cyber attack may affect life-critical functions or databases. Disruption of remote surgery may result in loss of life; interference with critical SCADA alarm systems may result in property damage.
2. Reputational loss
Companies may acknowledge cyber attacks voluntarily or out of necessity, when pressured by customers’ revelations on social media, by third-party disclosures or by the disclosure requirements of certain governments. The practice of sending apology notes to clients may have a negative effect on the company’s reputation.
When customers can’t access your company’s site or when your automated processes are disrupted, this automatically impacts the company. Stock prices are typically volatile after a cyber attack. Nuance shares, according to Bloomberg, have dropped almost 8 percent since June 27, when the Petya ransomware attack began.
3. Litigation Cost
When a cyber attack disrupts your services and this, in turn, disrupts the services of your customers, it may lead to costly litigation. In the case of a data breach, affected customers may sue your company for the breach. Ruby Corp., formerly known as Avid Life Media, the parent company of the dating site Ashley Madison, said that it will pay $11.2 million to settle a case brought on behalf of nearly 37 million Ashley Madison users whose personal details were exposed in a July 2015 data breach, CNBC reported.
4. Cost of Additional Security Controls
Another consequence of a cyber attack is the cost of additional security controls. The data breach at Ashley Madison prompted Ruby Corp. to spend millions of dollars to improve user privacy and security, according to CNBC. After a data breach, affected companies typically don’t just patch the specific vulnerability; they implement additional security controls such as:
Cyber risk is becoming more and more of a reality for many businesses in the 21st century. In the World Economic Forum’s Global Risks Report 2016, cyber attack was ranked in 11th position in both likelihood and impact.
Our team can help your business evaluate the cyber risks and recommend cyber defence strategy. Connect with us today and protect your business.
Here is why Petya is not a Typical Ransomware
This week, another ransomware called “Petya” attacked major companies around the globe.
Petya attacked the computers at the Chernobyl nuclear plant, forcing workers to manually monitor the plant’s radiation. The ransomware also attacked the computers of major global companies including Russian oil and gas giant Rosneft, Cadbury and Oreo-maker Mondelez, British advertising giant WPP, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, real estate subsidiary of French bank BNP Paribas and multinational law firm DLA Piper.
Microsoft, in a blog post, said that more than 70% of the computers attacked by Petya were in Ukraine, while computers in other countries were also affected in significantly lower volumes. Microsoft added that the majority of Petya infections were observed on Windows 7 computers.
How Does Petya Spread and Infect Computers
Cyber security firms Kaspersky Lab and Symantec, and even Microsoft, confirmed that the Petya ransomware uses Eternal Blue, an exploit for Microsoft Windows believed to have been originally developed for the use of the U.S. National Security Agency (NSA). Eternal Blue is the same exploit used in WannaCry, another ransomware that affected hundreds of thousands of computers worldwide less than two months ago.
“Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself,” Symantec said. “However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.”
In addition to exploiting the Microsoft Windows vulnerability, Symantec said, this latest ransomware spreads by acquiring usernames and passwords and spreading across network shares. According to Symantec, the Petya ransomware that started propagating last June 27 is a variant of the original Petya, a malware known to exist since 2016, which not only encrypts files but also overwrites and encrypts the master boot record (MBR).
Kaspersky Lab, for its part, said that this latest ransomware is significantly different from all earlier known versions of Petya; as such, the cyber security firm calls it “ExPetr” or “NotPetya”.
In the new Petya (the term we use here because the world media adopted this name), cyber criminals demand that each of their victims pay $300 in bitcoins to recover files. The following ransom note is displayed on the victim’s infected computer:
Cyber criminals behind the Petya ransomware attack used an email address from the German email provider Posteo as the means to contact their victims. Upon learning that its email platform was being used by cyber criminals, Posteo blocked the email account used by the Petya perpetrators on the same day that the ransomware was released into the wild.
As a result of Posteo’s email blockade, Petya’s victims have no way to contact the people behind the latest ransomware attack. The Posteo address was supposed to be the venue where victims would contact the blackmailers, telling them whether they had sent the bitcoins, and from which they would receive decryption keys.
A complete technical analysis is available from US-CERT, published on July 1, 2017.
Wiper vs Ransomware
According to Kaspersky Lab, even without the email blockade, there’s still no way for victims to recover their files, as the ransomware was designed in such a way that recovery of the data is impossible. To decrypt files, the cyber criminals need the installation ID. Kaspersky Lab said other ransomware, such as the old Petya, Mischa and GoldenEye, have an installation ID that makes file recovery possible.
In the new Petya, even the cyber criminals themselves can’t decrypt the victims’ files. The installation key shown in the new Petya ransom note, Kaspersky Lab said, is just random gibberish, “which means that the threat actor could not extract the necessary information needed for decryption.”
According to Symantec, the encryption performed by Petya is twofold:
“Either it was a sophisticated actor who knew what they were doing – except screwed up horribly on the part where they actually get paid or it wasn’t about the ransom in the first place,” Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, told the New York Times.
“They are no longer collecting a ransom [referring to the new Petya ransomware],” Justin Harvey, managing director of global incident response at Accenture Security, told the New York Times. “They are just being destructive.”
If the main motive of the ransomware is money, Harvey said, cyber criminals typically set up multiple avenues to collect funds from their victims. The recent ransomware attack uses a single email address and a single bitcoin wallet for electronic payments.
How to Prevent Ransomware Attacks
Here are some of the ways to prevent ransomware attacks like the new Petya:
1. Use the latest operating system and make sure that most current updates are installed
It’s worth noting that, according to Microsoft, most Petya victims use Windows 7. Microsoft said that Windows 10 and its new streamlined operating system, Windows 10 S, block this type of attack by default.
2. Back up your data
Early this month, Nayana, a web hosting company in South Korea, agreed to pay more than $1 million to ransomware criminals to unlock its servers. This is believed to be the biggest ransomware payout on record. Backing up your data either offline or in the cloud protects your business from ransomware attacks. Cyber criminals will have no leverage on your business if you can easily retrieve your data somewhere else.
Businesses must make backups and, most importantly, test the backups by performing test restores. Home users can protect their data by subscribing to one of the many cloud storage and file sharing services.
Since the most important thing you can do to protect your data against ransomware is to make sure that the operating system is always up to date, ask your IT department to demonstrate that they have a solid vulnerability and patch management solution in place to keep your information safe.
Connect with us today, and our experts will answer your questions.
Steve E. Driz