ransomware

Top 9 Cyber Threats for Businesses

2019-10-03 by Michelle Dvorak

Top Cyber Threats for Businesses – Ransomware, BEC Scams, Social Engineering, Phishing Emails, Tax Cyber Threats All Threaten Businesses

The Federal Bureau of Investigations issued a Public Service announcement warning the public about the increasing threat of ransomware to businesses and healthcare organizations. Hackers have attacked smaller municipalities, major cities like Baltimore with expenseive ransomware attacks.

All businesses depend on the security of their systems, networks, websites, emails, and most importantly their data. A cyber threat puts every aspect of your business in danger.

Ransomware

Ransomware attacks are a form of cyber attack in which a malware takes control of a computer or servers and blocks access to files, devices, or the entire IT network until a ransom is paid. Ransomware attacks have been on the rise in one day in 2019 twenty-three government agencies in the state of Texas where infected with ransomware attack. The FBI warned that hackers are now targeting healthcare organizations with ransomware.

There is no guarantee that the system will be returned to its rightful owner if the ransom is paid.

RELATED: What is Ransomware?

BEC Scam

Business email compromise, or BEC, scams are a type of corporate fraud where a hacker impersonates an employee, compromises an email account, or steals employee data. Generally, the goal of a BEC scam is to steal money or conduct identity theft. BEC scams can affect a company of any size. In 2018 hackers stole over 1.3 billion dollars from companies using BEC scams. A Common BEC scam is to send a fraudulent invoice to someone in a company who is responsible for accounts payable. Often the contact information for the accounts payable employee is acquired during a previous social engineering attack or phishing email campaign. Tax fraud or W2 scams are types of BEC scams.

FREE 5.11 Tactical $99 Side Trip Bag with $199+ purchase. Use Code FREEBAG19
While Supplies Last

Often hackers compromise a corporate email account by resetting passwords. The hacker then sends an email from a legitimate corporate account to someone responsible for payments. A tricked employee who is received a legitimate looking invoice from an actual corporate email account may be fooled into transferring money to the hacker to pay the invoice.

What is a BEC Scam?

Phishing Email Scams

Phishing emails are malicious emails sent to a victim with the goal I’m getting the victim to click on a link, download a file, go to a spoof website, or take other fraudulent action. The hacker may want to infect the victim’s computer with malware, steal money by tricking the recipient into entering in banking credentials, or steal sensitive corporate data to use in further cyber attacks.

Malware Attacks

Malware is any unwanted software app including adware, spyware, ransomware, worms, RAT malware, or computer virus. Malware is used to spy on a victim’s computer or an entire IT network. Malware can also be used to steal login credentials or financial information. It can also be used to gain access to other hardware or computers attached to the same network or to download more malware. Ransomware is a form of malware that controls access to infected computers and holds access until a ransom is paid. Adware is a type of malware that shows advertisements on a device to earn money through clicks.

READ: 5 Phishing Email Examples

Industrial Espionage

Industrial Espionage or spying is carried out by organized and skilled hacking groups known as advanced persistent threat (APT) groups. APT hacking groups often work at the behest a foreign government. APT groups attack with a low and slow approach to hacking. They infiltrate and spy on corporate computers and networks to learn as much about the devices connected to the network and gain administrative access. APR groups also conduct industrial espionage to spy on corporate trade secrets, steal money, infect other machines and servers connected to a corporate network.

Get out, stay out! SAVE when you purchase the BioLite Energy Bundle+
Includes everything you need to feel at home while off-grid

Tax Fraud

Business tax fraud involves a hacker or scammer tricking a corporate employee into sending employee federal W2s or other tax forms. Tax fraud often begins with a phishing email. The hacker convinces a human resource employee to send one or more employee tax forms to an account controlled by the hacker. Because the tax forms contain personal information like names, addresses, and government identification numbers tax fraud results in identity theft. Tax fraud often begins with a spear phishing email.

Social Engineering Attacks

Social engineering is a tactic used by hackers to learn more information about a potential target. Social engineering is when a hacker gathers information about employees including names, email addresses, and job titles from publicly available online resources. Hackers get this information from corporate websites and social media accounts like LinkedIn and Facebook. The hacker then uses the personal information to send targeted spear phishing emails.

The personalized nature of the information contained in the email makes it seem as though the phishing email is coming from someone who is familiar to the recipient. Because the recipient is convinced, they know the sender, they’re more likely to follow the instructions in the scam email.

Social media accounts often contain the answers to common password reset questions. The answers to password reset questions combined with an email address can be used to hack into more sensitive accounts like credit cards, banks and corporate emails.

Identity Theft

Identity theft is one of the top forms of scams identified by the Federal Trade Commission. Identity theft occurs when a hacker steals a person’s name address government identification numbers and other personal information. The hacker opens financial accounts in the name of the victim. And identity theft victim might find that there are credit cards, car loans, and even mortgages opened in their name.

Unpatched Software or Hardware

Unpatched software and Hardware can easily result and malware ransomware and other cyber tax spreading across an entire corporate Network easily. The 2018 malware attack known as one guy spread easily across Europe and Asia because hundreds of thousands of Windows computers, we’re not kept up-to-date with the latest security patches.

Patching apps software and Hardware is one of the easiest ways to protect your corporate data devices and network from hackers.

Michelle Dvorak

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Cyber Security News 26 July 2019

2019-07-26 by Michelle Dvorak

Equifax Massive Data Breach Results in Financial Settlements, Bulgarian Data Breach Suspects Arrested, South African City Power Impacted by Ransomware Attack

Equifax Data Breach Results in FTC Settlement

Equifax reached a settlement with the US Federal Trade Commission. Equifax will have to pay $700 million to compensate for a massive data breach which affected about 147 million people.

Equifax was hacked after failing to keep its IT system up-to-date with the latest security patches leaving the system vulnerable to a cyber attack. In 2017, Hackers breached the system and stole about 147 million names, and birthdates, including 145.5 million Social Security numbers, and 209,000 payment card numbers. About 700,000, UK consumer records were also compromised.

Beginning in 2020, all U.S. consumers will be entitled to six free Equifax credit reports each year for the next seven years. They are also entitled to cash payments from $125 up to $20,000. The Equifax settlement is awaiting approval from the U.S. District Court for the Northern District of Georgia.

Over 100,000 University of Western Australia alumni were notified that their data may have been compromised after hardware was taken from a university building. The alert was sent by the university’s Vice Chancellor, Dawn Freshwater. She reported that thieves stole twenty laptop computers from a campus administration building. The theft occurred in late June and was reported to police. The laptops are password protected. The stolen data mostly affects applicants who applied to the University of Western Australia between 1988 and January 2018.

The University of Western Australia, a public research university, is located in Perth in the state of Western Australia. The stolen data includes tax file numbers, student identification numbers, and in some cases names, birthdates, and passport information. No banking or credit card information was compromised.

Ransomware Impacts South Africa’s City Power

A ransomware attack has crippled the operations of City Power, a South African utility company. The ransomware blocked customers from purchasing electricity through City Power’s prepaid vending system and also inhibited the utility’s ability to respond to service calls. The corporate database was compromised which affected most applications and networks leaving customers unable to use the website. City Power is located in Johannesburg, South Africa and is one of the area’s largest power suppliers.

Ransomware attacks continue to infect cities and universities. In the past two months three Florida cities were hacked in ransomware cyber attacks. Two of those cities, Riviera Beach and Lake City, opted to pay hackers their ransom to have data restored. The city of Baltimore, Maryland, Indiana’s La Porte County, and Lawrenceville, Georgia all were attacked by hackers. Universities have also been recent targets with Northwest Indian College and New York City’s Monroe College both reporting cyber attacks.

Two Bulgarians Charged for Hacking Ministry of Finance

Two employees at a Bulgarian cyber security research firm, Tad Group, have been charged in connection to the massive data theft from Bulgaria’s Ministry of Finance. The breach affects almost five million Bulgarian citizens. Tad Group employees, Georgi Yankov and Kristian Boykov, were both charged with terrorism. Boykov was initially charged with crimes against information systems, but that charge was dropped and changed.

Hacked data from Bulgarian citizens, foreigners, and businesses contains financial information, personal identifiable numbers, tax returns, addresses, and income history. With only seven million citizens, this data breach affects almost everyone in Bulgaria. Compromised data also includes files from the European Union’s anti VAT fraud network, EUROFISC, Bulgaria’s Ministry of Finance tax agency, the National Revenue Agency, may face a maximum of 20 million Euros (about $22.5 million USD.)

Michelle Dvorak

www.metrony.com/

Cyber Security News Update July 05 2019

2019-07-05 by Michelle Dvorak

WannaHydra Ransomware Attacks Android Devices

Cyber security researchers found a new version of WannaLocker malware that is more dangerous than pervious variations as it includes spyware and a banking Trojan and targets mobile devices. The new variation has been named WannaHydra ransomware and targets four major banks in Brazil. This malware is an Android version of the WannaCry ransomware.

WannaHydra ransomware encrypts files on the infected Android device’s external storage. The ransom for the decryption key costs 40 Renminbi (about $5.80 USD.) WannaHydra malware also collects device information such as the device manufacturer, hardware conifguration, phone number, text messages, call logs, photos, contact list, microphone audio data, and GPS location information.

Mobile devices are not immune from malware or hacking. They are commonly used on open, public WiFi connections giving hackers the opportunity to compromise a device. Routine actions, like checking email or posting on social media, can be intercepted by packet sniffers that can glean usernames and passwords from the unencrypted internet traffic. Most malware attacks also involve a social engineering attack. Skilled hackers take time to collect personal information about their targets.

US Customs and Border Protection suspends Perceptics

In other cyber security news, US Customs and Border Protection (CBP) suspended a contractor for a cyber security violation that affected about 100,000 travelers. The contractor, Perceptics, makes automobile license plate reading technology used to scan and identify vehicles crossing US land borders. The company’s technology is also used by several US states as well as foreign governments to surveil their roadways.
Perceptics transferred photos of automobile passengers crossing a Canadian-US border to their own servers in violation of their contract with CBP. The servers were then hacked and the photos and locations of over 100,000 vehicles were compromised. Hackers also stole CBP business data including government agency contracts, budget spreadsheets, and PowerPoint presentations. Perceptics has contracted with CBP for over 35 years. The company was using the photos to test some of its new vehicle scanning technology.

US Customs and Border Protection routinely surveils vehicle passengers at all border crossings without the knowledge and consent of travelers. It is not known where or how long the data is retained. There is no federal policy limiting or informing the public about facial recognition or any other biometric data taken at the federal, state, or local levels.

Firefox Vulnerability

Cyber security researcher, Barak Tawily, successfully developed a cyber attack against Firefox web browser. The exploit takes advantage of the way Firefox implements Same Origin Policy (SOP) for the “file://” scheme Uniform Resource Identifiers. The bug allows any file in a folder to access to other files in the same folder or its subfolders. It also could allow hackers who exploit Firefox’s SOP scheme to read the content of any file and send any compromised data from the computer to a remote server. The vulnerability is not cyber security news to the IT community and was already known to the Mozilla, the company that produces Firefox. However, this is the first time someone developed a cyber attack against targeting Firefox using this scenario. Firefox has no plans to fix this issue.

Michelle Dvorak

www.metrony.com/

City of Baltimore Hacked by Ransomware

2019-05-08 by Michelle Dvorak

City of Baltimore, Maryland Hacked by Ransomware Again

Baltimore, Maryland has once again been struck by another ransomware attack. The cyber attack began yesterday morning and is the second ransomware attack for Baltimore. It is unknown at this time which malware variant was used in the attack, City employees were unable to work on their computers and many phone systems were down. City employees were instructed to disconnect their computers and many were told to go home.

Unlike last year’s malware attack, essential services like fire, police, and emergency medical services including 911 and 311 phone systems were unaffected. The ransomware attack halted customer service and financial transaction for many city of Baltimore departments. Residents were unable to pay their bills for city and county accounts. Late water bill fees are suspended due to the ransomware attack. The Department of Public Works resorted to using Twitter to communicate. Public Works tweeted that email and customer service phone lines were not functional

Baltimore was the target of another ransomware attack just over one year ago. In March of 2018, Baltimore’s 911 and emergency dispatch system was hacked in another ransomware attack that disabled the city’s computer emergency dispatch system. The ransomware controlled the 911 system for about 17 hours. Dispatchers were forced to revert to manual mode to handle emergency, safety, and medical calls until control of the computer system was restored.

Ransomware is not the only cybersecurity issue for Baltimore. In January 2019, former Baltimore Mayor Pugh ordered a cybersecurity investigation after a Department of Public Works water department employee gave himself privileged access to the director’s computer system. According to the Baltimore Inspector General, an analysis of the employee’s machine found hacking tools.

Other Hacked Cities

Baltimore joins the list of cities to be attacked and shut down by hackers. In April of this year, hackers diverted payroll money from the city of Tallahassee, Florida’s direct deposit system. The month before, the tornado warning sirens in two Texas cities were hacked, disabling them ahead of a major storm.

Like Baltimore, the city of Atlanta, Georgia was also the target of a ransomware attack in March 2018. “The city will not be paying any ransom at all,” Baltimore mayoral spokesman Lester Davis said. Also like Baltimore, Atlanta officials stated they would not pay any ransom money to hackers to regain control of their systems. The Atlanta damage was extensive. Municipal services were interrupted and data was destroyed. The cost of damages was estimated at $2.7 million.

How Are Computers Hacked?

Computers can be hacked in a number of attack vectors. Hackers send phishing emails to gain access and reset login credentials to email systems, bank accounts, as well as other important online accounts. Sometimes the goal of the attack is to gather more data for a future cyber attack. Most times, hackers are out to gather data or steal money. Personal information may be gleaned from social media sites such as Facebook, Twitter, Instagram, or others to develop a more targeted spear phishing attack. Skilled hackers develop malware and viruses to infiltrate entire networks. Hackers may hold a computer or system and demand a ransom for the return of control of the system. In 2016, US Presidential candidate Hillary Clinton’s campaign was the target of a Russian spear phishing attack. Campaign workers and volunteers were tricked by targeted spear phishing emails into giving up their email credentials. The hackers gained access to campaign email accounts and infected servers with malware.

What is Ransomware?

Malware is any unwanted software or app residing on a computer, network, hardware, smartphone or another device. Malware can also be called a virus although there are differences between the two. Malware can include viruses, spyware, adware, trojans, worms, and other exploits. Ransomware is a type of malware in which the computer, device, or data is taken over and controlled by the malware. Hackers demand a ransom, typically payable in cryptocurrency, to return control of the system to its owner.

Baltimore has shut down most of its servers to prevent the malware from infecting more machines. It is unknown how many servers or computers were affected by hackers. So far, there is no evidence that any personal data like payment information had been stolen because of the attack.

One of the best defenses against cyber attacks is to keep all hardware, computers, software, and application updated with the latest security patches. Web browsers like Chrome and Firefox regularly release updated versions of their software. The security updates address known and newly discovered vulnerabilities. Personal computers and smartphones can be set to accept updates automatically. Every app can be checked for updates by going into the settings of the respective app.

System administrators can protect systems by maintaining security patches and staying abreast of the latest cyber attack vectors. Recently a list of the 100 most commonly used passwords was published. Hackers use these lists to launch brute force attacks against online login systems. Lists of common passwords can be used as a dictionary of prohibited passwords. End users should avoid using any password on this list. Of course, strong passwords should be required by system administrators.

Michelle Dvorak

www.metrony.com/

What is Ryuk Ransomware?

2019-04-18 by Michelle Dvorak

Ryuk Ransomware – Smaller and More Expensive to Recover Infected Files

Ryuk ransomware is a virus that targets businesses and demands an exceptionally large ransom to restore data and return control of infected hardware. It is estimated that Ryuk ransomware has earned its hackers over three million US dollars, making it one of the most lucrative ransomwares. Targeted at enterprise organizations, Ryuk has infected companies worldwide. Because of its similarities to HERMES ransomware, it is suspected that Ryuk is most likely connected to the North Korean Lazarus Group.

Ryuk ransomware first appeared in August 2018 as a modified version of Hermes malware. Unlike Hermes though, this malware only targets enterprise IT systems. Organizations pay a large ransom to restore control over their files. Ransoms range between 15 BTC to 50 BTC. Each ransom is sent to a unique wallet. Because of the limited targets and individual wallets, Ryuk ransomware has been hard to track.

The ransomware encrypts computers, storage devices, and data centers in the infected companies. To infect a machine, Ryuk must gain admin privileges. It is sent via phishing emails and spread as a secondary payload through botnets like TrickBot and Emotet. TrickBot is commonly distributed via spam email. There are both 32- and 64-bit versions of Ryuk in circulation. Not a spear-phishing campaign, these emails are sent to a large number of recipients in a target organization in the effort to infect as many computers as possible. More encrypted machines equate to a larger ransom.

What is Ransomware?

Ransomware is a type of malware that infects a computer, hardware, IT system of any device and controls the system until a ransom is paid. While malware is any type of unwanted program from adware, cookies, to more serious computer viruses. Ransomware is delivered by to victims via email. Recipients can become infected when they click on a link in an email and end up on a spoofed website. Email can also be accompanied by attachments that contain malicious executable files.

Recent notable ransomware attacks include GandCrab, SamSam, Bad Rabbit, Petya, Not Petya, and the more famous WannaCry. WannaCry ransomware struck Europe and parts of Asia last. WannaCry took hijacked the British healthcare computers disabling patient care until it was resolved.

These malware attack served as reminders that one of the best ways to guard against malware, ransomware, and hackers is to keep all devices, software, and apps up to date with the latest security patches.

How Does Ryuk Ransomware Work?

Ryuk ransomware kills over 40 computer processes and stops over 180 services on infected machines mostly belonging to antivirus, database, backup, and document editing software. After infection, one of two versions of a ransom note are sent to victims. In one scenario, the victims can recover their files free of charge. In the other scenario, victims must pay a ransom to recover their data. The note warns users not to reset or shut down the computer because all will be lost.

According to Checkpoint, Ryuk does not encrypt files with the extensions exe, dll, or hrmlog – called whitelisting. The hrmlog is a debug log file created by the HERMES malware. Both Ryuk and HERMES whitelist similar folders (e.g. “Ahnlab”, “Microsoft”, “$Recycle.Bin”)

Multiple Ryuk attacks occurred in late 2018, mostly in the United States. The Onslow Water and Sewer Authority (OWASA) was infected by Ryuk on October 15, 2018. OWASA was unable to access their computers while customer services and data was not affected by the attack. Damage to the OWASA network required that some systems be rebuilt after the ransomware attack ended.

Both Data Resolution and Tribune Publishing were affected by Ryuk 2.0, a new variant. The attack on Dataresolution.net, a Cloud hosting provider, hijacked the company’s data center. Data Resolution shut down its entire network to stop the cyber attack. Again, no user data was accessed or compromised. The goal of the ransomware was to control the network.

In December 2018, multiple Tribune Publishing newsprint organizations were hit by Ryuk ransomware. The publishers were unable to send finished pages to printing services. No other damage was done to the network.

The latest Ryuk malware attack was reported by the city of Stuart, Florida in April 2019.

Michelle Dvorak

www.metrony.com/

GandCrab Ransomware Removal

2019-02-21 by Michelle Dvorak

GandCrab Ransomware – How to Get Your Files Back

GandCrab is a global ransomware that infects computers to take control of the device. Like other ransomwares, GandCrab locks up the use of a computer and makes demands for money in exchange for restored access by the rightful owner. The files on the computer are locked and held for ransom until the owner of the machine pays. The price tag is a $600 ransom payment. The ransomware has caused hundreds of millions of dollars in data losses and payments.

GandCrab ransomware was discovered near the end of January 2018. It quickly spread worldwide and is amongst the most common ransomware. The ransomware keeps evolving and if infected, it is important to know which version of GandCrab you are infected with, so you have the correct decrypter.

Bitdefender, maker of antivirus software, estimates that GandCrab has about 40% of the ransomware market. The most infected machines are in the United States and United Kingdom. South Korea, China, and Germany are also among the top contires afflicted with the malware.

How Does GandCrab Ransomware Infect Computers?

Originally GandCrab was spread by hackers who directly logged into exposed devices using stolen credentials. Hackers manually ran the ransomware then set it to spread throughout the entire network. Now GandCrab hackers are delivering ransomware to companies via vulnerabilities in remote IT support software used by service providers that manage customer workstations. GandCrab is also delivered as an email attachment.

What is Ransomware?

Ransomware is a type of malware. Ransomwares take control of a device and files or the entire device. The owner must pay a ransom to regain control of the device and the files. Of course, there is no guarantee that device or the files will be recovered even if the ransom is paid. Malware also corrupts devices and either destroys their usefulness or uses the device for its own mission. Malware does not demand payment.

GandCrab reappeared in the period leading up to Valentine’s Day. During holidays people tend to not be as careful about what emails they open. Hackers take advantage of the increased email and web traffic and use it to deliver malware and ransomware like GandCrab. Ransomware can be delivered with fake online greeting cards, spam that appears to offer gifts, and spoofed websites to trick readers into clicking on a link that start a ransomware download. Malicious apps, hacked email accounts and phishing emails can also be used to deliver ransomware or phish for login credentials.

How to Remove GandCrab Malware for Free

GandCrab can be defeated without paying the ransom. Bitdefender’s series of GandCrab decrytpers have unlocked over 10,000 machines. Bitdefender has released three versions of its GandCrab decrypter. The current decrypter can recover files locked up by GandCrab 5.2 The first iteration was first released in late February 2018. The application was updated in October 2018. Up until now GandCrab versions 1.x, 4.x, and 5.0.0 through 5.0.3 could be decrypted.
The latest version of GandCrab is version 5.2 and Bitdefender has a new decrypter our which is downloadable for free from their website.

Michelle Dvorak

www.metrony.com/

Hackers Attack Tribune Newspapers

2019-01-02 by Michelle Dvorak

Hackers Attack Tribune LA Times

Tribune Newspapers were the target of a weekend cyber attack. Hackers infected Tribune with ransomware named Ryuk the LA Times reported. The cyber security attack infected Tribune’s publishing network and systems crucial to news production and printing processes. The goal of the hackers appears to be to disrupt production of the papers rather than to steal data. The ransomware attack began Thursday night and infected critical newspaper publishing systems by Friday.

Hackers delayed weekend deliveries of the Los Angeles Times and other Tribune newspapers in the United States. The ransomware delayed distribution of Saturday editions of the Los Angeles Times and San Diego Union-Tribune. The west coast printing editions of the Wall Street Journal and New York Times were also hacked.

Tribune Publishing said in a statement Saturday that “the personal data of our subscribers, online users, and advertising clients have not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation.”

What is Ransomware?

Ransomware is a type of malware attack. Hackers infect a computer, router, server, tablet, smartphone, or other electronic devices. In a ransomware attack, hackers take over a machine in exchange for payment to release control of the system. One of the best ways to protect against malware and hackers is to keep internet systems up to date and patched with the latest software.

The malware shut down servers critical for storing news articles and photos which made it difficult to print the papers. It is believed that the hackers initiated the cyber attacked from outside the United States.

Michelle Dvorak

www.metrony.com/

SamSam Ransomware – How to Defend Your Network

2018-12-06 by Michelle Dvorak

DHS Warns of SamSam Ransomware

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) issued a warning about SamSam ransomware. NCCIC posted a bulletin warning that SamSam hackers are targeting multiple industries, some of which maintain critical functions. Hacked companies were mostly in the United States, however, some are in other countries although the bulletin did not specify where.

SamSam ransomware is also known as MSIL/Samas.

How Does SamSam Ransomware Work?

Hackers exploit Windows servers to gain access to a network. All reachable hosts are infected with the SamSam ransomware after the system is breached. SamSam hackers then grant themselves administrator privileges. Malware is injected on the server which then, in turn, runs an executable file. While many ransomware campaigns rely on a victim completing an action, such as opening an email, downloading a file, or clicking on a link, SamSam can infect an IT system without any interaction from the user.

Hackers use Remote Desktop Protocol (RDP) to gain persistent access to victims’ computer networks. Access is gained through brute force attacks or stolen login credentials. Brute force attacks are when automated dictionaries are used against a computer system to try millions of password combinations in a short period of time. Hackers can also buy login credentials on the dark web or use other information obtained through social engineering to gain access.

Like all ransomware, SamSam hackers demand a ransom in the form of Bitcoin via the dark web. After paying the ransom victims usually, receive links to download cryptographic keys to regain control of their network.

DHS and FBI recommend the following steps to strengthen system security:

Audit your network for systems that use RDP for remote communication. Disable the service if unneeded
Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port
Any system with an open RDP should be behind a firewall and require a virtual private network (VPN) to access it
Force the use of strong passwords
Lockout users after multiple unsuccessful login attempts to defend against brute force attacks
Use two-factor authentication (2FA)
Ensure that all hardware and software is kept up-to-date.
Schedule regular data back-ups
Require third party RDP service access to adhere to internal policies for remote access
Disable RDP on critical devices.
Regulate and limit external-to-internal RDP connections
Restrict the ability permissions to install and run software applications.
Scan for and remove suspicious email attachments
Ensure the scanned attachment is its true file type meaning the file extension matches the file header)
Disable file and printer sharing services

Michelle Dvorak

www.metrony.com/

Top Five Worst Ransomware Attacks

2018-08-23 by Michelle Dvorak

Top Five Worst Ransomware Attacks

Recent ransomware attacks are becoming more complex and harder to decrypt. They are also easier to launch and distribute. Global cyber attacks are launched with emails that are personalized to trick the reader. Much of the information used in a targeted spear phishing email attack is gained from social engineering.

What is Ransomware?

Ransomware is a portmanteau of two words “ransom” and “malware.” Ransomware is a form of malware that infects a laptop, hardware, software, or entire IT system. The hacker who launched the ransomware attack usually takes control of an internet connected device and blocks all other access to the device or certain files on the device. To regain control of the computer, the hacker demands something, usually money as a ransom. When the hacker’s ransom is paid, control of the computer system is (supposedly) returned to the owner. There is generally a deadline by which the ransom must be paid.

WannaCry

WannaCry was a global ransomware malware that struck Europe in 2017. European firms such as FedEx, Portugal Telecom, and Russia’s Megafon were all infected with WannaCry. The entire British healthcare system was locked up by WannaCry. The ransomware also spread to Taiwan.

This malware is based on the United States’ NSA’s Eternal Blue hacking tool which hacked itself and release on the dark web.

WannaCry locked up computers in exchange for $300 in Bitcoin. The malware only made about $50,000.

Locky

Locky is one of the happiest sounding names in ransomware. This variant showed up in 201 and persisted into 2017. It was especially notorious because it was delivered via email in the form of an attached pdf invoice. If the email reader opened the attached file, the ransomware would start installing itself and infecting the machine immediately.

Hollywood Presbyterian Medical Center paid $17,000 ransom money as Bitcoin for a decryption key for patient data. BY the time it was over, Locky had infected one million machines!

Petya

Petya was a 2017 ransomware infected machines in Europe, as well as the United States, the Middle East, Spain, Germany, Israel, the UK, Netherlands and the United States. Russia was hit the hardest The Ukrainian National Bank, Russia’s state power company, the metro system, and the main airport in Kiev were all affected with the Petya ransomware outbreak. Even Chernobyl’s radiation monitoring system was infected with the malware.

Petya also demanded $300 in Bitcoin to release control of infected machines. However, the ransomware had a fatal flaw. The ransom deposits were all funneled to one email address used for a Bitcoin wallet. That email box was quickly closed down by the email provider, this making the ransomware pointless.

Petya only affected unpatched Microsoft Windows machines by exploiting Eternal Blue technology.

NotPetya

NotPetya is a variant of Petya malware. This ransomware is an especially malicious and nasty version of ransomware call sabotageware. Most ransomware is out to rake in money for the hacker who created it. In the case of sabotageware, NotPetya was only out to encrypt and destroy files. There was not ransom and no decryption. Like it close malware cousin, Petya, this malware runs a fake CHKDSK display while it begins to encrypt the unsuspecting victim’s files.

It is believed that Russian and Ukraine were the targets of a politically motivated cyber attack.

Bad Rabbit

Bad Rabbit is another ransomware which a variant of Petya malware is. It was targeted at enterprise networks. And you already know that Petya uses the NSA’s Eternal Blue which was released into the wild by, you guessed it, hackers!

Bad Rabbit’s patience was on a short leash as victims had only 41 hours to transfer 0.5 Bitcoin (which was worth a LOT more at the time) to receive the decryption keys. Fortunately, it was easy to defeat Bad Rabbit proactively, with a few helpful system changes discovered by Kaspersky Labs.

The ransomware was distributed through a fake Adobe Flash update. Russia was hit hardest by Bad Rabbit. There were however, infections in Ukraine, Turkey, Germany, Poland, South Korea, and the United States.

The best defense is user education. Learn to distinguish a legitimate email from a phishing email. Another important defense against malware is keeping hardware and software updated with the latest security patches.

Michelle Dvorak

www.metrony.com/

What is Malware?

2018-08-22 by Michelle Dvorak

What is Malware, Ransomware, or Computer Virus

Cyber security issues are in the news every week! The United States electoral process is scrambling to button up defenses against would-be hackers and malware. Private companies like Microsoft have set up their own defense task forces. Governments must allocate budgets to reinforcing IT systems and educating staff on safe procedures. Home technology user must defend their routers, laptops, and credit cards from hackers. Business travelers are especially susceptible to data breaches.

There are many flavors cyber security attacks to understand and defend against. A few types you may have already heard are email phishing scams, spear phishing attacks, social engineering, DDos attacks, data breaches, and malware.

Malware is any type of unwanted computer program, application, software, or hardware. The goal of malware is to cause harm to a system. Malware can infect laptops, smartphones, routers, or entire enterprise networks. Computer viruses are a common term for malware.

Often hackers use malware to take control or lock up a computer and hold control of it hostage waiting for some monetary compensation. Malware that holds out for money is known as ransomware.

In other cyber attacks, the malware creator’s goal may be to retrieve certain files or other information about the device owner. Personal data can then be used in other hack attempts to gain access to bank accounts. Once in financial account, hackers can transfer away money from the legitimate account towner.

How Does Malware Work?

Malware works its way into electronic devices and IT systems often by tricking an unsuspecting email recipient or website user into taking an action that transfers the malware onto their device. This can be accomplished through a phishing email that instructs the reader to reset a password or visit a spoof website for information. These email scams frequently inform readers that a password needs to be reset. The spoof website can look very official and may even look exactly like a website the victim visits frequently – like their banking app. Phishing emails and spear phishing are commonly used to launch a malware infection.

Malware may also be embedded on commercial hardware. A skilled hacker may manage to infect devices before they are delivered to an end user. Recently we learned that Russian malware has infected thousands of home and small office routers in the United States.

Why Must We Be Concerned About Malware?

A single infected device brought into a trusted network compromises the integrity of the entire network. Malware attacks are becoming almost daily events. The scopes of these cyber attacks are becoming larger as well. It’s not just one person losing a few kilobytes of data from their laptop, entire IT systems are taken offline. For example, the entire British healthcare system was taken down by WannaCry malware in May 2017. This could have been prevented by keeping computers patched. However, the machines were not kept up-to-date and the malware spread rapidly IT networks all over Europe.

How Can I Defend Against Malware?

The most important thing you can is keep your software and hardware up-to-date with the latest security patches and versions. When the British healthcare system was infected with WannaCry ransomware last year, it could have all been prevented by patching the machines with a Microsoft security update that was released two months earlier.

Using a good security hardware and software can also help. You may need to enlist the help of a professional to set up a firewall in your home or office. You can also use antivirus software to defend individual machines.

Don’t forget that phones are subject to malware too!

Michelle Dvorak