Ransomware

Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that's distributing the dangerous Locky ransomware.

The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties.

The flaw as described is, in this writer's opinion, ultimately of little risk to El Reg's tech-savvy readers, but folks who can be conned into downloading and running unknown executables are at risk.

The attack is also significant in that it breaks Facebook's security controls.

In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the flaw by sending a .jpg image file through Facebook Messenger.

The victim must click the attachment; this triggers a Windows save-file prompt asking where to store what is now a .hta file.

Figure: FB image preview. Images sent over Messenger appear as previews, not attachments.

They must then double-click the saved .hta file to unleash the Locky ransomware.

While the attack is not automated, it does break Facebook's hypervigilant security model and is fairly regarded by Checkpoint as a Facebook "misconfiguration".

Facebook will undoubtedly fix the flaw; The Social Network™ already warns users who open a browser JavaScript console to protect against malicious code.

Checkpoint's chaps say the attack is useful because Facebook is a trusted asset.

“As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms,” Ziakin and Barda write.

“Cyber criminals understand these sites are usually whitelisted, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities.”

Figure: Facebook's JavaScript console warning.

Those users who do open the hta file will unleash one of the worst ransomware variants in mass circulation, encrypting their local files in a way that leaves backup restoration or ransom payment as the only options available to them.

There is no decryption method for Locky, and most victims will find their backup files also deleted.

Locky is under active development. Its authors have recently switched to the .zzzzz encrypted file extension with a new downloader that has lower antivirus detection rates. ®



The Register - Security

The proportion of phishing emails containing some form of ransomware grew to 97.25 percent during the third quarter of 2016, up from 92 percent in Q1.


PhishMe’s Q3 2016 Malware Review identified three major trends that were recorded throughout 2016 but have come to full fruition in the last few months:

Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.

Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities.

Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time.

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly identified file type during the third quarter, with threat actors constantly evolving the ransomware to keep its delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO at PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase since the malware’s introduction at the beginning of 2016. Thanks to its adaptability, it’s showing no signs of slowing down.”


While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software, such as remote access Trojans, keyloggers and botnets, still represent a significant hazard in 2016.

Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO at PhishMe added, “The rapid awareness of and attention to ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. We must empower people to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”


Help Net Security

Brazilian cybercriminals are expanding their tactics and have recently adopted ransomware as a new means of attack, Kaspersky Lab reveals.

Security researchers from the Moscow-based security firm have analyzed a new variant of the Brazilian-made ransomware "Xpan" Trojan (Trojan-Ransom.Win32.Xpan). The malware has been used by the “TeamXRat” group, also identified as “CorporacaoXRat” (the Portuguese equivalent of “CorporationXRat”) to target local companies and hospitals. The ransomware’s signature is extension “.___xratteamLucked,” which is appended to encrypted files.

While Xpan isn’t the first ransomware to come out of Brazil – TorLocker and HiddenTear copycats were seen in local attacks – it packs code improvements that reveal increased interest in this type of malware. The threat is developed by an organized gang that uses targeted attacks via Remote Desktop Protocol (RDP) to infect systems, Kaspersky says.

When executed, the ransomware checks the system’s default language, sets a registry key, obtains the computer name from the registry, and deletes any proxy settings defined in the system. During execution, Xpan logs all actions to the console, but clears it when the process is completed. It then informs victims that their files were encrypted using RSA 2048-bit encryption.

Unlike the previous ransomware used by the TeamXRat group, Xpan doesn’t use persistence, has switched from Tiny Encryption Algorithm to AES-256, and encrypts all files on the system, except for .exe and .dll files, and those that include blacklisted substrings in the path. The malware, Kaspersky says, uses the implementation of cryptographic algorithms provided by MS CryptoAPI.

The security researchers have identified two versions of the Trojan, based on their extensions and the different encryption techniques. The first version uses the “___xratteamLucked” (3 ‘_’ symbols) extension and generates a single 255-symbol password for all files, while the second one uses the “____xratteamLucked” (4 ‘_’ symbols) extension and generates a new 255-symbol password for each file.

Before encryption, the ransomware attempts to stop popular database services, and deletes itself when the process has been completed. After encryption, the Trojan modifies the registry so that, when the victim double-clicks on a file with the extension “.____xratteamLucked,” the ransom note is displayed using msg.exe (a standard Windows utility).

The TeamXRat attacks are performed manually by hacking servers via RDP brute force and installing the ransomware on them. After gaining access to a server, the attackers disable the installed anti-virus product and begin installing their malware.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” Kaspersky researchers explain.

RDP vulnerabilities are also exploited for remote code execution when an attacker sends a specially crafted sequence of packets to a targeted system. Servers that haven’t been patched are extremely valuable to cybercriminals, as the reports on the xDedic server marketplace revealed.

“Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal,” Kaspersky notes.

The good news when it comes to the Xpan ransomware is that Kaspersky managed to break the malware’s encryption, allowing for free file decryption. In fact, the researchers already helped a hospital in Brazil to recover from an Xpan attack. The security researchers expect new ransomware variants to come from the same threat actor.
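Kaspersky's point above is that exposed RDP plus no detection is what makes the brute-force approach pay off. The following is an added example, not Kaspersky's tooling: it reads Windows Security log records (constructed JSON lines, not a real log) and flags a source that racks up failed RDP logons inside a short window, then escalates when a successful logon follows from the same source.

```python
"""Detect RDP brute-force bursts, and a success following one, in Windows
Security log records. Added example; the records below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security log values: 4625 failed logon, 4624 successful
# logon, logon type 10 RemoteInteractive (RDP). Caveat: with Network Level
# Authentication enabled, failed RDP attempts are often recorded with logon
# type 3, so pass logon_types=(10, 3) on hosts where NLA is on.
EVENT_FAILED_LOGON = 4625
EVENT_SUCCESS_LOGON = 4624
LOGON_TYPE_RDP = 10


def parse_record(line):
    """One JSON log line -> dict with a datetime in 'ts'."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5),
                          logon_types=(LOGON_TYPE_RDP,)):
    """Return {src_ip: alert}. A 'brute_force' alert is raised once a source
    accumulates `threshold` failed logons inside `window`; a later successful
    logon from that source upgrades it to 'probable_compromise'."""
    records = sorted((parse_record(l) for l in lines), key=lambda r: r["ts"])
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps in window
    usernames = defaultdict(set)           # src_ip -> usernames tried
    alerts = {}
    for rec in records:
        if rec.get("logon_type") not in logon_types:
            continue
        src = rec["src_ip"]
        if rec["event_id"] == EVENT_FAILED_LOGON:
            q = recent_failures[src]
            q.append(rec["ts"])
            usernames[src].add(rec["user"])
            while q and rec["ts"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "severity": "brute_force", "failures": 0,
                    "usernames": set(), "success_user": None, "success_at": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["usernames"] = set(usernames[src])
        elif rec["event_id"] == EVENT_SUCCESS_LOGON and src in alerts:
            # Success from a source already seen brute-forcing: treat as compromise.
            alerts[src]["severity"] = "probable_compromise"
            alerts[src]["success_user"] = rec["user"]
            alerts[src]["success_at"] = rec["ts"]
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = [
    '{"ts":"2016-09-20T02:00:01","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"administrator"}',
    '{"ts":"2016-09-20T02:00:09","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"admin"}',
    '{"ts":"2016-09-20T02:00:17","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"backup"}',
    '{"ts":"2016-09-20T02:00:26","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"sqlservice"}',
    '{"ts":"2016-09-20T02:00:35","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"administrator"}',
    '{"ts":"2016-09-20T02:00:44","event_id":4625,"logon_type":10,"src_ip":"203.0.113.5","user":"administrador"}',
    '{"ts":"2016-09-20T02:01:03","event_id":4624,"logon_type":10,"src_ip":"203.0.113.5","user":"administrator"}',
    # Two typos from a legitimate user: below threshold, no alert.
    '{"ts":"2016-09-20T02:00:30","event_id":4625,"logon_type":10,"src_ip":"198.51.100.7","user":"jsmith"}',
    '{"ts":"2016-09-20T02:00:50","event_id":4625,"logon_type":10,"src_ip":"198.51.100.7","user":"jsmith"}',
    '{"ts":"2016-09-20T02:02:00","event_id":4624,"logon_type":10,"src_ip":"192.0.2.10","user":"jsmith"}',
    # Five failures spread ten minutes apart: outside a 5-minute window.
    '{"ts":"2016-09-20T01:00:00","event_id":4625,"logon_type":10,"src_ip":"198.51.100.20","user":"admin"}',
    '{"ts":"2016-09-20T01:10:00","event_id":4625,"logon_type":10,"src_ip":"198.51.100.20","user":"admin"}',
    '{"ts":"2016-09-20T01:20:00","event_id":4625,"logon_type":10,"src_ip":"198.51.100.20","user":"admin"}',
    '{"ts":"2016-09-20T01:30:00","event_id":4625,"logon_type":10,"src_ip":"198.51.100.20","user":"admin"}',
    '{"ts":"2016-09-20T01:40:00","event_id":4625,"logon_type":10,"src_ip":"198.51.100.20","user":"admin"}',
]

if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, alert["severity"], alert["failures"], sorted(alert["usernames"]),
              alert["success_user"], alert["success_at"])
```

Widening the window (for example to an hour) is what catches the slow, spaced-out variant in the last five sample lines, at the cost of more noise from ordinary typos.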


Ionut Arghire is an international correspondent for SecurityWeek.



SecurityWeek RSS Feed

State and local government agencies, as well as K-12 educational institutions, are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant, Proofpoint researchers warn.

Dubbed MarsJoke, the malware was observed in late August, but the first large-scale spam campaign involving this piece of ransomware kicked off only on Sept. 22, 2016. The distribution of this spam is fueled by the Kelihos botnet, which has been recently associated with other campaigns as well, Proofpoint reveals.

The MarsJoke ransomware email campaign spotted last week featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached document campaigns that well-known ransomware families such as Locky employ.

By referencing a major national air carrier in the subject line and using a convincing email body, along with stolen branding, the attackers attempted to convince victims of the legitimacy of the emails. Some of the subject lines used included “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package.”

In addition to state and local government agencies, and K-12 educational institutions, the spam was also targeting healthcare, telecommunications, insurance, and several other verticals, though in smaller numbers, Proofpoint says.

The MarsJoke malware distributed in this campaign is said to mimic the style of CTB-Locker, and to create .bat and .txt instruction files saved throughout the file system to alert the victim of the infection. The ransomware doesn’t change the extension of the encrypted files, though it uses temp files with different extensions during the encryption process (it deletes them when the encryption has finished).

Infected users need to follow the instructions included in a locker window, but can also install the Tor browser and visit an onion portal to view these instructions. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that, if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files are deleted.

MarsJoke connects to the command and control (C&C) server to report the new infection and to deliver information such as signature, malware version, and more. The data is URL-encoded and base64-encoded, Proofpoint says.

“Ransomware has become a billion dollar a year industry for cybercriminals. In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections,” Proofpoint notes.

According to the security firm, MarsJoke does not appear to be “just another ransomware.” Given the large message volume observed in this campaign, and corroborating it with the intended targets, it’s clear that the threat requires more attention, researchers say. “The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims,” Proofpoint concludes.



SecurityWeek RSS Feed

Locky malware, currently one of the most active ransomware threats, has influenced a transition to new types of attachments used in malicious emails, Trend Micro researchers warn.

Ransomware is often distributed via spam emails, especially now that the notorious Angler Exploit Kit (EK) is gone, and Locky appears responsible for a surge in certain delivery methods, researchers say. According to Trend Micro, 71% of known ransomware families arrive via email.

During the first half of the year, 58% of ransomware threats came from email attachments, the security company notes. File types used by attackers to deliver their malicious payloads include JavaScript, VBScript, and Office files with macros, all coded in ways meant to evade detection from traditional security solutions.

Email is a tried-and-tested method for malware delivery and is particularly effective when targeting enterprises and small and medium businesses (SMBs). Locky’s operators have been using this delivery method from the beginning, but they switched between various types of email attachments to ensure increased efficiency for their attacks.

Trend Micro security researchers explain that, on the one hand, this continuous switch between email attachments contributed to Locky’s prevalence, while on the other the increase in the use of certain file types in email attachments was influenced by this ransomware family alone.

“The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky,” researchers say.

Locky switched to JavaScript attachments in June and August, but researchers note that ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0 are using this technique as well. Locky was also seen using VBScript attachments, and it switched to Windows Scripting file (WSF) attachments around mid-July to August. Also in August, FireEye Labs researchers observed Locky reverting to malicious macros in Office docs attached to spam emails.

Most recently, Locky was seen using DLLs and .HTA file attachments for distribution, and researchers forecast that attackers will also adopt executable files such as .COM, .BIN, and .CPL for malware distribution purposes. Because many of these file types aren’t normally used to deliver malware, cybercriminals can more easily avoid detection.

“To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology. In addition, solutions with a blacklisting mechanism can block known malicious sender IPs. To detect macro downloaders by Locky and Cerber, email solutions should have a macro scanning feature that can detect any malicious macro components of threats,” Trend Micro researchers say.

The spam emails used to deliver ransomware usually carry common subject lines and employ social engineering to persuade victims to execute the malicious files. Emails with subject lines involving invoices, parcel delivery, order confirmations, banking notifications, and payment receipts should be considered suspicious, the security researchers say.
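The Trend Micro advice above (block JS, VBScript, WSF and HTA attachments, scan macro-capable documents) and the Facebook case earlier on this page (a file presented as a .jpg that is really a .hta) come down to the same mail-gateway check. The following is an added example, not code from Trend Micro, Check Point or any other vendor quoted here: it parses a constructed message with Python's standard library, flags the extensions named on the page, unpacks ZIP attachments to look inside them, and flags "images" whose bytes are not an image. RAR archives, also mentioned on the page, need a third-party library and are not unpacked here.

```python
"""Mail attachment policy check: blocked script/executable extensions,
macro-capable Office files, archives hiding scripts, and attachments whose
declared type does not match their bytes. Added example with a constructed
sample message; not the code of any vendor quoted on this page."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script/executable extensions named on the page plus a few common siblings.
BLOCKED_EXT = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "dll",
               "com", "bin", "cpl", "exe", "scr", "pif"}
# Legacy and macro-enabled Office formats: allow only after macro scanning.
MACRO_EXT = {"doc", "xls", "ppt", "docm", "xlsm", "pptm", "dotm", "xltm"}
# Leading bytes a genuine file of this type must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-",
}
MAX_ARCHIVE_DEPTH = 2   # nested ZIPs are unpacked this far; .rar is not handled


def check_file(name, data, depth=0):
    """Return a list of (path, finding, detail) tuples for one attachment."""
    findings = []
    parts = name.lower().split(".")          # 'invoice.pdf.js' -> ['invoice','pdf','js']
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        findings.append((name, "blocked_extension", ext))
        # photo.jpg.hta / invoice.pdf.js: a benign-looking inner extension
        if len(parts) > 2 and parts[-2] in MAGIC:
            findings.append((name, "deceptive_double_extension", parts[-2]))
    elif ext in MACRO_EXT:
        findings.append((name, "macro_capable_document", ext))
    elif ext in MAGIC and not data.startswith(MAGIC[ext]):
        # Named like an image or PDF, but the bytes say otherwise.
        findings.append((name, "content_mismatch", ext))
    if ext == "zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append((name, "archive_too_deep", str(depth)))
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        inner = f"{name}/{info.filename}"
                        findings += check_file(inner, zf.read(info), depth + 1)
            except zipfile.BadZipFile:
                findings.append((name, "corrupt_archive", "zip"))
    return findings


def check_message(raw_bytes):
    """Parse an RFC 5322 message and check every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings += check_file(name, data)
    return findings


def build_sample_message():
    """Constructed test message: a disguised 'image', a ZIP hiding a script
    behind a double extension, and a genuine (minimal) PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Check your tracking number"   # lure style quoted on this page
    msg.set_content("See attached.")
    # Declared image/jpeg, but the bytes are markup, not JPEG (inert sample).
    msg.add_attachment(b"<html><body>not an image</body></html>",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// inert placeholder, no script body\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, finding, detail in check_message(build_sample_message()):
        print(f"{finding:28} {path} ({detail})")
```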


SecurityWeek RSS Feed

Admitting it needs more information about the recent surge in ransomware attacks, the FBI issued a ransomware alert, urging victims to provide details of the attacks -- and, if at all possible, to avoid paying off the attackers.

The FBI ransomware alert included a list of nine key pieces of information to include in reports of attacks. In addition to urging victims not to pay ransoms, the FBI offered advice on best practices to defend against ransomware attacks.

"The FBI urges victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims," the alert stated.

"Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally, either by paying the ransom or by restoring their files from backups, may not feel a need to contact law enforcement."

However, noting the need for a greater understanding of the threat, the FBI ransomware alert urged victims to report any incidents to give law enforcement agencies the data they need to understand the threat, as well as to justify further investigations and, in some cases, provide information related to ongoing cases. "Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims."

The FBI ransomware alert encourages victims to contact their local FBI office, and/or file a complaint with the Internet Crime Complaint Center, with nine pieces of information about the attack, including the date of infection; the ransomware variant; information about the victim company; how the infection occurred; the requested ransom amount; the attacker's bitcoin address; ransom paid, if any; overall cost of the infection, including the ransom; and a "victim impact statement."

As for whether to pay ransoms, the message was clear: "The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain."

However, the FBI acknowledged refusing to pay ransoms isn't always feasible. "While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers."

The alert included a list of recommended defenses against ransomware attacks, including regular and verified backups using offline storage. When using cloud storage for backups, the alert warned, "Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization."

In other news

  • Mozilla patched a flaw in its implementation of certificate key pinning that enabled remote code execution on Firefox and Tor browsers, and would enable the unmasking of Tor users. Mozilla's implementation of key pinning, used to secure connections with its software update servers, did not use the HTTP Public Key Pinning protocol. The implementation mishandled pinned certificate expirations and created windows of vulnerability between the time Mozilla's key pinning certificates expired and the time the new certificates were updated. The bug was first described by security researcher Movrcx, who wrote that the vulnerability, when chained with other flaws, "allows a malicious exit node operator or global adversary to conduct a silent remote code execution attack on all platforms of the Tor Browser." Movrcx estimated the cost to launch an attack based on the flaw at roughly $100,000. The Tor Project wrote in a blog post about the extension update vulnerability that it "allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update -- e.g., for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g., nation states)."
  • Microsoft will soon open its third Transparency Center in Beijing. Scott Charney, corporate vice president for Microsoft's trustworthy computing group, wrote, "Our new facility in Asia enables government IT experts to test and analyze our products closely and gain confidence that our software will stand up to their security needs when deployed broadly. These facilities are designed to provide deep ability to understand the security we deploy, and do so in an environment that ensures our products remain proprietary and protected. Simply put, governments have the ability to review our products and services, both manually and by running tools, but they cannot alter what is delivered to customers." The first Transparency Center was opened in July 2014 at Microsoft's Redmond, Wash., campus, and the second opened a year later in Brussels; the Beijing center will not be the last. "We plan to bring this capability to even more government customers through the addition of other new Microsoft Transparency Centers that will be announced in the coming weeks," Charney wrote.
  • Three news organizations sued the FBI for details of the hack purchased to gain access to the iPhone connected to last year's mass shooting in San Bernardino, Calif. The Associated Press, Gannett Co., which owns USA Today, and Vice Media filed a suit under the Freedom of Information Act "to learn who the government paid and how much it spent to hack into an iPhone in its investigation into last year's San Bernardino, California, massacre," according to the AP report. "The lawsuit seeks records about the FBI's contract with an unidentified vendor who provided a tool to unlock the phone used by Syed Rizwan Farook, who, with his wife, killed 14 people at a holiday gathering of county workers in December 2015."



SearchSecurity: Security Wire Daily News


A single ransomware author and distributor was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to a report released today.

"Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs.


Weafer estimated that total ransomware revenues could be in the hundreds of millions.

"And that's on the conservative side," he said.

Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.

There were also nearly 2 million new mobile malware samples, also the highest ever recorded. Total mobile malware grew 151 percent in the past year, according to the report.

The report also included the results of a data protection benchmark study, surveying security practitioners around the world. According to the survey, companies with more than 5,000 employees reported a median of 31 to 50 data loss incidents -- per day.


The smallest companies in the survey, with between 1,000 and 3,000 employees, reported a median of 11 to 20 data loss incidents per day.

The worst-hit were government organizations and financial services, with an average of 22 incidents per day, followed by retail with 20 incidents and health care with 19.


The breaches were serious enough that 68 percent required public disclosure, the report said.

According to Weafer, the research highlighted two major gaps in security focus -- physical media, and cloud services. Nearly 40 percent of the data losses involved some kind of physical media, such as stolen or lost laptops or thumb drives.

"There's a significant amount of data going out by physical medium," he said. "Are you actually monitoring those areas?"

Only 37 percent of organizations do the kind of monitoring of user activity and media connections that could address these types of losses, according to the survey.

The survey showed significantly higher losses via physical media than the Verizon breach report, which put the number of security incidents involving physical theft or loss at less than 10 percent of the total. But the Verizon report is largely based on incidents that involve outside forensics, Weafer explained. Stolen or lost devices may not require that kind of investigation, he said.

There's also a security focus gap when it comes to use of cloud services, Weafer said.

"By and large, they're not really monitoring a lot of cloud services where their data is stored, particularly public cloud services," he said.

According to the survey, only 12 percent of respondents had confidence in their visibility of their data in the cloud.

Nearly 90 percent have some protections in place, however.

"They're looking at restrictions of which employees are allowed to go into the cloud," he said. "The basic things. But what data is there, how to monitor it -- they're still catching up."

This story, "A single ransomware network has pulled in $121 million" was originally published by CSO.


InfoWorld Security

In its latest quarterly report on the cloud, Netskope reported that 43.7% of malware found in the cloud is carrying ransomware and one in 10 of the enterprises monitored by Netskope yielded ransomware-infected files in sanctioned cloud apps.

Although the Netskope Threat Research Labs report covered only cloud apps that were officially approved by the enterprises using them, it discovered an average of 26 pieces of malware in cloud apps across organizations where cloud ransomware was present -- and over half of all infected files were shared publicly.

Sanjay Beri, founder and CEO at Netskope, said in a statement: "With the rise of ransomware, the cloud threat landscape is now increasingly complicated; IT teams need deeper intelligence, protection, and remediation that can help them stop malware and ransomware in their tracks and prevent them from spreading."

Netskope reported cloud ransomware being delivered through Javascript exploits and droppers, Microsoft Office macros, PDF exploits and Linux malware. "Ranging from one to hundreds of pieces of cloud malware at each organization, for enterprises infected with malware, the average amount found in cloud apps was 26 pieces of malware." Netskope also reported that 55.9% of the cloud malware "was shared with others, including internal or external users, or publicly, a significant increase from last quarter's 26.2%."

Solutions to the cloud ransomware threat have yet to catch up. Netskope's recommendation was to have security teams focus on the cloud malware threats. "With these threats often delivered through phishing and email attacks, security teams should consider training sessions for employees on spotting suspicious emails and not opening attachments from unknown sources or suspicious email addresses. Within a cloud context, files that have been encrypted can easily affect other users when they are in sync folders."

Other suggestions from Netskope included "using a cloud access security broker (CASB) to detect and remediate ransomware that affects files in cloud applications, as well as enabling the versioning function in Box, Dropbox, Microsoft OneDrive, Google Drive, and other file-sharing applications in order to roll encrypted files back to their last known good version and fully recover from ransomware attacks."

Experts agreed that as cloud ransomware becomes more common the risks will continue to grow -- and finding solutions will be challenging.

"Now more than ever, companies need to prepare for a ransomware attack by implementing fully-baked business continuity plans," said Richard Walters, senior vice president of security products at Intermedia, the Mountain View, Calif., business cloud app firm. "These should incorporate off-site, real-time cloud backups to ensure file archives can't be deleted and employees can access clean versions of the files on another device."

"The number of options for enterprises to reduce risk is decreasing," said Vishal Gupta, CEO at Seclore, the Sunnyvale, Calif., enterprise digital rights management firm. "Infrastructure protection strategies focused on protecting the device, the application or the network are moving to the necessary but not sufficient category. The amount of malware infiltrating even 'secure' cloud applications and data being delivered via containers like office files and PDFs is already at 43.7%, and increasing every day. Focusing on securing the information itself as it moves in and out of cloud apps, which is part of a data-centric security model, is the future of security."

"The fact that ransomware attacks are now so pervasive in the cloud only reinforces the need for a multi-dimensional defense strategy, including the use of machine learning and artificial intelligence techniques to pinpoint small changes in behavior that identify malicious carriers such as email, while flagging telltale signs that a user has been infected," said Larry Lunetta, vice president of strategy at Niara, the Sunnyvale, Calif., security analytics firm.

"One of the biggest risks ransomware poses on enterprises isn't the ransom that the executives might have to pay, it's employee downtime," Walters said. "The major damages occur when employee productivity is abruptly halted by ransomware attacks, jeopardizing business operations and sales. Companies can't afford the crippling effects of downtime, as that tends to be pricier than the ransom itself."

Gupta said the risks for enterprises vary. "At the least, a breach is an embarrassment -- at the worst, it means lost intellectual property, compliance violations, lawsuits and loss of reputation. Risk assessment can also be a very subjective exercise since the true risks of information breaches are almost never obvious."



SearchSecurity: Security Wire Daily News