DMA Locker Ransomware: Flaws Fixed and Widespread Attacks Expected

After the recent news that TeslaCrypt has been decommissioned comes a new and serious threat: DMA Locker ransomware.

Malwarebytes has recently reported that DMA Locker ransomware, now in its fourth incarnation, could pose a significant threat to businesses and individuals over the coming weeks. Version 4 of the ransomware has already been added to the Neutrino exploit kit and is currently being distributed, and Malwarebytes expects DMA Locker attacks to become much more widespread.

Spate of DMA Locker Ransomware Attacks Expected

DMA Locker ransomware was first seen in the wild in January of this year, but its early versions posed little threat: they contained several flaws that allowed security companies to develop decryption tools.

The early versions of DMA Locker encrypted files offline and did not use a command and control server. The key needed to decrypt the files was stored on the infected device itself, so the malware could be reverse engineered and the key recovered.

A new version was released a month later. It used a weak random number generator, so the AES key could be guessed relatively easily. Version 3 followed a couple of weeks later and corrected the earlier flaws.
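To show why a weak random generator undermines an otherwise sound cipher, here is an added illustration written for this page (a toy model, not DMA Locker's actual code). It assumes a key derived from a deterministic PRNG seeded with the infection timestamp, a SHA-256 keystream standing in for AES, and a PDF header as known plaintext; the point is that the effective key space collapses to the seed space, which a defender can search offline in seconds.

```python
"""Toy model of the 'weak random generator' flaw described above.

Constructed illustration for this page, not DMA Locker's own code: the key
is derived from a deterministic PRNG seeded with a 32-bit timestamp, so the
effective key space is the seed space (seconds in the infection window),
not 2**128, and a known file header is enough to brute-force it offline.
The cipher (SHA-256 keystream XOR) and the PDF header are stand-ins (assumptions).
"""
import hashlib
import random
import struct

PDF_MAGIC = b"%PDF-1.7"   # known plaintext: most file formats start with a fixed header


def weak_keygen(seed: int) -> bytes:
    """Derive a 128-bit key from a small seed with a non-cryptographic PRNG.

    The key looks random but is fully determined by `seed`.
    """
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_key(ciphertext: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Brute-force seeds in [seed_lo, seed_hi) and return (seed, key) for the
    first candidate whose key turns the file header back into `known_prefix`,
    or None if no seed in the window works."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(seed_lo, seed_hi):
        key = weak_keygen(seed)
        if xor_crypt(key, head) == known_prefix:
            return seed, key
    return None


def demo():
    """Encrypt a constructed 'document', then recover it knowing only the
    approximate infection time (+/- 3 hours) and the PDF header."""
    infection_time = 1_463_000_000          # constructed Unix timestamp (May 2016)
    plaintext = PDF_MAGIC + b"\n%constructed sample document body\n"
    ciphertext = xor_crypt(weak_keygen(infection_time), plaintext)

    window = 3 * 3600                       # uncertainty about when the infection happened
    hit = recover_key(ciphertext, PDF_MAGIC, infection_time - window, infection_time + window)
    if hit is None:
        return None
    seed, key = hit
    return seed, xor_crypt(key, ciphertext)


if __name__ == "__main__":
    seed, recovered = demo()
    print(f"recovered seed {seed}: {recovered!r}")
```

The search needs only the first eight bytes of one encrypted file plus a rough idea of when the infection happened; this is exactly the kind of flaw that lets security companies ship free decryptors, and it disappears as soon as the key comes from a cryptographic random source.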

However, version 3 contained a different flaw. Locked files could not be decrypted without the key, but the attackers used the same key for the entire campaign. A business with multiple infections only needed to purchase one key, and that key could then be posted online and used by other victims.

Version 4 was released this month. It corrects the version 3 problem by using a separate key for each infection, and it communicates with a command and control server and cannot work offline.

Early versions were installed through compromised Remote Desktop logins, typically accounts with stolen or easily guessed passwords, so the number of recorded infections remained low. The latest version, however, has been added to exploit kits that take advantage of vulnerabilities in browsers and plugins, making silent drive-by downloads of the ransomware possible and attacks much more likely.

The ransomware is potentially highly damaging because it encrypts a wide range of file types. Many ransomware strains only encrypt specific file types; TeslaCrypt, for example, was developed to attack gamers and encrypted saved game files and files associated with Steam accounts. DMA Locker does not search for specific files and instead encrypts everything whose extension is not on its whitelist. It can also encrypt files on network drives, not just on the computer on which it was downloaded.

To prevent attacks, businesses should use web filtering to block access to sites hosting exploit kits and to stop command and control communications. Regular backups should also be performed, with copies stored offline on disconnected (air-gapped) media, so that files can be recovered after an attack without paying the ransom.

CEO Fraud Scam Costs Chief Executive His Job (And His Company 41.9 Million Euros)

A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.

CEO Fraud Scam Results in Losses of 41.9 Million Euros

Earlier this year, FACC, an Austrian aircraft component manufacturer, was targeted by attackers who pulled off an audacious 50 million Euro ($55 million) CEO fraud scam. An employee of the firm made a wire transfer of 50 million Euros after receiving an email, apparently from CEO Walter Stephan, requesting the transfer. The email was a scam and had not been sent by the CEO.

Unfortunately for FACC, the scam was discovered too late to stop the transfer. The company was able to recover a small percentage of its losses, but according to a statement released by FACC it lost 41.9 million Euros as a result of the attack, which contributed to an annual pretax loss of 23.4 million Euros.

The transfer represented approximately 10% of the company's entire annual revenue. Given its size, it is surprising that the request was not verified with the CEO in person or over the telephone.

The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers are not believed to have had any link to FACC.

Heads Roll After Huge Losses Suffered

Earlier this year, FACC sacked its chief financial officer as a direct result of the scam. The CEO was recently dismissed following a meeting of the company's supervisory board. Stephan had been CEO for 17 years.

This CEO fraud scam is one of the largest ever reported, and this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S. companies over the past year, and in April the FBI reported that $2.3 billion had been lost to this type of scam.

CEO email fraud involves a member of the accounts department receiving an email, apparently from the CEO or another senior executive, requesting a bank transfer from the company accounts. A reason is usually given for the transfer and for why it must be made urgently.

Oftentimes the scammer and the target exchange a few emails: an initial email asks for a transfer to be made, and a follow-up supplies the recipient account details and the amount. The scams are effective because the request appears to come from inside the company, from a senior executive or the CEO. Often the attackers have compromised the CEO's email account and spent time studying the CEO's writing style and who transfer requests have been sent to in the past.

According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were recovered. The Scoular Co. wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.

Easy Steps to Prevent CEO Email Fraud

There are steps that can be taken that can greatly reduce the risk of these scams being successful.

  1. Implement policies that require all bank transfers, or those above a certain threshold, to be authorized by telephone or through another communication channel.
  2. Ensure bank transfer requests are authorized by a supervisor and are never left to a single employee.
  3. Configure spam filters to block spoofed domains so that scam emails are not delivered.
  4. Provide training to all accounts department staff and warn them of the risk of CEO fraud scams.
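As an added example of the third step (blocking spoofed senders at the mail gateway), the following checks, written for this page and not part of the original article, flag the header patterns CEO fraud relies on: an executive's display name on an external address, a lookalike of the corporate domain, a Reply-To pointing elsewhere, and wire-transfer urgency language. The corporate domain, executive names and sample messages are constructed for illustration.

```python
"""Header and content checks for CEO-fraud (business email compromise) messages.

Added example for this page, not code from the original article. The
corporate domain, executive list and sample messages are constructed.
A hit is a reason to hold the mail for out-of-band verification, not
proof of fraud.
"""
import email
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-aero.com"                  # assumption
EXECUTIVES = {"jane doe": "CEO", "sam lee": "CFO"}     # constructed names
URGENCY_WORDS = ("urgent", "wire", "transfer", "immediately", "confidential")

# Characters attackers substitute for their visual twins in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Undo common homoglyph tricks (exarnple -> example, examp1e -> example)."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw: str) -> list:
    """Return the findings for one RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)

    # 1. Executive impersonation: a name we trust on a domain we do not.
    if name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append("exec-name-external-domain")

    # 2. Lookalike domain: homoglyph-normalized or within two edits of ours.
    if from_domain and from_domain != CORPORATE_DOMAIN:
        norm = normalize_domain(from_domain)
        if norm == CORPORATE_DOMAIN or edit_distance(norm, CORPORATE_DOMAIN) <= 2:
            findings.append("lookalike-domain")

    # 3. Replies silently redirected to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Pressure language typical of fraudulent transfer requests.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(word in text for word in URGENCY_WORDS) >= 2:
        findings.append("wire-transfer-urgency")

    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example-aero.com>
Subject: Board dinner

Please book the usual restaurant for Thursday.
"""

WEBMAIL_SPOOF = """From: Jane Doe <ceo.janedoe@webmail.example>
Reply-To: ceo.janedoe@webmail.example
Subject: Urgent - confidential acquisition

I need a wire transfer processed immediately; details to follow.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@exarnple-aero.com>
Reply-To: jane.doe@mailbox.example
Subject: Transfer today

Process this transfer before noon, urgent. Do not discuss with anyone.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("webmail", WEBMAIL_SPOOF), ("lookalike", LOOKALIKE)):
        print(label, check_message(sample))
```

None of these checks replaces SPF, DKIM and DMARC on the corporate domain; they catch the cases those standards do not, namely a genuine external domain with the executive's name on it, and they are cheap enough to run on every inbound message to the finance team.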

Hospital Ransomware Infection Not Resolved After Ransom Paid

Resolving a hospital ransomware infection may not be as easy as paying the attackers’ ransom demand, as was shown by the Kansas Heart Hospital ransomware attack last week.

Hospital Ransomware Infection Not Removed After Ransom Paid

The Kansas Heart Hospital ransomware attack, which occurred last week, was the latest in a string of attacks on healthcare organizations in the United States. Ransomware was accidentally installed on a hospital worker's computer and encrypted files, preventing them from being accessed.

A ransom demand was received for the decryption keys, and the decision was taken to pay in order to resolve the infection quickly.

After the ransom was paid, the attackers did not make good on their promise and failed to unlock all of the files. Some files remained encrypted, and instead of releasing them the attackers issued the hospital with a second ransom demand.

In this case, the initial ransom demand was relatively low. Ransomware attackers typically demand approximately $500 per device; if multiple computers have been infected, that figure is multiplied by the number of devices that need to be decrypted.

Ransomware typically locks each machine with a separate key, so a different key is required to unlock each one. Otherwise a victim could pay up and publish the key, and no one else would have to pay.

Kansas Heart Hospital did not disclose how much was paid, but this could well have been the fee to unlock a single machine. Regardless of the amount, the incident shows that even if a ransom is paid there is no guarantee that the attackers will make good on their promise; further demands for more Bitcoin may follow. Resolving a hospital ransomware infection may not simply be a matter of paying the ransom demand.

Healthcare Industry Under Attack

Over the past few months the healthcare industry has come under attack from criminals using ransomware. Some ransomware authors have taken steps to avoid infecting healthcare providers by including checks on the environment in which the ransomware has been installed. However, not all attackers feel a moral responsibility to avoid attacks that could cause physical harm.

Hollywood Presbyterian medical center, Alvarado Hospital Medical Center, King’s Daughters’ Health, Kentucky’s Methodist Hospital, California’s Chino Valley Medical Center and Desert Valley Hospital, and MedStar Health have all been attacked with ransomware this year.

That list is likely to grow. Hospitals and medical centers are attractive targets for ransomware gangs: many healthcare organizations have under-invested in cybersecurity, and many hospital employees have received little security awareness training, which makes it easy for attackers to get ransomware installed.

Furthermore, if patient data are locked, patient health can suffer. If patients are at risk of harm, organizations are much more likely to pay ransom demands to ensure patients do not suffer. And if patients are harmed as a direct result of under-investment in cybersecurity or mistakes by healthcare employees, healthcare organizations are likely to face lawsuits with damages far in excess of the ransom demanded.

With attacks likely to continue, healthcare providers must take steps to prevent ransomware attacks and develop policies that can be put into effect immediately upon discovery of an attack. As the Kansas Heart Hospital attack has shown, paying a ransom is no guarantee that files will be unlocked; hospitals may still have to recover files from backups or find other ways of recovering from the infection.

Dridex Botnets Being Leveraged to Deliver Cerber Ransomware

The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting malware leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users' devices.

Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye noticed a massive increase in infections in recent weeks. Initially, Cerber infections occurred when users visited malicious websites hosting the Nuclear or Magnitude exploit kits. These kits probe visitors' browsers and plugins for unpatched vulnerabilities; most Cerber infections came through a vulnerability in Adobe Flash (CVE-2016-1019) that was being exploited before a patch was available. Now the ransomware is also being installed via malicious attachments sent in spam email.

Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.

Massive Increase in Cerber Ransomware Infections Discovered in April

The number of infections had remained relatively low since the ransomware's discovery earlier this year; however, according to FireEye there was a massive spike in infections around April 28. The ransomware was being downloaded by Microsoft Word macro downloaders.

The attached files are usually disguised as invoices, receipts, or purchase orders, and the emails, written in English, urge the user to open the attachment. If macros are enabled, a VBScript file is dropped in the victim's %appdata% folder. If macros are not enabled, the user is prompted to enable them in order to view the contents of the document; doing so guarantees infection.

Once dropped, the script checks whether the infected computer has an Internet connection by sending an HTTP request to a website. If it does, the script issues an HTTP range request that ultimately results in the final stage of the infection. FireEye reports that the same technique has previously been used to deliver the Dridex and Ursnif banking Trojans.
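As an added example of triaging this delivery method at the mail gateway (written for this page, not FireEye's or the article's code), the following inspects an Office attachment for an embedded VBA project without opening it in Office. OOXML files are ZIP containers in which macros live in a vbaProject.bin part and are declared in [Content_Types].xml; legacy .doc files are OLE compound documents whose VBA streams need an OLE parser, so they are routed to a sandbox instead. The sample documents are constructed in memory and the lure-word list and verdicts are assumptions.

```python
"""Triage of Office attachments for the macro-downloader delivery described above.

Added example for this page, not FireEye's or the original article's code.
OOXML files (.docx/.docm/.xlsm ...) are ZIP containers; a VBA project lives
in a 'vbaProject.bin' part and is declared in [Content_Types].xml, so both
can be checked without running Office. Legacy .doc/.xls files are OLE
compound documents (magic D0 CF 11 E0), whose VBA streams need an OLE
parser, so they are routed to a sandbox here. Sample files are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
LURE_WORDS = ("invoice", "receipt", "order", "payment")   # lure names from the campaign
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment: format, macro evidence, reasons and a verdict
    of 'allow', 'block' or 'sandbox'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    result = {"file": filename, "format": "other", "has_macros": False,
              "reasons": [], "verdict": "allow"}

    if data.startswith(OLE_MAGIC):
        result["format"] = "ole-legacy"
        result["reasons"].append("legacy binary Office format; VBA not inspected here")
        result["verdict"] = "sandbox"
        return result

    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                ctypes = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                          if "[Content_Types].xml" in names else "")
        except zipfile.BadZipFile:
            result["reasons"].append("corrupt ZIP container")
            result["verdict"] = "block"
            return result
        result["format"] = "ooxml"
        has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        if has_part or MACRO_CONTENT_TYPE in ctypes:
            result["has_macros"] = True
            result["reasons"].append("embedded VBA project")
            if ext not in MACRO_EXTENSIONS:
                result["reasons"].append("extension-mismatch: macros in a non-macro extension")
            if any(w in name for w in LURE_WORDS):
                result["reasons"].append("financial-lure filename")
            result["verdict"] = "block"

    return result


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                  '<Override PartName="/word/document.xml" '
                  'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macros:
            ctypes += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00placeholder")  # constructed stub, not VBA
        zf.writestr("[Content_Types].xml", ctypes + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("Invoice_2016-05.docm", build_sample_docx(True)),
                        ("report.docx", build_sample_docx(False)),
                        ("Purchase_Order.doc", OLE_MAGIC + b"\x00" * 64)):
        print(inspect_attachment(fname, blob))
```

A container check like this runs in microseconds per attachment and catches the "invoice.docm" lure before any user sees the enable-macros prompt; the OLE case is deliberately not guessed at, because a wrong "clean" verdict on a legacy .doc is worse than a sandbox detour.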

Cerber has been configured to encrypt Word documents, emails, and Steam gaming files, which are given a ".cerber" extension. To recover their files, victims are told to visit one of a number of websites under the domain name "decrypttozxybarc", where further instructions are provided once a Bitcoin ransom has been paid. In addition to encrypting files, Cerber adds the victim's computer to a spambot network.

The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, the victim's files will be encrypted. To prevent infection, keep macros disabled, be extremely cautious about opening email attachments, and never open files delivered via email from an unknown sender. The decrypttozxybarc domains should also be added to web filter blacklists.

Web Filtering Services for MSPs: Why MSPs Can’t Afford Not to Offer Web Filtering to Clients

A number of companies offer web filtering services for MSPs; however, while many managed service providers are happy to provide web filtering to clients who request it, web filtering is not generally offered as part of an MSP's standard range of Internet services. Yet by leveraging web filtering services for MSPs it is possible to substantially increase profits for very little effort.

Web filtering services for MSPs have been developed to be easy to implement, easy to sell to clients, and straightforward to manage, so why are more MSPs not offering web filtering to their clients as part of their Internet services?

Some MSPs may feel that there is not much of a market for web filtering. Draconian Internet usage policies may ensure that Internet access is not abused, yet highly restrictive Internet policies can have a negative impact on staff morale and productivity. Most employees can be trusted to get all of their daily tasks completed, while still occasionally checking Facebook, purchasing something on Amazon, and viewing the occasional YouTube video.

However, providing totally unrestricted access to the Internet is unwise. Failing to prevent employees from accessing illegal and inappropriate website content can cause employers many problems, some of which are very costly to resolve. Any organization that has chosen not to filter the Internet, even to a minimal degree, may not be aware of the risks. If MSPs explain these risks, they are likely to find that many of their clients will want to sign up for web filtering services.

What are the Main Benefits of Using Web Filtering Services?

There are two main reasons for using a web filter to control Internet content:

Reducing the Risk of Malware Infections

As we have seen in recent months, there is a clear and present danger of a serious malware infection. Cyberattacks are taking place with increasing regularity, new malware is being released at alarming rates, and cybercriminals have embraced ransomware and are using it to extort money out of businesses.

IT teams struggle to implement patches promptly, mainly because of the frequency at which patches are released, leaving their networks at risk of attack. Keeping all software, including web browsers and plugins, 100% up to date, 100% of the time is an uphill struggle.

If end users visit malicious websites hosting exploit kits, malware and ransomware can easily be loaded onto networks. Issuing staff with acceptable use policies (AUPs) can reduce the probability of end users visiting high-risk websites, and policies can help reduce the risk from shadow IT installations, but unless those policies are enforced some employees will break the rules.

Numerous organizations have experienced phishing attacks even when training has been provided on how to identify phishing emails. Unfortunately, scammers are getting much better at crafting highly convincing emails to fool users into visiting websites containing exploit kits that can download malware.

Business email compromise scams have been increasing in recent months, prompting the FBI to issue warnings about the high risk of attack. Scammers are impersonating CEOs, CISOs, and other executives to get end users to visit websites, divulge their login credentials, or download malware.

With so many Internet threats to deal with, policies alone are no longer enough to keep organizations' networks free from malicious software, and infections can prove very costly to resolve.

Controlling Personal Use of the Internet

Many companies take a relaxed attitude to personal Internet use, provided it is kept within certain limits. This is arguably the best option for employers and employees. Blocking personal access to the Internet can have a negative effect on staff morale, and all employees will need to use the Internet from time to time for personal reasons.

That said, some members of staff will always abuse their Internet access, and this can lead to serious problems for employers. Besides the risk of malware infections, Internet abuse can have legal implications: the use of illegal file sharing websites for copyright-infringing downloads, access to illegal content such as child pornography, or even the viewing of legal pornography in the workplace can cause many HR issues.

Of course, web filtering is not only about blocking access. It allows companies to monitor use of the Internet and identify employees who are breaking the rules before serious HR or legal issues arise. Web filtering also allows organizations to place limits on online activities at certain times of the day to ensure the workforce remains productive and bandwidth is not wasted.

Summary of the Benefits of Filtering the Internet

  • Blocks malware, ransomware, botnets, adware, and spyware installations
  • Prevents the accessing of illegal website content
  • Stops the downloading and installation of shadow IT
  • Prevents bandwidth wastage
  • Allows employers to monitor employees’ Internet usage
  • Prevents many HR issues
  • Helps organizations to comply with industry regulations
  • Can help to increase employee productivity

Benefits of Web Filtering Services for MSPs

  • Protects clients from Internet threats
  • Easily increases client revenue
  • Helps MSPs to attract more clients and win new business
  • Allows MSPs to provide a more comprehensive range of Internet services

Web Filtering Services for MSPs can be Easily Incorporated into Existing Service Packages

Web filtering services for MSPs no longer require expensive appliances to be purchased, and it is not necessary to send local IT support staff to clients' sites to install and configure web filters. In fact, it is not even necessary to install software on clients' devices or servers at all. With a cloud-based service, clients can have their Internet filtered within 5 minutes of saying yes to a sales representative.

Cloud-based web filtering services for MSPs require clients to make a small change to their DNS settings, something that even a non-technical employee can be talked through over the phone. By pointing DNS resolution at the service provider's servers, the Internet can be filtered quickly and painlessly. The one accompanying change a practitioner should insist on is a firewall rule blocking outbound DNS to any other resolver; without it, the filter can be bypassed simply by changing a device's resolver settings.
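As an added example (written for this page, not WebTitan's code) of what a DNS-layer filter decides once a client's resolver points at it, and of where the Cerber "decrypttozxybarc" payment domains mentioned earlier would be listed, the following applies an allow list, a blocked-domain list and a blocked-label list to a constructed query log. The policy, sinkhole address, upstream answers and log format are all assumptions. Domain rules match by label, so "badsite.test" blocks "cdn.badsite.test" but not "notbadsite.test"; label rules match a hostname label under any TLD; the allow list wins over everything.

```python
"""DNS-layer web filtering policy: a toy version of what a filtering resolver
decides for each query once a client's DNS points at it.

Added example for this page, not WebTitan/TitanHQ code. The policy, sinkhole
address, upstream answers and log lines below are constructed.
"""

SINKHOLE_IP = "10.255.255.1"   # assumption: address that serves the block page

POLICY = {
    "allow": {"example.com"},
    "block_domains": {"badsite.test", "exploitkit-landing.test"},   # constructed
    "block_labels": {"decrypttozxybarc"},   # Cerber payment sites, whatever the TLD
}

# Stand-in for the upstream resolver (constructed answers; None = NXDOMAIN).
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "cdn.badsite.test": "198.51.100.7",
    "notbadsite.test": "198.51.100.8",
    "decrypttozxybarc.com": "203.0.113.9",
    "pay.decrypttozxybarc.onion.to": "203.0.113.10",
}


def labels(name: str) -> list:
    """Split a query name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def parents(name: str):
    """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c."""
    parts = labels(name)
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def classify(qname: str) -> tuple:
    """Return ('allow' | 'block', reason) for one query name."""
    for dom in parents(qname):                 # allow list wins, including subdomains
        if dom in POLICY["allow"]:
            return "allow", f"allowlisted {dom}"
    for dom in parents(qname):                 # label-wise suffix match, not substring
        if dom in POLICY["block_domains"]:
            return "block", f"blocked domain {dom}"
    for label in labels(qname):                # campaign label under any TLD
        if label in POLICY["block_labels"]:
            return "block", f"blocked label {label}"
    return "allow", "no rule"


def resolve(qname: str) -> tuple:
    """Answer a query: the sinkhole address for blocked names, else the upstream answer."""
    action, reason = classify(qname)
    if action == "block":
        return SINKHOLE_IP, reason
    return UPSTREAM.get(qname), reason


def process_log(lines: list) -> list:
    """Each line is '<timestamp> <client-ip> <qname>' (constructed format).
    Returns (client, qname, action, reason) per line."""
    out = []
    for line in lines:
        _ts, client, qname = line.split()
        ip, reason = resolve(qname)
        out.append((client, qname, "block" if ip == SINKHOLE_IP else "allow", reason))
    return out


QUERY_LOG = [   # constructed
    "2016-05-23T10:01:02 10.1.2.3 www.example.com",
    "2016-05-23T10:01:05 10.1.2.3 cdn.badsite.test",
    "2016-05-23T10:01:09 10.1.2.4 notbadsite.test",
    "2016-05-23T10:02:11 10.1.2.4 decrypttozxybarc.com",
]

if __name__ == "__main__":
    for row in process_log(QUERY_LOG):
        print(*row)
```

The block decisions are also the reporting feed: a client machine repeatedly resolving a ransomware payment domain is an infected host, not just a policy violation, and should trigger an alert rather than a silent block-page hit.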

Web filtering services for MSPs can easily be offered to clients alongside a managed service provider's existing solutions. WebTitan Cloud and WebTitan Cloud for WiFi are offered as web filtering services for MSPs without any branding: MSPs can add their own logos and corporate color schemes, tailor block pages, and customize reports with their own branding. If required, MSPs can also host the solution within their own infrastructure or use a private cloud for clients.

The management overhead is low and the configuration of new accounts is quick and easy. New client accounts can be set up in approximately 20 minutes. Even reporting is taken care of with a full suite of pre-configured, schedulable reports, including instant email alerts.

The cost for the client is low with only a small spend required per user, per year, and the margins offered by TitanHQ on web filtering services for MSPs are generous. This allows MSPs to easily increase profits, in some cases, by tens of thousands of dollars.

If you want to attract new business, increase client spending, and easily increase profits, web filtering services for MSPs could well be the answer.

For further information on our web filtering services for MSPs, including a product demonstration and details of pricing, contact our sales team today.