Email & Web Spam
Our news section dedicated to email & web spam highlights many scenarios in which organizations – and individuals within organizations – act on fraudulent communications sent via email or presented to them on a hacked website. The news items report not only cyberattacks launched via email and the web, but also on the damage that is caused and the consequences of the attack.
Trends in email & web spam attacks are also identified within our news items, together with information on how many of the attacks can be avoided – typically with an email spam filter and/or a web content filter. If your organization is at risk from email & web spam, we recommend that you speak with one of our technical sales team today.
According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.
Half of US Ransomware Attacks Affected Healthcare Organizations
The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.
For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. The analysis revealed increases not only in US ransomware attacks but also in other malware infections and in accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosure of data by employees is actually the more dangerous threat: accidental data breaches increased by a third in 2016.
US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware, as were 40% of the breaches suffered by financial services companies. However, it was the healthcare industry that experienced the most ransomware attacks: nearly half of 2016 US ransomware attacks affected healthcare organizations.
The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.
Ransomware Attacks on Police Departments Have Increased
Even police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January last year, the Midlothian Police Department in Illinois was attacked with ransomware and paid a $500 ransom to regain access to its files.
The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury Police Department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldoboro and Damariscotta) were attacked with ransomware, and in December 2016 the Cockrell Hill Police Department in Texas experienced a ransomware infection in which video evidence dating back to 2009 was encrypted. However, since much of that information was held in backups, the Cockrell Hill Police Department avoided paying the ransom.
Defending Against Ransomware
Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.
Ransomware prevention requires technologies that block the main attack vectors. Email remains one of the most common delivery mechanisms used by cybercriminals, so an advanced spam filtering solution should be used to prevent malicious emails from reaching end users. However, not every malicious attachment or link can be blocked. It is therefore essential not only to provide employees with security awareness training, but also to run simulated ransomware and phishing exercises to confirm that the training has been effective.
Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.
Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.
The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.
A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.
WiFi networks are often abused by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen, which hardly makes for a pleasant dining experience.
However, there is another important reason why a restaurant WiFi filtering service should be used. It protects not only diners using the free WiFi network from a range of web-borne threats, but also the restaurant’s own computer systems.
Each year, many restaurants discover that their computers and networks have been infected with malware. Many malware infections are opportunistic; however, restaurants are now being deliberately targeted by cybercriminals. If a hacker gains access to a restaurant’s network and succeeds in loading malware onto its point-of-sale (POS) system, the card details of every customer who pays for a meal with a debit or credit card can be sent to the hacker.
Restaurants, especially restaurant chains, are targeted for this very reason: one infected POS system gives a cybercriminal a steady supply of card numbers. Each year, there are many examples of restaurants attacked in this manner. One of the latest restaurant chains to be attacked was Popeyes Louisiana Kitchen, a multinational chain of fried chicken and fast food restaurants.
Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.
Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of compromise. That analysis revealed a malware infection: the information-stealing malware was passing card data to the attacker, and those details were being used to defraud customers. Ten restaurants in the chain, located in Georgia, North Carolina, and Texas, were known to have been affected. The malware has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputational damage for the chain.
Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.
A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers. Something that is increasingly important for parents when choosing a restaurant.
To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFI filtering service for 30 days without charge, contact the TitanHQ team today.
It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.
While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.
200 Ransomware Families Now Discovered
As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.
The ransomware families have been catalogued by the ID Ransomware Service; part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.
Not only are new ransomware families being developed at an unprecedented rate, the latest variants are also stealthier, with new capabilities for avoiding detection. They are more virulent, capable of encrypting a far wider range of data, and can delete backup files and spread quickly across networks and storage devices.
More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.
Massive Campaign Spreading New Locky Ransomware Variant
One of the biggest threats is Locky, a particularly nasty ransomware family that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate, and yet another was discovered this week. The developers and distributors are also using a variety of techniques to evade detection.
Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.
There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched, a joint initiative of Europol and the Dutch National Police with which a number of security firms have since collaborated by supplying decryptors. So far, decryptors have been uploaded to the site for several ransomware families: Chimera, CoinVault, Rannoh, Rakhni, Shade, TeslaCrypt, and Wildfire.
Ransomware Problem Unlikely to Be Solved Soon
Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.
Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.
Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.
Are you Prepared for a Ransomware Attack?
With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation; which can be considerable.
Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.
An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.
Even with these defenses, attacks may still prove successful. Unless a viable backup of the data exists, organizations are left with two options: accept the loss of the data or pay the ransom. Unfortunately, even paying does not guarantee that data can be recovered. The attackers may be unable to supply valid keys, and even when keys exist there is no guarantee that they will be sent.
Since ransomware routinely deletes Windows Volume Shadow Copies and many variants also encrypt backup files on connected storage devices, backup media should be air-gapped (disconnected from the network and from hosts when not in use), multiple backup copies should be kept, and restores should be tested regularly.
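The shadow-copy deletion mentioned above is one of the earliest visible signs of an infection on a host, and it is worth detecting rather than only defending against. The following is an added example, not part of this article or of any TitanHQ product: a Python detection run over constructed process-creation log lines (the `host|user|image|command_line` format, the hostnames and the user names are all assumptions) that flags the commands ransomware commonly uses to destroy on-host recovery data and singles out hosts where several distinct techniques were seen.

```python
"""Flag commands that ransomware commonly runs to destroy on-host recovery data.

Added example for illustration. The log lines are constructed, not real
telemetry; the assumed format is one process-creation event per line as
'host|user|image|command_line' (what Sysmon Event ID 1 or Security 4688 with
command-line auditing would give you after export).
"""
import re

# Patterns for backup/recovery tampering, matched case-insensitively against the
# full command line, each paired with a short label for the alert.
RECOVERY_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin shadow deletion"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "vssadmin shadow storage shrink"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadow deletion"),
    (re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I), "WMI shadow deletion via PowerShell"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "wbadmin catalog deletion"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "bcdedit recovery disabled"),
    (re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I), "bcdedit boot failure suppression"),
]

# Constructed sample events: three tampering commands on ws01, routine admin
# activity on ws02 and fs01, and a PowerShell variant on ws03.
SAMPLE_EVENTS = r"""
ws01|CORP\alice|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
ws01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
ws01|CORP\alice|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
ws02|CORP\bob|C:\Windows\System32\vssadmin.exe|vssadmin.exe List Shadows
fs01|CORP\svc_backup|C:\Windows\System32\wbadmin.exe|wbadmin start backup -backupTarget:E: -include:D:
ws03|CORP\carol|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""


def parse_event(line):
    """Split one event line; maxsplit keeps pipes inside the command line intact."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def detect_recovery_tampering(log_text):
    """Return one alert dict per event whose command line matches a pattern.

    A single 'vssadmin list shadows' is routine administration and is not
    flagged; only destructive or recovery-disabling commands match.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for pattern, label in RECOVERY_TAMPER_PATTERNS:
            if pattern.search(event["cmdline"]):
                alerts.append({**event, "technique": label})
                break
    return alerts


def hosts_with_multiple_techniques(alerts, threshold=2):
    """Hosts where at least `threshold` distinct tampering techniques were seen.

    Several different techniques on one host in quick succession is the
    high-confidence signal that an encryptor is preparing to run.
    """
    seen = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["technique"])
    return sorted(host for host, techniques in seen.items() if len(techniques) >= threshold)


if __name__ == "__main__":
    found = detect_recovery_tampering(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["host"]} {alert["user"]}: {alert["technique"]} <- {alert["cmdline"]}')
    print("hosts to isolate:", hosts_with_multiple_techniques(found))
```

The patterns only work if command-line auditing is actually switched on (Sysmon, or Security event 4688 with "Include command line in process creation events"); without it the events carry image names only and the wmic and PowerShell variants are invisible.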
With attacks increasing, there is no time to wait. Now is the time to get prepared.
Many top companies have not done enough to prevent email spoofing using their domains. A new study conducted by security firm Detectify has revealed that many top website domains are wide open to abuse because email servers have been misconfigured or do not use authentication.
Website Owners are Not Doing Enough to Prevent Email Spoofing
Detectify conducted the study to determine how widespread the problem really is. The top 500 Alexa ranked websites were scanned to determine whether vulnerabilities existed that would allow spammers to send spoofed emails from the domains. The Swedish security firm found that fewer than half of the websites tested had configured their email servers correctly. The majority had either misconfigured their email servers or had failed to use authentication, which could prevent email spoofing. 276 of the domains were discovered to be vulnerable. More than half of the most visited websites could therefore be used by spammers to send spoofed emails.
Email spoofing is the sending of email with a forged sender address. The forgery can use a lookalike domain – one that closely resembles the genuine domain – or the genuine domain itself. In the former case there is little companies can do to prevent the abuse, and it is largely down to email recipients to check the sender’s address carefully.
However, organizations can take steps to prevent spammers from sending emails from their own domains. If fake emails are sent from their domains customers may be fooled into thinking the messages are genuine. Criminals use email spoofing for phishing, spearphishing, and malware/ransomware campaigns. It is easier for them to achieve their objective if the message recipients trust the domain from which the email is sent.
How to Prevent Email Spoofing
There are three main ways that companies can address these weaknesses and prevent domain spoofing: SPF, DKIM, and DMARC. The most common is the Sender Policy Framework (SPF), a DNS TXT record in which the domain owner lists the servers permitted to send email for the domain. The record ends with an “all” mechanism whose qualifier tells receiving servers what to do with mail from any other source: hardfail (-all), softfail (~all), or neutral (?all). To prevent email spoofing, hardfail should be used; it instructs receiving servers to reject messages from servers not listed in the record. With softfail, messages from unlisted servers are still delivered, although they should be marked as suspicious. With neutral, the record makes no assertion and receivers treat the mail as if no SPF record existed.
The 276 vulnerable domains identified by Detectify had used the softfail or neutral qualifier. Softfail is often chosen over hardfail to avoid losing legitimate email that is incorrectly flagged. However, many free email providers, Gmail included, do not mark messages as spam on the basis of a softfail alone.
Detectify recommended that domain owners use hardfail and also deploy DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC is a much more reliable way to prevent spoofed email from a domain: it ties the domain in the visible From header to the domain authenticated by SPF (or DKIM), and publishes a policy (none, quarantine or reject) telling receivers what to do when that check fails. This makes it far easier to determine whether an email is genuine or merely looks real. DMARC also delivers aggregate reports that tell the domain owner who is sending email using their domain.
However, only 42% of the websites tested used DMARC, and in many cases the record was configured incorrectly. While SPF and DMARC are not infallible, together they make it much harder for spammers to send spoofed email from a domain.
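To make the hardfail/softfail/neutral distinction and the extra step DMARC adds concrete, here is an added example, not code from the Detectify study or from any TitanHQ product: a small offline SPF evaluator and DMARC policy lookup in Python, run against constructed DNS TXT records. The domains (`example.com`, `softfail.example`, `neutral.example`, `_spf.mailhost.example`) and addresses are assumptions drawn from the documentation ranges; a real receiver would fetch the records over DNS and would also verify DKIM, which is left out here.

```python
"""Offline SPF and DMARC evaluation against constructed DNS TXT records.

Added example for this article, not code from the Detectify study. All domains,
addresses and records are constructed (RFC 5737/3849 documentation ranges).
DKIM is omitted: we assume the message carries no DKIM signature, so DMARC
alignment can only be satisfied through SPF.
"""
import ipaddress

TXT_RECORDS = {
    # Correctly configured: explicit sender list, hardfail, DMARC reject policy.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # Softfail with a monitor-only DMARC policy: spoofed mail is still delivered.
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_dmarc.softfail.example": "v=DMARC1; p=none; rua=mailto:dmarc@softfail.example",
    # Neutral and no DMARC record at all: the record asserts nothing.
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sending_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sending_ip`.

    Supports the ip4, ip6, include and all mechanisms; mechanisms that need
    live DNS (a, mx, exists, ptr) are not implemented and are skipped.
    """
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"            # no SPF record published for this domain
    if depth > 10:
        return "permerror"       # RFC 7208 caps DNS-querying mechanisms at 10
    addr = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return SPF_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            # Membership is False when address families differ, so v4 vs v6 is safe.
            if addr in ipaddress.ip_network(argument, strict=False):
                return SPF_RESULT[qualifier]
        elif mechanism == "include":
            if check_spf(argument, sending_ip, depth + 1) == "pass":
                return SPF_RESULT[qualifier]
    return "neutral"             # record with no 'all' term defaults to neutral


def parse_dmarc(domain):
    """Return the DMARC tags for `domain` as a dict, or None if none is published."""
    record = TXT_RECORDS.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def receiver_disposition(header_from_domain, envelope_from_domain, sending_ip):
    """What a DMARC-honoring receiver does with a message.

    Returns (spf_result, dmarc_policy, disposition). SPF authenticates the
    envelope sender; DMARC additionally requires that domain to align with the
    visible From header (strict alignment here), which is what stops the
    header being forged while the envelope points at an attacker's domain.
    """
    spf = check_spf(envelope_from_domain, sending_ip)
    aligned = spf == "pass" and envelope_from_domain == header_from_domain
    dmarc = parse_dmarc(header_from_domain)
    policy = dmarc.get("p", "none") if dmarc else None
    if aligned:
        return spf, policy, "deliver"
    if policy in ("reject", "quarantine"):
        return spf, policy, policy          # the domain owner's policy is enforced
    # No DMARC policy to enforce: fall back on the SPF qualifier alone.
    if spf == "fail":
        return spf, policy, "reject"
    if spf == "softfail":
        return spf, policy, "deliver-flagged"
    return spf, policy, "deliver"           # neutral or none: accepted unauthenticated


if __name__ == "__main__":
    spoof_ip = "203.0.113.7"   # constructed attacker address, listed in no record
    for domain in ("example.com", "softfail.example", "neutral.example"):
        print(domain, receiver_disposition(domain, domain, spoof_ip))
```

Running it shows the three outcomes the article describes: the hardfail domain with `p=reject` has the forged message rejected, the softfail domain with `p=none` sees it delivered with at most a flag, and the neutral domain without DMARC delivers it as if no record existed. The last test case below also shows why SPF alone is not enough: a forged From header of `example.com` riding on an envelope domain the attacker controls passes SPF entirely and is only stopped by the DMARC alignment check.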
Healthcare ransomware infections have made the headlines in recent weeks, although the University of Calgary ransomware attack shows that no organization is immune: In fact, university ransomware attacks are on the rise.
Organizations in the healthcare and financial sectors are the main targets for cybercriminals, although education is the third most likely industry to be attacked. Universities store huge volumes of highly sensitive data and state-sponsored hacking groups frequently conduct attacks.
Foreign governments are keen to obtain research data and ransomware attacks on universities may just be a smokescreen. All too often DDoS attacks are performed for this purpose, yet ransomware can be just as effective. While IT departments scramble to secure systems and recover data, attackers may be plundering data.
University of Calgary Ransomware Attack: $20K Paid for Decryption Keys
The University of Calgary ransomware attack occurred late last month and resulted in computer systems being severely disrupted. The IT department worked around the clock in an attempt to contain the infection and restore computer services one by one. While the University had made backups of critical data, the decision was taken to pay the attackers’ ransom demand as a precaution. To obtain the decryption keys the University had to pay the attackers $20,000.
However, even after paying the ransom, decrypting the files and recovering data has been a long-winded process. The decryption keys had to be assessed and evaluated, and decrypting the affected systems took a considerable amount of time.
If multiple computers are infected, a separate decryption key is typically required for each device. Each computer must be restored separately, and decryption keys do not always work and may not allow all data to be recovered.
The keys have to be used with care and an infection can take up a considerable amount of an IT department’s time to resolve. Systems and data need to be checked after the infection has been removed and additional cybersecurity measures implemented to protect against future attacks.
The University of Calgary ransomware attack has cost tens of thousands of dollars to resolve and shows that paying the attackers ransom demand is not a quick fix that will enable files to be quickly recovered. The recovery process is time consuming, expensive, and requires a considerable amount of resources.
During the time that systems are down, workflows are seriously disrupted. In the case of university ransomware attacks lives may not be put at risk as is the case with healthcare attacks, but the costs of ransomware attacks on universities can be considerable. The total cost of resolving a ransomware infection is far in excess of any ransom payment.
Protecting Against University Ransomware Attacks
Unfortunately for universities, protecting against ransomware can be difficult as public and private networks often overlap. Staff and students are often allowed to connect personal devices to networks, and controlling which devices connect can be a difficult task. While businesses can conduct cybersecurity training and teach staff basic security best practices, this is difficult for universities with large numbers of staff, students and researchers.
It is therefore important to implement a number of strategies to reduce the risk of a ransomware attack being successful.
It is essential that regular data backups are made and backup devices must be air-gapped. Staff and students should be encouraged to save files on backed up network drives, and cybersecurity training should be provided where possible. Students should be informed of the risk and advised of security best practices via email and noticeboards.
Many universities already use a web filtering solution to control the content that can be accessed via university wired and WiFi networks. Web filters can also be configured to reduce the risk of drive-by malware downloads. Anti-spam solutions can also prove effective as part of a multi-layered cybersecurity strategy and can prevent malicious emails from being delivered.
Technology should also be implemented to identify intrusions when they occur. A network intrusion detection system is a wise precaution alongside traditional anti-virus and anti-malware solutions.
It may not be possible to prevent all university ransomware attacks, but it is possible to manage risk and reduce the damage caused if ransomware is installed on devices or networks.
Microsoft has recently given Windows users a new incentive to upgrade to Windows 10: a ransomware worm called ZCryptor. The new ransomware variant exhibits worm-like behavior and is able to self-replicate and infect multiple devices. Upgrading to the latest version of Windows will not by itself prevent infection, although Windows 10 includes additional protections that make infection more difficult.
The new ransomware variant, called ZCryptor.A, is primarily distributed via spam email messages containing malicious macros, although the Microsoft security advisory indicates the ransomware worm is also installed via fake installers such as those claiming to update Adobe Flash to the latest version.
If ZCryptor is installed, the ransomware searches for removable drives and installs an autorun.inf file on the device. When the drive is disconnected and connected to another computer, the ransomware is able to spread, infecting a new machine.
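The autorun.inf dropped on removable media is a useful artifact when triaging drives that have been plugged into an infected machine. The following is an added example, not part of the Microsoft advisory and not ZCryptor's own code: a Python routine that audits an autorun.inf (the sample file is constructed) for directives that would launch an executable and reports the dropped file name to collect. Windows 7 and later do not honor autorun.inf on USB media by default, but the file still identifies the drive as touched and names the payload.

```python
"""Triage an autorun.inf from a removable drive for launch directives.

Added example for this article; the sample file is constructed and the key
names follow the documented autorun.inf format (open, shellexecute, and the
shell\<verb>\command keys that hijack the right-click verbs).
"""
import configparser
import re

# Constructed sample modelled on the generic "launch an executable" pattern.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=system.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=system.exe
shell\explore\command=system.exe
useautoplay=1
"""

# Keys that cause something to run, and the file extensions worth flagging.
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_RE = re.compile(r"(?:^|[\\\s])[^\\\s]+\.(?:exe|scr|com|pif|bat|cmd|vbs|js)\b", re.I)


def audit_autorun(text):
    """Return the (key, value) pairs that would launch an executable.

    Malformed files (no section header, unreadable lines) are common on
    drives that have been written by several malware generations, so parse
    errors are reported as 'nothing found' rather than raised.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    if not parser.has_section("autorun"):
        return []
    findings = []
    for key, value in parser.items("autorun"):
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            if EXECUTABLE_RE.search(value):
                findings.append((key, value))
    return findings


def dropped_payloads(findings):
    """Distinct file names referenced by the launch directives, for collection."""
    return sorted({value.split()[0].rsplit("\\", 1)[-1].lower() for _, value in findings})


if __name__ == "__main__":
    hits = audit_autorun(SAMPLE_AUTORUN_INF)
    for key, value in hits:
        print(f"launch directive: {key} = {value}")
    print("files to collect from the drive:", dropped_payloads(hits))
```

The `icon=` line is deliberately not flagged: it references a DLL resource, not something that runs, and including it would produce a false positive on every legitimate vendor autorun.inf.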
The ZCryptor ransomware worm encrypts 88 different file types according to the Microsoft advisory, although some samples have been detected that target as many as 121 file types.
Once installed, the ransomware generates a fake Windows alert indicating a removable drive cannot be detected. The pop-up will continue to be displayed while the ransomware is running and is communicating with its command and control server. The purpose of the pop-up is unclear, although presumably this is generated to prompt the user to disconnect the drive. This could be a ploy to get the victim to connect the removable drive to a different computer thus spreading the infection.
The ransomware worm displays an HTML window explaining that all personal files on the computer have been encrypted. A ransom of 1.2 Bitcoin (approximately $500) is demanded for the decryption key. Victims are given 4 days to pay before the demand increases to 5 Bitcoin, and the attackers claim that after 7 days the unique decryption key will be permanently destroyed, leaving all encrypted files permanently locked.
While anti-virus software developers have been able to find vulnerabilities in a number of other ransomware variants and develop fixes, no known fix currently exists for a ZCryptor infection. Victims will either have to restore all of their files from a backup or will have to pay the ransom. Of course, there is no guarantee that the attackers will make good on their promise and will supply a valid decryption key.
Ransomware Worm Represents Next Stage of Malware Development
Many organizations now employ web filtering solutions such as WebTitan to block malicious URLs that lead to exploit kits. By blocking these attack vectors, it is becoming harder for cybercriminals to infect computers.
Spam filters have similarly been developed to be much more efficient and effective at blocking malicious spam email. SpamTitan now blocks 99.97% of spam, making it much harder for malicious attachments and links to reach end users.
Due to the improved cybersecurity protections in place in many organizations, ransomware developers have had to develop new methods to spread infections. The development of ransomware that exhibits worm-like behavior does not come as a surprise. Security researchers believe that these ransomware worms are likely to become much more common and that self-propagating ransomware and malware will soon become the norm.
A recent ransomware research study has shown the individuals running ransomware campaigns do not actually earn that much money and the success rate of attacks is relatively low. However, the threat from attacks cannot be ignored due to the volume of individuals now running their own ransomware campaigns.
For the ransomware research study, web intelligence company Flashpoint trawled underground forums and marketplaces and monitored communications over a period of five months. The purpose of the ransomware research study was to improve understanding of how ransomware campaigns are run, to learn about the players involved, and the tactics they used to run campaigns and infect end users. It helps to know thy enemy when forming a defense strategy against attacks.
For its ransomware research study, Flashpoint investigated Russian ransomware campaigns from December 2015. The attacks were predominantly carried out on organizations and individuals in the West.
Ransomware Research Study Shows Campaigns are Not as Profitable as Many People Think
Considering the disruption caused and the money lost by victims of ransomware attacks, many people believe the criminals behind the campaigns are making big bucks, but that is not necessarily the case. In fact, even “ransomware bosses” – the individuals offering ransomware-as-a-service – are not raking in anywhere near as much money as many people think.
The majority of cybercriminals who run ransomware campaigns earn well under $10,000 a month. According to the ransomware research study report, only one in five individuals who run ransomware campaigns admitted to earning in excess of this figure. The report suggests that the average monthly earnings from this type of campaign is around $600 per month.
The typical ransom is around $300 per infected computer, although the people who run the campaigns have to give the ransomware bosses 60% of their earnings. They are allowed to keep the remaining 40%, suggesting most of the people running these campaigns only get 2-3 ransoms per month.
The ransomware research study data suggest that far from allowing criminals to obtain big money from ransomware campaigns, the attacks only yield similar returns to other forms of cybercriminal activities. The only difference being the attackers can usually get their hands on money faster. Stealing data such as credit card numbers or healthcare data requires the attacker to find a buyer for those data before any money is received.
The report suggests that the typical infection rate from a campaign is between 5% and 10%, yet few of the victims end up paying the ransom. Many ransomware victims are protected having made backup copies of important files and some are able to unlock the infections using tools from security companies. Others are willing to lose data rather than pay the ransom.
Ransomware bosses that push ransomware-as-a-service using an affiliate model can make around $7,500 per month, which equates to around $90,000 a year – approximately 30 ransom payments per month for the bosses.
Most Ransomware Campaigns are Run by Novices
While there are criminal gangs and highly skilled cybercriminals who invest a lot of time and effort into their ransomware attacks, the report suggests that the majority of attackers are novices; not skilled hackers. The report suggests that many individuals choose to run campaigns using ransomware-as-a-service in the hope that they will get lucky and get a big payout. These individuals tend to run spamming campaigns based on quantity rather than quality, and send high numbers of spam emails using botnets.
Flashpoint’s ransomware research study shows just how easy it is to start sending out ransomware campaigns. This is why so many individuals choose to give it a try. All that is needed is a very small injection of capital to get started, a lack of morals about how money is earned online, and a modicum of knowledge to allow individuals to send out mass spam emails.
Adverts for ransomware-as-a-service are easy to find with the Tor browser and advice on distribution is not difficult to find. Would-be criminals with no experience are recruited with a promise of a big payout, even though the reality is that for most people the payouts will be low.
More experienced and skilled individuals send phishing emails directing victims to websites containing exploit kits, which probe for vulnerabilities and automatically download the ransomware. Another popular method of infection is to sneak adverts containing malicious links onto legitimate advertising networks.
Only a small percentage of attackers are highly skilled. These individuals tend to send out targeted campaigns. These attackers target organizations and businesses with the aim of infecting multiple machines and infiltrating networks causing widespread disruption.
These campaigns tend to involve a considerable amount of planning, and require the attacker to research targets and design targeted emails that have a high chance of eliciting the desired response. According to Flashpoint’s director of Eastern European Research and Analysis, Andrei Barysevich, “The success rate of this type of operation is significantly higher, enabling criminals to earn upwards of $10,000 a month or more.”
For organizations infected with ransomware the costs can be severe. Add up the cost of disruption to the business, the time and resources required to remove infections and restore files, and the cost of implementing more robust security measures, and the cost of a ransomware attack could be tens of thousands of dollars.
With no shortage of takers for ransomware-as-a-service, and ever more sophisticated ransomware being developed, organizations must develop a host of defenses to prevent attacks from being successful.
A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.
CEO Fraud Scam Results in Losses of 40.9 Million Euros
Earlier this year, FAAC – an Austrian aircraft component manufacturer – was targeted by attackers who managed to pull off an audacious 50 million Euro ($55 million) CEO fraud scam. A wire transfer was made for 50 million euros by an employee of the firm after receiving an email request to transfer the funds from CEO Walter Stephan. The email was a scam and had not been sent by the CEO.
Unfortunately for FAAC, the CEO fraud scam was discovered too late and the transfer of funds could not be stopped. While the company was able to recover a small percentage of its losses, according to a statement released by FAAC, the company lost 41.9 million Euros as a result of the attack, which contributed to annual pretax losses of 23.4 million Euros.
The bank transfer represented approximately 10% of the company’s entire annual revenue. Given the high value of the transfer it is surprising that the transfer request was not queried in person – or over the telephone with the CEO.
The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers were not believed to be linked to FAAC in any way.
Heads Roll After Huge Losses Suffered
Earlier this year, FAAC sacked its chief finance officer as a direct result of the scam. The CEO was recently sacked following a meeting of the company’s supervisory board. Stephan had worked at the company as CEO for 17 years.
This CEO fraud scam is one of the largest ever reported, although this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S. companies over the past year. In April, the FBI reported that $2.3 billion had been lost as a result of this type of scam.
CEO email fraud involves a member of the accounts department being sent an email from the CEO – or another senior executive – requesting a bank transfer be made from the company accounts. A reason is usually supplied as to why the transfer request needs to be made, and why it must be made urgently.
Oftentimes, the scammer and the target exchange a few emails. An email is initially sent asking for a transfer to be made, followed by another email containing details of the recipient account where the funds must be sent and the amount of the transfer. The scams are effective because the request appears to come from within the company from a senior executive or CEO. Oftentimes the attackers manage to compromise the CEO’s email account, and spend time researching the style the CEO uses for emails and who transfer requests have been sent to in the past.
According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off in the past. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were able to be recovered. The Scoular Co. wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.
Easy Steps to Prevent CEO Email Fraud
There are steps that can be taken that can greatly reduce the risk of these scams being successful.
- Implement policies that require all bank transfers – or those above a certain threshold – to be authorized by telephone or through other communication channels.
- Ensure bank transfer requests are authorized by a supervisor and are not left to one single employee.
- Configure spam filters to block spoofed domains to prevent scam emails from being delivered.
- Provide training to all accounts department staff and warn of the risk of CEO fraud scams.
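The spam-filter step above, and the description of how these scams work (a senior executive’s name on the message, urgency, and a later email carrying the account details), can be turned into a concrete mail-flow check. The following is an added example, not code from the article or from any vendor it mentions: it parses a constructed message and raises the red flags a defender would want on a transfer request. The company domain, the executive allow-list and the sample headers are all placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real email): an executive's display name on
# an address at a lookalike domain, with a Reply-To that points elsewhere again.
SAMPLE_MESSAGE = """\
From: "Jane Doe" <j.doe@example-aero.co>
Reply-To: j.doe.ceo@webmail-example.net
To: accounts@example-aero.com
Subject: URGENT - confidential wire transfer

Please transfer the funds today. I will send the account details shortly.
"""

# Hypothetical allow-list: the only addresses that may originate transfer requests.
EXECUTIVES = {"j.doe@example-aero.com": "Jane Doe"}
COMPANY_DOMAIN = "example-aero.com"

# Wording typical of the scam: pressure to act fast and to keep it quiet.
URGENCY_WORDS = ("urgent", "immediately", "confidential", "today", "wire transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_transfer_request(raw: str, company_domain: str = COMPANY_DOMAIN,
                            executives: dict = EXECUTIVES) -> list:
    """Return a list of findings; an empty list means no red flag was raised."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = domain_of(from_addr)

    # 1. A known executive's display name on an address that is not theirs.
    known_names = {name.lower() for name in executives.values()}
    if from_name.lower() in known_names and from_addr not in executives:
        findings.append(f"display name '{from_name}' used with unknown address {from_addr}")

    # 2. Sender domain is a close misspelling of the company domain (lookalike).
    if from_domain != company_domain and 0 < edit_distance(from_domain, company_domain) <= 3:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To points away from the sender's domain, so replies reach the scammer.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    # 4. Urgency / secrecy wording in subject or body.
    subject = msg.get("Subject", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    hits = [w for w in URGENCY_WORDS if w in subject or w in body]
    if hits:
        findings.append("urgency/secrecy wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in assess_transfer_request(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

Each finding on its own is only a hint; the point is that a request carrying several of them should be held for the out-of-band (telephone) confirmation and second-person authorization the list above calls for, rather than being acted on from the email alone.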
Resolving a hospital ransomware infection may not be as easy as paying the attackers’ ransom demand, as was shown by the Kansas Heart Hospital ransomware attack last week.
Hospital Ransomware Infection Not Removed After Ransom Paid
The Kansas Heart Hospital ransomware attack which occurred last week was the latest in a string of attacks on healthcare organizations in the United States. Ransomware was accidentally installed on a hospital worker’s computer and files were locked and prevented from being accessed.
A ransom demand was received demanding payment for decryption keys to unlock the infection. The decision was taken to pay the ransom to resolve the hospital ransomware infection quickly.
After the ransom was paid, the attackers did not make good on their promise and failed to unlock all of the files. Instead, the hospital was issued with a second ransom demand.
In this case, the initial ransom demand was relatively low. Ransomware attackers typically demand a fee of approximately $500 per device to unlock an infection. If multiple computers have been infected, that figure is then multiplied by the number of devices that need to be decrypted.
Ransomware locks each individual machine separately, and a different key is required to unlock each one. Otherwise a victim could pay up and then publish their key and no one else would be required to pay.
Kansas Heart Hospital did not disclose how much was paid, but this could well have been the fee to unlock a single machine. However, regardless of the amount, the incident shows that even if a ransom is paid there is no guarantee that the attackers will play ball and make good on their promise. Further demands may be made for more Bitcoin. Resolving a hospital ransomware infection may not necessarily mean just paying the ransom demand.
Healthcare Industry Under Attack
Over the past few months the healthcare industry has come under attack from criminals using ransomware. Some authors of ransomware have taken steps to prevent healthcare providers’ computers from being attacked by their ransomware by including checks to determine the environment in which the ransomware has been installed. However, not all attackers feel they have a moral responsibility to prevent attacks which could cause people to come to physical harm.
Hollywood Presbyterian medical center, Alvarado Hospital Medical Center, King’s Daughters’ Health, Kentucky’s Methodist Hospital, California’s Chino Valley Medical Center and Desert Valley Hospital, and MedStar Health have all been attacked with ransomware this year.
That list is likely to continue to grow. Hospitals and medical centers are attractive targets for ransomware gangs. Many healthcare organizations have under-invested in cybersecurity measures to protect their networks and many hospital employees have not received extensive training in security awareness. This makes it easy for attackers to install ransomware.
Furthermore, if patient data are locked this can have a negative effect on patient health. If patients are at risk of harm, organizations are much more likely to respond to ransom demands and pay up to ensure patients do not suffer. If patients are harmed as a direct result of poor investment in cybersecurity or mistakes that have been made by healthcare employees, healthcare organizations are likely to face lawsuits that could result in damages far in excess of the ransom being demanded.
With attacks likely to continue, healthcare providers must take steps to prevent ransomware attacks from occurring, and develop policies that can be implemented immediately upon discovery of a ransomware attack. As the Kansas Heart Hospital ransomware attack has shown, paying a ransom is no guarantee that the file encryption will be unlocked. Hospitals may find that they still have to recover files from backups or explore other means of unlocking infections.
The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting software leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users’ devices.
Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye noticed a massive increase in infections in recent weeks. Initially, Cerber ransomware infections occurred as a result of visiting malicious websites hosting the Nuclear or Magnitude exploit kits. Nuclear and Magnitude probe visitors’ browsers for a number of zero-day vulnerabilities, although infections primarily occurred by exploiting a vulnerability in Adobe Flash (CVE-2016-1019). Now the ransomware is being installed via infected files sent via spam email.
Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.
Massive Increase in Cerber Ransomware Infections Discovered in April
The number of infections remained relatively low since the discovery of the new ransomware earlier this year; however, there was a massive spike in infections around April 28 according to FireEye. The ransomware was being downloaded using Microsoft Word macro downloaders.
The attached files are usually disguised as invoices, receipts, or purchase orders, while the emails – written in English – urge the user to open the attachment. If macros are enabled on the computer a VBScript will be installed in the victim’s %appdata% folder. If macros are not enabled users will be prompted to enable them in order to view the contents of the file. Doing so will guarantee infection.
Once installed, the script performs a check to determine whether the infected computer has an Internet connection by sending an HTTP request to a website. If an Internet connection is present, the script performs an HTTP Range Request that ultimately results in the final stage of the infection. FireEye reports the technique has previously been used to deliver the financial Trojans Dridex and Ursnif.
Cerber has been configured to encrypt Word documents, emails, and Steam gaming files, which are given a “.cerber” extension. To unlock the encryption, the victims are told to visit one of a number of websites with the domain “decrypttozxybarc”. Further instructions are then provided on how to unlock the encryption, although a Bitcoin ransom must first be paid. In addition to encrypting files, Cerber ransomware adds the victim’s computer to a spambot network.
The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, victims’ files will be encrypted. To prevent infection, it is important to have macros disabled and to be extremely cautious about opening email attachments, and never to open files delivered via email from an unknown sender. The decrypttozxybarc domain should also be added to web filter blacklists.
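Adding a domain to a web filter blacklist sounds simple, but a filter has to match it correctly: against subdomains, regardless of letter case or a trailing dot, and, as the article notes that the ransom sites use the decrypttozxybarc label under several domains, against that label whichever suffix follows it. The following is an added example of that matching logic, written for this page and not taken from any filtering product; the “decrypttozxybarc” label is from the article, while every other hostname, suffix and the list of blocked download extensions are constructed placeholders. It also applies the download-type blocking that a web filter is typically configured with.

```python
from urllib.parse import urlsplit

# Constructed blocklist entries. Only the "decrypttozxybarc" label comes from the
# article; the suffixes and the other hostnames are placeholders for illustration.
BLOCKED_DOMAINS = {
    "decrypttozxybarc.example",
    "malvertising-cdn.example",
}
# Labels blocked wherever they occur, so the same name under another suffix is caught.
BLOCKED_LABELS = {"decrypttozxybarc"}
# Download types a web filter would typically refuse to serve.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jse", ".docm", ".hta"}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and punycode non-ASCII labels."""
    host = host.strip().lower().rstrip(".")
    return host.encode("idna").decode("ascii")


def domain_blocked(host: str, blocklist=BLOCKED_DOMAINS, labels=BLOCKED_LABELS) -> bool:
    """True if the host, any parent domain of it, or any of its labels is blocked."""
    host = normalize_host(host)
    if not host:
        return False
    parts = host.split(".")
    if any(p in labels for p in parts):
        return True
    # Walk from the full name to ever shorter suffixes: a.b.c -> b.c -> c
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def url_verdict(url: str, blocklist=BLOCKED_DOMAINS, exts=BLOCKED_EXTENSIONS) -> str:
    """Return 'block:domain', 'block:download' or 'allow' for a requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if domain_blocked(host, blocklist):
        return "block:domain"
    path = parts.path.lower()
    if any(path.endswith(ext) for ext in exts):
        return "block:download"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests, the kind a DNS or proxy filter would see.
    for sample in ("http://www.decrypttozxybarc.example/pay",
                   "decrypttozxybarc.other-suffix",
                   "https://cdn.example.net/invoice.js",
                   "https://www.example.net/index.html"):
        print(url_verdict(sample), sample)
```

Suffix matching is what stops a blocklist being bypassed by prefixing a random subdomain, and normalising the name first prevents the same trivial bypass via letter case or a trailing dot. Keep the extension list separate from the domain list: the first is policy for unknown sites, the second is a verdict on known bad ones.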
Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.
Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pay the attackers for a decryption key. Fortunately, in this case there is an easy fix for a CryptXXX infection. The ransomware-encrypted files can be decrypted for free, according to Kaspersky Lab. However, there are many malicious strains of ransomware that are not so easy to remove.
While decrypting files locked by CryptXXX is possible, encryption is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer: it can record logins to FTP clients and email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.
CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.
How to Block Exploit Kits from Downloading Malware
To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage of security vulnerabilities in a wide range of plugins, although commonly vulnerabilities in Flash and Java are exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both platforms. Cybercriminals are quick to take advantage. As soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine that contains an out-of-date plugin is at risk of attack.
It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.
A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!
A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.
Finding new revenue avenues for MSPs can be difficult. There are many ways for MSPs to increase client spending and win new business, although new revenue avenues for MSPs that are easy to implement and manage, are straightforward to sell to clients, and also offer good margins are few and far between. Fortunately, there is a product that can easily be incorporated into existing client offerings which is highly desirable, has a low management overhead, and offers MSPs excellent margins. That service is WebTitan Cloud. WebTitan Cloud is a web filtering service that has been developed with MSPs in mind.
New Revenue Avenues for MSPs: Internet Filtering-as-a-Service
The benefits of WebTitan Cloud are considerable. Our web filtering solution can be used to protect virtually all organizations from a wide range of Internet threats, something that is increasingly important given the increase in phishing attacks and the proliferation of malware and ransomware in recent years. The cost of resolving malware infections is considerable, and data theft and loss can have catastrophic consequences for SMBs. Heavy fines can be issued by regulators for data breaches, and reputation damage from customer data theft can be considerable.
Employees need to be provided with Internet access to work efficiently; however, Internet access is often abused. Employees are wasting a considerable amount of time each day on personal Internet use. Social media networks are accessed, gambling sites used at work, and gaming sites used by many employees during working hours. By limiting access to these websites organizations can greatly increase the productivity of the workforce. Filtering the Internet to prevent employees and customers from accessing inappropriate website content can also prevent HR issues from developing and can reduce legal risk.
Our web filtering solution can also be used to manage bandwidth. Most organizations face bandwidth issues at some point, yet with careful configuration of our web filter, bandwidth can be effectively managed. Bandwidth-heavy Internet services can be limited to ensure that fast Internet access can be enjoyed by all.
WebTitan Cloud – An Easy Way for MSPs to Increase Profits
WebTitan Gateway is a powerful web filtering product that can keep networks protected from web-borne threats and can be used to control the content that can be accessed by employees and customers. While WebTitan Gateway can be offered by MSPs to their clients, TitanHQ has developed a new product that has been tailored to the specific needs of managed service providers.
WebTitan Cloud is a 100% cloud-based web filtering solution that requires no software installations and no hardware purchases. Our web filtering service can be applied in a matter of minutes without the need for on-the-ground IT support teams. Being DNS-based, all that is required is a small change to DNS settings. Point the DNS to our servers and website content can be filtered in as little as 2 minutes.
Configuring new clients’ web filtering settings is a quick and easy process. It takes approximately 20 minutes to add a new client and upload their Internet policy settings. Furthermore, configuring client accounts is a straightforward admin task requiring no technical skill. If clients want to manage their own settings, they can be provided with their own login and administrative roles can be easily delegated. With WebTitan Cloud, filtering the Internet could not be any simpler.
A Web Filtering Service that’s a Perfect Fit for MSPs
There are many companies now offering a web filtering service that can be used by MSPs, but few offer a product or service that has been created with MSPs in mind. With many solutions the cost of implementation is high, margins for MSPs are low, implementation is impractical, and management causes major headaches. On top of that, the lack of white label options means clients could easily end up going direct and cutting an MSP out of the equation. WebTitan Cloud is different.
WebTitan Cloud is offered as a white label, allowing MSPs to easily incorporate a web filtering service into their existing product offerings. MSPs are able to add their own logos, configure block screens, and change color schemes to match their own corporate branding. A range of APIs are also included to make integration with back-office systems as easy as possible. We even offer multiple hosting options. WebTitan Cloud can be run on our servers, in a private cloud, or even within an MSP’s infrastructure.
With WebTitan Cloud, MSPs can start providing a much more comprehensive Internet service to clients and easily boost their profits. For further information on WebTitan Cloud, how our service can be incorporated into your existing portfolios, and for details of pricing, contact our sales team today.
The risk of phishing attacks has increased considerably over the past 12 months, according to a new data breach report from Verizon. Ransomware attacks are also on the rise. The two are often used together to devastating effect as part of a three-pronged attack on organizations.
Firstly, cybercriminals target individual employees with a well-crafted phishing campaign. The target is encouraged to click a link contained in a phishing email which directs the soon-to-be victim to a malicious website. Malware is then silently downloaded to the victim’s device.
The malware logs keystrokes to gain access to login credentials which allows an attacker to infiltrate email accounts and other systems. Infections are moved laterally to compromise other networked devices. Stolen login credentials are then used to launch further attacks, which may involve making fraudulent bank transfers or installing ransomware on the network.
The Risk of Phishing Attacks is Growing
Verizon reports that due to the effectiveness of phishing and the speed at which attackers are able to gain access to networks, the popularity of the technique has grown substantially. In years gone by, phishing was a technique often used in nation-state sponsored attacks on organizations. Now there is a high risk of phishing attacks from any number of different players. Even low skilled hackers are now using phishing to gain access to networks, steal data, and install malware. Out of the nine different incident patterns identified by the researchers, phishing is now being used in seven.
Phishing campaigns are also surprisingly effective. Even though many companies now provide anti-phishing training, attempts to educate the workforce to minimize the risk of phishing attacks are not always effective. The 2016 Verizon data breach report suggests that when phishing emails are delivered to inboxes, 30% of end users open the emails. In 2015 the figure was just 23%. Rather than employees getting better at identifying phishing emails, they appear to be getting worse. Even worse news for employers is that 13% of individuals who open phishing emails also double click on attached files or visit the links contained in the emails.
Ransomware Attacks Increased 16% in a Year
Ransomware has been around for the best part of a decade, although criminals have favored other methods of attacking organizations. However, over the past couple of years that has changed, and the last 12 months have seen a significant increase in ransomware attacks on businesses. According to the data breach report, attacks have increased by 16% in the past year. As long as companies pay attackers’ ransom demands, attacks are likely to continue to increase.
How Can Web Filtering Software Prevent Ransomware Infections and Reduce the Risk of Phishing Attacks?
Defending a network from attack requires a wide range of cybersecurity defenses to be put in place. One of the most important defenses is the use of web filtering software. A web filter sits between end users and the Internet and controls the actions that can be taken by end users as well as the web content they are allowed to access.
A web filter can be used to block phishing websites and malicious sites where drive-by malware downloads take place. Web filtering software can also be configured to block the downloading of files typically associated with malware.
Training employees how to avoid phishing emails can be an effective measure to reduce the risk of phishing attacks, but it will not prevent 100% of attacks, 100% of the time. When training is provided and web filtering software is used, organizations can effectively manage phishing risk and prevent malware and ransomware infections. As phishing attacks and ransomware infections are on the increase, now is the ideal time to start using web filtering software.
IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices. This has been clearly illustrated this week following the discovery of new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.
Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions
Many users are frustrated by the speed of their PC and download tools that will help to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse. The software may perform various nefarious activities.
It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.
The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.
By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.
So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs”.
Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.
By allowing the malware to run, researchers discovered it installed System Healer – another Tuto4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.
The Shadow IT Risk Should Not Be Underestimated
The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that goes to such lengths to detect the environment in which it is run and avoid detection is a serious concern.
Organizations should take steps to reduce shadow IT risk and prevent installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solutions should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations, and action taken against individuals who break the rules.
Anti-phishing strategies can be employed to protect networks from attack; however, a new report from Verizon shows that phishing is proving more successful than ever. Anti-phishing strategies are being employed, but they are not sufficient to prevent attacks from taking place. End users are still opening phishing emails and divulging their login credentials to attackers.
Anti-Phishing Strategies Are Being Implemented But Employees are Still Falling for Phishing Scams
According to the new report a greater percentage of employees are now falling for phishing scams. Last year’s Verizon Data Breach Report showed that 23% of phishing emails were being opened. This year the number has risen to 30%.
Opening a phishing email does not by itself result in a network being compromised or the attacker gaining access to email accounts. For that to happen, an end user must open an infected email attachment or click on a link to a malicious website.
How often are employees taking this extra step? According to the Verizon data breach report, 12% of end users open the phishing email and double click on an attached file.
A similar percentage (13%) of end users click on the malicious links contained in the emails. These links either direct the user to a website containing an exploit kit or to a site where login credentials or other sensitive data are entered and revealed to attackers.
Anti-phishing methods are being taught to company employees, but attacks are still succeeding with alarming frequency. Phishing is proving to be a highly effective method of cyberattack.
The report also indicates that when attacks are successful attackers have plenty of time to exfiltrate data. Organizations are also finding it much harder to detect breaches when they occur. Attacks are taking minutes from the sending of a phishing email to network access being gained, yet it can take months for breaches to be detected.
Training Alone is Insufficient to Protect Against All Phishing Attacks
Anti-phishing strategies adopted by many organizations are not robust enough to prevent successful attacks. Anti-phishing strategies that rely too heavily on training staff members how to identify phishing emails are likely to fail.
It only takes one employee to respond to a phishing email for a network to be compromised and it is a big ask to expect every employee to identify every phishing email, 100% of the time.
Providing staff members with anti-phishing training can help to reduce risk, although software solutions should also be employed. A robust spam filtering solution should be implemented to ensure the majority of phishing emails are blocked and never delivered to end users’ inboxes. No anti-spam solution is effective 100% of the time, although blocking 99.9% of phishing emails is possible with solutions such as SpamTitan.
Attackers are using ever more sophisticated methods to fool end users into clicking on malicious links. A great deal of time and effort goes into spoofing domains and producing carbon-copy spoof websites. Preventing these websites from being visited is one of the best defenses against phishing attacks. Web filtering solutions can be a highly effective way of reducing the risk of a phishing attack being successful.
A web filter can be configured to block phishing websites and other potentially harmful websites. Even if links are clicked, the user is prevented from compromising their device and network.
K-12 schools in the United States have been put on alert after it was discovered that backdoors have been installed on a number of servers running Follett’s Destiny Library Management System. More than 60,000 schools in the United States use Destiny to track school library assets, a number of which now face a high risk of cyberattack.
A security vulnerability in the JBoss platform has recently been used to launch attacks on a number of organizations in the United States. The vulnerability has allowed malicious actors to gain access to servers and install ransomware. The main targets thus far have been hospitals, including Baltimore’s Union Memorial which was infected as a result of a ransomware attack on its parent organization MedStar. The attackers gained access to servers at MedStar and used SamSam ransomware to lock critical files with powerful encryption. The discovery of the ransomware resulted in the forced shutdown of MedStar’s EHR and email causing widespread disruption to healthcare operations.
Over 2000 Backdoors Discovered to Have Been Installed on Servers Running JBoss
Since the attack took place, Cisco’s Talos security team has been scanning the Internet to locate servers exposed to the JBoss security vulnerability. Earlier this week Talos researchers discovered 3.2 million servers around the world are vulnerable to attack. However, there is more bad news. Attackers have already exploited the security vulnerability and have installed backdoors in thousands of servers. In some cases, multiple backdoors have been installed by a number of different players by dropping webshells on unpatched servers running JBoss. 2,100 backdoors were discovered and 1,600 IP addresses have been affected.
Hospitals have been targeted as they hold a considerable volume of valuable data which are critical to day to day operations. If attackers are able to lock those files there is a high probability that the hospitals will be forced to pay a ransom to unlock the encryption. Hollywood Presbyterian Medical Center had to pay a ransom of $17,000 to unlock files that had been encrypted in a ransomware attack. Schools are also being targeted.
Poor patch management policies are to blame for many servers being compromised. The JBoss security vulnerability is not new. A patch was issued to correct the vulnerability several years ago. If the patch had been applied, many servers would not have been compromised. However, some organizations, including many schools, are not able to update JBoss as they use applications which require older versions of JBoss.
Destiny Library Management System Vulnerabilities Addressed With A New Patch
A number of schools running Destiny Library Management System were discovered to have been compromised by attackers using the JexBoss exploit to install backdoors, which could be used to install ransomware. Follett discovered the problem and has now issued a patch to address the security vulnerability and secure servers running its Destiny Library Management System. The patch plugs security vulnerabilities in versions 9.0 to 13.5, and scans servers to identify backdoors that have been installed. If non-Destiny files are discovered they are removed from the system.
Any school using the Destiny Library Management System must install the patch as a matter of urgency. If the Destiny Library Management System remains unpatched, malicious actors may take advantage and use the backdoors to install ransomware or steal sensitive data.
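The Destiny patch described above scans a server for files that do not belong to the application. The general technique behind that kind of check, as an added illustrative example that is not Follett’s patch or Cisco Talos’s scanner: record the path and SHA-256 digest of every file in a known-clean install, then compare the live deployment tree against that record. File names, paths and contents below are constructed for the demonstration.

```python
"""Audit a web application's deployment tree against a known-good manifest.

Added illustrative example; it is not Follett's patch or Cisco Talos's scanner.
Paths, file names and contents are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit_deployment(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the manifest.

    Returns three lists: files not in the manifest (where a dropped webshell
    would show up), files whose digest changed (a tampered application file),
    and files that should exist but are gone.
    """
    live = build_manifest(root)
    return {
        "unexpected": sorted(p for p in live if p not in manifest),
        "modified": sorted(p for p in live if p in manifest and live[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in live),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: build a manifest from a clean tree, then simulate
    the two changes an intruder leaves behind and audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        deploy = root / "deploy"
        deploy.mkdir()
        (deploy / "app.war").write_bytes(b"constructed stand-in for the shipped archive")
        (deploy / "index.html").write_text("<html>clean</html>")
        manifest = build_manifest(root)  # taken while the install is known to be clean

        # Simulated post-compromise state: one dropped file, one altered file.
        (deploy / "cmd.jsp").write_text("<%-- constructed stand-in for a dropped webshell --%>")
        (deploy / "index.html").write_text("<html>altered</html>")
        return audit_deployment(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points of practice follow from the article: generate the manifest from a clean install of the same version, not from the server being checked, and quarantine anything flagged rather than deleting it outright, so the dropped files remain available as evidence for the incident investigation.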
In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (also known as Samas/Samsam/Samsa). More recently, Reuters obtained a confidential advisory in which the FBI asked U.S. businesses and the software security community for help dealing with the growing enterprise ransomware threat from MSIL.
The new ransomware is particularly nasty as it is capable of infecting networks, not just individual computers. In February, the FBI alert provided details of the new ransomware and how it attacked systems by exploiting a vulnerability in the enterprise JBoss system. Any enterprise running an outdated version of the software platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.
Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.
Recent high profile attacks on healthcare organizations and law enforcement have resulted in ransoms being paid to attackers in order to unlock ransomware infections. Oftentimes there is no alternative but to pay the ransom demand in order to recover data. However, paying ransoms simply encourages more attacks.
The Enterprise Ransomware Threat is Now at A Critical Level
Ransomware is not new, but the methods being used by cybercriminals to infect systems are more complex, as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.
The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.
Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware, and blocking spam email is no longer sufficient to deal with the problem. MSIL attacks are being conducted by exploiting vulnerabilities in enterprise software systems; end users are being fooled into installing ransomware with social engineering techniques; drive-by downloads are taking place; and the malicious file-encrypting software is also being sent via spam email.
How to Protect Against Enterprise Ransomware Attacks
The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.
Some of the best protections include:
- Ensuring all software is kept up to date and patches are installed promptly
- Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
- Backing up all systems frequently to ensure data can be restored in the event of an attack
- Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
- Disabling macros on all computers
- Using web filtering solutions to prevent drive-by downloads and block malicious websites
- Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered
A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file-encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S. critical infrastructure community.
Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads across a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers, who will not release the decryption keys until the ransom is paid. Without those keys the data will remain locked forever. Businesses are often given no alternative but to give in to the attackers’ demands.
Rampant Ransomware Prompts ICIT to Issue Warning
The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.
According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable, and in many cases far exceeds the ransom demand.
Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively, and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Attacks are often conducted across international borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.
Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.
Ransomware Mitigation Policies are Essential
Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.
The report suggests four key areas that can help with ransomware mitigation.
- Forming a dedicated information security team
- Conducting staff training
- Implementing layered defenses
- Developing policies and procedures to mitigate risk
An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.
Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain; in many cases it is easier to trick an employee into installing ransomware than to attempt a hack. According to the report, this is one of the most important ransomware mitigation steps to take.
Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.
With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must know to whom they can report suspicious emails and network activity, and those individuals must know how to act on and deal with the threats reported to them.
Phishing scams have increased significantly in the past few weeks as cybercriminals step up their campaigns during tax season, with many using a technique referred to as business email compromise to fool victims into sending employee W-2 form data to the attackers.
Beware of Business Email Compromise Campaigns During Tax Season
Some organizations have thwarted attacks, but many have fallen for the phishing scams and have emailed highly sensitive employee data to the criminals behind the campaigns. Business email compromise is used in spear phishing campaigns: highly targeted and highly convincing attacks on small numbers of employees within an organization.
Most phishing campaigns are random. Emails are sent out by the million in the hope that some individuals will fall for the scams. The email campaigns are not particularly convincing and rely on greed or naiveté in many cases to attract a click or the disclosure of sensitive data.
Business email compromise campaigns, on the other hand, are much more convincing. They tend to involve very carefully constructed emails with good grammar, do not contain the spelling mistakes common in most spam emails, and are written individually and sent to a very select number of individuals within an organization, or to just one person. They are often personal, referring to the target by their first name. They also use business email addresses for the attack. An email sent from within the company, or seemingly from within the company, is much more likely to be trusted.
Corporate images are often used, email signatures copied, and the email address of the sender is spoofed. Victims are researched, as are the companies. The key to the success of these campaigns is their realism. The aim is to get an employee to take a specific action without thinking that the request is anything other than genuine. If the scam is successful, the victim may never know that they have been duped.
The email requests, at first glance at least, appear to be genuine. They appear to come from a senior executive or the CEO of the company. When a request appears to come from an authority figure within the company, it is less likely to be questioned.
In the past few weeks a number of companies have received business email compromise phishing emails and have sent attackers a list of employee W-2 form data, including Social Security numbers, dates of birth, names, and details of employee earnings for the year. These data can be used by the criminals to file false tax returns in the names of company employees.
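The traits described above (an executive’s name on a spoofed or look-alike address, a request routed back to an outside mailbox, and a demand for W-2 data) are also what a mail gateway can test for. The following is an added illustrative example and not code from the original article or from any mail-filtering product: it parses three constructed messages with Python’s standard `email` module and reports which indicators each one trips. The organization domain `acme-corp.example`, the executive list and the sample messages are constructed assumptions.

```python
"""Flag business email compromise indicators in inbound mail.

Added illustrative example, not from the original article or any product.
The organisation domain, executive list and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "acme-corp.example"                         # constructed
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.example"}  # constructed: name -> real mailbox
SENSITIVE_TERMS = ("w-2", "w2", "social security", "payroll", "wire transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as a swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message, in check order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Executive's name in the display field, but not the executive's mailbox.
    real_mailbox = EXECUTIVES.get(display_name.strip().lower())
    if real_mailbox and from_addr != real_mailbox:
        findings.append("executive display name on a different address")

    # 2. Claims to be internal, yet the receiving gateway recorded an auth failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == ORG_DOMAIN and any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("internal sender failed SPF/DKIM/DMARC (likely spoofed)")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Sender domain is a near miss of ours (e.g. a digit swapped for a letter).
    if from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("look-alike sender domain")

    # 5. The request itself is for tax or payroll data.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(term in body for term in SENSITIVE_TERMS):
        findings.append("requests W-2/payroll data")
    return findings


# Constructed samples. No leading blank line: the first blank line ends the headers.
SPOOFED_INTERNAL = (
    "From: Jane Doe <jane.doe@acme-corp.example>\n"
    "Reply-To: Jane Doe <jane.doe.ceo@freemail.example>\n"
    "Authentication-Results: mx.acme-corp.example; spf=fail; dkim=none\n"
    "Subject: Urgent\n"
    "\n"
    "Hi, I need the W-2 forms for all employees before noon today.\n"
)
LOOKALIKE_DOMAIN = (
    "From: Jane Doe <jane.doe@acme-c0rp.example>\n"
    "Authentication-Results: mx.acme-corp.example; spf=pass\n"
    "Subject: Quick favour\n"
    "\n"
    "Please send the W2s for every employee as a single PDF. Thanks, Jane\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@acme-corp.example>\n"
    "Authentication-Results: mx.acme-corp.example; spf=pass; dkim=pass\n"
    "Subject: Monday agenda\n"
    "\n"
    "Attached is the agenda for Monday's leadership meeting.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_INTERNAL), ("look-alike", LOOKALIKE_DOMAIN),
                          ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(sample))
```

Note that the look-alike message passes SPF: the attacker controls that domain, so authentication results alone do not catch it, which is why the display-name and domain-distance checks are needed alongside them. A hit on these heuristics is a reason to hold the message and apply the two-person verification the article recommends, not proof of fraud on its own.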
W-2 Phishing Scams Target Californian Companies
Magnolia Health Corporation recently announced one of its employees had fallen for a business email compromise scam and had sent a full list of employees to the attacker. The mistake was discovered, although not for a week. The attack took place on February 3, 2016.
Also on February 3, Californian company BrightView received a phishing email requesting employee data and sent the information, as requested, to the email scammers. BrightView discovered the mistake the following day.
Polycom, a content collaboration and communication technology company also based in California, was attacked in the same manner on February 5 and also fell for the business email compromise scam. California-based Snapchat was similarly fooled by the business email compromise scam and emailed the data of 700 employees to the attackers. Mercy Housing Inc. and Central Concrete Supply Co. also suffered similar attacks recently.
The attacks have not been limited to California. Alaskan telecommunications company GCI also fell victim to a similar attack, which resulted in the data of 2,500 employees being sent to a scammer.
BEC scams are convincing, and employees need to be particularly vigilant at this time of year. To reduce the risk of a BEC attack being successful, it is important that staff receive training on how to identify a business email compromise scam. Policies should also be introduced to make it harder for employees to fall for the scams, such as requiring all data requests to be verified by two employees, one of whom should be within the Information Security team.
Until tax season draws to a close we are likely to see even more companies fall for these scams.
The Marcher Trojan was first discovered in the wild around three years ago; however, malware does not remain the same for very long, so it is no surprise to see yet another Marcher Trojan variant appear. This time the method of attack differs substantially from previous incarnations of this money-stealing malware.
Marcher Trojan Delivered Using Fake Adobe Flash Update
This time, attackers are targeting users of online pornography and are attempting to trick them into installing the Marcher Trojan on their Android phones by disguising the malware as an Adobe Flash installer package. Adobe Flash may be on its last legs, but a considerable number of porn websites host Flash videos. Users of pornographic websites therefore need Adobe Flash in order to view adult videos.
The attackers are targeting users of pornographic websites by sending links to new porn sites via SMS messages and spam email. Clicking the links contained in those messages will direct the user to a malicious website where they are asked to download an update to Adobe Flash.
Adobe Flash updates are frequently released due to the high number of zero-day vulnerabilities discovered in the software. Users are therefore likely to think there is nothing untoward about the update. The attackers have named it AdobeFlashPlayer.apk to make the download appear genuine.
After downloading the update, the user is required to change settings on the phone to allow apps from unknown sources to be installed. They are then asked to give the fake Adobe Flash update administrator privileges. Once installed, the owner of the device will be unaware that they have just compromised their Android phone.
The malware will then start communicating with the attackers’ C&C server and will send a list of the apps installed on the device to the attackers. That information is then used to display the appropriate fake login screens for apps installed on the device. Those login screens record bank and credit card details and send them to the attackers.
Another method of attack used by the malware is to send an MMS message to the user asking them to download the X-Video porn app from the Google Play store. The X-Video app is not malicious and can be installed for free; however, after installing the app the user receives a fake prompt asking them to update their Google Play credit card information.
The Marcher Trojan can also prevent users from visiting the real Google Play store without first entering their payment card details into the fake Google Play payment screen.
Fortunately, the malware is easy to remove. The app can be deactivated and then uninstalled. But the user would need to know they have been infected in order to do that.
Blocking Adult Content to Protect WiFi Network Users
Any business that allows employees to access its WiFi network can improve network security by blocking access to adult websites. Preventing WiFi network users from accessing adult sites and other websites commonly used to deliver malware can greatly improve security posture.
The Marcher Trojan is being used to steal money from Android users, although the malware has been used to deliver at least 50 different payloads. Other Trojan downloaders deliver ransomware and other nasty malware. Once on a network the malicious software can cause a considerable amount of damage.
WebTitan can be used to prevent the downloading of files commonly used by hackers to hide malware such as SCR, EXE, and ZIP files. It can also be used to block access to risky websites and those known to contain malware.
For business WiFi networks, a web filter is now becoming less of an option and more of a necessity to prevent malware and ransomware downloads and keep users’ devices and networks malware free.
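The two controls described above, blocking downloads by file type and blocking sites by category, come down to a decision function over each requested URL. The following is an added illustrative example and not WebTitan’s code or configuration: it blocks the SCR, EXE and ZIP types named above (plus APK, added here on the assumption that the Android package used in the Marcher lure should be treated the same way), matches listed domains and their subdomains, and handles the ways a URL can disguise a download: upper-case extensions, query strings, URL-encoded dots and double extensions. The domain lists and sample requests are constructed.

```python
"""Evaluate a requested URL against a download-type and site-category filter.

Added illustrative example, not WebTitan's code or configuration. Domain
lists, sample URLs and the extra "apk" entry are constructed assumptions.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

BLOCKED_EXTENSIONS = {"scr", "exe", "zip", "apk"}
# Constructed category lists; a real filter uses a maintained feed.
BLOCKED_CATEGORIES = {
    "adult": {"adult-videos.example"},
    "malware": {"bad-downloads.example"},
}


def file_extension(url: str) -> str:
    """Extension of the path's last segment, lower-cased, after URL-decoding.
    Query strings and fragments are ignored, so 'x.apk?dl=1' is still an apk,
    and only the final suffix counts, so 'report.pdf.exe' is an exe."""
    path = unquote(urlsplit(url).path)
    name = path.rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def domain_category(host: str) -> Optional[str]:
    """Category of a host if it is a listed domain or a subdomain of one.
    'listed.example.evil.example' is deliberately not a match."""
    host = host.lower().rstrip(".")
    for category, domains in BLOCKED_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return category
    return None


def filter_decision(url: str) -> tuple[bool, str]:
    """Return (blocked, reason). The category check runs first so a listed
    site is denied outright; otherwise the requested file type is inspected."""
    parts = urlsplit(url)
    category = domain_category(parts.hostname or "")
    if category:
        return True, f"category:{category}"
    ext = file_extension(url)
    if ext in BLOCKED_EXTENSIONS:
        return True, f"filetype:{ext}"
    return False, "allow"


# Constructed requests exercising each evasion the checks account for.
SAMPLE_REQUESTS = [
    "http://cdn-mirror.example/AdobeFlashPlayer.APK?dl=1",   # upper case + query string
    "http://files.example/report.pdf.exe",                    # double extension
    "http://files.example/update%2Ezip",                      # URL-encoded dot
    "https://videos.adult-videos.example/clip.mp4",          # subdomain of a listed site
    "http://adult-videos.example.evil.example/page",         # looks listed, is not
    "https://docs.example/guide.pdf",                         # allowed
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(filter_decision(u), u)
```

An extension check is only the first layer: a download served from an unlisted host with no extension at all passes it, so a proxy should also inspect the response Content-Type and the file’s leading bytes before handing it to the client. The category match covers subdomains but refuses to match a listed name embedded in a longer host, which is what keeps the fifth sample from being blocked by mistake.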