Symtrex Inc.

Cyber Security Specialist


‘Shock And Awe’ Ransomware Attacks Multiply

2017/02/14 by admin

From Dark Reading - Kelly Jackson Higgins

Ransomware attackers are getting more aggressive, destructive, and unpredictable.

RSA CONFERENCE 2017 – San Francisco - The data-hostage crisis isn’t going away anytime soon: In fact, it’s starting to get a lot scarier and more destructive, and with a more unpredictable outcome.

Security experts long have warned that ponying up with the ransom fee only plays into the hands of ransomware attackers; it doesn’t necessarily guarantee victims get their data back and unscathed, even though most of these bad guys thus far honor their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there’s a ransomware attack every 40 seconds.

James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.

He describes their brazen demands and attacks as a “shock-and-awe” approach that’s catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.

“We’re seeing more and more inclusion of a timer” and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely, he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn’t be retrievable at all.

“Not even the cybercriminals can recover the data” then, he says.

“It irrevocably shreds them. You’re not going to get the data back even if you go to a forensics specialist,” Lyne says. “They’re starting to move toward a more aggressive approach of ‘hand over the money more quickly.’”

“It’s a really interesting tactic because it invokes panic in the user” so they are afraid to talk to tech support for help, he says.

Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. “Traditional blackmailers know if someone pays once, they are probably going to pay again,” he says.

Lyne plans to show such a case of a repeat attack during his RSAC session entitled Reversing the Year: Let’s Hack IoT, Ransomware and Evasive Payloads. “I’m going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again,” he says.

So the days of cleanup post-ransomware infection meaning the event is over may soon be gone. Variants such as Ranscam actually erase the victim’s files after promising to relinquish the files after the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn’t even invest in encryption, so it’s a rather evil but ingenious way to wage a low-cost, high-return attack, according to Cisco’s Williams.

Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.

“In truth, most of these we’ve heard of weren’t targeted … the samples I look at have no example that they targeted specific types of businesses,” he says.

Even so, he’s seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. “It encrypts your data, you pay money to get it back and it then nicks your data” as well, says Lyne, who will demonstrate one such attack here.

“It’s not widespread … but it’s something people need to be aware of now,” he says. “You can’t just pay money and consider the incident over.”

Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data.

Headless But Deadly

Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. “We see this quite a lot,” Lyne says, and it tends to be lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channels are shut down. “Now there’s ransomware floating around that’s shredware: there isn’t a way to get your data back,” he says.

Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: “When it was abandoned, it stopped working and there was no key exchange,” which made it benign, he says.

The Talos team was seeing 130,000 ransomware samples per day in December of last year.

With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, the phishing emails and other ransomware-rigged places will still infect users. “This is a sign of things to come. So you should prepare,” Lyne says.

Meantime, ransomware variants such as Samsam have included a self-propagation feature that lets them spread like a worm, rather than just via email or malicious web content. Worm-like ransomware spreading could infect more victims more quickly, Cisco’s Williams says.

Be Prepared Or Prepare To Lose Data

The best defense from ransomware is preparation: expect the worst, and run regular backups. “Have a backup that works, one that’s not constantly connected to your computer such that you end up with an encrypted backup that’s also infected with ransomware,” Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.

Cloud-based backups can be helpful as well, Cisco’s Williams says. “Don’t put your eggs in one basket … Have unique usernames and passwords” for those types of services, he says.

Filed Under: antivirus, compliance, endpoint, Kaspersky, Malware, Products, Ransomware, Sophos

Daniel Reardon on Cybersecurity and Health Care Industry

2017/02/09 by admin

This is another great article from Lifars - posted February 3, 2017

Click here to read the full interview of Daniel Reardon

Here is a snippet:

LIFARS: Could you tell us about overall risk in the face of ransomware attacks in the healthcare industry?

Daniel: The overall risks to the healthcare industry regarding ransomware attacks are very high and they will continue to increase in 2017. While most industries have experienced their issues combating ransomware, the healthcare industry is being targeted more and more and with even greater precision. Why is this?

The healthcare industry and healthcare data affects human lives, and these organizations are in the business of doing whatever they can to help and protect human life. This makes healthcare data (PHI) absolutely mission critical to the nature of their business. These healthcare organizations must operate under HIPAA compliance to satisfy the healthcare data requirements.

I believe the increased risk from ransomware is because the secret is out that hospitals and healthcare organizations have been paying ransoms to get their encrypted data or systems back online. Healthcare organizations are submitting to these criminals, and are taking no chances at losing patient data, potential lawsuits, or even worse, putting human lives at risk.

There are examples out there where healthcare organizations have paid tens of thousands in ransom to get patient data back. Cyber criminals are aware of these payments, and they are using ransomware as their weapon to expose this policy weakness.

While healthcare organizations should primarily focus on preventing ransomware from getting on their networks in the first place, some organizations are paying the ransom because it is the quickest way to get their data back and/or a system back online. Delta Risk has had clients seek our advice on whether they should pay a ransom if they are impacted. While we advise highly not to pay a ransom, there are clients considering it as part of a contingency plan if such a problem were to occur on a mission critical system.

Paying ransoms has really created momentum in the ransomware risks to a healthcare organization. Paying a ransom doesn’t guarantee you will be able to even get the data back, and it will also put a bigger bullseye on the organization’s back as the criminals begin to target any paying organization more aggressively.

Another factor I believe attributed to the increase in ransomware attacks is the cryptocurrency bitcoin. Bitcoin has been a boon for criminals looking to make a quick buck, and it complements ransomware extremely well. Bitcoin is a means for these criminals to blackmail healthcare organizations without much trace to the financial transaction. It has gotten easier to set up a bitcoin account, and to link a bitcoin account to the malware so that a ransom can be distributed easily and anonymously. Bitcoin has perpetuated the spreading of ransomware with criminal intent for financial gain.

As more healthcare devices get integrated online, these devices will continue to expose healthcare organizations to more risks as their digital footprint expands. As the old adage goes, “There is no honor amongst thieves”, so I foresee the ransomware threat to the healthcare industry to continue to develop and in a more tactical manner, without any mercy. Spearheaded ransomware that targets entire business functions or operational systems that are mission critical will continue to disrupt healthcare organizations. As long as the potential for profit is greater than the likelihood of getting caught, healthcare organizations will continue to be a criminal’s primary target.

Filed Under: antivirus, Bitdefender, Kaspersky, Ransomware, Sophos

12 Endpoint Solutions for Corporate Networks under Windows 10 Put to the Test

2017/02/08 by admin

From AV-Test

Microsoft’s offers to users yielded results: Windows 10 installations for corporate users are constantly increasing and have already reached roughly 25 percent worldwide. That’s why the experts at AV-TEST decided to examine 12 corporate solutions for Windows 10.

Normally companies are slow to upgrade to new systems. For Windows 10, however, this trend is moving more quickly than expected. The worldwide share of Windows 10 among all operating systems is already at 25 percent. That is almost four times the market share of Windows 8.1.

Yet even with the new Windows 10, companies cannot rely on the built-in resources when it comes to security. A good client and server security solution is indispensable here. AV-TEST examined 12 security solutions for corporate users in the categories of protection, performance and usability. The tests took place over a two-month period in November and December 2016.

Two products achieve a top rating

The products can score up to 6 points in each test phase. This means a maximum of 18 points can be achieved. If a product reaches 18 or 17.5 points, it is rated a “top product”. The solutions from Bitdefender and Kaspersky Lab (Small Office Security) garnered this special recognition. A total of four products attained excellent results of 17 points: the packages from Symantec, Seqrite, Trend Micro and Kaspersky Lab (Endpoint Security).

All other corporate solutions tested still delivered good results of 14.5 to 16.5 points. This is also the range achieved by the free Microsoft System Center Endpoint Protection module.

For the full report ->

Filed Under: antivirus, Bitdefender, endpoint, Kaspersky, Malware, Products, Security News

Protecting the endpoint – Advice from Pros Not the vendors

2017/02/06 by admin

It is rare to come across an article that is full of timely, accurate information on how to protect the endpoint, rather than a whitepaper from a specific vendor on why its endpoint products are the best, or a piece that picks the threat du jour and how to stop it.

The document from Tech Target, “Put Endpoint Security in Capable Hands”, provides clear and concise steps to protect the endpoints, supplementary defenses, and a discussion of cloud-based endpoint security. Written by three highly respected individuals – Eric Cole, Michael Cobb and Karen Scarfone – it is well worth the time to download and read.

Download the paper

 

Filed Under: antivirus, CyberThreats, endpoint, Malware, Products, Security News

Sophos again in the Gartner Magic Quadrant as a Leader

2017/02/01 by admin

Sophos has again been placed in the Leader Quadrant in the Gartner Magic Quadrant.

As per Gartner, Sophos strengths include Intercept X, a behavioural ransomware protection element that allows recovery of files that were encrypted before the ransomware was detected and stopped; the Sophos Synchronized Security element, which provides communication between the firewall and endpoints; and their cloud-based Sophos Central administration.

In addition, Sophos Intercept X can be installed in conjunction with any other third-party antivirus software for an added layer of protection.

For more information on the Sophos product offerings - give us a call at 866-431-897, or email us.

To download the full report, visit Sophos

Filed Under: antivirus, Products, Ransomware, Security News


© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement