Symtrex Inc.

Ransomware Surveys Fill in Scope, Scale of Extortion Epidemic

2016/11/21 by admin

From Dark Reading - Terry Sweeney

Half of all surveyed organizations have been hit with ransomware campaigns in the last year, many more than once

Some 50% of organizations have been hit with a ransomware infection in the last year, and of those, 85% have suffered from three or more attacks, according to a user survey conducted by security vendor SentinelOne.

As a result, 70% of respondents report an increase in IT security spending, and 65% have changed their security strategies to focus on mitigation. More than half (52%) say they’ve lost faith in their antivirus protection.

“It’s not surprising to see high levels of apathy towards traditional antivirus software, and we don’t expect the ransomware epidemic to slow down anytime soon,” says Jeremiah Grossman, chief of security strategy for SentinelOne, in a statement. “The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky.”

Tis the season for vendors’ ransomware surveys. PhishMe reports this week that developers of Locky ransomware have shown “creativity, agility, and adaptability” in their repeated improvements to the malware, frustrating the efforts of analysts, researchers and infosec professionals to prevent or mitigate attacks. And Cato Networks says that 73% of CIOs view defending against ransomware and other emerging threats as their top priority for 2017.

While few security pros would deny that ransomware is a growing problem, the trio of vendor reports begins to put the scope and scale of this malware epidemic into sharper contrast.

“Infosec professionals need to understand that ransomware leverages the current malware infrastructure, it’s extremely easy to create, and it scales very well. It’s also very lucrative for the bad guys,” Grossman tells Dark Reading in a phone interview. Left unaddressed, the proliferation of ransomware threatens to mirror that of spam. “We have an opportunity now, but if we wait too long, ransomware’s going to be everywhere,” he adds.

Grossman also distinguishes between two kinds of ransomware attacks: indiscriminate and targeted. With indiscriminate campaigns, the bad guys know nothing about the content or value of the data they’re encrypting. In a targeted attack, bad actors will go after a healthcare organization, for example, because it’s literally life and death and widely assumed that they’ll pay. “A couple weeks ago, a company was targeted and four hospitals had to reschedule patient operations while they dealt with ransomware infection,” Grossman explains.

SentinelOne surveyed 500 “cybersecurity decision makers” at organizations with more than 1,000 employees in October 2016, including 200 people in the US, and 100 each in the UK, France, and Germany.

What can organizations do to protect themselves against this kind of extortion? One obvious preventive measure is performing regular data backups, so if an organization’s servers or desktops get hit with a ransomware attack, they’ll have unencrypted copies in reserve that allow them to carry on with business as usual. “One thing ransomware has done is inadvertently exposed the lack of backup data” on the part of end-users, Grossman explains.

It really comes down to patching, especially since browsers are getting hit with drive-bys; another protection is to monitor inbound attachments on email and to disable macros. “Should malware get into the system and start to execute, there’s technology available that detects bad apps at runtime,” Grossman recommends.

SentinelOne’s survey highlighted other issues for companies hit with ransomware:

  • Company data most often affected by ransomware campaigns was financial data (52%), employee information (46%) and customer information (37%);
  • 68% of respondents agreed that traditional security techniques can’t protect organizations from the next generation of malware;
  • Most companies still assume responsibility for data breaches and ransomware attacks; only 42% say they would demand answers from their IT security vendors.

Filed Under: antivirus, Bitdefender, endpoint, Malware, Products, Ransomware, Sophos

The Next Generation of Ransomware Might Leak Your Data, Not Destroy It

2016/11/21 by admin

From Fast Company, Steve Mellendez

Security experts warn of new types of malware that threaten to publish instead of encrypt valuable, confidential information.

Right when internet users have learned to be wary of malware that encrypts files and holds them for ransom, security experts are warning that digital extortionists are taking more aggressive steps to get paid.

“You’re seeing different techniques with the goal of improving the conversion rates of people actually paying,” says Jerome Segura, lead malware intelligence analyst at the security firm Malwarebytes.

Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.

“This is a very recent change in the tactics they’re using,” he says, noting that they’ve appeared only within the past few months.

Dunbar has yet to see malware make good on threats to leak data, and Ensey says that at least some variants appear to display fake progress bars purporting to show data transfers to attackers’ servers without actually uploading any files. Storing and leaking files is logistically more difficult than just encrypting them on victims’ own computers, experts say.

But Ensey predicts that by next year there will be actual data leaks attributed to ransomware, if only to motivate more attack victims to pay the ransom.

“I would not guess that we’re far off from public examples of that,” he says.

Previously, security experts advised companies and individual users to make regular backups of important files so they’d be ready to restore them if they were encrypted or damaged by malware. But that’s of less help if malware creators instead threaten to distribute information, potentially exposing companies to liability, or individual users to embarrassment or risk of identity fraud, he says.

“My thinking now is that organizations really have to focus on: How do we isolate sensitive or private information from places where ransomware tends to find itself?” he says. “You have to make it so it’s incredibly hard for that ransomware to touch or gain access to any kind of sensitive data through a standard channel.”

Preventing leaks by computers infected with malware is ultimately similar to protecting data against insider threats. That means that organizations shouldn’t simply have an unencrypted network drive with confidential materials like sensitive business plans or medical records, Ensey says.

Earlier versions of ransomware have already struck institutions with large troves of mission-critical, confidential information, such as hospitals, which could be motivation enough for entities to pay to keep patient records from falling into the wrong hands. But individual consumers represent the bulk of ransomware victims, according to a report released in April by the security firm Symantec. People could feel forced to pay to safeguard anything from financial and medical documents to explicit pictures, particularly if ransomware attacks on smartphones become more common.

“The variants that are out today are mostly Windows-based, so it’s desktop computing,” Ensey says. “If they can adapt it to mobile, I think then you might have an audience for this that would in fact pay the ransom.”

Ransomware creators have recently gotten more aggressive in other ways, too, according to Segura, sometimes permanently deleting files rather than leaving them encrypted if victims don’t quickly pay up. Some malware varieties have also focused their energies on particular classes of files likely to be of interest, such as spreadsheets, and future attackers may well use more sophisticated pricing to determine how much ransom to charge.

“It’s a business decision. Like marketers, how do you [set] the price?” Segura says. “Finding the sweet spots where people are willing to pay is really important to the economics of the ransomware business.” That might mean charging more when it comes to victims with more apparent business documents or photos, or adjusting ransom amounts for targets in certain geographical regions.

Users looking to stay safe should maintain multiple backups to minimize the risks from disk-encrypting malware and keep sensitive information encrypted or off networked machines altogether. Once files are leaked, it can be difficult or impossible to remove them from the internet.

“If the information is published in some server that’s out of U.S. jurisdiction, for example, then having that information taken down is going to be very, very difficult,” Segura says. That applies equally to business data and sensitive personal files like texts and photos.

“If you think you don’t want your mother or grandmother to see that picture, think about putting it somewhere secure, because you don’t want it leaked,” he says.

Filed Under: Advanced Persistent Threat, antivirus, Bitdefender, compliance, CyberThreats, Kaspersky, Malware, Products, Ransomware, Security News, Sophos

NIST Releases Version of Cybersecurity Framework for Small Businesses

2016/11/18 by admin

Steve Zurier - Dark Reading

Researchers offer a step-by-step approach for covering the basics of cybersecurity.

NIST has been working closely with the Small Business Administration on cybersecurity issues for small business since 2003.

Now, as a follow-up to years of collaboration, NIST recently released a streamlined version of its Cybersecurity Framework geared to small businesses owners.

Released earlier this month, Small Business Information Security: The Fundamentals, runs 54 pages and offers small businesses a snapshot of the core concepts of the framework, which include the following: identify, protect, detect, respond and recover.

Patricia Toth, a supervisory computer scientist and co-author of the report with Celia Paulsen, says the guide came out of numerous workshops NIST held in tandem with the SBA over the past several years.

“We wanted to get some of the main points of the Cybersecurity Framework to the small business audience, but realized that the average small business owner wouldn’t want to pore through the entire framework,” Toth points out.

Frank Dickson, an analyst with IDC who covers security, says the streamlined document NIST put together for small businesspeople does a good job covering the basics of security.

“The only point I would add is that the document stresses strong passwords and while that’s good cyber hygiene, I’d like to see people look more toward stronger authentication,” Dickson says.

Toth adds while stronger authentication makes sense for more mature organizations, the average small business is generally just starting to think about stronger security, so they decided to get people focused on stronger passwords.

Even though it’s streamlined at 54 pages, small business owners may still not know where or how to get started with security. Here’s a thumbnail that outlines six steps:

  1. Manage risk. Small business owners should start by asking what information is most important to the business and what’s essential for them to protect. For example, if a marketing booklet gets leaked it’s probably not as sensitive as if a customer list was exposed.
  2. Train the staff. Run a lunchtime seminar on how to identify phishing attacks and how to flag suspicious email and report it to the owner. It’s also important for the staff to be aware of the company’s policies on using Facebook, YouTube videos or general Internet browsing time. If there are no policies, then make your wishes known to the staff.
  3. Stay up to date. Keep in mind there are small businesses with close to 100 employees and those with under 10. Companies with under 10 employees may have a tech person who comes in to set up the network, but they don’t always have that person handle software updates and patches. We understand there’s a lot going on at your company and you are focused on sales, but don’t let updates and patches slip through the cracks. Automate as much as possible, but try to apply updates when they come out.
  4. Run backups routinely. So many small businesses don’t do this, and with ransomware as much of a threat as it is today, running offsite backups has become more important than ever. Decide whether backups need to be run once a day or once a week, but once a month won’t keep your company safe.
  5. Investigate cyber insurance. Cyber insurance may or may not be worth it to your company. However, it makes sense to talk to some insurance brokers and see where you stand. Whatever you do, don’t call about cyber insurance without having your security program in place. The rates you pay and how much cyber insurance your company qualifies for will be based on your overall security posture. A ratings system has been evolving and has not been standardized yet, so be prepared to do some homework before asking a broker about cyber insurance.
  6. Seek out a professional IT company. Even larger small businesses tend to have an IT person or outsourced contractor who comes in and sets up and manages the network. Use business contacts or your trade association to find technology companies with experience running network security, preferably in your industry. These companies can set up individual password accounts, secure the routers, install firewalls and web filters, and explain how the system runs to the owner or the owner’s designated in-house tech person. Too many companies try to go it alone and then complain about spending money on a professional IT company. Don’t be that company. One breach of a prized customer list or sales results that get into the wrong hands could cost you your business. Working with professional IT people is well worth the expense, especially in this threat landscape.

Filed Under: antivirus, compliance, CyberThreats, Products, Security News

Outsider attack, the main cyber threat US companies are not prepared for

2016/11/17 by admin

By Razvan Muresan, Bitdefender - Business Insights

The main cyber threats companies are not prepared for are: outsider attack (43%), data vulnerability (38%), insider sabotage (35%), user errors (35%), and phishing (35%), according to a Bitdefender survey on US IT decision makers.

Outsider attacks and data vulnerability pose a significant risk for all companies and represent the main threats that companies are unprepared to handle, and CIOs are aware that cybercriminals can spend large amounts of time inside organizations without being detected - APTs are often defined as designed to evade detection.

Cyber criminals also use tactics to draw attention away from what they are doing and where they have succeeded, while these cyberattacks impact business decisions, mergers/acquisitions and competitive positions, as recent reports confirmed.

“To limit the risks of insider sabotage and user errors, companies must establish strong policies and protocols and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” Bitdefender’s Bogdan Botezatu, Senior e-Threat Specialist recommends. “The IT department must create policies for proper usage of the equipment, and ensure they are implemented.”

In the past two years, companies witnessed a rise in security incidents and breaches, with a significant increase in documented APT (Advanced Persistent Threat) attacks targeting top corporations or government entities (such as APT-28). This type of attack is intended to exfiltrate sensitive data over a long period or silently cripple industrial processes. In this context, concerns for security are rising to the top levels, with decisions taken at the board level in most companies. Both IT decision makers and CEOs are concerned about security, not only because of the cost of a breach (unavailable resources and/or money lost), but also because the reputation of their companies is at risk when customer data is lost or exposed to criminals. As real cases have shown, the bigger the media coverage a security breach receives, the greater the complexity of the malware causing it. On top of this, migrating corporate information from traditional data centers to a cloud infrastructure has significantly increased companies’ attackable surface, bringing new threats and more worries to CIO offices regarding the safety of their data.

Read the full white paper here.

Methodology

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchase professionals (CIOs/CEOs/ CISOs – 26 percent, IT managers/directors – 56 percent, IT system administrators – 10 percent, IT support specialists – 5 percent, and others), from enterprises with 1,000+ PCs based in the United States of America.

More than half of the organizations surveyed are from the IT hardware and software / electronic and electrical engineering industries, while 24 percent are from manufacturing, 6 percent from transportation, 4 percent are providers of telecommunication services, 4 percent are utility or public services companies, and the rest come from construction, retail, distribution, media or other industries.

Some 62 percent of the organizations surveyed have over 3,000 employees, 14 percent between 2,000 and 2,999, and 24 percent between 1,000 and 1,999.

Regarding IT infrastructure development in the organizations, 39 percent of the companies have 3,000+ computers, 21 percent between 2,000 and 2,999, and 40 percent between 1,000 and 1,999. The average proportion of employees working on computers in the organizations surveyed is 74 percent.

Geographically, a third of the organizations are in the West, 30 percent in the North-East, 28 percent in the South and 11 percent in the Mid-West.

Contact us for more information on BitDefender.

Filed Under: Advanced Persistent Threat, antivirus, Bitdefender, compliance, CyberThreats, endpoint, Malware, Products, Security News

Call centre agents warned about malicious email attachments from potential customers

2016/11/15 by admin

by Howard Solomon - IT World Canada

Contact centre agents should be warned about allowing alleged customers to send them email attachments, after a security vendor discovered a new wave of attacks against three customers, including North American hospitality companies, similar to those from the Eastern European based Carbanak crime group.

In a blog posted Monday, Trustwave said it came to that conclusion after investigating incidents.

In one instance an attacker called a customer contact line saying that they were unable to use the online reservation system so wanted to send their information to the agent by email attachment, said the report. The attachment was a malicious Word document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware. The malware replaced text in a Word document with that of its own, which to the agent looks like a request for information from the hotel for a corporate function.

The malicious VB Script uses macros to search for instances of Microsoft Word running on the system; if one is found, it clears the existing text and replaces it. “This malware was capable of stealing significant system and network information,” says Trustwave. “It was also used to download several other reconnaissance tools to map out the network.” Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others.

Beaconing messages are sent out to 179.43.133.34 via standard HTTP GET requests every five minutes, said Trustwave, to let a command and control server know a system has been compromised. “Using this simple methodology allows the beaconing to hide very well within standard corporate network traffic.” However, the report adds, its uniformity of structure also allows analysts to identify it relatively quickly.
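The fixed five-minute HTTP GET cadence Trustwave describes is exactly what makes this beaconing detectable in proxy logs: timer-driven requests are far more regular than human browsing. The Python below is an added example, not code from Trustwave or from this page; it runs over constructed proxy log lines (the destination is a TEST-NET placeholder address, not the address reported above) and flags source/host pairs whose inter-request gaps all fall within 10% of their median.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic): "<ISO timestamp> <src_ip> <method> <url> <status>".
# 10.0.0.5 fetches the same URL on 203.0.113.10 (a TEST-NET placeholder, not the
# address from the report) roughly every 300 s, mixed in with ordinary browsing.
SAMPLE_LOG = """\
2016-11-14T09:00:00 10.0.0.5 GET http://203.0.113.10/index.php?id=1a2b 200
2016-11-14T09:00:07 10.0.0.5 GET http://www.example.com/news 200
2016-11-14T09:05:01 10.0.0.5 GET http://203.0.113.10/index.php?id=1a2b 200
2016-11-14T09:06:45 10.0.0.5 GET http://www.example.com/news/archive 200
2016-11-14T09:10:00 10.0.0.5 GET http://203.0.113.10/index.php?id=1a2b 200
2016-11-14T09:14:59 10.0.0.5 GET http://203.0.113.10/index.php?id=1a2b 200
2016-11-14T09:15:30 10.0.0.5 GET http://www.example.com/ 200
2016-11-14T09:20:02 10.0.0.5 GET http://203.0.113.10/index.php?id=1a2b 200
2016-11-14T09:03:00 10.0.0.7 GET http://www.example.com/ 200
2016-11-14T09:09:00 10.0.0.7 GET http://www.example.com/a 200
2016-11-14T09:21:00 10.0.0.7 GET http://www.example.com/b 200
2016-11-14T09:22:00 10.0.0.7 GET http://www.example.com/c 200
"""


def parse_log(text):
    """Group GET requests by (source IP, destination host) as (timestamp, url) pairs."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, _status = line.split()
        if method != "GET":
            continue
        parts = urlsplit(url)
        key = parts.path + ("?" + parts.query if parts.query else "")
        groups[(src, parts.netloc)].append((datetime.fromisoformat(ts), key))
    return groups


def find_beacons(text, min_requests=4, max_jitter=0.10):
    """Flag (src, host) pairs whose request spacing is near-periodic.

    jitter = largest deviation of any inter-request gap from the median gap,
    as a fraction of that median; human browsing is bursty and scores high,
    a timer-driven beacon scores close to zero.
    """
    hits = []
    for (src, host), reqs in parse_log(text).items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "host": host,
                "requests": len(reqs),
                "median_interval_s": median,
                "jitter": round(jitter, 3),
                # one URL repeated every time is the "uniform structure" the report notes
                "distinct_urls": len({url for _, url in reqs}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample log only the 10.0.0.5 to 203.0.113.10 pair is flagged (median gap 300 s, jitter 0.01, a single URL); the ordinary browsing from 10.0.0.7 scores a jitter of 1.0 and is ignored.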

If not stopped, however, the process downloads malware that executes a new instance of svchost.exe and injects its malicious code into this running process. This hides the malware within the svchost.exe process. It then searches for Kaspersky antivirus processes and terminates them if they are running on the victim system.

It then downloads kldconfig.exe, kldconfig.plug, and runmem.wi.exe, which Trustwave says are all well-known Carbanak malware tools. Variations of them were used in the banking intrusions in 2015. Additionally, the decrypted code references “anunak_config” which is the encrypted configuration file that it downloads from its control server. The Anunak crime group is generally believed to be synonymous with Carbanak.

“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY … Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems, which is presumably the end goal.”

In short, “the attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the card holder data environment, and then infects systems able to process card transactions.”

“The persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave,” says author Brian Hussey, the company’s director of global incident readiness and response. “The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”

Have a question on how to protect yourself - give us a call 866-431-8972.

Filed Under: antivirus, Bitdefender, CyberThreats, endpoint, Kaspersky, LogRhythm, Malware, Network Access Control, Products, Security News, Snoopwall, Sophos

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement