Symtrex Inc.

Cyber Security Specialist

Call - 866-431-8972 | Send an Email | Request a Quote
Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin

How does Locky ransomware use DGA in its attacks?

by

From SearchSecurity (TechTarget) Nick Lewis

Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky’s techniques and how to detect it.

Security researchers say a new brand of ransomware called Locky has borrowed a technique from the Dridex banking malware. What is the Dridex malware technique and what elements of Locky make it different from other types of ransomware?

The Locky ransomware continues to improve its attack capabilities. Fortinet blogged about updates they identified in recent versions of the malware. Locky ransomware has incorporated a domain name generating algorithm to improve the resilience of the command-and-control (C&C) communications. Locky also incorporated an update to the C&C where the communications are minimally encrypted to prevent analysis over the network. Adding this functionality required significant efforts by the malware authors. Given how the malware is regularly updated with new functionality incorporating new attack techniques, this might suggest an experienced cybercriminal operation instead of low-skilled hackers.

The Locky ransomware appears to have borrowed the initial idea for the domain generation algorithm (DGA) from the Dridex malware. The DGA uses the infected machine’s year, month, day as well as seed values. This makes it possible to predict the domains Locky will register, and to sinkhole those domains in advance. Researchers at Forcepoint Security Labs analyzed an updated sample of the Locky ransomware that has a significantly improved DGA without the previous shortcomings.

Even though the Locky ransomware has incorporated functionality for DGA into the malware, it still has a backup IP address used for C&C of the botnet. The C&C encrypted communication was broken by Fortinet and could be detected over the network. Fortinet also released indicators of compromise for the C&C systems and indicators that a local computer should be checked to identify whether the system is infected, if the files had not yet been encrypted.

Ransomware Raises the Bar Again

by

From Dark Reading - Kelly Jackson Higgins

The infamous form of attack now ranks as the top threat to financial services, but preparedness can pay off for victims.

Ransomware just got even more real: it’s now the number one attack vector in the financial services sector, which traditionally has been considered a model industry for best security practices.

Some 55% of financial services firms recently surveyed by SANS report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they’ve lost anywhere from $100,000 to a half-million dollars due to ransomware attacks.

Ransomware’s infiltration of the security-forward financial services industry underscores the dramatic rise in ransomware over the past year and growing pressure on preparedness. The malware that infects machines and holds them for ransom payment by the victim is the fastest-growing form of malware today, with more than 4,000 ransomware attacks per day since January 1 of this year. That’s an increase of 300% since 2015, and security experts at Trend Micro say ransomware cost enterprises some $209 million in the first half of 2016.

Attackers are also tucking ransomware alongside and inside other attacks. Some ransomware attacks hold the machine for ransom and then also use it to wage distributed denial-of-service (DDoS) attacks on other victims. More than half of DDoS attacks worldwide ultimately lead to ransomware and other malware attacks, according to a new study by Neustar.

Meanwhile, organizations of all sizes and industries are getting infected with ransomware. The difference between those who get stung and those who survive relatively unscathed is preparedness – and sometimes a little luck.

Take the Hyannis, Mass.-based Barnstable Police Department, which was hit with its first-ever ransomware infection last month. Craig Hurwitz, director of IT at the department, says he noticed something was amiss when the department’s dispatch software and records management system stopped working. He took a closer look and spotted files being encrypted and file extensions getting altered.

“I tried to get a file and it wasn’t there,” he recalls. “And there was a text file in the directory saying ‘pay me now.'”

The police department reverted to radio dispatch to patrol cars, and Hurwitz contacted the backup and array vendor from which the Barnstable Police Department had recently purchased a system for data backup and storage capacity, as well as its data timestamp feature. At the time the department purchased the storage array system from Reduxio Systems, it was more about protecting against hard drive corruptions and server crashes. “At the time we weren’t thinking about ransomware specifically,” he says.

The recovery process with the backup system took 35 minutes with no loss of data or any ransom payment to the attackers. The malware never spread beyond the application server where Hurwitz found it. “They [Reduxio] cloned the drives … and set the timestamp two minutes before the infection had started … and remounted the drives,” Hurwitz says.

Backing up data regularly and keeping a clean backup has always been one of the key recommendations for surviving a ransomware infection. Even endpoints running the most up-to-date software, email filters, and other security layers can get hit with ransomware: all it takes is for a user to fall for a phishing email and to open a malicious attachment or link.

But how a backup is managed can be the difference between losing data to the attackers unless you pay, or retrieving data and eradicating the ransomware.

Travis Smith, senior security research engineer at Tripwire, says the old 3-2-1 strategy applies: “Always have three copies of data, one that is offsite [or] offline,” he says. “What’s also very important for companies to adopt in today’s ransomware world: we’ve seen ransomware that targets backup systems, so when you try to bring backups back online you don’t have the ability to restore from the backups.”

Backups of critical data should be tested at least every six months, he says, to ensure the data is uncorrupted and accessible.

Smith says clean backups work for about three-fourths of ransomware victims. “Seventy-five percent are successful [in ransomware recovery] if they have backups,” he says, meaning they can get to their data and not pay any ransom to the bad guys.

Users shouldn’t be storing critical data on their endpoints, either, he notes. Stick with a shared server for that information. “So then you only need to back up one critical server,” he says. “If a laptop gets infected with ransomware and the data isn’t backed up on a centralized server, you’ve lost that data.”

If backups aren’t done properly, it may be cheaper for an organization to pay the ransom, which is not recommended. Regular backup tests can drive down the cost of data restoration and make it more cost-effective than having to resort to actually paying a ransom if the data isn’t properly backed up, he says.

Phishing Attacks on the Rise, Human Error to Blame

by

By Robert Urrico - Credit Union Times

Many of the cybersecurity threats prevalent today such as oversharing on social media, unsafe use of Wi-Fi, and company confidential data exposure contributes to the ever-growing problem of phishing.

Pittsburgh-based cybersecurity firm Wombat Security Technologies’ Beyond the Phish Report, analyzed nearly 20 million questions and answers from their survey for this report. The report delved into how well end users are able to identify and manage security threats within an enterprise.

News and headlines, as well as numerous studies, have proven that phishing attacks are on the rise, and Wombat said its survey of security professionals showed the same. The threat of phishing attacks is real. In the last year, the list of organizational phishing victims increased by 13% to 85%, and 60% of enterprises said the phishing attack rate increased overall.

“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” Joe Ferrara, president and CEO of Wombat said. “To reduce cyberrisk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”

Social Media plays a big part in our lives but end users struggled here the most, missing 31% of the questions we asked them around what they should and should not do to keep themselves and their organizations safe.

“What’s more, in our survey of security professionals, we found that only about half are assessing users around this topic. Most companies allow social media access on work devices while admitting they are not very confident that their employees know what to do to keep their organization safe,” the report revealed.

The report also disclosed that not only is there room for improvement in protecting organizations against phishing attacks but in simply recognizing the existing dangers. Other key findings include:

  • End users missed 30% of questions about protecting and disposing of data securely, second only to safe social media use.
  • Professional services and healthcare employees performed the lowest on the nearly 1 million questions asked about safe passwords.
  • Healthcare industry had the highest assessment percentage of end users’ ability to protect confidential information with 31% of questions on the topic missed by those in that industry. The financial section weighed in at 22%.

Wombat suggested with the rise in the remote workforce and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe while they are outside the office. Improper use of free Wi-Fi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.

 

The 3 Biggest Mistakes in CyberSecurity

by

August 23, 2016 - Chris Moschovitis - Information Management

Everyone, from the small business owner, to senior executives in businesses of every shape and size are confronting a seemingly insurmountable problem: Constant and rising cyber security breaches. It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.

In an effort to stem the tide people have tried everything: From throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with it. And, every time the result is money lost, productivity decreased, and the attacks continue.

Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?

The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:

1. They think cyber security is a technology problem.

2. They follow a cyber security check list once-and-done.

3. They don’t have a cyber security awareness training program in place.

First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.

Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.

Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.

Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand in you work in a regulated industry. There, the concept, language, even governance of risk management is part of the daily lexicon.

Not so with small and mid-market business less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.

More importantly: A company’s Information Technology generates Value. It does so a myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.)

Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.

Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.

Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.

Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.

Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.

It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.

The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.

Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.

Cyber Threat and Vulnerability Assessment

by

A NetSHIELD Cyber Threat and Vulnerability Assessment can help you to understand: Baseline Security–who and what is really on your network. Build a trust list and identifying unknown and unwanted assets

Threat Prevention – identify zero-hour malware not detected with AV. Capture, in real time, successful phishing attacks with no false positives. Ensure IT and employee productivity and create tangible, teachable moments for reinforcing employee cyber-awareness.

Vulnerability Assessment and Compliance Report – discover and prioritize vulnerabilities that exist on your network and run compliance assessments for PCI, HIPAA, SOX, etc.

Sign up for 7 days of auditing and monitoring.

To register: