Double-Ransomware Attack

A new, and very scary ransomware strain has surfaced, called Goldeneye.  It encrypts the workstation TWICE:  First it encrypts the files, then it encrypts the Master File Table.

The attack is received as spam phishing email (HINT:  Need a Spam Filter!), and presents itself as a job application form to be filled out.  Attached is an infected PDF with the “application” which claims will get the process started.  In the PDF is a polite reference to the also attached Excel file, which it states “contains more details”.

When the victim opens up the Excel file, they get a suggestion on how to display the “aptitude test”.

Sophos, the company that first reported Goldeneye, states,

“The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage the victim to make a change to their Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

If you permit macros to run in this Excel file, you will quickly regret it.  The VBA downloads a copy of the Goldeneye ransomware, and immediately launches it.”

The VBA programming language used in Office macros is powerful enough to allow CyberCriminals to control Word or Excel progammatically, but also to perform more general functions…such as downloading files from the web, saving them to disk, and running them.

Once the Excel file is activated, all the malicious activity happens in the background.  However, when the encryption is completed, there’s a whole bunch of files left behind called: “YOUR_FILES_ARE_ENCRYPTED.TXT”, which announces the infection:

Most file-encrypting ransomware strains stop here.  But Goldeneye’s developer has experience, and does a double-whammy attack similar to their Petya/Misha strain and encrypts the Master File Table (MFT) of that machine as well.

Goldeneye works a bit different than previous strains in that first it encrypts the files, then performs a “UAC bypass” and the low-level MFT attack, then reboots and pretends it’s doing a CheckDisk.

Once the “check” is finished, another reboot sounds the alarm with some rather dramatic ASCII art:

Pressing the “Any Key” (anyone else hear Homer Simpson in their head right now?) gives you this:

**In case you’re wondering why Sophos redacted the so-called personal decryption codes in the images above, the encryption is different for your files and for your MFT: the malware uses different algorithms and different keys each time.**

Long story short, if you pay to unlock your scrambled MFT so you can reboot into Windows, then (assuming the CyberCriminals actually send you the decryption key) you’ll get back into Windows only to face the “YOUR_FILES_ARE_ENCRYPTED.TXT” pay page as well.  

If you don’t have reliable backups, you get to pay 1.4 Bitcoins all over again.  

Yes, that’s 2.8 Bitcoins total, which starts to get very expensive!

Want help?  Need an IT partner that cares as much about your business as you do?

Call Technology by Design.  We’ll build a custom IT plan to suit your needs AND your budget!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-292-8293

For Cyber-Extermination!

#itthatworks

Coming Soon to An Internet Provider Near You:  Infected Routers!

One of the latest attacks to be unleashed upon the public:  routers infected by internet-of-things botnet-building malware such as Mirai.

One of the latest victims is London-based TalkTalk, or, to be precise, many of its broadband customers who were issued routers that contain a vulnerability now being exploited by at least one Mirai variant.  Security researchers report that the vulnerability appears to relate to a poor implementation of the TR-064 “LAN-Side DSL COE [Consumer Premises Equipment] Configuration” protocol in its routers.

Although TalkTalk has begin to fix the vulnerability, infected routers are already being used as IoT launch pads for distributed denial-of-service (DDoS) attacks.  Researchers at the security firm Incapsula reported in a December 7/16 blog post that one of its customers (an unnamed bitcoin website) was hit with a DDoS attack on December 5th.  Incapsula states it traced the attack back to 2,398 Mirai-infected TalkTalk routers located in the U.K.  

Another security researcher, speaking on condition of anonymity, told the BBC that he’d exploited the flaw in TalkTalk routers to scrape 57,000 subscribers’ devices and retrieve each one’s service set identifier (SSID) code and media access control (MAC) address, as well as Wi-Fi password.  The researcher said his intention was to highlight that a malicious attacker could have also gained access to the devices, for example, to infect them with Mirai malware, which is known to target known vulnerabilities (including default access credentials) in dozens of different types of routers and other internet-connected devices, including digital video recorders and IP cameras.

Think just because this happened in the U.K. that you shouldn’t worry?  Think again.

Most routers are very similar, no matter where you live.  The UK just happened to be targeted first…this time.  And you can bet that the U.S. and Canada aren’t far behind.

Most people do not change the default settings, including default password, from the one which comes with their equipment.  This provides quick & easy access to your equipment, information, and your business.

A lot of small businesses tend to try to save money by doing their own IT, or by having a friend or family member that “knows a bit about computers” do it.  I’m all for saving money, but on the right things.  If you partner up (yes, your IT person should feel like a partner) with the correct IT company, they can help you protect your business, while saving you money by cutting out stuff you simply don’t need.

Want help?  Need an IT partner that cares as much about your business as you do?

Call Technology by Design.  We’ll build a custom IT plan to suit your needs AND your budget!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-292-8293

For Cyber-Extermination!

#itthatworks

URGENT ALERT:  AdultFriendFinder Scams

A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts including over 15 million “deleted” records that had not been purged from the company’s databases.

The exfiltrated records included 339 million accounts from AdultFriendFinder.com, which the company promotes as the “world’s largest sex and swinger community.”  62 million accounts from Cams.com, and 7 million accounts from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company.

The data accounts for 2 decades worth of data from the company’s largest sites, according to breach notification LeakedSource, which obtained the data.

Why does this matter?  Because outside of the fact that people, even people who had deleted their accounts, private and personal information was stolen, CyberCriminals will be using this information to victimize these people again, and again.  Spammers, phishers, and blackmailers will be rubbing their hands together in anticipation, never mind the divorce lawyers and private investigators that will be pouring over their data for clients.  

All of these 339 million registered AdultFriendFinder users are now a target for a multitude of social engineering attacks.  People that had straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

As in the Ashley Madison case a while ago, you can expect phishing emails that claim people can go to a website to find out if their private data has been released.  A sample of one of the phishing emails sent out in the Ashley Madison case is:

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value 625 USD) to the following address:

1B8eJ7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won’t know it’s you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins].  If you need help locating a place to purchase BTC, you can start here…

On the other side of the spectrum, other phishing emails will be received that lures people into clicking on a link to a website to see if their spouse has not been faithful.  The subject line will likely be something similar to “Your spouse was found on the AdultFriendFinder list”.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks