Technology by Design

Technology news, reviews, and how to keep your technology running fast and smooth!

Startup GRAIL closes $900 million in Series B funding.

March 7, 2017 by The T By D Team

Not our everyday computer post around here, but I found it nice that, in among all the crowdfunding programs that give money to stupid things every day like digging holes and filling them, GRAIL, a startup that hopes to catch the early stages of cancer before it takes hold in the body, is well on its way to 1 billion dollars and could climb to upwards of 1.8 billion.  It’s nice to see a feel-good tech story once in a while instead of all the ransomware alerts that have become part of the daily culture.  Here’s to hoping they are able to perfect the technology and make a difference!

Early cancer detection startup GRAIL closes on $900 million in Series B funding

Filed Under: Blogs, Featured

ALERT: Double-Ransomware Attack

December 14, 2016 by The T By D Team

A new, and very scary ransomware strain has surfaced, called Goldeneye.  It encrypts the workstation TWICE:  First it encrypts the files, then it encrypts the Master File Table.

The attack arrives as a spam phishing email (HINT:  Need a Spam Filter!), and presents itself as a job application form to be filled out.  Attached is an infected PDF with the “application”, which it claims will get the process started.  In the PDF is a polite reference to the also-attached Excel file, which it states “contains more details”.

When the victim opens up the Excel file, they get a suggestion on how to display the “aptitude test”.

Sophos, the company that first reported Goldeneye, states,

“The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage the victim to make a change to their Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

If you permit macros to run in this Excel file, you will quickly regret it.  The VBA downloads a copy of the Goldeneye ransomware, and immediately launches it.”

The VBA programming language used in Office macros is powerful enough to allow CyberCriminals to control Word or Excel programmatically, but also to perform more general functions…such as downloading files from the web, saving them to disk, and running them.

Once the Excel file is activated, all the malicious activity happens in the background.  However, when the encryption is completed, there’s a whole bunch of files left behind called: “YOUR_FILES_ARE_ENCRYPTED.TXT”, which announces the infection:

[Image: goldeneye]

Most file-encrypting ransomware strains stop here.  But Goldeneye’s developer has experience, and does a double-whammy attack similar to their Petya/Mischa strain, encrypting the Master File Table (MFT) of that machine as well.

Goldeneye works a bit differently than previous strains in that it first encrypts the files, then performs a “UAC bypass” and the low-level MFT attack, then reboots and pretends it’s doing a CheckDisk.

[Image: goldeneye-check-disk]

Once the “check” is finished, another reboot sounds the alarm with some rather dramatic ASCII art:

[Image: reboot-alarm]

Pressing the “Any Key” (anyone else hear Homer Simpson in their head right now?) gives you this:

[Image: any-key-result]

**In case you’re wondering why Sophos redacted the so-called personal decryption codes in the images above, the encryption is different for your files and for your MFT: the malware uses different algorithms and different keys each time.**

Long story short, if you pay to unlock your scrambled MFT so you can reboot into Windows, then (assuming the CyberCriminals actually send you the decryption key) you’ll get back into Windows only to face the “YOUR_FILES_ARE_ENCRYPTED.TXT” pay page as well.  

If you don’t have reliable backups, you get to pay 1.4 Bitcoins all over again.  

Yes, that’s 2.8 Bitcoins total, which starts to get very expensive!

Want help?  Need an IT partner that cares as much about your business as you do?
Call Technology by Design.  We’ll build a custom IT plan to suit your needs AND your budget!
You can’t stop CyberCriminals from targeting your company or employees.
But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-292-8293

For Cyber-Extermination!

#itthatworks

Filed Under: ALERTS, Blogs

Coming Soon to An Internet Provider Near You: Infected Routers!

December 8, 2016 by The T By D Team

One of the latest attacks to be unleashed upon the public:  routers infected by internet-of-things botnet-building malware such as Mirai.

One of the latest victims is London-based TalkTalk, or, to be precise, many of its broadband customers who were issued routers that contain a vulnerability now being exploited by at least one Mirai variant.  Security researchers report that the vulnerability appears to relate to a poor implementation of the TR-064 “LAN-Side DSL CPE [Consumer Premises Equipment] Configuration” protocol in its routers.

[Image: talktalk]

Although TalkTalk has begun to fix the vulnerability, infected routers are already being used as IoT launch pads for distributed denial-of-service (DDoS) attacks.  Researchers at the security firm Incapsula reported in a December 7/16 blog post that one of its customers (an unnamed bitcoin website) was hit with a DDoS attack on December 5th.  Incapsula states it traced the attack back to 2,398 Mirai-infected TalkTalk routers located in the U.K.

Another security researcher, speaking on condition of anonymity, told the BBC that he’d exploited the flaw in TalkTalk routers to scrape 57,000 subscribers’ devices and retrieve each one’s service set identifier (SSID) code and media access control (MAC) address, as well as Wi-Fi password.  The researcher said his intention was to highlight that a malicious attacker could have also gained access to the devices, for example, to infect them with Mirai malware, which is known to target known vulnerabilities (including default access credentials) in dozens of different types of routers and other internet-connected devices, including digital video recorders and IP cameras.

Think just because this happened in the U.K. that you shouldn’t worry?  Think again.

Most routers are very similar, no matter where you live.  The UK just happened to be targeted first…this time.  And you can bet that the U.S. and Canada aren’t far behind.

Most people never change the default settings, including the default password, that come with their equipment.  This gives attackers quick & easy access to your equipment, information, and your business.

A lot of small businesses tend to try to save money by doing their own IT, or by having a friend or family member that “knows a bit about computers” do it.  I’m all for saving money, but on the right things.  If you partner up (yes, your IT person should feel like a partner) with the correct IT company, they can help you protect your business, while saving you money by cutting out stuff you simply don’t need.

Filed Under: ALERTS, Blogs

URGENT ALERT: AdultFriendFinder Scams

November 14, 2016 by The T By D Team

A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts including over 15 million “deleted” records that had not been purged from the company’s databases.

The exfiltrated records included 339 million accounts from AdultFriendFinder.com, which the company promotes as the “world’s largest sex and swinger community.”  62 million accounts from Cams.com, and 7 million accounts from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company.

The data accounts for 2 decades’ worth of data from the company’s largest sites, according to breach notification site LeakedSource, which obtained the data.

Why does this matter?  Because beyond the fact that people’s private and personal information was stolen, even from people who had deleted their accounts, CyberCriminals will be using this information to victimize these people again, and again.  Spammers, phishers, and blackmailers will be rubbing their hands together in anticipation, never mind the divorce lawyers and private investigators that will be poring over their data for clients.

All of these 339 million registered AdultFriendFinder users are now a target for a multitude of social engineering attacks.  People that had straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

As in the Ashley Madison case a while ago, you can expect phishing emails that claim people can go to a website to find out if their private data has been released.  A sample of one of the phishing emails sent out in the Ashley Madison case is:

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value 625 USD) to the following address:

1B8eJ7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won’t know it’s you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins].  If you need help locating a place to purchase BTC, you can start here…

On the other side of the spectrum, other phishing emails will be received that lure people into clicking on a link to a website to see if their spouse has not been faithful.  The subject line will likely be something similar to “Your spouse was found on the AdultFriendFinder list”.

You can’t stop CyberCriminals from targeting your company or employees.
But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

Filed Under: ALERTS, Blogs

ALERT: Fake Retail Apps

November 14, 2016 by The T By D Team

ALERT:  Fake Retail Apps for iPhone and Android

The New York Times has issued a warning to the public about a new kind of ID theft:  App ID Theft…just in time to deceive holiday shoppers!

Every holiday season, “retail apps” become popular.  Starbucks started the trend, but others have since copied.

Both Apple’s App Store and Google Play are getting crowded with fake “imposter” apps.

The counterfeiters are masquerading as big retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like Zappos.com and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.

The fake apps trick you into downloading them to your smartphone or tablet, and ask you to load your credit card.

5 Things to Remember When Downloading Apps:
  1. Be very judicious in deciding what app to download.  Better safe than sorry!
  2. If you decide to download an app, first check the reviews.  Apps with few reviews, or bad reviews, are a big Red Flag!
  3. Never click on a link in any email to download a new app.  Only go to the website of the retailer to get the link to the legit app on the AppStore or Google Play.
  4. Give as little information as possible if you decide to use an app.
  5. Be very, VERY, reluctant to link your credit card to any app!

For more information on the New York Times’ warning, go to: http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html

Filed Under: ALERTS, Blogs

ALERT: New Locky Ransomware Released

November 10, 2016 by The T By D Team

There seems to be a new Locky ransomware phishing attack released this past week.

The emails claim to be “credit card suspended” or “suspicious money movement” warnings.

Graham Cluley reports:

“In the last few days there have been a spate of spammed-out attacks using similar techniques to dupe unwary internet users into clicking on an attachment that will lead to their Windows PC being infected with the notorious Locky ransomware.”

This attack is now using threats claiming that there have been “suspicious movements” of funds out of your bank account and/or that your credit card account has been suspended.

Here are a couple of examples of the phishing emails being received:

1.  “Suspicious movements” email:

[Image: lockey-phishing-email]

2.  “Suspended card” email:

[Image: locky-suspended-card]

Attached to the email is a ZIP file containing a malicious JavaScript file (.JS) that, once opened, downloads the most recent version of the Locky ransomware from a remote server.

The Locky CyberCriminals are extremely well-organized, and highly automated.  They change the names and contact details used in these phishing emails, so you cannot rely on them being the same.  Ransomware is CyberCrime’s most successful and lucrative business model, so you can count on the threat being around for a long time.
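
As an added example (not code from this blog, Sophos or Graham Cluley), the two delivery methods described in these alerts, the macro-bearing Excel file in the Goldeneye post and the ZIP containing a .JS file in this one, can be flagged when mail is triaged. The sketch uses only the Python standard library; the function names, the script extensions beyond .js, the depth and size limits and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The alert names .JS; the other extensions are an added generalization.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc container
MAX_DEPTH = 3             # assumed limit on nested archives
MAX_MEMBER = 20_000_000   # assumed cap on unpacked size (zip-bomb guard)


def inspect_file(name, data, depth=0):
    """Return findings for one attachment or archive member."""
    findings = []
    if name.lower().endswith(SCRIPT_EXTS):
        findings.append(f"script file: {name}")
    if data.startswith(OLE_MAGIC):
        findings.append(f"legacy Office container, check for macros: {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [f"archive nested too deep: {name}"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # .xlsm/.docm files are ZIPs; their macros live in vbaProject.bin.
        if any(m.lower().endswith("vbaproject.bin") for m in zf.namelist()):
            findings.append(f"Office file with VBA macros: {name}")
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted: contents cannot be checked
                findings.append(f"encrypted archive member: {member}")
            elif info.file_size > MAX_MEMBER:
                findings.append(f"oversized archive member: {member}")
            else:
                findings += inspect_file(member, zf.read(info), depth + 1)
    return findings


def triage_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = inspect_file(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_message():
    """Constructed sample with harmless stand-ins for the lures described."""
    def make_zip(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, content in files.items():
                zf.writestr(member, content)
        return buf.getvalue()

    msg = EmailMessage()
    msg["Subject"] = "Suspicious movements"
    msg.set_content("Details attached.")
    attachments = {
        "statement.zip": make_zip({"statement.js": "// placeholder"}),
        "application.xlsm": make_zip({"xl/vbaProject.bin": b"placeholder"}),
        "notes.txt": b"plain text, nothing to flag",
    }
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(name, "->", findings or "no findings")
```

Legacy .xls and .doc files are flagged here by container type only; confirming that one actually holds a macro needs an OLE parser.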

Filed Under: ALERTS, Blogs

How Employees Help Bad Guys Steal Credentials

November 7, 2016 by The T By D Team

How exactly do CyberCriminals gain access to a company’s network?

A security researcher decided to see how hard it would be to create a targeted phishing attack on a total stranger.  He went to Facebook and found a guy he did not know personally, and found a wealth of information, including:

  • He visited Tapley’s Pub in Whistler, BC on Sept. 20
  • He visited The Brewhouse in Whistler on Sept. 16
  • The names of at least some of the people he was with on Sept. 13
  • He visited the 192 Brewing Company on Sept. 12
  • He visited the Chainline Brewing Company on Sept. 11
  • He visited American Pacific Mortgage on Sept. 9
  • He went to a Seattle Seahawks game on Sept. 3

And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.

If the security researcher were a bad guy trying to get access to this victim’s corporate login credentials, he could easily create an email with the subject line “Problem with your credit card charge at Tapley’s Pub”, a subject line that would make the victim open the email given his recent visit there.

Next, in the email, the bad guy could write a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge.  That link could be to a site that would automatically download a keystroke logger to his computer, and…GAME OVER.

The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.

The moral of this story:  
Do not share all kinds of personal information on social media.  

This is true from the mail room up to the board room.  Shared personal information can come back to you & bite hard!

Filed Under: Blogs, FAQ

ALERT: Another Tech Support Scam Making the Rounds

October 31, 2016 by The T By D Team

Tech support scams are getting more and more sophisticated.  

Security giant Symantec states, “These scams remain one of the major and evolving forces in the computer security landscape.  Between January 1 and April 30 this year, the Internet Crime Complaint Centre (IC3) received 3,668 complaints related to tech support scams, which amounted to adjusted losses of almost US $2.27m.”  And that’s just in the U.S.

Now, there’s a new scam that’s popping up on computer monitors everywhere.

The scam starts when the victim unknowingly visits a compromised website.  Then, according to Symantec, “the web page displays a fake ‘hard drive delete timer’ that warns the user that their hard drive will be deleted within five minutes.  A warning audio tone is also played in the background, which again warns the user that their system is infected.”

Victims then receive a popup “alert” on their monitor, claiming to be from the victims’ “Internet Service Provider”, or Microsoft, or something similar.  The popup ‘alert’ states it is warning the user that their hard drive will be wiped of all data…unless, of course, they call the fake customer support number (which of course they are nice enough to provide you with).  

[Image: tech-support-scam]

Another variation is that your screen goes blue, and claims that your computer needs to be repaired.

[Image: fake-blue-screen]

DO NOT call any numbers provided to you via popups.  Do NOT click on any links.  Do NOT open any attachments.

If you think the warning might be legitimate, call your Internet provider, or whoever the popup is claiming to be from…but look up the phone number yourself.  Or go to their website by typing their website into the address bar yourself.  Never call numbers provided, click on links, or open attachments.

From January 1, 2016 through October, Symantec has blocked more than 157 million tech support scams.  
The U.S., UK, and Canada were the countries targeted the most by tech support scams.

 

Filed Under: ALERTS, Blogs

How to be an Easy Hacker Target

October 27, 2016 by The T By D Team

One of the most publicized items of the U.S. election (other than Trump’s alleged sexual inappropriateness) is the hacking of Hillary Clinton’s private server.

I’m actually surprised that this hasn’t gotten more press than it has, given the highly sensitive data & emails that have been leaked.  But, that aside, how did this happen?  How was this allowed to happen?

John Podesta is the Chairman of the 2016 Hillary Clinton presidential campaign (he also previously served as Chief of Staff to President Bill Clinton, and Counselor to President Barack Obama).  Podesta fell for simple social engineering.  He fell for one of the most common phishes that we see – a Google credentials phish.  

In Podesta’s case, the bad guys used a bit.ly link – something else we see all the time.  And the landing page for the credentials phish, probably looked similar to the one below:

[Image: google-credit-phish]

How To Make Yourself an Easy Phishing Target:
  • Use a terrible password.  Use a common, easy-to-remember (i.e. easy-to-guess) password.
  • Re-use that same password for multiple sites and/or accounts.
  • Share your password with your coworkers and/or assistants.
  • Ask an assistant to email you your password when you forget it.
  • Don’t turn on two-factor authentication.
  • Don’t change passwords after one account is known to be compromised.

Filed Under: Blogs, FAQ

ALERT: Exotic Ransomware

October 20, 2016 by The T By D Team

A new ransomware strain released by “EvilTwin” or “Exotic Squad” was discovered in early October.

Although the ransomware looks like all the other ransomware on the surface, in looking deeper, it could prove VERY annoying in the future.

The Exotic Ransomware will encrypt all files, just like other ransomware.  What it does differently than other ransomware is that it also encrypts executables in targeted folders on a victim’s computer, which makes the programs unusable.  Then it will hit the Desktop twice, making it appear as though it was continuously monitoring for new files.

The encrypted files will then look similar to the ones below, when you go to look for them:

[Image: exotic-ransomware-encryption]

The ransomware will then download a background image for the lockscreen & display the lock screen similar to below:

[Image: exotic-ransomware]

When the timer reaches 0, Exotic will shut down the computer.

The ransomware appears to be in the development state, with 3 variants released over 3 days.  The latest contains the Jigsaw Ransomware-like screenlocker ransom note that demands $50 USD to decrypt the files.  

You shouldn’t be seeing it too much yet.  But you can bet it’s being geared up for widespread release soon!

Filed Under: ALERTS, Blogs
