Tag: Ransomware Page 2 of 4

What Is CryptoWall Ransomware?

On November 23, 2020

A ransomware is a type of malware that encrypts user files on victim computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used RSA public key for file encryption, however, the new versions use AES key for file encryption. The AES key is further encrypted using a public key. This makes it impossible to get the actual key needed to decrypt the files.

Mode Of Infection:

Traditionally, CryptoWall ransomware was distributed via exploit kits. But, now spam emails are also used to infect the victims. The spam email contains RAR attachment that includes a CHM file. When the victim opens the CHM file, it downloads ‘CryptoWall binary’ to the system and copies itself into the %temp% folder.

CHM file – Compiled HTML or CHM file is an interactive html file that is compressed inside a CHM container and may hold other files such as JavaScript, images, etc. inside it.

Execution:

The Cryptowall binary downloaded on the system is compressed or encoded. Useless instructions and anti-emulation tricks are deliberately inserted in the coding to break AV engine protection.
On execution, it launches a new instance of explorer.exe process.
In the next step, the ransomware injects its unpacked CrytoWall binary and executes the injected code.
The original process automatically exits itself after launching the injected explorer process.
The files are encrypted and the ransomware deletes the volume shadow files using ‘vssadmin.exe’ tool. This makes sure that the encrypted files may not be recovered.
The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to the auto start key to help them stay persistent even after the infected system is rebooted.
A new svchost.exe process is launched with user privilege and malicious binary code is injected into it.
The ransomware connects to I2P proxies to find live command and control server.
The server replies with unique encryption key generated specifically for the target system. The key starts the file encryption thread and drops ransom notes in all directories.
Finally, it launches Internet Explorer to display ransom notes and the hollowed svchost process kills itself.

Protection:

Keep antivirus up-to-date
Back up the files
Apply windows update regularly
Avoid clicking random emails
Disable remote desktop connections
Block binaries running from %appdata% and %temp% paths

For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.

Understanding The Concept Of Ransomware As A Service

By centexitguy

On October 30, 2020

In Security

Ransomware is a type of malware that extorts money from the target victim by infecting and taking control of the victim’s systems or secured documents stored in the system. Ransomware attacks either locks the computer from normal use or encrypts the documents using a key available with the attacker only. ‘Ransomware as a Service’ is a kind of ‘Software as a Service’ provided by tech vendor. RaaS can also be defined as a ransomware infrastructure that is rented to hackers on dark web. It is an easy platform for novice hackers (with zero to low knowledge of coding malware) to access ransomware attacks and implant these ransomwares on victim’s machines for claiming extortion money.

How Does RaaS Function?

Here is a simple map of events to explain the functioning of RaaS model:

A deceitful vendor offers a tool containing Ransomware on Dark web
The package contains all the software and related files needed for a successful ransomware attack
Hackers and malicious actors purchase this tool package
They use the tools for attacking a victim’s system or network to get hold of computer files and information
Depending upon the type of ransomware, it may either lock or encrypt the files
The hackers now demand financial ransom in exchange of returning data access to the victim

Similar to other ‘Software as a Service’ models, RaaS involves user services such as provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The buyers of RaaS have the option to order up the capability of the ransomware for launching a more severe attack.

Some important points to note include:

RaaS users take deliberate steps to conceal their identity and take deliberate steps to make their actions hard to track. A common practice is to demand payments in digital currency as it is comparatively difficult to trace.
Once the victim makes the ransom payment, it is not guaranteed that the hacker will provide the decryption key to the victim. Also, making the ransom payment does not ensure that the hacker will not leak any files or documents.

What Measures Can Be Taken To Combat RaaS Attacks?

Organizations need to take following measures to secure themselves against RaaS attacks:

Employees are the most vulnerable entry point but they may be used as first line of defense, if properly educated. Regularly educate them on the latest ransomware attacks and cyber security practices they should employ.
Secure the system and network by continuously auditing for any vulnerability. Also, regularly update the cyber security tools for latest versions.
Maintain a backup of all the files at a location from where they can be easily retrieved. This helps the business to keep functioning even if the systems are attacked.

For more information on understanding the concept of ‘Ransomware as a Service’, contact Centex Technologies at (254) 213 – 4740.

Necurs Botnet

By centexitguy

On January 25, 2020

In Security

PDF Version: Necurs-Botnet

What Is SamSam Ransomware?

By centexitguy

On July 15, 2019

In Security

SamSam is a targeted ransomware attack which incorporates custom infection using a wide range of exploits or brute force tactics. The ransomware is also known as Samas or SamsamCrypt. The first version of the ransomware was released in late 2015. The SamSam ransomware attacks do not make use of phishing or malware downloads to infect a network; instead they utilize following modes of infection:

Vulnerabilities in Remote Desktop Protocols (RDP)
Vulnerabilities in Java based web servers
Vulnerabilities in File Transfer Protocol (FTP)
Brute force against weak passwords
Stolen login credentials

Once, the ransomware has initial foothold on the victim’s network, it compromises the network to gain control. Also, SamSam is a manual attack. Thus, in case an application detects the ransomware, the attackers modify a registry entry to disable the endpoint tool’s detection. This enables them to compromise the application and control the network. SamSam uses a number of applications to accomplish the attack such as Mimikatz, reGeorg, PsExec, PsInfo, RDPWrap, NLBrute, Impacket, CSVDE, PowerSploit and JexBoss.

During the reconnaissance phase, the attackers try to write a plain text file named test.txt to target. If successful, they add the target to a list titled alive.txt on Domain Controller (DC). After ensuring that DC has writing privileges for machines, the ransomware is deployed and pushed to all the machines controlled by DC simultaneously.

The ransomware follows an efficient approach for encrypting the files on infected machines.

The encryption is initiated on holidays, weekends or late nights to buy time for maximizing the impact before getting noticed.
Files with selective extensions or important files required for running the machines are encrypted first.
The remaining applications or files are encrypted later; starting from smaller files and gradually moving towards larger files.
A unique AES key is generated for every encrypted file.
As soon as encryption is complete, ransomware deletes its installer and removes any traces of the attack.
It becomes difficult for victims to download files from off shore backup because the applications required to run the machine are also inaccessible. Thus, they are required to go thorough time consuming process of reloading the disk and installing applications before downloading back up files.

A ransom note is left on target organization’s machines demanding a set amount of bitcoin currency to decrypt a single machine and a lump sum amount for decrypting all the machines at once. Every victim is provided a unique web address on dark web which leads to chat feature for communicating with the attackers. The chat is deleted after a victim pays the ransom.

Security Practices To Prevent SamSam Attack:

Regularly install available patches for RDP service. Also, disable the service when not needed by the users.
Ensure that no RDP ports are left open during interactions between cloud-based virtual machines and public IPs. If it is required to leave RDP Port of a system open, keep the system behind firewall and instruct users to communicate with this machine via VPN.
Enable, two-factor authentication, strong passwords and account lockout policies.

For more information on how to secure your network, call Centex Technologies at (254) 213 – 4740.

Understanding LeakerLocker Ransomware Attack

By centexitguy

On April 26, 2019

In Security

LeakerLocker is a ransomware that affects mobile devices running on android platform. Unlike other mobile ransomwares that encrypt user data, LeakerLocker Ransomware doesn’t encrypt your data but locks your screen. Cybercriminals claim that the user’s private & confidential information will be transferred to their secure cloud and sent to the victim’s phone contacts if he fails to pay a ransom amount.

The mobile malware research team at McAfee identified the LeakerLocker ransomware on July 7, 2017. It was spotted that the ransomware was spreading via two apps:

Wallpapers Blur HD
Booster & Cleaner Pro

The apps function like any legitimate app; however once installed, a malicious code is loaded via a command-and-control server. When the access permission is granted, the code collects sensitive data from the user’s phone and blackmails him against it.

What Type Of Data Is Collected?

Personal photos
Contact numbers
Sent and received SMS
Phone call history
Facebook messages
Chrome history
Full email texts
GPS location history

How To Protect Your Device From LeakerLocker Ransomware?

Install An Antivirus Software: Protect your phone from any ransomware attack by installing a reputed antivirus software. These software scan the websites as well as apps to ensure that they are safe and do not contain any type of malware.
Update Your Phone: Make sure that you check your phone for android system updates available and download them regularly.
Back-up Your Files: It is important to back-up your files regularly to recover them in case of any data loss. You can back-up the information to the cloud or store your data on an external hard drive.
Don’t Download Apps From Unknown Sources: Whenever you download an app, make sure that you download it from a trusted source. Avoid downloading third party apps as they may pose a security threat. Also change your system settings and disable them to perform unofficial app installations.
Ignore Pop-Up Installations: Be wary of pop-up installations and avoid installing an update or plug-in.
Know Before Clicking On A Link: Make sure that you do not click on any links which you receive via an email or text from an unknown source.
Check The App Reviews: Read the reviews before downloading any app and also ensure that it is from a reputable developer. Do not download the app if you find something suspicious in the comments

For more information about ransomware attacks and ways to protect yourself from them, call the team of Centex Technologies at (254) 213-4740.