The Central Texas IT Guy

Web Development Austin, SEO Austin, Austin Search Engine Marketing, Internet Marketing Austin, Web Design Austin, Roundrock Web Design, IT Support Central Texas, Social Media Central Texas

Tag: Ransomware Page 1 of 4

What Is Monti Ransomware?

By

On February 28, 2023

In Cybersecurity

Monti ransomware is a form of malicious software that encrypts files on an infected computer, rendering them unavailable to the user. It is a member of the Dharma ransomware family, which is known for its ability to encrypt files on an array of operating systems. The Monti ransomware encrypts files with a difficult-to-crack encryption, effectively holding the files until a ransom is paid.

Once a machine is infected with Monti ransomware, the user will receive a message with instructions for paying the ransom.

How Monti Ransomware Affects Systems

As is the case with the majority of ransomware, the Monti ransomware is primarily distributed by phishing emails or by exploiting unpatched software vulnerabilities. Sometimes, it can be transmitted via malicious websites or file downloads. Monti ransomware is not limited to Windows-based machines but may also attack Mac and Linux systems.

Once ransomware has been installed on the victim’s computer, it will search for and encrypt files with particular file extensions. A new file extension, such as “.monti” or “.id-.[random string], will be appended to the encrypted files. The victim will then be given with a ransom message containing instructions on how to pay the ransom in order to regain access to their files.

Preventing Monti Ransomware

Preventing Monti ransomware involves taking several steps to protect a computer and its data. Here are some measures that can help with it:

  • Updated and Patched Software: Unpatched software vulnerabilities are frequently exploited by ransomware. Updating your software reduces the chance of exploiting these vulnerabilities.
  • Email Attachments: Be wary of email attachments, as the Monti ransomware frequently spreads via phishing emails with infected attachments. Do not open or download attachments unless you are sure they are secure.
  • Use Antivirus Solutions: Antivirus systems can identify and fight ransomware before it may infect a machine. Use reliable anti-virus software and ensure that it is always up-to-date.
  • Regular Data Backups: By regularly backing up your crucial files, you can avoid losing them in the event of a ransomware attack. Ensure that you keep your backups in a secure area, such as an external hard drive or a cloud storage service.
  • Use robust passwords: The Monti ransomware can spread via brute-force assaults on weak passwords. Use two-factor authentication whenever possible, and use strong, unique passwords for all accounts.

What To Do If Your System Is Attacked By Monti Ransomware

If you are infected by Monti ransomware, you must immediately act to reduce the damage. You can do the following:

Disconnect from the network/internet: Remove your computer from the internet or internal network to prevent ransomware from spreading to other devices on the network. You may disable the network cable or switch off Wi-Fi on your system to disengage your system from the network.

Check for malware: Typically, the Monti ransomware appends the “.Monti” extension to encrypted files and puts a ransom letter titled “FILES ENCRYPTED.txt” on the desktop.

Restore your files: You can restore your files from a recent backup if you have one. Ensure that the backup is clean before restoring it to prevent reinfection.

Seek professional help: Contact a reputable cybersecurity organization or IT professional to set up a computer network or restore a computer system/network.

Reinstalling OS: Depending on the severity of the ransomware infection, you may need to reinstall the operating system to fix the damage it caused. Make a backup of any vital files before reinstalling.

To know more about how to protect your computer network from cyber-attacks, consult with Centex Technologies. You may contact Centex Technologies offices at Killeen (254) 213 – 4740, Dallas (972) 375 – 9654, Atlanta (404) 994 – 5074, and Austin (512) 956 – 5454.

 

What Is BitPaymer Ransomware?

By

On November 28, 2022

In Cybersecurity

BitPaymer is a ransomware type cyber threat that typically targets Windows-based systems on a compromised network. Also known as “wp_encrypt,” it was first discovered in 2017 and has launched different versions since then.

What Are The Attack Vectors of BitPaymer Ransomware?

BitPaymer uses multiple attack vectors to infiltrate the target network or system. The most commonly used attack vectors are:

  1. Phishing emails targeting organization’s employees
  2. Software downloads via third party, fake or malicious links
  3. Brute force attacks

What Does BitPaymer Ransomware Do?

BitPaymer Ransomware uses multiple steps to spread laterally across a network & infect multiple systems. Let us understand how the ransomware works:

  1. After infecting a system, the ransomware conceals itself & stays in the victim system to gather information such as login credentials, shared drives, IP addresses, private network details, etc.
  2. It further scans for servers running Microsoft Exchange & Microsoft SQL.
  3. The malware then penetrates Active Directory running on the network for lateral movement by infecting all other systems connected to the network.
  4. Once the systems are infected, the ransomware now encrypts all the files on the victim systems using RC4 and RSA-1024 encryption algorithms.
  5. The encrypted files are saved using “.locked” file extension. Some new versions of the BitPaymer ransomware use “.LOCK” as the file extension.
  6. A text file is generated for every encrypted file with extension “readme_txt” to inform the victim of encryption and provide details to contact the hacker.
  7. The ransomware also deletes the recovery checkpoints from the Windows system.
  8. A personalized ransomware note is also left on the desktop which includes ransom fee and steps that should be taken for data recovery.

What Makes BitPaymer Ransomware Unique?

BitPaymer Ransomware differs from other ransomware in many ways:

  1. The ransomware is very well-coded as compared to majority of ransomware that use Ransomware-As-A-Service codes.
  2. The hackers manually attack the Active Directory running on the network & also spend time to know the victim thoroughly.
  3. In some strains of the ransomware, the hackers build custom binary for every victim and even use the victim organization’s name in encrypted file extension.
  4. The ransomware makes extensive efforts to stay concealed in the target system.

How To Stay Protected Against BitPaymer Ransomware?

  1. Educate employees by conducting cyber security workshops to make them capable of spotting phishing attacks.
  2. Ensure regular data backup at multiple locations.
  3. Thoroughly review all RDP connections & secure them.
  4. Make sure to download & install the latest security updates on all servers & systems.

To know more about cyber security solutions for businesses, contact Centex Technologies. You can contact Centex Technologies at Killeen (254) 213 – 4740, Dallas (972) 375 – 9654, Atlanta (404) 994 – 5074, and Austin (512) 956 – 5454.

How To Stay Protected Against Clop Ransomware?

By

On July 30, 2022

In Cybersecurity

Clop ransomware is a member of the CryptoMix family known to infect Microsoft Windows operating systems. The Russian word ‘clop’ translates to “a bug” in English. The APT group known as TA505 uses ransomware widely as a final payload to target a system’s whole network, as opposed to a single machine. This virus functions by encrypting a file and appending the extension “.clop.” After successfully encrypting the file, the virus generates “ClopReadMe.txt” and places a copy in each folder. This file also includes the ransom note.

It was recently uncovered that the threat group had stolen 2 million credit card numbers via POS malware and threatened to demand a $20 million ransom from a German business as well.

How can individuals stay protected from Clop Ransomware?

  1. Be cautious when using computers. Lack of information and negligence are the fundamental reasons for computer virus infestations. So be careful when browsing the internet and downloading, installing, and upgrading software.
  2. Always open email attachments with caution. If the sender’s email address appears suspicious or unusual, do not open the attachment.
  3. Only use direct download links from authorized sources, as malicious programs are commonly distributed via third-party downloaders and installers. Updating software packages are required to keep installed software up to date and secure. The most secure method is to use tools or created features provided by the official developer.
  4. Using pirated software with software cracking tools is illegal and should never be done. You essentially steal intellectual property from software developers and do not pay them. Furthermore, because these tools are regularly used to transmit malware, the risk of malware infection is high.
  5. Blocking a C2 (Command and Control) connection in the middle of an infection chain can prevent malware from propagating. To accomplish such activities, use web filters. One of the most important tactics for preventing ransomware from infiltrating a machine or network is to deploy an effective endpoint security solution.
  6. If the machine has already been infected with the Clop ransomware, run a Windows antivirus tool to remove it. Install and run a reliable antivirus and antispyware software regularly; these capabilities can assist you in detecting and eliminating malware before it causes any harm. If Clop is already p in your system, we recommend running a scan with any NGAV (Next-Generation Antivirus) solution to eradicate the malware.

How can businesses stay protected from Clop Ransomware?

  1. Make a list of your resources and data, identify software/hardware that is legitimately necessary for business objectives, and audit incident and event logs.
  2. Manage software and hardware configurations. Allow admin rights and access only when necessary for an employee to accomplish his tasks. Keep a watch on the network’s services, protocols, and ports. Configure the security settings on routers and other network infrastructure devices. Make a software allow list that only allows legitimate and pre-approved programs to run.
  3. Conduct regular vulnerability assessments. Patch operating systems and software both physically and remotely. Install the most recent software and application versions to address zero-day vulnerabilities published by threat actors.
  4. Put measures in place for data recovery, backup, and asset protection. Set up MFA (Multifactor Authentication), ZTNA (Zero Trust Network Access), and PoLP (Principle of Least Privilege).
  5. Stop phishing emails through sandbox analysis. Install the most recent security updates on the system’s email, endpoint, web, and network layers. Also, implement sophisticated detection methods to identify early warning signals of an attack, such as the existence of suspicious tools on the system.
  6. Employees should be subjected to regular security training and review. Perform penetration testing and red-team drills.

Centex Technologies provides cyber security solutions for businesses. For more information about how to stay protected, contact Centex Technologies at Killeen (254) 213 – 4740, Dallas (972) 375 – 9654, Atlanta (404) 994 – 5074, and Austin (512) 956 – 5454.

Understanding Everything About GoBrut

By

On December 31, 2020

In Security

GoBrut is a computer virus written in Go programming language. The compilation of GoLang programs generates binaries that have all required dependencies embedded in them. It avoids the need of installed runtimes within the machine and simplifies the multi-platform support of Go applications.

Mode Of Infection

GoBrut virus infects Windows and Linux machines using ‘Brute Force’ method.

What Is Brute Force Infection?

A brute force attack is also known as brute force cracking. It involves a computer machine that tries different combinations of usernames and passwords until it finds the correct combination to unlock the victim machine or network.

There are different types of brute force attacks that can be used by GoBrut virus. Some common types are:

  • Dictionary Attack: The attacker uses a dictionary of possible passwords to guess the right password.
  • Exhaustive Key Search: The computer tries every possible combination of characters to find the correct password. The new computers can brute force crack an 8 character alphanumeric password (including capitals, lowercase letters, numbers, and special characters) in about two hours.
  • Credential Recycling: In this type of attack, the attackers use the leaked usernames and passwords from other data breaches.

The virus is mainly used to target servers running Content Management Systems (CMS) and technologies such as SSH and MySQL. Here is a list of commonly targeted platforms:

Content Management Systems

  • Bitrix
  • Drupal
  • Joomla
  • Magento
  • WordPress
  • OpenCart

Databases

  • MySQL
  • Postgres

Administration Tools

  • SSH
  • FTP
  • cPanel
  • PhpMyAdmin
  • Webhostmanagement

After-Infection Process:

  • After successful infection, the infected system becomes a part of the GoBrut botnet. It now requests work from Command and Control server of the botnet.
  • Once the work is received, the infected host will now bruteforce other systems on the network (mentioned in the work request sent by botnet owner).
  • This allows lateral spread of GoBrut virus in the network.
  • After gaining access to a machine’s credentials, the attackers may steal confidential information, photos or other private data.

As the virus uses brute force techniques to steal password, the machines using low-security passwords are at higher risk of infection. Thus, simple ways to protect a system or network from GoBrut virus are:

  • Use of strong and reliable passwords.
  • Regular update of passwords after short intervals.
  • Avoid use of common passwords for different systems.
  • Apply access control for remote logins across all services.
  • Update all services and plugins regularly to combat vulnerabilities.

For more information on the GoBrut virus, contact Centex Technologies at (254) 213 – 4740.

The New Ryuk Ransomware Attack

By

On November 28, 2020

In Security

Ryuk is a type of crypto-ransomware. It uses encryption as a way to block access to a system or file until the ransom is paid. The ransomware is generally dropped with the help of other malware such as TrickBot or Emotet. Another mode of infection used by Ryuk ransomware is ‘Remote Desk Services’.

The Ryuk attacks were popular in third quarter of 2019, however the ransomware went silent at the onset of COVID-19 quarantine. But, it has returned as new Ryuk ransomware with added features and evolution of tools used to compromise target networks and ransomware deployment.

The most notable feature of new Ryuk ransomware is ‘Speed’. Once a system is infected, the attackers gain access of domain controller and enter early stage of deployment just within a day.

The second notable feature of new Ryuk ransomware is ‘Persistence’. The attackers make multiple attempts by sending renewed phishing emails to establish a contact.

How Is A System Infected?

  • The attackers send a phishing email to the target. The email contains a link, which redirects the user to a malicious document hosted on ‘docs.google.com’.
  • When a user opens the document, its contents are enabled. This allows the document to execute a malicious executable identifier ‘print_document.exe’ as a Buer Loader. Buer Loader is a modular malware-as-a-service downloader.
  • When executed, Buer Loader drops malware files and a Cobalt Strike beacon ‘qoipozincyusury.exe’. it is a modular attack tool which is capable of performing multiple tasks such as providing access to operating system features and establishing a covert command & control channel within the compromised network.
  • Additional Cobalt Strike beacons are downloaded on the system for reconnaissance and to hunt for credentials. Numerous commands are run on the infected system to retrieve information such as list of trusted domains, list of members of ‘enterprise admins’, list of administrators for local machine, list of domain admins, network configuration, etc.
  • Using this data, attackers obtain administrative credentials and connect to domain controller, where they dump data of Active Directory.
  • Using domain administrator credentials, another Cobalt Strike service is installed on the domain controller. It is a chained Server Message Block listener. It allows Cobalt Strike commands to be passed on to the server and other computers on the network. This allows attackers to spread the attack laterally onto other systems in the same network.
  • The Ryuk is launched and it attacks the backup server. In case of detection or interruption by security protocols, the attackers use icacls command to modify access control. This gives them complete control of the system folders on the server.
  • Now, they deploy GMER, a rootkit detector tool. It is used to find and shutdown hidden processes such as antivirus. The ransomware is re-deployed and re-launched multiple times to overwhelm remaining defenses.
  • Ransom notes are dropped in folders hosting the ransomware.

Educate the employees to refrain from opening doubtful emails and documents to prevent the new Ryuk attack.

For more information on the new Ryuk ransomware attack, contact Centex Technologies at (254) 213 – 4740.

© Copyright 2022 The Centex IT Guy. Developed by Centex Technologies
Entries (RSS) and Comments (RSS)