Posts Tagged Ransomware

What Is SamSam Ransomware?

SamSam is a targeted ransomware attack in which the operators gain entry by hand, using a wide range of exploits or brute-force tactics. The ransomware is also known as Samas or SamsamCrypt. Its first version was released in late 2015. SamSam attacks do not use phishing or malware downloads to infect a network; instead they rely on the following modes of infection:

  • Vulnerabilities in Remote Desktop Protocol (RDP)
  • Vulnerabilities in Java-based web servers
  • Vulnerabilities in File Transfer Protocol (FTP)
  • Brute force against weak passwords
  • Stolen login credentials

Once the attackers have an initial foothold on the victim’s network, they work through it to gain control. SamSam is a manual attack: if a security application detects the ransomware, the attackers modify a registry entry to disable the endpoint tool’s detection, which lets them neutralize that application and take control of the network. SamSam operators use a number of tools to carry out the attack, such as Mimikatz, reGeorg, PsExec, PsInfo, RDPWrap, NLBrute, Impacket, CSVDE, PowerSploit and JexBoss.

During the reconnaissance phase, the attackers try to write a plain-text file named test.txt to each target. If the write succeeds, they add the target to a list titled alive.txt on the Domain Controller (DC). After confirming that the DC has write privileges on the machines, the ransomware is deployed and pushed to all machines controlled by the DC simultaneously.

The ransomware follows an efficient approach for encrypting the files on infected machines.

  • Encryption is started on holidays, weekends or late at night to buy time and maximize the impact before it is noticed.
  • Files with selected extensions, or important files required to run the machines, are encrypted first.
  • The remaining applications and files are encrypted later, starting with smaller files and gradually moving to larger ones.
  • A unique AES key is generated for every encrypted file.
  • As soon as encryption is complete, the ransomware deletes its installer and removes any traces of the attack.
  • It becomes difficult for victims to restore files from offsite backups because the applications required to run the machine are also inaccessible. They therefore have to go through the time-consuming process of reloading the disk and installing applications before restoring backup files.
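
The reconnaissance and encryption behaviours above leave patterns that can be checked in file-activity telemetry. The following Python script is an added example, not code from the original post: it runs three detections over a constructed set of file-write events (a single source writing test.txt to many hosts, a write of alive.txt onto a domain controller, and a burst of local writes on a weekend night). The event schema, host names and thresholds are assumptions chosen for illustration.

```python
"""Heuristics for two SamSam behaviours described in the post: one source
writing test.txt to many hosts during reconnaissance, and a burst of file
modifications outside business hours when encryption starts.

Added example, not code from the original post. The event records use a
constructed, simplified schema (timestamp, writer host, target host, path);
mapping real Sysmon, Windows 5145 share-access or EDR fields onto it is an
assumption left to the reader."""
from collections import defaultdict
from datetime import datetime, timedelta


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def parse(events):
    return [(datetime.fromisoformat(ts), src, dst, path) for ts, src, dst, path in events]


def synthetic_burst(host, start, count, step_seconds=2):
    """Constructed local write activity: `count` files rewritten on `host`."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=k * step_seconds)).isoformat(), host, host,
             rf"D:\share\doc{k}.xlsx") for k in range(count)]


# Constructed sample: (UTC timestamp, writer, target host, path written).
# 2018-03-10 is a Saturday; WS-017 probes five hosts, then records DC-01.
SAMPLE_EVENTS = [
    ("2018-03-10T02:03:00", "WS-017", "SRV-01", r"C:\test.txt"),
    ("2018-03-10T02:03:04", "WS-017", "SRV-02", r"C:\test.txt"),
    ("2018-03-10T02:03:09", "WS-017", "WS-101", r"C:\test.txt"),
    ("2018-03-10T02:03:12", "WS-017", "WS-102", r"C:\test.txt"),
    ("2018-03-10T02:03:20", "WS-017", "WS-103", r"C:\test.txt"),
    ("2018-03-10T02:04:00", "WS-017", "DC-01", r"C:\alive.txt"),
    ("2018-03-12T09:15:00", "WS-050", "WS-050", r"C:\Users\a\report.docx"),
] + synthetic_burst("FS-01", "2018-03-10T23:30:00", 120)


def probe_fanout(events, probe_name="test.txt", min_targets=5,
                 window=timedelta(minutes=10)):
    """Sources that wrote `probe_name` to at least `min_targets` distinct
    hosts within `window`. Returns {source: sorted target list}."""
    by_src = defaultdict(list)
    for ts, src, dst, path in parse(events):
        if basename(path) == probe_name:
            by_src[src].append((ts, dst))
    hits = {}
    for src, writes in by_src.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            targets = {dst for ts, dst in writes[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


def staging_list_writes(events, dc_hosts, name="alive.txt"):
    """Writes of the attackers' host list onto a domain controller."""
    return [(src, dst) for ts, src, dst, path in parse(events)
            if dst in dc_hosts and basename(path) == name]


def off_hours(ts, start=8, end=18):
    """True on weekends, or outside start..end on a weekday."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def off_hours_bursts(events, threshold=50, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` local writes inside `window`, the
    window lying entirely outside business hours. Returns {host: peak count}."""
    by_host = defaultdict(list)
    for ts, src, dst, path in parse(events):
        if src == dst:  # local activity on the host itself
            by_host[dst].append(ts)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            n = i - j + 1
            if n >= threshold and off_hours(times[j]) and off_hours(t):
                hits[host] = max(hits.get(host, 0), n)
    return hits


if __name__ == "__main__":
    print("probe fan-out:", probe_fanout(SAMPLE_EVENTS))
    print("DC staging writes:", staging_list_writes(SAMPLE_EVENTS, {"DC-01"}))
    print("off-hours bursts:", off_hours_bursts(SAMPLE_EVENTS))
```

The fan-out check is deliberately keyed on the file name rather than on any one tool, since the post notes that the probe is a plain text file; the burst check only fires when the whole window is outside business hours, which keeps a Monday-morning backup job from tripping it.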

A ransom note is left on the target organization’s machines demanding a set amount of bitcoin to decrypt a single machine and a lump sum for decrypting all machines at once. Every victim is given a unique address on the dark web that leads to a chat feature for communicating with the attackers. The chat is deleted after the victim pays the ransom.

Security Practices To Prevent SamSam Attack:

  • Regularly install available patches for the RDP service, and disable the service when users do not need it.
  • Ensure that no RDP ports are left open between cloud-based virtual machines and public IPs. If a system’s RDP port must remain open, keep the system behind a firewall and instruct users to reach it via VPN.
  • Enable two-factor authentication, strong passwords and account lockout policies.
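
The second prevention point above, that RDP must not be reachable from public IPs, can be checked mechanically against the firewall or security-group rules in front of a host. The following Python audit is an added example, not the post's code: it flags any inbound rule that admits TCP/3389 from a /0 source or from a source outside an assumed VPN range, and shows a weak rule set beside a corrected one. The rule format, rule names and the 10.8.0.0/24 VPN range are constructed assumptions.

```python
"""Audit of inbound firewall rules for exposed RDP, the prevention point
made in the post: RDP should be reachable only from the VPN range, never
from the internet.

Added example, not code from the original post. The rule dictionaries are a
constructed approximation of a cloud security group (name, protocol, port
range, source CIDR); the VPN range 10.8.0.0/24 is an assumed value."""
import ipaddress

RDP_PORT = 3389

# Constructed weak rule set: RDP open to the world (v4 and v6), an all-ports
# rule from an office range, and a catch-all allow-everything rule.
WEAK_RULES = [
    {"name": "rdp-from-anywhere", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-from-anywhere-v6", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "::/0"},
    {"name": "rdp-from-vpn", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.8.0.0/24"},
    {"name": "all-tcp-from-office", "proto": "tcp", "from_port": 0, "to_port": 65535, "source": "203.0.113.0/24"},
    {"name": "https-public", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "allow-everything", "proto": "-1", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

# Corrected rule set: RDP only from the VPN client range; HTTPS stays public.
HARDENED_RULES = [
    {"name": "rdp-from-vpn", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.8.0.0/24"},
    {"name": "https-public", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
]

VPN_SOURCES = ["10.8.0.0/24"]  # assumed VPN client range


def covers_rdp(rule):
    """True if the rule's protocol and port range include TCP/3389."""
    proto = str(rule["proto"]).lower()
    if proto not in ("tcp", "-1", "all", "any"):
        return False
    return rule["from_port"] <= RDP_PORT <= rule["to_port"]


def audit_rdp(rules, allowed_sources):
    """Return [(rule name, finding)] for rules that expose RDP beyond
    `allowed_sources`. OPEN_TO_INTERNET marks a /0 source; any other source
    not contained in the allow-list is OUTSIDE_VPN_ALLOWLIST."""
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    findings = []
    for rule in rules:
        if not covers_rdp(rule):
            continue
        src = ipaddress.ip_network(rule["source"])
        if src.prefixlen == 0:
            findings.append((rule["name"], "OPEN_TO_INTERNET"))
        elif not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append((rule["name"], "OUTSIDE_VPN_ALLOWLIST"))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_rdp(rules, VPN_SOURCES) or "no RDP exposure")
```

Note that the broad rules are the ones most often missed in manual review: an all-TCP rule from an office range and a protocol "-1" catch-all both expose RDP without ever mentioning port 3389, which is why the audit tests port-range containment rather than matching on the number alone.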

For more information on how to secure your network, call Centex Technologies at (254) 213-4740.

Understanding LeakerLocker Ransomware Attack

LeakerLocker is a ransomware that affects mobile devices running Android. Unlike other mobile ransomware that encrypts user data, LeakerLocker does not encrypt your data but locks your screen. The criminals claim that the user’s private and confidential information will be transferred to their own cloud storage and sent to the victim’s phone contacts if the ransom is not paid.

The mobile malware research team at McAfee identified LeakerLocker on July 7, 2017. The ransomware was spotted spreading via two apps:

  • Wallpapers Blur HD
  • Booster & Cleaner Pro

The apps function like any legitimate app; however, once installed, malicious code is loaded from a command-and-control server. When the requested access permissions are granted, the code collects sensitive data from the user’s phone and uses it for blackmail.

What Type Of Data Is Collected?

  • Personal photos
  • Contact numbers
  • Sent and received SMS
  • Phone call history
  • Facebook messages
  • Chrome history
  • Full email texts
  • GPS location history

How To Protect Your Device From LeakerLocker Ransomware?

  • Install Antivirus Software: Protect your phone from ransomware by installing reputable antivirus software. Such software scans websites as well as apps to ensure that they are safe and free of malware.
  • Update Your Phone: Check your phone regularly for available Android system updates and install them.
  • Back Up Your Files: Back up your files regularly so that they can be recovered in case of data loss. You can back up to the cloud or store your data on an external hard drive.
  • Don’t Download Apps From Unknown Sources: Whenever you download an app, make sure it comes from a trusted source. Avoid third-party app stores, as they may pose a security threat. Also keep the system setting that allows installation of apps from unknown sources disabled.
  • Ignore Pop-Up Installations: Be wary of pop-ups and avoid installing any update or plug-in they offer.
  • Know Before Clicking On A Link: Do not click on links that you receive via email or text from an unknown source.
  • Check The App Reviews: Read the reviews before downloading any app and make sure it comes from a reputable developer. Do not download the app if you find anything suspicious in the comments.

For more information about ransomware attacks and ways to protect yourself from them, call the team of Centex Technologies at (254) 213-4740.

More About CryptoWall Ransomware

In the wake of rising cyber-attacks, it has become important to stay vigilant and to protect data from CryptoWall and its variants. Detected in early 2014, CryptoWall is a nasty ransomware, and some reports suggest that CryptoWall 3.0 has caused over 325 million dollars in damage since its appearance. It encrypts the files on the system and the cyber-criminals demand a ransom to decrypt them. The ransomware has been updated time and again, and the threat is still present in 2018.

How Does It Work?

CryptoWall 3.0 uses RSA-2048 encryption to lock away your files and forces you to pay the ransom in order to decrypt them. Some variants add features: CryptoWall v4 encrypts not only the files but also their filenames, so you can no longer look up a filename to check whether a backup of it exists. CryptoWall v5.1, on the other hand, is based on the HiddenTear malware and uses AES-256 encryption, which is quite different from the previous versions.

The ransomware can be distributed in a variety of ways, some of which are listed below:

  • Phishing Emails: The target is often sent an email containing malicious files hidden in a zipped folder. When the victim opens the files, the malware is installed on the system. CryptoWall then scans the system for data files and encrypts them.
  • Exploit Kits: An exploit kit takes advantage of vulnerabilities in the operating system, the applications used or the websites visited to install the malware and launch the ransomware attack.
  • Advertisements: Malware can be installed through malicious internet advertisements that the cyber-criminals have compromised. These advertisements run JavaScript in the browser to download the malware, and most of the time the victim does not notice that malware has been injected into the system.

CryptoWall hides inside the OS and injects new code into explorer.exe; this code installs the malware, deletes the volume shadow copies of your files and disables Windows services. The malware then runs throughout the system and communicates with a command-and-control server to receive an encryption key with which it encrypts the files. The encrypted files become inaccessible and can only be decrypted with the matching key.
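
The shadow-copy deletion and service disabling described above are behaviours a process-creation log can catch before encryption completes. The following Python triage script is an added example, not code from the original post: it applies a small set of command-line patterns to constructed JSON process records and reports the parent process of each hit, so a launch from the injected explorer.exe is visible at a glance. The record fields, host names and command lines are assumptions constructed for the example.

```python
"""Process-creation log triage for the CryptoWall behaviours in the post:
shadow-copy deletion and service disabling, with the parent process kept so
that a launch from an injected explorer.exe stands out.

Added example, not code from the original post. The log lines are constructed
JSON records in a simplified Sysmon/4688-like shape (ts, host, user, parent,
image, cmd); the field names are an assumption, not any product's schema."""
import json
import re

# Each rule: (name, severity, compiled pattern applied to the command line)
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "high",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("service_disabled", "medium",
     re.compile(r"\bsc(\.exe)?\b.*\bconfig\b.*\bstart=\s*disabled\b", re.I)),
]

# Constructed sample log (newline-separated JSON records).
SAMPLE_LOG = r"""
{"ts": "2018-05-02T14:03:11Z", "host": "WS-22", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2018-05-02T14:03:12Z", "host": "WS-22", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc.exe config wscsvc start= disabled"}
{"ts": "2018-05-02T14:05:40Z", "host": "FS-03", "user": "CORP\\backupsvc", "parent": "C:\\Program Files\\Backup\\agent.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe List Shadows"}
{"ts": "2018-05-02T14:06:02Z", "host": "WS-07", "user": "CORP\\asmith", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe notes.txt"}
{"ts": "2018-05-02T14:07:15Z", "host": "WS-22", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic shadowcopy delete"}
{"ts": "2018-05-02T14:09:00Z", "host": "WS-31", "user": "CORP\\itadmin", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc.exe query wuauserv"}
"""


def iter_records(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def scan(log_text):
    """Return one finding per matching record, keeping the parent process so
    an unusual launcher (explorer.exe spawning vssadmin) can be judged."""
    findings = []
    for rec in iter_records(log_text):
        for name, severity, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({
                    "rule": name, "severity": severity, "host": rec["host"],
                    "user": rec["user"],
                    "parent": rec["parent"].rsplit("\\", 1)[-1].lower(),
                    "cmd": rec["cmd"],
                })
                break  # one finding per record
    return findings


def hosts_with_high_severity(findings):
    """Hosts that need immediate isolation: any high-severity hit."""
    return sorted({f["host"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:22} {f['host']:6} parent={f['parent']:12} {f['cmd']}")
```

The listing call from the backup agent on FS-03 is deliberately left unflagged: enumerating shadow copies is routine, deleting them is not, so the patterns require the destructive verb rather than the tool name alone.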

After encryption, the victim receives a ransom note with instructions to pay a certain amount of bitcoin to decrypt the files. However, most of the time it is a trap: a report by the CyberEdge Group reveals that only 19% of ransomware victims actually got their files back.

How To Protect Against CryptoWall Ransomware?

  • Update your operating system promptly and keep the applications patched
  • Install an anti-virus scanner and update it regularly
  • Use a firewall, as it may block the connection between CryptoWall and its home base
  • Be wary of emails from unknown sources and never click on the links they contain
  • Always keep a backup of your files somewhere other than your system

For more information about IT Security, call Centex Technologies at (254) 213-4740.

GandCrab Ransomware

Generally distributed using the RigEK toolkit, GandCrab ransomware demands payment in the DASH cryptocurrency. It uses the “.bit” top-level domain and, once it has been injected into your computer system, encrypts the data and adds the “.GDCB” extension to all compromised files. For example, imagesample123.jpg (the original file) becomes imagesample123.jpg.GDCB (the encrypted file). After encryption, the ransomware generates a “GDCB-DECRYPT.txt” file and places a copy in every folder; when the victim tries to open a file, a message appears informing them that their files have been encrypted and instructing what to do next.

The files can be decrypted only with a unique key stored on a remote server controlled by the ransomware’s developers. To obtain that key the victim is generally required to pay 1.5 DASH, equivalent to approximately $1,130. However, there is no guarantee that your files will be decrypted even after you pay the ransom.

Most Common Ways Through Which The Ransomware Can Infect You

  • It can reach your system when you use third-party software download sources.
  • Spam emails, or emails from untrusted sources, often carry malicious attachments which install malware on your system when opened.
  • Your system can also be infected through peer-to-peer (P2P) networks, which deliver malicious executables disguised as legitimate software.
  • Victims often fall prey to fake software updaters that infiltrate their systems.
  • Trojans are another cause of ransomware attacks: they exploit the system and allow such malware to be injected into it.

How To Protect Yourself Against The Ransomware

  • Back up your data on a regular basis, because once the ransomware has encrypted your files, the chances of recovering your data even after paying the ransom are slim.
  • If you are unsure about an email from an untrusted source, it is highly advisable not to download the attachments sent with it.
  • Ensure that no computer runs remote desktop services while connected directly to the internet. Instead, make sure such machines can only be accessed after logging into a VPN first.
  • Install all Windows updates as soon as they are released, since older versions may contain loopholes that attackers can exploit.
  • Do not use weak passwords. Also, no matter how convenient it may seem to use a single password for multiple logins, this should always be avoided, as it opens the door to attacks in which your confidential data and files may be compromised.

For more information about Cyber Security, call Centex Technologies at (254) 213-4740.

More About Cerber Ransomware

Cybersecurity is a rising concern. The soaring figures for cyberattacks are a cause of worry for businesses as well as cybersecurity professionals.

Ransomware and phishing attacks have been a constant threat. Cerber is a ransomware that came into the picture when 150,000 Windows users were infected worldwide via exploit kits in July 2016 alone.

What Happens When An Attack Is Launched?

The victim receives an email with an infected Microsoft Office document attached. Malware is installed as soon as the user clicks and opens it.

When a device is attacked, Cerber encrypts the user’s files and demands money to decrypt them and restore access. The malware encrypts files with the RC4 and RSA algorithms and renames them with a .cerber extension.

How Do You Know That You Have Been Infected By Cerber?

You will know you have been attacked by the ransomware when you find a ransom note on the desktop the moment you log in. Ransom notes are also left inside the folders that the malware has encrypted.

Apart from notifying you that your files have been encrypted, the note also gives instructions on how to send the ransom to the attackers. The amount keeps increasing with time and ranges from a few hundred to a thousand dollars.
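
Both the GandCrab post (the .GDCB extension and the GDCB-DECRYPT.txt note placed in every folder) and the Cerber post above (the .cerber extension and notes left inside encrypted folders) describe artifacts that an incident responder can inventory on disk. The following Python scanner is an added example, not code from either post: it walks a directory tree, counts renamed files and notes per family, lists the affected folders, and recovers the original name from the compound extension, as in imagesample123.jpg.GDCB. The tree it scans is constructed in a temporary directory, so the folder layout and file names are assumptions.

```python
"""Scanner for the on-disk artifacts the GandCrab and Cerber posts describe:
files renamed with a family-specific extension (.GDCB, .cerber) and a ransom
note (GDCB-DECRYPT.txt) dropped into every folder.

Added example, not code from the original posts. The directory tree it scans
is constructed in a temporary directory so the block runs offline; the
indicator tables hold only the names given in the posts."""
import os
import tempfile
from collections import defaultdict

# Indicators taken from the posts; names are compared case-insensitively.
FAMILY_BY_EXTENSION = {".gdcb": "GandCrab", ".cerber": "Cerber"}
FAMILY_BY_NOTE_NAME = {"gdcb-decrypt.txt": "GandCrab"}


def original_name(filename):
    """Strip a known ransomware suffix: imagesample123.jpg.GDCB becomes
    imagesample123.jpg. Returns None if the name carries no known suffix."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in FAMILY_BY_EXTENSION else None


def scan_tree(root):
    """Walk `root` and return {family: {"files": n, "notes": n, "dirs": [...]}},
    where `dirs` are the folders (relative to root) holding renamed files or notes."""
    summary = defaultdict(lambda: {"files": 0, "notes": 0, "dirs": set()})
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            family = FAMILY_BY_NOTE_NAME.get(name.lower())
            if family:
                summary[family]["notes"] += 1
                summary[family]["dirs"].add(rel)
                continue
            family = FAMILY_BY_EXTENSION.get(os.path.splitext(name)[1].lower())
            if family:
                summary[family]["files"] += 1
                summary[family]["dirs"].add(rel)
    return {fam: {"files": v["files"], "notes": v["notes"], "dirs": sorted(v["dirs"])}
            for fam, v in summary.items()}


def build_sample_tree():
    """Constructed tree: clean documents, three GandCrab-renamed files with a
    note in each affected folder, and one Cerber-renamed file. Returns root."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    layout = {
        "Documents": ["budget.xlsx", "imagesample123.jpg.GDCB", "GDCB-DECRYPT.txt"],
        os.path.join("Documents", "Photos"): ["holiday.jpg.GDCB", "family.png.GDCB", "GDCB-DECRYPT.txt"],
        "Music": ["track01.mp3"],
        "Archive": ["old-report.docx.cerber"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for family, info in scan_tree(sample_root).items():
        print(family, info)
    print(original_name("imagesample123.jpg.GDCB"))
```

The per-folder note count is worth keeping separate from the file count: a folder with notes but no renamed files is one the malware visited but had not finished, which helps bound how far encryption got before the host was isolated.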

Is It Possible To Decrypt Files Encrypted By Cerber?

It may or may not be possible. Decryption tools were available for earlier versions of Cerber; however, there is very little scope for recovering files encrypted by the most recent versions. Even paying the ransom does not guarantee that you will be able to recover your files.

How To Prevent The Ransomware?

Once your files are encrypted it is very difficult to restore them, so it is best to take preventive measures in good time. Install up-to-date antivirus software, and make sure that you do not open any link or attachment sent from an unknown source.

Backup your data regularly and educate your employees about cyber security.

What Is Distinctive About Cerber?

It has certain features which you must take a note of:

  • It Talks – Surprisingly, it is a malware that talks to its victims. Some versions contain VBScript that plays audio alerts and messages informing you that your files have been encrypted and that you must pay the ransom to decrypt them.
  • Works Offline – People might think that disconnecting the device will prevent files from being encrypted. However, this is not true, as Cerber does not need an active internet connection to operate.

For more information about IT Security, call Centex Technologies at (254) 213-4740.
