Web Development Austin, SEO Austin, Austin Search Engine Marketing, Internet Marketing Austin, Web Design Austin, Roundrock Web Design, IT Support Central Texas, Social Media Central Texas

Tag: Ransomware Page 1 of 4

How To Stay Protected Against Clop Ransomware?

Clop ransomware is a member of the CryptoMix family known to infect Microsoft Windows operating systems. The Russian word ‘clop’ translates to “a bug” in English. The APT group known as TA505 uses ransomware widely as a final payload to target a system’s whole network, as opposed to a single machine. This virus functions by encrypting a file and appending the extension “.clop.” After successfully encrypting the file, the virus generates “ClopReadMe.txt” and places a copy in each folder. This file also includes the ransom note.

It was recently uncovered that the threat group had stolen 2 million credit card numbers via POS malware and threatened to demand a $20 million ransom from a German business as well.

How can individuals stay protected from Clop Ransomware?

  1. Be cautious when using computers. Lack of information and negligence are the fundamental reasons for computer virus infestations. So be careful when browsing the internet and downloading, installing, and upgrading software.
  2. Always open email attachments with caution. If the sender’s email address appears suspicious or unusual, do not open the attachment.
  3. Only use direct download links from authorized sources, as malicious programs are commonly distributed via third-party downloaders and installers. Updating software packages are required to keep installed software up to date and secure. The most secure method is to use tools or created features provided by the official developer.
  4. Using pirated software with software cracking tools is illegal and should never be done. You essentially steal intellectual property from software developers and do not pay them. Furthermore, because these tools are regularly used to transmit malware, the risk of malware infection is high.
  5. Blocking a C2 (Command and Control) connection in the middle of an infection chain can prevent malware from propagating. To accomplish such activities, use web filters. One of the most important tactics for preventing ransomware from infiltrating a machine or network is to deploy an effective endpoint security solution.
  6. If the machine has already been infected with the Clop ransomware, run a Windows antivirus tool to remove it. Install and run a reliable antivirus and antispyware software regularly; these capabilities can assist you in detecting and eliminating malware before it causes any harm. If Clop is already p in your system, we recommend running a scan with any NGAV (Next-Generation Antivirus) solution to eradicate the malware.

How can businesses stay protected from Clop Ransomware?

  1. Make a list of your resources and data, identify software/hardware that is legitimately necessary for business objectives, and audit incident and event logs.
  2. Manage software and hardware configurations. Allow admin rights and access only when necessary for an employee to accomplish his tasks. Keep a watch on the network’s services, protocols, and ports. Configure the security settings on routers and other network infrastructure devices. Make a software allow list that only allows legitimate and pre-approved programs to run.
  3. Conduct regular vulnerability assessments. Patch operating systems and software both physically and remotely. Install the most recent software and application versions to address zero-day vulnerabilities published by threat actors.
  4. Put measures in place for data recovery, backup, and asset protection. Set up MFA (Multifactor Authentication), ZTNA (Zero Trust Network Access), and PoLP (Principle of Least Privilege).
  5. Stop phishing emails through sandbox analysis. Install the most recent security updates on the system’s email, endpoint, web, and network layers. Also, implement sophisticated detection methods to identify early warning signals of an attack, such as the existence of suspicious tools on the system.
  6. Employees should be subjected to regular security training and review. Perform penetration testing and red-team drills.

Centex Technologies provides cyber security solutions for businesses. For more information about how to stay protected, contact Centex Technologies at Killeen (254) 213 – 4740, Dallas (972) 375 – 9654, Atlanta (404) 994 – 5074, and Austin (512) 956 – 5454.

Understanding Everything About GoBrut

GoBrut is a computer virus written in Go programming language. The compilation of GoLang programs generates binaries that have all required dependencies embedded in them. It avoids the need of installed runtimes within the machine and simplifies the multi-platform support of Go applications.

Mode Of Infection

GoBrut virus infects Windows and Linux machines using ‘Brute Force’ method.

What Is Brute Force Infection?

A brute force attack is also known as brute force cracking. It involves a computer machine that tries different combinations of usernames and passwords until it finds the correct combination to unlock the victim machine or network.

There are different types of brute force attacks that can be used by GoBrut virus. Some common types are:

  • Dictionary Attack: The attacker uses a dictionary of possible passwords to guess the right password.
  • Exhaustive Key Search: The computer tries every possible combination of characters to find the correct password. The new computers can brute force crack an 8 character alphanumeric password (including capitals, lowercase letters, numbers, and special characters) in about two hours.
  • Credential Recycling: In this type of attack, the attackers use the leaked usernames and passwords from other data breaches.

The virus is mainly used to target servers running Content Management Systems (CMS) and technologies such as SSH and MySQL. Here is a list of commonly targeted platforms:

Content Management Systems

  • Bitrix
  • Drupal
  • Joomla
  • Magento
  • WordPress
  • OpenCart

Databases

  • MySQL
  • Postgres

Administration Tools

  • SSH
  • FTP
  • cPanel
  • PhpMyAdmin
  • Webhostmanagement

After-Infection Process:

  • After successful infection, the infected system becomes a part of the GoBrut botnet. It now requests work from Command and Control server of the botnet.
  • Once the work is received, the infected host will now bruteforce other systems on the network (mentioned in the work request sent by botnet owner).
  • This allows lateral spread of GoBrut virus in the network.
  • After gaining access to a machine’s credentials, the attackers may steal confidential information, photos or other private data.

As the virus uses brute force techniques to steal password, the machines using low-security passwords are at higher risk of infection. Thus, simple ways to protect a system or network from GoBrut virus are:

  • Use of strong and reliable passwords.
  • Regular update of passwords after short intervals.
  • Avoid use of common passwords for different systems.
  • Apply access control for remote logins across all services.
  • Update all services and plugins regularly to combat vulnerabilities.

For more information on the GoBrut virus, contact Centex Technologies at (254) 213 – 4740.

The New Ryuk Ransomware Attack

Ryuk is a type of crypto-ransomware. It uses encryption as a way to block access to a system or file until the ransom is paid. The ransomware is generally dropped with the help of other malware such as TrickBot or Emotet. Another mode of infection used by Ryuk ransomware is ‘Remote Desk Services’.

The Ryuk attacks were popular in third quarter of 2019, however the ransomware went silent at the onset of COVID-19 quarantine. But, it has returned as new Ryuk ransomware with added features and evolution of tools used to compromise target networks and ransomware deployment.

The most notable feature of new Ryuk ransomware is ‘Speed’. Once a system is infected, the attackers gain access of domain controller and enter early stage of deployment just within a day.

The second notable feature of new Ryuk ransomware is ‘Persistence’. The attackers make multiple attempts by sending renewed phishing emails to establish a contact.

How Is A System Infected?

  • The attackers send a phishing email to the target. The email contains a link, which redirects the user to a malicious document hosted on ‘docs.google.com’.
  • When a user opens the document, its contents are enabled. This allows the document to execute a malicious executable identifier ‘print_document.exe’ as a Buer Loader. Buer Loader is a modular malware-as-a-service downloader.
  • When executed, Buer Loader drops malware files and a Cobalt Strike beacon ‘qoipozincyusury.exe’. it is a modular attack tool which is capable of performing multiple tasks such as providing access to operating system features and establishing a covert command & control channel within the compromised network.
  • Additional Cobalt Strike beacons are downloaded on the system for reconnaissance and to hunt for credentials. Numerous commands are run on the infected system to retrieve information such as list of trusted domains, list of members of ‘enterprise admins’, list of administrators for local machine, list of domain admins, network configuration, etc.
  • Using this data, attackers obtain administrative credentials and connect to domain controller, where they dump data of Active Directory.
  • Using domain administrator credentials, another Cobalt Strike service is installed on the domain controller. It is a chained Server Message Block listener. It allows Cobalt Strike commands to be passed on to the server and other computers on the network. This allows attackers to spread the attack laterally onto other systems in the same network.
  • The Ryuk is launched and it attacks the backup server. In case of detection or interruption by security protocols, the attackers use icacls command to modify access control. This gives them complete control of the system folders on the server.
  • Now, they deploy GMER, a rootkit detector tool. It is used to find and shutdown hidden processes such as antivirus. The ransomware is re-deployed and re-launched multiple times to overwhelm remaining defenses.
  • Ransom notes are dropped in folders hosting the ransomware.

Educate the employees to refrain from opening doubtful emails and documents to prevent the new Ryuk attack.

For more information on the new Ryuk ransomware attack, contact Centex Technologies at (254) 213 – 4740.

What Is CryptoWall Ransomware?

A ransomware is a type of malware that encrypts user files on victim computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used RSA public key for file encryption, however, the new versions use AES key for file encryption. The AES key is further encrypted using a public key. This makes it impossible to get the actual key needed to decrypt the files.

Mode Of Infection:

Traditionally, CryptoWall ransomware was distributed via exploit kits. But, now spam emails are also used to infect the victims. The spam email contains RAR attachment that includes a CHM file. When the victim opens the CHM file, it downloads ‘CryptoWall binary’ to the system and copies itself into the %temp% folder.

CHM file – Compiled HTML or CHM file is an interactive html file that is compressed inside a CHM container and may hold other files such as JavaScript, images, etc. inside it.

Execution:

  • The Cryptowall binary downloaded on the system is compressed or encoded. Useless instructions and anti-emulation tricks are deliberately inserted in the coding to break AV engine protection.
  • On execution, it launches a new instance of explorer.exe process.
  • In the next step, the ransomware injects its unpacked CrytoWall binary and executes the injected code.
  • The original process automatically exits itself after launching the injected explorer process.
  • The files are encrypted and the ransomware deletes the volume shadow files using ‘vssadmin.exe’ tool. This makes sure that the encrypted files may not be recovered.
  • The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to the auto start key to help them stay persistent even after the infected system is rebooted.
  • A new svchost.exe process is launched with user privilege and malicious binary code is injected into it.
  • The ransomware connects to I2P proxies to find live command and control server.
  • The server replies with unique encryption key generated specifically for the target system. The key starts the file encryption thread and drops ransom notes in all directories.
  • Finally, it launches Internet Explorer to display ransom notes and the hollowed svchost process kills itself.

Protection:

  • Keep antivirus up-to-date
  • Back up the files
  • Apply windows update regularly
  • Avoid clicking random emails
  • Disable remote desktop connections
  • Block binaries running from %appdata% and %temp% paths

For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.

 

Understanding The Concept Of Ransomware As A Service

Ransomware is a type of malware that extorts money from the target victim by infecting and taking control of the victim’s systems or secured documents stored in the system. Ransomware attacks either locks the computer from normal use or encrypts the documents using a key available with the attacker only.  ‘Ransomware as a Service’ is a kind of ‘Software as a Service’ provided by tech vendor. RaaS can also be defined as a ransomware infrastructure that is rented to hackers on dark web. It is an easy platform for novice hackers (with zero to low knowledge of coding malware) to access ransomware attacks and implant these ransomwares on victim’s machines for claiming extortion money.

How Does RaaS Function?

Here is a simple map of events to explain the functioning of RaaS model:

  • A deceitful vendor offers a tool containing Ransomware on Dark web
  • The package contains all the software and related files needed for a successful ransomware attack
  • Hackers and malicious actors purchase this tool package
  • They use the tools for attacking a victim’s system or network to get hold of computer files and information
  • Depending upon the type of ransomware, it may either lock or encrypt the files
  • The hackers now demand financial ransom in exchange of returning data access to the victim

Similar to other ‘Software as a Service’ models, RaaS involves user services such as provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The buyers of RaaS have the option to order up the capability of the ransomware for launching a more severe attack.

Some important points to note include:

  • RaaS users take deliberate steps to conceal their identity and take deliberate steps to make their actions hard to track. A common practice is to demand payments in digital currency as it is comparatively difficult to trace.
  • Once the victim makes the ransom payment, it is not guaranteed that the hacker will provide the decryption key to the victim. Also, making the ransom payment does not ensure that the hacker will not leak any files or documents.

What Measures Can Be Taken To Combat RaaS Attacks?

Organizations need to take following measures to secure themselves against RaaS attacks:

  • Employees are the most vulnerable entry point but they may be used as first line of defense, if properly educated. Regularly educate them on the latest ransomware attacks and cyber security practices they should employ.
  • Secure the system and network by continuously auditing for any vulnerability. Also, regularly update the cyber security tools for latest versions.
  • Maintain a backup of all the files at a location from where they can be easily retrieved. This helps the business to keep functioning even if the systems are attacked.

For more information on understanding the concept of ‘Ransomware as a Service’, contact Centex Technologies at (254) 213 – 4740.

© Copyright 2022 The Centex IT Guy. Developed by Centex Technologies
Entries (RSS) and Comments (RSS)