Why is Ransomware Still Around?

Ransomware is an advanced form of malware that attempts to get users to pay a fee or spoofed fine in order to regain access to their device or files.  The simplest version will place an image on one’s screen claiming the user downloaded illegal content or is using pirated software and will demand the payment of a fine or be arrested.  Other versions like Cryptowall or Cryptolocker will actually encrypt all the files on a computer and demand payment in trade for the key to decrypt the files… with some not delivering what they promised. First arriving on the scene in 2005 as an Eastern European threat, it grew into a global attack by the end of 2013.

To help put ransomware into perspective, look at the organizations that have already been hit by an attack.  Most people don’t report these types of things but others have.  The City of Detroit was hit with a ransom of $800K… and didn’t pay.  An entire hospital district was hit in nine different locations and had to pay out. Ransomware authors are seeing a payday and you can expect them to continue until it is no longer profitable.  They are sending their code in email, packaging it in files and also placing it on the internet hoping to lure people in with free content or to pull a bait and switch move that could cost a business dearly.

Security organizations have been working tirelessly to stop this attack by building in mechanisms to stop unauthorized encryption as well as creating signatures to stop known attacks from this group of malware.  In the chart below you’ll see that SonicWall next-generation firewalls blocked nearly 90 million ransomware attempts in May 2016 alone.  These happy stats are the result of the hundreds of ransomware signatures actively stopping this attack. So after years of battling ransomware, why is it still an issue?  With such a great rate of success from security vendors, why haven’t attackers given up the fight?

Despite our success, you have to keep in mind that signatures only work for the things we know about.  We know the many variants of Locky, Tescrypt, Crowti and others, but they evolve and change to better evade the defenses of security technologies.  The mission for a firewall vendor is to rapidly create new signatures for all of the ransomware variants before any new iteration can victimize businesses.  SonicWALL has been doing this using a mix of people and technology, but now we have a new tool customers can use that can stop brand-new ransomware versions (and all other malware variants), called SonicWall Capture ATP.

In my next blog, I’ll explain in greater detail how SonicWall Capture works. In the meantime, you might want to read our e-book, How ransomware can hold your business hostage.

Ransomware attack resulted in free train rides over the holiday weekend (Nov 30, 2016)

Over the holiday weekend, the San Francisco Municipal Transportation Agency became the victim of a ransomware attack. It locked up Muni’s public transportation ticket machines, resulting in free rides on trains and city buses. It was reported that the ransomware demanded $73,000 in exchange for giving back Muni’s data, but the transportation agency avoided paying the ransom and was able to restore its systems.

According to reports, the ransomware extortion message was visible at multiple Muni train station booths that said “You Hacked, ALL Data Ecnrypted.” It also gave an email address (cryptom27@yandex.com) which was seen tied to a ransomware family known as HDDCryptor.

Like another ransomware called Petya, which we wrote about here, HDDCryptor is a variant that rewrites the computer’s master boot record and boot sectors and locks the victim out of their computer.

Infection Cycle:

Upon execution, this Trojan drops the following files in this location:

  • %SYSTEMROOT%\DC22\dcinst.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.sys – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcapi.dll – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dccon.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\netpass.exe – Network Password Recovery tool (non-malicious)
  • %SYSTEMROOT%\DC22\mount.exe [Detected as GAV: HDDCryptor.MB (Trojan)]

It registers a service named “DefragmentService.” It uses the Network Password Recovery utility from NirSoft to gather all shared drive information and saves that data into the file %SYSTEMROOT%\DC22\netpass.txt. It also uses the command “net use” to display all information about the computer’s shared resources and network connections; this data is saved to %SYSTEMROOT%\DC22\netuse.txt. It also adds a new user account with the username “mythbusters” and password “123456” using the “net user” command.

Executing the netpass.exe file individually brings up the UI of this freeware.

It then spawns mount.exe to start hard drive encryption. Mount.exe uses the information in netuse.txt and netpass.txt to enumerate shared drives, mount the drives and start the encryption.

The ransomware uses the open source encryption tool named DiskCryptor which supports AES, Twofish and Serpent encryption algorithms.

All the activities that this Trojan executes are logged to a file as they happen: %SYSTEMROOT%\DC22\log_file.txt.
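The infection cycle above is a sequence of observable host actions, which makes it a good candidate for behavioural detection rather than hash matching. The script below is an added example, not SonicWall’s code or signatures: it runs over constructed, Sysmon-style process-creation records (the field names Image, CommandLine and ParentImage are an assumption about the telemetry format) and flags the indicators taken from the alert: binaries executed from %SYSTEMROOT%\DC22, NirSoft’s netpass.exe, “net use” output redirected to netuse.txt, a local account added with “net user … /add”, and the “DefragmentService” service. The alert does not say how the service is registered, so “sc create” is assumed there.

```python
"""Behavioural detection for the HDDCryptor infection chain (added example).

Runs over constructed Sysmon-style process events; no live telemetry is read.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]   # (rule name, detail)

# Indicators from the alert. Paths use Windows separators even on other hosts.
STAGING_DIR = re.compile(r"\\DC22\\", re.IGNORECASE)
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.IGNORECASE)
NET_USE_DUMP = re.compile(r"\bnet1?(?:\.exe)?\s+use\b.*>\s*(\S*netuse\.txt)", re.IGNORECASE)
# Assumption: the service is created with sc.exe; the alert only names the service.
SC_CREATE_SVC = re.compile(r"\bsc(?:\.exe)?\s+create\s+(DefragmentService)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev: Event) -> List[Finding]:
    """Apply every rule to one process-creation record."""
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    out: List[Finding] = []
    if STAGING_DIR.search(image):
        out.append(("staging_dir_execution", image))
    if basename(image) == "netpass.exe":
        out.append(("nirsoft_netpass", image))
    m = NET_USER_ADD.search(cmd)
    if m:
        out.append(("local_account_created", m.group(1)))
    m = NET_USE_DUMP.search(cmd)
    if m:
        out.append(("share_enumeration_dump", m.group(1)))
    m = SC_CREATE_SVC.search(cmd)
    if m:
        out.append(("service_registered", m.group(1)))
    return out


def detect(events) -> List[Finding]:
    """Collect findings across a stream of events."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(inspect_event(ev))
    return findings


def is_hddcryptor_like(findings, min_rules: int = 3) -> bool:
    """Verdict: several distinct behaviours together, not any single one."""
    return len({rule for rule, _ in findings}) >= min_rules


# Constructed sample telemetry mirroring the chain described in the alert.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\DC22\netpass.exe",
     "CommandLine": r"C:\Windows\DC22\netpass.exe",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user mythbusters 123456 /add",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use > C:\Windows\DC22\netuse.txt",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create DefragmentService binPath= C:\Windows\DC22\mount.exe",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\DC22\mount.exe",
     "CommandLine": r"C:\Windows\DC22\mount.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Benign noise that must not fire any rule.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\todo.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:26s} {detail}")
    print("verdict:", "HDDCryptor-like" if is_hddcryptor_like(found) else "clean")
```

Requiring three distinct rules before raising a verdict keeps a lone “net user /add” from an administrator, or a stray NirSoft utility, from paging anyone; each rule on its own is still worth a low-severity log entry.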

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: HDDCryptor.MB (Trojan)

Critical Business Threats: Ransomware and Employee Online Shopping

According to a recent PWC survey, 54 percent of respondents buy products online every month. And millions of employees shopped online yesterday with their work devices on business networks. The critical business threat: Will any of your business computers or networks get infected with malware when employees make personal online purchases?

We believe so, and our SonicWall Global Response Intelligent Defense (GRID) network research backs this up.

Good News: Chip Cards Are Working

Research gathered through the SonicWall GRID Network indicates that the new chip-and-sign credit cards and point of sale (POS) systems are more effective than legacy technologies in detecting and blocking breaches. After big data breaches at retailers like Target and Home Depot, many retailers upgraded to chip-based POS systems.

Whenever new malware is discovered, we create a software signature set that is automatically propagated to all of our customers’ firewalls, to help keep their systems safe from attack. In 2014, before the new chip cards and POS systems, our team released 14 new POS-related malware signature sets.

In 2015, this number decreased to nine new POS malware signature sets. And in 2016 to-date, after the broad adoption of chip-based cards and readers, we have only had to release a single new signature.

Bad News: SPAM Is Now a Huge Business Threat

As POS systems have become harder to hack, the bad guys are looking for more efficient ways to steal online. Falling back on the tried and true email-based phishing attacks, personal shopping phishing emails are now a real threat to your business systems and networks.

Our email security research team observes that SPAM email usually increases in volume significantly during Cyber Week, starting the week before Black Friday, then drops off after Cyber Monday. Our numbers show a dramatic 2x increase in SPAM this year from 2015. In the run-up to Thanksgiving and Black Friday we saw 110 percent growth, increasing to 143 percent growth through Cyber Monday.

One of our SPAM honeypots collected the following data for Cyber Week:

  • Average number of SPAM messages 2015: 33,725 a day
  • Average number of SPAM messages 2016: 82,888 a day

More Bad News: Ransomware Targets Businesses

Increasingly we are finding that if malware makes it into your business network, it will be ransomware. First released in 1989, ransomware can infect your system and lock out users from accessing devices or files. When the victim pays a ransom (usually electronic money or bitcoins) the device can be unlocked by the hackers. Needless to say, ransomware can put your business-critical data and systems at risk.

Network Security Must-Haves

Online shopping will only continue to grow, especially over holidays, so it’s important to be proactive to keep your business systems protected. Along with monitoring employee access and updating policies, here are some must-haves.

  • Ensure your firewall is next-generation with content filtering on, including encryption scanning and packet filters; your goal is to monitor and inspect all incoming data and stop ransomware
  • Consider a cloud-based protection service like our Capture Advanced Threat Protection Service; a good one will speed up your response time, leverage the power of multiple engines to stop zero-day attacks, and automate remediation
  • Manage network bandwidth to limit or stop streaming; streaming is one of the easiest ways to let malware in
  • We strongly recommend EV SSL certificates for every external business website
  • Vet your SSL certificates and sources, to ensure they are publicly rooted and aren’t bringing in malware from the dark web
  • Audit your SSL certificates regularly to ensure they are up to date
  • It goes without saying but back up your data regularly; if ransomware does infect your network you will need to quickly access business-critical data

Online Shopping Safety for Consumers

  • If you don’t have one yet, upgrade to a chip-based credit card
  • Always look for an EV SSL certified logo on sites you shop
  • Use mobile devices (tablets or phones) and shop with store apps from businesses you know and trust; these apps are vetted and tested
  • Avoid shopping on sites with a Windows-based laptop; Windows is the most targeted operating system (OS) for hackers
  • Remain on the site until you complete a transaction; don’t follow redirects
  • Stay current with the latest OS software updates on your devices so you have the latest security patches; always update from the trusted site of the software provider, not a third-party site or a pop up
  • Update your apps regularly, especially ones that you provide sensitive data to: credit card numbers, banking and health information
  • Create complex, hard-to-crack passwords and keep them in a secure place
  • Change your passwords often and keep them hidden – not on sticky notes on your computer

Cerber ransom payment doubles (Nov 23, 2016)

The Cerber Ransomware continues to spread and generate income for its operators. We have covered this Ransomware family in a previous SonicALERT back in August but it has since evolved and some details about its internal operations and presentation have changed. For example, a new information page is used and the ransom has now doubled in value from $500 to $1000 since August. This increase in price is a strong indicator of past success.

Infection Cycle:

The latest variant of this trojan uses the following icon:

The Trojan makes the following DNS requests:

  • vyohacxzoue32vvk.3sc3f8.bid
  • btc.blockr.io

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\README.hta (ransom information page)
  • %USERPROFILE%\Local Settings\Temp\README.hta (ransom information page)

It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.

It displays the following information on the desktop background:

The links lead to a website located on the Tor network:

The Trojan reports its infection to a remote C&C/key server:

It checks the status of the supplied bitcoin address that requires funding to verify payment:

Upon inspecting the transaction activity of the bitcoin address we can see that it is still generating income at the time of writing this alert. It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address used; we have observed other bitcoin addresses being used to pay the required ransom:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cerber.HM (Trojan)

Spam campaign roundup: The Thanksgiving Day Edition (Nov 23, 2016)

Thanksgiving Day is right around the corner. This marks the start of the holiday shopping season, with Black Friday being the busiest shopping day of the year. Consumers are expecting great deals and looking out for incredible promotions. More shoppers are expected to shop online for gifts this holiday season, and cyber criminals are also leveraging this opportunity to take advantage of unsuspecting shoppers.

And true enough, the SonicWALL threat research team has observed a steady increase in Black Friday and Thanksgiving related spam emails over the past week.

As Thanksgiving weekend approaches, we have been receiving an increasing amount of spam emails, as shown in the figure above, and this number is expected to increase all throughout the weekend and through Cyber Monday. Because consumers are spending more time shopping online, cybercriminals are preying on shoppers who might not be aware of the risks. As usual, these emails have a common theme of trying to lure consumers to click on the links and provide personal information, purporting to be from popular retailers and promising amazing deals and deep discounts. The following are some of the common email subjects to watch out for:

  • Score Smart on Blackfriday
  • The Hottest gift this Holiday Season…(75% off Black Friday Sale)
  • *ALERT* Black Friday Sale Starts! All 80% Off & Free Shipping Now.
  • Government Overrun: “Super Flashlight” – Black Friday 75% off
  • Thanksgiving Sale – SAVE up to 85% on everything.
  • Feeling Tired? Try This After Thanksgiving – Feel GREAT By Christmas.

Below is an example of an email purporting to be from a popular shoe brand. The link will take you to a URL different from the real merchant’s website. This fake website even copied the layout of the actual brand’s website to be even more convincing.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWALL Gateway Antivirus and Email Security service constantly monitor and provide protection against such malicious spam and phishing threats.

IT Security Done Right Enables State and Local Governments

News reports about new data breaches have become an all too frequent occurrence.  But cyber attacks can’t and don’t stop state and local governments from getting on with the business of governing. It’s easy to fall into a state of paralytic fear about attacks and data breaches, but in the meantime, state and local governments need to deliver the services their citizens rely upon, and continue to leverage technology to expand and improve those services.

If IT security is viewed as a defense mechanism by government, and even by security professionals themselves, government doesn’t work as well as it needs to.  A more productive attitude is to view security as an enabler of ongoing and new information technology efforts, providing a secure foundation for governments to take advantage of new technologies, provide employees and citizens with the ability to access the services they need from any device, and most importantly, streamline and improve those services.

In other words, we at SonicWall want to help state and local government IT security to become the Department of Yes. Making this change in viewpoint, doing security the right way, is the subject of the Government Computer News article, Take a Positive Approach to Security.

In the article, SonicWall’s Ken Dang goes into detail on how to accomplish this. Improving protection of government assets needs to be coupled with improving legitimate access to resources, which in turn improves efficiency, a key consideration for resource-constrained IT departments. Ken discusses a contextual approach to access, in which requests are evaluated based on a case by case basis, with the particular user’s specific requests placed in the context of the time and place of the request itself.

For the contextual approach to be effective, access information needs to be shared among all the different security devices and solutions throughout the government’s IT.  It’s important to have the proper tools to do this – which we’re happy to provide –but it requires breaking down organizational silos, getting people used to the idea that security is done better when the groups responsible for the many different aspects of security cooperate and communicate.

Contextual security particularly mandates this relationship when it comes to networks and user identities. Without transparency and full awareness between the two, the opportunity to improve overall security posture becomes a lost opportunity. But when government IT embraces that transparency and awareness, and leverages its capabilities by inspecting every packet on the network, even encrypted packets (which bear an increasing share of attack exploits) – that’s the path to security done right.

Add up all the above, couple it with our cost-effective, easy to install, SonicWall next-generation firewalls and other network security solutions, and IT security for state and local governments moves away from being an obstacle and towards being an enabler of better, more effective and responsive government.

Understand the Risks Online Shopping During Black Friday Poses to Your Network

As I was driving home the other day one of my children spotted a house with old Halloween decorations on it. With the holidays coming, it’s a good reminder of the potential impact they can have on an organization. Black Friday, Cyber Monday and the weekend in between kick off the unofficial holiday shopping season which goes until the end of the year. Add in Thanksgiving and we’re looking at a lengthy period of consumer shopping, much of which is done online.

Let’s take a look at some of the numbers to put this into perspective. According to the National Retail Federation (NRF), in 2015:

  • Holiday sales increased 3% to over $625B
  • Seven in 10 retailers reported an increase in their overall holiday sales revenue
  • 81% saw an increase in online sales
  • Mobile, including both phones and tablets, accounted for 30.4% of online sales
  • Black Friday had the highest sales revenue for 68% of retailers, regardless of channel, while Cyber Monday saw the highest online/mobile sales

The expectation for 2016 is similar – higher sales and an increase in the use of mobile devices for online shopping which is great news for retailers. Interestingly, despite the growth in mobile transactions, the NRF found that online purchases using desktops still brought in the highest transaction size during the 2015 holiday season. Either way, there continues to be a transition toward online purchasing even when consumers collect their items at the store.

In an earlier blog I touched on three potential impacts online shopping by employees during Black Friday and other holidays can have on organizations – loss of productivity, bandwidth consumption and network security. Let’s take a closer look at the effect it can have on security.

No matter the device they use – desktop computer, laptop, tablet or smartphone – anytime employees shop online at work over the corporate network it introduces risk. Inadvertently downloading malware from websites, even those that are known to be legitimate sites, is a very real danger. Hackers are continually finding new ways to develop more sophisticated versions of threats such as viruses, worms, and Trojans that can evade detection. One tactic they use to deliver these threats is phishing emails which lure recipients into clicking on a link in an email that appears to be legitimate. Once the employee complies, the malware is downloaded onto the device and it can spread throughout a network. Phishing emails are very popular during the holidays, often disguised as retailer promotions. According to a Prosper Insights & Analytics Post-Holiday Consumer Survey, 24% of respondents said they visited a website they shopped on last holiday season through an email promotion. Clearly hackers have learned that email promotions are popular with online shoppers.

Another threat you’re likely to hear more about during the holiday season is ransomware. This attack uses malware that denies access to data or systems unless the victim pays a ransom to the cybercriminal. Without access to files, data or entire systems most organizations can’t function. Some victims pay the ransom and if only a few systems are affected the cost can be manageable. But imagine the price if you have hundreds or even thousands of networked devices. It’s enough to put some organizations out of business.

Whether we like it or not, employees will use the devices available to them to shop online during Black Friday and other holidays. When they do it from the office or store, most likely they will use your organization’s network to connect to the Internet and this introduces risk. Fortunately there are steps every organization can take to secure their network and protect themselves and their customers from threats like phishing attacks and ransomware during the holiday online buying season. Deploying a SonicWall next-generation firewall with our Capture Advanced Threat Protection service stops unknown and zero-day threats before they can enter your network.

Thanksgiving Holiday and Shopping Season Are Coming (Nov 21, 2016)

Thanksgiving Black Friday Day and Cyber Monday

Thanksgiving Day is upon us this week and Black Friday/Cyber Monday are right around the corner: your purchasing season begins. Nowadays, Black Friday is not only about traditional in-store purchasing; it’s also about browsing online from a cozy couch while watching TV, picking and comparing products while checking others’ reviews and getting them at your front door the next day, and even waiting for deals and discounts while you are playing games or posting your pictures online from your mobile devices. However, convenience always comes with risks: SPAM emails lurk, new ransomware emerges out of the blue, and exploit kits and phishing websites are ready with their traps. So, how do you fulfill your shopping list in the happy holiday season without being bothered? Let’s run through some of the typical threats facing online shopping in the coming weeks.

Online Shopping

SonicWALL has investigated multiple popular online shopping websites, including Amazon and eBay. The following is a typical Amazon web page browsing pattern around Thanksgiving week in 2015. The highlighted days are Black Friday and Cyber Monday.

This graph shows a slight decrease in Amazon browsing traffic on Thanksgiving Day (11/26/2015) and Black Friday (11/27/2015) compared with the pattern from the previous weeks. It also shows the large increase in Amazon traffic on Cyber Monday (11/30/2015) and during the following work days. SonicWALL devices mostly protect small- and medium-sized organizations, so traffic during the holidays is usually lower than on the same days in regular weeks. It shows that a lot of people are busy with family-related activities during the Thanksgiving holiday. The spike right after the Thanksgiving weekend is a strong signal of purchasing and browsing at online stores during the week of Cyber Monday.

SPAM Email Threat

At the same time, the Thanksgiving- and Black Friday-related SPAM email we collected during Thanksgiving week in previous years (2013, 2014 and 2015) shows steady growth during the week. The SPAM emails have a common theme of trying to lure consumers to click on links and provide their personal information in exchange for access to special offers and deep discounts. Typical subjects of SPAM emails can be seen below. You can find more examples in the previous SonicAlerts (listed above).

  • Let your Smartphone find your parked car, Thanksgiving special on Wednesday, November 25, 2015.
  • Get your 1K Black Friday Visa Gift Card!
  • [Thanksgiving Insane Discount Today] 1 Ink Saves You 85% on Printer Ink Today w/ $0 Shipping Right Now

POS malware has been observed for Black Friday in previous years. However, we believe that POS malware is on the decline, as retailers are increasingly aware of this threat, although it is still happening, for example Wendy’s data breach. We have not seen as many large-scale breaches attributed to POS malware compared to those seen in previous years, for example the Target, and Home Depot data breaches. Also, a lot of the retailers have improved their security measures, for example, by using chip-based credit card readers, which help mitigate the POS threat. In our opinion, POS will not be a major threat during this Thanksgiving week.

Fake Deal Apps

Fake branded mobile apps – most of them on Android – falsely advertise access to early Black Friday and Cyber Monday deals. Fake deal apps have been observed in the past luring victims with the promise of discounts. The real motivation for these apps is to steal personally identifiable information (PII) from the phones. Although not as common as SPAM, we believe this threat is on the increase, and new fake Android apps will surface for Black Friday/Cyber Monday week in 2016 as well.

Ransomware and EK

Ransomware is popular this year, but we haven’t observed major ransomware campaigns built around Black Friday in the past. Exploit kit activity is decreasing this year after the most popular kit, Angler, was taken offline. We do not expect them to run a big campaign over the Thanksgiving holiday.

Shopping Suggestions

Based on our observations and the predictions above, we suggest you follow the basic rules below when you shop online:

  1. Keep your browsers / operating system up to date
  2. Use SSL-secured sites for shopping
  3. Be cautious about fake websites and suspicious advertisements on web pages
  4. Do not open links or attachments from unknown or suspicious emails
  5. Be careful with shortened links such as bit.ly and goo.gl
  6. Use a different password for each of your online accounts
  7. Pay by credit card for the extra protection from banks
  8. Do not install suspicious apps from links in emails or messaging apps like WhatsApp
  9. Use official apps instead of the browser when shopping on a mobile device
  10. Avoid shopping on public Wi-Fi

Mirai and the IoT DDoS Attacks – A new Threat in Old Form

Mirai is a botnet management framework targeting Linux-based IoT (Internet-of-Things) devices such as DVRs, CCTV systems, and IP cameras. It was the tool responsible for 2 of the largest DDoS attacks on record, and both of them happened in the past 2 months:

-In late September, the hosting company OVH was attacked by 145,607 cameras/DVRs (1-30Mbps per IP). The attack traffic exceeded 1.5Tbps.

-On Oct 21, one of the major DNS service providers, Dyn, suffered a massive DDoS attack from over 380,000 infected devices. Many prominent websites such as Amazon, Twitter and Spotify experienced service outages for nearly 2 hours.

Mirai, the tool used to build these botnets, does not exploit any advanced vulnerabilities. It uses only the oldest, simplest form of attack: the weak telnet password.


Mirai has a hard-coded dictionary of 63 username/password pairs, most of them default credentials for popular IoT devices.[1]


Mirai has now become an open-source tool on GitHub, with more than 1,800 forks. The password dictionary is located in mirai/bot/scan.c. Anyone could develop it further and create similar DDoS attacks.[2]
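Because Mirai spreads by trying weak telnet credentials against as many hosts as it can reach, an infected device is visible in ordinary flow data long before it joins a DDoS: one source opening connections to a large number of distinct destinations on TCP/23 (Mirai also probes TCP/2323) in a short window. The detector below is an added example, not part of the alert and not the IPS signature named further down; the flow records are constructed (RFC 5737 documentation addresses) and the record layout (ts, src, dst, dport, proto) is an assumption about what an exporter provides.

```python
"""Flow-based detection of Mirai-style telnet scanning (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TELNET_PORTS = {23, 2323}   # Mirai's scanner targets both


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since epoch (constructed values below)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def telnet_scanners(flows: Iterable[Flow], window_s: float = 60.0,
                    min_targets: int = 20) -> Dict[str, int]:
    """Return {src: peak_distinct_targets} for every source that reached at
    least min_targets distinct destination IPs on telnet ports within any
    window_s-second sliding window."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append((f.ts, f.dst))

    hits: Dict[str, int] = {}
    for src, pairs in by_src.items():
        pairs.sort()
        in_window: Dict[str, int] = defaultdict(int)   # dst -> flows in window
        left, peak = 0, 0
        for right, (ts, dst) in enumerate(pairs):
            in_window[dst] += 1
            # Slide the left edge until the window spans at most window_s.
            while ts - pairs[left][0] > window_s:
                old = pairs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def build_sample_flows() -> List[Flow]:
    """Constructed flows: one infected camera, one administrator, some HTTPS."""
    flows: List[Flow] = []
    # Infected camera sweeping 40 hosts on telnet ports within 20 seconds.
    for i in range(1, 41):
        port = 2323 if i % 10 == 0 else 23
        flows.append(Flow(1000.0 + i * 0.5, "192.0.2.50", f"198.51.100.{i}", port))
    # Same camera talking HTTPS to its cloud service: not telnet, ignored.
    flows.append(Flow(1005.0, "192.0.2.50", "203.0.113.7", 443))
    # An administrator logging into three switches over telnet, minutes apart.
    for i, ts in zip((1, 2, 3), (1001.0, 1300.0, 1700.0)):
        flows.append(Flow(ts, "192.0.2.10", f"203.0.113.{i}", 23))
    return flows


if __name__ == "__main__":
    for src, n in telnet_scanners(build_sample_flows()).items():
        print(f"telnet scanner: {src} reached {n} distinct hosts")
```

The sliding window matters: a technician who telnets into a handful of devices over an afternoon never accumulates enough distinct targets inside one window, whereas a bot touches dozens within seconds. Tune min_targets and window_s to the size of the network segment being watched.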

In response to this incident, Xiongmai, a webcam manufacturer, has recalled some of its products (mostly webcams) while strengthening their password functions.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • IPS 11999: Mirai Telnet Scanning

References:

[1] https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
[2] https://github.com/jgamblin/Mirai-Source-Code/tree/master/mirai
[3] https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/
[4] http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

CryptoLuck Ransomware Infects Victims Using Signed Google Update (Nov 18, 2016)

The SonicWall Threats Research team observed reports of a new variant of the ransomware family detected as GAV: Cryptoluck.A actively spreading in the wild.

The malware injects its own DLL into the legitimate Google Update Service to avoid detection by system administrators.

Infection Cycle:

The Malware uses the following icons:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Application Data\76ff\GoogleUpdate.exe [ Legitimate Google Update Service ]

    • %Userprofile%\Application Data\76ff\goopdate.dll [ Injected DLL ]

    • %Userprofile%\Application Data\76ff\crp.cfg

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • %Userprofile%\Application Data\76ff\GoogleUpdate.exe

Once the computer is compromised, the malware copies its own executable file to the %Userprofile%\Application Data\76ff folder.

The GoogleUpdate.exe is a legitimate Google Update Service that is signed by Google as shown below:

The malware encrypts the victim’s files with a strong RSA 2048 encryption algorithm and holds them until the victim pays a fee to get them back. Encrypted files have the .[victim_id]_luck extension appended to the filename.

After encrypting all the personal documents and files it shows the following text file:

Once infected, the victim’s data is encrypted and the victim is given a 72 hour countdown to pay 2.1 bitcoins to the cyber criminals in exchange for the decryption key that supposedly allows recovery of the encrypted files.
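Both the Cerber alert above (files renamed to ten random alphanumeric characters plus .9d4b, with README.hta dropped into every directory that holds encrypted files) and this CryptoLuck alert (.[victim_id]_luck appended to the original name) describe renaming patterns that a responder can sweep a file share or restored backup for. The triage script below is an added example, not SonicWall’s code: it walks a directory tree, counts matches per directory for each family, and for Cerber also requires the ransom note beside the renamed files, as the alert describes. The sample tree is constructed in a temporary directory and the victim id A1B2C3D4 is a made-up placeholder.

```python
"""Filesystem triage for the Cerber and CryptoLuck renaming patterns (added example)."""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Set, Tuple

PATTERNS = {
    # Cerber: {10 random alphanumeric characters}.9d4b
    "cerber": re.compile(r"^[A-Za-z0-9]{10}\.9d4b$"),
    # CryptoLuck: <original filename>.[<victim_id>]_luck
    "cryptoluck": re.compile(r"^.+\.\[[^\[\]]+\]_luck$"),
}
CERBER_NOTE = "README.hta"


def scan_tree(root: str) -> Tuple[Dict[str, Counter], Set[str]]:
    """Count pattern matches per directory (relative to root) and record
    which directories contain the Cerber ransom note."""
    counts: Dict[str, Counter] = {fam: Counter() for fam in PATTERNS}
    notes: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == CERBER_NOTE:
                notes.add(rel)
            for fam, rx in PATTERNS.items():
                if rx.match(name):
                    counts[fam][rel] += 1
    return counts, notes


def assess(root: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Flag a family for every directory where its renamed-file count reaches
    the threshold. For Cerber the note must also be present in that directory,
    which cuts false positives from the occasional oddly named file."""
    counts, notes = scan_tree(root)
    flagged: Dict[str, List[str]] = {}
    for fam, per_dir in counts.items():
        for d, n in per_dir.items():
            if n >= threshold and (fam != "cerber" or d in notes):
                flagged.setdefault(fam, []).append(d)
    return {fam: sorted(dirs) for fam, dirs in flagged.items()}


def build_sample_tree() -> str:
    """Constructed victim tree in a temp dir; returns its root path."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs, pics, clean = (os.path.join(root, d) for d in ("Documents", "Pictures", "Clean"))
    for d in (docs, pics, clean):
        os.makedirs(d)
    # Cerber-style: three renamed files plus the note.
    for name in ("aZ3kQ9xL0p.9d4b", "Bq7wErTy1u.9d4b", "Mn4vCxZl8k.9d4b", CERBER_NOTE):
        open(os.path.join(docs, name), "w").close()
    # CryptoLuck-style: original name kept, victim id appended (placeholder id).
    for name in ("holiday.jpg.[A1B2C3D4]_luck", "family.png.[A1B2C3D4]_luck",
                 "scan.pdf.[A1B2C3D4]_luck"):
        open(os.path.join(pics, name), "w").close()
    # Untouched directory, including a near-miss extension that must not match.
    for name in ("notes.txt", "budget.xlsx", "abcdefghij.9d4c"):
        open(os.path.join(clean, name), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for fam, dirs in assess(sample_root).items():
        print(f"{fam}: {', '.join(dirs)}")
```

Run against a restored backup, the same scan tells you which snapshot predates the infection; run against a live share, the per-directory counts show how far the encryption progressed before the host was isolated.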

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cryptoluck.A (Trojan)