Artemis.A, New InfoStealer in the Wild. (January 26, 2017)

The SonicWall Threats Research team observed reports of a new InfoStealer family, Artemis (detected as GAV: Artemis.A_43), actively spreading in the wild.

Artemis gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe.tmp

    • Keylogger output (captured keystrokes)

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe" ..

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe" ..

Once the computer is compromised, the malware copies its own executable into the user profile folder listed above.
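The two Run-key entries above are the most durable host artifact in this write-up: a value whose name is a bare 32-character hex string and whose data points at an executable under a Temp directory. The following script, an added example and not SonicWall's tooling, parses the text produced by `reg export` of the Run keys and flags entries with either trait. The sample export is constructed for the demo (the user name and the "Documents and Settings" path are assumptions); the value data reproduces the quoted-path-plus-`..` form shown in the post.

```python
import re

# Autorun locations the write-up lists for Artemis persistence
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
_RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}

# "name"="data" lines of a .reg export; backslash and quote are escaped with a backslash
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_HEX32_RE = re.compile(r'^[0-9a-f]{32}$', re.I)          # MD5-looking value name
_TEMP_RE = re.compile(r'\\(local settings\\)?temp\\', re.I)  # target under a Temp dir


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def suspicious_run_entries(text):
    """Return Run-key values that look like the Artemis persistence entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in _RUN_KEYS_LC:
            continue
        reasons = []
        if _HEX32_RE.match(name):
            reasons.append("value name is a bare 32-hex-char string")
        if _TEMP_RE.search(data):
            reasons.append("autorun target lives under a Temp directory")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample of `reg export HKCU\...\Run` output: one benign entry, one Artemis-style entry
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"5cd8f17f4086744065eb0992a09e05a2"="\"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\Trojan.exe\" .."
'''

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_EXPORT):
        print(hit["name"], "->", hit["data"])
        for r in hit["reasons"]:
            print("   ", r)
```

Both heuristics are deliberately loose; a legitimate installer occasionally autoruns from Temp, so treat a hit as a lead to pull the referenced file for scanning (the GAV signature above will name it) rather than as a verdict on its own.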

The malware's goal is to collect as much data as possible: the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware retrieves the list of running processes and the websites visited by the user and sends it, Base64-encoded, to its C&C server.

The malware installs a keylogger on the target machine and saves the captured keystrokes into the Trojan.exe.tmp file.

The malware also gathers system data such as:

  • COMPUTERNAME

  • USERNAME

  • Date

  • Windows version

Command and Control (C&C) Traffic

Artemis performs its C&C communication over port 1177.

The malware sends the collected computer information to its C&C server in a fixed format.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Artemis.A_43 (Trojan)

Three Ways to Protect Your Business Against Ransomware-as-a-Service

Last week I was at one of our sales offices in Utah. I heard an interesting story about how a dentist office called in to ask for threat prevention against ransomware. The dentist office had been affected by ransomware twice in a short period of time. Twice, they paid the ransom to ensure business continuity and customer retention. This is a common story across many small to medium-sized businesses (SMBs) though we seldom hear about them in the media.

According to a study conducted in June 2016 by Osterman Research Inc., 30 percent of the ransom amounts demanded are $500 or less, reflecting the size of the businesses affected by the attacks. SonicWall's GRID threat research team has seen massive increases in ransomware infections in 2016, mostly among small and medium businesses. Ransomware-as-a-Service (RaaS), a distribution model designed to be user friendly and deployable by anyone, lets a would-be attacker simply download the ransomware either for free or for a small fee.

Ransomware-as-a-Service

Even simple measures can help protect against ransomware. Here are three ways:

Training

The same study shows that 67 percent of U.S. cyberattacks originate as phishing emails. Organizations that require employees to complete security awareness training at least once a year are less likely to get infected than companies that do it less frequently. Training alone is not sufficient, but it provides a necessary first line of defense for a lot of businesses.

Data backup

Ransomware exists because organizations keep paying the attackers for their data. With a good data backup infrastructure, a business can recover quickly by cleaning up its network and restoring the data from backup.

Technology

Advanced threats like ransomware attack all kinds of businesses. After multiple attacks, a big business can revive itself and get back on track. However, SMBs cannot afford such multiple attacks. Small amounts paid multiple times can quickly add up, and result in closure of a small business. It is even more important today for SMBs to invest in strong and advanced security solutions available through next-generation firewalls.

SonicWall firewalls have been protecting SMBs all over the globe for more than 25 years. With the comprehensive SonicWALL Gateway Security Suite providing gateway anti-virus, URL/web filtering and intrusion prevention services, businesses are protected 24x7x365 against known malware. With the recent increase in unknown malware and zero-day threats, the new Advanced Gateway Security Suite (AGSS) adds SonicWall Capture ATP, a multi-engine network sandboxing solution, providing advanced threat protection to all SonicWall firewalls, including the TZ Series for SMBs.

Discover best practices and download our solution brief: How to protect against ransomware.

Use the Advanced Gateway Security Suite from SonicWall.

Adobe Flash Player memory corruption vulnerability CVE-2017-2930 (Jan 20, 2017)

A memory corruption vulnerability exists in Adobe Flash Player versions 24.0.0.186 and earlier. An attacker can lure the victim into opening a specially crafted, malformed Flash file.
Successful exploitation allows the remote attacker to run malicious code in the context of the current user.

CVE-2017-2930 can be triggered by a swf file with an ActionRecord structure that contains an invalid value in ActionGetURL2.

Flash Player crashes when the SWF is opened.

The Flash file repeatedly tries to open an invalid address, which spawns many instances of Internet Explorer, causing a Denial of Service (DoS) and leaving the machine unresponsive.
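The trigger described above lives inside a DoAction tag: an ActionGetURL2 record (opcode 0x9A) whose single flags byte carries a value the player does not expect. The scanner below, an added example that is not the PoC and not SonicWall's signature logic, walks the tag stream of an uncompressed SWF, decodes each action record, and reports ActionGetURL2 records whose operand length is wrong or whose flags byte has the reserved bits set or a SendVarsMethod of 3 (the SWF specification defines only 0, 1 and 2). Which exact value the PoC uses is not stated in the post, so treating those encodings as "invalid" is an assumption; the helpers that build a minimal test SWF are constructed for the demo.

```python
import struct

TAG_DO_ACTION = 12        # SWF tag that carries ActionScript 2 bytecode
ACTION_GET_URL2 = 0x9A    # ActionGetURL2: one-byte flags operand


def _header_len(swf):
    """Offset of the first tag: fixed 8 bytes + RECT + frame rate (2) + frame count (2)."""
    nbits = swf[8] >> 3                       # RECT begins with a 5-bit Nbits field
    rect_len = (5 + 4 * nbits + 7) // 8       # RECT is padded to a byte boundary
    return 8 + rect_len + 4


def iter_tags(swf):
    """Yield (tag_code, tag_body) for an uncompressed (FWS) file."""
    if swf[:3] != b"FWS":
        raise ValueError("only uncompressed FWS files are handled here")
    off = _header_len(swf)
    while off + 2 <= len(swf):
        code_and_len = struct.unpack_from("<H", swf, off)[0]
        off += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long-form header: 32-bit length follows
            length = struct.unpack_from("<I", swf, off)[0]
            off += 4
        yield code, swf[off:off + length]
        off += length
        if code == 0:                         # End tag
            break


def iter_actions(body):
    """Yield (action_code, operand_bytes) from a DoAction body."""
    off = 0
    while off < len(body):
        code = body[off]
        off += 1
        if code == 0:                         # ActionEnd
            break
        data = b""
        if code >= 0x80:                      # opcodes >= 0x80 carry a 16-bit length + operand
            length = struct.unpack_from("<H", body, off)[0]
            off += 2
            data = body[off:off + length]
            off += length
        yield code, data


def find_bad_geturl2(swf):
    """Report ActionGetURL2 records with an unexpected operand (assumed 'invalid value')."""
    findings = []
    for code, body in iter_tags(swf):
        if code != TAG_DO_ACTION:
            continue
        for acode, data in iter_actions(body):
            if acode != ACTION_GET_URL2:
                continue
            if len(data) != 1:
                findings.append(("bad_length", len(data)))
                continue
            flags = data[0]
            method = flags >> 6               # SendVarsMethod: 0 none, 1 GET, 2 POST; 3 undefined
            reserved = (flags >> 2) & 0x0F    # four reserved bits, must be zero
            if method == 3 or reserved:
                findings.append(("bad_flags", flags))
    return findings


def geturl2(flags):
    """Encode one ActionGetURL2 record (constructed helper for the demo)."""
    return bytes([ACTION_GET_URL2]) + struct.pack("<H", 1) + bytes([flags])


def build_swf(actions):
    """Wrap action records in a minimal one-frame FWS file (constructed helper)."""
    body = b"".join(actions) + b"\x00"                       # ActionEnd
    tag = struct.pack("<H", (TAG_DO_ACTION << 6) | 0x3F) + struct.pack("<I", len(body)) + body
    end_tag = struct.pack("<H", 0)
    rest = bytes([0x00]) + struct.pack("<HH", 0x0C00, 1) + tag + end_tag  # RECT(Nbits=0), 12 fps, 1 frame
    return b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(rest)) + rest


if __name__ == "__main__":
    print(find_bad_geturl2(build_swf([geturl2(0x40)])))   # GET, well-formed
    print(find_bad_geturl2(build_swf([geturl2(0xC0)])))   # SendVarsMethod == 3
```

Real samples are usually CWS (zlib) or ZWS (LZMA) compressed; inflate the body after the 8-byte header before handing it to `iter_tags`. The check is a triage aid for a malformed-file hunt, not a substitute for the vendor patch.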

The PoC can be found here.
Adobe patched this vulnerability in the January 2017 Patch Tuesday release.

The SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers:

  • SPY 1274 : Malformed-File swf.MP.525_2

Fake Super Mario Run(s) to Android with malware (January 17, 2017)

Super Mario Run received a stellar launch on Apple devices as it was downloaded 2.85 million times on its launch day – December 15 2016. Its popularity has been going strong since its launch as it continues to increase its user base. As of mid-January 2017 there is still no concrete confirmation about the availability of Mario for Android devices, but this has not stopped users from searching for Mario Run for Android.

Attackers have taken note of this popularity and created fake apps that pose as Mario Run but have malicious content hidden in them. These apps can be downloaded from third-party app stores, as shown below:

The official placeholder for this app on Google Play says it’s open only for pre-registration (As of January 15, 2017):

The SonicWall Threats Research team observed a few cases where Super Mario Run was being used as a medium to spread malicious apps; this blog highlights these cases.

Mario Run with embedded DroidJack

We saw two instances where DroidJack was embedded as part of the app. DroidJack is an Android Remote Administration Tool (RAT) with a plethora of features, a few of which are listed below:

  • Read and delete call logs
  • Make calls
  • Read, write and delete SMS messages
  • Read, create and delete contacts
  • Take pictures from the front/back camera
  • Record videos from front/back camera

The figure below shows DroidJack code in the apk:

Marcher banking malware hiding behind Mario Run

Marcher is a known Android banking malware that tries to steal banking and credit card information after infecting a device. The Marcher variant bundled with Mario Run is no different: it checks for the presence of a few banking apps on the phone and displays a custom overlay screen when one of these apps is launched. The overlay accepts the user's input and sends it directly to the attackers, while the user believes the data went to the legitimate banking app. A few of the targeted banking apps are listed below; the entire list can be seen in the appendix:

  • Barclays Zambia – com.barclays.android.barclaysmobilebanking
  • HSBC Mobile Banking – com.htsu.hsbcpersonalbanking
  • Santander UK Personal Banking – uk.co.tsb.mobilebank
  • Lloyds Bank Mobile Banking – com.grppl.android.shell.CMBlloydsTSB73
  • Bank of Scotland Mobile Bank – com.grppl.android.shell.BOS

It also shows a custom screen that asks for credit card information when the Google Play app is opened. Additionally, this malware checks for the presence of a few security apps on the device and disables them upon finding them. A few of the targeted apps are listed below; the entire list can be found in the appendix:

  • DU Antivirus – com.duapps.antivirus
  • Eset Mobile Security & Antivirus – com.eset.ems.gp
  • AVG AntiVirus FREE for Android – avg.antivirus
  • 360 Security Lite Speed Boost – com.qihoo.security.lite
  • IKARUS mobile.security – com.ikarus.mobile.security

Adware installer laden Mario Run

Adware on Android has been a nuisance for a while now, it’s no surprise to find adware try and use Mario’s popularity for its own gain. We got our hands on an adware installer that uses Mario Run as a guise. Upon installation this adware starts downloading secondary adware apps and stores them on the device as shown below:

Additionally it shows an overlay on the device which is essentially an advertisement that promotes more adware apps:

The adware is also able to capture sensitive details about the device, such as the IMEI:

During our analysis we observed the adware communicate with the following domains:

  • xtra1.gpsonextra.net
  • mobogames.ru
  • show-app-ads.ru

SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.DroidJack.MA (Trojan)
  • GAV: AndroidOS.Marcher.AV (Trojan)
  • GAV: AndroidOS.Downloader.BR (Trojan)


Appendix

The following samples were analyzed in this blog:

  • Malware type: Embedded DroidJack component
    MD5: 69b4b32e4636f1981841cbbe3b927560
    Package Name: net.droidjack.server

  • Malware type: Embedded Marcher component
    MD5: 03e459c685cd7320384af4cc938b1a69
    Package Name: jse.hjevdybdgjgmyosekskxdczwyqunha

  • Malware type: Embedded Marcher component
    MD5: d332560f1fc3e6dc58d94d6fa0dab748
    Package Name: uiq.pizfbwzbvxmtkmtbhnijdsrhdixqwd

  • Malware type: Embedded Adware downloader
    MD5: cab7c1ed86d87e1a174bae0557a09c0e
    Package Name: app.android_files_downloader_25311216

Complete list of Banking apps that are monitored by the analyzed Marcher embedded Mario Run app:

  • Mes Comptes – LCL pour mobile – fr.lcl.android.customerarea
  • L’Appli Societe Generale – mobi.societegenerale.mobile.lappli
  • CIC Euro Information – com.cic_prod.bad
  • Mes Comptes BNP Paribas – net.bnpparibas.mescomptes
  • Royal Bank of Scotland – com.rbs.mobile.android.ubr
  • Halifax Mobile Banking app – com.grppl.android.shell.halifax
  • La Banque Postale – com.fullsix.android.labanquepostale.accountaccess
  • Barclays Zambia – com.barclays.android.barclaysmobilebanking
  • Banque Caisse d’Epargne – com.caisseepargne.android.mobilebanking
  • Rbs Mobile Payment – com.rbs.mobile.android.rbs
  • Cyberplus Banque Populaire – fr.banquepopulaire.cyberplus
  • Ma Banque – fr.creditagricole.androidapp
  • HSBC Mobile Banking – com.htsu.hsbcpersonalbanking
  • Santander UK Personal Banking – uk.co.tsb.mobilebank
  • Lloyds Bank Mobile Banking – com.grppl.android.shell.CMBlloydsTSB73
  • Bank of Scotland Mobile Bank – com.grppl.android.shell.BOS
  • Rbs Mobile Payment – com.rbs.mobile.android.natwest
  • Santander UK plc Personal Banking – uk.co.santander.santanderUK

Complete list of Security apps that are monitored by the analyzed Marcher embedded Mario run app:

  • DU Antivirus – com.duapps.antivirus
  • Eset Mobile Security & Antivirus – com.eset.ems2.gp
  • Eset Mobile Security & Antivirus – com.eset.ems.gp
  • AntiVirus & Mobile Security – com.anhlt.antiviruspro
  • AVG AntiVirus FREE for Android – avg.antivirus
  • AVG AntiVirus FREE for Android – com.antivirus
  • CM Speed Booster – com.cleanmaster.boost
  • 360 Security Lite Speed Boost – com.qihoo.security.lite
  • com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
  • Anti-virus Dr.Web Light – com.drweb
  • Clean Master (Boost&Antivirus) – com.cleanmaster.mguard
  • IKARUS mobile.security – com.ikarus.mobile.security
  • Antivirus Free – Virus Cleaner – com.zrgiu.antivirus
  • CM Security AppLock AntiVirus – com.cleanmaster.security
  • NQ Mobile Security & Antivirus – com.netqin.antivirus
  • NQ Mobile Security & Antivirus – com.nqmobile.antivirus20
  • CCleaner – com.piriform.ccleaner
  • 360 Security – Antivirus Boost – com.qihoo.security
  • Super Virus Detector – droiddudes.best.anitvirus
  • NQ Mobile Security & Antivirus – com.nqmobile.antivirus20.clarobr
  • Norton Security and Antivirus – com.symantec.mobilesecurity
  • Mobile Security & Antivirus – com.avast.android.mobilesecurity
  • Bitdefender Antivirus Free – com.bitdefender.antivirus
  • Trustlook Free Antivirus & Security – com.trustlook.antivirus
  • Kaspersky Antivirus & Security – com.kms.free
  • DU Speed Booster & Cleaner – com.dianxinos.optimizer.duplay
  • Cheetah Mobile CleanMaster SDK – com.cleanmaster.sdk
  • AVD Tablet AntiVirus FREE 2017 – com.antivirus.tablet
  • DFNDR: Antivirus & Booster – com.psafe.msuite
  • Womboid Systems Antivirus – com.womboidsystems.antivirus.security.android

Retail Networks at the Forefront – Have a Plan and Check Out SonicWall at NRF Retail’s the BIG Show

The data is still coming in, but it’s looking like consumer spending this holiday season will once again outperform previous years. Multiple research firms including the National Retail Federation (NRF) are predicting a growth in sales over the same period in 2015. Credit card vendor Mastercard is forecasting a 19% increase in online sales over the holidays. Increasingly, much of that shopping has transitioned from traditional brick-and-mortar stores to online. E-commerce continues to grow each year. For example, Deloitte is projecting a 17-19 percent increase in online sales between the beginning of November and January 2017.

Not all the news is good however. Major retailers Macy’s, Sears and Kmart announced recently that each will be closing a number of stores across the country due to lagging sales. Some of this may be attributable to the shift in how consumers make their purchases. With the rise in online shopping, whether through a PC or mobile device, fewer buyers are braving the crowds and winter weather to drive to a physical store, especially over the holidays. Instead, they turn to the web to search for the best deal they can find online. Therefore, having a robust digital storefront for secure e-commerce is an essential piece of any successful retail plan.

Another key component of the retail plan is securing the network from threats such as breaches and ransomware. Over the past few years numerous high-profile retailers have been in the news as hackers have gained access to supposedly secure customer data, including credit card numbers. If you've never been the victim of identity theft, count yourself lucky. Over the holiday season the number of attacks typically goes up, as hackers know consumers will be spending more time online researching gifts and making purchases, or making those purchases in person at the store. Either way, this represents a good opportunity for hackers to target retail networks. And while it's the big vendors that make the headlines, smaller retailers aren't immune from these attacks. In some ways they are more vulnerable, as many don't have an IT manager who is responsible for network security.

The onus to protect against the loss of confidential information falls on both consumers and retailers. For each there are steps that can be taken to safeguard against threats.

Consumers

  • Pay in cash at the store
  • Use a chip-enabled credit card whenever possible
  • Change account passwords frequently

Retailers

  • Implement chip card readers in your store(s)
  • Deploy a next-generation firewall that uses advanced security technologies including sandboxing and SSL decryption and inspection
  • Make it a policy to change employee and account passwords regularly (And don’t use “password1”)

Want more information on securing your retail network? Coming on the heels of the holiday shopping season is what's been dubbed "NRF Retail's BIG Show". It's the National Retail Federation Convention and EXPO in New York City, January 15-17. The event features a wide variety of industry-focused discussions from retail leaders. Over at the EXPO you can talk directly with vendors who offer products and services for retailers. Don't miss SonicWall's booth #2535 on the EXPO floor, where you can talk to our network security experts about our next-generation firewalls and SonicWall Capture Advanced Threat Protection sandboxing service, a CRN Products of the Year award winner.

In addition, SonicWall Systems Engineer Sr. Manager Bobby Cornwell and Sr. Product Marketing Manager Kent Shuart will present “Compromise vs. Protection: A ‘Cybercriminal’ and Network Security Technologist Face-off.”

Where: Room 2, Level 1 of the EXPO Hall

When: On Monday, January 16 at 1:30 pm. Join this discussion for a demonstration showing how the next generation of malware can be used against your retail organization and what you can do to protect your network and your data.

See our new Retail Security infographic and download: Network Security for Your Retail Business.

Microsoft Security Bulletin Coverage (Jan 10, 2017)

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of January, 2017. A list of issues reported, along with SonicWall coverage information are as follows:

MS17-001 Security Update for Microsoft Edge

  • CVE-2017-0002 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS17-002 Security Update for Microsoft Office

  • CVE-2017-0003 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS17-003 Security Update for Adobe Flash Player

  • CVE-2017-2925 Adobe Flash Player Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-2926 Adobe Flash Player Vulnerability
    ASPY:1270 “Malformed-File swf.MP.533”
  • CVE-2017-2927 Adobe Flash Player Vulnerability
    ASPY:1271 “Malformed-File swf.MP.534”
  • CVE-2017-2928 Adobe Flash Player Vulnerability
    ASPY:1272 “Malformed-File swf.MP.524_2”
  • CVE-2017-2930 Adobe Flash Player Vulnerability
    ASPY:1274 “Malformed-File swf.MP.525_2”
  • CVE-2017-2931 Adobe Flash Player Vulnerability
    ASPY:1275 “Malformed-File swf.MP.526_2”
  • CVE-2017-2932 Adobe Flash Player Vulnerability
    ASPY:1276 “Malformed-File swf.MP.527_2”
  • CVE-2017-2933 Adobe Flash Player Vulnerability
    ASPY:1277 “Malformed-File swf.MP.528_2”
  • CVE-2017-2934 Adobe Flash Player Vulnerability
    ASPY:1278 “Malformed-File swf.MP.529_2”
  • CVE-2017-2935 Adobe Flash Player Vulnerability
    ASPY:1279 “Malformed-File swf.MP.530_2”
  • CVE-2017-2936 Adobe Flash Player Vulnerability
    ASPY:1280 “Malformed-File swf.MP.531”
  • CVE-2017-2937 Adobe Flash Player Vulnerability
    ASPY:1281 “Malformed-File swf.MP.532”

MS17-004 Security Update for Local Security Authority Subsystem Service

  • CVE-2017-0004 Local Security Authority Subsystem Service Denial of Service Vulnerability
    IPS:12571 “LSASS DoS Vulnerability (MS17-004)”

This Ransomware is still in the Christmas spirit (Jan 10, 2017)

Ransomware continues to be the most prevalent malware nowadays and this week, the SonicWALL Threat Research team received a report of yet another variant. This ransomware however appears to still be in the Christmas spirit a couple of weeks after the holiday. Besides encrypting the victim’s files, this ransomware also gathers information from the compromised computer and sends them out to a remote server.

Infection Cycle:

Upon execution, this ransomware makes a DNS query to the following server:

  • onion1.pw

It then gathers information about the compromised machine, such as the computer name, user login information, whether the user has administrative privileges, system information, currently running processes and installed programs. All of this data is then sent out to a remote server.

It appends the extension “.RMCM1” to all the files it encrypted. It also leaves a copy of the file named “YOUR_FILES_ARE_DEAD.HTA” in every directory where files have been encrypted.

This .HTA file opens a window titled “Merry X-Mas!” and warns the user that their files will be deleted if payment has not been made within the given time limit. Contact information of the cybercriminals is listed as part of this warning message as well.

To ensure that this warning message appears during start up, the following key has been added to the registry:

  • HKCR\Software\Microsoft\Windows\CurrentVersion\Run "Adobe2" "%USER%\Desktop\YOUR_FILES_ARE_DEAD.HTA"

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.
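The two file-system indicators in this write-up, the ".RMCM1" extension and the per-directory "YOUR_FILES_ARE_DEAD.HTA" note, are enough to scope an infection for the incident report before any restore from backup. The script below is an added example, not SonicWall's tooling, and decrypts nothing: it walks a tree, lists every encrypted file, records which directories received the note, and, because the note is described as dropped in every directory where files were encrypted, flags directories that hold encrypted files but no note (useful for spotting an interrupted run). The sample tree is constructed inline; the extension and note name are parameters so the same walk works for other families.

```python
import os
import tempfile

# Indicators from the write-up
XMAS_EXT = ".RMCM1"
XMAS_NOTE = "YOUR_FILES_ARE_DEAD.HTA"


def triage_tree(root, ext=XMAS_EXT, note=XMAS_NOTE):
    """Summarise ransomware artefacts under `root` for an IR report."""
    summary = {"encrypted_files": [], "note_dirs": [], "dirs_missing_note": []}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [os.path.join(dirpath, f) for f in files
                     if f.upper().endswith(ext.upper())]
        has_note = note.upper() in (f.upper() for f in files)
        summary["encrypted_files"].extend(encrypted)
        if has_note:
            summary["note_dirs"].append(dirpath)
        if encrypted and not has_note:
            # Note expected in every encrypted directory; absence suggests an interrupted run
            summary["dirs_missing_note"].append(dirpath)
    return summary


def build_sample_tree():
    """Constructed infection layout: one fully processed dir, one without a note, one untouched."""
    root = tempfile.mkdtemp(prefix="xmas_")
    layout = {
        "Documents": ["report.docx" + XMAS_EXT, "budget.xlsx" + XMAS_EXT, XMAS_NOTE],
        "Pictures": ["cat.jpg" + XMAS_EXT],
        "Program Files": ["app.exe"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(len(result["encrypted_files"]), "encrypted files")
    print("notes in:", result["note_dirs"])
    print("encrypted but no note:", result["dirs_missing_note"])
```

Run it against a mounted image of the affected volume rather than the live host, and keep the output alongside the Run-key entry above as the evidence set for the case.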

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Ransom.XMAS (Trojan)
  • GAV: Ransom.XMAS_2 (Trojan)

SonicWall Capture ATP Stands Up Against Malware Test

What would happen if you gathered five days of newly discovered malware and unleashed it upon an end-point protected by SonicWall?

I have been working with SonicWall firewalls for 10 years, and I was beta testing SonicWall Capture as part of my role here as an escalation engineer. Since we are big believers in drinking our own champagne, I was testing on my home network. I logged in and stared at it for days but it just did nothing. I was starting to get concerned. Did it just not work? Was there a bug? I was sure it was configured properly, but still – nothing. Then I realized I was not downloading anything malicious enough to trigger it. My wife does Facebook and the banking; I hang out on sites like blog.sonicwall.com. The cat does hop on the keyboard at times but other than that, we're not downloading much malware.

I hatched a plan to download as much malware as possible. I scoured the internet and found a python script that did exactly this. It was a bit broken and I had to hack it up a bit to make it work, but in no time I was downloading thousands of potential viruses at a time. Super excited, I logged back in and navigated to the Capture feature and found that it actually did something: it analyzed two files and tagged them as clean.

This was making me sad, so I started digging a little deeper. After combing through the logs, I determined that the vast majority of what I was trying to download was being caught by all the other security services. As an example, some of the files were hosted on known botnets so they were blocked by the botnet filter before they even had a chance to hit the Capture engine. I turned off all the security things and ran my script again.

Once again, I logged into Capture with my fingers crossed and lo and behold, this thing was lit up like a Christmas tree. “OK so now I know it works,” I thought to myself. Next, I dug around a little bit and once I was satisfied, I shut my script down. Every time I tested a new firmware version I fired up the script to verify that it worked and then shut it down again.

A few weeks ago I was running the script, putting SonicWall Capture Advanced Threat Protection (ATP) through a rigorous test and I showed a few people, who showed a few other people, who thought it would be a good idea to show it to you guys. The result of that is this video with an awesome introduction by my buddy Brook Chelmo, SonicWall Capture's senior product marketing manager. Brook is great at explaining all the bits and pieces that make this work. Just watch the video and you'll see what I mean.

[embedyt] http://www.youtube.com/watch?v=vzSJtuLwiIA&width=600&height=400[/embedyt]

In order for us to get the maximum number of malicious files, we turned off several safety mechanisms (e.g. botnet filtering) on the SonicWall next-gen firewall management console and ran a python script that pulled potential malware from a number of sites. The results were outstanding, and we identified a number of pieces of malware that were previously unknown to us and that would not have been caught without SonicWall Capture ATP.

Learn how SonicWall Capture ATP Service eliminates malware through the technology chain from the internet to the end-point. This is a security service you can purchase for your SonicWall next-gen firewall. Although most of the potential malware was stopped by SonicWall Gateway Anti-Virus (because it was known to us), a handful of malicious code was discovered by the SonicWall Capture ATP network sandbox.  The video above dives into the reports generated for malware discovered in sandbox pre-filtering, as well as SonicWall Capture ATP’s multi-engine processing.

BleedGreen FireCrypt Ransomware Kit fails at DDoS (Jan 6th 2017)

The SonicWall Threats Research team has received reports of a new ransomware named FireCrypt. It is created by a malware kit called BleedGreen, which generates FireCrypt executables from a limited set of options, one of which is a DDoS against the Pakistan Telecommunication Authority website.

The Kit executable file uses the following icon:

The kit, which requires .NET 4.0 to run, uses the Windows Command Prompt as its configuration interface. It lists its built-in features and provides an option to supply an icon for the generated malware executable:

Infection Cycle:

Once the generated file is run on the target machine it kills Task Manager if running and makes the following DNS Query:

  • www.pta.gov.pk

It is believed that the following communication to the Pakistan Telecommunication Authority website is part of an intended DDoS attack although it appears to be ineffective:

The Trojan scans the filesystem for files to encrypt. Javascript code that was found embedded in the executable file shows a list of file extensions that the malware looks for to encrypt using AES-256:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe (copy of original) [Detected as GAV: FireCrypt.A (Trojan)]
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-filesencrypted.html
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-READ_ME.html
  • %USERPROFILE%\Local Settings\Temp\dbgRKSvXIYceWvY-(num).html x453 (where num is a number between 1 and 453)

tFyROkGeXTevLgT-filesencrypted.html contains a list of files that were encrypted by the Trojan.

tFyROkGeXTevLgT-READ_ME.html contains the following message:

As with most ransomware FireCrypt uses Bitcoin as its ransom payment method.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FireCrypt.A (Trojan)

Prevent Ransomware Threats: Simple Online Shopping Safety Tips for New Year’s Deals

My guess is that if you are reading my blog, you are doing some of your new year shopping online.  What I am concerned about is what the shopping season means to cybercriminals and how you can protect your network.  This season, give yourself the gift of the Human Firewall and learn how to protect yourself.

Here are my key concerns:

  • Credentials stolen through credit card theft
  • Ransomware activated by clicking on a fake email link or a suspect website

Keeping yourself safe from these attacks is a matter of building your virtual street smarts.  I know many are looking for the best deal, but be wary of where you go to do your shopping.  I can envision sites popping up that advertise that they have, IN STOCK, that hard to find, specific item you want.  You go to that site, click on a link and, WHAM! You get a virus, or worse: ransomware.

Maybe you are lucky and avoid that site, but your credit card information is stolen from a legitimate site with a compromised shopping cart, or from an email scam.  How do you protect yourself? Be sure to read the tips in the ransomware blog by Bill Conner, President and CEO of SonicWall.

  1. Make sure your anti-virus software is up to date.
  2. Do NOT click on attachments or links from emails where you do not know the sender.
  3. Consider incognito browsing, which allows you to browse without storing local data and passwords that could be retrieved at a later date. This is especially important if anyone else uses your device.  (Incognito browsing also helps if you do not want anyone to know what cool gifts you purchased.)

If you are a business looking for insights, don’t be lulled by the feeling that you do not have anything of value to steal.  Every business has something a cybercriminal wants: your employee information, partner information, intellectual property or just the access to your bank account.  You can add to your business’ level of protection by taking a few simple actions:

  1. Do not give broad access to temporary employees. If they need to access the POS system, give them rights to only that area, rather than carte blanche access to your whole network.
  2. Make sure all the protection features of your next-generation firewall are turned on. If this slows your network down, consider a post-holiday upgrade to something better.
  3. When in doubt, ask for help. If you do not know how to implement any of these strategies, find someone who does. If you have not done this yet, take a look at the PCI security guidelines.  They provide a great starting point for protection.

There are many things that you can do to protect yourself and your business during the action-packed season.  I wanted to cover a few that you may have missed in the face of shopping New Year’s deals.  Celebrate the season and the best to you all in the New Year.

Download our eBook: "8 Ways to Protect Your Network Against Ransomware"