Posts

Ransomware Negotiation: How Hackers Target SMBs

It was a Tuesday afternoon. Liz, a local attorney with 26 years of experience, had given up.

She was easily over 20 hours in to trying to free her computer, with all of her files, from a ransomware attack. She just spent a few thousand dollars on a local IT team to break the encryption and remove the malware. They ultimately couldn’t succeed, but charged $2,000 for their time anyway.

Law enforcement and a local FBI contact both shrugged their shoulders. They only offered sympathy instead of a commitment to investigate. With all of her client files locked, she did what roughly 5 percent of small businesses did this year: contact the hacker via the email address in the ransom note.

Shortly later, a message came through: “Hi, the price to decrypt your files is 1.5 bitcoin.”

With icy fingers, she proceeded to converse with the hacker, via a Russian-based email address, who was going by the name Alkash; possibly an Armenian slang term for “alcoholic.” She began to negotiate with him by acting as an elderly person with little money. She told him she had about $350. His reply was simply, “No.”

She didn’t give up. She replied, “I am supporting my kids and I have to use my computer to earn money. Why are you doing this? Don’t you have family?”

He didn’t bite. He replied, “You live in a rich country. I give you 3 days after which I delete the keys to your files.”

She didn’t flinch. She came back and told him to look at the news on how the government treats the poor and how rich people keep their money to themselves. She said her healthcare was being taken away and she was very sick.

“You own a server with open access,” he said. “Why would a poor sick woman own a server?”

This reveals how she was infected. A lot of us think we are too small to be a target, but in the end, all of us our IP and email addresses that will eventually be found. She had little in the way of security, only endpoint antivirus; an easy target.

She convinced the hacker that she could borrow money from a relative to make it $500. The attacker agreed and instructed her to send a few files that he would unlock as a guarantee he will unlock them all when she pays.

Two days after the initial exchange, Liz was able to buy the right amount of bitcoin from a problematic dealer in South America. She finally unlocked her files.

It was done. Her files were back. She sobbed.

It took around 50 hours to get to this point. Fifty hours of living in fear her client files were gone forever. Fifty hours of lost productivity. Fifty hours of being at the mercy of a thief.

Liz was able to return to work and eventually took time off to recuperate from the attack. Later, while on vacation, she received a call from someone who shared an office with her.

“Are you remotely accessing your computer from your vacation spot?” they said.

The answer was solid: “No!”

Someone, possibly Alkash, was accessing her computer and eventually stole her personal credit card information saved in her browser. She returned from her trip and went right back to work to remediate another breach of her system.

A call to the IT team, a security vendor and the FBI gave her another 20-hour headache, a stack of bills and quotes. Between both attacks, Liz estimated she lost around $50,000 in consultant fees and lost productivity alone.

Feeling like she was getting the run around, Liz called someone she knew at SonicWall. The team went to work to segment her office network and set her up with a firewall. It included the Advanced Gateway Security Suite, which comes with the SonicWall Capture Advanced Threat Protection cloud sandbox service,  to stop known and unknown malware attacks, as well as intrusion attacks, against her server.

So, how are things today?

“Great!” says Liz.

She doesn’t have to worry about follow-on attacks, ransomware attempts and deflating calls to the FBI.

Studies have shown that when a small business is hit with a critical cyber-attack, one in six have to stop business for more than 25 hours. Liz knows the truth to that.

Moreover, roughly 60 percent of small companies that experience a crippling cyber attack are run out of business. A fear that Liz mulled over for 50 hours in June 2017.

To better arm yourself against these forms of cyber attacks, please read our eBook, “How ransomware can hold your business hostage.”

Ransomware: Are You Protected From the Next Outbreak?

Will you be ransomware’s next victim? Can ransomware encrypt your data and hold it hostage until you pay a ransom?

Organizations large and small across industries and around the globe are at risk of a ransomware attack. The media mostly reports attacks at large institutions, such as the Hollywood Hospital that suffered over a week offline in 2016 after a ransomware attack encrypted files and demanded ransom to decrypt the data. However, small businesses are affected also. In fact, Kaspersky research reported that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over a 12-month period. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Whether you are part of a large organization or a small business, you are at risk.

The recent WannaCry ransomware attack was the largest ransomware campaign ever. In the course of a weekend, WannaCry spread to over 250,000 computers in 150 countries, crippling operations at hospitals, telecom providers, utility companies, and other businesses around the globe.

Once primarily an issue for Windows desktops, ransomware attacks have now occurred across many device types and operating systems, including KeRanger, a ransomware variant that emerged in 2016 that targeted Apple OS X. This variant was hidden in a compromised version of the Transmission BitTorrent client and affected about 6,500 computers within a day and a half.

These attacks often start with an internet file download or email attachment that seems innocuous but actually is hiding malware that encrypts files. End user productivity grinds to a halt and your help desk lights up. Worse, your business can suffer both financially and also from damage to your reputation.

Can your security solutions protect from this threat? Maybe. Legacy security technologies are often signature based, great for detecting “known” malware, but ineffective against “unknown” or zero-day attacks. To better detect unknown threats, security professionals are adding an additional layer of security and deploying advanced threat detection technologies, such as network sandboxes specifically SonicWall Capture ATP, that analyze the behavior of suspicious files and uncover hidden malware. To learn more about what it takes to keep malicious code out of your network, read our whitepaper: Why Network Sandboxing is Required to Stop Ransomware.

The Seven Habits of Highly Effective Ransomware Attacks

In 2016, SonicWall detected a 600% growth in ransomware families. We saw a wide range of ransomware forms and attack vectors in the 2017 Annual Threat Report; some successful, others not so much.  So, what is at the core of any successful attack? If you understand the seven components of a ransomware campaign strategy, you can better defend yourself from one of the most pernicious forms of malware in history.

1. Intelligent target research

Any good scammer knows how to find the right people in an organization to target with the right message.  Hackers know that municipal and healthcare  are a ripe choice. Even though organizations are providing awareness education, people still click on cleverly created social media posts and emails. In addition to this, hackers can go to any public lead generation database and find the right set of victims for a phishing campaign.

2. Effective delivery

Since 65 percent of ransomware attacks happen through email, a scammer can easily send that infected attachment to someone in accounts payable claiming it is an unpaid invoice.  A similar attack brought BWL of Lansing, Michigan to its knees for two weeks and cost the utility provider around $2.4M USD. Secondly, developing sensationally titled social media posts with a farfetched photo are great at funneling people to infected web destinations, which make up roughly 35 percent of successful attacks.

3. Good code

Because companies are bolstering their security strategy, attackers should focus on ways of circumventing this.  First, aggressive hackers update their code frequently to get past signature-based counter-measures.  Second, the code should have several built-in evasion tactics to sneak past advanced defenses such as network sandboxes.  Cerber’s code provides a great example for other attackers to model. Malicious code authors are hoping the target does not deploy a multi-engine sandbox like SonicWall Capture Advanced Threat Protection, which is much more difficult to evade. Third, the code should worm from system to system to create as much havoc as possible and therefore increase the potential payoff.

4. Great understanding for infected systems

Any good hacker will know what he/she has infected and thereby ask for an appropriate ransom.  Endpoints such as a laptop are worth $1K, servers $5K and critical infrastructure as high as hundreds of thousands of dollars.  Hackers hope that their targets do not have segmented networks so they can infect multiple systems within a single attack. They also rely on inconsistent backups for a higher customer conversion rate.

5. Patience & persistence

In order for organizations to stay safe from an effective attack, they have to be right all the time.  For the attackers, they have to be right just once.  Although awareness, security, and consistent backups are the essential ingredients to ransomware defense, they are not perfect.  This is why good hackers keep trying, repackaging code into different delivery mechanisms and exploit kits.

6. Good customer support

The best ransomware variants have good customer support channels. Attackers use them to negotiate with victims and assure them that they will get their data back if they pay.

7. Good payment management

Although other ransomware variants have used other forms of payment, bitcoin is still the best choice. Bitcoin is easier to obtain and exchange, so ransomware attacks have a higher payout ratio against consumers with infected endpoints. To mitigate bitcoin wallet compromise, hackers will rotate the associated email address with a specific wallet, which also pressures victims to pay quicker.

I hope that you will be able to read these notes to understand what is in the mind of an attacker possibly targeting your industry or organization.  Use these tips to develop a good anti-ransomware and malware strategy.  For more information, please watch this webcast How To Protect Your Organization From Ransomware.

CAPTURE MORE. FEAR LESS: SonicWall Capture ATP for Ransomware Prevention

If you pictured a specific technology exemplified as an animal what would it be?  Cars have been visualized as horses and bulls and the names like Mustang, Pinto, and Taurus all ring a bell with us. We see this in cyber security as well.  We have worms, bugs, and Trojan [horses] (I know that’s a stretch).  If you picture ransomware viruses as malicious bugs then you would see Capture Advanced Threat Protection (ATP) as a spider.

Spiders are the perfect foe of bugs. They sit in wait within perfectly designed traps and focus their energy on processing their prey.  SonicWall Capture ATP, multi-engine cloud-based sandbox, does just that; as a network sandbox it awaits suspicious code in order to process it to see what it wants to do from the application, to the OS, to the software residing on the hardware. If you read up on Cerber ransomware, you will see one of the most advanced persistent threats known today.  You will see how it evades traditional security and employs evasion tactics to get around network sandboxes. Thanks to Capture ATP’s parallel processing multi-engine sandbox, catching Cerber is easily done.

Capture ATP is not only successful versus Cerber and other nasty forms of ransomware, but it also finds many other forms of malware too.  Last year, SonicWall detected over 60 million new and updated malware; that’s roughly two per second.  With that volume of malware being processed on a daily basis, it’s important to have a network sandbox in place to catch yet-to-be-discovered malware before it can make itself known by locking your desktops and encrypting your files.

Watch the video below to see how Solutions Granted, Inc., a Platinum Partner, CEO, Michael Crean, sees the benefits of using Capture ATP.

SonicWall Annual Threat Report Reveals the State of the Cybersecurity Arms Race

In the war against cyber crime, no one gets to avoid battle. That’s why it’s crucial that each of us is proactive in understanding the innovation and advancements being made on both sides of the cybersecurity arms race. To that end, today we introduced the 2017 SonicWall Annual Threat Report, offering clients, businesses, cybersecurity peers and industry media and analysts a detailed overview of the state of the cybersecurity landscape.

To map out the cybersecurity battlefield, we studied data gathered by the SonicWall Global Response Intelligence Defense (GRID) Threat Network throughout the year. Our findings supported what we already knew to be true – that 2016 was a highly innovative and successful year for both security teams and cyber criminals.

Security Industry Advances

Security teams claimed a solid share of victories in 2016. For the first time in years, our SonicWall GRID Threat Network detected a decline in the volume of unique malware samples and the number of malware attack attempts.  Unique samples collected in 2016 fell to 60 million compared with 64 million in 2015, whereas total attack attempts dropped to 7.87 billion from 8.19 billion in 2015. This is a strong indication that many security industry initiatives are helping protect companies from malicious breaches.  Below are some of the other areas where progress is clearly being made.

Decline of POS Malware Variants

Cybersecurity teams leveraged new technology and procedural improvements to gain important ground throughout the year. If you were one of the unlucky victims of the point-of-sale (POS) system attack crisis that shook the retail industry in 2014, you’ll be happy to learn that POS malware has waned enormously as a result of heightened security measures. The SonicWall GRID Threat Network saw the number of new POS malware variants decrease by 88 percent since 2015 and 93 percent since 2014. The primary difference between today’s security procedures and those that were common in 2014 is the addition of chip-and-PIN and chip-and-signature technology particularly in the United States, which undoubtedly played a big role in the positive shift.

Growth of SSL/TLS-Encrypted Traffic

The SonicWall GRID Threat Network observed that 62 percent of web traffic was Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted in 2016, making consumers and businesses safer in terms of data privacy and integrity while on the web. This is a trend we expect to continue in 2017, based on Google’s announcement that it has a long-term plan to begin marking HTTP traffic in its Chrome browser as “not secure.” NSS Labs estimates that 75 percent of web interactions will be HTTPS by 2019.

Decline of Dominant Exploit Kits

We also saw the disappearance of major exploit kits Angler, Nuclear and Neutrino after cybersecurity investigations exposed the likely authors, leading to a series of arrests by local and international law enforcement agencies. The SonicWall GRID Threat Network observed some smaller exploit kits trying to rise to fill the void. By the third quarter of 2016, runner-up Rig had evolved into three versions employing a variety of obfuscation techniques. The blow that dominant exploit kit families experienced earlier in 2016 is a significant win for the security industry.

Cyber Criminal Advances

As with any arms race, advances made by the good guys are often offset by advances made by the bad guys. This is why it’s critical for companies to not become complacent and remain alert to new threats and learn how to counterattack. Below are some of the areas where cyber criminals showed their ability to innovate and exploit new ways to launch attacks.

Explosive Growth in Ransomware

Perhaps the area where cyber criminals advanced the most was in the deployment of ransomware. According the SonicWall GRID Threat Network, ransomware attacks grew 167 times since 2015, from 3.8 million in 2015 to 638 million in 2016. The reason for this increase was likely a perfect storm of factors, including the rise of ransomware-as-a-service (RaaS) and mainstream access to Bitcoin. Another reason might simply be that as cybersecurity teams made it difficult for cyber criminals to make money in other ways, they had to look for a new paycheck.

Exploited Vulnerabilities in SSL/TLS Encryption

While the growth of SSL/TLS encryption is overall a positive trend, we can’t forget that it also offers criminals a prime way to sneak malware through company firewalls, a vulnerability that was exploited 72 percent more often in 2016 than in 2015, according to NSS Labs. The reason this security measure can become an attack vector is that most companies still do not have the right infrastructure in place to perform deep packet inspection (DPI) in order to detect malware hidden inside of SSL/TLS-encrypted web sessions. Companies must protect their networks against this hidden threat by upgrading to next-generation firewalls (NGFWs) that can inspect SSL/TLS traffic without creating performance issues.

IoT Became a New Threat Network

Many people who enjoy using Reddit, Netflix, Twitter or Spotify experienced another of our top threat trends firsthand. In October 2016, cyber criminals turned a massive number of compromised IoT devices into a botnet called Mirai that they then leveraged to mount multiple record-setting distributed denial-of-service (DDoS) attacks. The SonicWall GRID Threat Network found that at the height of the Mirai botnet usage in November 2016, the United States was by far the most targeted, with 70 percent of DDoS attacks aimed at the region, followed by Brazil (14 percent) and India (10 percent). The root cause leading to the Mirai attacks was unquestionably the lax security standards rampant in IoT device manufacturing today. Specifically, these devices do not prompt their owners to change their passwords, which makes them uncommonly vulnerable.

Combatting the New Cyber Threats

It’s worth noting that the technology already exists today to solve many of the new challenges cyber criminals threw at victims in 2016.  SSL/TLS traffic can be inspected for encrypted malware by NGFWs with high-performance SSL/TLS DPI capabilities.  For any type of new advanced threat like ransomware, it’s important to understand that traditional sandboxing solutions will only detect potential threats, but not prevent them. In order to prevent potential breaches, any network sandbox should block traffic until it reaches a verdict before it passes potential malware through to its intended target.  SonicWall’s family of NGFWs with SSL/DPI inspection coupled with the SonicWall Capture multi-engine cloud sandbox service is one approach to provide real-time breach prevention for new threats that emerge in the cybersecurity arms race.

If you’re reading this blog, you’re already taking an important first step toward prevention, as knowledge has always been one of the greatest weapons in the cybersecurity arms race. Take that knowledge and share it by training every team member in your organization on security best practices for email and online usage. Implement the technology you need to protect your network. And most importantly, stay up-to-date on the latest threats and cybersecurity innovations shaping the landscape. If you know where your enemy has been, you have a much better shot of guessing where he’s going.

BlackNurse DDoS Attack Can Interrupt your Network; Discover how SonicWall Blocks

Whenever there’s talk of a DDoS (distributed denial-of service) attack, network administrators think of multiple systems flooding a network device from various locations on the internet. However, when it comes to BlackNurse, a new & quite different type of DDoS, a single laptop can launch the attack to bring down the gateway firewall!

Last week the TDC SOC, Security Operations Center of Denmark Telecom, updated its report stating how BlackNurse, as a non-traditional DDoS attack can harm your network. Typically, a normal ping attack is based on an ICMP Type 8 Code 0, whereas BlackNurse is ICMP Type 3 Code 3. The attack will overload the firewall CPU which, as a result, causes an increase in dropped packets.

Unlike traditional ICMP flood attacks, BlackNurse can consume low-bandwidth pipes and disrupt the operations of your organization. Whether your uplink speed is 100Mbps or even 1Gbps, BlackNurse is effective even at bandwidths as low as 15Mbps.

The typical impact observed on firewalls is high CPU loads. In such cases users on the company’s local network will no longer be able to send or receive traffic to and from the internet. That’s because the firewall is busy processing the heavy load of incoming packets from the attack.

Now as a SonicWall firewall owner the first question coming to your mind is: Am I protected against BlackNurse?

The answer is: YES. All you need to do is to guarantee “ICMP Flood Protection” is enabled in Firewall Settings in user interface (see image below). In order to gain more information on configuring ICMP Flood Protection please refer to the SonicOS admin guide.

Screenshot of ICMP Flood Protection screen

According to Akamai’s September 2016 security report DDoS attacks are on the rise with 70 percent year over year. Security of our customers is our top priority, and SonicWall takes every measure to protect your network against all threats, DDoS included.

Please stay informed and updated with our SonicWall Threat Research updates here.