Weekly Security Roundup
The the latest relevant security news
Updated on the 24th of November 2017
This week’s roundup contains several new ransomware variants discovered this week and information on new ransomware attacks targeting important institutions.
1. Necurs used to infect computers with Scarab ransomware
A new strain of ransomware has been discovered that is being distributed by the Necurs botnet, according to security researchers.
2. New ransomware attack at the Sacramento transit system
Computer hackers directly attacked the Sacramento Regional Transit system computers this weekend, erasing data and threatening to do more harm if SacRT doesn’t pay them one bitcoin, now worth about $8,000.
3. qkG Filecoder ransomware exploits macros and self-replicates
Early variants of a self-replicating ransomware implemented entirely in VBA macros were discovered last week. Samples of the ransomware dubbed “qkG Filecoder” were uploaded to VirusTotal from Vietnam and contain some comments in Vietnamese.
4. Ransomware Attacks Target SMBs via Remote Desktop Protocol
According to the experts, hackers abuse the weak passwords as a common issue in their attacks. After managing to crack and RDP password, the attackers can easily install the malware onto the company’s systems, hoping to get a ransom payment.
5. Uber paid hackers $100,000 to hide year-old breach of 57 million users
Personal information belonging to about 57 million Uber customers and drivers was stolen by hackers last October, a breach the company kept hidden for a year and for which its chief security officer was fired this week.
6. BankBot returns on PlayStore
A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojan that imitates real banking applications in efforts to steal users’ login details.
Check back regularly for updated cyber security news.
Updated on the 17th of November 2017
This week’s roundup contains updates regarding various new ransomware strains identified by security researchers as well as updates on ransomware attacks and their consequences.
1. New Crysis variant on the loose – Cobra
This new version will append the .cobra extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware.
2. New ransomware attack at Sterling Morton High Schooly
An in-development ransomware named J. Sterling Ransomware has been discovered that targets the high school students of the J. Sterling Morton school district in Cicero, Illinois by pretending to be a student survey.
3. New ransomware LockCrypt based on Satana ransomware
LockCrypt got its start under the umbrella of the Satan ransomware-as-a-service (RaaS), which lets would-be attackers piggyback on existing malware code to infect corporate systems.
4. Ransomware damage to reach $11.5 Billion by 2019
Cybersecurity Ventures predicts there will be a ransomware attack on businesses every 14 seconds by the end of 2019. This does not include attacks on individuals, which occurs even more frequently than businesses.
5. City of Spring Hill,Tennessee still not recovered after the ransomware attack early November
The City of Spring Hill, Tenn. is still suffering from the effects of a ransomware attack that struck the municipality in early November when government officials refused to pay the $250,000 ransom demanded by the cybercriminals.
6. New ransomware: XZZX variant of Cryptomix
The new Cryptomix variant appends the xzzx extension to compromised files.This variant also contains 11 public RSA-1024 encryption keys that will be used to to encrypt the AES key used to encrypt a victim’s files. This allows the ransomware to work completely offline with no network communication.
Check back regularly for updated cyber security news.
Updated on the 10th of November 2017
This week’s roundup contains updates regarding various new ransomware strains identified by security researchers as well as updates on ransomware attacks and their consequences.
1. City of Spring Hill computer system hit by ransomware
City spokesman Jamie Page said an employee clicked on a ransomware email. The city’s computer servers were then taken over and encrypted. When the computer system was encrypted, a message appeared demanding $250,000 to unlock it.
2. New ransomware targeting Germany
A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users’ documents, the ransomware rewrites files with random data.
3. New ransomware: Gibon
Researchers have dubbed a new strain of ransomware GIBON, although its origin remains a mystery. According to an analysis by Lawrence Abrams, the ransomware has been called GIBON due to a user string of “GIBON” used when the malware connects to its command-and-control (C&C) server for instructions, as well as the ransomware’s administration panel where it calls itself “Encryption Machine GIBON.”
4. New analysis on Magniber ransomware
Researchers at TrendMicro and FireEye have identified a new ransomware strain that is a derivative of previous successful ransomware campaigns. Dubbed Magniber, the ransomware, which targets systems running Windows, is a descendant of the Cerber ransomware and is distributed via the same Magnitude exploit kit (EK) used in Cerber attacks (hence the name “Magniber”).
5. Maersk admits $300M ransomware damage
The company admitted this week that the ransomware caused a 2.5 percent decrease in shipping volumes as the company struggled to process freight with systems that had been taken down by the outbreak.
6. New ransomware: Sigma – advice on how to remove it
Sigma virus functions as a new file-encrypting threat. The very modus operandi is similar to other crypto-malware: it encrypts important documents using RSA-2048 and adds random 4-character file extension.
Check back regularly for updated cyber security news.
Updated on the 3rd of November 2017
This week we have updated our ransomware protection content and added information on ransomware-as-a-service. This week’s roundup contains updates regarding Bad Rabbit ransomware attack, new information on the ONI ransomware and new reports on ransomware activity.
1. Bad rabbit ransomware update: “data may be recoverable”
Security researchers found a way to recover data locked by the Bad Rabbit ransomware without paying, and others said money might not have been the driver of the attacks.
2. New inside information on the crippling attack at KQED in June
This summer, criminals somewhere in Russia, Ukraine or maybe down the block, hacked into KQED’s computer system, installed malicious code that encrypted the station’s files, software, and servers, and demanded money for their safe return.
3. North Korea denies involvement in WannaCry ransomware attack
North Korea has slammed Britain for accusing it of being behind a global ransomware attack that hit the National Health Service, calling the allegation a “wicked attempt” to further tighten international sanctions against Pyongyang.
4. New information on ONI (the Devil in Japanese) ransomware and details about how it operates
A new family of ransomware, dubbed ONI, has been discovered being used as a wiper to cover up an elaborate hacking operation in targeted attacks against Japanese companies.
5. Report on the top most dangerous ransomware this year
Ransomware variants NotPetya, WannaCry, and Locky are among those that wreaked havoc for businesses worldwide this year.
6. Hilton agrees on $700,000 settlement over data breach
On Tuesday, Attorney General Eric Schneiderman said that the Hilton Domestic Operating Company, formerly known as Hilton Worldwide, will pay $700,000 in recompense for failing in its duty — not simply by having poor security in the first place which allowed the data breaches to occur, but for then leaving customers in the dark.
Check back regularly for updated cyber security news.
Updated on the 27th of October 2017
This week we have published a blog post on Bad Rabbit including a live attack video, and another blog post on the .asasin variant of Locky. The Bad Rabbit ransomware attack tops the cyber-security news this week, followed by news on new mobile ransomware, significant attacks and news about the new Bitcoin Gold release.
1. Bad Rabbit attacks were planned long ago
Researchers found that the latest Bad Rabbit ransomware attack, making the headlines after targeting important organizations and corporations in Russia, Ukraine, Bulgaria, Turkey and Germany, were prepared in advance.
2. Locky Ransomware Attacks Exploit Microsoft DDE to Increase Effectiveness
The cybercriminals behind the Locky ransomware attacks are upping their game by using an application linking feature in Windows to hit even more victims without being immediately noticed.
3. LokiBot Android Banking Trojan goes ransomware
If users detect something fishy about the malware and they move to remove its administrator privileges, LokiBot will trigger its ransomware behavior.
4. Bitcoin Gold launch party spoiled by cyberattack
As soon as the golden variant of Bitcoin launched on Tuesday, its website came under DDoS attack.
5. Spanish Royal Court hacked
Hacking group Anonymous is targeting Spanish institutions – including the government and the Royal Family – in response to the Catalan independence crisis.
6. Equifax faces U.K. regulatory investigation over cyber attack
The U.K. Financial Conduct Authority opened an investigation into the hack of credit reporting company Equifax Ltd. that saw personal data stolen from at least 143 million people.
Check back regularly for updated cyber security news.
Updated on the 13th of October 2017
This week we have published a listing of our live ransomware attack videos and an aggregated ransomware protection post that we will update periodically. The top cyber-security news this week include new ransomware variants and new reports on the growth of the ransomware business on the dark web.
1. New LOCKY variant (.Asasin) distributed via faulty SPAM campaign
This variant is currently being distributed via spam emails that have a subject line similar to “Document invoice_95649_sign_and_return.pdf is complete” and is being spoofed to appear from RightSignature with the email documents@rightsignature.com.
2. New ransomware family exploiting poor security in remote desktop services
A new variant of what appears to be BTCWare ransomware is currently targeting victims and appending the .[email]-id-id.payday extension to encrypted files. ‘This family of ransomware targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware
3. The black market sales for ransomware grows by over 2500%
In a report released by Carbon Black on Wednesday, the Waltham, Mass.-based computer security company found the market for ransomware on the so-called dark web has soared to $6.24 million year to date, compared with just over $249,000 in 2016
4. Montgomery County estimates post-ransomware-attack investments to reach $280,000
Last month, Montgomery County had its data encrypted by attackers who demanded 9 bitcoins, an online currency not recognized by any government or bank. The county tried to recover its data, but eventually relented and paid the attackers to prevent them from deleting the data. County officials estimate investment in security to reach $280,000
5. New Andorid ransomware released – doublelocker
ESET researchers have spotted the first-ever ransomware misusing Android accessibility services. On top of encrypting data, it also locks the device.
Check back regularly for updated cyber security news.
Updated on the 6th of October 2017
This week we have published an article about ransomware prevention that provides advice on how to reduce the chances of ransomware infections without using any software. The top cyber security news this week include new information on the third data breach at NSA, several new cyber attacks and the approval of new bills aimed at helping companies defend against cyber attacks.
1. More Questions Than Answers After a Third Data Breach at the NSA is Revealed
The Wall Street Journal has revealed a third NSA data breach. Russian hackers said to have used Kaspersky AV to steal sensitive documents
2. Sonic Announces Payment Card Breach
Sonic Drive-in released a data breach notice: credit and debit card numbers used at certain Sonic Drive-In locations may have been impacted.
3. City of Englewood Hit by Ransomware Attack
The City of Englewood says it was hit by a ransomware virus Tuesday night. The information technology department says the virus impacted all city internal systems.
4. New Locky Phishing Campaign Mimics Knoica Minolta Copier Emails
A Locky ransomware variant is distributed via a new phishing scam, where malicious attachments are spread via messages similar to the ones sent out by Konica Minolta machines.
5. Legislature Addresses Ransomware Threat With Criminal Penalties
On the first day of Cybersecurity Awareness Month, new legislation takes effect regarding one of the most destructive types of malware. Under the Act, the use of ransomware is a class E felony, which provides for up to three years of imprisonment, a fine of $3,500, or both.
6. Small Business Cyberattack Protection Bill Gets Senate OK
The bills would give small businesses increased resources from the Department of Homeland Security’s National Institute of Standards and Technology (NIST). Specifically, NIST would publish voluntary small business best practices and guidelines “to help reduce their cybersecurity risks,” according to the Congressional Research Service (CRS).
7. ‘Dark Overlord’ Hackers Posted Stolen Student Info
Student names, addresses and telephone numbers have been posted on a publicly accessible website as part of a cyber attack against the Johnston school district believed to be the work of a hacker group known as the “Dark Overlord
Check back regularly for updated cyber security news.
Updated on the 29th of September 2017
This week we have published an article about enterprise ransomware protection and another one about ways to lose both your money and your data when paying ransom. The top cyber security news this week include the release of the Internet Organised Crime Threat Assessment Report by Europol and a couple of notable ransomware attacks. Here are the cyber security stories this week.
1. Equifax Boss Steps Down Following Data Breach
The Equifax CEO has resigned following the huge data breach affecting this company. Records belonging to 143 M Americans may have been lost.
2. New Locky Ransomware Attacks Beat Machine Learning Tools
Researchers identified new email campaigns distributing a Locky variant initially spotted earlier this year. What is new about it, though, is the fact that the social engineering, in this case, is designed to bypass known email security solutions, especially the ones relying on machine learning.
3. Europol Releases the Internet Organised Crime Threat Assessment Report
This report provides a law-enforcement focused assessment of current trends in cybercrime. Among the key findings, ransomware eclipses most other cyber threats this year.
4. New Reports about Redboot Ransomware that Alters the Disk Partitions
This new variant presents wiper-like features and it is unclear how data recovery is possible in case the victims pay the ransom. It is a new case that shows once again ransom should not be payd and cyber extortionists should not be trusted.
5. BitDefender Releases a Free Ransomware Recognition Tool
Victims of ransomware attacks usually have difficulties trying to recover because of the inability to identify the particular strain infecting the PC. With a ransomware identification tool, victims can find out the particular ransomware variant and look for decryptors online or technical help to assist with recovering.
6. New Ransomware Demands Nudes Instead of Bitcoin
The new ransomware variant discovered by security researchers takes a different approach when it comes to benefits for the attackers. Instead of looking to monetize their illicit activities, the attackers demand personal nude pictures of the victims.
7. Alabama County Pays Ransom to Recover Data
The County was forced to pay $37,000 worth in Bitcoin following a ransomware attack, to recover 70 terabytes of data. Unfortunately paying the ransom encourages the attackers to carry out more cyber extortion activities.
8. New Netflix Scam
Such schemes are built to give hackers access to the victim’s’ personal payment information. Express caution when dealing with unsolicited email, even if this looks like a valid request. Carefully analyze the opportunity to receive such requests and, in general, do not provide such information online. Most companies do not solicit such information via email.
Check back regularly for updated cyber security news.