Massive ransomware infection spreading across the globe. It uses the EternalBlue exploit from the Shadow Brokers dump released last month.

File Name : tasksche.exe
SHA : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Please apply this patch immediately to all endpoints. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This malware uses social engineering to target companies. The emails trick users into clicking files and attachments; once inside, the malware spreads using a vulnerability that was addressed by MS17-010 in March 2017, so please check that all your machines have the latest updates installed.

The IT systems of around 40 NHS organizations across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack.

Non-health focused organizations around the world are also being affected, including Spanish telecommunications firm Telefonica, which reported a serious issue affecting its internal network as a result of a cyberattack earlier today. The strain, called “Wanna Decrypt0r”, asks $300 from victims to decrypt their computers.

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, Wana Decrypt0r made over 57,000 victims in just a few hours.

The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware appears to use the NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits, which were made public earlier this year by a group calling itself the Shadow Brokers.

The initial infection vector looks like a phishing email with a malicious macro attachment.

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked that initiates the WannaCry infection.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” he told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

Given that the malware is scanning the entire internet for vulnerable machines, and that as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, the WannaCry ransomware explosion is only expected to get worse over the weekend.

MITIGATION STRATEGIES AND RECOMMENDATIONS:  
This section discusses how the threat can be prevented, contained, and removed; the measures vary with the nature of the threat.

Threat Specific Mitigating Guidelines

  • SMB should be disabled if not required for business use.
  • Exploitation of the vulnerability fixed by MS17-010 has been confirmed; that patch should be applied immediately.
  • All SMB-related patches should be applied to servers as soon as practical.
  • Any Microsoft updates that haven’t been applied to servers should be applied as soon as possible.
  • A notice should be sent to all users about this attack, with a reminder not to click links or open files in emails from suspicious or unknown sources.
  • Review current backup policies and procedures and be prepared to perform a restore in case of infection – it is never a good idea to pay the ransom in a ransomware attack if at all avoidable.
  • Verify as well that no infected users hold Administrative, and especially not Domain, privileges; if any do, reset their passwords two times.
  • The priority is that your anti-virus can detect the malware. Verify that you have up-to-date signatures.
  • Make sure that users have the level of knowledge required to never click on suspicious attachments, even if they are displayed with a familiar icon (Office or PDF document). Where opening an attachment prompts to run an application, users must under no circumstances accept, and when in doubt they should consult the responsible IT support staff.

Recommended Best Practices  

Below are recommended IT security best practices.  These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.

  • Disable default user accounts
  • Educate users to avoid following links to untrusted sites
  • Always execute browsing software with the least privileges possible
  • Turn on Data Execution Prevention (DEP) for systems that support it
  • Maintain a regular patch and update cycle for the OS and installed software
  • For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx


The media has released these stories:

https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack  
http://elpais.com/elpais/2017/05/12/inenglish/1494588595_636306.html
http://www.ibtimes.co.uk/telefonica-hack-ransomware-attack-internal-network-forces-computer-shut-down-1621350


Network administrators should block the following IP addresses, domains and file hashes:

62.138.10.60
82.94.251.227
213.239.216.222
51.255.41.65
86.59.21.38
198.199.64.217
83.169.6.12
192.42.115.102
104.131.84.119
178.254.44.135
163.172.25.118
108.165.22.125
27.254.44.204

5hdnnd74fffrottd[.]com
babil117[.]com
balprodukt[.]ru
bellevillenorfolkterriers[.]co.uk
bellevillenorfolkterriers[.]co[.]uk
biolume[.]nl
bitsslab[.]com
bitsslab[.]com/
boaevents[.]com
byydei74fg43ff4f[.]net
byydei74fg43ff4f[.]net/af/
demelkwegtuk[.]nl
diejosch[.]de
domainway[.]de
easysupport[.]us
edluke[.]com
enboite[.]be
etadjewellery[.]com
geo-zamer[.]ru
jisrcenter[.]com
jomajaco[.]com
julian-g[.]ro
kbelgesi[.]net
kitchenandgifts[.]com
koreancars-club[.]ru
monowheels[.]ru
oklahomagunlawyers[.]com
outback-cycles[.]de
panaceya-n[.]ru
pgringette[.]ca
phinamco[.]com
prystel[.]com
taddboxers[.]com
takanashi[.]jp
takipediliyoruz[.]com
techno-kar[.]ru
tending[.]info
thegoldclubs[.]com
tiskr[.]com
trans-atm[.]com
trebleimp[.]com
trialinsider[.]com
villa31[.]com
volley-bal[.]be
vscard[.]net
wipersdirect[.]com
ws.osenilo[.]com
ws[.]osenilo[.]com

FileHash-SHA256    09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

FileHash-SHA256     24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

FileHash-SHA256    2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

FileHash-SHA256    2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

FileHash-SHA1    45356a9dd616ed7161a3b9192e2f318d0ab5ad10

FileHash-SHA256    4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

FileHash-MD5    4fef5e34143e646dbf9907c4374276f5

FileHash-MD5    509c41ec97bb81b0567b059aa2f50fe8

FileHash-SHA1    51e4307093f8ca8854359c0ac882ddca427a813c

domain    57g7spgrzlojinas.onion

FileHash-MD5    5bef35496fcbdbe841c82f4d1ab8b7c2

domain    76jdd2ir2embyv47.onion

FileHash-MD5    775a0631fb8229b2aa3d7621427085ad

FileHash-MD5    7bf2b57f2a205768755c07f238fb32cc

FileHash-MD5    7f7ccaa16fb15eb1c7399d422f8363e8

FileHash-MD5    8495400f199ac77853c53b5a3f278f3e

FileHash-MD5    84c82835a5d21bbcf75a61706d8ab549

FileHash-MD5    86721e64ffbd69aa6944b9672bcabb6d

FileHash-SHA1    87420a2791d18dad3f18be436045280a4cc16fc4

FileHash-MD5    8dd63adb68ef053e044a5a2f46e0d2cd

FileHash-MD5    b0ad5902366f860f85b892867e5b1e87

FileHash-SHA256    b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

FileHash-SHA1    bd44d0ab543bf814d93b719c24e90d8dd7111234

FilePath    C:\Windows\mssecsvc.exe

FilePath    C:\WINDOWS\tasksche.exe

domain    cwwnhwhlz52maqm7.onion

FileHash-MD5    d6114ba5f10ad67a4131ab72531f02da

FileHash-MD5    db349b97c37d22f5ea1d1841e3c89eb4

FileHash-MD5    e372d07207b4da75b3434584cd9f3450

FileHash-SHA1    e889544aff85ffaf8b0d0da705105dee7c97fe26

FileHash-SHA256    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

FileHash-MD5    f107a717f76f4f910ae9cb4dc5290594

FileHash-MD5 f529f4556a5126bba499c26d67892240

FileHash-SHA256    f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

domain    gx7ekbenv2riucmf.onion

domain    sqjolphimrr7jqw6.onion

hostname    www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

domain    xxlvbrloxvriy2c5.onion

5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211
f98a35ab5f9fa47a49db5535b654cebb5bc99bf5
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
509c41ec97bb81b0567b059aa2f50fe8
51e4307093f8ca8854359c0ac882ddca427a813c
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
84c82835a5d21bbcf75a61706d8ab549
87420a2791d18dad3f18be436045280a4cc16fc4
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
bd44d0ab543bf814d93b719c24e90d8dd7111234
db349b97c37d22f5ea1d1841e3c89eb4
e889544aff85ffaf8b0d0da705105dee7c97fe26
f107a717f76f4f910ae9cb4dc5290594
f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
920e964050a1a5dd60dd00083fd541a2
2c42611802d585e6eed68595876d1a15
83506e37bd8b50cacabd480f8eb3849b
f99ce7dc94308f0a149a19e022e4c316
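The indicator list above is typical of what a feed hands an administrator during an incident: some domains are defanged with "[.]", the same host appears twice with different defanging or a trailing URL path, hash lines sometimes carry a type label and sometimes do not, and IP addresses sit unlabelled. The Python below is an added example (not part of the original advisory) that normalizes such a feed into typed, de-duplicated sets and then matches a handful of proxy/EDR events against them. The feed slice and the events are constructed for the example; inferring the digest type from the hex length is an assumption that holds for MD5, SHA-1 and SHA-256 only.

```python
import ipaddress
import re

# Constructed slice of the feed above, kept in its published form: "[.]"-defanged
# domains, the same host listed twice with different defanging or a trailing
# path, hashes with and without a type label, bare IP addresses, a file path.
RAW_INDICATORS = """
62.138.10.60
198.199.64.217
bellevillenorfolkterriers[.]co.uk
bellevillenorfolkterriers[.]co[.]uk
bitsslab[.]com
bitsslab[.]com/
byydei74fg43ff4f[.]net/af/
ws.osenilo[.]com
ws[.]osenilo[.]com
FileHash-SHA256    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
FileHash-MD5    84c82835a5d21bbcf75a61706d8ab549
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
hostname    www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
FilePath    C:\\WINDOWS\\tasksche.exe
"""

# Digest type inferred from hex length (assumption: only MD5/SHA-1/SHA-256 appear).
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")

def refang(token):
    """Undo "[.]" defanging, lowercase, and drop any trailing URL path."""
    return token.replace("[.]", ".").lower().split("/", 1)[0]

def classify(line):
    """Return (type, normalized value) for one feed line, or None if unrecognized."""
    parts = line.split()
    if not parts:
        return None
    if parts[0] == "FilePath":                  # path may contain spaces; keep as written
        return ("filepath", line.split(None, 1)[1].strip())
    value = parts[-1].lower()                   # labels are inconsistent; trust the value
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return (HASH_TYPES[len(value)], value)
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    host = refang(value)
    if DOMAIN_RE.match(host):
        return ("domain", host)
    return None

def parse_indicators(text):
    """Parse a feed into {type: sorted unique values}, collapsing duplicates."""
    found = {}
    for line in text.splitlines():
        rec = classify(line)
        if rec:
            found.setdefault(rec[0], set()).add(rec[1])
    return {kind: sorted(values) for kind, values in found.items()}

def match_events(indicators, events):
    """Return the events whose destination host/IP or file hash is on the list."""
    hosts = set(indicators.get("domain", [])) | set(indicators.get("ip", []))
    hits = []
    for ev in events:
        dst = ev.get("dst", "").lower()
        digest = ev.get("hash", "").lower()
        hash_list = indicators.get(HASH_TYPES.get(len(digest), ""), [])
        if dst in hosts or (digest and digest in hash_list):
            hits.append(ev)
    return hits

# Constructed proxy/EDR events; the uppercase hash shows matching is case-insensitive.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "bitsslab.com"},
    {"src": "10.0.0.7", "dst": "example.org"},
    {"src": "10.0.0.9", "hash": "ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA"},
    {"src": "10.0.0.9", "hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    ind = parse_indicators(RAW_INDICATORS)
    for kind, values in ind.items():
        print(f"{kind}: {len(values)} unique")
    print("hits:", match_events(ind, SAMPLE_EVENTS))
```

Feeding the full list through parse_indicators collapses the doubled entries (the two spellings of bellevillenorfolkterriers co.uk, bitsslab with and without the slash, ws.osenilo with either defanging) into one blocklist entry each, which is what you want before pushing the set to a proxy or firewall.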

There is a new strain of “ransomware” that does not bother with the whole encryption thing at all. These bad guys seem to think it’s just an unnecessary distraction and too much work. Better to just start nuking files and then present victims with a ransom note. It’s called RanScam and here is how it looks:

[screenshot: destructive_ransomware_screen_shot]

Ranscam deceives victims by falsely claiming that files have been moved onto a hidden, encrypted partition. However, back at the ranch, this malicious code has deleted selected files and seriously messed with system settings: removing the executables that drive System Restore, deleting shadow copies, breaking Safe Mode, etc. Recovering a system from this infection is very hard. This is outright destructive code, and the way to recover is to wipe and rebuild from bare metal.

They try to extort a ransom of 0.2 Bitcoin (about $125), but the crooks really have no mechanism at all to restore compromised files.

The lack of any encryption (and decryption) within this malware suggests this adversary is looking to ‘make a quick buck’ – it is not sophisticated in any way and lacks functionality that is associated with other ransomware such as Cryptowall.

The malware features a fake payment verification process that automatically returns notices of failure, possibly in the hopes that desperate victims might make a fresh payment. There is no longer honor amongst thieves. Currently the Ranscam campaign does not appear to be widespread and there have been no large-scale email spam campaigns…yet.


Proofpoint researchers discovered a new strain of ransomware called “Bart” – no kidding.

The Russian cyber mafia behind Dridex 220 and Locky are using the RockLoader malware to download Bart over HTTPS. Bart has a payment screen like Locky but encrypts files without first connecting to a command and control (C&C) server. It spreads with .zip attachments containing JavaScript code and uses social engineering to trick users into opening the attachments. Here is how they look:

[screenshot: bart-1]

and the desktop background is replaced with the recover.bmp file:

[screenshot: bart-3]

Proofpoint’s Conclusion:

While we are still investigating the technical details of this new ransomware, the connections between Bart and Dridex/Locky are significant. Because Bart does not require communication with C&C infrastructure prior to encrypting files, however, Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables. We will continue to monitor and analyze Bart as additional campaigns and details emerge.

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.
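Proofpoint's advice to block zipped executables at the email gateway can be implemented as a plain archive inspection. The Python below is an added example, not Proofpoint's or any gateway product's code: it lists every member of an attachment whose final extension Windows would run as a program or script (JavaScript, the lure type described above, included, so a double extension such as invoice.pdf.js is caught), treats nested archives and password-protected members as uninspectable and therefore risky, and returns a block/allow verdict. The extension lists and the two sample archives are constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs as a program or script when double-clicked, plus
# archive types that would need recursive inspection. Assumed policy list for
# this example, not taken from Proofpoint or any product.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".jar", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}

def risky_members(zip_bytes):
    """Names of archive members that should stop the mail at the gateway:
    executable/script extensions (the last extension decides, so
    'invoice.pdf.js' is caught), nested archives, and encrypted members whose
    contents cannot be inspected at all."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to run
                continue
            if info.flag_bits & 0x1:        # general-purpose bit 0: member is encrypted
                flagged.append(name)
                continue
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in EXECUTABLE_EXTS or ext in ARCHIVE_EXTS:
                flagged.append(name)
    return flagged

def gateway_verdict(zip_bytes):
    """'block' if any member is risky, else 'allow'."""
    return "block" if risky_members(zip_bytes) else "allow"

def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: an ordinary document archive and a lure of the kind the
# text describes (a JavaScript file posing as a PDF invoice). The "script" body
# is an inert placeholder string.
BENIGN_ZIP = build_zip({"Q2/report.docx": b"constructed document bytes",
                        "Q2/photos/site.jpg": b"constructed image bytes"})
LURE_ZIP = build_zip({"invoice_4471.pdf.js": b"// constructed placeholder, not a script",
                      "readme.txt": b"constructed text"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, gateway_verdict(blob), risky_members(blob))
```

Deciding on the last extension only is deliberate: Windows Explorer hides known extensions by default, so a user sees "invoice_4471.pdf" with a script icon, but the shell still dispatches on ".js". A gateway that only looked at the first extension, or at the MIME type the sender declared, would let that file through.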


Ransomware is a type of malware that criminals develop for malevolent purposes. It downloads onto one’s computer and, once there, encrypts all the viable data so that the rightful owner cannot access it. Important data can be personal information or corporate accounts. Unfortunately, criminals usually have the password to decrypt the data for the desperate user. Therefore, they demand money from the user for him or her to regain access to the information.


The Lessons

  • Criminals will not give you the password
  • Adopt technologies like HIPS (Host Intrusion Prevention System), which provide runtime capabilities to identify the points of threat
  • Constantly update your antimalware software to minimize attacks

Ransomware is a type of malware that demands a ransom from a user in exchange for the return of a kidnapped file. It spreads through attachments sent by email, or by clicking on a link in an email that appears to originate from a bank or a delivery company. Additionally, it can spread through peer-to-peer file sharing networks, passed on as activation keys for popular software such as Adobe Photoshop and MS Office. There are two types of ransomware, the “File Coder” and the “Lock Screen.” The file coder encrypts files, while the lock screen locks the computer and stops the user from using it until he or she pays the ransom. The lock screen prevents the user from accessing a computer by locking the screen.

The Lessons:

  • Attackers use psychological means to trick and compel a person to pay, for instance, live transmission of what the webcam is currently seeing, which creates a feeling that someone is really watching you
  • Do not pay the attacker
  • Accept losses
  • Back up data in a different place regularly
  • Get better protection for your computer
  • Avoid clicking on suspicious mails

The hour-long webinar is a detailed discussion of ransomware, its implications, and methods of protecting yourself and your clients from possible attacks. Gillware begins by defining ransomware as a type of malware designed for extorting money from innocent people. The two popular types are the crypto and the screen locker, though there are several other types. The crypto type encrypts all the important files on the computer and gives the user a given amount of time to pay the ransom to get the decryption key; if the user fails to pay, the files remain encrypted. Ciampa (2015) asserts that most of these criminals demand a ransom that can be paid easily, on average $300. Conversely, the locker is a type of malware that restricts access to the device until the ransom is paid. Ransomware has become rampant in recent years due to improved technology, better distribution strategies, and simpler monetization. Ramachandran (2011) holds the same notion: the presence of internet banking and credit cards and the reduction in the use of cash make it easier to transfer payments to criminals, which is what is referred to here as simpler monetization.

Modern computers and servers deliver high performance, which makes for stronger encryption that is difficult to get around. Organizations that encourage Bring Your Own Device (BYOD) and users of the Tor Browser are the most vulnerable. Almgren, Gulisano & Maggi (2015) assert that ignorant users click on links in emails unknowingly. The mails usually have the malware embedded in them, which infiltrates the computer. When that computer is connected to the organization’s network, the malware spreads to the entire company network, including the devices attached to it. The ransomware infiltrates the network and encrypts important-looking file extensions, for instance doc(x), xls(x), jpg, and pdf. The malware encrypts all the contents but does not rename the extensions. Gill has developed a cloud service that assists people registered on it to retrieve their information when they are attacked. The files are duplicated in the form of revisions to allow easy retrieval. Furthermore, he recommends that a client use strong automated backups to minimize attacks. Additionally, users should ensure that the backup is able to keep a revision history. Companies should use anti-malware to protect their businesses. In addition, IT administrators should develop ways of monitoring a massive number of changed files within a given time frame, using the various end-user analytics solutions that are available on the market.
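The last recommendation, watching for a large number of changed files in a short time frame, is simple enough to prototype without a commercial analytics product. The Python below is an added example (not Gillware's code and not from the webinar): it runs a per-user sliding window over file-server audit events and raises an alert when one account modifies more than a threshold of distinct files within sixty seconds, which is the footprint a file coder leaves when it encrypts a share in place, whether or not it renames the extensions. The event format, the threshold, the 60-second window and the users alice and bob are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit events: (timestamp, user, operation, path).
# "alice" saves a few spreadsheets over half an hour; "bob" (a constructed
# infected account) rewrites forty documents in eight seconds, which is the
# footprint a file coder leaves when it encrypts a share in place.
T0 = datetime(2017, 5, 12, 9, 0, 0)

def _burst(user, start, count):
    return [(start + timedelta(milliseconds=200 * i), user, "write",
             f"\\\\fs01\\share\\doc{i}.docx") for i in range(count)]

SAMPLE_EVENTS = sorted(
    [(T0 + timedelta(minutes=m), "alice", "write", f"\\\\fs01\\share\\report{m}.xlsx")
     for m in range(0, 30, 5)]
    + _burst("bob", T0 + timedelta(minutes=3), 40)
)

# Operations that change or remove data; reads are ignored.
MODIFYING_OPS = {"write", "rename", "delete"}

def find_bursts(events, window=timedelta(seconds=60), threshold=25):
    """Per-user sliding window: return {user: (window_start, distinct_files)} for
    every account that touches more than `threshold` distinct files inside any
    `window`-long interval. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)   # user -> (ts, path) pairs inside the current window
    alerts = {}
    for ts, user, op, path in events:
        if op not in MODIFYING_OPS:
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:          # expire entries older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold and user not in alerts:
            alerts[user] = (q[0][0], distinct) # first crossing only; later ones are noise
    return alerts

if __name__ == "__main__":
    for user, (start, n) in find_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {n} distinct files modified within 60s starting {start}")
```

Counting distinct paths rather than raw events matters: a legitimate application that rewrites one file many times (an autosave, a log) produces many write events but only one path, so it stays under the threshold, while an encryptor walking a directory tree touches each file once and trips it. The threshold and window should be tuned from a baseline of normal activity on the share before the rule goes into production.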

Gill’s webinar is important to business organizations. Firms are vulnerable because they can lose valuable company and/or customer data to the hacker. Moreover, an organization can lose important company secrets, which competitors can use to drive it out of business. Therefore, enterprises can adopt cloud-based storage to reduce possible losses of their data and enhance recovery in case of loss.

References

Almgren, M., Gulisano, V., & Maggi, F. (2015). Detection of Intrusions and Malware, and Vulnerability Assessment: 12th International Conference, DIMVA 2015, Milan, Italy, July 9-10, 2015, Proceedings. Springer.

Ciampa, M. (2015). Security+ Guide to Network Security. Boston, MA: Cengage Learning.

Moryn, J. (2016, May 10). An In-Depth Look at Ransomware. Retrieved from Gillware Blog: https://www.gillware.com/data-recovery/an-in-depth-look-at-ransomware

Ramachandran, V. (2011). BackTrack 5 Wireless Penetration Testing Beginner’s Guide: Master bleeding edge wireless testing techniques with BackTrack 5. Birmingham, UK: Packt Publishing.


The YouTube video seeks to raise awareness about ransomware. This type of malware has extended from individuals to the corporate world. Companies and individuals paid out more than $209 million in ransom in the first quarter of 2016 alone. As of February 2016, over 24 million had been hit by “Locky”. The figures are alarming, and more measures need to be put in place.

The Lessons

  • Seek assistance from cyber security firms for advice on the proper security of one’s devices
  • Conduct awareness campaigns in the private and public sectors
  • Provide security education and develop an integrated security ecosystem
  • Individuals and companies should adopt a multi-layered security system to reduce the level of vulnerabilities

[WARNING] The FBI issued an alert about a new scam you need to be aware of. This is an email you receive which threatens to make public all your personal, and sometimes very private information unless you pay a ransom in an electronic currency called Bitcoin.

It is easy to get intimidated by threats like this, and you might be pushed into trying to prevent possible negative consequences. However, do not fall for pressure tactics like this, because if you do, your data will be sold to other scammers who will continue to haunt you.

If you receive email extortion demands, do not answer, and do not pay anything. Report this scam to the FBI’s Internet Crime Complaint Center (IC3) instead. Here is their website: http://www.ic3.gov/default.aspx

Remember… Always Think Before You Click!