Ransoms Continue to Grow in 2020

We’ve said it before and we’ll say it again. Ransomware is here to stay and it is only going to grow in popularity and ransom size. Coveware’s most recent ransomware report shows an increase in ransom size across the board for the three largest ransomware players: Phobos, Ryuk and Sodinokibi, as shown below. The big winner was clearly Sodinokibi, whose average ransom leapt by over 4X in the past quarter, driven primarily by its targeting of larger victims.

Targeting Strategies Changing

Another interesting observation from Coveware is how these three players are changing their target victim profile as we pass the first quarter of 2020. Sodinokibi has gone up-market, targeting select, large enterprise victims where its ability to deploy VPN exploits gives it an “in” to otherwise more sophisticated targets, as compared to its usual SMB bread and butter. At the same time Ryuk took the opposite tack and moved its focus down-market, while Phobos followed Sodinokibi up-market, albeit to a much lesser extent.

Attack Vectors Vary Widely

When comparing the three ransomware leaders it is fascinating to note which attack vectors each player prefers and relies upon for its success. Sodinokibi, being more sophisticated, spreads its attacks across email phishing, RDP, software vulnerabilities and a smattering of other vectors, while Phobos sticks to RDP and Ryuk primarily phishes, with a smidge of RDP.

Good News as Shade Gets a Conscience

In a surprising turn of events, while many ransomware families are getting more aggressive and exploitative, the operators behind the infamous and once prolific Shade ransomware have exited the business and publicly posted decryption keys. According to a post on Cisomag.com, over 750,000 keys were published!

More Good News: Konsultek Has You Covered

Even as the world struggles to recover from the Covid-19 pandemic, cybercriminals are hard at work phishing, exploiting and brute-forcing their way into organizations of all sizes. What you need more than ever is a security partner like Konsultek on your side. Our team of engineers is prepared to help your organization stay secure no matter what your unique circumstances might be. Give us a call to learn how you can become more secure in these trying times.


Ryuk Proves Mightier than the Pen

The pen may be mightier than the sword but the January 23, 2020 Ryuk attack on the Tampa Bay Times has shown that Ryuk is mightier than the pen.

“A Nuisance More than Anything”

Fortunately for the Tampa Bay Times, their IT department had the procedures, policies and technologies in place to prevent the loss of sensitive customer information and to make recovery a relatively simple process. At this point in time the attack vector is not known.

“We’ve been able to recover pretty much all of our primary systems,” Tampa Bay Times chief digital officer Conan Gallaty said Friday. “This is something that’s been a nuisance more than anything.”

Other Newspapers Not So Lucky

In late December 2018 the LA Times reported on a malware attack that crippled the paper itself as well as sister publications including the Chicago Tribune; Baltimore Sun; Capital Gazette in Annapolis, Md.; Hartford Courant; New York Daily News; South Florida Sun Sentinel and Orlando Sentinel.

“They’re looking at the people that have the most to lose.” – Malwarebytes senior security researcher JP Taggart

Ryuk Continues to be Popular

Ryuk sprang to prominence in 2018, becoming such a popular attack mode that the FBI issued a public warning about it on their website.

Two years later, Ryuk continues to be a favorite tool of cyber-criminals for extracting profit at the expense of their victims’ pain. According to new Malwarebytes data, those attacks have continued. From January 1–23, 2020, Malwarebytes recorded a cumulative 724 Ryuk detections. The daily detections fluctuated, with the lowest detection count at 18 on January 6, and the highest detection count an impressive 47 on January 14.

Malwarebytes Partner Konsultek Knows Security

At Konsultek we eat, breathe and live information security. With the help of our world-class partners such as Malwarebytes, Check Point, ForeScout and Gigamon, we craft customized security solutions and managed service solutions for organizations of all sizes in all industries. When you are ready to learn more about just how secure your information can be with Konsultek on your side, just pick up the phone and give us a call!

Industrial Control System Ransomware Threat

Many times on this blog we’ve discussed the trend towards ever higher value targets when it comes to hacking, malware and ransomware. Well, this week wired.com reported that a new ransomware which appears to target Industrial Control Systems (ICS) may have taken the high-value target trend to a whole new level.

ICS – What Runs Industry Around the Globe

Virtually every significant manufacturing and utility concern in the world runs some sort of ICS, and many run the same ICS software packages: GE’s Proficy and Fanuc, and Honeywell’s Thingworx. This means that if this new ransomware, labeled by researchers as Snake or EKANS, proves to be a serious threat, much of the world’s industry could be at risk.

Encrypt and Terminate

In addition to encrypting files for ransom, EKANS also terminates 64 other software processes, many of which are specific to ICS. The net effect is that victims can find their ability to run and monitor critical processes greatly reduced.

State Sponsored or Cyber Criminals?

It appears to be too soon to know whether we are seeing the culmination of the high-value target cybercrime trend or perhaps a state sponsored actor looking to disguise its tracks by layering on ransomware. Because EKANS shares many traits with MegaCortex, an ICS ransomware that appeared in the spring of 2019, Vitali Kremez, a researcher at SentinelOne, believes we are seeing the former. And that is scary, since critical infrastructure and large-scale manufacturing are, well, critical, and the last thing we need is to have them routinely targeted for ransoms by cyber-criminals.

Konsultek Knows Security

Konsultek collaborates with the best security companies in the world, like Check Point, Forescout and Gigamon, to develop security solutions that no single company could provide alone. If it is time for your organization to step up to world-class security solutions, then by all means give us a call!


Ransomware Costs Soar in 4th Quarter of 2019

Image Source: Coveware

According to security research firm Coveware, the costs of ransomware doubled in the last quarter of 2019. Certainly not good news, and as the graph above shows, the trend is pointing upward, indicating that 2020 ransomware attacks are likely to be the most expensive yet.

Double Drivers

The 104% increase in average ransom value from $41,198 to $84,116 reflects a shift in ransomware targets as well as ransomware diversity. Targets are getting larger, have more to lose and much deeper pockets to pay from, while some ransomware variants such as Ryuk and the Ransomware as a Service (RaaS) Sodinokibi are specifically designed to amplify their impact by a variety of insidious means. For example, at least one Sodinokibi affiliate has developed expertise in exploiting tools used by IT managed service providers (MSPs), which allows one successful attack to be propagated across many companies.

A New Ransom Twist – Data Exposed!

While most ransomware purveyors remain happy to send a decryption key and move along to the next victim after getting paid, or simply move along if the victim declines to pay, at least 3 ransomware campaigns are increasing their odds of receiving payment by threatening to release the recalcitrant victim’s data if payment is not received.

Some Sodinokibi and Maze victims have already had their data publicly exposed after refusing to pay ransoms, and BitPyLock victims have been threatened with public disclosure.

Time and Money

The dollar value of ransoms is not the only thing that is increasing. The amount of downtime jumped roughly 30% in Q4 2019, increasing from an average of 12.1 to 16.2 days. For many victims it is the days to recovery that really drive incident costs skyward, as operations grind to a halt.

Image Source: Coveware

Get the Security Experts on Your Team

At Konsultek we eat and breathe network security 24x7x365. Ransomware, malware, phishing, brute force – we’ve seen it all and we’ve developed solutions to keep your network safe and secure. So, no matter how big your organization is or what industry you are in, we have the expertise to develop a custom security solution that fits your needs. To get started with a more secure future, simply give us a call.


Milwaukee Nursing Home IT Outsourcer Crippled by Ransomware

Virtual Care Provider Inc. (VCPI), a Milwaukee-based company that provides technology services to more than 100 nursing homes across the country, has been hit by Russian hackers who are still holding data from the nursing homes hostage.

A Terrible $14MM Miscalculation

As we have reported many times on this blog through the years, government and healthcare organizations are top targets for hackers who believe that these organizations live in a “must pay” world. The problem with this particular attack is that the Russian hackers perceived VCPI as being much larger and financially stouter than it actually is. As it turns out, there is no way that VCPI can pay the $14MM ransom, even if it wanted to. This obviously is a problem for the hackers and the nursing homes alike.

Do As I Say Not as I Do

In a display of irony that would make O. Henry proud, VCPI, which provides internet security and data storage services to nursing homes and acute-care facilities, has a blog post on its site that provides guidance on how not to fall victim to email phishing attacks, the very same type of attack that led to the ransomware attack!

It’s Not Too Late Till It’s Too Late

According to information shared with KrebsOnSecurity.com by security expert Alex Holden, the attack took place over a period of 14 months, and up until the final 3 days the catastrophe could have been avoided.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”

Prevention, Detection and Response

At Konsultek we create customized security solutions that utilize the most advanced prevention, detection and response technologies available. This holistic approach to security can help your organization stay ahead of cybercriminals and hackers who manage to penetrate your system defenses through social engineering means, such as the phishing emails that compromised VCPI. Want to learn more? Give us a call and let’s discuss your specific situation and how we might be of service.


Medusa Ransomware Turns Your Files to Stone

OK, the Medusa ransomware doesn’t REALLY turn your files to stone, but it makes them just as useless and inaccessible. This latest ransomware burst onto the scene in late September and, according to Bleeping Computer, it appears to be getting distributed worldwide, with victims scattered around the globe. Researchers have not yet identified just how Medusa is being spread, though we can surmise it is through the usual channels such as phishing, downloads and watering holes.

Just Getting Started

Only time will tell just how big and ugly Medusa will get, but submissions to ID Ransomware have been streaming in.

Despite the steady stream of victims reporting in, Medusa is so new that very little is known about how it is being spread, or even whether paying the requested ransom will get you a decryption key!

According to the ransom note generated by Medusa, you can email the operators one of your encrypted files and they will decrypt it for free to prove that they can indeed unlock your files before you send them payment. Speaking of payment, at this time it is not clear from the ransom note posted on Bleeping Computer (shown below) exactly how much you need to send! Perhaps these guys should get some third-party help with their ransom demands?

All your data are encrypted!

What happened?

Your files are encrypted, and currently unavailable.

You can check it: all files on you computer has new expansion.

By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.

Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:

sambolero@tutanoa.com

If you will get no answer within 24 hours contact us by our alternate emails:

rightcheck@cock.li

What guarantees?

Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.

To verify the possibility of the recovery of your files we can decrypted 1 file for free.

Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

[id]


Attention!

– Attempts of change files by yourself will result in a loose of data.

– Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.

– Use any third party software for restoring your data or antivirus solutions will result in a loose of data.

– Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.

– If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.

Security Expertise You Can Count On

Whether it is ransomware, brute force hacking, phishing or some other cyber threat, Konsultek has the tools and talent to develop the right security solution for your particular situation. Not sure just how robust your network security is? No problem! Let our experts check your network’s vulnerability for free.

Our team of experts is happy to provide an outside, independent and unbiased analysis of your network’s security. Simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

You’ll receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but also demonstrate the likelihood of a breach happening.

No More Ransom Helps Victims Avoid $108 Million in Ransom so Far

In just 3 short years No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee, has prevented ransoms of $108 million by allowing users to decrypt their files using free tools. That is according to Europol, as reported on July 26th.

No More Ransom provides a platform for law enforcement and IT security companies to collaborate with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Thank You Contributors!

Amazon AWS and Barracuda host NoMoreRansom.org, and a veritable who’s who of anti-virus and security companies have donated decryption keys, including but not limited to:

  • Emsisoft
  • Avast
  • Bleeping Computer
  • Bitdefender
  • Kaspersky
  • Check Point
  • McAfee

Source: Europol Infographic

200,000 Victims Helped

In its 3-year life over 3 million users from around the world have visited the site and more than 200,000 victims have been helped. 2019 has so far seen the addition of 14 new tools, bringing the total number of different ransomware families that can be decrypted as of the July 26, 2019 press release to 109. Nearly 40,000 people have successfully decrypted files ransomed by GandCrab alone, saving roughly $50 million in ransom payments.

“When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.” – Steve Wilson, Head of Europol’s European Cybercrime Centre (EC3)

Who is Your Security Partner?

No More Ransom is a shining example of the security success that can be achieved by partnering with the top security firms in the world. That same philosophy is at work every day at Konsultek. Our partner providers represent the best-in-class solutions for all facets of network security, and our security solutions in turn provide our clients with holistic best-in-class protection for their networks.

If you’re ready to take your security to the next level, we’re here to help. Simply call us or hit us up on our contact form.

Buyer Beware – Ransomware Recovery Firms are Charging You to Pay the Ransom!

In a story earlier this week ProPublica.com added a British firm, Red Mosquito Data Recovery, to its list of self-proclaimed ransomware data recovery experts whose premium-priced “unlocking expertise” was nothing more than paying the ransom!

In a May 15, 2019 post ProPublica.com published an exhaustive investigative exposé on two of the largest US-based ransomware recovery firms, Proven Data and Monstercloud. What investigative journalists Renee Dudley and Jeff Kao discovered was that the sophisticated “trade secret” approach to ransomware unlocking and recovery that the firms advertised and promised to clients didn’t really exist.

Desperate People Looking for a Professional Solution

Ransomware is no joke. Just ask Atlanta, Baltimore or any of the thousands of other victims. But beyond the obvious operational shutdown ramifications, dealing with those holding your data ransom is not something that most people are particularly comfortable with or skilled at. And that is exactly what makes the “professional” and “ethical” solutions promised by firms such as Proven Data and Monstercloud so attractive to ransomware victims.

The Latest Technology = Charging You to Pay the Ransom

According to ProPublica.com, both firms had a pretty simple and profitable business model: offer to restore client files using the “latest technology” at a price substantially above what the ransomware criminals were asking, then, unbeknownst to the victim, get the very same decryption key by paying the ransom (often at a lower negotiated price) and in the process pocket the difference! Proven Data paid so many SamSam ransoms on behalf of unwitting clients that the authors of the SamSam ransomware would actually recommend that victims work with Proven Data!

The Honest Open Approach

For many people the service provided by Proven Data and Monstercloud is a valuable one, and one worth paying for despite the hazy truth of their approach. Other firms such as Coveware realize this and openly help clients restore their operations by navigating the murky waters of ransom decryption, including the bitcoin payment, interacting with the attackers and assisting with the decryption.

“Ransomware Payment Mills Prey on the Emotion of a Ransomware Attack.” “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.” — Bill Siegel, CEO Coveware

Real Security Solutions Not Smoke and Mirrors

At Konsultek we provide real, customized security solutions for organizations of all sizes and across all industries. We believe the best way to recover from ransomware is to avoid it in the first place by combining security technologies to prevent, detect and respond to threats. To learn more about our solutions please call us or hit our contact form.

Malware Becomes Art

On May 28, 2019 malware officially became art! That’s when the auction closed and a Samsung NC10 laptop containing 6 historically significant viruses was purchased for $1,345,000!

The Persistence of Chaos

The piece, commissioned by cybersecurity firm Deep Instinct, is titled “The Persistence of Chaos” and was created by the artist Guo O Dong.

Speaking to The Verge the artist explained this about his work:

“We have this fantasy that things that happen in computers can’t actually affect us, but this is absurd,” says Guo. “Weaponized viruses that affect power grids or public infrastructure can cause direct harm.”

6 Active Viruses

In total, the six different pieces of malware installed on the Samsung NC10 have been credited with causing approximately $95 billion worth of damages around the globe. The laptop is air-gapped and therefore ostensibly harmless (though we have shown here that air gapping does not necessarily equate to isolation) and contains active versions of ILOVEYOU, MyDoom, SoBig, WannaCry, DarkTequila, and BlackEnergy.

Coming to a Museum Near You?

While at first the idea of a laptop containing viruses being art might seem ludicrous, we need look no further than the Art Institute of Chicago to see that weaponry has been considered art for hundreds if not thousands of years. And, in the wrong hands with the right intent, these viruses and those still to come are indeed weapons. Perhaps even weapons of mass destruction.

Konsultek Knows Security

Viruses are now art. That doesn’t mean they are any less devastating to organizations and their networks. That’s where we come in. Consider us the helpful docent that can help you navigate and understand the black arts of cybersecurity. Give us a call or hit us up on our contact form to learn how our customized security solutions protect organizations of all sizes across all industries.

Malwarebytes Identifies New Malvertising Threat

The allure of watching a new release for free or streaming a season of your favorite show that is unavailable on any of the major streaming platforms might lead you to one of the many sketchy Torrent or streaming video sites out there on the web.

And, you wouldn’t be alone. These sites attract visitors like moths to a flame. And, just like those moths, some of these visitors are going to get burned according to a recent analysis by Konsultek partner Malwarebytes.

Malvertising Flow

The flow, as shown below, begins with aggressive advertising on video sharing and torrent sites and then proceeds with the Fallout exploit kit and a new, innovative piece of malware now known as Vidar.


Vidar – Silent but Slick

Vidar, now for sale for just $700, is named after the Norse son of Odin who is referred to as “The Silent One”.

According to Malwarebytes, this moniker “seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.”

Malvertising Packs 1-2 Punch

In this latest malvertising scheme the end-user victim ultimately not only has their vital information stolen, but also has their files held for ransom after the fact. A combination punch that Floyd Mayweather himself would appreciate.

Konsultek Has You Covered

While common sense and good Internet hygiene will go a long way toward keeping your files and information safe, Konsultek and our partners like Malwarebytes are constantly researching, analyzing and defending so that our clients are safe and secure.

In the case of this latest malvertising campaign, Malwarebytes users are protected against this threat at multiple levels. Malwarebytes’ signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. The Vidar stealer is detected as Spyware. And GandCrab is thwarted via their anti-ransomware module.

So while you should avoid bad neighborhoods as a matter of practice, it’s good to know that Konsultek has your back if you should happen to stray into one.


© Copyright 2018 Konsultek