Milwaukee Nursing Home IT Outsourcer Crippled by Ransomware

Virtual Care Provider Inc. (VCPI), a Milwaukee-based company that provides technology services to more than 100 nursing homes across the country, has been hit by Russian hackers who are still holding data from the nursing homes hostage.

A Terrible $14MM Miscalculation

As we have reported many times on this blog through the years, government and healthcare organizations are top targets for hackers who believe that these organizations live in a “must pay” world. The problem with this particular attack is that VCPI was perceived by the Russian hackers as being much larger and financially stout than it actually is. As it turns out, there is no way that they can pay the $14MM ransom, even if they wanted to. This obviously is a problem for the hackers and the nursing homes alike.

Do As I Say Not as I Do

In a display of irony that would make O. Henry proud, VCPI, which provides internet security and data storage services to nursing homes and acute-care facilities, has a blog post on its site offering guidance on how not to fall victim to email phishing attacks, the very same type of attack that opened the door to the ransomware!

It’s Not Too Late Till It’s Too Late

According to information security expert Alex Holden shared with KrebsOnSecurity.com, the attack unfolded over a period of 14 months, and up until the final 3 days the catastrophe could have been avoided.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.” –Alex Holden

Prevention, Detection and Response

At Konsultek we create customized security solutions that utilize the most advanced prevention, detection and response technologies available. This holistic approach to security can help your organization stay ahead of cybercriminals and hackers who manage to penetrate your system defenses through social engineering means such as the phishing emails that compromised VCPI. Want to learn more? Give us a call and let’s discuss your specific situation and how we might be of service.

Medusa Ransomware Turns Your Files to Stone

Ok. The Medusa ransomware doesn’t REALLY turn your files to stone, but it makes them just as useless and inaccessible. This latest ransomware burst on the scene in late September and, according to Bleeping Computer, it appears to be getting distributed worldwide, with victims scattered around the globe. Researchers have not yet identified just how Medusa is being spread, though we can surmise it is through the usual channels such as phishing, downloads and watering holes.

Just Getting Started

Only time will tell just how big and ugly Medusa will get, but submissions to ID Ransomware have been streaming in.

Despite the steady stream of victims reporting in, Medusa is so new that very little is known about how it is being spread, or even whether you will receive a decryption key if you pay the requested ransom!

According to the ransom note generated by Medusa, you can email them one of your encrypted files and they will decrypt it for free to prove that they can indeed unlock your files before you send payment. Speaking of payment, at this time it is not clear from the ransom note posted on Bleeping Computer (shown below) exactly how much you need to send! Perhaps these guys should get some third-party help with their ransom demands?

All your data are encrypted!

What happened?

Your files are encrypted, and currently unavailable.

You can check it: all files on you computer has new expansion.

By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.

Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:

sambolero@tutanoa.com

If you will get no answer within 24 hours contact us by our alternate emails:

rightcheck@cock.li

What guarantees?

Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.

To verify the possibility of the recovery of your files we can decrypted 1 file for free.

Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

[id]

Attention!

– Attempts of change files by yourself will result in a loose of data.

– Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.

– Use any third party software for restoring your data or antivirus solutions will result in a loose of data.

– Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.

– If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.

Security Expertise You Can Count On

Whether it is ransomware, brute force hacking, phishing or some other cyber threat, Konsultek has the tools and talent to develop the right security solution for your particular situation. Not sure just how robust your network security is? No problem! Let our experts check your network’s vulnerability for free.

Our team of experts is happy to provide an outside, independent and unbiased analysis of your network’s security. Simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

You’ll receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but also demonstrate the likelihood of a breach happening.

No More Ransom Helps Victims Avoid $108 Million in Ransom so Far

In just 3 short years No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee, has prevented $108 million in ransom payments by allowing users to decrypt their files using free tools, according to Europol, as reported on July 26th.

No More Ransom provides a platform for law enforcement and IT security companies to collaborate, with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.

Thank You Contributors!

Amazon AWS and Barracuda host NoMoreRansom.org and a veritable who’s who of anti-virus and security companies have donated encryption keys including but not limited to:

  • Emsisoft
  • Avast
  • Bleeping Computer
  • Bitdefender
  • Kaspersky
  • Check Point
  • McAfee

Source: Europol Infographic

200,000 Victims Helped

In its 3-year life over 3 million users from around the world have visited the site and more than 200,000 victims have been helped. 2019 has so far seen the addition of 14 new tools, bringing the total number of ransomware families that can be decrypted, as of the July 26, 2019 press release, to 109. Nearly 40,000 people have successfully decrypted files ransomed by GandCrab alone, saving roughly $50 million in ransom payments.

“When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.” – Steve Wilson, Head of Europol’s European Cybercrime Centre (EC3)

Who is Your Security Partner?

No More Ransom is a shining example of the security success that can be achieved by partnering with the top security firms in the world. That same philosophy is at work every day at Konsultek. Our partner providers represent the best-in-class solutions for all facets of network security and our security solutions in turn provide our clients with holistic best-in-class solutions for their networks.

If you’re ready to take your security to the next level we’re here to help. Simply call us or hit us up on our contact form.

Buyer Beware – Ransomware Recovery Firms are Charging You to Pay the Ransom!

In a story earlier this week, ProPublica.com added a British firm, Red Mosquito Data Recovery, to its list of self-proclaimed ransomware data recovery experts whose premium-priced “unlocking expertise” was nothing more than paying the ransom!

In a May 15, 2019 post, ProPublica.com published an exhaustive investigative exposé on two of the largest US-based ransomware recovery firms, Proven Data and Monstercloud. What investigative journalists Renee Dudley and Jeff Kao discovered was that the sophisticated “trade secret” approach to ransomware unlocking and recovery that the firms advertised and promised to clients didn’t really exist.

Desperate People Looking for a Professional Solution

Ransomware is no joke. Just ask Atlanta, Baltimore or any of the thousands of other victims. But beyond the obvious operational shutdown ramifications, dealing with those holding your data ransom is not something that most people are particularly comfortable with or skilled at. And that is exactly what makes the “professional” and “ethical” solutions promised by firms such as Proven Data and Monstercloud so attractive to ransomware victims.

The Latest Technology = Charging You to Pay the Ransom

According to ProPublica.com, both firms had a pretty simple and profitable business model: offer to restore client files using the “latest technology” at a price substantially above what the ransomware criminals were asking, then, unbeknownst to the victim, obtain the very same decryption key by paying the ransom (often at a lower negotiated price), pocketing the difference in the process! Proven Data paid so many SamSam ransoms on behalf of unwitting clients that the authors of the SamSam ransomware would actually recommend that victims work with Proven Data!

The Honest Open Approach

For many people the service provided by Proven Data and Monstercloud is a valuable one, and one worth paying for, despite the hazy truth about how it actually works. Other firms, such as Coveware, realize this and openly help clients restore their operations by navigating the murky waters of ransom decryption, including the bitcoin payment, interacting with the attackers and assisting with the decryption.

“Ransomware Payment Mills Prey on the Emotion of a Ransomware Attack.” “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.” — Bill Siegel, CEO Coveware

Real Security Solutions Not Smoke and Mirrors

At Konsultek we provide real, customized security solutions for organizations of all sizes and across all industries. We believe the best way to recover from ransomware is to avoid it in the first place by combining security technologies to prevent, detect and respond to threats. To learn more about our solutions please call us or hit our contact form.

Malware Becomes Art

On May 28, 2019 malware officially became art! That’s when the auction closed and a Samsung NC10 laptop containing 6 historically significant viruses was purchased for $1,345,000!

The Persistence of Chaos

The piece, commissioned by cybersecurity firm Deep Instinct, is titled “The Persistence of Chaos” and was created by the artist Guo O Dong.

Speaking to The Verge the artist explained this about his work:

“We have this fantasy that things that happen in computers can’t actually affect us, but this is absurd,” says Guo. “Weaponized viruses that affect power grids or public infrastructure can cause direct harm.”

6 Active Viruses

In total, the six different pieces of malware installed on the Samsung NC10 have been credited with causing approximately $95 billion worth of damage around the globe. The laptop is air-gapped and therefore ostensibly harmless (though we have shown here that air gapping does not necessarily equate to isolation) and contains active versions of ILOVEYOU, MyDoom, SoBig, WannaCry, DarkTequila, and BlackEnergy.

Coming to a Museum Near You?

While at first the idea of a laptop containing viruses being art might seem ludicrous, we need look no further than the Art Institute of Chicago to see that weaponry has been considered art for hundreds if not thousands of years. And, in the wrong hands with the right intent, these viruses and those still to come are indeed weapons. Perhaps even weapons of mass destruction.

Konsultek Knows Security

Viruses are now art. That doesn’t mean they are any less devastating to organizations and their networks. That’s where we come in. Consider us the helpful docent that can help you navigate and understand the black arts of cybersecurity. Give us a call or hit us up on our contact form to learn how our customized security solutions protect organizations of all sizes across all industries.

Malwarebytes Identifies New Malvertising Threat

The allure of watching a new release for free or streaming a season of your favorite show that is unavailable on any of the major streaming platforms might lead you to one of the many sketchy Torrent or streaming video sites out there on the web.

And, you wouldn’t be alone. These sites attract visitors like moths to a flame. And, just like those moths, some of these visitors are going to get burned according to a recent analysis by Konsultek partner Malwarebytes.

Malvertising Flow

The flow, as shown below, begins with aggressive advertising on video sharing and torrent sites and then proceeds through the Fallout exploit kit to a new and innovative piece of malware now known as Vidar.

Vidar – Silent but Slick

Vidar, now for sale for just $700, is named after the Norse son of Odin who is referred to as “The Silent One”.

According to Malwarebytes this moniker “seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.”

Malvertising Packs 1-2 Punch

In this latest malvertising scheme the end-user victim not only has their vital information stolen, but also has their files held for ransom after the fact. A combination punch that Floyd Mayweather himself would appreciate.

Konsultek Has You Covered

While common sense and good Internet hygiene will go a long way to keeping your files and information safe, Konsultek and their partners like Malwarebytes are constantly researching, analyzing and defending so that our clients are safe and secure.

In the case of this latest malvertising campaign, Malwarebytes users are protected against this threat at multiple levels. Malwarebytes’ signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. The Vidar stealer is detected as spyware. And GandCrab is thwarted via their anti-ransomware module.

So while you should avoid bad neighborhoods as a matter of practice, it’s good to know that Konsultek has your back if you should happen to stray into one.

SamSam Held Atlanta Ransom. Who’s Next?

Image Source: SOPHOSLABS 2019 THREAT REPORT

We’ve written quite a bit about municipalities large and small (think Atlanta, GA and Batavia, IL) becoming the focus of hackers and cybercriminals. Today we’ll shed a little more light on the malware that brought Atlanta to its knees in March.

SamSam for Ransom

Researchers at Sophos have dedicated a portion of their SOPHOSLABS 2019 THREAT REPORT to the highly profitable group of malware maestros behind the ransomware dubbed SamSam. Sophos describes SamSam’s highly personalized, high-touch ransomware attacks as being akin to a “cat burglar” as opposed to the more “smash and grab” approach of automated ransomware attacks that utilize commodity ransomware such as GandCrab.

The Advantages of Being Hands-On

Rather than relying on automation to rapidly attack hundreds of systems at once and hoping that some sort of exploitable vulnerability surfaces, for nearly 3 years SamSam has applied an old-school, hands-on approach to infiltration and infection. It typically begins by brute-forcing RDP passwords, which ultimately leads to harvesting domain admin credentials. With these credentials in hand, SamSam then waits for just the right moment, say Friday evening on a holiday weekend, to strike, pushing out the malware to as many machines as possible simultaneously.

This high-touch, cat burglar approach has allowed SamSam to focus on vulnerable targets with deep pockets and has yielded known ransom payments totaling $6.5 million USD in a little under 3 years.

Imitation is the Sincerest Form of Flattery

Even though the mysterious folks behind SamSam do not appear to collaborate, or even brag, in forums, their high-value exploits have not gone unnoticed, and several imitators have spawned, such as the ultra-high-ransom group BitPaymer, which reportedly charges ransoms in the $50,000 to $1MM range.

Konsultek’s Recommendation – Rein in RDP and Get the Fundamentals Locked Down

Since many of the worst manual ransomware attacks have relied upon Windows Remote Desktop as a point of entry, it stands to reason that securing this potential avenue of ingress should be a top priority. Once this basic exposure is locked down, you should also make sure that your team is practicing good password management and keeping systems up to date and patched. Even the most sophisticated security solutions will be hamstrung if sloppy network hygiene virtually invites hackers in!

If you’d like a free visibility report on the potential problems mentioned in this blog, please contact us immediately.
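The RDP password-guessing entry that Sophos describes above leaves a clear trace in Windows Security logs: a burst of failed logons (event 4625) from one source address, and, the signal that really matters, a successful logon (event 4624) from that same address afterwards. The detector below is an added example, not Konsultek’s or Sophos’s code; it runs over constructed records reduced to one comma-separated line each, and its treatment of logon type 3 as RDP activity (what Network Level Authentication produces for failed attempts) is an assumption of the example.

```python
"""Spot the SamSam-style RDP entry pattern in Windows Security logon events.

Added example, not Konsultek's or Sophos's code. Event records are constructed
for the example and reduced to one comma-separated line each:
    timestamp,event_id,source_ip,account,logon_type
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security: "An account failed to log on"
SUCCESS_LOGON = 4624   # Windows Security: "An account was successfully logged on"
# Logon type 10 = RemoteInteractive (RDP). Assumption of this example: with Network
# Level Authentication on, failed RDP guesses are logged as type 3 (network), so
# both types are treated as candidate RDP activity.
RDP_LOGON_TYPES = {10, 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    source_ip: str
    account: str
    logon_type: int


@dataclass(frozen=True)
class Alert:
    kind: str          # "brute_force" or "success_after_brute_force"
    source_ip: str
    account: str
    when: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed record into an Event."""
    ts, eid, ip, acct, ltype = [f.strip() for f in line.split(",")]
    return Event(datetime.fromisoformat(ts), int(eid), ip, acct, int(ltype))


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for (1) `threshold` or more failed remote logons from one source
    IP inside `window`, and (2) any later successful remote logon from a source that
    was flagged, i.e. a password guess that worked. Records must be in time order."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()               # sources already reported as brute-forcing
    alerts = []
    for ev in map(parse_line, lines):
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue
        if ev.event_id == FAILED_LOGON:
            q = recent[ev.source_ip]
            q.append(ev.ts)
            while ev.ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ev.source_ip not in flagged:
                flagged.add(ev.source_ip)
                alerts.append(Alert("brute_force", ev.source_ip, ev.account, ev.ts))
        elif ev.event_id == SUCCESS_LOGON and ev.source_ip in flagged:
            alerts.append(Alert("success_after_brute_force", ev.source_ip,
                                ev.account, ev.ts))
    return alerts


# Constructed sample: one mistyped password from a normal user, then 12 guesses
# against "administrator" from one address in under a minute, followed by a success.
SAMPLE_LOG = [
    "2019-03-22T02:00:05,4625,198.51.100.4,jsmith,10",
    "2019-03-22T02:00:19,4624,198.51.100.4,jsmith,10",
] + [
    f"2019-03-22T02:10:{s:02d},4625,203.0.113.7,administrator,3" for s in range(0, 48, 4)
] + [
    "2019-03-22T02:13:30,4624,203.0.113.7,administrator,10",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when:%Y-%m-%d %H:%M:%S} {a.kind:26} {a.source_ip} ({a.account})")
```

The second alert kind is the one to page on: a lone burst of failures may be a scanner, but a success from the same source means the credential is now in someone else’s hands.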

Security Firms Unite to Help Ransomware Victims

The website nomoreransom.org began as an offshoot of a collaboration between McAfee, Europol, the Dutch National Police and Kaspersky one year ago. Since that time the site has grown to represent the collaborative efforts of over 109 security and law enforcement partners, including Konsultek partner Check Point, according to ZDNet.com.

Popularity Exceeds Forecast

When pioneering partner and McAfee chief scientist Raj Samani set out to find hosting for the fledgling site, he figured it would become popular because of its subject matter, but his estimates of just how popular were way too low.

“Part of my responsibility was to find a hosting provider and I remember at the time I was asked how many HTTPs requests do you think you’ll get a day and I thought 12,000 a day would be reasonable,” says Samani.

To put things in perspective, during the peak of the WannaCry incident the site received more than 8 million hits!

Open Collaborative Sharing and Free Hosting from AWS

What has made nomoreransom.org so successful, and such a thorn in the side of aspiring ransomers, is that there are so many partners, each with different perspectives and insights, all sharing information freely for the greater good. Another huge benefit is that while law enforcement agencies are frequently hampered by their bureaucracies and the rule of law when they want to act directly, by cooperating with the other partners in the group, such as security companies, they can effect change more quickly.

AWS is supporting the project by hosting the website (and the enormous amount of traffic and bandwidth) for free. Nice job Amazon!

On the flipside, security firms can’t seize an identified botnet by themselves but by collaborating with law enforcement agencies that can, they now have a more direct path to taking down bad actors.

A Model Similar to Konsultek’s

Konsultek collaborates with the best security companies in the world, like Check Point, Carbon Black, Aruba, Forescout and others, to develop security solutions that no single company could provide on its own. If it is time for your organization to step up to world-class security solutions, then by all means give us a call!

Two Multinationals See Earnings Drop Because of Petya Cyber Attack

Last Thursday, within hours of one another, two huge consumer multinationals announced that their second quarter earnings would be negatively impacted because of Petya-based cyber-attacks.

According to the Financial Times, Mondelez International, purveyor of confections including Cadbury chocolates and Oreo cookies, announced its earnings cut just a few hours after UK-based consumer goods conglomerate Reckitt Benckiser had announced its own.

Petya Having a Greater Impact than WannaCry

If you were to look at a map of the distribution of WannaCry vs. Petya, you might think that WannaCry would be having the larger negative impact on global enterprises. However, this is turning out not to be the case, with Petya causing far more turmoil within large corporations because files are destroyed outright, not held for ransom.

From the Financial Times

“Cyber security experts dealing with the attack, which started in Ukraine, have advised stricken clients there is no hope of recovering infected systems. Unless organisations have backups of encrypted data, it is lost for good, they have warned. Western security officials say the severity of Petya’s impact points to its true purpose: not monetary gain, but pure destruction. Researchers at many of the world’s largest cyber security firms — including FireEye, Talos, ESET, Symantec and Bitdefender — have come to the same conclusion. “We believe with high confidence that the intent of the actor behind [Petya] was destructive in nature and not economically motivated,” Talos, the cyber security arm of Cisco told clients this week.”

Security Needs a Holistic Approach

What’s next? No one knows for certain, but with the NSA’s bag of tricks having been released into the wild a little under a year ago, you can bet that the number and potency of attacks is only going to get worse. A holistic approach to security that includes encrypted data backup is going to become de rigueur.

At Konsultek we assess each client’s needs and develop security solutions that meet those needs in the most economical way possible. If this sounds like a sensible approach to security to you, give us a call to discuss your particular situation.

Hackers Stoop to New Lows and Publish Plastic Surgery Images

Having your sensitive information held for ransom is never good. But what if your sensitive data were the before and after pictures of tens of thousands of plastic surgery patients that had entrusted their bodies, faces and privacy to your clinic?

How much ransom would you pay to keep your patients’ most intimate secrets private? That is exactly the dilemma facing the Lithuania-based Grozio Chirurgija clinic and its director Jonas Staikunas, according to the BBC. And apparently the ransom demanded was more than the director was willing to pay…

“An Outrageous Fee”

The breach, perpetrated by the Tsar Team this April, was quickly followed up with a ransom demand the group called “a small penalty fee” – 344,000 Euros – for having a vulnerable network.

On Tuesday this week the images were made public after the clinic refused to pay the ransom. At about the same time, the hackers started contacting individuals with compromised images directly, demanding smaller, single-serving ransoms of up to 2,000 Euro. Tsar Team has also lowered the demand for the whole database to 133,500 Euro, stating “a lot of people have paid us to delete their data.”

Medical Facilities Will Continue to be Targeted

With their highly sensitive and personal data, as well as life-support systems ripe for extortion, medical facilities will continue to be targeted by opportunistic cyber-thieves looking to cash in. The recent ransoms of the MedStar Health Network and the Hollywood Presbyterian Medical Center in Los Angeles are just two of the more well publicized breaches. On the heels of WannaCry, you can bet there will be more.

Konsultek Can Help

Our custom security solutions for the medical industry help eliminate the vulnerabilities cyber-criminals use to gain access to sensitive data. So, if you don’t “wanna cry” over lost records or ransoms, please give us a call. Our experienced team is ready to help get your network secure and make sure you never have to cry or shed a tear again!

© Copyright 2018 Konsultek