No More Ransom Helps Victims Avoid $108 Million in Ransom so Far

In just 3 short years No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee, has prevented ransom payments of $108 million by allowing users to decrypt their files with free tools. That figure comes from Europol, as reported on July 26th.

No More Ransom provides a platform for law enforcement and IT security companies to collaborate with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Thank You Contributors!

Amazon AWS and Barracuda host NoMoreRansom.org, and a veritable who’s who of anti-virus and security companies have donated decryption keys and tools, including but not limited to:

  • Emsisoft
  • Avast
  • Bleeping Computer
  • Bitdefender
  • Kaspersky
  • Check Point
  • McAfee

Source: Europol Infographic

200,000 Victims Helped

In its 3-year life over 3 million users from around the world have visited the site and more than 200,000 victims have been helped. 2019 has so far seen the addition of 14 new tools, bringing the total number of ransomware families that can be decrypted, as of the July 26, 2019 press release, to 109. Nearly 40,000 people have successfully decrypted files ransomed by GandCrab alone, saving roughly $50 million in ransom payments.

“When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.” – Steve Wilson, Head of Europol’s European Cybercrime Centre (EC3)

Who is Your Security Partner?

No More Ransom is a shining example of the security success that can be achieved by partnering with the top security firms in the world. That same philosophy is at work every day at Konsultek. Our partner providers represent the best-in-class solutions for all facets of network security and our security solutions in turn provide our clients with holistic best-in-class solutions for their networks.

If you’re ready to take your security to the next level we’re here to help. Simply call us or hit us up on our contact form.

Buyer Beware – Ransomware Recovery Firms are Charging You to Pay the Ransom!

In a story earlier this week ProPublica.com added a British firm, Red Mosquito Data Recovery, to its list of self-proclaimed ransomware data recovery experts whose premium-priced “unlocking expertise” was nothing more than paying the ransom!

In a May 15, 2019 post ProPublica.com published an exhaustive investigative exposé on two of the largest US-based ransomware recovery firms, Proven Data and Monstercloud. What investigative journalists Renee Dudley and Jeff Kao discovered was that the sophisticated “trade secret” approach to ransomware unlocking and recovery that the firms advertised and promised to clients didn’t really exist.

Desperate People Looking for a Professional Solution

Ransomware is no joke. Just ask Atlanta, Baltimore or any of the thousands of other victims. But beyond the obvious operational shutdown ramifications, dealing with those holding your data ransom is not something that most people are particularly comfortable with or skilled at. And that is exactly what makes the “professional” and “ethical” solutions promised by firms such as Proven Data and Monstercloud so attractive to ransomware victims.

The Latest Technology = Charging You to Pay the Ransom

According to ProPublica.com both firms had a pretty simple and profitable business model: offer to restore client files using the “latest technology” at a price substantially above what the ransomware criminals were asking, then, unbeknownst to the victim, obtain the very same decryption key by paying the ransom (often at a lower negotiated price) and pocket the difference! Proven Data paid so many SamSam ransoms on behalf of unwitting clients that the authors of the SamSam ransomware would actually recommend that victims work with Proven Data!

The Honest Open Approach

For many people the service provided by Proven Data and Monstercloud is a valuable one and one worth paying for, despite the hazy truth of their approach. Other firms such as Coveware recognize this and openly help clients restore their operations by navigating the murky waters of ransom decryption, including the bitcoin payment, interacting with the attackers and assisting with the decryption.

“Ransomware Payment Mills Prey on the Emotion of a Ransomware Attack.” “Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.” — Bill Siegel, CEO Coveware

Real Security Solutions Not Smoke and Mirrors

At Konsultek we provide real, customized security solutions for organizations of all sizes and across all industries. We believe the best way to recover from ransomware is to avoid it in the first place by combining security technologies to prevent, detect and respond to threats. To learn more about our solutions please call us or hit our contact form.

Malware Becomes Art

On May 28, 2019 malware officially became art! That’s when the auction closed and a Samsung NC10 laptop containing 6 historically significant pieces of malware was purchased for $1,345,000!

The Persistence of Chaos

The piece, commissioned by cybersecurity firm Deep Instinct, is titled “The Persistence of Chaos” and was created by the artist Guo O Dong.

Speaking to The Verge the artist explained this about his work:

“We have this fantasy that things that happen in computers can’t actually affect us, but this is absurd,” says Guo. “Weaponized viruses that affect power grids or public infrastructure can cause direct harm.”

6 Active Viruses

In total, the six different pieces of malware installed on the Samsung NC10 have been credited with causing approximately $95 billion worth of damages around the globe. The laptop is air-gapped and therefore ostensibly harmless (though we have shown here that air-gapping does not necessarily equate to isolation) and contains active versions of ILOVEYOU, MyDoom, SoBig, WannaCry, DarkTequila, and BlackEnergy.

Coming to a Museum Near You?

While at first the idea of a laptop containing viruses being art might seem ludicrous, we have to look no further than the Art Institute of Chicago to see that weaponry has been considered art for hundreds if not thousands of years. And, in the wrong hands with the right intent, these viruses and those still to come are indeed weapons. Perhaps even weapons of mass destruction.

Konsultek Knows Security

Viruses are now art. That doesn’t mean they are any less devastating to organizations and their networks. That’s where we come in. Consider us the helpful docent that can help you navigate and understand the black arts of cybersecurity. Give us a call or hit us up on our contact form to learn how our customized security solutions protect organizations of all sizes across all industries.

Malwarebytes Identifies New Malvertising Threat

The allure of watching a new release for free or streaming a season of your favorite show that is unavailable on any of the major streaming platforms might lead you to one of the many sketchy Torrent or streaming video sites out there on the web.

And, you wouldn’t be alone. These sites attract visitors like moths to a flame. And, just like those moths, some of these visitors are going to get burned according to a recent analysis by Konsultek partner Malwarebytes.

Malvertising Flow

The flow, as shown in the Malwarebytes diagram, begins with aggressive advertising on video sharing and torrent sites and then proceeds through the Fallout exploit kit to a new piece of malware now known as Vidar.

Vidar – Silent but Slick

Vidar, now for sale for just $700, is named after the Norse son of Odin who is referred to as the “The Silent One”.

According to Malwarebytes this moniker “seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.”

Malvertising Packs 1-2 Punch

In this latest malvertising scheme the end-user victim ultimately not only has their vital information stolen, but also has their files held for ransom after the fact: Vidar steals the data first and then drops the GandCrab ransomware. A combination punch that Floyd Mayweather himself would appreciate.

Konsultek Has You Covered

While common sense and good Internet hygiene will go a long way toward keeping your files and information safe, Konsultek and partners like Malwarebytes are constantly researching, analyzing and defending so that our clients stay safe and secure.

In the case of this latest malvertising campaign, Malwarebytes users are protected against the threat at multiple levels. Malwarebytes’ signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. The Vidar stealer is detected as spyware. And GandCrab is thwarted by their anti-ransomware module.

So while you should avoid bad neighborhoods as a matter of practice, it’s good to know that Konsultek has your back if you should happen to stray into one.


SamSam Held Atlanta Ransom. Who’s Next?

Image Source: SOPHOSLABS 2019 THREAT REPORT


We’ve written quite a bit about municipalities large and small (think Atlanta, GA and Batavia, IL) becoming the focus of hackers and cybercriminals. Today we’ll shed a little more light on the malware that brought Atlanta to its knees in March.

SamSam for Ransom

Dubbed SamSam, researchers at Sophos have dedicated a portion of their SOPHOSLABS 2019 THREAT REPORT to this highly profitable group of malware maestros. Sophos describes SamSam’s highly personalized, high-touch ransomware attacks as being akin to a “cat burglar” as opposed to the more “smash and grab” approach of automated ransomware attacks that utilize commodity ransomware such as GandCrab.

The Advantages of Being Hands-On

Rather than relying on automation to rapidly attack hundreds of systems at once and hoping that some sort of exploitable vulnerability surfaces, for nearly 3 years SamSam has applied an old-school, hands-on approach to infiltration and infection. It typically begins by brute-forcing RDP passwords, which ultimately leads to harvesting domain admin credentials. With these credentials in hand SamSam then waits for just the right moment, say Friday evening on a holiday weekend, to strike, pushing out the malware to as many machines as possible simultaneously.

This high-touch, cat burglar approach has allowed SamSam to focus on vulnerable targets with deep pockets and has yielded known ransom payments totaling $6.5 million USD in a little under 3 years.
Imitation is the Sincerest Form of Flattery

Even though the mysterious folks behind SamSam do not appear to collaborate, or even brag in forums, their high-value exploits have not gone unnoticed, and several imitators have spawned, such as the ultra-high-ransom group BitPaymer, which reportedly charges ransoms in the $50,000 to $1 million range.
Konsultek’s Recommendation – Rein in RDP and Get the Fundamentals Locked Down

Since many of the worst manual ransomware attacks have relied upon Windows Remote Desktop as a point of entry, it stands to reason that making sure this potential avenue of ingress is secured should be a top priority. Once this basic vulnerability is addressed you should also make sure that your team is practicing good password management and keeping systems up to date and patched. Even the most sophisticated security solutions will be hamstrung if sloppy network hygiene virtually invites hackers in!
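Because the SamSam intrusions described above begin with guessed RDP passwords, a simple first check is whether your Windows Security logs show bursts of failed RemoteInteractive logons from a single source followed by a success. The detector below is an added example (not code from Sophos, Konsultek or the Sophos report); event IDs 4625/4624 and LogonType 10 are the real Windows values, while the sample records, the 5-minute window and the threshold of 20 are constructed assumptions you should tune to your environment.

```python
"""Flag RDP password-guessing bursts in Windows Security events.

Each record is (timestamp, event_id, logon_type, target_user, source_ip).
4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
The records here are constructed for the example, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumed)
THRESHOLD = 20                  # failed RDP logons per source per window (assumed)

# Constructed sample: 25 rapid failures against 'administrator' from one
# address, then a success from that same address, plus two benign events.
SAMPLE_EVENTS = [
    (datetime(2019, 3, 22, 21, 0, i), 4625, 10, "administrator", "203.0.113.45")
    for i in range(25)
] + [
    (datetime(2019, 3, 22, 21, 0, 40), 4624, 10, "administrator", "203.0.113.45"),
    (datetime(2019, 3, 22, 21, 1, 0), 4625, 10, "jsmith", "198.51.100.7"),   # one typo
    (datetime(2019, 3, 22, 21, 2, 0), 4625, 2, "svc-backup", "192.0.2.9"),   # not RDP
]


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (alert_type, source_ip, user, failure_count).

    'rdp_bruteforce' fires once per source that reaches `threshold` failed
    RDP logons inside `window`; 'rdp_bruteforce_success' fires when that same
    source later logs on successfully over RDP, which is the hands-on SamSam
    pattern (guessed password, then interactive access).
    """
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625/type-10
    burst_sources = set()
    alerts = []
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire old failures
                recent.popleft()
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("rdp_bruteforce", src, user, len(recent)))
        elif event_id == 4624 and src in burst_sources:
            alerts.append(("rdp_bruteforce_success", src, user, len(failures[src])))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector raises one burst alert at the 20th failure and one success alert for the same source; the single failed logon from 198.51.100.7 and the non-RDP logon from 192.0.2.9 are ignored.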
If you’d like a free visibility report to potential problems mentioned in this blog, please contact us immediately.

Security Firms Unite to Help Ransomware Victims

The website, nomoreransom.org, began as an offshoot of the collaboration between McAfee, Europol, the Dutch National Police and Kaspersky one year ago. Since that time the site has grown to represent the collaborative efforts of over 109 security and law enforcement partners, including Konsultek partner Check Point, according to the website ZDNet.com.

Popularity Exceeds Forecast

When pioneering partner and McAfee chief scientist Raj Samani set out to find hosting for the fledgling site, he figured that it would become popular because of its subject matter, but his estimates of just how popular were way too low.

“Part of my responsibility was to find a hosting provider and I remember at the time I was asked how many HTTPs requests do you think you’ll get a day and I thought 12,000 a day would be reasonable,” says Samani.

To put things in perspective, during the peak of the WannaCry incident the site received more than 8 million hits!

Open Collaborative Sharing and Free Hosting from AWS

What has made nomoreransom.org so successful, and such a thorn in the side of aspiring ransomers, is the fact that there are so many partners, each with different perspectives and insights, all sharing information freely for the greater good. Another huge benefit is that while law enforcement agencies are frequently hampered by their own bureaucracies and the rule of law when they want to act directly, by cooperating with the other partners in the group, such as security companies, they can effect change more quickly.

AWS is supporting the project by hosting the website (and the enormous amount of traffic and bandwidth) for free. Nice job Amazon!

On the flip side, security firms can’t seize an identified botnet by themselves, but by collaborating with law enforcement agencies that can, they now have a more direct path to taking down bad actors.

A Model Similar to Konsultek’s

Konsultek collaborates with the best security companies in the world, like Check Point, Carbon Black, Aruba, Forescout and others, to develop security solutions that no single company could provide alone. If it is time for your organization to step up to world-class security solutions then by all means give us a call!

Two Multinationals See Earnings Drop Because of Petya Cyber Attack

Last Thursday, within hours of one another, two huge consumer multinationals announced that their second quarter earnings would be negatively impacted by Petya-based cyber-attacks.

According to the Financial Times, Mondelez International, purveyor of confections including Cadbury chocolates and Oreo cookies, announced its financial pruning just a few hours after UK-based consumer goods conglomerate Reckitt Benckiser had announced theirs.

Petya Having a Greater Impact than WannaCry

If you were to look at a map of the distribution of WannaCry vs Petya you might think that WannaCry would be having the larger negative impact on global enterprises. However, this is turning out not to be the case, with Petya causing far more turmoil within large corporations because files are destroyed outright, not held for ransom.

From the Financial Times

“Cyber security experts dealing with the attack, which started in Ukraine, have advised stricken clients there is no hope of recovering infected systems. Unless organisations have backups of encrypted data, it is lost for good, they have warned. Western security officials say the severity of Petya’s impact points to its true purpose: not monetary gain, but pure destruction. Researchers at many of the world’s largest cyber security firms — including FireEye, Talos, ESET, Symantec and Bitdefender — have come to the same conclusion. “We believe with high confidence that the intent of the actor behind [Petya] was destructive in nature and not economically motivated,” Talos, the cyber security arm of Cisco told clients this week.”

Security Needs a Holistic Approach

What’s next? No one knows for certain, but with the NSA’s bag of tricks having been released into the wild a little under a year ago, you can bet that the number and potency of attacks is only going to get worse. A holistic approach to security that includes encrypted, offline data backups is going to become de rigueur.

At Konsultek we assess each client’s needs and develop security solutions that meet those needs in the most economical way possible. If this sounds like a sensible approach to security to you, give us a call to discuss your particular situation.

Hackers Stoop to New Lows and Publish Plastic Surgery Images

Having your sensitive information held for ransom is never good. But what if your sensitive data were the before and after pictures of tens of thousands of plastic surgery patients that had entrusted their bodies, faces and privacy to your clinic?

How much ransom would you pay to keep your patients’ most intimate secrets private? That is exactly the dilemma facing the Lithuanian-based Grozio Chirurgija clinic and its director Jonas Staikunas, according to the BBC. And apparently the ransom demanded was more than the director was willing to pay…

“An Outrageous Fee”

The breach, perpetrated by the Tsar Team this April, was quickly followed up with a ransom demand the group called “a small penalty fee” – 344,000 Euros – for having a vulnerable network.

On Tuesday this week the images were made public after the clinic refused to pay the ransom. At about the same time, the hackers started contacting individuals with compromised images directly, demanding smaller, single-serving ransoms of up to 2,000 Euros. Tsar Team has also lowered the demand for the whole database to 133,500 Euros, stating “a lot of people have paid us to delete their data.”

Medical Facilities Will Continue to be Targeted

With their highly sensitive and personal data, as well as life-support systems ripe for extortion, medical facilities will continue to be targeted by opportunistic cyber-thieves looking to cash in. The recent ransoms of the MedStar Health Network and the Hollywood Presbyterian Medical Center in Los Angeles are just two of the more widely publicized breaches. On the heels of WannaCry, you can bet there will be more.

Konsultek Can Help

Our custom security solutions for the medical industry help eliminate the vulnerabilities cyber-criminals use to gain access to sensitive data. So, if you don’t “wanna cry” over lost records or ransoms, please give us a call. Our experienced team is ready to help get your network secure and make sure you never have to shed a tear again!

No Honor Among Thieves – Latest Ransomware Based on Competitor’s Stolen Code

We’ve reported on the rise in ransomware attacks previously. Ransomware is readily available for purchase on the Darknet and requires relatively little sophistication to use. This makes it very popular among cyber thieves looking to make a quick buck holding individuals and organizations hostage.

Image Courtesy of Kaspersky Lab

However, it appears that competition may be heating up in the ransomware space, and some speculate that this infighting may be a boon to would-be victims because it consumes resources that might otherwise be used for mayhem.

Petya Code Stolen?

Petya, a particularly virulent strain of ransomware that was a pioneer in malware-as-a-service offerings, has apparently had its code (or at least key portions of it) stolen by a group that has used that code to create and launch an even nastier version they dub PetrWrap.

In use since February, PetrWrap uses its own cryptographic keys to lock down a user’s data rather than relying on the “stock” keys that come with a paid subscription to Petya, so the Petya authors cannot decrypt PetrWrap victims’ files.

Competition Eating Itself?

“We are now seeing that threat actors are starting to devour each other. From our perspective, this is a sign of growing competition between ransomware gangs,” says Anton Ivanov, senior security researcher at Kaspersky Lab. He further postulates “Theoretically, this is good, because the more time criminal actors spend on fighting and fooling each other, the less organised they will be, and the less effective their malicious campaigns will be.”

Konsultek Can Help

Whether this increased competition is good or bad for individuals and organizations will only reveal itself in the months and years ahead. In the meantime we urge you to take as many precautions as possible, including:

1. Routinely backing up all critical data to drives that are secure and kept separate from the systems they protect.

2. Implementing a robust threat prevention, detection and mitigation strategy.

3. Proactively performing penetration tests and other types of network security challenges to identify areas of weakness before they allow ingress by outside threats.

If you would like to discuss best practices in any of these areas, please give us a call. We are here to help!

© Copyright 2018 Konsultek