now browsing by tag


#school | #ransomware | Oregon Business – Data Risk

Source: National Cyber Security – Produced By Gregory Evans

Small businesses face a heavy risk when it comes to cyber security. The best defense relies on an active, educated employer.

On March 9, 2018, the Oregon Clinic discovered an unidentified party had accessed an email account. The data breach gave attackers access to names, birth dates, medical information, and in some cases, the social security numbers of patients and staff. 

The clinic was able to recover from the attack, and went on to offer patients impacted by the breach one full year of identity monitoring services. 

But other businesses which have been subjected to cyberattacks face more dire consequences.

According to a recent study by insurance carrier Hiscox, the average cost to a business when it is subjected to a cyberattack is around $200,000. 

Small businesses suffer most from these costly attacks. Due to the massive price tag associated with an infringement, 60% of small businesses go out of business within six months of being victimized, according to the National Center for the Middle Market. 

Attackers target small businesses for a variety of reasons. Some try to gain access to employee and client information, such as email accounts, bank numbers and social security numbers. Hackers also install ransomware, which, as the name implies, will hold a network hostage until the business owner pays a fee to be released. 

Hackers also target servers to create a “zombie” network, which uses a business server as a launching pad to conduct other attacks to avoid detection. 

Other attackers, especially ones from foreign governments, take over a network to mine for bitcoins. 

Close to 50% of all cyber attacks are perpetrated against small businesses, which hackers often perceive as low-hanging fruit. According to a report compiled by Verizon, nearly half of small businesses reported a data breach in the past two years. 

Despite the likelihood of an attack, and the relative risk involved, less than half of small business owners reported spending money on cyber security last year. 

This is in part because maintaining a good cybersecurity defense is costly. Unlike virus protection, a business cannot simply install a defensive program against cyberattacks and remain safe.

“The demand for these cybersecurity professionals is so high that the price they command for their services is also very high,” says Dr. Wayne Machuca, lead instructor for Mt. Hood Community College’s cybersecurity program. “This precludes small and medium-sized businesses from being able to afford and adequately staff around their cybersecurity needs.” 

There are 4,600 cybersecurity job openings in Oregon, according to cybersecurity employment website CyberSeek. Despite Oregon’s reputation as a state with a heavy tech sector, there are twice the number of cybersecurity job openings as there are qualified professionals to fill them. 

Ruth Swain is the interim director of the Small Business Development Center at Mt. Hood Community College, which helps small businesses protect themselves against cyber threats through the Oregon Center for Cybersecurity. 

With Machuca’s help, the center has developed a program which allows students in their last year of school to provide training and cybersecurity expertise to small businesses owners and their employees free of charge. 

“We worked with the interns and instructors here to come up with a cybersecurity prevention checklist for small businesses,” says Swain. “The advising is free, so we are encouraging businesses to sign up.”

The program was awarded a grant from the National Science Foundation, and Machuca says they have used the grant money to replicate the program along with its sister colleges.  “It’s really exciting stuff,” he says. 

Skip Newberry, president and CEO of the Technology Association of Oregon and executive sponsor of Cyber Oregon, an organization dedicated to delivering the latest cybersecurity information and best practices to businesses, says businesses which cannot afford a cybersecurity professional on staff should train employees to recognize cyberattacks. 

“The first and best defense is adequate training for employees,” he says. “In this day and age, anyone who uses technology should be trained in how to spot phishing and spear phishing attempts, and best practices for managing passwords, which is how the vast majority of cyber breaches occur within small businesses.”

Much of the training is preventative, but if an attack has occurred, the most important thing for a business is not to keep silent. 

To subscribe to Oregon Business, click here.

Source link

The post #school | #ransomware | Oregon Business – Data Risk appeared first on National Cyber Security.

View full post on National Cyber Security

#comptia | #ransomware | Councils’ parking app hit by ransomware attack

Source: National Cyber Security – Produced By Gregory Evans

Five days into an outage, the maker of PayMyPark – a parking payment app used by Wellington, Hutt, Tauranga, Christchurch, Dunedin and other city councils – has admitted it was the victim of a ransomware attack.

• Toll admits some customers still suffering delays on day 18 of ransomware attack
• Air NZ service provider Travelex held to ransom by hackers demanding $8.5m

“We responded to this incident as soon as we were notified and commissioned a
thorough investigation which is being undertaken by the PwC Cyber Response Team,” Arthur D Riley Ltd (ADR) said in a statement.

In follow-up comments, a spokeswoman said no ransom was paid. She did not say how much was demanded to free its data.

Like Toll and Air NZ partner Travelex before it, ADR chose to grind it out and rebuild its systems over several days.

PayMyPark went off-line on Saturday, and users have since been demanding answers from councils, who before this afternoon have been able to offer little information.

“As a result of this ongoing investigation, we believe we have identified how this attack
occurred and have taken steps to get PayMyPark back online,” ADR said.

“We want to assure all our customers and users that we have not identified any breach
of private or personal information or data as a result of this ransomware attack.

“We can also confirm that PayMyPark does not hold any credit card or other personal
financial information.”

The company says its systems are now secure, and that its app will be back online as of 6am tomorrow.

ADR is also heavily involved in parking enforcement systems, and exports of data to collection agencies and courts. The spokeswoman said, “ADR took the parking enforcement systems down as a precaution, but no data or information has been compromised.”

Wellington City Council alerted users via Twitter on Saturday that there were “server problems”. There is still no estimated time for ADR to get the system back online.

A WCC spokesman told the Herald that council staff were meeting with ADR this afternoon. The council hoped to learn more at that meeting, however, it could offer no new information following the get-together.

Source / ADR website
Source / ADR website

Dunedin City Council has come the closest to providing an explanation, saying in response to a question on Facebook: “Someone attempted to breach our supplier’s website. Due to the security systems in place, no personal information or credit card details were accessed. Cyber security specialists were called in and as a security measure, the site and app were taken offline. They are working to get the site and app back online as a high priority.”

Many drivers were confused about whether they should pay for parking if they had money still in their PayMyPark account, but the system was still down.

Celeste Wansink asked Dunedin Council, “When I have money sitting in an account (PayMyPark) waiting to be used for parking, why should I pay at the meter?” (The council did not immediately reply).

Mike James vented: “Typical DCC [Dunedin City Council], no real back up plan.”

Wellington City Council said people could still pay at meters using cards or cash.

“In the unlikely event you get a ticket, you can appeal your ticket once the system is back online,” the council said on its Facebook page.

Robyn Gilchrist posted in response: “This has been playing up for days… In a cashless society you need a need a more reliable service.”

A number wondered why Wellington had dumped its previous app, Phone2Park, which was shuttered on January 7 this year.

The office of the Privacy Commissioner said it had not been notified about any data breach involving PayMyPark.

What to do if you’re hit by ransomware

New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.

CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.

CERT director Rob Pope and Police recommend not paying a ransom for data encrypted or stolen by hackers.

There is no guarantee it will be returned. And payment often means helping to fund organised crime groups that are also involved in areas like drugs and human trafficking.

Source link

The post #comptia | #ransomware | Councils’ parking app hit by ransomware attack appeared first on National Cyber Security.

View full post on National Cyber Security

#school | #ransomware | Cybersecurity incidents at schools nearly triple in 2019

Source: National Cyber Security – Produced By Gregory Evans

Public K-12 education agencies across the nation reported 348 cybersecurity incidents during 2019—nearly three times as many incidents as were publicly disclosed during 2018.

A report from the K-12 Cybersecurity Resource Center, The State of K-12 Cybersecurity: 2019 Year in Review,  says many of these incidents caused significant problems. They resulted  in the theft of millions of  dollars, stolen identities, and the denial of access to school technology systems for weeks or longer.

Student and educator data breaches were the most commonly experienced type of incident in 2019. More than half of these were because of the actions of insiders to the school community, including edtech vendors and other third-party partners. The next most frequent type of cyber incident experienced by schools during 2019 was ransomware.

Data for the report comes from publicly disclosed incidents cataloged on the K-12 Cyber Incident Map. The map and underlying database capture detailed information about two inter-related issues:

  • publicly disclosed cybersecurity incidents affecting public K-12 schools, districts, charter schools, and other public education agencies (such as regional and state education agencies) in the 50 states and Washington, D.C.
  • the characteristics of public school districts (including charter schools) that have experienced one or more publicly disclosed cybersecurity incidents.

The 348 incidents in 2019 involved 336 education agencies across 44 states; 329 of those involved regular public school districts. Suburban districts were the more common target (44.31%), followed by rural (22.75%).

Schools from the Northeast were victimized most often (33.93%), followed by the Central region (27.08%), West (25%) and Southeast (13.99%).

Since 2016, the K-12 Cyber Incident Map has documented more than 775 publicly disclosed incidents affecting students and educators.

Although acknowledging that the odds of experiencing an incident appear to vary by school district characteristics, the report stresses that the resource center “has documented school districts of every size and type that have experienced data breaches, phishing attacks, and ransomware/malware outbreak.”

“School district leaders would do well to understand that no school district is safe from a potential incident,” the report recommends.

Source link

The post #school | #ransomware | Cybersecurity incidents at schools nearly triple in 2019 appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | The hottest topic: Ransomware | SC Media

Source: National Cyber Security – Produced By Gregory Evans

The attacks that transpired last year alone
arguably made ransomware the hot topic of the year and most likely a leading contender
for 2020, as well, but a new element that cropped up late last year – attackers
adding a layer of blackmail to the threat of locking a target’s computer system
– solidified its standing.

The evolution, if one could apply such a lofty term, to blackmail stems from companies’ recent strides in better deflecting ransomware attacks.

Although the well-known threat actor The Dark
Overlord was a pioneer, several groups have been implementing this tactic,
including Maze, Sodinokibi and Nemty, since late last year, an indicator to
many security pros that the bad guys are responding to improved security
practices on the part of their intended victims.

“The attacker threatening, or going ahead with,
disclosure of the stolen data is their way of forcing even those companies that
have backup in place to reconsider paying the ransomware,” says Ilia
Kolochenko, founder and CEO of ImmuniWeb.

Over the last several weeks Maze has wielded
Sodinokibi ransomware as a lever to try and pry millions of dollars in ransom payments
from a series of targets, most recently Medical Diagnostic Laboratories and the
Gedia Automotive Group. Maze demanded 200 bitcoins from the former and when it
refused to pay up allegedly posted stolen data to several dark web forums.
Gedia also ignored the threat and had data revealed. Previously, Pensacola,
Fla., and Travelex have also been involved in this type of attack.

Maze’s is so brazen that it has created a public
website where it’s data stolen from companies that refuse to pay up.

The possibility that sensitive data could be
released certainly preys upon the mind of most ransomware victims. In almost
every case where a company, municipality or school district was hit, one of the
first things those in charge mention is that they do not believe any data has
been removed. This was generally a safe comment to make as attackers had not
previously made a habit of stealing data prior to encrypting a system.

The addition of blackmail now removes their ability
to throw out that particular safety net nor can they hide what happened if the
stolen data is made public.

“By threatening public exposure, attackers can add
layers of pressure to their ransom demands, in addition to the potential fines
from data protection acts like GDPR,” says Alex Guirakhoo, strategy and
research analyst at Digital Shadows. “Even empty threats of exposure can be
enough to elicit payment.”

If an organization pays the ransom that does not
mean the bad guys will comply and not make further use of the stolen
information. The people behind ransomware attacks are criminals and not to be
trusted always has been one of the primary reasons law enforcement has been
against paying a ransom. It guarantees nothing.

“Stealing data simply gives them additional
leverage to extort payment and, perhaps, other options for monetization –
selling the data to other criminal groups or competitors, for example,” says
Brett Callow, a threat analyst with Emsisoft.

Moshe Elias,
director of marketing at Cymulate, notes criminals were forced to go in this direction
in order to maintain their cash flow as fewer companies were opting to pay. In
one sense these malicious actors were hoisted upon their own petard as the huge
number of ransomware attacks gained a great deal of public exposure thus
raising awareness.

“Awareness has grown and companies are employing
better protection against ransomware and better recovery methods from a
successful ransomware attack,” he says, which has led to victims not paying
despite not being able to recover their data – in some cases because they had
cyber insurance to cover any loss.

Deciding to not pay has led to another plot twist.
Over the last four months the size of the average ransom payout has
dramatically increased for those who choose to give in to the demand.

The security firm Coveware recently reported that
in the fourth quarter of 2019, the average ransom payment increased by 104
percent to $84,116, up from $41,198 in the third quarter of 2019.

The report specifically cited the ransomware groups
now known for threatening to release data as one of the drivers of this higher

“Some variants such as Ryuk and Sodinokibi have
moved into the large enterprise space and are focusing their attacks on large
companies where they can attempt to extort the organization for a seven-figure
payout,” Coveware says.

Attackers still target smaller businesses,
primarily using Dharma, Snatch and Netwalker ransomware but with demands as low
as $1,500 – compared to the six- and seven-figure fees demanded from large

As with any adversarial relationship one side
generally comes up with a new weapon or methodology and it is then countered by
the opposing side. Since the criminal element has now brought in to play a
further level of blackmail defenders must adapt. Moshe Elias, Cymulate’s
director of product marketing, points out that there are already tools
available that can inform a targeted firm that data is being exfiltrated.

“What’s most surprising about this attack (Medical Diagnostic Laboratories) is that any fully functioning Data Loss Prevention solution should assist in detecting unwanted data that’s been accessed and sent out of the organization. Such a large amount of data, such as a 100GB, should at least raise a flag if not completely kill the communication channel for exfiltration,” he says, adding, “As ransomware has shifted to exfiltrating data and then encrypting it on the customer side, it’s imperative that all network security controls are optimized at all times to avoid these type of gaps.”

Whether or not Medical Diagnostic Laboratories had the internal staff in place to handle this attack is something only the company knows, but Bret Padres, CEO, Crypsis Group, says companies that find themselves in this position can turn to what is another hot topic: Cyber insurance. Such coverage will not only help defray any financial loss, but insurance firms can also help smaller or less tech savvy firms possibly recover from an attack.

Original Source link

The post #cybersecurity | hacker | The hottest topic: Ransomware | SC Media appeared first on National Cyber Security.

View full post on National Cyber Security

#infosec | Ransomware Attack at US Power Station

Source: National Cyber Security – Produced By Gregory Evans

A Massachusetts power station hit by ransomware is refusing to meet attackers’ financial demands.

The Reading Municipal Light Department (RMLD) was targeted on Friday by cyber-criminals hoping to extort money by encrypting data in the station’s computer system. Unfortunately for them, station bosses opted to hire an outside IT consultant to help them deal with the ransomware infection instead of paying for the return of their files.

RMLD said that its IT team had been working tirelessly since Friday to identify and isolate the problem, which was believed to have been contained by yesterday afternoon. Outside help was brought in to make doubly sure that all traces of the malware had been removed.

After attackers drove the electricity provider off their website, RMLD took to Twitter earlier today to spread news of the ransomware attack.

From their account @readinglight, the company posted: “RMLD’s website, http://rmld.com, is currently unavailable due to a widespread issue our vendor is experiencing. There is no ETA for a resolution at this time. This issue is affecting multiple city and town websites in MA. Updates will be shared as they become available.”

Electricity services were not interrupted by the attack, and RMLD said that the grid remains secure.

RMLD said that there were no indications that customers’ financial data had been compromised as a result of the attack. Information regarding customers’ bank accounts and credit cards is stored in a separate system managed by third-party provider Invoice Cloud.

Online payments remained unaffected by the ransomware attack, as they are handled by Invoice Cloud. RMLD said that prompt payment discounts will be honored despite a potential delay in the carrying over of payments from Invoice Cloud to RMLD’s billing system.

Customer data that may have been exposed in the attack includes names, addresses, email addresses, and records of how much electricity an individual has accessed. 

RMLD has not confirmed how the ransomware entered their computer system, nor has the electricity provider stated how much money was requested by the attackers.    

According to records obtained by NBC10 Boston, 1 in 6 Massachusetts communities have been targeted by ransomware and at least 10 communities have used taxpayers’ money to recover encrypted data.


#infosec #itsecurity #hacking #hacker #computerhacker #blackhat #ceh #ransomeware #maleware #ncs #nationalcybersecurityuniversity #defcon #ceh #cissp #computers #cybercrime #cybercrimes #technology #jobs #itjobs #gregorydevans #ncs #ncsv #certifiedcybercrimeconsultant #privateinvestigators #hackerspace #nationalcybersecurityawarenessmonth #hak5 #nsa #computersecurity #deepweb #nsa #cia #internationalcybersecurity #internationalcybersecurityconference #iossecurity #androidsecurity #macsecurity #windowssecurity

Source link

The post #infosec | Ransomware Attack at US Power Station appeared first on National Cyber Security.

View full post on National Cyber Security

#school | #ransomware | Commentary: Cybersecurity breaches at Texas schools cost taxpayers millions

Source: National Cyber Security – Produced By Gregory Evans

According to data assembled by the K-12 Cybersecurity Resource Center, no state has experienced a greater number of publicly disclosed school cybersecurity incidents in recent years than Texas. These incidents have resulted in the theft of millions of taxpayer dollars, widespread destruction and outages of school IT systems, and large-scale identity theft.

Consider that Manor Independent School District lost $2.3 million in a targeted email phishing scam in January. In similar attacks last year, nearly $2 million was stolen from Crowley ISD, while Henderson ISD lost more than $600,000.

Malicious actors have employed other digital weapons, such as ransomware, to extort money from at least a half dozen Texas districts since 2017. The most recent incident, in Port Neches-Groves ISD, resulted in a $35,000 bitcoin payment to cybercriminals in exchange for the digital keys to restore access to the district’s IT systems. And school vendors such as Pearson have experienced large-scale breaches of student data at the same time that thousands of Texas educators and administrators have had their identities and personal bank accounts emptied by cyberthieves.

Given that schools’ reliance on technology for teaching, learning and operations will continue to grow, trustees and administrators should embrace their responsibility to safeguard their school communities from emerging digital threats.

The passage of Senate Bill 820 by the Texas Legislature encourages school districts to put in place commonsense security controls, but it falls short of guaranteeing such controls will be implemented effectively or in proportion to the threats facing districts.

If school trustees and administrators are to make real progress in managing cybersecurity risks, they will need to foster better information-sharing and cooperation across districts; make the case in their communities for spending time and resources on building cybersecurity awareness, tooling and expertise; and embrace the legislative requirement to develop meaningful cybersecurity policies and plans.

While there is variability in how school districts use and rely on technology, there are more similarities in terms of security challenges than differences. Since cybercriminals target school districts nationwide with the same scams, it is imperative IT leaders in school districts collaborate. Indeed, one of the biggest challenges in responding to these threats is the veil of secrecy surrounding school cybersecurity.

Any meaningful response to the issue will also require more money and more expertise. While state — and even federal — resources would undoubtedly help, school districts will likely have to look for other funding and sources of support. Students, parents and teachers should all be allies in this cause.

While educational technology offers exciting opportunities for students and teachers, its use introduces new risks. While the passage of SB 820 is laudable, it is only one step in a much longer journey to keep Texas school districts cybersecure. In the end, we won’t see fewer successful phishing attacks, fewer ransomware incidents or fewer data breaches until all superintendents and trustees jointly embrace their cybersecurity governance responsibilities.

Doug Levin is president and founder of the K-12 Cybersecurity Resource Center (k12cybersecure.com), which was launched in 2018 to shed light on the emerging cybersecurity risks facing public schools.

Source link

The post #school | #ransomware | Commentary: Cybersecurity breaches at Texas schools cost taxpayers millions appeared first on National Cyber Security.

View full post on National Cyber Security

#nationalcybersecuritymonth | Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security

Source: National Cyber Security – Produced By Gregory Evans

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) today warned of ongoing ransomware attacks targeting the systems of Swiss small, medium-sized, and large companies.

According to the alert issued in collaboration with the Swiss Government Computer Emergency Response Team (GovCERT), the attackers have asked for ransoms ranging from thousands of Swiss Francs to millions — 1 million CHF is just over $1 million.

Over a dozen of such ransomware attacks that resulted in systems being encrypted and rendered unusable have been reported in recent weeks.

“The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions,” the alert says.

Swiss ransomware victims ignored warnings, had poor security

As MELANI and GovCERT discovered while investigating these ransomware incidents, recommended best practices such as MELANI’s information security checklist for SMEs were not implemented by the victims and previous warnings of such attacks were not taken into consideration.

The Swiss Government-funded cybersecurity body advises businesses not to pay ransoms to avoid becoming involuntary sponsors for the hackers’ ongoing campaigns.

Also, by paying them, businesses don’t have any guarantee that their data will be recoverable using decryption tools provided by the attackers.

It is important that the companies concerned contact the cantonal police immediately, file a complaint and discuss the further procedure with them. As long as there are still companies that make ransom payments, attackers will never stop blackmailing. – MELANI

MELANI also warned both SMEs and large companies that they are still at risk even after paying the ransoms and restoring their systems and data seeing that “the underlying infection from malware such as ‘Emotet’ or ‘TrickBot’ will remain active.”

“As a result, the attackers still have full access to the affected company’s network and can, for example, reinstall ransomware or steal sensitive data from it.”

MELANI said that there are examples of companies from Switzerland and other countries that were ransomed multiple times within short periods of time.

While analyzing the recently reported ransomware incidents, the Swiss cybersecurity body identified a number of weaknesses that allowed attackers to successfully breach the companies’ defenses (all of them can be mitigated by MELANI’s recommendations):

• Virus protection and warning messages: Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers).
• Remote access protection: Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
• Notifications from authorities: Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies.
• Offline backups and updates: Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted.
• Patch and lifecycle management: Companies often do not have a clean patch and life cycle management. As a result, operating systems or software were in use that were either outdated or no longer supported.
• No segmentation: The networks were not divided (segmented), e.g. an infection on a computer in the HR department allowed the attacker a direct attack path to the production department.
• Excessive user rights: Users were often given excessive rights, e.g. a backup user who has domain admin rights or a system administrator who has the same rights when browsing the internet as when managing the systems.

Stream of ransomware warnings

Last year, in November, a confidential report issued by the Dutch National Cyber Security Centre (NCSC) said that at least 1,800 companies from around the globe and with operations in various industry sectors were affected by ransomware attacks.

The three file-encrypting malware strains responsible for the infections — LockerGoga, MegaCortex, and Ryuk — relied on the same infrastructure and were previously spotted in attacks that targeted corporate networks and enterprises such as Norsk Hydro and Prosegur.

The Federal Bureau of Investigation (FBI) also warned private sector partners last month about Maze Ransomware operators focusing their attacks on US companies. 

This warning came less than a week after the FBI warned private industry recipients about LockerGoga and MegaCortex ransomware infecting corporate systems from the U.S. and abroad in a flash alert marked as TLP:Amber.

“Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands,” the FBI announced at the time.

“The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga.”

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all critical U.S. infrastructure sectors of a recent ransomware attack that hit a natural gas compression facility and took down pipeline operations for two days.

Source link

The post #nationalcybersecuritymonth | Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security appeared first on National Cyber Security.

View full post on National Cyber Security

#school | #ransomware | Ransomware Attacks And Prevention | WSHU

Source: National Cyber Security – Produced By Gregory Evans

Hackers have used viruses to infect and hold municipal and institutional computer systems hostage. It’s happened to school districts in Connecticut and on Long Island. We’ll discuss how cybersecurity experts will prepare for future ransomware attacks, while others try to pay the hackers’ price, with guests:

  • Robert Dillon, Ed.D., district superintendent, Nassau BOCES
  • Phil Boyle, New York state senator, R-Bay Shore
  • Harvey Kushner, Ph.D., chair, Department of Criminal Justice and Cybersecurity, and director, Homeland Security and Terrorism Institute, Long Island University 
  • Fred Scholl, Ph.D., cybersecurity program director and associate teaching professor of cybersecurity, Quinnipiac University
  • Arthur House, former chief cybersecurity risk officer, State of Connecticut

Source link

The post #school | #ransomware | Ransomware Attacks And Prevention | WSHU appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | Following A New Trend in Ransomware League

Source: National Cyber Security – Produced By Gregory Evans

Estimated reading time: 5 minutes

Ransomware authors keep exploring new ways to test their strengths against various malware evasion techniques. The ransomware known as “Ouroboros” is intensifying its footprint in the field by bringing more and more advancements in its behavior as it updates its version. This analysis provides the behaviour of version 6, few earlier variants of it and some insights on the recent Version 7. This Ransomware not only applies conventional methods but also adopts some new techniques making it very difficult to analyze.

Infection Vector
Ouroboros has been around from a year now and it spreads through RDP Bruteforce attacks, deceptive downloads, and through Server Message Block (SMB), which is generally used for file sharing and some administrative tasks on Windows endpoints connected over a network.

Technical Analysis
During analysis, we found that initially, it stops SQL process ( SQLWriter, SQLBrowser, MSSQLSERVER, MSSQL$CONTOSO1, MSDTC, SQLSERVERAGENT, MySQL etc ) in order to encrypt those files which are open in a database by creating process cmd.exe with “net stop” command as shown in fig below.

Fig.1 Code snippet for stopping SQL process through cmd

It also stops some other sql process like sqlserver.exe, sqlagent.exe etc but uses another method to terminate.

Fig.2 Adopting different method to stop other SQL processes

Resemblance To LockerGoga
It forms 0x40 bytes key stack consisting of 0x20 key bytes generated from CryptGenKey Crypto API and combines it with 0x20 bytes which are already present in the file. Then it performs AES operations on them similar to LockerGoga. Ouroboros and LockerGoga use crypto++ library which makes the analysis difficult. While steps for encrypting the data is same, both use different encryption modes. LockerGoga uses AES in CTR mode, while Ouroboros uses AES in CFB mode.
Both the samples are using aesenc/aesenclast instructions, which are part of the AES-NI Instruction Set introduced by Intel around 2009.

Fig.3 Instruction set used by malware

Encryption Procedure
As explained above, after making 0x40 bytes key stack, it expands the key using Rijndael key expansion from 0x20 (256 bit) to 240 bytes by performing 15 rounds of various mathematical expressions.

Fig.4 Expanded key Using Rijndael Expansion

It builds initial block cipher using the instruction set shown in (fig.3) by using expanded key and IV.

Fig.5 Initialization Vector

After forming the initial block cipher of 0x40 bytes, it is used to encrypt file data by reading bytes from a file and performing operations on them. These encrypted bytes are stored in memory and then copied to file by using WriteFile API.

Fig.6 XORing block cipher bytes with file bytes and storing them

This ransomware keeps 0x100 bytes PEM encoded RSA public key in a file. It encrypts AES key with this RSA public key and appends it at the end of the file as shown in (Fig.7).

Fig.7 Appending key at the end of file

Ransom Note
On host machine, files are encrypted with extension [original file name].Email= [*.com]ID=[XXXXXXXXX].odveta

     Fig.8 Extension Format

Fig.8 Extension Format

After encryption, it drops Unlock-Files.txt in each folder as a ransom note.

Fig.9 Ransom note

Network Analysis
Before connecting to CnC server, it performs DNS query on sfml-dev.org and makes HTTP Get Request to url /ip-provider.php and receive victim’s host/system public IP in response as shown in below figures.

Fig.10 DNS query to get the public address of sfml

Fig.11 Query to get public of host

It then initiates a connection to CnC (IP: over port 18 but may not connect due to a closed port.
“There was no response from the server when we tried to connect via telnet over port number 18, but as we were trying to connect over other ports, it gave successful response for port number 22 (SSH) .”

The network connection happens before encryption starts and in earlier versions, it was not clear what malware intends to achieve. But in version 7, we have observed that after a successful connection to CnC (though IP address is different), it sends locally generated RSA private key over CnC which might be the case of version 6.

Evoloution of Ouroboros

Analysis of Ouroboros version 7
In this version, CnC ( ) was live , so we were able to perform network analysis.

Before it establishes the connection, it checks for ids.txt, if it is already present in ProgramData then it skips the connection and does the encryption with an offline key.
But if ids.txt is not present, it connects with CnC and resolves the public address of the host, same as in version 6.

After resolving public address of the host, it generates RSA key, not using any kind of library for its generation but it has implemented the whole algorithm and has locally generated the public and private key.

Following is the part where the key gets generated.

Fig.12 Private key locally generated

After forming a private key, it sends the same to CnC and gives the response as “Active”.

Fig.13 Private key send over CnC

Ransom Note in Version 7
After encryption, it drops info.txt and uiapp.exe in C:ProgramData and deletes the pKey.exe.Uiapp.exe is the .Net file is created in order to drop the ransom note.

Fig.14 Ransom note Version 7

Quick Heal provides multilevel protection for this family. It detects and deletes it in real-time scenario as well as in behaviour base detection and ARW module.

Ransomwares are now not only using packers but also using libraries as well as different instruction set to make the analysis difficult. And noticing that other ransomwares (LockerGoga) have also used similar techniques, we can say that this trend will be followed in the future.




Subject Matter Expert
Manisha Prajapati, Pooja Birajdar | Quick Heal Security Labs

Have something to add to this story? Share it in the

Source link

The post #cybersecurity | Following A New Trend in Ransomware League appeared first on National Cyber Security.

View full post on National Cyber Security

#comptia | #ransomware | Galt Targeted By Ransomware – CBS Sacramento

Source: National Cyber Security – Produced By Gregory Evans

Wine Prices DroppingThe price of wine is expected to drop to its lowest levels in five years thanks, in part, to a surplus of California grapes.

Cab Driver Saves Elderly Woman From Being Scammed Out Of $25K In RosevilleA cab driver in Roseville knew something sounded fishy when his elderly passenger said she needed a ride to the bank to withdraw $25,000.

Active Threat TrainingFairfield police will soon be conducting training for an active threat event at the Solano town center during the next few weeks.

Evacuees To LandOnce the plane arrives at Travis AFB, the base says that Americans on the flight are going to be quarantined for 14 days.

CBS13 PM News Update – 2/16/20Here are the latest headlines from around the region.

Evening Forecast – 2/16/20Here’s your extended 7-day forecast!

NorCal Safeway Workers Threaten Strike Over Wages And HoursApproximately 14,000 union workers at Safeway stores in Northern California are threatening to go on strike.

4 Arrests, 60 Citations, 6 Cars Towed At Stockton SideshowFour people were arrested, 60 citations were issued and six vehicles towed at a sideshow in Stockton on Saturday night, police said.

Suspected DUI Driver Arrested Following Fatal Collision In ModestoA man suspected of driving under the influence of drugs is behind bars after hitting and killing a pedestrian in Modesto on Saturday night, authorities said.

Suspected DUI Driver Arrested After Head-On Crash Leaves 6 With Major Injuries In North HighlandsSix minors are in the hospital with major injuries following a head-on crash with a suspected DUI driver in North Highlands on Saturday evening, authorities said.

New Wave Of Evacuees Arriving At Travis AFBThe United States chartered plane carrying Americans who were quarantined on a cruise ship in Japan is on its way to California and is expected to arrive at Travis Air Force Base close to 11 p.m. on Sunday night, officials said.

Student Data BreachSchool officials in Lodi are investigating after student data was breached at two different schools.

Suspected DUI Driver Arrested After Head-On Crash Leaves 6 With Major Injuries In North HighlandsSix people, including five minors, are in the hospital with major injuries following a head-on crash with a suspected DUI driver in North Highlands on Saturday evening, authorities said.

Man Arrested, 440 Pounds Of Marijuana Seized At Illegal Grow In Calaveras CountyOne man was arrested and 440 pounds of pot were seized at an illegal marijuana grow in Calaveras County on Thursday, authorities said.

Roseville Coach Accused Of Having Long-Term Sexual Relationship With MinorRoseville police arrested a 38-year-old sports coach Thursday who is being accused of engaging in a long-term sexual relationship with a minor on a team he coached.

Homicide Investigation Underway After Man Found, Pronounced Dead In Modesto RoadwayA man was pronounced dead after detectives located him down in the roadway in Modesto on Friday night, authorities said.

Pilot Lands Plane Safely At SMF After Losing Power MidairA plane landed safely at Sacramento International Airport after losing power on Saturday.

Evening AppCastAfter a nice Saturday we’ll see temps cool on Sunday with more cloud cover.

CBS13 PM News Updates – 2/15/20Here are the latest headlines from around the region.

Evening Forecast – 2/15/20Here is your extended 7-day forecast!

Dry Winter May Mean No Super Blooms This SpringCalifornia’s ongoing dry winter could mean no wildflower super blooms for the springtime.

Suspected Killer Behind BarsMichael Green, the new suspect in the 1985 El Dorado Hills murder case Ricky Davis was just exonerated from, has been moved from the Placer County Jail to the El Dorado County Jail.

Coach Arrested In RosevilleRoseville police arrested a 38-year-old sports coach Thursday who is being accused of engaging in a long-term sexual relationship with a minor on a team he coached.

Police Put Brakes On SideshowsA pair of missions against sideshows in Stockton resulted in dozens of cars being towed in just one night, police say.

Source link

The post #comptia | #ransomware | Galt Targeted By Ransomware – CBS Sacramento appeared first on National Cyber Security.

View full post on National Cyber Security