A new strain of ransomware called Bad Rabbit is spreading around the world. Bad Rabbit gets its first foothold through social engineering, so here's what to warn your users to look for.
Users browsing a compromised website see a pop-up in the browser telling them that an update to Adobe's Flash Player is available, with two buttons: Install and Remind Later. Both do the same thing: the user ends up running a fake installer that drops the malware on the system. Bad Rabbit then tries to spread across the network. It works through a built-in list of common account names (Administrator, Guest, root and so on) and weak passwords against every server and workstation it can find, and it also harvests credentials from the machine it is already on. Wherever it gets a match, it encrypts the files on that computer and then replaces the Master Boot Record, so the machine boots to a ransom note instead of Windows. Recovery therefore requires two decryption keys, one for the files and one for the boot lock. The price is 0.05 Bitcoin, or about $275 at the time of writing.
There are two takeaways. First, weak and reused passwords are what let Bad Rabbit turn one infected PC into a network-wide outage: enforce strong, unique passwords, give every machine a different local Administrator password, and disable accounts such as Guest that nobody uses. Second, have your users undergo social engineering security training, starting with the rule that software updates are never installed from a pop-up on a random website.
Contact us if you’d like more information or assistance in keeping your network and data secure.
This is an old scam that has been updated to be more dangerous, so remind your users to be on the lookout. The old version 'just' installed a keylogger; this new version installs ransomware on your system.
You receive an email message from 'Voicemail Service' with a subject like 'New voice message from <some number>'. There's a bit of standardized-looking text in the body of the message telling you that 'you might want to check it when you get a chance.'
There's a compressed attachment. The archive doesn't contain a voice message at all; it holds a script or executable dressed up to look like an audio file, and opening it runs code that encrypts your files, renaming each one to [original file name].crypted.
Send a reminder to all your users: do not click on links in 'voice mail' emails from someone you do not know, and certainly do not open any attachments!
And if you have an IT department, in addition to good firewall and endpoint security management, make sure they are stripping compressed attachments from all incoming email at the mail gateway, whichever email vendor you use. Blocking by file extension alone isn't enough; the filter needs to look inside archives, because the payload is usually an executable hiding behind a document- or audio-looking name.
Cyber criminals are already exploiting some recent celebrity news. Warn your users to be on the lookout for a couple of ransomware-loaded email messages that are spreading through the Internet.
The first has a subject line claiming Chester Bennington's Suicide Note Released (or similar), and the other is O.J. Admits Guilt in Murder of Ron and Nicole. Both messages contain a link which, if clicked, downloads and runs the payload.
Remind your users to stop and think before they act. And if you don’t already have a security training program in place for your users, why not? The investment is trivial compared to what a ransomware attack can cost your organization. Contact us for more information.
All businesses have unique operational processes they rely upon to handle distinct needs. Even common tasks like shipping are handled differently from company to company. But in general, the larger a business is, the more complex its processes.
Business Process Compromise (BPC) is a type of cyber attack that has recently come into focus. It specifically targets an organization's own systems and processes and manipulates them for the attacker's benefit: a changed payout account, a rerouted shipment, an altered invoice. And rather than the brash warning you get with ransomware, BPC attacks are typically silent and aim to stealthily appropriate goods and/or funds over extended periods of time.
Many BPC attacks go unnoticed because employees largely ignore the workings of these processes treating them as almost automatic.
Defending against BPC requires a multi-pronged approach:
Consider File Integrity Monitoring for critical systems, so that unexpected changes to the binaries, scripts and configuration files that drive a process are noticed rather than silently accepted
Regularly review system operations and learn what normal activity looks like, so that abnormal and possibly malicious actions stand out
Regularly audit long-established processes for weak points, and run known test data through them to confirm they still produce the expected results
Make sure your organization's general cybersecurity measures (patching, endpoint protection, least-privilege access) are in place, because BPC attacks usually start with ordinary malware or stolen credentials
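As an added example of the first item above (this is not code from the original post or from any product mentioned on this page), the following Python script takes a SHA-256 baseline of a directory tree and then reports what was added, removed or modified. The directory, file names and tampering scenario are constructed for the demonstration.

```python
"""File-integrity baseline and comparison (added example, not the page's code).

Takes a SHA-256 manifest of a directory tree, then diffs a later snapshot
against it and reports files that were added, removed or modified.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests; each result list is sorted for stable reporting."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in baseline.keys() & current.keys()
                      if baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny 'payment system', tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "payroll.exe"), "wb") as handle:
            handle.write(b"original payroll binary")
        with open(os.path.join(root, "config.ini"), "wb") as handle:
            handle.write(b"payout_account=12345\n")

        baseline = build_baseline(root)

        # Simulated process tampering: redirect the payout account, plant an
        # unexpected library, and remove the original binary.
        with open(os.path.join(root, "config.ini"), "wb") as handle:
            handle.write(b"payout_account=99999\n")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as handle:
            handle.write(b"unexpected library")
        os.remove(os.path.join(root, "bin", "payroll.exe"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two design points matter in practice. The baseline has to live somewhere the attacker cannot rewrite (signed, or on a separate host), otherwise a tampered process simply comes with a matching tampered manifest. And hashing files only covers what is on disk; state that lives in a database or the registry needs its own comparison.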
A new scam has appeared where users receive an email claiming they have unpaid traffic tickets which, if not paid or disputed by clicking a link within 48 hours, will cause the individual's driver's license to be revoked.
Clicking the links provided does one of two things. Either malware gets installed onto the user's computer to track the web pages visited, or, more seriously, the user is taken to a fake RMV website where they are prompted to reveal personal information including name, Social Security number, date of birth and credit card details.
Remind your users to stop and think before responding to unusual email messages. Or even better, consider training your users to recognize and avoid phishing attacks like this. Our partner, KnowBe4, offers a free phishing test you can safely send to your users to learn how prepared they are for these sorts of attacks. Contact us to learn more.
If you've been following the news from last Friday and over the weekend, you've heard about the latest ransomware that's spreading like wildfire around the world. The ransomware's name is WCry, but it is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. Whatever you call it, according to Avast security researcher Jakub Kroustek, it racked up over 57,000 victims in just a few hours last Friday.
Targets have included some 40 hospital organizations across the UK and the Spanish telecommunications firm Telefonica.
The ransomware targets unpatched computers. It exploits a flaw in the SMBv1 file-sharing service built into Windows, and once inside an organization it scans for and infects every other unpatched machine it can reach over the network, with no user action required. That worm-like spread is why it moved so fast.
But getting infected by this ransomware was 100% avoidable if organizations did the right things – the things we keep pounding the table about in our blog and newsletters.
Back on January 3rd we blogged the following advice:
Make sure you have a good and up-to-date antivirus/anti-malware product installed
Be sure your Windows firewall is working and up to date
Don’t run old, out-of-date software. It often contains known vulnerabilities that cyber-criminals exploit
WannaCry specifically takes advantage of organizations that aren't doing these things, above all the third one: Microsoft fixed the SMBv1 flaw in its MS17-010 update in March 2017, two months before the outbreak, so a patched machine cannot be infected over the network. For MicroData customers with a Managed Service Plan like Business Care, Select Care, or even our value-priced Essential Care, this ransomware is a non-event. All our service plans include our ARIES Expert System that automatically applies critical patches and updates to all systems. Two further controls that cost nothing: disable SMBv1 where you don't need it, and block TCP port 445 at your Internet perimeter.
And we always remind our customers not to continue using old, outdated software like Windows XP, which is no longer supported or updated by Microsoft. (Microsoft did issue a one-off emergency patch for XP during this outbreak, but that is not something to count on.)
If you’re affected by WanaCry or just aren’t sure your organization is protected, give us a call today and we’ll schedule a no-obligation assessment of your organization’s IT security profile.
A survey just published by The Business Journals has some sobering statistics. Only 28 percent of owners of small and mid sized businesses responded that they are very concerned about ‘the safety and security of their firm’s technology, email and documents.’
What makes that particularly concerning is that it runs directly counter to the potential impact for small companies should they suffer a data breach. The Insights report said 60 percent of U.S. businesses with between 1 and 499 employees that suffer a data breach shut down within six months.
As a business owner or manager, if IT security isn’t one of your highest priorities, change your thinking and get some help. Proper IT security usually isn’t hugely expensive but it does require an understanding of the issues, threats and environment, and then implementing a comprehensive plan.
If you're not sure where to start, MicroData is offering a free, no-obligation IT assessment of your business. You'll get detailed, specific information about the security of your IT environment along with recommendations for corrective actions. And of course we can handle all aspects of implementing and managing IT security for your business. Click here to learn more.
A new strain of ransomware is making its way around the Internet and what’s so nefarious about this version is that it disguises itself as a Windows update.
What happens is that an attachment in a phishing email, when clicked, actually launches a process that brings up a prompt advising the user that an important Windows update is available. People go along with it thinking that they are doing the right thing by keeping their computer up to date.
The ransomware itself is called “Fantom” and the actual executable that starts the process is “CriticalUpdate01.exe.” Once executed it extracts “WindowsUpdate.exe,” and the screen that displays as it begins to encrypt your files looks very much like the modern blue screen that Windows 8, 8.1 and 10 users are familiar with.
But what's actually happening is that your files are being encrypted. The next thing you'll see is a ransom screen telling you all your data has been encrypted.
At this point your only options are to restore everything from a backup that the malware couldn't reach, or to pay the ransom.
So what can you do to stay safe? Here are 6 basic steps to take.
Remind all your users never to open attachments or click on links in messages they are unsure of
Don't do day-to-day work in an account with administrator rights; ransomware runs with whatever rights the user who launched it has
Make sure you have a good and up-to-date antivirus/anti-malware product installed
Be sure your Windows firewall is working and up to date
Don't run old, out-of-date software. It often contains known vulnerabilities that cyber-criminals exploit
Keep backups that ransomware can't reach (offline, or with version history) and test that you can actually restore from them
The popular Microsoft Office 365 online service is now being used in a phishing scam to try and steal your personal data and information. Here’s what to look for.
You receive an email that appears to come from the 'Microsoft Online Services Team' with a subject of 'Office 365 billing statement'. The body of the message looks good: there's an Office 365 logo, no typos or obvious mistakes, and even the Microsoft logo at the bottom of the message. There's a hyperlink inviting you to 'Click here to view your statement'. If you do, you actually download malware onto your computer.
Advise your users just to delete the message without clicking anything. And remember, with any message about an account you might have somewhere, never access it from a link in a message. Always go to the actual website by entering the address yourself, login, and then review any messages or account details. And if you’re still in doubt, pick up the phone and call the company’s customer service.
Tell your users to be on the lookout for a new email scam – the subject line is “RE: IRS Form 6642” and the apparent reply address is from a law firm.
The body simply contains 'Can you print this?' and a link labelled 'IRS Portal'. Click the link and you download and install malware on your computer that looks for and steals financial account information and passwords.
What makes this scam somewhat different is that it doesn’t threaten or attempt to scare the user to action but instead asks a simple, innocent sounding question.
Just delete the message without clicking on the link or interacting with it in any way. And remind your users to stop and think before acting.
My wife and I were out on the back roads this past weekend and saw a man with what was clearly his 6 year old daughter stopped beside the road. When we saw him holding up his iPad for the little girl we turned to each other and said ‘Pokemon Go!’
It was cute, but like every popular trend, cybercriminals have found a way to use it to try and extort money from you. In this scam, you receive an email with a Pokemon Go game icon as an attachment. If you click on the attachment it installs two pieces of malware that encrypt your files and then demand (in an Arabic text file left on your desktop) that you write to an email address to receive instructions for paying a ransom to decrypt your files.
We haven't seen any confirmation as to whether or not it will encrypt network files across a LAN or VPN connection, but you should assume it will. Yet another good reason not to mix personal computing with work resources!
So spread the word that if anyone receives an email messages that’s Pokemon Go related, they should just delete it.
I've had many frustrated people ask me why cybercriminals create and distribute ransomware. The answer is money, of course. But some new data from a report by Check Point Software's researchers is helpful because it shows just how much money we're talking about.
Check Point focused on just one product: Cerber. Cerber is ransomware-as-a-service: its developers rent the platform out, aspiring cybercriminal affiliates use it to run their own ransomware campaigns, and the deal is that the Cerber developers keep 40% of whatever their affiliates collect.
Check Point was able to determine that Cerber had more than 160 participants at current count and that the combined direct sales plus affiliate revenue was almost $200,000 just in July – and this despite a victim payment rate of only 0.3%.
Doing the math means that Cerber is on track to net 2.4 million dollars this year.
So what’s the takeaway for businesses? Ransomware is a highly profitable criminal activity and you should expect to see increases in attacks on your business.
And that means that if you haven’t yet, you should get your organization up to speed both in terms of hardware/software preparedness, but also user training.
Starting in 2011, a Chinese citizen named Su Bin, who lived in Canada, orchestrated an elaborate hacking operation that stole over 50TB of classified data about the F-35, B-2, and other highly classified U.S. weapon systems. How did he do it?
It wasn't an elaborate technical penetration of firewalls or a middle-of-the-night Mission Impossible-style burglary. It was simple email phishing.
With email phishing, a message is sent to employees appearing to be from a colleague or friend. The message contains a link, and when the recipient clicks on it they are taken to a bogus website which infects their computer with malware that harvests passwords and data.
While your company may not have top-secret information, you are almost certain to be targeted in this same way by ransomware: software that encrypts your data, both local and in the Cloud, which you won't get back unless you pay a ransom to the cybercriminals.
The takeaway? Of course you need to implement all the best-practice technical safeguards and monitoring for your network, but equally important is that you need to train your employees to recognize phishing email messages so they don’t act on them.
If you’d like to learn more, click here to download our free Executive Report; Ransomware Prevention Checklist for your Business.
The concept of the Internet of Things is appealing in many ways. It allows connectivity and interaction with devices which were not capable of being managed or monitored in the past. And when there's one platform to link them all together, it gives a nice, consistent user interface and experience. But like most things in life, there's a dark side to consider.
Consider FLocker, an Android-based lock-screen ransomware. This one has been out there for a while, but it is continuously updated by the cybercriminals that produced it to keep it one step ahead of the firewall and antivirus companies. The latest version pretends to be from a law enforcement agency and accuses potential victims of crimes they didn't commit. It will now also infect smart TVs that run the Android OS, effectively locking you out of your TV.
Consider a fully ‘smart home’ of connected devices and you can immediately see the possibility of them all getting infected and operation disrupted. Vendors haven’t thought this through yet, but they’ll need to – and soon.
With phishing email messages, the key to tricking you into divulging passwords and account information is a plausible-looking message that gets you to click on a link. You're taken to a bogus website where you are asked to 'log in', and boom, they have full access to your account.
The latest is a fake eBay message supposedly from a user demanding to know why you haven't sent them information about something they allegedly purchased from you. They threaten to contact the police and PayPal if you don't respond.
Remind your users to stop and think. Note that the message isn't personally addressed to you. A threat in a message is another giveaway, as is poor grammar, and so is a link whose visible text doesn't match where it actually goes (hover over it before clicking). Tell your users just to delete the message without clicking on anything.
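To make the 'hover over it' check concrete, here is an added Python example (not from the original post, and not eBay's or any vendor's code) that audits the links in an HTML email body: it flags anchors whose visible text names one host while the href goes to another, links to raw IP addresses, and links that don't lead to the brand the message claims to be from. The sample message, the hypothetical brand-to-domain allowlist and the address 203.0.113.7 are constructed for the example.

```python
"""Deceptive-link audit for an HTML email body (added example, not the page's code)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Best-effort host from a URL or a bare domain such as 'www.paypal.com'."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    """Heuristic: does the anchor's visible text itself present as an address?"""
    lowered = text.lower()
    return ("://" in lowered or lowered.startswith("www.")
            or lowered.endswith((".com", ".net", ".org")))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html, brand_domains):
    """Return findings; brand_domains maps a brand keyword to its legitimate hosts."""
    collector = LinkCollector()
    collector.feed(html)
    lowered_html = html.lower()
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(f"link to raw IP address: {href}")
        if looks_like_url(text) and host_of(text) != host:
            findings.append(f"display text {text!r} but link goes to {host}")
        for brand, legit_hosts in brand_domains.items():
            mentioned = brand in lowered_html
            legit = any(host == d or host.endswith("." + d) for d in legit_hosts)
            if mentioned and not legit:
                findings.append(f"message mentions {brand!r} but link host {host} is not one of its domains")
    return findings


# Constructed sample lure (modelled on the Office 365 'billing statement' message).
SAMPLE_HTML = """
<p>Microsoft Online Services Team</p>
<p>Your Office 365 billing statement is ready.</p>
<p><a href="http://203.0.113.7/statement/view.php">Click here to view your statement</a></p>
<p>Manage your account at <a href="http://office365-billing.example.org/login">https://portal.office.com</a></p>
"""
# Hypothetical allowlist; a real gateway would maintain this per brand it protects.
BRAND_DOMAINS = {"office 365": ("microsoft.com", "office.com", "office365.com")}

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, BRAND_DOMAINS):
        print(finding)
```

The domain comparison here is exact-host or subdomain matching; it deliberately does not try to compute registrable domains, so a real deployment should use a public-suffix list and also expand URL shorteners before judging the host.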
From our friends at KnowBe4 comes an alert about a really nasty piece of malware which goes after Android phone users and targets smartphone banking apps.
It works by inserting a fake login screen over the actual login screen in the app. When you log in you’ve actually just given the cyber criminals full access to your account and they promptly transfer all funds to an overseas account.
Android devices get infected by either installing an app outside of the Google Play Store (called a sideload), or by downloading a ‘Required Flash Update’ needed to view video – usually at an adult site.
So for your smartphone, iPhone or Android, follow these tips:
Don't tap links in text messages you don't recognize or expect
Keep your device updated, both the OS and the apps you use
Install apps only from the official app store; on Android, leave the 'Unknown sources' setting off so nothing can be sideloaded
Don't surf adult and inappropriate sites. The risk of infection is very high
I was born in Maine and had parents that clearly remembered the effects of the Great Depression. They weren’t yet born during the actual Depression but growing up, their parents who had lived through it, taught them valuable life lessons from those difficult years. And I got many of the same lessons although as the next generation, less poignantly. One central concept was Yankee-thrift, a big part of which means you don’t waste things and you don’t throw stuff away that could be re-purposed or re-used. Good advice – in most cases.
The problem is that this belief can get you into trouble with information technology. For example, we have many organizations we’ve worked with that use older versions of Microsoft Office. I’ve repeatedly heard over the years, “it works just fine and does what I need it to.” The problem is that it does some things you really don’t want it to do.
One of the biggest problems is the file format. Have you noticed how newer versions of Word save files with a .docx extension rather than the older .doc? There are many improvements that Microsoft built into the new file format, but one huge area of improvement was security around macros. A macro is basically a set of instructions that runs from inside the document. In the old .doc and .xls formats a macro could hide in any file; the new formats separate documents that can carry macros (.docm, .xlsm) from those that can't (.docx, .xlsx), and current versions of Office open old-format files from email or the web in Protected View with macros disabled until the user explicitly clicks Enable Content. Today, many variants of ransomware are spread by macros in booby-trapped .doc and .xls attachments. With an old version of Word you can just click and, boom, you'll find all your files encrypted and be looking at a ransom message and the prospect of paying hundreds or thousands of dollars to get your data decrypted. With a current version you at least get a warning first, and an administrator can block macros in documents that came from the Internet outright via Group Policy.
So Yankee-thrift is a great concept, but not in business where you share files all the time. Keep your software versions current and if you’re not sure how old is ‘too old’, ask your IT professional who can guide you.
Unless you've been away on a small island for the last couple of years, you know about the problems presented by ransomware and probably know of an organization that's been hit. But as a refresher, ransomware is software that encrypts your computer, network, and Cloud data, and your only recourse to get your data back is to pay a ransom, usually in Bitcoin and often $1,000 or more.
What’s really tricky about Ransomware is that it isn’t delivered like a typical virus that sneaks onto your computer and runs itself. Ransomware is usually self-inflicted. A user gets an email that looks legit such as an efax or Word document – these are called phishing attacks. The attachment is actually the code and by the user clicking on it, the ransomware application gets started.
While there are many steps your organization can take to protect yourself, at a minimum you want a good quality antivirus/antimalware application on each user’s computer, and you want to make sure this antivirus solution does email content filtering. This is a basic but effective line of defense to stop a large percentage of these phishing messages from getting in to your organization.
At the time of writing, Symantec, McAfee, Kaspersky, Sophos, F-Secure, and Vipre do not perform email content filtering in their endpoint products, while Trend Micro's Worry Free Business Security Advanced does, which is why we recommend that solution. Vendor feature sets change, so check the current feature list before relying on this comparison.
If you haven’t looked at the capabilities of your organization’s Endpoint Protection software lately, with ransomware infections growing each month, now might be a good time.
Ransomware is nasty stuff. Covert software gets onto your computer, encrypts all your files (and network files) with what’s effectively an unbreakable code, then extorts the user into paying a ransom – usually in untraceable bitcoins – to get the data back.
The cybercriminals that develop ransomware have traditionally gone after the Windows market as it’s large and predominately used in business, but now they’ve specifically started targeting Mac users.
This past weekend Palo Alto Networks reported that they had found the 'KeRanger' ransomware wrapped inside Transmission, a free and reputable Mac BitTorrent client. To make it worse, the infected version of the app was signed with a valid Apple developer certificate, so Gatekeeper let it run; a valid signature proves who signed a program, not that it is safe. (Apple has since revoked that certificate.)
It's not known how the hackers were able to upload an infected version of Transmission to the app's website, but it worked. BTW, if you use Transmission, the bad version was 2.90 and you should immediately upgrade to 2.92 or later. This particular variant of malware waits for 3 days after being installed, then does its deed.
And to make matters worse, it appears that this ransomware also tries to encrypt Time Machine backup files. Time Machine is Apple's built-in backup, so an infected user could be looking at losing both their local data and their backups.
The ransom? 1 bitcoin or currently about $404.
The lesson? It doesn’t matter what kind of computer or operating system you have. Cybercriminals will target any group that seems profitable to them and they have the expertise and resources to be successful.
If you have any Dell computers, here’s a scam you want to be sure to alert your users about.
Users receive a call claiming to be from Dell support. They even have the service tag from your computer and potentially other personal information. The caller then tries to get you to provide them with remote access to ‘fix the problem’. If they get access they will then infect the computer with ransomware and also potentially ask for a credit card for a ‘required service charge’.
At this point it’s not clear where the bad guys have got the Dell service tag information, but with that in hand they have an extra degree of credibility, so make sure your users don’t fall for it.
This scam is sneaky because the cybercriminals are using the exact same phrase that PayPal uses when monthly invoices are sent out. Users receive an email with the subject line of ‘Your PayPal Invoice is Ready’ and the body of the message asks you to ‘Please open the attached file to view invoice’. The attachment is a .zip archive which, if opened, executes code that will encrypt your hard drive files (and files on any mapped hard drive) requiring you to pay a ransom in Bitcoin to get your files back. Short of a complete restore of the affected system(s), there’s no other way to avoid paying the ransom.
Aside from training your users not to fall for these types of messages, what else can you do to try and protect your company? Here are a few suggestions.
Block all .zip (and other archive) attachments in your email system, and make sure the filter looks inside archives rather than trusting the file name
Pre-clean your email by running it through a filtering service such as MicroData's hosted Barracuda service
Install better quality antivirus software that specifically looks for these types of threats. We recommend Trend's Worry Free Business Security Advanced
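The first suggestion above, and the same advice in the 'voice mail' alert earlier on this page, can be implemented as a gateway check. The following is an added Python example, not code from the original posts or from any vendor they mention: it parses a raw message, blocks archive and executable attachments by extension, and opens ZIP attachments in memory to look for executables hiding behind names like voicemail.mp3.exe. The sample messages are constructed for the example and contain no real malware.

```python
"""Inbound-mail attachment policy check (added example, not the page's code)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions refused outright at the gateway. Macro-enabled Office formats are
# a separate check and are not covered here.
BLOCKED_EXTENSIONS = {"zip", "rar", "7z", "exe", "scr", "js", "jse", "vbs",
                      "wsf", "hta", "bat", "cmd", "lnk", "pif", "com"}
EXECUTABLE_EXTENSIONS = BLOCKED_EXTENSIONS - {"zip", "rar", "7z"}


def extension_chain(filename):
    """All dotted suffixes, lowercased: 'a.mp3.exe' -> ['mp3', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_zip(data):
    """Findings for the members of an in-memory ZIP archive."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                base = info.filename.rsplit("/", 1)[-1]
                exts = extension_chain(base)
                if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                    kind = "double-extension executable member" if len(exts) > 1 else "executable member"
                    findings.append(f"{kind}: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment has a ZIP signature but is not a readable archive")
    return findings


def check_message(raw_bytes):
    """Return ('block' | 'allow', findings) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        exts = extension_chain(name)
        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"blocked extension .{exts[-1]}: {name}")
        payload = part.get_payload(decode=True) or b""
        # Judge by content, not just by name: a ZIP starts with 'PK\x03\x04'.
        if payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload))
    return ("block" if findings else "allow"), findings


def _message_with(filename, maintype, subtype, data, subject):
    msg = EmailMessage()
    msg["From"] = "Voicemail Service <voicemail@example.net>"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("You have a new message. You might want to check it when you get a chance.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_message():
    """Constructed 'voicemail' lure: a ZIP holding a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("voicemail_8675309.mp3.exe", b"MZ placeholder, not a real binary")
    return _message_with("voicemail_8675309.zip", "application", "zip",
                         buf.getvalue(), "New voice message from 555-0100")


def build_benign_message():
    """Constructed harmless message with a PDF attachment, for contrast."""
    return _message_with("invoice.pdf", "application", "pdf",
                         b"%PDF-1.4 placeholder", "Invoice 1001")


if __name__ == "__main__":
    for builder in (build_sample_message, build_benign_message):
        verdict, found = check_message(builder())
        print(verdict, found)
```

The content check matters more than the extension list: attackers rename archives to .dat or .pdf and rely on Windows opening them by content, so the gateway has to do the same.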
As always, we’re glad to help organizations with issues like this. You can learn more or contact us anytime.
The bad guys are relentless in trying to steal your information. The latest is a email with a subject line of “You have received a new secure message.” The body of the message has some graphics and prompts you to open the attachment which is a Word file named ‘Secure Message.doc’ (or similar).
Opening the file on a system that's missing Microsoft Office security updates infects your system via a macro that exploits the unpatched vulnerabilities. Note that patching alone doesn't make macro attachments safe: even on a fully patched system, a macro runs if the user clicks 'Enable Content', so block macros in documents that came from the Internet by policy, or strip macro-carrying attachments at the gateway.
What can you do to help keep your organization safe? From a corporate perspective, make sure you have a good firewall installed, properly configured, and regularly updated. Also make sure that all user endpoints – Mac or PC – have installed, configured, and current antivirus software. And consider using an email filtering device or service to ‘pre-clean’ much of the junk like this scam.
Remind all your users to stop and think before they act on an email message they receive. Everyone stay safe out there!
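The 'Secure Message.doc' lure above and the macro discussion earlier on this page both come down to one question: does the attachment carry a VBA macro? Here is an added Python example (not the original posts' code) that answers it for the OOXML formats (.docx/.docm and friends, which are ZIP containers) and for the legacy binary .doc/.xls format (an OLE2 compound file). The legacy check is a heuristic byte scan for the macro storage's directory-entry names, not a full OLE parser, and is labelled as such. All sample documents are constructed in memory and carry no working macro.

```python
"""Detect VBA macros in Office attachments (added example, not the page's code)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store names as null-terminated UTF-16LE strings; these
# two names mark the VBA storage/stream in Word and Excel binary files.
OLE_MACRO_MARKERS = {name: name.encode("utf-16-le") + b"\x00\x00"
                     for name in ("Macros", "_VBA_PROJECT")}
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def has_macros(data, filename=""):
    """Return (has_macro, reason) for the raw bytes of an Office document."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as container:
                names = container.namelist()
                vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
                if vba:
                    reason = f"OOXML container holds {vba[0]}"
                    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
                        reason += " despite a macro-free extension"
                    return True, reason
                if "[Content_Types].xml" in names:
                    if b"macroenabled" in container.read("[Content_Types].xml").lower():
                        return True, "content types declare a macro-enabled document"
                return False, "OOXML container without a VBA project"
        except zipfile.BadZipFile:
            return False, "ZIP signature but the archive is unreadable"
    if data.startswith(OLE_MAGIC):
        for name, marker in OLE_MACRO_MARKERS.items():
            if marker in data:
                return True, f"OLE2 file contains a {name!r} directory entry (heuristic)"
        return False, "OLE2 file without a VBA storage (heuristic)"
    return False, "not an Office container"


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        for name, content in members.items():
            container.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed documents (no real macros) covering the main cases."""
    content_types = (
        b'<?xml version="1.0"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        b'officedocument.wordprocessingml.document.main+xml"/></Types>')
    plain_docx = _zip_bytes({"[Content_Types].xml": content_types,
                             "word/document.xml": b"<w:document/>"})
    macro_docm = _zip_bytes({"[Content_Types].xml": content_types,
                             "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x01\x16\x01 placeholder vba project"})
    # Minimal stand-in for a legacy .doc: OLE header followed by a 'Macros' entry name.
    legacy_doc = OLE_MAGIC + b"\x00" * 504 + OLE_MACRO_MARKERS["Macros"] + b"\x00" * 64
    return {"quarterly.docx": plain_docx, "invoice.docm": macro_docm,
            "Secure Message.doc": legacy_doc}


def scan_samples():
    """Run has_macros over every constructed sample."""
    return {name: has_macros(data, name) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, (flagged, reason) in scan_samples().items():
        print(f"{name}: {'MACRO' if flagged else 'clean'} ({reason})")
```

Note the last case the code covers: a .docm renamed to .docx still contains word/vbaProject.bin, so the decision is made on the container's contents and the misleading extension is merely reported.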
Tell your users to be on the alert for an email message with a subject line containing ‘Tiket alert’. It has a .zip attachment with a filename of tiket_number.zip that, if opened, infects the system with malware. Users should just delete the entire email.
In a nasty new twist, CryptoWall 2.0 now uses infected ads on dozens of popular sites like Yahoo, AOL, and Match.com to infect computers. The worst part is you don't even need to click on the ads to become infected. Simply visiting a page with outdated software on your computer can infect your system.
For those of you not familiar with CryptoWall and similar 'ransomware', it works by infecting your computer and then encrypting all your data so you can no longer access it. Then it demands a ransom ($500 in Bitcoin in this case) in order to decrypt it. There is no practical way to decrypt it yourself. You either restore everything from a backup or pay the money.
In this particular case, the ads are infecting computers that have an outdated version of Adobe Flash installed that has a known vulnerability. Flash is used to allow many websites to play video content through Web browsers. The exploit code in the ad triggers the vulnerability, which causes your computer to download and install the malware. This is what we in the industry call a 'drive-by download'.
What should you do?
If you have Adobe Flash installed and you're running Google Chrome, or Internet Explorer on Windows 8 or newer, you're probably OK: in those browsers Flash is updated automatically (by Chrome itself, or through Windows Update), so it has already been patched against this exploit. You should still check that you have the latest version, since automatic updates can be turned off by policy or fail silently. For other browsers, update the Flash plug-in from Adobe directly, or better, set the browser to ask before running Flash content on a page. And the safest option is not to have Flash installed at all if nothing you use needs it; Adobe ended support for Flash entirely at the end of 2020, so today it should simply be removed.
A new type of ransomware is appearing, mostly in Australia and the UK for now, that targets iPhones and iPads. The attack abuses the 'Find My iPhone' feature: the bad guys have somehow got hold of Apple ID credentials (widely believed to be passwords reused from other sites' breaches) and use the remote lock to lock the devices.
What happens is that suddenly your iPhone or iPad locks itself and then you receive a message that you've been hacked by Oleg Pliss and that you have to pay $100 US/EUR via PayPal to get the device unlocked.
Your best defense? Change your Apple ID password now, make sure it isn't one you use anywhere else, and turn on two-factor authentication for the Apple ID. Set a passcode on the device as well; a device that already has a passcode can be unlocked with it after such a remote lock.
Researchers at Malwarebytes, a leading security firm, recently reported a browser-locking scam targeting Safari users. It is often described as ransomware, but nothing is encrypted: when users visit a website that's been seeded with the malicious code, their browser is hijacked and they receive a message claiming to come from the FBI.
The message tries to scare the user with an official-looking format, saying that their 'browser has been blocked' because their computer was used to violate copyright laws, view porn, or try to hack into some system illegally. Some variants instead claim the system is infected with malware and coerce users into paying a fee to remove the threat.
The scam demands $300 from the victim, to be paid through Green Dot MoneyPack by purchasing a pre-paid card and then sending its code to the scammers.
According to Malwarebytes, if you get hit by this threat don't simply 'force quit' Safari, because it will restore the page when it reopens. Instead, click the 'Safari' menu in the menu bar and choose 'Reset Safari', making sure all the boxes are checked, then click 'Reset'. On newer versions of Safari that no longer have a Reset Safari item, quit Safari and hold the Shift key while relaunching it so it does not reopen the previous page.