
Ransomware Attack in Long Beach

July 31, 2018 by Martin

Ransomware attacks are occurring across many sectors, as ransomware removal experts have found them in a number of industries. Recently the target was the supply chain industry, when ransomware hit the China Ocean Shipping Co. terminal at the Port of Long Beach.

An official from the company confirmed the news on Tuesday, July 24th, 2018. Ransomware removal experts noted that the company’s website and contact channels were non-functional, with no one picking up the phone during the afternoon hours.

Long Beach’s representative Lee Peterson stated that they have been examining the attack as well as the repercussions it might bring to the company. Moreover, Mr. Peterson spoke on behalf of the operations crew of COSCO and clarified that the processes and procedures belonging to the company’s logistics have not been compromised by the ransomware.

This contradicts reports from the Journal of Commerce which, citing COSCO’s Vice President Howard Finkel, revealed that the attack did harm some systems, as transmissions between clients and the company’s US operations were affected. As a result, ransomware removal experts noticed a considerable drop in the speed of communications faced by clients. Additionally, while telephone was used as a communication medium, electronic transmissions were inoperable.

A representative from the International Longshore & Warehouse Union, Craig Merrilees, was uninformed about the precise impact of the ransomware attack.

According to ransomware removal experts, the situation does not seem as grim as the one experienced in mid-2017 by one of the largest brands in the supply chain industry, A.P. Moller-Maersk. Maersk is a Danish corporation that was hit by a ransomware attack which rendered its operations non-functional for at least three days in the Port of Los Angeles. The damages incurred from the attack were estimated to be at least $300 million.

Ransom-miner: The Multi-Purpose Cyberthreat

July 30, 2018 by Martin

As incidents of ransomware and cryptocurrency-mining threats (i.e. cryptojacking) continue to increase in 2018, a cybercriminal group has managed to combine them to extort maximum money from enterprises. Recently, ransomware removal experts from Seqrite discovered a highly advanced Trojan. This cyberthreat is able to infect businesses with both ransomware and cryptocurrency mining malware.

Dual Purpose

Some ransomware removal experts have given it the name of ‘ransom-miner’ as it was noticed by high-quality anti-malware tools. According to ransomware removal experts, this malware infects systems with the notorious GandCrab ransomware along with a mining malware through which hackers are able to mine the popular cryptocurrency Monero. As the computing resources of businesses and individuals are hogged, Monero is mined and sent to the remote locations of the hackers.

Additionally, the malware attempts to link the Command and Control servers of enterprises. Security analysts describe it as the latest cyber threat in a calculated and coordinated campaign that aims to target businesses and individuals with a plethora of malicious strategies.

Working

Ransomware removal experts found the Trojan distinctive, observing that its operation is unusually complex and sophisticated. It is launched with the assistance of a PE32 .exe file on Microsoft Windows, and its code is initially encrypted.

After the affected file is loaded onto the victim’s computer, the virus decrypts its code. Subsequently, the newly decrypted code decompresses the PE exe file and modifies the memory of the system’s process. The PE file then takes control and kick-starts the next activities of the virus.

It was also noted that the virus is able to cross-check at least 16 processes in the system to find any sign of a virtual environment like VirtualBox, VMware and other virtualization environments.

Golden Heart Attacked: Another Ransomware Attack in the Healthcare Industry

July 27, 2018 by Martin

Recently cybercriminals attacked Golden Heart Administrative Professionals. Golden Heart is a company based in Fairbanks, Alaska that partnered with several healthcare institutions in the state of Alaska and is primarily a billing company.

Golden Heart notified more than 40,000 of its clients about their Protected Health Information (PHI) falling into the dirty hands of hackers who were involved in a ransomware attack.

Ransomware removal experts stated that the ransomware made its way onto the systems through a download on Golden Heart’s servers. The affected server was a storage and processing system for PHI. An official statement by Golden Heart confirmed that the data of its clients was compromised.

According to ransomware removal experts, law enforcement agencies have received the news of the breach and are collaborating to restore the files. Ransomware removal analysts believe this attack to be the biggest of its magnitude in the month of July while they also noted that this was the second reported instance of an organization in the healthcare industry to be attacked in Alaska.

Other Attacks in the Healthcare Industry

Previously in the beginning of July, the Alaska Department of Health and Social Services was the unfortunate victim of a cyber attack as their systems were affected by a malware. Ransomware removal experts explained that a trojan by the name of Zeus attacked their PCs and got a hold of protected health information of at least 500 people. These attacks raise a question mark on the reports that were claiming ransomware attacks to be decreasing.

Other victims in the healthcare industry include LabCorp Diagnostics which was ravaged by the notorious SamSam Ransomware. It was estimated that millions of patients’ data was compromised in the attack.

Similarly, Cass Regional Medical Center was also affected by ransomware, as its communications and patient record systems were compromised. As a result, ambulances had to be diverted to different locations.

Was LabCorp Hit By SamSam Ransomware?

July 26, 2018 by Martin

Recently, ransomware removal experts found LabCorp, an organization in the medical testing industry, to have been hit by ransomware. However, the organization has not made the attack’s details public, nor has it disclosed the number of servers that were affected.

LabCorp had to close down its network on 15th July, when ransomware removal analysts found signs of an attack. As a result, its business operations came to a halt. It was rumored that the ransomware involved in the case was the notorious SamSam ransomware. LabCorp officials were reluctant to clarify this detail amidst continuous attempts by reporters to gain further insight into the attack.

The official statement published by LabCorp consists of the date of the attack as well as terms like ‘a new variant of ransomware’ and ‘suspicious activity’, which makes it eerily similar to the statement they filed with the SEC after Sunday.

CSO Report and SamSam Ransomware

CSO reported earlier that more than 1000 of LabCorp’s servers had been compromised due to a ransomware attack. Some ransomware removal experts were pointing their fingers at SamSam as the culprit again.

Additionally, the report validated the official statement of LabCorp and corroborated that no patient information was compromised, as LabCorp monitored and analyzed the traffic of its system. This is an important detail according to ransomware removal experts, as it resembles the work of SamSam Ransomware. The owners of SamSam are also disinterested in the contents of the hostage data and only hit servers with the intent of expanding their ransomware and extorting money.

SamSam Ransomware’s modus operandi is to use brute-force attacks against Remote Desktop Protocol (RDP) to infiltrate systems and proliferate across them. Moreover, it is only expected to harm systems that run the Windows operating system.
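For defenders, the brute-force RDP pattern described above shows up as bursts of failed remote logons from one source. The following detection sketch is an added example, not part of the original post: it assumes logon records exported from the Windows Security log (event 4625 for a failed logon, 4624 for a successful one, logon types 3 and 10 for network and RDP sessions), and the sample records, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624     # Windows Security log event IDs
REMOTE_LOGON_TYPES = {3, 10}     # 10 = RemoteInteractive (RDP); 3 = Network,
                                 # which is how NLA-protected RDP failures often appear

# Constructed sample records: (time, event id, logon type, source IP, account).
SAMPLE_EVENTS = [
    ("2024-01-01T02:10:00", 4625, 3, "203.0.113.50", "administrator"),
    ("2024-01-01T02:10:20", 4625, 3, "203.0.113.50", "admin"),
    ("2024-01-01T02:10:41", 4625, 3, "203.0.113.50", "backup"),
    ("2024-01-01T02:11:03", 4625, 3, "203.0.113.50", "svc_sql"),
    ("2024-01-01T02:11:30", 4625, 3, "203.0.113.50", "administrator"),
    ("2024-01-01T02:11:55", 4625, 10, "203.0.113.50", "administrator"),
    ("2024-01-01T02:12:10", 4624, 10, "203.0.113.50", "administrator"),
    ("2024-01-01T08:59:00", 4625, 10, "198.51.100.7", "jsmith"),   # one mistyped password
    ("2024-01-01T08:59:30", 4624, 10, "198.51.100.7", "jsmith"),
    ("2024-01-01T09:05:00", 4625, 2, "-", "kiosk"),                # console logon, ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed remote logons inside a sliding `window`."""
    failures = defaultdict(deque)    # source IP -> (time, account) of recent failures
    findings = {}
    for raw_time, event_id, logon_type, src, account in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(raw_time)
        recent = failures[src]
        while recent and ts - recent[0][0] > window:   # drop failures outside the window
            recent.popleft()
        if event_id == FAILED:
            recent.append((ts, account))
            if len(recent) >= threshold:
                finding = findings.setdefault(
                    src, {"peak_failures": 0, "accounts": set(),
                          "success_after_burst": None})
                finding["peak_failures"] = max(finding["peak_failures"], len(recent))
                finding["accounts"].update(a for _, a in recent)
        elif event_id == SUCCESS and len(recent) >= threshold:
            # A success while the burst is still inside the window is the
            # highest-priority case: the guessing may have worked.
            findings[src]["success_after_burst"] = account
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

A source that ends a burst with a successful logon should be triaged first, since that account may already be in use for lateral movement.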

LabCorp has now focused all its efforts on the disaster recovery process, which may take a few more days.

Missouri Hospital Ransomware

July 25, 2018 by Martin

According to ransomware removal experts, this year marked a continuous rise in news related to ransomware attacks on medical institutions and hospitals. However, this time cybercriminals were involved in an attack against a hospital in Missouri that affected many patients and their families.

Details of the Attack

Cass Regional Medical Center (Missouri) was the one that was attacked with ransomware. Cybercriminals managed to infect its systems at 11 am on July 9th, which prompted the authorities to shut down the EHR as a preventive measure. Spokespersons from Cass were confident and stated that patients’ data was not affected. Moreover, almost 90 percent of the disaster recovery was complete within the first few days.

Hospital authorities collaborated with a forensic firm in order to decrypt the affected data and remove the ransomware from it. The EHR was initially shut down but reinstated after the initial investigation was completed.

The attack affected the entire enterprise IT infrastructure of Cass, which consisted of electronic health records. These included more than 30 inpatient beds. As a result of the attack, Cass had to divert its ambulances that were carrying patients dealing with stroke and trauma to different locations.

The Elephant in the Room

The attack acts as a reminder of the ferocity and danger of ransomware attacks, which can put patients’ lives in jeopardy. According to ransomware removal experts, this incident can be viewed as a learning experience about the impact of cyber attacks on the healthcare industry. Moreover, doctors, nurses and other hospital figures have also realized the severity of the situation and have been supporting the inclusion of stronger cybersecurity measures in hospitals and medical institutions.

According to ransomware removal experts, it is important to note that Cass is just one of a long list of healthcare institutions that have been ravaged by ransomware attacks in recent memory. Similar attacks have been reported in the U.S. as well as other countries, since cybercriminals are finding it easier to breach the weak digital security of hospitals.

Sophos Introduces Deep Learning into Its Email Solution

July 19, 2018 by Martin

Many companies are trying to engineer a breakthrough in their cybersecurity strategies to combat malware and ransomware attacks. Among these companies, ransomware removal experts are relying on network security provider, Sophos, to develop an email protection solution that can help to fight against advanced malware and ransomware attacks.

Inspiration behind the Solution

According to ransomware removal experts, the email solution has been made powerful through the use of deep learning algorithms. Deep Learning is one of the latest subfields of machine learning that helps computers to learn and predict future outcomes.

Email continues to be the leading distribution strategy used by hackers to proliferate their ransomware and malware campaigns. Sophos’ email tools process more than 10 million emails daily. Its research found that the majority of organizations in the world were hit by a ransomware attack in the last year. Moreover, they found more than 75 percent of their spam emails to contain malicious viruses.

How Does The Solution Work?

The Sophos email solution employs neural networks. Neural networks are one of the algorithms of deep learning that help the computer to think like a human brain. Neural networks are trained with a dataset that helps them to think dynamically and handle an unfamiliar situation without the need for human interference.

Neural networks’ integration in Sophos email solution helps to counter unfamiliar threats by going over the attached files in an email before a user opens or downloads them. The solution will analyze and predict quickly whether the email is corrupted with a malicious payload or not.

Moreover, Sophos email also helps to verify the legitimacy of links provided in emails. According to ransomware removal experts, hackers either add a file attachment to their emails or try to add tempting links with click-bait potential. The Sophos solution scans any hyperlink present in an email and notifies the user of any dangerous malware or ransomware in time.

Furthermore, other advanced features include multiple policy support and outbound scanning. This means that when an individual’s or organization’s email account is infected with ransomware or malware, the solution will limit it from spreading to other organizations or individuals.

How Ransomware Are Trying to Expand Their Tactics in Order to Challenge the Latest Security Measures in 2018

July 17, 2018 by Martin

As ransomware attacks have begun to rise in the last few years, organizations have improved their computer security through various measures and practices. These practices were hoped to stall the juggernaut of ransomware. However, according to ransomware removal experts, cybercriminals should not be taken lightly as they are trying to extend their domination through advanced strategies in 2018.

Shifting Code

Organizations use several anti-malware and anti-ransomware tools to detect and remove ransomware. These tools analyze the common patterns and code of a ransomware to easily identify them.

However, some of the latest ransomware continuously changes its internal code and mechanisms, which makes it harder for anti-ransomware tools to identify it. This type of ransomware redesigns itself every time before it attacks a new user, and thus it is hard for ransomware removal experts to find similarities in the code.

Latest Operating Systems Are Not Targeted

According to ransomware removal experts, many ransomware attacks in this year were possible because organizations and individuals were using older versions of operating systems, particularly Windows’ users. The Maharashtra ransomware attack this year is a prominent example of this.

Older operating systems are not equipped with the necessary security measures to tackle the most advanced ransomware. However, the latest operating systems from Windows and other OS vendors include powerful cybersecurity components that provide greater resistance against ransomware infection. Hence, cybercriminals are less interested in attacking modern operating systems.

Hard Drive Woes

When a ransomware generally infects a system, it mainly tries to damage the system software, application software and personal files of the user. However, recent ransomware are so sophisticated that they are directly tampering with the code of the hard disks of a system and making it inaccessible to its user. This effectively shifts the control of the hard disk to a cybercriminal in a remote location who does not have to worry about decrypting all of the user’s files.

With such advancements and evolution of ransomware, organizations and individuals need to give their best shots in order to strengthen the security of their sensitive data.

Nozelesn Ransomware

July 16, 2018 by Martin

Ransomware removal experts have found a new ransomware gathering speed on the horizon. The breach was found on July 1st, when Nozelesn Ransomware was found to be affecting users in Poland. Nozelesn is similar to other ransomware strains like Leen, Omerta and others. These strains are developed by different hackers, but their basic function and motives are the same.

Since this ransomware is new, there is no exact number of people known to have been attacked by it. However, ransomware removal experts think that the ransomware may have attacked a substantial number of individual users and companies already.

What is Nozelesn Ransomware?

Nozelesn is spread through spam campaigns in which mass emails are distributed to many users on the internet. Nozelesn works similarly to other ransomware, as it silently enters a computer system and encrypts the computer’s files. Nozelesn Ransomware makes modifications in the Windows Registry to achieve control of the Windows Operating System. This is done so the user cannot try to remove the ransomware by tinkering with the OS.

Afterwards, the ransomware focuses on the encryption process. After encryption, the files cannot be accessed by the victims. Moreover, the extension of these files is changed to “.nozelesn”. After encryption, an HTML file is added to the folders of the computer. This HTML file is the ransom note.

The HTML file states that the user’s files are encrypted and that they will have to pay money in return for access to their files. The ransom details include the procedures required to access the TOR browser and pay the attackers.

Additionally, the ransom file also contains a password that can help the users to log in to TOR. The ransom is priced at 0.10 Bitcoin. The victims are given 10 days to pay the ransom. Delay in payment is threatened with the permanent loss of data.

So what should you do if you are affected by Nozelesn Ransomware? Since it is a new ransomware, not much is known about it. However, as a general rule of thumb, avoid paying any ransom to the attackers, as generally these cybercriminals are not to be trusted.

How is Ransomware Faring in Hawaii?

July 12, 2018 by Martin

Ransomware attacks continue to increase with some ferocity. The security infrastructure of public offices in different states and cities is constantly under threat, and those offices are trying to block, detect and remove ransomware.

Cyberattacks in Hawaii

Hawaii faces more than 10,000 cyberattacks daily. Last week, computer systems in Oahu, Hawaii were halted midway through operations and were unable to function. There were suspicions of a ransomware attack, but it was soon clarified that this was due to a maintenance problem.

According to Mark Wong, Director for the City and County of Honolulu’s Department of Information Technology, they had been extremely lucky to evade cybersecurity attacks despite cybercriminals trying continuously to infect governmental, public and private computers with malware and ransomware on a daily basis.

Moreover, he said that the number of these attacks is between 40 and 45 million, as their security departments have been able to detect them in time and remove ransomware and other dangerous malware.

A majority of the computer systems are able to succeed in evading cyber threats due to the presence of anti malware and anti ransomware tools. However, not all attacks can be contained through the use of these tools.

Phishing

Additionally, according to Mr. Wong, most of their current investigative proceedings are related to attacks that involve phishing campaigns. Cybercriminals encourage people to type in their login details and use these details to corrupt their PCs with malware and ransomware.

Mr. Wong’s department has countered this threat by testing people with fake phishing campaigns. This way, people can be educated about these attacks and learn how to deal with them in future when a real hacker tries to attack.

Security Measures

Employees in the department of the City and County of Honolulu do not have access to the internet. Instead, a proxy is used, which helps to significantly reduce the chance of infection from a cyberattack. Moreover, all the systems of the state’s departments have been separated. Thus, if a cyberattack manages to hit one department, it will not succeed in spreading to other departments.

According to ransomware removal experts, unluckily, not everyone had the same success with ransomware attacks as Hawaii. There are some towns in the country whose public data was compromised and hence they were forced to pay a great amount of money to cybercriminals.

Sigrun Ransomware: A Jingoistic Offering by Russian Operators

July 11, 2018 by Martin

Aside from being committed for monetary gain or to build clout, cybercrime has now also become a part of the cold war between nation-states. In the last two years, the issue of Russian hackers manipulating the results of US presidential elections has been a regular item in the headlines.

Besides, every so often we come to know about a malicious cyber activity allegedly instigated by state actors. For instance, last year, the WannaCry ransomware attack jolted users all around the year. The attacks affected hundreds and thousands of users in more than 140 countries. The US authorities blamed North Korea for harboring this damaging cyber attack, which resulted in ransomware removal and recovery activities costing millions of dollars.

What we are trying to establish here is that there are some ransomware activities where nationalism also enters into the equation. For instance, in the first week of June, cybersecurity researchers came to know about a ransomware strain that goes by the name Sigrun. The operators of this cryptovirological strain only demand ransomware removal extortion money from non-Russian users.

Sigrun Operators Avoid Targeting Russian Users

The researchers have found out that the operators of Sigrun deliberately avoid targeting Russian users. They have added a feature in the script of the ransomware to detect the keyboard layout of the targeted computer. If it detects a Russian layout, then the strain doesn’t initiate its encryption process and deletes itself.

However, not all Russian users are using that layout. So, there are chances that a Russian can be affected by the cryptovirological activity of Sigrun. For all those ‘wrongly targeted’ users, the operators come off as accommodating individuals and offer them free ransomware removal. It is worth noting that the same operators are asking for $2,500 in cryptocurrency from non-Russian victims.

The encryption process of Sigrun ransomware is quite similar to that of most cryptovirological strains. It appends the extension ‘.Sigrun’ to every encrypted file and leaves HTML and text files as ransom notes on the desktop. Barring a few extensions, nearly every file is vulnerable to the activity of Sigrun. This means extensive ransomware removal activities will be required to disinfect the affected device.
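The appended extensions described here for Sigrun and earlier for Nozelesn give responders a simple way to scope an incident. The following triage sketch is an added example, not part of the original posts: it walks a directory tree, counts renamed files per folder, recovers the original file names for matching against backups, and flags HTML or text files that repeat across affected folders as likely ransom notes. The sample tree and the note file name are constructed placeholders, since the posts do not give the note names.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions named in the two write-ups, compared case-insensitively.
MARKER_EXTENSIONS = {".nozelesn", ".sigrun"}
NOTE_EXTENSIONS = {".html", ".htm", ".txt"}

# Constructed sample tree; the note file name is a placeholder.
SAMPLE_TREE = [
    "finance/q2.xlsx.nozelesn",
    "finance/invoice.pdf.nozelesn",
    "finance/NOTE-PLACEHOLDER.html",
    "finance/readme.txt",              # ordinary file that happens to be text
    "hr/staff.docx.nozelesn",
    "hr/NOTE-PLACEHOLDER.html",
    "media/photo.jpg.Sigrun",
    "public/index.html",               # untouched folder, must not be flagged
    "public/logo.png",
]


def triage(root):
    """Summarise which folders under `root` hold files with a marker extension."""
    root = Path(root)
    renamed_by_dir = {}
    note_dirs = defaultdict(set)       # candidate note name -> affected folders
    for dirpath, _subdirs, files in os.walk(root):
        renamed = sorted(f for f in files
                         if Path(f).suffix.lower() in MARKER_EXTENSIONS)
        if not renamed:
            continue
        rel = Path(dirpath).relative_to(root).as_posix()
        renamed_by_dir[rel] = renamed
        for name in files:
            if Path(name).suffix.lower() in NOTE_EXTENSIONS:
                note_dirs[name].add(rel)
    return {
        "affected_dirs": {d: len(fs) for d, fs in renamed_by_dir.items()},
        # Stripping the appended extension gives the name to look for in backups.
        "original_names": sorted(
            (Path(d) / f).with_suffix("").as_posix()
            for d, fs in renamed_by_dir.items() for f in fs),
        # The same file dropped into several affected folders is a likely note.
        "likely_notes": sorted(n for n, dirs in note_dirs.items()
                               if len(dirs) >= 2),
    }


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_TREE:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample\n")
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Run it read-only against a mounted image or snapshot rather than the live system, so that file timestamps needed for the investigation are preserved.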

 

 
