
Ryuk Ransomware Collects $640,000 in Ransomware Attacks

August 31, 2018 | Martin

Ransomware removal experts have found a new enemy circling the security space. The ransomware has been identified as Ryuk. The cybercriminal team behind Ryuk has so far extorted $640,000 from its victims. The ransomware was first found in mid-August. Because it is so new, analysis and investigation are still under way to determine its modus operandi and any link to other cyber threats.

The general view shared by ransomware removal experts is that the cybercriminals behind carefully planned ransomware campaigns set their sights on a single target. The targeted company then faces malicious phishing campaigns. Other infection strategies include exploiting weakly secured Remote Desktop Protocol (RDP) on the victims’ systems.

Ransomware removal expert Mark Lechtik agreed with this analysis and gave his opinion on the ransomware. He explained that the ransomware requires administrator privileges to gain complete control of the affected systems. However, the ransomware cannot obtain those privileges on its own, so it needs a separate tool to do so. Mr. Lechtik has not been able to pinpoint the tool that helped the team behind Ryuk succeed in their nefarious plans.

It is also reported that the ransomware terminates various services and processes of the infected systems. A ransomware removal expert from Check Point said that the ransomware closes down about 180 services and 40 processes.

Unfortunately, ransomware removal experts have not been able to devise a tool to decrypt files affected by the ransomware. The ransomware combines the cryptographic algorithms RSA (Rivest, Shamir and Adleman) and AES (Advanced Encryption Standard) to form a formidable combination that cannot be decrypted. Security experts are continuously trying to find a flaw in the code and design of the ransomware in order to create decryption software.

How Data Management Can Help Deal with a Ransomware Attack

August 30, 2018 | Martin

No matter how good the ransomware removal and recovery measures employed by a company hit by a cryptovirological infiltration, there is no way to avoid downtime. This is particularly true when important data is encrypted in the attack and no backup is available. This is why backups and data management applications have become an essential toolkit for organizations dealing with ransomware attacks. While ransomware removal measures are becoming more streamlined with time, developers are also working on effective data management applications to neutralize the threat of ransomware and other cyber attacks.

Recently, a cloud data management company developed an application that provides a holistic response plan against any instance of a ransomware attack. The application is called Radar and contains several layers of defense mechanisms against cyber mischief.

Constant Monitoring of the Digital Environment

The application constantly monitors your organization's digital environment to pick up anomalies. Its machine learning capability makes this monitoring more effective: it enables the application to detect the activity of a ransomware variant if it has previously encountered a strain built on a similar encryption platform.

Quick Analysis of the Threat

As soon as the application detects an anomaly, it quickly runs an analysis of the nature and impact of the possible threat. This helps businesses devise the pertinent ransomware recovery and removal measures.

Also Offers Recovery Options

Radar also offers data recovery options that can avert complete business disruption for the affected entities.

As demonstrated, this data management application provides a comprehensive mechanism to deal with malicious cyber infiltrations. With this application and professional ransomware removal measures in place, companies can devise a winning plan against any cyber threat.

GandCrab’s Entry in Vietnam

August 29, 2018 | Martin

No one is untouchable in the ransomware industry. Cybercriminals have the audacity to strike major conglomerates and government institutions around the world. Even ransomware removal experts in the world’s IT center, Silicon Valley, are unable to counter this particular niche of malware. A statistics report published in early 2018 singled out the ballooning ransomware menace in Vietnam. The industries considered most susceptible to such infiltrations were trade and finance. Vietnamese cybersecurity company Bkav reported that malware attacks have already cost Vietnamese citizens $540 million in damages.

A Familiar Foe

The situation has been further complicated by the latest reports signaling the arrival of a notorious ransomware campaign in Vietnamese IT circles. Ransomware removal reporters learned that the Vietnam Computer Emergency Response Team (VNCERT) has notified organizations and the government sector of a digital pandemic: GandCrab Ransomware is wrecking the cybersecurity space in Vietnam. The ransom that users were coerced to pay for ransomware removal and recovery ranges from $400 to $1000.

VNCERT categorized the international ransomware’s infection as ‘extremely dangerous’. Ransomware removal reporters failed to get the estimated damages as well as the costs that were incurred in the Vietnamese business industry in the aftermath of the ransomware’s explosive entry.

Recommended Security Measures

To help organizations escape GandCrab, VNCERT has published a few ‘Dos and Don’ts’. Clicking on links that arouse even a hint of suspicion is discouraged, while emails with attached files need to be viewed carefully. Moreover, VNCERT has specifically cautioned organizations to monitor the traffic coming into their systems and to strengthen their cybersecurity with appropriate measures, which can include updating firewalls. If ransomware still bypasses an organization's security, quick isolation of servers is advised.

CryptoConsole 3.0 Ransomware

August 27, 2018 | Martin

The writers of CryptoConsole ransomware are continuously developing new variants of the strain. Security researchers detected the latest version, CryptoConsole 3.0, a couple of days ago. The preliminary findings suggest that, like the previous versions, it locks down the screen and drops a ransom note on the display in the form of a screenshot of a text file. Researchers have noted that the operators have changed their contact IDs this time.

Operators are asking for a nominal ransom amount

The operators of CryptoConsole are playing with the psyche of affected users by demanding minimal extortion money ($50) for the decryption key. They also offer free decryption of a single file of up to 10 MB to prove their authenticity as the orchestrators of the attack.

The small ransom amount will leave many people unsure how to deal with the situation. Choosing between paying the operators for the decryption key and going for professional ransomware removal services will surely be difficult.

To deter people from contacting professional ransomware removal services, the operators state in the ransom note that they will delete the files if the user tries to decrypt the affected files on their own. We want to inform our readers that this is just a scare tactic and nothing else. You should use professional ransomware removal and recovery services after such attacks.

Compromised websites are used as the payload droppers for CryptoConsole 3.0

Instead of phishing, the operators of CryptoConsole 3.0 are using compromised web addresses to drop the payload on users’ devices. People with poor network security will become an easy target for CryptoConsole operators. File-sharing servers can also be used by the ransomware operators to deliver the cryptovirological code. So, make sure you don’t download any file from an unsecured web location or address.

Ransomware Attack Tricks Man into Admitting his Child Pornography Habit

August 24, 2018 | Martin

In an interesting turn of events in Indiana, a 22-year-old man turned himself in at the local police station, admitting he viewed child pornography. According to the Porter County prosecutor, Joseph T. Hanvey drove to Valparaiso police station after his phone was locked down during an attempt to download a pornographic video.

Ransomware Operators' Fear Tactic Tricks Hanvey

When Hanvey was trying to download pornography on his cell phone, his device went blank and started to show a notification that his device was being monitored by the FBI. The notification scared Hanvey badly. He thought his phone had been locked down as a result of accessing child porn, and therefore he drove to the local police station to explain the situation.

In reality, the note was fake and was used by ransomware operators to scare Hanvey into submitting to their extortion demand for ransomware removal. Posing as a law enforcement entity is an old scare tactic used by ransomware operators to get ransom money from individuals accessing compromised and illegitimate websites. In most cases, people guilty of doing something unlawful pay the operators without notifying anyone.

However, the case of Hanvey turned out to be an exception because he admitted to watching child porn. He has also told authorities that he is aware of his problematic habit and wants to address it. Investigators have concluded that Hanvey’s device was affected by a lock screen malware, which can easily be neutralized by a simple ransomware removal measure.

Viewing and possessing child porn is a punishable offense in the US, so Hanvey has been charged by the county prosecutor under the pertinent penal code. There is a strong chance that he will be given rehabilitation treatment instead of prison time.

San Francisco Radio Station Still Crippled Due to Ransomware Attack

August 23, 2018 | Martin

Ransomware removal reporters have found that the San Francisco radio station KQED is still recovering from the aftermath of the cyber invasion. The attack originally occurred on 15 June 2018. However, a month has passed and several of the radio station's systems are still not operational.

An air of skepticism has surrounded the station, as a senior editor at the radio station was quoted as saying “It’s like we’ve been bombed back to 20 years ago, technology-wise.”

In the early days after the attack, the station was in dire straits, and ransomware removal analysts believe the scope of the damage to be of major proportions. The attack ranged from the deletion of prerecorded segments to the shutting down of the station's email server. Moreover, the online broadcast was unable to air for more than half a day. Fortunately, the FM broadcast was not affected. However, the station’s Wi-Fi system was inoperable for a few days.

While the station was working on ransomware removal and restoration of its systems, the staff bore the brunt of the circumstances. They had to resort to manual processes for the distribution of scripts, and productivity decreased. The station’s broadcasters were forced to use stopwatches to time their segments and have sorely missed the functionality of their offline content management systems.

The cybercriminal group associated with the ransomware was difficult to communicate with. The ransom asked for each individually encrypted file is said to be in the thousands of dollars. Hence, the total ransom was estimated to be in the millions. Recent reports indicate that the station’s management has so far refused the demands of the cybercriminal group.

For the time being, the office’s personnel have been tasked to work alongside the affected PCs. The exact name of the ransomware has not been revealed yet; however, it has been confirmed that it is not the Petya Ransomware.

 

Maersk and COSCO Ransomware Attacks Hit The Transportation Industry

August 21, 2018 | Martin

Ransomware removal analysts have warned of the threat of ransomware creeping into the transportation industry. With shipping giants like COSCO and A.P. Moller-Maersk crippled by ransomware offensives, any company can expect unauthorized access through ransomware.

Early in the year, Maersk Chairman Jim Hagemann Snabe uncovered new information concerning the company's entanglement with the ransomware attack. An assessment put the company’s losses at around $300 million. These losses include ransomware removal and recovery processes that consisted of IT services on 4,000 servers, 45,000 PCs and 2,500 applications in the span of 10 days.

It may be argued that the IT networks of individual American transportation businesses differ from Maersk's, depending upon each organization’s requirements. However, ransomware removal professionals believe that these businesses share certain resemblances. These resemblances can be related to a company’s IT systems for supply chain and logistical processes.

These attacks have forced countless professionals in the industry to reflect upon their IT security. One of them was Robert Loya. Mr. Loya, who works as a director of operations at CMI Transportation, stated that other transporters did not take ransomware threats seriously before these attacks.

Mr. Ron Godine, the vice president of TMW Systems, has a different point of view. Mr. Godine believes that ransomware attacks may have hit a larger number of carriers, but the affected victims may not have made the details of the infiltration public.

Ransomware removal experts think that the reason behind this mindset is to save the image of the organization. When news headlines associate an organization with a ransomware infiltration, it causes both the organization’s clientele and its partners to lose faith.

Therefore, the best solution for transportation companies is to adopt the latest IT security measures that can tackle issues related to ransomware removal, recovery, backups and other critical security issues.

 

Vulnerable CPU Chips May Lead to More Ransomware Attacks

August 16, 2018 | Martin

In the past, cybersecurity against ransomware meant a number of anti-malware tools cross-checking a virus against their databases. The databases contained information on common malware that was static and always attacked with the same stale tactics. However, with today’s advanced technologies, especially breakthroughs in AI, ransomware removal analysts believe that ransomware attacks can be countered better.

A ransomware removal report indicated that ransom notes have seen an increase of 6,000 percent since last year. A worrying development was the disclosure of the Spectre and Meltdown security vulnerabilities in CPU chips manufactured by major hardware vendors Intel, AMD and ARM.

The most astonishing realization was the fact that some of these vulnerabilities existed for more than 20 years in Intel’s chips. Since Intel has powered billions of computing devices around the world in the last two decades, it is disturbing to realize how many computers belonging to enterprises, institutions and governments were vulnerable to cyberthreats like ransomware and other malware.

As these companies rush to fix their flaws, cybercriminals have been given an opportunity to disrupt the world with an onslaught of ransomware campaigns. The problem with Spectre is that it interferes with the isolation barrier that exists between computing applications. This creates an opening for cybercriminals to enter computer programs, which are then connected to the ransomware’s malicious components.

In Meltdown, the isolation mechanism between the OS and computing applications is affected, which allows cybercriminals to tinker with the memory and information stored in the system. Thus, ransomware manages to block access to users’ data and systems.

Ransomware removal experts fear that after this news, ransomware attacks will only worsen. However, they are confident that with the advent of AI, ransomware can be tackled more effectively as intelligent systems will be able to catch them even when they evolve and become more invasive.

 

 

233 Victims Paid Ransom to SamSam Ransomware

August 14, 2018 | Martin

The recent SamSam Ransomware report by Sophos sheds light on the victims of the ransomware. According to ransomware removal reporters, a minimum of 233 users complied with the demands of the cybercriminal group associated with the ransomware and paid the ransom.

Ransomware removal reporters also noted that 86 of the victims publicly announced their ransom payments. Sophos has gathered data from these users and incorporated it as part of its research on SamSam Ransomware. Sophos also monitored and followed the Bitcoin wallet addresses of the hacked users for the research.

The figures in the report showed that North American and European countries were attacked, with victims from the US, UK, Belgium, and Canada accounting for almost 90 percent of the total attacks. The report also covered the types of organizations that paid the ransom. Private sector businesses accounted for half the number of victims that paid the ransom. Worryingly, the report stated that 25 percent of the attacks were directed at the healthcare industry, a fact which can be corroborated by the recent attacks in Missouri, Alaska and other American states.

Governmental institutions came third, with 13 percent of the ransomware attacks compromising sensitive data, especially in smaller towns and municipalities. Educational institutions were also affected, as 11 percent of such institutions were found to be dealing with ransomware removal and recovery.

The report also claimed that the Sophos team managed to locate the addresses of more than 150 Bitcoin wallets that were receiving the ransom. A certain segment of users was also singled out for not paying the ransom. This segment consisted of 88 users.

Sophos asserted that generally one victim per day was targeted with the ransom, while a quarter of those affected paid money for ransomware removal. The most profitable ransom eked out by the cybercriminals was $64,000.

Ransomware Assault on DC Surveillance Cameras Part of a More Devious Plan

August 13, 2018 | Martin

Last year, a few days before the swearing-in ceremony of President Donald Trump, over 100 surveillance cameras in Washington DC went offline. The administration responded quickly and found that a ransomware strain had penetrated the surveillance system. The surveillance cameras were returned to normal operation within a couple of days, after ransomware removal measures were concluded.

But ransomware activity was not confined to the live feed. Four storage devices containing surveillance footage were also encrypted by the ransomware. The operators demanded $60,000 worth of Bitcoin for ransomware removal. However, the officials regained access to the locked-down surveillance footage through their own ransomware removal protocols. In the following days, federal agencies worked extensively on nabbing the culprits behind the attack.

Law enforcement officials arrested a Romanian couple in connection with this ransomware assault. In December 2017, the federal prosecutors formally charged the couple for the crime after finding out their personal email accounts were accessed through affected police computers.

It is also important to note that the intentions of the charged cybercriminals were far more devious than what was initially believed. The files retrieved by law enforcement personnel suggest that they had a plan to target hundreds and thousands of other computers by sending out ransomware payloads through phishing emails. The couple owned a list of more than 170,000 email addresses. Investigators think that they might have purchased this information from the black market.

It has also been found out that they were running a shady business on Amazon to scam people. Luckily, the couple was arrested in Romania last year. Otherwise, there would have been more victims trying to disinfect their computers through ransomware removal measures. The couple is now facing cybercrime charges both in the US and Romania.

© 2019 MonsterCloud.com. All Rights Reserved.