Simeon, Author at MonsterCloud

13 posts, 0 comments

Ransomware Delivery through Phishing Campaigns

January 25, 2019

A single biological virus strain from a single point of origin can infect hundreds and thousands of people. Ransomware infection also spreads like a medical virus. Ransomware delivery on a single device can affect numerous devices connected to the same server.

In other words, the success of a ransomware attack largely depends on how it is delivered to the targeted digital environment. Cryptovirological operators use several techniques to deliver the payload of ransomware to the intended targets, and phishing campaigns is one of them.

Phishing emails were initially used to steal confidential information and login credentials of the affected users. However, cybercriminals have upgraded and extended the use of phishing emails. Now, they are also used for the delivery of malware scripts including ransomware.

Why Cryptovirological Operators Use Phishing Campaigns?

By devising a phishing campaign, ransomware operators are able to target hundreds and thousands of users in a single go. This mass distribution actually ensures that more people become a victim of the malware, which in turn increases the chances for the attacker to rack more money in the name of ransomware removal.

Different Ransomware Distribution Methods through Phishing Mails

There are two definite ways in which ransomware can be distributed through phishing campaigns.

Malicious Attachments

Ransomware operators often use malicious attachments of zip files embedded with a cryptovirological script. As users download them out of curiosity, the malware payload is delivered on the device.

Infected URLs

Some phishing emails contain infected URLs and urge users to click them through several social engineering tactics. These URLs are already infected with ransomware. Upon clicking the link, the cryptovirological infection is automatically downloaded on the device.

If you don’t want to pay heavy extortion amounts for ransomware removal, make it certain that you are not clicking any link or attachment of a mail sent by an unknown user.

GandCrab Ransomware Operators Might have Racked 300 Million from Victims this Year

January 21, 2019

Like the preceding years, 2018 also saw the development of dangerous new ransomware strains. And it won’t be wrong to say that GandCrab ransomware might have won the race in inflicting the maximum amount of losses. A digital security company has analyzed the activity of GandCrab ransomware all through the year to come up with this assertion.

GandCrab operators have primarily focused on targeting large companies in the anticipation of big ransomware payouts. For instance, in one attack, the operators demanded extortion amount of whopping 0.7 million dollars to provide the ransomware removal key. The security firm has also reported that half of the reported victims resorted to ransom payment. According to the number of users affected by GandCrab ransomware, even the payment of least demanded ransom amount ($600) has made $300 million for its operators this year.

A solution for GandCrab Encryption is now Available

After months of malicious activity of GandCrab ransomware, Europol along with cybersecurity companies have come up with its ransomware removal decrypter. The solution is available for free. According to the numbers established by the Europol, GandCrab affected users have avoided paying nearly one million ransom amount because of its free decrypter.

Unreported Attacks are Not Taken into Account

There are always a large number of cyber attacks that go unreported. Many commercial entities don’t report such incidents because it can irreversibly damage their business reputation. The same can be said about the activity of GandCrab. The figure of $300 million only entails reported attacks. We still don’t know how all the unreported victims of GandCrab dealt with its encryption.

All things considered, the collective tangible losses caused by GandCrab can be way over half a billion dollar. Such immense monetary losses definitely make GandCrab one of the deadliest ransomware strains of the year 2018.

Ryuk Ransomware Activity Halts Printing and Delivery of Several US Newspapers

January 18, 2019

Ransomware attacks have been frequently happening in the last couple of years. The majority of attacks involve targeting corporate and public-sector entities. However, a unique ransomware activity happened over this weekend when one of the largest US newspaper publishers came under cryptovirological attack.

Tribune Publishing has experienced a major cyberattack over the weekend, which affected the publication of several of its newspapers in different states. It has been reported that the attack delayed the delivery of newspapers in many regions this Saturday and Sunday. Moreover, some of the affected newspapers also had to slash their regular number of pages.

Now, the report is coming in that the cyber attack on Tribune publishing was actually the infiltration of the Ryuk ransomware. An anonymous source from within the organization has told LA times that Ryuk ransomware was used to lock down the devices of Tribune Publishing.

The source couldn’t tell anything else about the attack. It is still not known whether the company has completed ransomware removal and recovery activities. Moreover, we still don’t know about the perpetrators behind the attack and what they demanded the ransomware removal key.

The attack has revealed another dangerous opportunity regarding the use of ransomware for disruption of services. A more severe ransomware infiltration could have actually turned into a complete publication blackout. Such ransomware prospects can be exploited in state-sponsored cyber warfare.

Ryuk Ransomware

Ryuk ransomware was first detected by security experts in the month of August. The code of Ryuk ransomware is pretty similar to that of Hermes ransomware. It also uses the combination of AES and RSA encryption to render regular ransomware removal efforts useless.

During the spurt of Ryuk ransomware activity in August and following months, its operators would ask for 0.5 Bitcoin to provide decrypter for ransomware removal.

Devising Initial Response to a Ransomware Attack

January 15, 2019

Ransomware has become a buzzword in cybersecurity quarters over the last two years and rightly so. If you have suffered a cryptovirological attack, then how you deal with it at the onset will decide the extent of damages and subsequent ransomware removal and recovery measures. In this piece, we will try to discuss how one should devise their initial response to mitigate cryptovirological damages.

Stop the Lateral Movement

The majority of ransomware strains try to spread across the network to affect as many as devices as possible. For that matter, it is crucial to isolate the infection. The simplest way to do this is by disconnecting each and every device from the central network. Apart from disconnecting them physically, also check wireless connections (Wi-Fi, Bluetooth and near-field communication etc) and close them off. It is the least that you can do upon the detection of the cryptovirological script in your network to stop it from further proliferation.

Source Identification

Identifying the point of entry of the ransomware can eliminate half of your work, which entails the tracking down of the infection across the whole network. Subsequently, it will also help you to focus your ransomware removal measures in the right direction which will reduce the extended downtime. To detect the entry points, do this:

Check alerts on anti-malware and intrusion detection software
Look for suspicious email reports
Check web browsers (some cryptovirological payload are dropped through compromised websites)
Also, directly ask people since many times these attacks go unreported and undetected

Classification of ransomware

The third step of your initial response should be the classification of the cryptovirological script used in the attack. Find out what distribution technique and encryption module has been used to lock down the files. The expertise of ransomware removal experts can also come in handy here.

Security Think Tank: Focus on Malicious Use of AI in 2019

January 13, 2019

In the end of 2018, Security Think Tank was asked three fundamental questions that will paint a clearer picture of the malware landscape of 2019. What was the one thing that was predicted for 2018 but didn’t happen? What was the one thing that wasn’t predicted but did happen? And what the one thing that should happen in 2019, but probably will not?

Predicted, but Didn’t Happen

As ransomware removal problems had surfaced in 2017, it had been predicted that there will be an explosion of ransomware in 2018. Well, ransomware removal remained a huge problem in 2018, and even small to medium sized businesses struggled a lot. Even though this was the case, researches signified that 2017 saw 62% respondents experiencing attacks in 2017 and 45% respondents experiencing one in 2018.

Hardly an explosion, is it? These stats were so because of the fact that 73% of these people had ransomware removal strategies in place in 2018 – as opposed to a smaller 53% in 2017.

Happened, but Wasn’t Predicted

Even though the explosion of ransomware was predicted, another form of malware had been seen taking the throne for causing chaos – crypto mining.

Predicted, but Probably Won’t in 2019

Many experts in the field of AI had thought about the possible dangers of technology in terms of malware. This is because, given the speed at how this technology is progressing, Security Think Tank believes that this threat is not going to be a problem in 2019.

Don’t get us wrong though – it will happen. It won’t be possible anytime soon, but once it does become a reality, corporations should be geared enough to handle a whole new level of ruckus!

Ransomware: What is it? What are its Different Kinds?

January 11, 2019

Nearly everyone in today’s age knows what is inside a mobile phone or a personal computer. Now we’re entering into a time where people are learning about what ransomware removal really is. Imagine if someone steals whatever is inside your mobile phone or personal computer and demand a ransom.

Security has always been a concern among companies that provide cybersecurity. Ransomware removal, on the other hand, is a completely new level of security. This is exactly why cybersecurity firms have one thing among their minds nowadays – ransomware removal.

Ransomware signifies a type of software that encrypts all the documents of the computer it enters. The victims of this threat can only regain access to their personal data once they have paid the ransom asked for by the cybercriminals.

Ransomware had made its way to the surface somewhere in 2017, but by an approximate growth of 748%, ransomware has now come to be known as a global issue. Let’s have a brief look at some of the basic kinds of ransomware.

1. Bad Rabbit

Bad Rabbit was seen in Eastern Europe and Russia and was spread via a fake update for Adobe Flash.

2. Crysis

Crysis targeted the network and removable or fixed drives when they were connected to the infected computer.

3. Cerber

Cerber targeted users of the Office 365 cloud and millions of people had been affected.

4. CryptoLocker

This aptly named ransomware works in a manner of using algorithms to search for files to encrypt in terms of priority.

5. CryptoWall

CryptoWall spreads via exploit kits or spam, and it works in the same manner as the CryptoLocker variants

6. Jigsaw

Jigsaw, which was named after a villain from a movie series, continues to delete files until the respective ransom isn’t paid.

Well, all of this doesn’t sound scary enough for those who don’t rely too much on technologies. For those who do, however, it’s an absolute nightmare!

Malwarebytes: Fileless Ransomware an Emerging Threat for the US

January 11, 2019

Malwarebytes has brought forward a report which has introduced a whole new problem for ransomware removal companies. ‘Sorebrect’ has come forward as ransomware that is completely fileless and Malwarebytes says it is the very first of its kind.

Malwarebytes’ report named ‘Under the Radar: The Future of Undetected Malware, observes four major ransomware attacks in 2018 that were completely fileless. These include SamSam, TrickBot, Emotet, and now Sorebrect. These attacks have accounted for about 35% of all of the attacks in 2018 and were also known to be 10 times more successful than the traditional form – in terms of ransomware removal.

The director of Malware Intelligence, Adam Kujawa said that GandCrab was the most popular kind of ransomware because of its capabilities, but Sorebrect was a completely new evolution of malware. The main way it infects victims is via exploited scripts or MS Office documents. It then resides into the memory of the device in question and hangs around long enough to encrypt everything.

The director also said that as ransomware removal methods for this threat aren’t full proof as yet, enterprises should adopt behavioral detection and move beyond their signature-based detection methods. Other than this, Malwarebytes also went on to suggest that these corporations should focus their strengths on email messages with the help of security products that disable threats and remove them entirely from the system.

All of this should be done before this form of malware makes any advances. Adam Kujawa was quoted to have said that we are still lucky that this form of malware hasn’t spread as yet, which means that cybercriminals out there haven’t started forming copycats of Sorebrect as yet and bigger splashes from these can be expected soon enough.

Gear up people!

WannaCry is Far from Dead – What You Need to Know?

January 4, 2019

Nearly one and a half years ago, the world experienced probably the biggest cyberattack in its history. The attack was carried out through a ransomware script called WannaCry. The ransomware infiltration spread like the Biblical plague. Within a week, WannaCry affected millions of computers in more than 140 countries. There are no exact figures to corroborate this claim, but it is said that billions of dollars have been spent on ransomware removal and for the recuperation of the all the tangible and intangible losses inflicted by the ransomware.

There is a perception among many users that WannaCry was sen into oblivion after this unprecedented wide-scale attack. However, that’s not quite true. According to the developer of a killswitch at Kryptos Logic, WannaCry is still thriving in the cyberspace. The kill switch was particularly developed to neutralize the encryption component of WannaCry. This means users with the Killswitch on their devices won’t lose their data even if they get affected by a WannaCry ransomware attack.

Nevertheless, the Killswitch can’t entirely wipe out the cryptovirological strain. So, professional ransomware removal services are still required. WannaCry keeps on running in the background and continuously tries to connect with a Killswitch to see whether it is still active.

Kryptos Logic’s head of security and threat intelligence, Jamie Hankins, has recently revealed the figures regarding the Killswitch activity. Those numbers clearly indicate that WannaCry is still alive and kicking.

As per Hankins, their kill switch domain for WannaCry still detects over 17 million connections within a week. It was also found that these beacons are coming from over 600 different IP addresses from all corners of the world. This stat only shows the activity of WannaCry on devices with kill switch domains. The actual figure of its attempts is definitely way more than that.

Vulnerability Assessment for Ransomware Attacks

May 30, 2018

Ransomware attacks have taken a form of an epidemic in last two years. Organizations and individual users are affected by the cryptovirological menace alike. Therefore, it is important for every user to evaluate their vulnerability against ransomware attacks. With assessment, you can devise a better strategy to deter cryptovirological attacks and to prevent consequent ransomware removal activities. Vulnerability assessment for ransomware attacks can be carried out by asking the following questions.

Are Employees Aware of Phishing Techniques?

Phishing is at the forefront of ransomware attacks. More than 80 percent cryptovirological attacks were carried out by delivering the payload through phishing mail. For that matter, it is important for any organization to educate their people regarding social engineering tactics that are used to devise a different type of phishing attacks. It is also important to note that organizations have to spend millions of dollars on ransomware removal measures because of the lack of awareness of employees regarding phishing.

Is Data Being Backed Up Regularly?

Reports suggest that the majority of businesses working in the digital realm are still not maintaining regular data backups. With the regular routine of data backups, you can significantly reduce ransomware removal cost and also the incurred downtime.

Is the Network Secure?

Ransomware operators also use Remote Desktop Services (RDS) to infiltrate organizational networks. If you are using RDS without taking care of its security, then keep in mind that your network is not protected. Similarly, if unauthorized devices are connected to the network, then it remains vulnerable to the instances of ransomware infiltrations.

Is Patch Management a Regular Practice?

Developers of cryptovirological strains frequently take advantage of the vulnerabilities of different vital software applications (MS Office, Window Scripting Files, and JavaScript etc.) to infiltrate and infect the devices with encryption.

By timely updating the devices with latest patches introduced by the developers, you can reduce the vulnerability of software. It will be interesting to mention that WannaCry ransomware, which wrecked havoc on digital users last year, used vulnerabilities of Windows system files to infiltrate the devices. A significant amount of resources were exhausted in ransomware removal activities following WannaCry epidemic.

Ransomware Basics: Common Methods Employed for a Ransomware Infiltration

April 20, 2018

This is the second blog in the series where we are touching upon some of the fundamental knowledge about ransomware attacks. The purpose of this series is to ensure that our readers remain fully familiar with this contemporary cyber threat and can timely employ preventive measures. Moreover, this information will also help them in picking the right ransomware repair services.

Here, we will discuss different methods or vectors that are used by ransomware operators to deliver cryptovirological codes to the devices of targeted users.

Email

Email is the most commonly used delivery method in many of the ransomware campaigns.

Attachments

Malicious email attachments are used by ransomware operators to transfer cryptographic codes. Social engineering is at full demonstration while crafting the mails that contain these malicious attachments. In most of the cases, these attachments are word files, Java scripts or any other portable executable extension. Victims download these attachments as they are instructed in the mail. However, instead of downloading any useful piece of information, they inadvertently download the payload of a ransomware strain.

This type of delivery method is effectively used by ransomware operators to infect organizational networks by exploiting the technological unawareness of employee.

Web Links

Emails through social engineering tactics is also used to redirect the users to the web links that directly transfer the payload of a ransomware to the targeted devices.

Exploit Kits

As the name suggests, these are the hidden software kits responsible to run malicious web pages. These web pages asses and exploit vulnerabilities of the targeted user’s device. Exploit kits start to run as soon as a user visits a compromised web address. If the kit succeeds in finding out the vulnerabilities of the device, a payload of the ransomware strain infiltrates into the device by a drive-by download.

As soon as the payload of a ransomware strain is transferred to the targeted device, encryption activity starts which results into the lockdown of the stored data. The affected victims then need professional ransomware repair services to get back the access to their locked down files.

For assistance on file recovery, please contact MonsterCloud Cyber Security experts for a professional ransomware removal.