Blog Archives - MonsterCloud

US charges a North Korean operative for involvement in WannaCry attack

September 19, 2018

Cyber warfare among nation-states is also one of the realities of modern times. Countries are now settling scores on cyber battlefield. For instance, news channels are still covering the issue of Russian hacking of last US presidential elections. Last year, following the devastation of WannaCry ransomware, some high US officials pointed fingers towards North Korea for sponsoring and facilitating the attack. The Justice Department along with the help of federal agencies started the investigation to find the North Korean connection to a cyber attack that resulted in unwanted costs of ransomware removal for several US entities.

On Wednesday, the department formally charged a North Koran operator Park Jin-hyok for devising and launching a comprehensive multi-year assault including infamous Sony hack of 2014 and WannaCry attack of last year. The detailed charged sheet also includes the assertion that the Park did it on the behalf of the North Korean regime. Park has been formally charged for the felonies of extortion, cyber hacking and wire frauds.

The whereabouts of Park are not known to the authorities. So, an immediate extradition is not on the cards. Experts are calling the verdict a symbolic but important proclamation from the US. The North Korean administration hasn’t made any statement on the verdict so far. It will be interesting to see how North Korea would react to the formal accusation made by the US. Whether North Korea was behind the ransomware attack or not, it is true that countries now covertly act against each other via cyber sphere.

Such attacks have taken place in the past. For instance, the cyber infiltration in Ukraine’s Power Grid was also alleged as the part of the ongoing tension between Ukraine and Russia at that point. Similarly, Iran blamed the US for a cyber attack on its nuclear reactor.

Municipal office of a small Canadian town hit by a ransomware

September 18, 2018

Midland is a small Canadian town located on Georgian Bay in Ontario. The municipal office of the town suffered a ransomware attack in the early morning of September, 1st. The attack has infected many municipal servers resulting in the disruption of many public services. Luckily, the emergency services of the town remain unscathed in the attack.

The incident is yet another addition to the growing list of ransomware attacks on municipal offices. This year, cryptovirological operators have shifted their focus on targeting digital facades of city and town administrations. From bringing down the municipal system of the entire city of Atlanta to targeting small suburban town of Midland, it is pretty clear that no local government network is safe from the shenanigans of cryptovirological operators.

The town administration has refused to pay the attacker for ransomware removal and started to resolve the issue with the help of cybersecurity experts. As teams are working on ransomware removal and restoration of the system, the town officials have also started the investigation into the attack.

According to the mayor of Midland town, they have reported the attack to the Ontario’s commissioner for Information and Privacy. Provincial law enforcement agencies have also offered their services to the town management to find out how the cryptovirological infiltration took place.

According to the press release issued by the town administration, it had acquired the cyber insurance policy before the attack. This means the cost of ransomware removal and system restoration will also be paid through insurance premiums. In addition, the IT department of the town’s municipal office was in the midst of implementing robust cybersecurity measures.

In a way, the attack has revealed the weak links in the digital network of the town’s municipal office. Now, IT experts can work on them.

Data Infiltration in ransomware attacks on healthcare facilities

September 17, 2018

In contrast to data breaches, ransomware attacks largely centered on locking down the data instead of exfiltrating it. However, there is no set rule regarding this in the guidebook used by ransomware attacks. Also, no such guidebook exists. In short, you can’t tell if ransomware attack also entails the infiltration of data.

In the healthcare sector, the digital databases comprising of confidential patients’ data remains susceptible to cyber attacks. The confidential health information and banking details of the patients stored in these databases are sold in a good deal on the black market.

Besides that, cybercriminals can effectively blackmail the targeted healthcare facility after seizing its classified databases. This usually happens in the instances of ransomware attacks where the operators demand a hefty sum of extortion money for ransomware removal to give back the access to confidential data.

During a cryptovirological activity, it is not easy to tell whether the attackers are stealthy infiltrating the comprised data as well. For that matter, it is important for the IT arms of healthcare facilities to put some measures in place. Keep in mind that ransomware removal measures can only decrypt the locked down files. They can’t help in stopping the infiltration of data.

Establishment of a robust logging mechanism

Continuously monitoring the user and network activities is critical for detecting any unauthorized infiltration of information. If a healthcare facility has a good logging and tracking system in place, then it becomes easier to detect infiltration during any ransomware attack.

Getting ransomware experts on board

To detect data infiltration during ransomware attack, it is important to have cryptovirological experts in the IT team. Aside from commencing ransomware removal activities, they know how to detect the ports and servers used to propagate the attack. They are also able to tell if an ongoing ransomware attack is being controlled by the operator’s command and control server.

Cryptovirological discovery: BadNews Ransomware

September 14, 2018

At any given time, a plethora of cryptovirological strains is riding the cyber waves. Teams hunting for malware, therefore, are used to detect a new ransomware strain every other day. Recently, a cybersecurity group has discovered a ransomware strain that goes with the name ‘BadNews’.

The delivery method of BadNews ransomware is still not known. However, there are strong chances that the operators of this strain are using email attachments to deliver the payload. Upon the completion of encryption, the affected device restarts and a ransom note appears on the screen in HTML file format. The note doesn’t specify the extortion amount BadNews operators are asking for ransomware removal. But professionals expert in dealing with cryptovirological strains suggest that the extortion demand will lie somewhere between $500 and $1,500.

BadNews uses double encryption

According to initial investigations, BadNews ransomware operators have used both AES and RSA encryption modules to lock down the files on targeted computers. It is important to note that AES and RSA modules entail symmetric and asymmetric encryption respectively. This means devising ransomware removal measure for this cryptovirological strain will be a tad difficult.

BadNews ransomware operators also offer free decryption of one affected file to guarantee the affected users that they can decrypt all the locked down files through the decrypter provided by the operators. In some cases, rookie operators messed up the cryptovirological code. And as a result, they couldn’t develop the right decryption key for ransomware removal. The attackers also warn of the targeted users to refrain from performing self-decryption because it can result in permanent loss of data.

Putting strong protection in the form of layered firewall and ransomware protection software is essential for preventing and limiting the damage of cryptovirological activity. In addition, backing up data will save you from playing into the hands of ransomware operators.

When should organizations pay the attackers for ransomware removal?

September 13, 2018

We have discussed it several times that a ransomware target must not engage with the attackers or pay them for ransomware removal. Law enforcement entities also advise the same. Ransomware operators are essentially criminals. So, there is no way you can guarantee that they will provide you the decryption key upon the payment of ransom.

Nevertheless, even after knowing this, organizations pay extortion money to cryptovirological operators. In most of the cases, they get the right decrypter from the attackers after a ransom payment. Before we move to outline the instances when extortion money should be paid to the attacker, keep in mind that it must only be exercised as the last resort.

If ransomware activity has encrypted the data not significant to critical operations, then affected organizations should focus on doing ransomware removal on their own. However, if a critical set of data with no backup has been encrypted, then organizations can think of paying the attackers.
If ransomware removal measures are taking more than usual and resulting in insufferable downtime, then the organization can mull over the option of paying the attackers for quick decryption. However, if the organization can sustain the incurred downtime, then it is better to stick with professional ransomware removal and restoration.
If the organization is not certain about 100 percent recovery from backups and there is a risk of data loss in ransomware removal measures, then organizations are not left with any other option except to contact the attackers.
In case the attack surface is of enormous in size and the targeted company is suffering from a shortage of staff, then the option of ransom payment can be exercised.

With data backup maintenance and good cybersecurity measures in place, targeted users can avoid this undesirable option of dealing with ransomware.

A New Ransomware Surfaces: CreamPie Ransomware

September 12, 2018

Getting hit by a ransomware is one of the worst predicaments that could happen to netizens. With the world’s migration to the e-space, the realization that your personal or business data is locked can be haunting for many individuals and businesses. Recently, a ransomware removal researcher was able to detect a cyberthreat lurking around in the security circles. The ransomware is known as CreamPie Ransomware. Luckily, early analysis has identified it as an underdeveloped release. Despite the inexperience displayed by its creators, the ransomware can be dangerous for your PC.

Initial Analysis

CreamPie uses malware spam for its distribution mechanism. Malware spams are those e-mails that are corrupted with malicious components. The ransomware embedded in their files cling on to the victim’s PC after an action is performed by the victims.

As the ransomware uses the victim’s naivety to enter the PC, it will then tinker with the operating system. This means that if you are using Windows OS, then CreamPie will go on to create its own processes. These processes run in the background and will change the keys of the Windows Registry.

Since, Windows Registry can configure device drivers, services, kernel and other OS components, changing its data means getting the license to control the entire PC of the victims. As a result, escaping the ransomware by just restarting the PC or network for ransomware removal is not possible.

Ransomware removal experts have concluded that the ransomware uses Advanced Encryption Standard (AES) to encrypt and lock the files. An extension of ‘[[email protected]].CreamPie’ is added to the end of the affected files.

However, unlike other ransomware, CreamPie has failed to add the ransom note that holds the detail about the ransom amount and its delivery method. Some ransomware removal experts believe that it was a rookie mistake while there are also those who fear that this may be a testing release and a more updated version may appear in the future.

.lockymap : Another variant of PyLocky ransomware

September 11, 2018

A team of cybersecurity researchers has discovered a new cryptovirological strain from the family PyLocky ransomware. This ransomware strain delivers its payload through executable files attached in phishing emails. Developers of .lockymap ransomware have used encryption algorithm ABS-256 to lock down the files on affected computers. As per encryption experts, this algorithm entails complex encryption matrices and is usually used to protect military grade gadgets.

As soon as the malicious code of .lockymap completes its encryption activity, a ransomware note in the form of text file appears on the screen. Victims are instructed in the note to download Tor browser in order to purchase the decrypter for ransomware removal. The attackers also offer the restoration of one encrypted file for free to assure the victims that they have the decryption key. The operators also threaten to double the amount of ransom in case victims don’t contact them for ransomware removal within four days after the attack.

Initial investigation suggests that the newly discovered ransomware strain might also penetrate into the Windows Registry Editor. The sub-keys of Run and RunOnce are the actual target of the strain in the Editor in order to create values for the automatic execution of ransomware whenever the victim turns on the device.

The infiltration of .lockymap ransomware in the Windows Registry also means that the strain is going to delete all the data backed up on the device. Researchers have identified the commands executed by the ransomware to delete shadow volume copies. The ransomware strain is capable of encrypting more than two dozen file extensions. Apart from encrypting a lot of files in the targeted device, the executable file of the ransomware is also stored in several system directories including Temp, AppData, Local and Roaming. Digital security researchers are still trying to work out particular ransomware removal measures for the .lockymap strain.

WannaCry variant hits iPhone chipmakers

September 10, 2018

Last month, an iPhone chipmaker in Taiwan sustained a cyber attack. The company had to stop the manufacturing process following the attack. Their security team couldn’t find out the nature of the attack at first. However, after weeks of investigation, they have termed a WannaCry variant responsible for the shutting down of the manufacturing plant.

The ransomware attack on the official chipmakers for Apple is another indication that cryptovirology can be used as a really deadly weapon by cybercriminals. It is still unclear if Apple will continue to work with the affected company. The company has completed the ransomware removal works and its production is back on its full capacity. Nevertheless, the ransomware attack has damaged the company’s reputation beyond repair.

The company hasn’t issued any public statement regarding how the attack happened and what were the demands of the attackers for ransomware removal. So, security experts can’t comment which WannaCry variant infiltrated the networks of the chipmakers and how the attack transpired.

The second advent of WannaCry

We all know how WannaCry wrecked havoc in the digital world last year by simultaneously affecting hundreds and thousands of devices. But after that colossal cryptovirological activity, it seemed like WannaCry operators had gone into hibernation.

Nevertheless, ransomware family is welcoming a new WannaCry variant. A couple of months ago, the WannaCry operators targeted Boeing operational facility in the US. Both of these WannaCry attacks are somehow linked to two of the top Fortune 500 companies.

There is no reimbursement for reputation

Companies getting affected by ransomware attacks have to face irreversible damages to their brand reputation. For them, paying the attackers for ransomware removal or doing it on their own is not a problem by any means. However, they can’t afford to get the tag of a ‘victim of a cyber attack’.

Ransomware Named After Barack Obama is Discovered

September 7, 2018

It is normal for cybersecurity experts to discover strange things on the World Wide Web. If we particularly talk about the domain of cryptovirology, then a new strain is discovered every other day. Many times these cryptovirological strains have really odd and inexplicable bearings. For instance, a team of cyber malware hunters has recently discovered a cryptovirological strain named by the operators as ‘Barack Obama ’s Everlasting Blue Blackmail Virus’. Picture of the former president appears on the screen as soon as the ransomware completes its encryption activity.

Along with the picture of Obama, a body of text also appears on the screen containing the email ID of the attackers. The note, however, doesn’t mention the amount of money demanded by the operators for ransomware removal.

The Barack Obama Virus is not an amateur attempt

Even though the name and imagery of this ransomware give off the impression that it might be an act of some rooky cryptovirological developer; that is not the case. Security experts have come to that conclusion after assessing the activity of the strain. For instance, as soon as the strain infiltrates the device, it executes multiple commands to stop different security processes run by antivirus software applications.

Apart from that, the cryptovirological strain is particularly designed to only encrypt executable files. So, files with only ‘.exe’ extension get affected by this ransomware strain. The infiltration of this ransomware strain is so deep that even the executable files in Windows folder are not spared from its encryption activity. This feature of strain can also disrupt the regular functioning of the operating system.

It is still unclear whether the attackers have developed the decryption key for ransomware removal. On the other hand, security researchers are still examining the encryption algorithm of the ransomware. It will certainly take some time to come up with the effective ransomware removal measure for the given cryptovirological strain.

Riverside Ransomware Attack Was Severe Than Initial Estimates

September 6, 2018

This year, we have seen a growing trend of cryptovirological operators to target local governments and the departments operating in the public domain. In the same flutter, Riverside Police Department sustained a ransomware attack in April, resulting in the shutting down of the department’s record management system, which is used as a platform to devise and store investigation reports.

While cybersecurity experts were dealing with ransomware removal, the department started to use databases stored on the state’s law enforcement gateway on a temporary basis. The city police used the gateway for four days until the completion of ransomware removal.

A new investigation reveals startling details

According to the public statement issued by the Chief of City Police soon after the incident, the ransomware attack left the department unable in retrieving and printing the past reports. This hiccup resulted in delaying the progress on several ongoing investigations.

But a recent investigation scoop suggests that the damage of ransomware was not only limited to the unavailability of the past record. According to the recently surfaced information, the entire digital front of the department went offline after the attack. The law enforcement personnel couldn’t file real-time reports and incidents on the department’s digital platform.

Therefore, the police had to resort to handwritten reports when security researchers were busy in disinfecting the system through ransomware removal measures. It is, in fact, a shocking revelation that the entire city department went offline. Law enforcement services were not discontinued for a single minute, all thanks to the diligent officers of Riverside Police. However, the relegation to manual reporting badly hit the day-to-day performance of the department.

The key takeaway from the episode of the Riverside attack is rather simple i.e. a cryptovirological attack has the ability to disrupt public services to entire cities and municipalities.