
Zero-Day Attacks in Ransomware Industry

August 6, 2018 | Martin

Due to the increasingly high demand for software applications, solutions, and products, many IT teams are forced to release applications in a short period of time. With deadlines approaching, many developers cannot focus properly on the loopholes in the source code. Ransomware removal analysts note that cybercriminals exploit these flaws in several types of cyber-attacks. One that has gained notoriety is the zero-day attack.

A zero-day attack creates an opening through which cybercriminals gain unauthorized access to the systems of an institution or organization. Ransomware removal experts note that this is possible because no signatures or patches exist yet that can deal with the ransomware.

It is expected that these attacks will increase with the passage of time and may form a worrying dilemma in the cybersecurity circles by 2021.

So the question is how to deal with this cyber-threat? Truth be told, these types of attacks are extremely strong and organizations are finding it hard to protect themselves against this onslaught. However, there are a number of security measures that can put you in a better place.

A wide majority of organizations’ security departments do not work on the recovery part. After a ransomware attack, many organizations do not have any contingency plan to recover their files. Thus, ransomware removal experts believe that an organization can profit from the use of backups that can be utilized after the successful infiltration of ransomware and its subsequent encryption.

The faster an organization is able to resist a zero-day attack, the less damage will be caused to its stored data, finances and reputation.

Hence, an organization should strengthen its cyber defense strategy to detect and respond to ransomware that uses a zero-day attack. It should also focus on restoring and resuming its systems in the wake of a ransomware attack.

Report on the Wasaga Beach Ransomware Attack

August 2, 2018 | Martin

Ransomware removal experts found a report on the early 2018 ransomware attack on the Canadian town of Wasaga Beach that was released on July 26, 2018. According to ransomware removal experts, the report focuses on the damages, costs, and expenses incurred in the ransomware attack, which caused quite a rampage in the town and affected the municipal departments’ IT assets.

The report was prepared by the town’s treasurer, Jocelyn Lee. Ms. Lee’s report confirmed that the cyber attack was a ransomware attack in which cybercriminals sought to extort money in exchange for the town’s locked data.

Moreover, Ms. Lee’s report stated that services were acquired from three reputable consulting firms for ransomware removal and recovery processes. The financial costs required to restore the data have been estimated at almost $35,000, while the services acquired from the consulting firms and individuals cost more than $37,000.

The report focused on expenses related to the ransom amount, IT consultants, physical security vendors, IT purchases, third-party software vendors and the overtime of internal personnel. Additionally, there were other costs, especially in lost productivity, as staff were unable to work while the systems were inoperable.

Another Wasaga Beach Report in the Making

Ms. Lee also said that another report is being prepared with the assistance of Hexigent Consultants, which will be presented to the town’s Coordinated Committee on 20 August 2018.

This report will focus more on the technicalities of the attack, which can help authorities understand how the ransomware was able to enter the town’s systems and how it damaged the system and application software.

Ms. Lee’s report concluded with the statement that the ransomware attack was a huge liability for the town. Moreover, the town realized the need for a bigger investment in its IT budget in order to protect itself from the increasingly dangerous wave of cyber attacks, especially ransomware.

Fairbanks Views on the Golden Heart Attack

August 1, 2018 | Martin

Ransomware removal reporters were able to gain insights from Fairbanks North Star Borough on the recent ransomware attack on one of their partner companies, Golden Heart Administrative Professionals (GHAP). The ransomware attack was not only successful in its infection but also managed to threaten the integrity of sensitive patients’ data as health information of more than 40,000 individuals has been estimated to be compromised.

Fairbanks stated that its partner GHAP was an unfortunate victim of a ransomware campaign that managed to employ cryptographic algorithms and encrypt sensitive information stored in Golden Heart’s servers.

Input from Firms

Moreover, ransomware removal reporters were also told that forensics and cybersecurity firms have been analyzing and working on the after-effects of the intrusion, including ransomware removal and recovery processes.

The firms concluded that cybercriminals got access to all the data stored in Golden Heart’s IT assets. It was also observed that other malicious third parties could pose a cyber risk and enter GHAP’s systems. The information compromised consists of various personal and sensitive details including names, birth information, residential addresses, SSN, financial details, medical diagnosis, and treatment.

Late Reporting

Fairbanks disclosed the date of ransomware attack to ransomware removal reporters as 14 April 2018 and also reported that the attack was found out on the same day when the systems were breached. However, Golden Heart was reluctant to report it to the relevant law enforcement authorities and it took a month for them to finally report it on 25 May 2018. Furthermore, the complete details of the attack were only passed to the authorities by 20 June 2018.

GHAP also revealed the attack details to credit reporting companies including Experian, TransUnion, and Equifax. For further information related to the attack, Fairbanks has offered a helpline that operates on weekdays from 5:00 a.m. to 5:00 p.m.

Ransomware Attack in Long Beach

July 31, 2018 | Martin

Ransomware attacks have been occurring in various spaces as evident from ransomware removal experts finding them operating in a number of industries. Recently, the target was the supply chain industry as a ransomware managed to hit the China Ocean Shipping Co. Terminal at the Port of Long Beach.

An official from the company confirmed the news on Tuesday, July 24th, 2018. Ransomware removal experts noted the company’s website as well as its contact information to be non-functional with no one picking up the phone during the afternoon hours.

Long Beach’s representative Lee Peterson stated that they have been examining the attack as well as the repercussions it might bring to the company. Moreover, Mr. Peterson spoke on behalf of the operations crew of COSCO and clarified that the processes and procedures belonging to the company’s logistics have not been compromised by the ransomware.

This contradicts reports from the Journal of Commerce which, citing COSCO’s Vice President Howard Finkel, revealed that the attack did manage to harm some systems, as transmissions between clients and the company’s US operations were affected. As a result, ransomware removal experts noticed a considerable drop in the speed of communications experienced by clients. Additionally, while the telephone could be used as a communication medium, electronic transmissions were inoperable.

Craig Merrilees, a representative from the International Longshore & Warehouse Union, was uninformed about the precise impact of the ransomware attack.

According to ransomware removal experts, the situation does not seem as grim as that experienced in mid-2017 by one of the largest brands in the supply chain industry, A.P. Moller-Maersk. Maersk is a Danish corporation that was hit by a ransomware attack which rendered its operations non-functional for at least three days in the Port of Los Angeles. The damages incurred from the attack were estimated to be at least $300 million.

Ransom-miner: The Multi-Purpose Cyberthreat

July 30, 2018 | Martin

As incidents of ransomware and of the cryptocurrency mining threat known as cryptojacking continue to increase in 2018, a cybercriminal group has managed to combine them to extort maximum money from enterprises. Recently, ransomware removal experts from Seqrite discovered a highly advanced Trojan. This cyberthreat is able to infect businesses with both ransomware and cryptocurrency mining malware.

Dual Purpose

Some ransomware removal experts have given it the name of ‘ransom-miner’ as it was noticed by high-quality anti-malware tools. According to ransomware removal experts, this malware infects systems with the notorious GandCrab ransomware along with a mining malware through which hackers are able to mine the popular cryptocurrency Monero. As the computing resources of businesses and individuals are hogged, Monero is mined and sent to the remote locations of the hackers.

Additionally, the malware also attempts to link the Command and Control servers of enterprises. Security analysts describe it as the latest cyber threat in a calculated and coordinated campaign that aims to target businesses and individuals with a plethora of malicious strategies.

Working

Ransomware removal experts found the Trojan distinctive, as they observed it to be highly complex and sophisticated in its operation. It is launched through a PE32 .exe file on Microsoft Windows, and its code is initially encrypted.

After the affected file is loaded into the victim’s computer, the virus decrypts its code. Subsequently, the newly decrypted code decompresses the PE exe file and modifies the memory of the system’s process. The PE file then takes control and kick-starts the next activities of the virus.

It was also noted that the virus is able to cross-check at least 16 processes in the system to find any sign of a virtual environment like VirtualBox, VMware and other virtualization environments.

Golden Heart Attacked: Another Ransomware Attack in the Healthcare Industry

July 27, 2018 | Martin

Recently cybercriminals attacked Golden Heart Administrative Professionals. Golden Heart is a company based in Fairbanks, Alaska that partnered with several healthcare institutions in the state of Alaska and is primarily a billing company.

Golden Heart notified more than 40,000 of its clients about their Protected Health Information (PHI) falling into the dirty hands of hackers who were involved in a ransomware attack.

Ransomware removal experts stated that the ransomware made its way into the systems through a download on Golden Heart’s servers. The affected server was a storage and processing system for PHI. An official statement by Golden Heart confirmed that the data of its clients was compromised.

According to ransomware removal experts, law enforcement agencies have received the news of the breach and are collaborating to restore the files. Ransomware removal analysts believe this attack to be the biggest of its magnitude in the month of July while they also noted that this was the second reported instance of an organization in the healthcare industry to be attacked in Alaska.

Other Attacks in the Healthcare Industry

Previously in the beginning of July, the Alaska Department of Health and Social Services was the unfortunate victim of a cyber attack as their systems were affected by a malware. Ransomware removal experts explained that a trojan by the name of Zeus attacked their PCs and got a hold of protected health information of at least 500 people. These attacks raise a question mark on the reports that were claiming ransomware attacks to be decreasing.

Other victims in the healthcare industry include LabCorp Diagnostics which was ravaged by the notorious SamSam Ransomware. It was estimated that millions of patients’ data was compromised in the attack.

Similarly, Cass Regional Medical Center was also affected by ransomware, as its communications and patient record systems were compromised. As a result, ambulances had to be diverted to different locations.

Was LabCorp Hit By SamSam Ransomware?

July 26, 2018 | Martin

Recently, ransomware removal experts found that LabCorp, an organization in the medical testing industry, had been hit by ransomware. However, the organization has not made the attack’s details public, nor has it disclosed how many servers were affected.

LabCorp had to close down its network on 15th July, when ransomware removal analysts found the signs of an attack. As a result, its business operations came to a halt. It was rumored that the ransomware involved in the case was the notorious SamSam ransomware. LabCorp officials were reluctant to clarify this detail amidst continuous attempts by reporters to gain further insight into the attack.

The official statement published by LabCorp consists of the date of the attack as well as terms like ‘a new variant of ransomware’ and ‘suspicious activity’, which makes it eerily similar to the statement it filed with the SEC after Sunday.

CSO Report and SamSam Ransomware

CSO reported earlier that more than 1000 of LabCorp’s servers had been compromised due to a ransomware attack. Some ransomware removal experts were again pointing their fingers at SamSam as the culprit.

Additionally, the report validated the official statement of LabCorp and corroborated that no patient information was compromised, as LabCorp monitored and analyzed the traffic of its system. This is an important detail according to ransomware removal experts, as it resembles the work of SamSam ransomware. The operators of SamSam are uninterested in the contents of the hostage data and only hit servers with the intent of spreading their ransomware and extorting money.

SamSam ransomware’s modus operandi is to use brute-force attacks against Remote Desktop Protocol (RDP) to infiltrate systems and spread through them. Moreover, it is only expected to harm systems that run the Windows operating system.

LabCorp has now focused all its efforts on the disaster recovery process, which may take a few more days.
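A detection sketch for the RDP brute-force entry vector attributed to SamSam above, added here as an example (it is not code from the original post or from any vendor it names). It scans Windows Security log rows for bursts of failed logons (event 4625) from one source address and reports whether a successful logon (event 4624) followed; the CSV column layout, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real data): Windows Security log rows exported to CSV.
# Event 4625 = failed logon, 4624 = successful logon. LogonType 10 is
# RemoteInteractive (RDP); failed RDP logons are recorded as type 3 when
# Network Level Authentication is enabled. Column names are an assumed layout.
SAMPLE_CSV = """\
TimeCreated,EventID,LogonType,IpAddress,TargetUserName
2018-01-10T02:00:01,4625,3,203.0.113.50,administrator
2018-01-10T02:00:05,4625,3,203.0.113.50,admin
2018-01-10T02:00:09,4625,3,203.0.113.50,backup
2018-01-10T02:00:13,4625,3,203.0.113.50,svc_sql
2018-01-10T02:00:17,4625,3,203.0.113.50,administrator
2018-01-10T02:00:21,4625,3,203.0.113.50,helpdesk
2018-01-10T02:00:40,4624,10,203.0.113.50,helpdesk
2018-01-10T08:15:00,4625,10,198.51.100.7,jsmith
2018-01-10T08:15:30,4625,10,198.51.100.7,jsmith
2018-01-10T08:16:02,4624,10,198.51.100.7,jsmith
2018-01-10T09:00:00,4625,2,-,localuser
2018-01-10T11:30:00,4625,3,192.0.2.9,administrator
2018-01-10T11:30:10,4625,3,192.0.2.9,administrator
2018-01-10T11:30:20,4625,3,192.0.2.9,root
2018-01-10T11:30:30,4625,3,192.0.2.9,test
2018-01-10T11:30:40,4625,3,192.0.2.9,guest
"""

# Type 3 also covers other network logons, so this is a starting filter only.
RDP_LOGON_TYPES = {"3", "10"}


def find_rdp_bruteforce(csv_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP with >= threshold failed remote logons
    inside a sliding time window, noting any successful logon that followed."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still in window
    failures = defaultdict(int)    # ip -> total failed remote logons
    users = defaultdict(set)       # ip -> account names that were tried
    flagged = {}                   # ip -> first account that logged on afterwards
    rows = sorted(csv.DictReader(io.StringIO(csv_text.strip())),
                  key=lambda r: r["TimeCreated"])
    for row in rows:
        if row["LogonType"] not in RDP_LOGON_TYPES:
            continue               # console and service logons are out of scope
        ip = row["IpAddress"]
        ts = datetime.fromisoformat(row["TimeCreated"])
        if row["EventID"] == "4625":
            failures[ip] += 1
            users[ip].add(row["TargetUserName"].lower())
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, None)
        elif row["EventID"] == "4624" and ip in flagged and flagged[ip] is None:
            flagged[ip] = row["TargetUserName"]   # guessing likely succeeded
    return [{"ip": ip,
             "failures": failures[ip],
             "users_tried": sorted(users[ip]),
             "success_user": flagged[ip]} for ip in sorted(flagged)]


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_CSV):
        print(alert)
```

An alert whose `success_user` is set is the one to triage first, since it marks a successful logon from an address that had just been guessing credentials.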

Missouri Hospital Ransomware

July 25, 2018 | Martin

According to ransomware removal experts, this year marked a continuous rise in news related to ransomware attacks on medical institutions and hospitals. However, this time cybercriminals were involved in an attack against a hospital in Missouri that affected many patients and their families.

Details of the Attack

Cass Regional Medical Center (Missouri) was the institution attacked with ransomware. Cybercriminals managed to infect its systems at 11 am on July 9th, which prompted the authorities to shut down the EHR as a preventive measure. Spokespersons from Cass were confident and stated that patients’ data was not affected. Moreover, almost 90 percent of the disaster recovery was complete within the first few days.

Hospital authorities collaborated with a forensic firm in order to decrypt the affected data and remove the ransomware from it. The EHR was initially shut down but was reinstated after the initial investigation was completed.

The attack affected the entire enterprise IT infrastructure of Cass, which consisted of electronic health records. These included more than 30 inpatient beds. As a result of the attack, Cass had to divert its ambulances that were carrying patients dealing with stroke and trauma to different locations.

The Elephant in the Room

The attack acts as a reminder against the ferocity and dangerousness of ransomware attacks, which can put lives of patients in jeopardy. According to ransomware removal experts, this incident can be viewed as a learning experience against the impact of cyber attacks in the healthcare industry. Moreover, doctors, nurses and other hospital figures have also realized the severity of the situation and have been supporting the inclusion of stronger cybersecurity measures in hospitals and medical institutions.

According to ransomware removal experts, it is important to note that Cass is just one of a long list of healthcare institutions that have been ravaged by ransomware attacks in recent memory. Similar attacks have been reported in the U.S. as well as other countries, since cybercriminals find it easier to breach the weak digital security of hospitals.

Sophos Introduces Deep Learning into Its Email Solution

July 19, 2018 | Martin

Many companies are trying to engineer a breakthrough in their cybersecurity strategies to combat malware and ransomware attacks. Among these companies, ransomware removal experts are relying on network security provider, Sophos, to develop an email protection solution that can help to fight against advanced malware and ransomware attacks.

Inspiration behind the Solution

According to ransomware removal experts, the email solution has been made powerful through the use of deep learning algorithms. Deep Learning is one of the latest subfields of machine learning that helps computers to learn and predict future outcomes.

Email continues to be the leading distribution strategy used by hackers to proliferate their ransomware and malware campaigns. Sophos’ email tools process more than 10 million emails daily. Its research found that the majority of organizations in the world were hit by a ransomware attack in the last year. Moreover, it found more than 75 percent of their spam emails to contain malicious viruses.

How Does The Solution Work?

Sophos’ email solution uses neural networks. Neural networks are one of the algorithms of deep learning that help the computer to think like a human brain. Neural networks are trained with a dataset that helps them to think dynamically and handle an unfamiliar situation without the need for human intervention.

Neural networks’ integration in Sophos email solution helps to counter unfamiliar threats by going over the attached files in an email before a user opens or downloads them. The solution will analyze and predict quickly whether the email is corrupted with a malicious payload or not.

Moreover, Sophos email also helps to verify the legitimacy of links provided in emails. According to ransomware removal experts, hackers either add a file attachment in their emails or try to add tempting links with click-bait potential. Sophos solution scans any hyperlink present in an email and notifies the presence of any dangerous malware or ransomware in time.

Furthermore, other advanced features include multiple policy support and outbound scanning. This means that when an individual’s or organization’s email account is infected with ransomware or malware, the solution will limit it from spreading to other organizations or individuals.

How Ransomware Are Trying to Expand Their Tactics in Order to Challenge the Latest Security Measures in 2018

July 17, 2018 | Martin

As ransomware attacks have begun to rise in the last few years, organizations have improved their computer security through various measures and practices. These practices were hoped to stall the juggernaut of ransomware. However, according to ransomware removal experts, cybercriminals should not be taken lightly as they are trying to extend their domination through advanced strategies in 2018.

Shifting Code

Organizations use several anti-malware and anti-ransomware tools to detect and remove ransomware. These tools analyze the common patterns and code of a ransomware to easily identify them.

However, some recent ransomware continuously changes its internal code and mechanisms, which makes it harder for anti-ransomware tools to identify it. This type of ransomware redesigns itself every time before it attacks a new user, and thus it is hard for ransomware removal experts to find similarities in the code.

Latest Operating Systems Are Not Targeted

According to ransomware removal experts, many ransomware attacks this year were possible because organizations and individuals, particularly Windows users, were using older versions of operating systems. The Maharashtra ransomware attack this year is a prominent example of this.

Older operating systems are not equipped with the necessary security measures that can tackle the most advanced ransomware. However, the latest operating systems from Windows and other OS vendors include powerful cybersecurity components that provide greater resistance against ransomware infection. Hence, cybercriminals are less interested in attacking modern operating systems.

Hard Drive Woes

When a ransomware generally infects a system, it mainly tries to damage the system software, application software and personal files of the user. However, recent ransomware are so sophisticated that they are directly tampering with the code of the hard disks of a system and making it inaccessible to its user. This effectively shifts the control of the hard disk to a cybercriminal in a remote location who does not have to worry about decrypting all of the user’s files.

With such advancements and evolution of ransomware, organizations and individuals need to give their best shots in order to strengthen the security of their sensitive data.

© 2019 MonsterCloud.com. All Rights Reserved.