Digital Security Update - April 2016
Ransomware, ransomware, ransomware...
Ransomware takes centre stage again this month as one Cybercrime monitoring group warns the Ransomware epidemic could become the ‘largest crime wave in modern history.’ Source
The Ransomware model only works if individuals or businesses don’t have backups of their data. If everyone had effective backups, no-one would have to pay ransoms and the Ransomware business would not exist. DNG Technology offers a simple, secure and cost effective Cloud backup service. Take a look at DNG StoreSafe.
Before the advent of Ransomware, there wasn’t any effective business model to generate income from malware. The introduction of untraceable financial transactions using Bitcoin and the completely anonymous and encrypted Tor network have made it far easier to demand and collect payments without being tracked down by ‘the law’. Cyber criminals are beginning to collect significant payback for their efforts and some of this money is being spent improving their tools. i.e. more advanced malware.
At the same time, malware distribution is becoming less specialised. You don’t need to be an expert hacker or coder to enter the Ransomware industry, you can buy what’s effectively a ‘starter kit’, complete with an advanced exploit kit and even a performance dashboard that shows active victims and infection statistics. Some even include a period of tech support from the authors.
The result of this increased accessibility is more malware from more sources more often so…
…never open an email attachment you aren’t expecting and never click a link in an email for which you are not sure of the destination.
If you want to check if a link is safe, copy it then submit it to Virus Total (use the URL tab) here. If I’ve made you paranoid enough to not want to click on that link, search for ‘Virus Total’ using your favourite search provider.
TeslaCrypt version 4.0 has appeared with tougher to break encryption and the ability to access even more of your PCs files and data. It also recruits infected machines to its ‘bot’ army to help it infect even more machines. TeslaCrypt, like many other currently active malware, uses the Angler exploit kit as part of its distribution strategy (exploit kits are explained in our February security update). So keep your system and applications updated or you will be exposed. Further information is available from Heimdal Security.
Petya, a new form of Ransomware appeared during March. Forget your garden variety Ransomware that is particular about which files it encrypts and which it leaves in-tact so your computer can still function, Petya doesn’t care about any of that, it takes out the entire computer by encrypting critical portions of the hard drive. In Russian, Petya means ‘stone’. I wonder if this is intended as a (not so) humorous reference to the concept of ‘bricking’ a device which literally means, making it as useful as a brick!
Once infected with Petya, the drive is modified then a reboot undertaken allowing the ransomware to load before any anti-malware can spot it. The Petya loader displays a fake check disk (CHKDSK) screen but in actual fact, it’s busy encrypting or re-writing parts of the drive.
At the time of writing, a couple of security researchers have provided a means to decrypt the drive, but this opportunity may not last long as the Petya authors are likely to update their malware to ‘plug the leak’. If/when this happens, there is no way to salvage the drive without paying the ransom (currently 0.9 Bitcoin or $500 AUD).
The SamSam file encrypter is delivered to machines connected to the same network as an infected application server (JBoss Java based web application servers have been targeted). Windows machines can be infected when users of those machines access their organisations internal applications which are served by the infected JBoss server. This particular variant of Ransomware has been targeting the health care industry in the US. Further information here.
Maktub locker is being distributed through an email phishing campaign but rather than the usual generic type of content, the emails used in this campaign are likely to include your name and address details, adding to their credibility. The document being distributed claims to be a Terms of Service update and indeed it looks to be one when opened. The file extension is actually .scr which is definitely not a document extension. Delete any messages containing attachments with .scr extensions.
Our managed anti-malware product, Guardian Managed Anti-Virus, built on Bitdefender Endpoint Security, has once again scored 100% detection rate in the latest round of Windows 10 AV testing by the independent AV Test organisation. This result places it in No. 1 position. Read the full report here.
Software Vendor Security Updates
Critical updates have been released this week by Microsoft and Adobe. Ensure your computers are up to date or subscribe to our Guardian service and we’ll make sure your machines are always up to date.