Don’t let down your guard yet, but it would seem that hackers are focusing their efforts on targets with deeper pockets than you or I. Sinclair Broadcasting is the latest infrastructure victim to have their operations significantly disrupted by a ransomware attack that took dozens of televisions stations completely offline for hours in various markets across the country. As one of the largest media companies in the US, Sinclair owns and operates nearly 300 stations in the US, and according to unverified reports from inside sources at Sinclair, many of the stations are connected via a common Active Directory structure that allowed attackers to jump from station to station, encrypting servers and paralyzing the the affected station’s ability to broadcast any of its regularly scheduled programming.
What this means for you
Sinclair doesn’t own any stations local to Southern California as far as I can tell, so most of us probably went about our weekend blissfully unaware that a ransomware attack locked down an undisclosed number of stations. Though they as of yet have not released specifics, it’s possible they are the latest victims to run afoul of a new RaaS (Ransomware as a service) called BlackMatter which, perhaps not coincidentally, has also shown up in a new advisory from CISA, the FBI and the NSA that warns of threat actors using the new platform to target critical infrastructure, including two recent attacks on agricultural targets in the US. While these attacks may not impact you or I directly, infrastructure attacks are definitely worthy of our attention as they can and will cause widespread disruption to activities and services we take for granted, and in some cases like hospitals or law enforcement agencies could actually be life-threatening. And here’s something you may not have considered – each of these attacks most likely started with and individual getting tricked into giving up a password that gives the hackers a toehold, and that is all they need. Unfortunately, in this increasingly complicated technology landscape it is becoming ever more difficult to keep passwords safe, mainly because we are always being asked for them. How many times a day are you confronted with a password request that makes you question it’s legitimacy? It’s a challenge to keep up with technology on a good day, but when the hackers have you on guard 24/7, you really can’t afford to not pay close attention.
Unfortunately, there isn’t any silver bullet or magical tip I can provide to help you here. It’s most important to know where and when a service might ask for a password, and how to recognize legitimate requests based upon having more than just a passing familiarity with applications and services that require passwords that protect sensitive data or privileged access. If anything, err on the side of not entering a password if you aren’t 100% certain. Additional protection will come from using multi-factor wherever it is made available to you, and of course, using unique, hard to guess passwords for all your important services.
Those of us who have been using computers for a few decades remember the days when getting a computer virus was more of a nuisance than today’s current nightmare, but back then computers and the internet played a much lesser role in our personal and professional lives. On top of this, the past purveyors of malware had a much different agenda (if they had one at all) than today’s anonymous blackmailers and ransomers. When money is the object, you can bet some very smart and unscrupulous people are going to find ways to pollute your ‘puter for profit, and sadly, email is big, red target on everyone’s back.
Why is email targeted?
- Everyone has an email account. As of this year, over half the planet uses email meaning there are literally billions of email accounts. Email extortion schemes are extremely profitable if only a very small percentage fall for the fake link or open the bogus attachment and then follow through with a ransom payment. The profitability of a ransomware campaign relies on how wide a net can be cast, and with billions of fish in the sea, lots of nets can be cast.
- The cost to send an email is microscopic. Even campaigns that send millions of phishing emails have incredible ROI if only a tiny percentage actually hook a victim. With the right infrastructure (typically hacked servers belonging to someone else), malware teams can push out millions of emails with a few hours of investment of time and minimal hardware costs. On average, ransom demands to small companies are now upwards of $13000 per incident. You don’t even need to do the math to see why this is happening.
- It’s incredibly easy to fool someone via email. Yes, you still get a ton of poorly spelled and grammatically awkward offers to share in the inheritance of foreign princes, but mixed among all the general pollution and real emails are fakes that are becoming increasingly hard to catch. Email scammers are upping their game daily, especially since it definitely leads to more victims getting tricked.
- Each of us gets too much email. I don’t know a single adult who would say otherwise. Even those of us who are really damn good at grinding that email box down to zero each day (not me) do so at great expense of time and energy. And, like any working adult who is pressed for time, this means we are more likely to cut corners (ie. security) and make hasty decisions that leads poor outcomes.
- Email technology has not advanced to match the growing sophistication of malware. Outlook is literally 22 years old and has not changed much in how we process email. SMTP, the primary delivery mechanism for internet email was first released in 1981, and while security and encryption has been tacked on in the intervening years, the core technology is essentially unchanged. Email technology needs its equivalent of the hybrid/electric car to change the industry, and seeing as how long it’s taken those types of cars to affect meaningful change, I don’t expect a quick change on the email side either.
- We are completely dependent on email. Even if we wanted to cut email out of our lives, too much relies on this system of communication to even consider how we would function without it.
Next week: how to bolster your email security perimeter.
Image by Gerd Altmann from Pixabay
Remember when there was nothing more innocent and incorruptible as a child’s teddy bear? For all the potential good the internet can bring, there are some things that should just not get connected, at least until we can secure data properly. The latest black eye for the “Internet of Things” (IoT) comes in the form of a line of stuffed animals that can record and relay messages back and forth between parent and child. While wholesome and lovely in theory, the whole implementation is undermined by poor security and what appears to be a non-trivial amount of carelessness, all the ingredients for a disastrous internet breach. Reports vary, but anywhere from 500k-800k “users” data was exposed to an unknowable number of unauthorized eyes. This data included both identifying information as well as the actual voice messages from both adults and children.
What this means for you:
If you happened to be the (no longer) proud owner of a CloudPet, you have the unenviable responsibility of trying to explain to your child why they can’t use the thing that made this toy special. Hopefully it won’t be traumatizing. While you may be able to enjoy some schadenfreude from the possibility that the company appears well on it’s way to failure, this also means that there will be no recourse or recompense for saddling you with a toy that violated your family’s privacy. Not a CloudPet user? Regardless if you are a parent, relative or even just a friend, think twice before giving a small child an internet-connected toy. Very clearly, we, and the internet, are not ready for such a thing.
In an extremely unusual occurrence, the operators/handlers of the infamous TeslaCrypt ransomware have announced they are discontinuing operations of their highly lucrative malware campaign for undisclosed reasons. Analysts speculate it could be anything from growing law enforcement attention, redirection of resources on even more virulent malware, to the unlikely scenario that the operators have made enough money and are feeling generous. Whatever the case may be, researchers from security company ESET contacted the “retiring” operators and asked them if they would publish TeslaCrypt’s master key, and to everyone’s astonishment, they obliged. Armed with this critical piece of data, ESET and others have built apps that have the capability of decrypting data that is being held captive by any number of TeslaCrypt variants dating back as far as early 2015.
What this means for you:
For one of my clients, a distant hope for this exact scenario finally paid off. Their data has been trapped in encryption for over a year, and as they didn’t have a viable backup at the time of the infection, they walked away from nearly a decade of data that was locked away even after paying the ransom. After our initial attempts to recover the data with what seemed to be a fake key, we put the data aside in the hopes that the master key would someday be recovered, possibly through law enforcement activities. Fast forward to this past weekend: after several hours of number crunching with tools provided by the brilliant folks at BleepingComputer.com and the master key secured by ESET, I was able to successfully decrypt nearly 200,000 files in what appears to be a full recovery of the “kidnapped” data.
If you happen to be among the unfortunate few who fall into this same ransomed data, backup-bereft category, your long-odds gamble may actually pay off like it did for my client. Counting on events like this unfolding for other variants of malware is still highly irrational. Last time I checked, there were still large portions of the world beset by malicious and criminal behavior, and it may never be revealed why the TeslaCrypt operators released the master key. Even if some hackers discovered compassion for their fellow humans and gave up their black-hat ways, there are ten others ready to take their place. Cybercrime continues to be a huge moneymaker for the criminal element. For this reason alone, you should continue to reinforce your technology defenses with a strong firewall, competent anti-malware and reliable offsite backups.
Image courtesy of renjith krishnanat FreeDigitalPhotos.net
Looking back over the past few weeks I realize I’ve fallen down on my job of terrifying you with news of the latest technology boogeyman. There’s a new ransomware in town and this one gets down to business in a hurry. Dubbed Petya by security company F-Secure, this vicious piece of malware works in a similar fashion to its brethren by encrypting data and holding it for ransom, with a twist: instead of encrypting just your documents, it will “kidnap” the entire disk by encrypting the master file table, and it can do so very quickly because the MFT is just the “index” of all the files on your drive. If you were to think of your drive as a book, this is the equivalent of putting a lock on the cover and holding the key for ransom.
What this means for you:
At minimum, any virus infection is going to result in a bad day even if you have a full backup of your important data. Before your data can be restored, you need to be certain the malware hasn’t spread to other machines and is waiting to pounce the moment you get the data restored. With previous versions of ransomware, the attack would leave affected machines more or less operational as the malware only encrypted documents and usually left applications and the operating system intact. Not so with Petya which locks out the entire disk. If this malware were to attack a server, it could paralyze an entire company within seconds. If you though recovering and cleaning up a workstation took a long time, double or triple the time needed to bring a server back online, and that’s only if you had full-disk backups and not just files. A malware attack is inevitable – no amount of money, time or paranoia can provide 100% protection. Your only hope for a recovery is proper data backups managed by an experienced professional. Are you ready to test your backup plan?
Image courtesy of Zdiviv at FreeDigitalPhotos.net
In a disturbing trend that bodes ill for everyone, multiple US healthcare institutions have been victimized this past month by highly effective ransomware attacks. In each instance, the malware infection has significantly disrupted operations and, in some cases, forced administrators to actually pay out thousands of dollars in ransoms to regain control of their data and IT systems. In the case of the Hollywood Presbyterian attack, the hackers initially demanded $3.6 million in bitcoin to release the data and systems their malware had encrypted, but settled for $17k. More hospitals in California, Kentucky and Maryland have also been hit and crippled by ransomware attacks, in some cases paying the ransom to regain control of their IT systems, and in other cases recovering systems and data through established data backup platforms and security protocols. And just to keep things interesting, toy-maker Mattel was also defrauded out of $3 million after falling victim to a carefully-planned an well-executed email scheme.
What this means for you:
Though some of the hospital attacks mentioned above are thought to have come from a documented server exploit known to exist in healthcare software platforms, analysts are reporting a surge in emails carrying viral payloads including new, highly-effective variants of ransomware, probably because of the highly-publicized ransom payment made by Hollywood Presbyterian. The harsh reality of this worrying trend is this: it costs criminals virtually nothing to start malware campaigns that are resulting in hundreds of millions in damages to organizations around the world, and it’s netting those same criminals an equivalent amount of money paid by desparate victims. Despite spending millions on security, businesses and individuals around the world still fall victim to this ploy because of the humble email. Previously I had written about ways to spot fake emails (and you can still spot them if you look hard enough), but given how many emails we receive, and how clever attackers are becoming, it’s only a matter of time before any of us get duped and it’s already too late after that second mouse-click. Or is it? Though the ransomware attacks managed to disrupt operations at the hospitals mentioned above, several of them were able to get back to work once the infections were cleaned out and data restored from backups. The temporary disruptions caused by the compromised systems were kept to a minimum, as was the damage to the wallet, by a tested (and now proven) disaster response and recovery/backup plan. How long could your business afford to be disrupted by a ransomware attack? Could your business survive the loss of critical data? What about the reputation damage resulting from disclosing the attack to customers? If you thought a backup platform was expensive, consider the alternative. In the case of Hollywood Presbyterian, $17k was just the down payment on a huge hit to the wallet.
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
I am increasingly encountering a dangerous misconception about data backups that could lead to some serious “facepalm” moments. On at least three separate occassions while speaking with someone about data backups, the person I was with referred to DropBox as their primary data backup platform. In case you are unfamiliar with DropBox, it’s a cloud-based platform that can be used to sync files and folders between multiple computers, while also maintaining a copy of that data in the cloud as well. This cloud component is what many folks like to believe is their “offsite backup”. It’s true – if your local hard drive were to fail and you lost files that were being synced by DropBox, you could retrieve a copy from one of your other mirrors or the copy in the cloud. However, what if you or one of your employees who has access to the DropBox repository accidentally deleted some important files? DropBox doesn’t know you (or they) didn’t mean to delete those files, but it will make sure that change is reflected across your entire DropBox repository. What if you got hit with one of those nasty ransomware viruses which encrypts files, including the files in your DropBox repository? DropBox will dutifully overwrite your data with the encrypted copies, effectively destroying your “offsite backup”.
Let me ‘splain:
DropBox’s strength lies in easily establishing a set of files and folders that can easily be synced across multiple machines and locations, and it does this through a simple mechanism which essentially looks at each endpoint (and the cloud) and says, “Make all these the same.” This same strength is a resounding weakness when it comes to proper backup methodology. In a nutshell, your backups should keep track of your data across time, in set intervals, so that you can, in theory, go back to any one of those points in time and retrieve the data as it was at that moment. The reason this is important is for the two situations mentioned above (and many other scenarios as well). In both cases, mistakes were made. Our best course of action would be to go back in time to before those mistakes were made, but seeing as we can’t actually time travel yet, we use backups to accomplish nearly the same thing with our data. Even if the mistakes weren’t noticed for a period of time, as long as you have sufficient version depth in your backup strategy, you can look back to a time interval before the deletion and retrieve the files. This is something that DropBox can’t do, and probably shouldn’t, as it’s not meant to be a data backup platform. There are hundreds of viable backup solutions that range in price and complexity, and many of them are as easy to set up as DropBox. Don’t stop short of using a real backup solution just because you’ve got a copy of your files somewhere else. A good backup solution requires some thought and determination, but can pay back huge dividends when mistakes or disaster strikes.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As if the mad rush to “web-ify” everything wasn’t bad enough, McAfee’s security blog now brings us a new, shining moment in Internet history: it is now possible to visit an easy-to-use website to host your own ransomware campaign for the low, low price of free. A group of cybercriminals have put together a service that will provide you with the malware that locks up your victim’s files, as well as the means to collect the ransom via bitcoin through their consolidated platform. The service even includes a dashboard that summarizes your criminal activity: number of computers infected, number of people who paid the ransom, and how much you’ve made so far. It all sounds like something the Onion.com would dream up, but sadly, it’s real. Would-be cyber-extortionists have to pay 20% of their take to the service owners, which could amount to some serious cash. Over the course of the past few years, experts estimated that tens of millions have been made on previous ransomware campaigns. Like any good money-making model, these enterprising individuals hope to amass a fortune on the backs of aspiring cybercriminals.
What this means for you:
As I’ve said in previous blogs, cybercrime is big business now. Though McAfee’s bright light of publicity may help shut down this particular iteration of mass-market ransomware services, you can bet dozens more will follow suit, if they aren’t already up, running, and better hidden. The internet has the ability to magnify anyone’s capabilities by an incredible degree, even more so when someone with savvy and no scruples turns their sights onto the vast, largely naive internet populace. The pitch for this particular service is that “anyone” can set up their own ransomware campaign, and you can bet they’ll do a booming business until the good guys shut them down. On a more reassuring note, this particular platform only provides the means to start and run a ransomware campaign. It would still be up to the would-be extortionists to actually target and distribute the malware to their victims, a task which is surprisingly hard to do in a way that won’t get you caught. However, is it so hard to imagine someone else setting up shop right next door to the ransomware folks, where, for a “small percentage of the take” they would provide those targets? Imagine if these enterprising criminals decided to form pyramid schemes on top of these “business models”. I imagine once attaining that level of vicious cannibalism, the whole thing might collapsed in on itself under the weight of sheer backstabbing and profiteering, but in the meantime, we might drown in a crushing wave of malware. Sadly, there’s no magic bullet, but there are three things you can do to better protect yourself against the coming storm: a good firewall on your perimeter, solid anti-malware on your computer, and an up-to-date offsite backup of your data. Those things plus constant vigilance (and a little paranoia!) will go a long way towards staying safer in these more dangerous times.
The New York Times is reporting that the number of Android smartphones infected with a ransomware virus has grown to nearly one million devices in the past 30 days. Though the concept of ransomware is not new to the technology world, only minor outbreaks of this particularly nasty malware have been seen on mobile devices, and have either been quickly defeated or bypassed. Not so with this latest set of extortionware: most prolific is a trojan called ScarePackage, which, as the name suggests, locks your phone with a warning that the device has been used to commit a crime (child porn and media piracy are two of the most common tactics), and can only be unlocked by paying a fine to “law enforcement”.
What this means for you:
Up until now, the most common way Android devices were infected with malware like the above was through “sideloading” apps from questionable sources other than Google’s own “Play” store. Unfortunately, hackers seem to have perfected mobile browser drive-by infections so that they don’t even need to rely on someone bypassing the normal controls all Android phones ship with by default. It’s unclear whether Android antimalware apps (I use WebRoot’s SecureAnywhere) can protect you from drive-by infections reliably, but it does provide a layer of protection when installing apps and it will block suspicious text messages; both are a common source of malware infections. On top of installing malware protection on your mobile device, you should always be very careful surfing unknown or questionable websites, avoid installing brand-new, never-reviewed apps (sometimes trojans slip through Google’s malware screening), and always scrutinize the permissions that installed apps are requesting, especially the ones that ask for full administrative permissions or unfettered access to make mobile calls and send text messages.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As if having your Windows computer files and iPhone being held for ransom wasn’t bad enough, Android-based devices can now “enjoy” that ignominious fate as well. Security researchers are reporting that hundreds of Android devices, primarily in Russia and the Ukraine are being infected by a Trojan called “Pletor” which can do just like it’s Windows based counterparts: the victims were tricked into installing the trojan by fake websites, apps and games, and once the victim’s content is encrypted, the trojan demands a ransom of approximately $30-35 USD to unlock the data.
What this means for you:
Though it has happened before, it’s still extremely rare for a Trojan like the above to make it through the screening process that Google performs on all the apps that are available through the Google Play store, and even if one does, it’s pulled quickly. Google can even reach out retroactively to affected phones to remove the harmful app. That being said, it’s not hard to “side-load” apps on Android devices, which is primarily the way Android malware spreads. The easiest way to keep your Android devices safe: don’t side-load apps. Only install apps published through Google’s Play Store. Keep in mind, for everything not a Kindle Fire, installing apps from Amazon’s App Store is considered side-loading, and should only be done if you really know what you are doing. And if you just can’t live without side-loading apps, make sure you don’t store any important information on your device, and keep it well away from sensitive business data. The more risky your activities are on the device, the more likely it is that device will get compromised.