Tag Archives: Graham Cluley

Ransomware targeting schools

Action Fraud warns that:

Fraudsters are posing [as] government officials in order to trick people into installing ransomware which encrypts files on victim’s computers [by] …cold calling education establishments claiming to be from the “Department of Education”. They then ask to be given the personal email and/or phone number of the head teacher/financial administrator.*

They claim that they need to email guidance to the person in authority because of sensitive comment. However, the attachment contains ransomware.

* Contains public sector information licensed under the Open Government Licence v3.0.

Commentary by Graham Cluley for BitDefender: Schools warned about cold-calling ransomware attacks

David Harley

 

Support scammer targeting TalkTalk customer (again)

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.

I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…

Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.

David Harley

Reporting cybercrime

I haven’t checked the links yet, but Yasin Soliman’s article for Graham Cluley’s site looks really useful. How to report a cybercrime – Who you gonna call? includes a table with contact points in the US appropriate to several categories: I’m guessing that followers of this blog will find the links for ‘Internet fraud and SPAM’ particularly relevant. There are also links to agencies in other parts of the world.

The trouble with compiling such lists of links (which I’ve done many times over the years, in a variety of contexts) is that the links change over time, not only because web pages get changed around, but because agencies (like security companies) are renamed or replaced, or disappear altogether. Right now, though, this looks like an excellent resource.

David Harley

Ransomware and a rumoured Apple ID breach

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”‘ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of  enabling two-step verification on your Apple ID account, too.

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

If cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley

Ransomware updates (1)

I can’t say that the ransomware landscape hasn’t been busy for the past week or two, but so have I, on entirely different issues. I have been adding links etc. to resources pages, and they’re not all referenced here, but here’s an update on some stuff I’ve added today.

(1) Cylance’s analysis of AlphaLocker. (HT to Artem Baranov for drawing my attention to it.) Useful stuff, despite the customary AV-knocking.

(2) Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

(3) Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

 Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.

David Harley

Petya – cracking the encryption for free

A flaw in Petya – the current version, at least – has allowed an unidentified researcher to create a key generator to crack the encryption without paying 0.9 bitcoin to the criminals. BBC story: Petya ransomware encryption system cracked. Commentary by David Bisson for Graham Cluley’s blog: Infected by Petya ransomware? Use this tool to unlock your files… for nowThank goodness ransomware sometimes contains bugs too… And the website set up to help people with the generation: unfortunately, the average victim will have problems getting the information necessary to kickstart the process.

Confirmed by Lawrence Abrams of Bleeping Computer.

David Harley

Is Vaccination Long-Term Protection?

Bitdefender recently offered ‘a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families by exploiting flaws in their spreading methods.’ Combination Crypto-Ransomware Vaccine Released. Bitdefender also offers a Cryptowall vaccine.

Graham Cluley discusses the new vaccine as well as the generic Cryptostalker tool. He rightly points out in his article Vaccine for future versions of Locky, Teslacrypt, and CTB-Locker ransomware released that:

‘Prevention is better than cure… especially when cures may be impossible’

Bitdefender’s Bogdan Botezatu makes it clear in an article by Lucian Constantin that the vaccine is meant to complement other security measures, not replace them. 

‘Vaccine’ programs have been around pretty much as long as malware, though the type of program to which the label is attached may vary widely. However, the term is often applied to programs that take advantage of malware that inserts a recognition marker into a compromised program or system, for example as a registry entry, so that it knows that the system has been compromised. Vaccination inserts the same marker to fool the malware into thinking that compromise has taken place.

Such techniques have their place, but their useful lifespan is likely to be limited as malware authors realize that they are being used, and change their markers or their approach to recognition marking accordingly.

The problem for the end user is that that their system may be threatened after the recognition marker has been changed and before the vaccination tool has been updated. If, indeed, it is updated. Mainstream security companies do try to maintain such free tools consistently (but not necessarily promptly enough to avoid the problem). However, there have been instances of freeware from other sources that may have been effective initially, but when support and maintenance ceased, they became a danger to their users simply because those users were made vulnerable by a false sense of security.

All credit to Bitdefender for adding to the protective options available for end users. I’m just worried that some users of similar tools will place all their faith in them without taking all the other precautions that can help to keep them safe (or at least safer) from ransomware.

David Harley

Recovering from (and preventing) Ransomware

Graham Cluley reports for Hot for Security that Only 38% of businesses believe they will recover from a ransomware attack. He cites a study by Tripwire – Survey: 62% of Companies Lack Confidence in Ability to Confront Ransomware Threat – based on the responses of security professionals at RSA 2016.

Interestingly, Tripwire also ran a Twitter poll asking ‘What is the most important step users can take to prevent ransomware infections?’

The options and responses were:

  • 47% said ‘Don’t click suspect links’
  • 37% said ‘Back up your data often’
  • 11% said ‘Install software patches’
  • 5% said ‘Use an AV solution’

I won’t complain about the low ranking of AV here: after all, no-one is suggesting, presumably, that all those options are mutually exclusive, and in fact they’re all steps people should be taking. But I can’t help wondering who these people are who click on a link even though it’s suspicious. Isn’t the point that so many people have such an unformed view of what ‘suspicious’ really means?

David Harley