Category : Spyware/Malware

Bank Accounts Targeted by Silent Malware

Another level of sophisticated malware has hit online banking in the form of a trojan called “GozNym”. GozNym has already helped hackers steal over $4 million from banks in the United States, Canada, and Europe, according to IBM Security executive adviser Etay Maor, who led the team that discovered the malicious software.

GozNym is a high-alert, extremely dangerous piece of malware for a few reasons. The first is that it is a hybrid: the initial malware infects the machine and installs itself together with a second malware component. That second component waits in the background until the user visits the web interface of a financial institution, then captures the user’s username and password. On top of that, the malware is encrypted twice over, which makes it far more difficult to analyze and research. The process is time consuming and often yields few answers on how to rid the machine of the infection.

In addition, GozNym has proven especially difficult for anti-virus software to detect. Most well-informed people, aware of the sensitivity of their data or simply valuing the health of their computer, already have reputable anti-virus software installed, heeding the advice of information technology professionals. However, if the anti-virus cannot detect the malware, your machine is basically waving its hands in the air asking for trouble. An infection can take hold without the user ever being aware of the installation, and all it takes is one visit to their bank’s web portal; the rest is history.

“There might be a million malware strains, but there are only a few families that are active and dangerous and those principal malware families are owned by organized crime, so this could cause very heavy losses in online banking fraud.”

Don’t use the same password for everything. If hackers can silently get the password to one of your bank accounts without you knowing it, don’t give them more to work with by making that same password the golden key to all of your logins. Password managers are becoming increasingly popular precisely because everything now needs its own password. Although this method cannot be called bulletproof, it is a significantly better way to stay safe. The GozNym malware is sophisticated enough to keep showing full bank account balances even after criminals have drained the accounts, so stay conscious of how you are accessing your banking information. For the time being, paper statements might be the best practice until a solution is found.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Dangerous New Malware Targets Online Bank Accounts

Kansas Heart Hospital- Paying the ransom still wasn’t enough

The Kansas Heart Hospital in Wichita recently found itself at the mercy of a ransomware nightmare. Since the demand was neither unattainable nor extremely high, the hospital decided to simply pay the Bitcoin, thinking that would be the end of it. Not quite. After the hospital paid, the hackers decided the hospital was a willing target for even more money: they took the payment, held back some of the data they had encrypted, and demanded a second ransom from the hospital.

To my surprise, the Kansas Heart Hospital didn’t end up giving the hackers any more funds. We aren’t sure whether they decided the remaining data was not important, or whether the hospital brought in tech support from a trusted source. Whichever the case, I appreciate the hospital standing firm in its decision not to pay any more Bitcoin. Many have been urged not to pay absurd ransomware demands, but it can be terrifying when the situation actually arises. Helpless, I’m sure, is how many ransomware victims feel.

Nevertheless, it is important to be aware of malware and ransomware threats. Nearly half the hospitals in the United States have been attacked by some variant of malware or ransomware. An official at the Kansas Heart Hospital even told reporters that they “were aware of the ransomware threat and had a plan in place to deal with it”. Better make sure you have a plan B too.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Hospital pays ransom, ransomware demands more money

Ransomware-like scam – Windows Product Key is “Invalid”

Now that ransomware is on everyone’s mind, a few crooks posing as tech support are tailoring their skills to work the same angle. A lock screen appears on the PC claiming that the user’s Windows license has expired and that a quick call to the tech support number provided will solve the problem. A fake Microsoft technician answers the line and is more than happy to help, if you are willing to pay the price.

Users see a lock screen on their machine that closely resembles a genuine Microsoft program. After the program installs, it waits patiently for the user to restart the PC. After the restart it activates, takes over the desktop and displays a highly convincing Windows Update screen. To the naked eye, nothing gives away that this is in fact ransomware.

After activation, the infected PC displays a screen telling the user that the desktop has been disabled because of an expired license key, with the computer name taken from the victim’s actual PC. Now that the PC is locked, the user thinks they are doing the right thing by calling the number provided and talking to someone they believe is Microsoft tech support.

Malwarebytes called the number, and a fake Microsoft technician revealed a hidden functionality. Hitting Ctrl+Shift+T would bring up a built-in installer for TeamViewer. The tech support scammer on the other end of the call refused to give much more information without the $250 to unlock the PC, which of course, Malwarebytes did not pay.

A user who refuses to pay the requested fee has few resources to fix the machine on their own. Fortunately, security researchers have found a small loophole. Discovered by @TheWack0lian, Ctrl+Shift+S will let users kill the winlocker without touching the contents of their machine. The hardcoded values “h7c9-7c67-jb”, “g6r-qrp6-h2” or “yt-mq-6w” can also be entered as the product key. These may unlock the machine, but they are not a fix across the board, as they do not work for all versions of the locker.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Ransomware-like tech support scam locks screen, labels Windows product key as invalid

What to do if you suspect Malware? We have the answers

Most often one does not know they are infected with malware until it is already too late. A few signs can lead you to believe you might be infected: incredibly slow PC performance, browser pop-ups when no browser is open, and security warnings from security programs that were never installed on your computer. Try these tools to kick malware in the butt.

Update Antivirus

The signatures within antivirus software identify existing malware based on what has come before and the latest updates available. Make sure your antivirus software is current, with all of the latest updates installed. Having software that is even one day out of date leaves your machine at risk of encryption. Antivirus vendors release updates based on viruses they encounter both in the lab and in the field.

Find Safe Mode

Most well-designed malware is ready to evade the System Restore points set in Windows. A restore might be enough to fix the problem, but if it is not, as it most likely won’t be, try running a program designed to kill any known malware process that is running, such as RKill. The other option is to boot Windows in a way that does not allow the malware to start: Safe Mode. On Windows 8 or 10, restart your PC while holding down the Shift key during the boot sequence, then choose Safe Mode from the troubleshooting options.

Delete Hiding Places

You should then delete all temp files that could hide malware. To delete temp files, open the Start menu and type Disk Cleanup into the search bar; it will check the C: drive for all temp files that can be safely deleted. After this, it is advised that you run an on-demand antivirus scanner such as Malwarebytes Anti-Malware. This program is a great second line of defense against malware because it often comes to the rescue when your initial antivirus fails.

No Connection

A RAT (remote access trojan) means that someone is remotely accessing your PC. Your first step in this case is to get off the internet. Turn off the Wi-Fi, remove the Ethernet cable, turn off the router, whatever needs to be done to detach from the internet. Being disconnected ensures that the machine can no longer be controlled, but it also makes it a great deal harder to obtain the latest antivirus updates. The latest software will need to be retrieved from a third-party PC, preferably at a different location, then transferred to the infected PC via a USB flash drive. Another option is to reboot the computer from a CD that runs a full anti-malware utility; these CDs are sometimes called “rescue CDs” and can be used without an internet connection. Of course, to use this option, a CD drive will be necessary.

Portable Help

If all other options have failed, the operating system itself may already be infected, making it impossible to even download the newest antivirus software. To bypass the OS and let the antivirus do its job, you will need to use portable apps from a USB flash drive. These portable apps do not require installation. Examples include Microsoft Safety Scanner, ClamWin, McAfee Stinger and Kaspersky Security Scan. You can also try several portable apps in turn; they will not conflict, since you run each scan individually. There are also other options, such as Spybot and Symantec’s Norton Power Eraser, that specifically target a type of malware called crimeware, which runs scams. This measure is aggressive and often deletes files that may not be malware, all in the name of safety of course.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: How to Remove Malware From Your PC

ATMs – The Next Target For Hackers

Use of outdated operating systems like Windows XP and a lack of security means it’s still possible to crack ATM security, warn researchers.

As one of the millions of people who use their bank’s ATM at least once a week, the last thing on my mind is usually the security of the operating system. But when you think about the foundation of the machine taking your card and spitting back cash, you realize it is just a PC running old software, easily susceptible to malware. Not comforting.

There was a 15 percent jump in ATM fraud activity between 2014 and 2015, and researchers believe the numbers will only increase. Within this time cyber criminals were able to get their hands on more than $150 million. Researchers attribute the security vulnerabilities to the use of outdated platforms, such as Windows XP, that no longer receive patches and fixes.

“If we think of a modern ATM as a MS Windows PC with a money box attached to it that’s controlled through software, it is easy to see how it becomes an attractive target for any malware writer,” Sancho and Huq said.

Trend Micro and Europol’s European Cybercrime Centre (EC3) identified two main malware threats that either give the attacker the card details of the user or let the attacker dispense cash. Most worrying is how little effort attackers have to expend to infect ATMs: simply put, all they have to do is install malware onto the machine via a USB or the CD drive.

At the moment, malware-based ATM fraud has only been reported internationally, in Eastern Europe and South America. Despite little activity in the United States, authorities are aware of the growing ATM malware concern and are monitoring cyber criminal forums for activity.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: A Windows PC with a money box attached: Why hacking ATMs is big business for criminals

Ransomware Attacked My Mom’s Computer

How My Mom Got Hacked is a real-life story about a Brooklyn artist who receives a panicked phone call from her mom one day complaining that her personal computer has been taken over by some sort of strange encryption. The story follows the journey Alina Simone and her mom Inna endure to get the files back from the hackers. After the initial shock sets in, the two research their options and realize, as many do, that there is little to no way to get the files back without paying the hefty $500 ransom.

“I thought it was a typical mom rant about her hardware crashing and having to pay the repair people $500 because her computer crashed.” Like many of us do when our parents call after a long day’s work, Alina didn’t take her mom seriously. Seeing as it was Thanksgiving weekend, a major snowstorm had just hit, and the ransom deadline was already down to less than 24 hours, Alina and her mother were frantic. Her mother didn’t make the deadline, and according to the hackers the ransom would double because of it. Inna pleaded with the hackers, and they let her off with the $500 ransom and returned all her files. Luckily.

Others have paid far more. The Hollywood Presbyterian Medical Center, hacked in early February, had to pay a whopping 40 bitcoin, a $17,000 ransom, to get its systems back on track.

“The value of my personal files and pictures caps off somewhere. But [if] I encrypt the back-end of your corporate system and prevent you from processing payments, that has a tremendous value. And if the hacker can recognize the value of what he has, the ransom can be more dynamically set based on the content of the data,” explains Grayson Milbourne, Security Intelligence Director for Internet security firm Webroot.

From personal to corporate, ransomware is most certainly an eye-opening experience of security vulnerabilities.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: The Growing Threat of Ransomware

Who’s in Charge of Your Cybersecurity?

The first step in successful cyber-security is getting every employee on board. It is fairly obvious that some hardware goes into creating a security shield around important data. As an Information Technology company ourselves, we already know the value that firewalls and anti-virus software have in making your network more secure. However, to adopt a more proactive protection policy, the groundwork needs to be laid, starting with company culture and communication. It is increasingly important to promote awareness and education in order to save a lot of headaches later down the line.

The CEO of the company needs to take an interest in cyber-security before any of the employees will get on board. A simple risk analysis is a great start. Buying products online is not sufficient; a knowledgeable IT professional should be on hand. You need someone who will leverage the right equipment as well as set security measures that fit your establishment.

“The cyber threat cannot be solved by buying products,” says Tim Holman, president of the Information Systems Security Association in the UK. Holman has the right idea: if your company is not equipped with the skills to manage these products, they are basically junk. It is important to approach cyber-security the way a hacker does. Common sense says that reducing the amount of sensitive data you store is always a good measure. Restricting access to information and taking out cyber liability cover are other ways to lessen the probability of attack.

As information continues to flow in and out of your business, remember that any exchange over the internet carries a great deal of risk. Ensure your company’s professionals understand how to practice good security. Never open an unfamiliar attachment, back up data in two separate places, and use solid firewall and anti-virus software. Keep all platforms up to date with the latest patches and security fixes. Top to bottom, cyber-security is everyone’s responsibility.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: The CISO, the CIO, the CEO, or you: Who is really responsible for cybersecurity?

Ransomware seeks victims via TeamViewer

Anyone use TeamViewer? If so, sorry to say, you may have been hacked.

A new ransomware has been discovered that encrypts important files and appends the .surprise extension. Further research revealed that the loader runs the EDA2 ransomware from memory and was only attacking victims who also had TeamViewer installed. The victims’ logs showed that TeamViewer had been used as the means to reach their computers: someone connected via TeamViewer and downloaded the surprise ransomware files onto the unsuspecting victim’s desktop.

The two TeamViewer IDs used by the attackers were 479441239 and 479440875.

This surprise ransomware is unique in that it has successfully bypassed AV signature definitions as well as behavior detection. Rather than containing the encryption functions typically seen in ransomware, it carries an encrypted, Base64-encoded string. This string is loaded into memory and the ransomware runs from there.

The ransomware scans all fixed disks on the computer for files with particular file extensions. When it finds a matching file, it encrypts it with the AES encryption key and appends the .surprise extension. The list of targeted file extensions is hefty. It skips any file whose path contains the $ symbol or the strings c:/windows or c:/program.

Bleeping Computer found that the ransomware creates three files:

  • %Desktop%\DECRYPTION_HOWTO.Notepad, the ransom note.
  • %Desktop%\surprise.bat, which executes vssadmin.exe Delete Shadows /All /Quiet to remove the Shadow Volume Copies.
  • %Desktop%\Encrypted_Files.Notepad, a file containing the list of encrypted files.

Sadly for those whose files have been encrypted, there is no alternative way to regain access to them at this time without paying the ransom.
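Taking the indicators above as a defender's checklist, here is an added example (not code from the post or from Bleeping Computer) that turns them into triage checks: it classifies file paths by the .surprise extension and the three dropped Desktop files, flags the vssadmin shadow-copy deletion in process command lines, and matches the two attacker TeamViewer IDs against connection-log lines. The log layouts and all sample data are constructed assumptions, not the real TeamViewer or Sysmon formats.

```python
# Added example: triage helpers for the .surprise ransomware indicators above (sample data is constructed).
import re
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".surprise"
# The three files the post says are dropped on the Desktop.
DROPPED_FILES = {"DECRYPTION_HOWTO.Notepad", "surprise.bat", "Encrypted_Files.Notepad"}
# TeamViewer IDs the post attributes to the attackers.
ATTACKER_TEAMVIEWER_IDS = {"479441239", "479440875"}
# vssadmin command run by surprise.bat (case-insensitive; \W+ allows a quoted path before the args).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\W+delete\s+shadows\s+/all(?:\s+/quiet)?", re.IGNORECASE)

def classify_path(path: str) -> str:
    """Return 'encrypted', 'dropped' or 'clean' for one file path."""
    p = PureWindowsPath(path)
    if p.name in DROPPED_FILES:
        return "dropped"
    return "encrypted" if p.suffix.lower() == ENCRYPTED_SUFFIX else "clean"

def original_name(path: str) -> str:
    """Strip the appended .surprise to recover the file's original name."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ENCRYPTED_SUFFIX:
        raise ValueError(f"not a .surprise file: {path}")
    return str(p.with_suffix(""))

def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if a process command line deletes all Volume Shadow Copies."""
    return SHADOW_DELETE_RE.search(command_line) is not None

def triage(file_paths, process_log_lines, teamviewer_log_lines) -> dict:
    """Collect hits per indicator. TeamViewer lines are assumed tab-separated
    with the partner's ID in the first field (a simplification of the real log)."""
    report = {"encrypted": [], "dropped": [], "shadow_copy_deletion": [],
              "attacker_sessions": []}
    for path in file_paths:
        kind = classify_path(path)
        if kind != "clean":
            report[kind].append(path)
    for line in process_log_lines:
        if is_shadow_copy_deletion(line):
            report["shadow_copy_deletion"].append(line)
    for line in teamviewer_log_lines:
        if line.split("\t", 1)[0].strip() in ATTACKER_TEAMVIEWER_IDS:
            report["attacker_sessions"].append(line)
    return report

# Constructed sample input, not real victim data.
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\report.docx.surprise",
    r"C:\Users\victim\Desktop\DECRYPTION_HOWTO.Notepad",
    r"C:\Users\victim\Desktop\surprise.bat",
    r"C:\Users\victim\Desktop\Encrypted_Files.Notepad",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_PROCESS_LOG = [  # Sysmon-style process-creation command lines
    r'CommandLine: cmd.exe /c "C:\Users\victim\Desktop\surprise.bat"',
    r'CommandLine: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r"CommandLine: vssadmin.exe list shadows",
]
SAMPLE_TEAMVIEWER_LOG = [  # partner ID, partner name, start, end
    "479441239\tunknown\t2016-03-15 02:14\t2016-03-15 02:31",
    "123456789\tIT Helpdesk\t2016-03-14 10:02\t2016-03-14 10:40",
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_FILES, SAMPLE_PROCESS_LOG, SAMPLE_TEAMVIEWER_LOG).items():
        print(f"{key}: {len(hits)} hit(s)")
```

Pair the shadow-copy check with the ransom-note file names rather than either alone: a legitimate backup tool may delete shadow copies, but not while also dropping DECRYPTION_HOWTO.Notepad on the Desktop.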

If you would like to educate yourself in greater detail about the material presented in this blog post please visit:

http://www.bleepingcomputer.com/news/security/surprise-ransomware-installed-via-teamviewer-and-executes-from-memory/

New on our radar…ads spreading crypto ransomware

Crypto Ransomware disguised within ads on big time sites

Ads featured on sites such as The New York Times, the BBC, MSN and AOL have exposed thousands of users to crypto ransomware. Angler, a toolkit that sells exploits for Adobe Flash, started the wave of malware-laced ads last week, pushing them through a compromised ad network, according to a report from Ars Technica.

The ads contained a JSON-based file with more than 12,000 lines of obfuscated code. Angler hits unsuspecting users with the Bedep Trojan and the TeslaCrypt ransomware, a nasty combination. The three suspicious domains to be aware of are trackmytraffic[c],biz, talk915[.]pw and brentsmedia[.]com. The campaign has also spread to answers.com, zerohedge.com and infolinks.com. In addition, the affected networks include those owned by big names such as Google, AppNexus, AOL and Rubicon.

The best thing users can do at this point is practice safe browsing. Decreasing the probability of attack means decreasing the attack surface. Uninstall third-party plug-ins such as Adobe Flash and Microsoft Silverlight unless they are necessary. In addition, keep installations up to date by applying updates as soon as they are made available. Using the 64-bit version of Chrome is one of the safer ways to browse. Microsoft users should work with Windows 10 and Microsoft’s Enhanced Mitigation Experience Toolkit.

Transmission BitTorrent App Infects OS X with First Ransomware…

If you recently installed the Transmission BitTorrent App, most likely you are one unhappy user.

The recently released version of Transmission BitTorrent for OS X contained the embedded KeRanger ransomware, a debilitating program designed to lock and encrypt files in order to extort money from consumers. In case you didn’t read our previous post about ransomware, this malware is extremely debilitating to consumers and business owners alike. It locks files and infiltrates all external hard drives and shared networks, making an external hard drive backup useless as protection for sensitive data.

Version 2.90 of the application, released March 4th, contained the malware. Transmission’s website is encouraging all users who downloaded this version to upgrade to version 2.91 or, at a bare minimum, delete version 2.90 from their computers. If you prefer, wiping and restoring your system to an earlier point in time is also an option. If you go that route, make sure you restore your device to a point before the Transmission 2.90 installation.

If you find yourself infected, resist paying the $400 asked to restore your files. There is no guarantee that paying will result in any data retrieval, and it could be a complete waste of your money. If you decide to do nothing else, at least remove the malware. Leaving it installed only gives the ransomware more opportunity to further exploit your system.

If you would like to do a little investigating of your own, a new blog post from Palo Alto Networks’ threat intelligence team lists the steps for finding out if you have been infected with the KeRanger ransomware.

If you would like to educate yourself in more detail about material presented in this blog post please visit:

http://www.pcmag.com/article2/0,2817,2500391,00.asp?mailing_id=1587787&mailing=DailyNews&mailingID=510C4584BD5C3E3CDD5A15D97D2B87C0