Showing posts with label ransomeware. Show all posts

Thursday, November 2, 2017

No Platform Immune from Ransomware, According to SophosLabs 2018 Malware Forecast



  • Ransomware ravaged Windows, but attacks on Android, Linux and MacOS systems also increased in 2017
  • Just two strains of ransomware were responsible for 89.5 percent of all attacks intercepted on Sophos customer computers worldwide
OXFORD, U.K. – Nov. 2, 2017 – Sophos (LSE: SOPH), a global leader in network and endpoint security, today announced its SophosLabs 2018 Malware Forecast, a report that recaps ransomware and other cybersecurity trends based on data collected from Sophos customer computers worldwide during April 1 to Oct. 3, 2017. One key finding shows that while ransomware predominately attacked Windows systems in the last six months, Android, Linux and MacOS platforms were not immune.
“Ransomware has become platform-agnostic. Ransomware mostly targets Windows computers, but this year, SophosLabs saw an increased amount of crypto-attacks on different devices and operating systems used by our customers worldwide,” said Dorka Palotay, SophosLabs security researcher and contributor to the ransomware analysis in the SophosLabs 2018 Malware Forecast.
The report also tracks ransomware growth patterns, indicating that WannaCry, unleashed in May 2017, was the number one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3 percent of all ransomware tracked through SophosLabs with Cerber accounting for 44.2 percent.
“For the first time we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of a known Windows vulnerability to infect and spread to computers, making it hard to control,” said Palotay. “Even though our customers are protected against it and WannaCry has tapered off, we still see the threat because of its inherent nature to keep scanning and attacking computers. We’re expecting cyber criminals to build upon this ability to replicate seen in WannaCry and NotPetya, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.” 
The SophosLabs 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable. The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data, according to Palotay.
“NotPetya spiked fast and furiously, and did hurt businesses because it permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started,” said Palotay. “We suspect the cyber criminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and keeping patches up to date.”
Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber continuously update the code and they charge a percentage of the ransom that the “middle-men” attackers receive from victims. Regular new features make Cerber not only an effective attack tool, but perennially available to cyber criminals. “This Dark Web business model is unfortunately working and similar to a legitimate company is likely funding the ongoing development of Cerber. We can assume the profits are motivating the authors to maintain the code,” said Palotay.
Android ransomware is also attracting cyber criminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.
“In September alone, 30.4 percent of malicious Android malware processed by SophosLabs was ransomware. We’re expecting this to jump to approximately 45 percent in October,” said Rowland Yu, a SophosLabs security researcher and contributor to the SophosLabs 2018 Malware Forecast. “One reason we believe ransomware on Android is taking off is because it’s an easy way for cyber criminals to make money instead of stealing contacts and SMS, popping up ads or bank phishing, which requires sophisticated hacking techniques. It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.”
The SophosLabs report further indicates that two types of Android attack methods emerged: locking the phone without encrypting data, and locking the phone while encrypting the data. Most ransomware on Android doesn’t encrypt user data, but the sheer act of locking a screen in exchange for money is enough to cause people grief, especially considering how many times in a single day information is accessed on a personal device. “Sophos recommends backing up phones on a regular schedule, similar to a computer, to preserve data and avoid paying ransom just to regain access. We expect ransomware for Android to continue to increase and dominate as the leading type of malware on this mobile platform in the coming year,” said Yu.
For access to the full SophosLabs 2018 Malware Forecast and Ransomware Infographic, go to here.



Tuesday, September 12, 2017

Shadow Brokers Release Windows Malware that can Steal Keystrokes and Record Audio to its Paid Subscribers

Paid subscribers of Shadow Brokers’ monthly subscription can now gain complete access to your PC/laptop and steal your passwords and chats



The hacking group named SHADOW BROKERS, which was responsible for the earlier NSA leaks, is back with another NSA hacker kit. This time, however, the leak is only available to users with its “monthly subscription”.

In its latest release, SHADOW BROKERS has released malware dubbed UNITEDRAKE. It is a remote access and control tool with “plug-ins” that targets Windows-based systems and gives the attacker full control over the victim's system.

UNITEDRAKE is compatible with systems running Microsoft Windows XP, Vista, 7 and 8, up to Windows Server 2012. It first came to light in 2014 as part of the classified NSA documents leaked by former contractor Edward Snowden.

The Snowden documents suggested the agency used the tool alongside other pieces of malware, including GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT.

The malware's modules, including FOGGYBOTTOM and GROK, can listen in on and monitor communications, capture keystrokes and webcam and microphone activity, impersonate users, steal diagnostic information, and self-destruct once their tasks are completed.

These tools were allegedly developed and used by the US National Security Agency (NSA) to perform mass surveillance and bulk hacking worldwide.

Ankush Johar, director at HumanFirewall.io, said: "Remote administration and surveillance tools are not a new thing in the global cyberspace. These have existed since the beginning of the internet. However, criminal-grade pro malware like this is extremely dangerous, as even inexperienced chaps can now use it to carry out nation-wide cyber crimes.

"It’s not too difficult to avoid basic malware. Being aware and staying cautious is the key to your security. Consumers are advised to make sure that the following points are always kept in mind before hovering around the tech."

* Keep a genuine anti-virus installed and updated.
* Do not click on unknown links. Verify the links completely before opening them.
* Never download attachments from untrusted sources.
* Never download pirated software/cracks as they contain malware or backdoors that can give complete access of your system to the hacker.
* Install all software and OS updates available on your device whenever prompted to do so.
* Avoid plugging in unknown USB devices, whether at home or office.

via BusinessWorld

Thursday, August 17, 2017

Ransomware Attacks Hit LG Electronics’ Service Centers

South Korean electronics giant LG Electronics has been the latest company to fall prey to ransomware attacks after some of its self-service centers have been hit with malicious code that locks up computer files in exchange for ransom money. According to a new report by The Korea Herald, LG Electronics initially detected an issue with gaining access to the self-service kiosks earlier this week and alerted the Korea Internet & Security Agency that the problem occurred. Kiosk operations were quickly put on hold following the incident, and LG Electronics said it had managed to successfully protect files from being encrypted, which is a typical method of ransomware attackers in order to force their victims to pay for the key to unlock targeted computers.



 



State-run KISA found that the ransomware used in an attempt to encrypt LG Electronics’ service centers bears a resemblance to the WannaCry ransomware, which caused a major compromise to hundreds of thousands of computers in more than 99 countries over the course of 24 hours this May. The ransomware attack is allegedly an offshoot of the hacking tools supposedly built by the United States National Security Agency that were leaked by hacking collective Shadow Brokers in April of this year. The WannaCry incident compromised computers running the Windows operating system. Hackers reportedly carried out the global attacks using a modified variant of the WannaCry ransomware strain, which security experts say is taking advantage of a certain Windows bug. During the same month, Samsung was reported to have joined forces with the South Korean government in a bid to beef up security for mobile devices following the WannaCry attack, though it remains unknown how the two organizations plan to deal with the issue.
It now appears that some strain of the WannaCry ransomware is still alive despite various efforts to contain the malware, as KISA believes that some of LG Electronics’ self-service kiosks have been targeted by the same malicious code that hit several countries in May. The South Korean security agency added that it needs to conduct further investigation on the incident to identify the root cause of the problem. The good news is that the company has now updated the security system in those kiosks, which have since returned to business as usual.


Tuesday, August 15, 2017

PayThink 'Self-protection' can shield banks from new Android BankBot card malware

Recently, the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware.
While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American institutions as well. More specifically BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.
BankBot is a banking Trojan horse that poses as an apparently benign consumer banking application. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised and BankBot attempts to steal the customer’s credentials (e.g., username and PIN) and debit or credit card information.
BankBot tries to steal banking credentials by using a well-known technique called overlay. The malware creates a window that mimics the look and feel of the targeted mobile banking app, and it aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. Because the fraudulent overlay window is created to look exactly like the target app, the user usually believes they are interacting with their institution’s genuine mobile banking app.
The BankBot malware comes with a list of names of mobile banking apps that it targets, and it compares names in this target list against the names of apps running on the Android device of the user. When BankBot detects that a running app is present in its target list, it generates the overlay window and positions it on top of the target app to deceive the device’s owner.
Technologists reviewing the following code snippet of BankBot can see exactly how the malware checks whether any of the processes running on the Android device are present in the target list, and how the malware launches the overlay injection routine. The comments in the code have been added by threat analyst Ernesto Corral to simplify reading.
The overlay itself consists of a customized WebView, which is an Android component that can be used to show a web page within an app. The content of the WebView is downloaded on the fly from the C2 server.
Can runtime application self-protection (RASP) offer protection? An analysis of a test shows RASP successfully defends mobile banking apps targeted by BankBot against overlay attacks. As a result, we can safely say that all of the more than 420 apps targeted by BankBot are protected, if so equipped. This is crucial because virtually all currently known malware families use the same deceptive overlay technique as BankBot. A good example of another malware family using this technique is Marcher, one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016.
Moreover, RASP’s generic overlay protection mechanism ensures “future-proofing”: Any new mobile banking apps that are targeted by BankBot in the future using the same overlay technique, will also be protected.
Even if a banking Trojan should manage to steal a user’s banking credentials (his or her PIN, for instance), the user’s credentials would be of little value to a fraudster, if the app is protected with two-factor authentication, as were apps and devices in this test.
Apps protected in this way use two authentication elements: something the user knows (for example, the PIN) and something the user has (e.g., a cryptographic key stored on the mobile device), which is used to generate one-time passwords. While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.
Analysts at the threat research labs used in this study analyzed the internals of malware such as Bankbot and Marcher. Findings show that at this point, many or most Android mobile banking malware families use the same approach to create fraudulent overlay windows that deceive users.
Based on lab testing, I and the threat research lab team are confident that RASP technology can, if properly developed and with sufficient security features to detect and prevent application-level intrusions, offer protection against all malware families that use this approach. Furthermore, two-factor authentication functionality can ensure that even successful overlay attacks can be thwarted.

Monday, July 3, 2017

Petya: Wiper or Ransomware & How to Protect Yourself

Learn the facts about the recent Petya attack that crippled many organizations worldwide. 

- Is it your regular run-of-the-mill ransomware or a wiper? 
- Who is a target? Why did it spread so quickly?
- How can organizations better protect themselves against similar attacks?

Thursday, May 18, 2017

Sophos continues to work at protecting customers from the WannaCry ransomware attack – here’s what you need to know.


Sophos continues working to protect customers from the WannaCry ransomware attack. That effort has been successful, but we continue to receive many questions about how this attack happened, what we must do to defend our organizations, and, of course, what’s next?
This article is designed to answer those questions.

What happened?

A fast-spreading piece of ransomware called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) held computer systems hostage around the globe Friday. National Health Service (NHS) hospitals in the UK were hit hard, with their phone lines and IT systems being held hostage. From there, the attack spilled across the globe.
It encrypted victims’ files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt. It then presented a window to the user with a ransom demand.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers’ APT EternalBlue Exploit (CC-1353). It also uses strong encryption on files such as documents, images, and videos.

This was different from past ransomware attacks. Why?

There were some unique aspects to the WannaCry attack. Typical ransomware infections happen after the victim clicks on a malicious email attachment or link. In this attack the malware was able to exploit a remote code execution (RCE) vulnerability that allowed it to infect unpatched machines without users having to do anything.
Because of that, this was able to spread in the same rapid fashion as the worm outbreaks common a decade ago, such as Slammer and Conficker.
Specifically, WannaCry exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Organizations running older, no-longer-supported versions of Windows were particularly hard hit. In fact, Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement:
We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

Is this over?

Unlikely. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. We also expect aftershocks Monday as employees at affected companies who weren’t there Friday return to work and fire up their computers.

What is Sophos doing to protect customers?

Sophos continues to update protections against the threat. Sophos customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.

Is there anything I need to do?

You’ll want to ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks. As noted above, Microsoft has made the decision to make the Security Update for platforms in custom support only — Windows XP, Windows 8, and Windows Server 2003 — broadly available for download:
Windows Server 2003 SP2 x64
Windows Server 2003 SP2 x86
Windows 8 x64
Windows 8 x86
Windows XP SP2 x64
Windows XP SP3 x86
Windows XP Embedded SP3 x86

As we always say, patching is critical. For Sophos customers, keep checking the Wana Decrypt0r 2.0 Ransomware Knowledge Base where we’ll be issuing updates.
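To turn the advice above into a check you can run, here is an added example (not Sophos's code and not from the original post) that audits a single Windows host for the MS17-010 fix, for SMBv1 being enabled (the protocol the EternalBlue exploit targets), and for a listening SMB port. The KB numbers are the MS17-010 updates as I recall them from Microsoft's bulletin and are an assumption to verify against the bulletin for your exact build; the function names are my own.

```powershell
# Added example: audit one Windows host for WannaCry / MS17-010 exposure.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later
# (the Smb* and NetTCP* cmdlets are not available on older releases).

# MS17-010 security updates per platform (assumption: check against the bulletin).
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP, Vista, 8, Server 2003, Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # $true when one of the original MS17-010 KBs is listed. Later cumulative
    # updates supersede these KBs without listing them, so "not found" means
    # "verify the SMB driver build manually", not "definitely vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    return ($found.Count -gt 0)
}

function Get-Smb1Status {
    # Server-side SMBv1 switch. EternalBlue abuses the SMBv1 code path, so a
    # patched host with SMBv1 still enabled keeps an unnecessary attack surface.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return 'unknown (cmdlet unavailable on this OS)' }
    if ($cfg.EnableSMB1Protocol) { return 'enabled' } else { return 'disabled' }
}

function Test-Port445Listening {
    # A listening TCP/445 is what the worm component reaches over the network.
    $listeners = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    return ($listeners.Count -gt 0)
}

function Disable-Smb1 {
    # Remediation: turn off SMBv1 on the server side and remove the optional
    # feature. This changes system configuration; a reboot may be required.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Summary for this host; feed the object into your inventory or ticketing.
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Ms17010KbListed  = Test-Ms17010Installed
    Smb1Server       = Get-Smb1Status
    Port445Listening = Test-Port445Listening
}
$report | Format-List
```

Treat a host reporting Smb1Server = enabled and Port445Listening = True as a priority for patch verification and for running Disable-Smb1 after confirming nothing on the network still depends on SMBv1.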
via sophos

 