UK organisations are still not taking ransomware seriously enough

UK organisations are still not taking ransomware seriously enough, and continue to fall prey to this method of low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough

Businesses still get caught by ransomware, even though straightforward avoidance methods exist.The CryptoLocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Another factor promoting the popularity of ransomware among attackers, is that unlike many other forms of malware, ransomware does not require any special user rights.

“If your system gets infected by a keylogger, it has to escalate privileges to become an administrator on the system so it can survive a reboot, but all ransomware needs is access to the files the infected user can access,” said chief research officer at F-Secure Mikko Hypponen.

“This makes them a unique problem because you can’t fight ransomware by locking down systems, restricting user access or removing administrator privileges from users.

“I fully support this approach to security. Only give users access to what they need, take away admin privileges, but none of these things will protect against ransomware.”

The most effective way to counter ransomware, said Hypponen, is to backup all critical data, but many organisations are failing in this.

“They may be backing up data, but they are typically not doing it often enough. They are not backing up all the information they really need because files are not being saved to the right folders, and they are not testing their backups regularly. Even if they have backed up the information, they are often unable to restore it to a usable form,” he said.

“In addition to regularly tested backups, organisations should also ensure they would be able to detect and respond to a live ransomware Trojan on their network before it has succeeded in locking up all the data,” said Hypponen.

One way of approaching this is to plant dummy “canary” files throughout the network. These should never be touched by legitimate users and act as alarms. If these files are touched, it points to malicious activity on the network.

Ransomware is also popular, he said, because its developers are able to outsource the risk to partners whose role is infect computers in return for a share in the money extorted from victims.

In addition to ransomware, another new business model for cyber criminals is circumventing the fingerprint locks on iPhones.

“Once fingerprint readers were added to iPhones, users were able to lock and unlock them quickly and easily. This meant that if the phone was stolen, it was useless and could be only sold for spares, which did not yield very much,” said Hypponen.

But researchers are now starting to see criminal organisations that are able to trick victims of mobile phone theft into revealing their iCloud credentials.

“Victims typically receive an email message a few days after their phone is stolen to say it has been located using the ‘track my iPhone’ facility, telling them to click the link embedded in the message,” said Hypponen.

“But the link takes them to a phishing site that asks them to log into their iCloud account, and once they have done that, the criminals have the information to reset the stolen phone and sell it as a fully working device.”

The second lesson learned in 25 years of cyber security, said Hypponen, is that people will never learn, and that user education is a waste of time.

“It doesn’t matter how many times you tell them, they will always double click on every executable. They will always follow every link, they will always type their password and credit card number into any online form that asks for that information, and they will always post their credit card picture and even CVV numbers on Twitter,” he said.

Admitting this may be overly pessimistic, Hypponen said that instead of trying to “patch” people by educating them, the responsibility should be shifted to those better equipped to handle it.

“We should be thinking about where we really want the responsibility to be,” he added. “Do we really want people to be responsible for security when most of them can’t handle it, or should we be thinking about taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place?”

No final fix for cyber security

There really is no final fix solution endgame when it comes to cyber security.

There really is no final fix solution endgame when it comes to cyber security, according to security industry veteran and chief research officer at F-Secure Mikko Hypponen.The claim was made by security industry veteran and chief research officer at F-Secure Mikko Hypponen and two of the most valuable lessons in cyber security are to know your enemy and not to rely on users to be secure.

“We will always have cyber security problems because we will always have bad people, which means job security in security is likely to continue for ever,” he told the Wired Security conference in London.

Cyber attackers are continually evolving their techniques and capabilities to steal and monetise data in new ways, which means the goalposts are continually moving.

“If we were still fighting the enemy of 10 years ago, we would be in great shape,” he said, alluding to the security tools that have been developed since then, as well as the security improvements in software.

“Attackers will always have the upper hand because they have the luxury of time to study our defences, while defenders do not have that luxury, so it is an unfair contest – a never-ending race.”

Reflecting on lessons learned over his 25 year career in information security, Hypponen said the most important thing is to understand the adversary.

However, he said the days of being able to do that easily are long gone, with most organisations finding themselves faced with a whole range of attackers.

They are all looking to gain something, said Hypponen, whether they are hacktivists supporting a cause, nation state actors or criminals.

“But for most organisations, criminals are the most likely to be attacking them,” he said, noting that of the 350,000 to 450,000 new malware samples that F-Secure sees on a daily basis, 95% comes from organised cyber crime groups.

“It is different when you get targeted by foreign intelligence agencies, because they are really bad, but most organisations are not targeted by foreign spies because most organisations are of no interest to them,” he said.

Although these cyber criminals like to portray themselves as Mafiosi, Hypponen said most are just “geeks” looking to make money from selling things such as hacked PayPal accounts and credit card details along with step-by-step guides on how to use them to make money.

Ransomware most popular form of cyber crime

Ransomware that encrypts victims’ data and demands payment in return for restoring it is fast becoming the most popular way for cyber criminals to make money.

“This is a simple business model based on the principle of selling data to the highest bidder, which is often the person or organisation that owns the data in the first place,” said Hypponen.

F-Security is currently tracking more than 110 different ransomware groups operating around the world and competing for market share.

“Ransomware has become very competitive, with the result of some groups seeking to expand into new markets by translating ransomware campaigns into 26 different languages,” said Hypponen.

Another evolution of ransomware attacks is the shift away from consumers to target enterprises.

“As soon as an infected computer is connected to the corporate network, the attackers enumerate and mount all the file shares the user can access and dynamically set the ransom based on how many files they manage to encrypt on the network,” said Hypponen.

The biggest concern about ransomware for enterprises is that it will stop business operations. With continuity in mind, some enterprises are even setting up bitcoin wallets to be able to pay ransoms quickly and minimise the impact on business continuity.

“This idea of continuity is really backwards, because it does not address the problem,” said Hypponen. “The more enterprises pay these ransoms, the greater and more entrenched this problem will become.”

UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it and demand ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past so there was often a way to retrieve files,  that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here are a list of best practices that businesses and public sector organisations should apply immediately to prevent falling victim to ransomware:

  • Backup regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript borne malware
  • Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them

Cyber attacks via SWIFT on three Asian banks shared malware links

Cyber attacks on banks vai the Swift payments system in Bangladesh, Vietnam and the Philippines used the same malware, reports Symantec.

Cyber attacks on banks vai the Swift payments system in Bangladesh, Vietnam and the Philippines used the same malware, reports SymantecJust two weeks ago the Society for Worldwide Interbank Financial Telecommunication (Swift) warned of a highly adaptive campaign targeting banks.

Swift has since acknowledged that the heist involved altering Swift software to hide evidence of fraudulent transfers, but it said its core messaging system was not harmed.

Swift is a global member-owned co-operative that provides secure financial messaging services that connect more than 11,000 financial services organisations in more than 200 countries and territories.

Commenting on the incidents Swift said he attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at the banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.

Swift said the cyber criminals had used malware to manipulate PDF document reports confirming the messages to hide their tracks.

In the earlier cases, Swift said it appeared that insiders or cyber attackers had obtained user credentials and submitted fraudulent money transfer requests.

In addition to this, Symantec said some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus.

Symantec believes the attacks on the banks are linked and were possibly carried out by the same group.

They believe this because of similarities in distinctive wiping code between Trojan.Banswift used in the Bangladesh attack and early variants of Backdoor.Contopee, which has been used in limited targeted attacks against the financial industry in south-east Asia.

Symantec believes distinctive code shared between families – and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region – means these tools can be attributed to the same group.

Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.

The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment.

The group was the target of a cross-industry initiative known as Operation Blockbuster earlier in 2016, which involved major security suppliers sharing intelligence and resources to assist commercial and government organisations in protecting themselves against Lazarus.

As part of the initiative, security firms are circulating malware signatures and other useful intelligence related to these attackers, but Symantec said the discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region.

While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant, Symantec said.

Ransomware increasingly dangerous cyber security threat

Ransomware attacks now account for around a quarter of cyber security threats targeting internet users in the UK- according to Eset.

Ransomware attacks now account for around a quarter of cyber security threats targeting internet users in the UK- according to Eset.Eset’s LiveGrid telemetry shows an increase in detections of the JS/Danger.ScriptAttachment malicious code, which tries to download and install various malware variants to the intended victims’ machines.

The majority of the code consists of crypto-ransomware, including some well known groupings, such as Teslacrypt.

The most recent wave of attacks has been focused on victims in the UK, where it accounted for roughly every fourth threat in the third week of April 2016, said the security firm.

“To reach as many potential victims as possible, attackers are spamming inboxes in various parts of the world,” said Ondrej Kubovič, security specialist at Eset. “Therefore, users should be very cautious about which messages they open.”

Meanwhile, the latest Verizon Data Breach Investigations Report (DBIR) also warns that ransomware attacks are steadily increasing.

Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions, said: “Ransomware is going crazy. It is everywhere. As an incident response team we are dealing with ransomware attacks all the time.”

Eset’s Kubovič recommends that companies should train their employees to report incidents to their internal security departments.

“Users should keep their operating systems and software up to date, as well as install a reliable security suite offering multiple layers of protection and regular updates,” he added.

“Last but not least, users need to back up all their important and valuable data, allowing for its recovery in case of ransomware infection,” he said.

While ransomware is becoming an increasing problem for businesses, a recent spate of attacks on hospitals in the past few months – mainly in the US, but also in Canada, Germany and New Zealand – has underlined the potentially life-threatening impact of ransomware, which works by encrypting data and demanding a ransom to be paid for its release.

The dangers of the IoT

A report by Institute for Critical Infrastructure Technology (ICIT) has also highlighted the fact that internet of things (IoT) devices offer a potential growth opportunity to any ransomware operation, given the devices are interconnected by design and many lack any form of security.

According to the report, while a lot of traditional malware will be too large to ever run on many IoT devices, ransomware (predominantly consisting of a few commands and an encryption algorithm) is much lighter.

Many medical devices, such as insulin pumps and other medication dispersion systems, are internet- or Bluetooth-enabled, the report pointed out, and warned that ransomware could used to open connections to infect the IoT device.

Part of the problem with the security of IoT communications is that the designers are more concerned by the ease of connectivity than the safety of their users.

New ransomware threat- with your address

A new email ransomware that quotes people’s postal addresses is a costly new cyber security threat.

A new email ransomware that quotes people's postal addresses is a costly new cyber security threatAndrew Brandt, of US firm Blue Coat, contacted the BBC after hearing an episode of BBC Radio 4’s You and Yours that discussed the phishing scam.

Mr Brandt discovered that the emails linked to ransomware called Maktub. The malware encrypts victims’ files and demands a ransom be paid before they can be unlocked.

The phishing emails told recipients they owed hundreds of pounds to UK businesses and that they could print an invoice by clicking on a link – but that leads to malware, as Mr Brandt explained.

Maktub doesn’t just demand a ransom, it increases the fee – which is to be paid in bitcoins – as time elapses.

A website associated with the malware explains that during the first three days, the fee stands at 1.4 bitcoins, or approximately £400. This rises to 1.9 bitcoins, or £550, after the third day.

The phishing emails tell recipients that they owe money to British businesses and charities when they do not.

One remarkable feature of the scam emails was the fact that they included not just the victim’s name, but also their postal address.

Many have noted that the addresses are generally highly accurate.

According to Dr Steven Murdoch, a cybersecurity expert at the University of London, it’s still not clear how scammers were able to gather people’s addresses and link them to names and emails.

The data could have come from a number of leaked or stolen databases for example, making it hard to track down the source.

Several people contacted the You and Yours team to say that they were concerned data might have been taken from their eBay accounts, as their postal addresses had been stored there in the same format as they appeared in the phishing emails.

The UK’s national fraud and cybercrime reporting centre has been flooded with queries from people targeted by the scam.

“We have been inundated with this,” said deputy head Steve Proffitt. “At Action Fraud on Monday we received an additional 600 calls and from then onwards we’ve received 500 calls to our contact centre a day,” he added.

Mr Proffitt advised people who had received the phishing emails to under no circumstances click on the link, but instead delete the message from their system and inform Action Fraud.

Referring specifically to Maktub and the approach taken by the phishers, Dr Murdoch said he believed the scam was “significant” in more ways than one.

“It also appears to be quite widespread – I’ve heard about it from multiple sources so it seems like they were fairly successful getting a lot of these sent out,” he told the BBC.

He added that it was hard to know how to advise people who were unfortunate enough to have their files encrypted by ransomware.

For some individuals without backups, paying the ransom might be the only way to retrieve their data.

“However, every person that does that makes the business more valuable for the criminal and the world worse for everyone,” he said.

From:  http://www.bbc.co.uk/news/technology-35996408#sa-ns_mchannel=rss&ns_source=PublicRSS20-sa

Ransomware targets Apple Mac computers

Security researchers have found malware to encrypt Apple Mac computers and demand ransom to unlock them.

Security researchers have found malware to encrypt Apple Mac computers and demand ransom to unlock them
Mac computers tend to be regarded as relatively safe from attack, but the migration of so-called ransomware targeting the Microsoft Windows operating system to Apple’s Mac OS X is yet another indicator that things are changing.

Mac users need to be more vigilant and aware of the risks, while cyber security professionals need to equip themselves to identify and quickly respond to this new malware threat, especially in having a pragmatic approach in place for managing extortion-style threats, say security industry pundits.

“As Apple computers and devices become more popular with corporate IT departments, there’s a recognition by attackers that valuable data and resources are available by targeting Mac users,” said Vann Abernethy, chief technology officer at security firm NSFOCUS IB.

“These types of attacks will become increasingly common as the platform gains acceptance within the enterprise world, just as Microsoft Windows is targeted for similar reasons,” he said.

Ransomware is currently one of the most popular ways for cyber criminals to extort money from individuals and organisations in the form of the unregulated bitcoin cryptocurrency.

According to the UK National Crime Agency, ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services.

The newly discovered KeRanger ransomware targeting Mac was discovered hidden in a version of the Transmission BitTorrent client by researchers from security firm Palo Alto Networks.

Businesses are still getting caught by ransomware, despite the fact that there are fairly straightforward methods to avoid it.

Like its Windows counterparts, KeRanger encrypts files on infected computers with a strong encryption algorithm and contains a payment process enabling the victim to purchase decryption for 1 bitcoin- currently worth around £290.

A special feature of KeRanger is a three day delay after infection, which researchers believe was aimed at getting as many users to download the infected version of the Transmission client before its hidden payload was revealed.

By hiding the ransomware in the Transmission client for downloading and sharing BitTorrent files, attackers were attempting to bypass Mac OS security because the Transmission software is signed with a valid developer certificate, causing the Mac operating system to consider it safe and allow installation.

The discovery of Keranger is a sign that Mac users need to be educated on basic information security practices, just like Windows users have been over the past 10 to15 years.

Small business risks cyber attack damage

Small businesses are underestimating the impact a cyber attack would have on their reputation and must take steps to protect themselves.

Small businesses are underestimating the impact a cyber attack would have on their reputation and must take steps to protect themselvesThe warnings come as a result of research published according to the findings of the Small Business Reputation and the Cyber Risk report, by the Government’s Cyber Streetwise campaign and KPMG.

Less than a quarter of small businesses cite cyber security as a top concern, but it’s of vital importance to consumers and within the supply chain.

The impact of a cyber attackbreach can be huge and long lasting, affecting brand, client retention and ability to win new business.

In the past few years there has been a rapid expansion in the development and adoption of new communications technologies which continue to transform Government, business and the ways in which we interact with each other. Cyber crime undermines confidence in our communications technology and online economy.

There were an estimated 5.1 million incidents of fraud and 2.5 million incidents falling under the Computer Misuse Act recorded last year (ONS, 2015). Add in recent high profile hacking cases and the issue of cyber security is now more important than ever.

Cyber Streetwise and KPMG surveyed 1,000 small businesses and 1,000 consumers across the UK to assess how small businesses feel about cyber security, how they are protecting themselves and the impact of a cyber breach on their reputation.

Key cyber security research findings:

  • Cyber security was cited as one of the top concerns by less than a quarter of small businesses (23%), yet it is fast becoming the only way to do business:
  • 83% of consumers surveyed are concerned about which businesses have access to their data and 58% said that a breach would discourage them from using a business in the future.

Recently published KPMG Supply Chain research supports this; 94% of procurement managers say that cyber security standards are important when awarding a project to an SME supplier and 86% would consider removing a supplier from their roster due to a breach.

UK small businesses value their reputation as one of their key assets. Yet they are hugely underestimating the likelihood of a cyber breach happening to them and its long term impact:

60% of small businesses surveyed have experienced a cyber breach, but only 29% of those who haven’t experienced a breach cited potential reputational damage as an ‘important’ consideration.

The impact of a cyber breach can be huge and long lasting. 89% of the small businesses surveyed who have experienced a breach said it impacted on their reputation.  Those who experienced a breach said the attack led to:
Brand damage (31%)
Loss of clients (30%)
Ability to win new business (29%)

Quality of service is also a risk. Those surveyed who experienced a cyber breach found it caused customer delays (26%) and impacted the business’ ability to operate (93%).

The full report was published at: https://home.kpmg.com/uk/en/home/insights/2016/02/small-business-reputation-and-the-cyber-risk.html

Cyber criminal activity by UK teens grows

More than 10% of UK teens say they know someone who has engaged in an illegal cyber activity, a survey has revealed.

More than 10% of UK teens say they know someone who has engaged in an illegal cyber activity, a survey has revealed.The survey was commissioned and published by security firm Kaspersky Lab to mark Safer Internet Day 2016 yesterday- which aims to promote the safe, responsible and positive use of digital technology for children and young people.

The survey also found that just over one third of respondents would be impressed if a friend hacked a bank’s website and replaced the homepage with a cartoon, and one in 10 would be impressed if a friend hacked the air traffic control systems of a local airport.

When asked how they would feel if a friend found their way into a celebrity’s online email account and discovered lots of private pictures, 18% said they would be impressed, and 17% would be impressed if a friend managed to obtain all the names and addresses of people who had bought adult films online.

More than a quarter of respondents said they knew how to hide their IP address, 41% said they knew about malware, 44% knew about phishing, 24% knew about distributed denial of service (DDoS) attacks, 17% knew about ransomware, and 13% knew about crypto-malware.

Recent research by the National Crime Agency (NCA) revealed the average age of a cyber criminal is now just 17, raising concern that youngsters are increasingly becoming involved in cyber crime, many of them unwittingly.

In the light of this finding, public awareness and understanding of the online behaviour of young people is vital, said David Emm, principal security researcher, Kaspersky Lab.

“It’s frighteningly easy for teenagers to find their way into the dark corners of the internet today as they explore and experiment or take their first steps towards making some easy money online by searching for tools and advice,” he said.

Once lured in, youngsters are vulnerable to exploitation by cyber criminals who use them to distribute and create malicious software or help launder funds from cyber crime, said Emm.

UK based criminals were the second highest originators of cyber crime attacks after the US in the second quarter, according to ThreatMetrix. Rising cyber crime suggests criminal law does not deter criminals and that a better legal solution is required to prevent further rises.

The survey also revealed misguided loyalty among teenagers. When asked what they would do if a friend was doing things online that could be illegal, more than half said they would tell the friend to stop, but would not tell anyone else.

One third said they would not get involved, 22% said they would ask about it but not join in, and only 21% said they would report it to the police.

The NCA recently launched a campaign aimed at preventing young people from becoming involved in cyber crime.

The Safer Internet Day 2016 campaign website provides guidance for parents and teachers on how to recognise signs of cyber criminal involvement and ways of encouraging the positive use of cyber skills.

SME’s poor security practices targeted by ransomware

SME’s poor security knowledge and practices are being targeted by ransomware.

SME's poor security knowledge and practices are being targetted by ransomware.It is important not to underestimate the scale of ransomware attacks or to believe that you are safe if you are not a Microsoft user, as the first attacks on Android devices were identified in 2011.

According to one industry report, the number of cyber ransomware attacks increased in 2014 by more than 4,000%, with small to medium sized enterprises (SMEs) being the main target due to poor security practices.

On the technical side, we can have spam, malware and bad URL detection engines or services that can be installed in networks – generally as part of an internet security appliance or firewall – rather than individual boxes installed in front of email servers.

The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet related operations such as file transfer and remote access.

There are also a number of very good commercial cloud based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Even with the best spam, malware and URL detection services, some emails that could form the start of a ransomware attack may get through. These emails contain a URL link that, when clicked, will take the user’s web browser to a website that will attempt to download the ransomware.

These emails could not have been detected as malicious for a number of reasons, such as the URL being too new to have been identified as malicious; the patching or updating of an onsite box being out of date; or the URL pointing to a perfectly legitimate website that has been compromised in preparation for a watering hole attack.

The rise in legitimate websites being compromised for the purposes of executing watering hole attacks as a way of delivering malware – including ransomware – means enterprises need to add malware detection to web browsing activities.

Protecting against a ransomware attack

Having got the technical side sorted according an enterprise’s risk appetite and budget, what else can be done to help protect against a successful ransomware attack?

Staff awareness training and regular follow up initiatives are key. It is important to make staff aware that unexpected emails – even from known sources – are suspicious, particularly those that require a URL link to be activated.

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups with at least one copy that is held off network will be vital in service restoration. Note that the off network backup itself should not be used as is, but copied. The copy should then be used to bring the network back, which will protect the good backup from being compromised.