Faulty ransomware makes data unrecoverable

Faulty coding in a ransom program that encrypts data means anyone hit by the Power Worm virus will not be able to recover files.

Normally, viruses known as ransomware decrypt files and data is recoverable when victims have paid a substantial fee.

But one variant of Power Worm destroys keys that could help recover any data that it scrambled.

Power Worm infects Microsoft Word and Excel files, but its latest, poorly written update goes after many more types of data files it finds on a victim’s machine.

The news comes as hackers produce new ransomware that is aimed at websites and encrypts data sitting on servers.

Malware researcher Nathan Scott discovered the variant and uncovered the mistakes its creator made when updating it.

Mr Scott believes the errors arose when the creator tried to simplify the decryption process. They tried to make it use just one decryption key but mangled the process of generating it. As a result, there is no key created for the files it encrypts when it compromises a computer.

There is unfortunately nothing that can be done for victims of this infection. If you have been affected by this ransomware, your only option is to restore from a backup.

The one consolation is that anyone attacked by the Power Worm should not pay the 2 bitcoin (about £500) ransom it asks for, because they will not get any data back.

Many ransomware gangs accept payments in bitcoins and make a lot of money from each victim, as bitcoins are not traceable.

Ransomware is proving increasingly popular with hi-tech thieves and one group has now extended its list of potential targets to web servers that run Linux.

Russian anti-virus firm Dr Web has discovered a novel ransomware variant called Linux.encoder that tries to infect sites via add-ons such as shopping systems that many of them use.

Once it lands on a server, the software encrypts any files, images, pages, scripts and stored source code it finds on the machine’s main and back-up directories. Linux.encoder leaves behind a text file detailing how victims can pay the 1 bitcoin ransom required to recover their data.

Changing approaches to cyber-theft

“In the volume cybercrime space, ransomware is one of the most prolific problems we face,” said Greg Day, chief security officer for Europe at Palo Alto Networks.

“Credit card theft is getting to the point where the value of each card is very low. As a result ransomware has stepped into that gap and gives a higher value for each victim.”

Research by Palo Alto Networks and industry partners suggests the well-known Crypto Wall family of ransomware has generated about £215 million for the gang behind it.

“The return is so much better,” Mr Day said. “That’s why it’s escalated to such a level.”

He said regularly backing up data would help people and companies avoid having to pay criminals if they got caught out by ransomware.

Secure email firm Protonmail paid a ransom after DDoS web attacks

Secure email firm Protonmail, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website.

The criminals behind the web attacks said the payment would stop the deluge of data hitting the site. But despite paying up, the web attacks continued, leaving Protonmail struggling to operate.

It has now launched a fundraising drive to raise cash to tackle any future attacks.

In a blogpost, Protonmail said it received an email on 3 November that contained a threat to attack its website unless it paid a ransom of 15 bitcoins (£3,640).

Protonmail did not respond to the message and, soon afterwards, was hit by what is known as a distributed denial of service (DDoS) attack. This tries to knock a server offline by bombarding it with more data than it can handle.

Protonmail is a free, web-based, encrypted email service that needs its site up and running to serve customers.

The first attack knocked out Protonmail for about 15 minutes and then stopped. A second attack the next day was much bigger and overwhelmed efforts by the email firm and its ISP to stop it.

“This co-ordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just Protonmail,” it said on the blog.

In a bid to halt the attack, Protonmail said it “grudgingly” paid the 15 bitcoin ransom.

However, it said, this did not stop the attacks which continued to cause problems for many other firms.

Eventually, Protonmail’s ISP took action to remove the company’s site from the net to stem the flow of data.

Post-attack analysis suggests Protonmail was targeted in two phases, the company said. The first aided the ransom demand but the second was “not afraid of causing massive collateral damage in order to get at us”.

Switzerland’s national Computer Emergency Response Team (Cert), which helped Protonmail cope, said the attack was carried out by a cybercrime group known as the Armada Collective. This group has also targeted many other Swiss web companies over the last few weeks, the team said.

It said anyone who received ransom email should not pay up. Instead, they should talk to their ISPs about the best way to defend themselves against attacks.

Protonmail said that despite its work to harden itself against attack, it was still vulnerable to DDoS data deluges. It said it planned to sign up with a commercial service that can defend against the attacks but this would be likely to cost it more than £66,000 a year.

“We are fighting not just for privacy, but for the future of the internet,” it said.

TalkTalk hack affected 157,000 customers

TalkTalk has said the personal details of nearly 157,000 of its customers were accessed in the cyber-attack on its website.

More than 15,600 bank account numbers and sort codes were stolen, the company said.

This week police released a 16-year-old boy on bail who was the fourth person arrested in connection with the hack.

Since news of the cyber-attack emerged, TalkTalk shares have lost about a third of their value.

The firm said 4% of TalkTalk customers have sensitive data at risk. It confirmed that the scale of the attack was “much more limited than initially suspected”.

TalkTalk said:

  • 156,959 customers had personal details accessed
  • Of those customers, 15,656 bank account numbers and sort codes were stolen
  • 28,000 stolen credit and debit card numbers were “obscured” and “cannot be used for financial transactions”.

Customers whose financial details were stolen have been contacted, and the firm will contact other affected customers “within the coming days”.

The cyber attack on TalkTalk’s website happened on 21 October, it added.

Details that TalkTalk previously said had been stolen included names, addresses, dates of birth, telephone numbers and email addresses.

In October, the firm described the attack as “significant and sustained”, but said it was too early to say which data had been stolen.

It initially said that all of its customers may have been affected, but later revised its estimate.

Four people have been arrested over the hack so far: a boy of 15 in Northern Ireland, a 16-year-old boy from west London, a 20-year-old Staffordshire man, and a 16-year-old boy in Norwich. All four have been released on bail.