Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it is hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Threat Recap: Week of August 22nd

This week’s Threat Recap covers everything from ‘Fantom’, the new ransomware that disguises itself as a Windows update, to hackers using Facebook photos to trick facial-recognition logins.


Decryption Keys Released for Wildfire Ransomware

Researchers have announced the public availability of decryption keys for users affected by the Wildfire ransomware variant. This variant focused mainly on Dutch email domains and infected over 5,300 systems in the last month alone. Victims were infected after opening a fake delivery form sent as an email attachment, and were then asked for a ransom of 1.5 bitcoin.

Android Botnet Receiving Commands from Twitter

A new Android app called Android/Twitoor has been used as a backdoor to spread malware onto smartphones. By having the malware check several Twitter accounts periodically, the app can receive updates without the malware authors needing to maintain their own command and control servers. Windows-based Twitter botnets have been in use for several years now, but an Android-based version is a much newer practice, and a concerning one, as users rely more and more on mobile devices for everyday banking, communication, etc.

Fantom – New Ransomware Disguised as Windows Update

A new ransomware variant called Fantom has been discovered in the wild. It disguises itself as an important Windows update while it encrypts the victim’s files. Once executed, the malware runs a file called WindowsUpdate.exe and displays a locked splash screen showing an update in progress. Once encryption is complete, the user is left with an ominous wallpaper and files carrying the added ‘.fantom’ extension.

iOS Vulnerabilities Used to Target Foreign Activist

Three previously unknown vulnerabilities in Apple’s iOS were used to spy on human rights activist Ahmed Mansoor. It is believed Mansoor received an SMS message containing a malicious link that was used to infect the smartphone with data-stealing software. Apple has since patched the vulnerabilities, though it is still unknown how the attackers obtained them, as exploits of this kind are highly valuable.

Hackers Use Facebook Photos to Fool Facial-Recognition Logins

Biometrics are becoming a more widely deployed form of authentication, and it was only a matter of time before criminals found a workaround. Using some simple Internet searching for photos and software that builds a 3D facial model from them, researchers were able to bypass 80% of the facial-recognition authenticators they tested. Even more worrisome, the 3D rendering software let them simulate movement of certain facial features and so pass some of the “liveness” checks.

Threat Recap: Week of August 15th

This week’s Threat Recap covers everything from the latest retailer succumbing to malware to a possible hack of the NSA. Read up on five of the latest threat happenings to stay informed and up to date.

Eddie Bauer Stores Compromised

Point of sale systems at several Eddie Bauer stores across North America have reportedly been compromised. Eddie Bauer states nearly all of its 350 stores may be affected. In its official statement, the company assured customers that only in-store purchases were at risk and that those shopping through its website weren’t impacted.


Hospitals Remain a Prime Target for Ransomware

The big score for cyber criminals is usually an international corporation; however, hospitals are quickly becoming the most commonly targeted organizations for ransomware attacks. Reliance on outdated security measures makes health care facilities tempting targets. The latest of these attacks come from email phishing campaigns carrying macro-based malware, which runs as soon as the recipient enables macros in the Office 2007 document.


Possible NSA Hack Reveals Zero-day Vulnerabilities

Claims of an NSA hack surfaced this week, with several of the agency’s exploit tools publicly released along with information on several zero-day bugs in Cisco and Juniper Networks software. Both companies have begun patching vulnerabilities that may have been exploitable for years, unknown to all but the NSA. This is not the first time the NSA has held onto zero-day exploits for its own purposes rather than having them fixed, but it does raise the question of how many more it still has.


SMS Scam Targets Empathetic Users

Many mobile users in the UK have been victims of a new SMS scam. The message pretends to come from an acquaintance who has been in a serious accident and needs a text reply. Some victims report a message appearing to come from their child, urgently requesting a reply to an unknown number. Those who fell for it were charged £20 for the reply, sent in the hope of helping an injured friend.


Student Loan Phishing Scheme Ready for New School Year

The Student Loans Company, based in the UK, has warned its customers about fake emails requesting both personal and financial information. The fake emails appear easy to spot, as they tend to contain spelling errors and address their targets vaguely rather than by name.

Nemucod Ransomware Analysis

Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is ransomware that renames files to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months and several different methods have been used, but one constant has remained: it is deployed via bogus shipping invoice spam email. The JavaScript attached to the spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it is easy to modify and re-deploy, which has largely allowed it to slip past antivirus and spam email protection. However, a flaw was found in the encryption routine which allows victims to recover their files.

  • January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
  • March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
  • April 2016: 7-Zip used instead which created an archive to password protect files
  • April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable and performs the encryption of the first 1024 bytes of each targeted file
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example:

After opening the spam email attachment, you can see that the file inside is a JavaScript file disguised as a “.doc”. The file appears to be a .doc to users who have the folder option “hide extensions for known file types” enabled, since Windows then displays a name such as invoice.doc.js as simply invoice.doc.
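As an added example (not code from the original post or from Webroot), here is a Python check of the kind a mail gateway or triage script would run over an attachment: it opens a zip held in memory and flags members whose real final extension is a script or executable type, especially where a document-looking extension precedes it and would be the only part shown with extensions hidden. The sample archive and its member names are constructed for the example, and the extension lists are assumptions rather than anything the post specifies.

```python
import io
import re
import zipfile

# Extensions Windows hands to a script host or loader when double-clicked.
# Assumed list for the example; extend to taste.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "cmd", "bat", "ps1"}
# Extensions a lure borrows so the name looks like a document or picture.
LURE_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}


def classify_name(name):
    """Return the reasons an archive member name looks like a disguised script.

    With "hide extensions for known file types" on, Explorer shows
    "invoice.doc.js" as "invoice.doc", so the check looks at the real
    final extension and at what precedes it. An empty list means nothing odd.
    """
    base = name.rsplit("/", 1)[-1]
    parts = [p.strip() for p in base.lower().split(".")]
    reasons = []
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in SCRIPT_EXTS:
        reasons.append(f"final extension .{last} is executable")
        if len(parts) >= 3 and parts[-2] in LURE_EXTS:
            shown = ".".join(parts[:-1])
            reasons.append(f"double extension: displayed as '{shown}' when extensions are hidden")
    # Runs of spaces push the real extension out of a narrow name column.
    if re.search(r" {5,}\.", base):
        reasons.append("padding spaces before the final extension")
    return reasons


def scan_zip_bytes(data):
    """Inspect a zip archive held in memory; map each flagged member to its reasons."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip():
    """Constructed sample attachment for the example (not a real Nemucod file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shipping_invoice_4921.doc.js", "/* constructed stand-in, not malware */")
        zf.writestr("terms.pdf", "%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

The check is deliberately name-based so it can run before any content inspection; it catches the exact trick the screenshot relies on, a script whose displayed name ends in .doc.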

Javascript Analysis:

Upon first opening the sample, it is clear that it is heavily obfuscated; this is by design, to thwart AV analysis and static detection.

Nemucod Java

After de-obfuscating the script, I found that several compromised domains are used to host multiple files that are used later in the execution routine. Of the downloaded files, two (a1.exe and a2.exe) serve as backdoors on the system: a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on Windows, the third and fourth files downloaded (a.exe and php4ts.dll) are a portable PHP interpreter, which is what allows the ransomware itself (a.php, the fifth file downloaded) to run.

Nemucod Java 2

Nemucod Java 3

Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection. The obfuscation techniques below either use chr() to express each character of the script as its ASCII code, or use array() to store the script as a list of fragments that are joined and eval’d at runtime.

Examples of Obfuscated ransomware variants:

chr()

Nemucod chr

To de-obfuscate, I converted all of the chr() values to ASCII characters and then base64-decoded the resulting string to get the original script.

Array()

Nemucod Array

To de-obfuscate, I echoed the output of implode() for all of the arrays (and removed the eval) by appending the following to the end of the script:

;echo implode($f, ''); ?>
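The two de-obfuscation steps above (chr() values to characters, then base64; array() fragments imploded) are mechanical enough to script. The Python below is an added example, not the original author’s tooling: it builds constructed stand-ins for both obfuscation layers (the payload text is a harmless placeholder, not the real a.php body) and then peels them off, including the case where the array() layer wraps the chr() layer. Function names are assumptions for the example.

```python
import base64
import re

# Constructed stand-in for the a.php body. The real script is not reproduced;
# any short PHP text works because the layers do not care what they wrap.
PAYLOAD = 'set_time_limit(0); echo "demo";'


def obfuscate_chr(script):
    """Build the chr() layer: eval(base64_decode(chr(N).chr(N)...))."""
    b64 = base64.b64encode(script.encode()).decode()
    body = ".".join(f"chr({ord(c)})" for c in b64)
    return f"<?php eval(base64_decode({body})); ?>"


def obfuscate_array(script, chunk=5):
    """Build the array() layer: $f=array("..","..",...); eval(implode($f,''));"""
    parts = [script[i:i + chunk] for i in range(0, len(script), chunk)]
    quoted = ",".join('"' + p.replace("\\", "\\\\").replace('"', '\\"') + '"' for p in parts)
    return f"<?php $f=array({quoted}); eval(implode($f,'')); ?>"


CHR_RE = re.compile(r"chr\(\s*(\d+)\s*\)")
DQ_STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one PHP double-quoted literal


def deobfuscate_chr(text):
    """Join every chr(N) into a string; base64-decode it if it really is base64."""
    joined = "".join(chr(int(n)) for n in CHR_RE.findall(text))
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error subclasses ValueError: not base64, keep raw text
        return joined


def deobfuscate_array(text):
    """Collect the double-quoted fragments after array( and implode them.

    Fragments are read from the literal onward rather than up to the first ')',
    because the script text inside the fragments contains ')' characters itself.
    """
    start = text.find("array(")
    if start < 0:
        return None
    frags = DQ_STR_RE.findall(text[start:])
    return "".join(re.sub(r"\\(.)", r"\1", f) for f in frags)


def deobfuscate(text):
    """Peel array() and chr() layers in whatever order they were applied."""
    current = text
    while True:
        if "array(" in current and "implode(" in current:
            nxt = deobfuscate_array(current)
        elif CHR_RE.search(current):
            nxt = deobfuscate_chr(current)
        else:
            return current
        if nxt is None or nxt == current:
            return current
        current = nxt


if __name__ == "__main__":
    wrapped = obfuscate_array(obfuscate_chr(PAYLOAD))
    print(wrapped[:80] + "...")
    print(deobfuscate(wrapped))
```

Working on the text rather than running it through a PHP interpreter avoids executing anything from the sample; the only interpretation is of chr() numbers and string literals.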

De-obfuscated:

Nemucod php

The PHP script first calls set_time_limit(0); so that the interpreter’s default execution time limit does not stop it part-way through the file system.

A recursive TREE function uses preg_match against folder names to skip the following locations (system and temporary folders, matched case-insensitively anywhere in the name):

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a folder does not match, the script opens the directory and checks each entry with is_dir; for each subdirectory it calls TREE again, so the loop continues to check whether each object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching one of those extensions is found, the script opens it as the file handle “$fp” and reads from it with fread() into a new variable “$x”.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of the file, a for loop walks over them (bounded by strlen) and combines each byte with the key $k, a base64 string, to produce the encrypted head. Only that prefix of each file is changed; the remainder is left intact.
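To make the file-selection logic concrete, here is an added Python model of the walk described above (example code, not the a.php script itself). It runs the post’s folder-skip regex and a subset of its extension regex over a constructed in-memory directory tree, touches only the first 1024 bytes of each selected file, and renames the result to .crypted. The post does not show the operation inside the encryption loop; the example assumes repeating-key XOR, matching the March 2016 variant in the timeline above, so recovery needs only the key $k. KEY and the sample tree are constructed for the example.

```python
import re

# Folder names the a.php TREE() routine skips. The list is unanchored and the
# match is case-insensitive, so "Program Files" (program) and
# "Temporary Internet Files" (temp, temporary) are skipped as well.
SKIP_DIR_RE = re.compile(
    r"winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming"
    r"|msoffice|temporary|cache", re.I)
# A subset of the post's extension alternation, anchored to the end of the name.
TARGET_EXT_RE = re.compile(
    r"\.(zip|rar|7z|xls|xlsx|doc|docx|pdf|rtf|ppt|pptx|cpp|py|sql|csv"
    r"|jpg|jpeg|mp3|mp4|vmdk|iso)$", re.I)
HEAD_LEN = 1024  # only this many leading bytes are touched

# Constructed in-memory tree: dicts are folders, bytes are file contents.
SAMPLE_FS = {
    "Windows": {"System32": {"drivers.doc": b"never reached: under a skipped folder"}},
    "Program Files": {"App": {"manual.pdf": b"skipped via the 'program' match"}},
    "Users": {
        "alice": {
            "AppData": {"Roaming": {"cache.sql": b"skipped via 'appdata'"}},
            "Documents": {
                "budget.xlsx": b"x" * 2000,
                "notes.txt": b"not in the extension list",
                "thesis.docx": b"PK constructed header",
            },
        }
    },
}
KEY = "c29tZS1iYXNlNjQta2V5"  # constructed; stands in for the base64 string $k


def select_targets(tree, prefix=""):
    """Recursive walk modelled on TREE(): descend folders not matching the skip
    list and collect files whose extension matches. Returns sorted paths."""
    hits = []
    for name, node in sorted(tree.items()):
        path = prefix + name
        if isinstance(node, dict):
            if SKIP_DIR_RE.search(name):
                continue
            hits.extend(select_targets(node, path + "/"))
        elif TARGET_EXT_RE.search(name):
            hits.append(path)
    return hits


def xor_head(data, key):
    """Repeating-key XOR over the first HEAD_LEN bytes; the tail is copied as-is.
    XOR is the assumed operation (as in the March 2016 variant); it is its own inverse."""
    kb = key.encode()
    if not kb:
        raise ValueError("empty key")
    head = bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data[:HEAD_LEN]))
    return head + data[HEAD_LEN:]


def simulate(tree, key):
    """Pure model of the ransomware pass: returns {path + '.crypted': new bytes}
    for every selected file. Nothing on disk is touched."""
    out = {}
    for path in select_targets(tree):
        node = tree
        for part in path.split("/"):
            node = node[part]
        out[path + ".crypted"] = xor_head(node, key)
    return out


def recover(blob, key):
    """Undo xor_head given the key; strip '.crypted' from the name separately."""
    return xor_head(blob, key)


if __name__ == "__main__":
    for name, blob in simulate(SAMPLE_FS, KEY).items():
        print(name, len(blob), "bytes; head changed:", blob[:HEAD_LEN] != recover(blob, KEY)[:HEAD_LEN])
```

Two things the model makes visible: the skip regex is broad (anything under Program Files or AppData is never touched), and because only the first 1024 bytes change, a recovered key restores a file completely while a missing key still leaves everything past that offset readable by a carver.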

 

If you have found yourself a victim of this ransomware, please submit a support ticket.

Ransomware for Thermostats

We all know that the Internet of Things (IoT) is the future and that everything from your refrigerator to your toaster may eventually connect to the internet. With that being the case, it’s important to remember that these connected devices need to be designed with security in mind. On Saturday at the DEF CON hacking conference in Las Vegas, Andrew Tierney and Ken Munro showcased a ‘smart’ thermostat hack in which they installed encrypting ransomware onto the device, fortunately only as a proof of concept. Check it out:

thermostat

The hacked thermostat (shown in the screenshot above) runs a Linux operating system and has an SD card slot so owners can load custom settings and wallpapers. The researchers found that the thermostat didn’t check what files were being loaded or executed. In practice, this would allow attackers to hide malware inside a file that looks like a picture and fool users into copying it onto their thermostat, where it would run automatically. At that point, the attackers would have full control of the device and could lock the owner out. “It actually works, it locks the thermostat,” Munro said. This bears out predictions made by others in the security industry.

Despite that tweet, Tierney and Munro declined to confirm the brand of the thermostat they hacked. Because the test was so new, the researchers had not yet disclosed the vulnerability to the manufacturer when they showcased it, but the plan is to disclose the bug today. They also said that the fix should be easy to deploy. While this ransomware isn’t an immediate threat to anyone using smart devices in their homes today, the point has been proven that it’s very possible to create ransomware for these new and emerging IoT devices. “You’re not just buying [Internet of Things] gear,” Tierney warned, “You’re inviting people on your network and you have no idea what these things do.”

Threat Recap: Week of August 1st

There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Banner Health Warns Patients Over Cyber Attack

Banner Health has begun notifying nearly 4 million of its patients about a possible data breach that occurred around the start of July. Along with patient information, the credit card processing systems at refreshment outlets in three Tucson facilities were affected. Officials state that not all of the organization’s 29 locations were targeted. Patients of the affected sites are being notified by mail.

http://tucson.com/news/local/banner-health-notifying-million-people-of-cyber-attack/article_81861b1e-59b9-11e6-87fe-b3263dd6bd7d.html

Apple Uses Bug Patch To Cease Jailbreaking of iOS

With the most recent update of iOS (9.3.4), Apple resolved a vulnerability that could allow unauthorized code execution. The bug was found by Team Pangu, a prominent group in the jailbreaking community. The patch also means that current jailbreaking tools may no longer work on the new version of iOS, but that likely won’t slow down developers who update their jailbreaking tools just as quickly.

http://arstechnica.com/apple/2016/08/apple-thwarts-jailbreakers-with-ios-9-3-4-update/

iPhone Phishing Emails Getting More Convincing

Email phishing attempts are looking ever more convincing, and Apple users are the latest target. Users have recently been receiving order confirmations for new iPhones with an incorrect shipping address and a single link for anyone wanting to report that they didn’t authorize the purchase. The wrong shipping address is the hook: many recipients would overlook the rest of the email in their hurry to stop the transaction. Those who click the link are taken to a fake Apple login page that requests payment information to “cancel” the order.

https://www.helpnetsecurity.com/2016/08/05/fake-iphone-order-dispatch/

Iris Scanning For Mobile Hits The Market

Samsung has announced its new Galaxy Note 7, which includes a feature meant to replace passwords on mobile devices and PCs in the near future: iris scanning. Using an infrared scanner on the front of the device, users can unlock their Galaxy phones with a glance. While Samsung is not the first company to offer iris scanning, it is expected to become available from other manufacturers soon, including Microsoft, which is looking to use it with Windows 10.

http://www.csoonline.com/article/3103516/security/kill-a-smartphone-password-with-a-scan-of-your-eye.html

Brazilians Target of Latest Zeus Variant

With the Rio 2016 Olympic games a mere day away, more bad news is plaguing Brazilians and visitors alike. A recent variant of the Zeus trojan, labeled Panda Banker, has set its sights on many of the largest Brazilian banks and other local services. Like many other trojans, this variant is spread through spam email and exploit kits, but it performs account takeover in real time, holding the victim in a loop of pop-up windows while the account is compromised.

https://www.helpnetsecurity.com/2016/08/05/zeus-panda-steals-everything/

Chimera Keys Leaked From Rival Ransomware Author

Encrypting ransomware is so popular now that competitors will sabotage one another to get the upper hand. This is refreshing for victims, who reap the benefit of these clashes between cybercriminals. ‘Chimera Ransomware’ has just had its keys leaked to the public, which is fantastic news for anyone who has been a victim of it.

Chimera Ransomware

@JanusSecretary (presumed author of Mischa and Petya) was quick to tweet the news.

The keys are linked here as a zip of a text file containing over 3,500 keys. Below is a summary of the leak, which explains that Mischa used Chimera source code. While the authors of Mischa and Chimera are not affiliated, the Mischa side did get access to large parts of Chimera’s development system.

pastebin

This gave access to the decryption keys that have now been released. With the keys public, it shouldn’t be long before a decryption tool is created for all Chimera victims.

Also included is a shameless plug for his RaaS (Ransomware as a Service) portal, where anyone can create new ransomware payloads.

RaaS

For any successful ransoms that result in payment, Janus takes a cut scaled to how successful the campaign is. For a complete rundown of RaaS variants, check out our blogs on the Ransom32 and Encryptor RaaS samples.

Threat Recap: Week of July 25th

There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Wireless Keyboards Found To Be Vulnerable To Radio Hack

A recent study showed that a large number of wireless keyboards use no encryption when sending keystrokes to their computer, leaving them readable by anyone with the right radio equipment. The common factor among the affected models was that they don’t use Bluetooth to connect to the computer; instead they use non-standard radio protocols of their own, which lack Bluetooth’s built-in encryption.

https://www.wired.com/2016/07/radio-hack-steals-keystrokes-millions-wireless-keyboards/

Researchers Net $22,000 From Pornhub’s Bug Bounty Program

The adult site, which averages over 60 million daily visits and has nearly 4 million registered accounts, is a lucrative target for cyber criminals. With a large monetary reward on offer, two researchers set out to break into Pornhub’s main site with the goal of achieving remote code execution. By exploiting several vulnerabilities in PHP, they gained the ability to dump the entire Pornhub database to a remote server, which earned them the bounties offered by HackerOne and Pornhub itself.

http://www.infosecurity-magazine.com/news/pornhub-hacked-to-access-billions/

CryptXXX Thriving With Neutrino Exploit Kit

After the widely used Angler exploit kit died off back in June, many expected CryptXXX (which was delivered through Angler) to decline as well, but the opposite has happened. By switching to the Neutrino exploit kit, CryptXXX has extended its reach further, now arriving via compromised WordPress sites as well as through the usual Flash Player and Java vulnerabilities. Once the victim lands on the infected page, the ransomware payload is dropped and a ransom note with payment instructions is displayed, along with a warning that the ransom amount will double after 5 days.

https://www.webroot.com/blog/2016/07/22/cryptxxx-utilizes-new-exploit-kit/

Windows 10 Vulnerability Allows for Bypass of User Account Control

Researchers have discovered a method for running a malicious DLL on a Windows 10 machine without triggering the User Account Control prompt that normally warns about elevated privileges. By replacing one of the DLLs loaded by the Disk Cleanup application with a malicious version of the same name, they had their code executed with administrator privileges, with no user input or verification needed.

https://www.helpnetsecurity.com/2016/07/26/user-account-control-bypass/

Turkish Gas Provider Targeted by Anonymous

In its latest hacktivist operation, OpTurkey, Anonymous has taken aim at a Turkish gas company’s website in protest of local government officials’ activities and their relationship with the company’s top executives. The attackers accessed the personal and financial records of nearly 500 individuals and subsequently posted them online.

http://www.scmagazineuk.com/anonymous-breaches-turkish-natural-gas-company/article/512101/

Threat Recap: Week of July 18th

There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Rio Olympics: A Cyberthreat Goldmine

With the 2016 Olympic games right around the corner, the event is already anticipated to be a prime target for cyber criminals. With lax cyber-crime laws in Brazil and local hackers well versed in banking data theft, visitors to Rio should be cautious of suspicious emails and of ATMs and card readers that could contain malware. Mobile users should also be wary of unsecured WiFi networks, since there is no way to tell who else is monitoring the traffic.

http://www.csoonline.com/article/3098305/security/hackers-are-targeting-the-rio-olympics-so-watch-out-for-these-cyberthreats.html

Pokémon Go Spawn Locations Revealed

In the weeks since Pokémon Go’s release, the game has swept the world, giving players an incentive to explore their surroundings and interact with other players. Some users have taken the hunt a step further: by monitoring the data traffic between the app and the Pokémon Go servers, they produce a Google Maps overlay showing every local Pokémon currently spawned. While this breaches Niantic’s terms of service, the users in question see it as a service to other players rather than personal gain.

http://arstechnica.com/gaming/2016/07/how-hackers-are-revealing-the-hidden-pokemon-go-monsters-all-around-you/

Two-Factor Authenticated Calls Exploited for Major Profits

Many service providers deliver two-factor authentication codes by voice call. One researcher found a way to have hundreds of those calls placed to a premium-rate number he owned, for a profit nearing $750,000 before the process would be terminated. By exploiting the same bug at Google, Microsoft and Instagram, he could have turned an annual profit well into the millions. Fortunately, he reported it to each company’s bug bounty program and the vulnerabilities were fixed before anyone abused them.

http://www.theregister.co.uk/2016/07/18/researcher_hacks_twofactor_flaws/?utm_content=bufferc6697&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Ransomware ‘Customer Service’ Willing to Haggle

Thousands of users fall victim to ransomware every year, and while law enforcement agencies argue both for and against paying, the fact is that the criminals’ ‘customer support’ has improved immensely. This likely stems from the malware authors knowing they can still make money, even if less than the initial demand, by working with victims who push back. In a recent study, the ‘customer support’ agents (i.e. the criminals themselves) for 3 out of 5 ransomware variants were willing to negotiate a lower ransom when the victim stood firm against paying the full amount, preferring something over nothing.

http://www.darkreading.com/attacks-breaches/ransomware-victims-rarely-pay-the-full-ransom-price/d/d-id/1326304?

Oracle Patches Record Number of Bugs

In what may be its biggest patch update ever, Oracle has pushed a critical patch covering 276 bugs across hundreds of its products. Many of the vulnerabilities were remotely exploitable and could have been extremely damaging had they been exploited in the wild. While some of the updates cover applications that are not network-connected, Oracle still advises applying them quickly to guard against unauthorized access.

https://www.helpnetsecurity.com/2016/07/20/oracle-squashes-276-bugs/

CryptXXX now looking to Neutrino for exploit support

When it comes to drive-by attacks, CryptXXX is king: of all the exploit kit infections dropping payloads on victims, 80% result in CryptXXX. Its creators targeted vulnerabilities in Flash Player, Java and Silverlight through the Angler exploit kit, with malvertising boosting their success, and were generating around $3 million per month almost exclusively from ransomware.

But how exactly does malvertising work? In a nutshell, cyber criminals submit booby-trapped advertisements to ad networks through the real-time bidding process. The malicious ads then rotate in alongside normal ads on legitimate, highly reputable sites. When a user visits such a site and loads (or clicks) the infected ad, an invisible iframe injected by the ad redirects the browser to the exploit kit landing page, where the payload is dropped. Here’s an example:

Picture1

Since Angler was shut down last month, CryptXXX was presumed to have died with it. Instead it has taken on new life with the Neutrino exploit kit, and is now also served from compromised WordPress sites. Here’s how this looks:

Picture2

Once a user is unlucky enough to load an infected ad, the ransomware payload is dropped and they become a victim. Pictured below are the instructions presented to victims, in the form of a desktop background:

desktop

Once a user’s files are encrypted, the steps are the same as for most ransomware: install the Tor Browser, then pay the ransom in bitcoin. This variant asks for only 1.2 bitcoin ($800), the mildest demand among recent variants, but the amount doubles after 5 days if the ransom isn’t paid. Other sites have offered free decryptors for this malware, but they seldom last longer than a few days before the authors change the encryption yet again.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new and updated ransomware threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 analyzed

75EF6891AE7214AD17679CB88DC3B795

7BB58C27B807D0DE43DE40178CA30154

05825F3C10CE814CE5ED4AE8A74E91A2

Cerber Ransomware: The Facts

Cerber is another newer ransomware that has been gaining traction over the past couple of months, so we’re providing a breakdown of this variant. First, here is how it looks:

desktop1

Unlike some other ransomware variants, Cerber is certainly not going for aesthetics, and it has no GUI at all. It does, however, change your background to an ugly pixelated image of static that is uncomfortable to look at, which achieves its goal of getting the victim’s attention.

ransom text

The ransom text is quite extensive and attempts to answer as many questions as a victim might have. The end goal is to get the user to follow the directions to install the Tor Browser so they can reach the dark net and pay the ransom in bitcoin. This is what the ransom portal looks like:

payment

This Cerber variant wants 2 BTC, a huge sum of money (around $1,300) compared to variants seen in the past. As with older types, there is a ‘late fee’ that doubles the ransom if it isn’t paid within the original time frame. This trend of charging more appears new and is continuing to catch on. Cerber also includes a “freebie”: one file decrypted for free. CoinVault introduced this in 2014 to great success, so now almost all ransomware families include it.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 hashes analyzed:

c3cd90c3e406981bece559a43fe64414
383803a90293408e36063809319f5982
065033243f30b1e54241a932c5e706fd

CryptoMix Ransomware: What You Should Know

CryptoMix has been gaining some traction over the past few months, so it’s worth providing a rundown of this member of the ransomware family.

This is ‘barebones ransomware’: victims aren’t presented with a GUI or a desktop background change. All they see is a text file and a web page showing the same text.

[Screenshot: ransom note in Notepad]

This is one of the few ransomware variants that doesn’t have a payment portal on the darknet. There is no need to download a Tor browser, as the criminals don’t provide any onion links.

[Screenshot: email]

With this variant, victims literally have to email the criminals and wait around 12 hours for a response, and those responses are encrypted and password protected (to protect the Bitcoin wallet address to which the criminals want payment made).

Example response:

[Screenshot: example email response]

While CryptoMix isn’t fancy, its price sure is. 5 BTC (Bitcoin) is an insane amount of money (>$3000), and it was only a few months ago that ransom increases to $700 were all the rage. These criminals even claim that you’ll receive free tech support and that all your ransom money goes to a children’s charity. Please do not be fooled.

Registry entries added:

» HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
» HKLM\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader UpdateSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Adobe Reader Update32
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlashPlayerSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*AdobeFlashPlayers32
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeFirstVersionSoftWare
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeLicensionSoftWare
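As an added example (not from the original post or from Webroot), the Python below parses a constructed .reg export containing the Run/RunOnce value names listed above and flags the entries that autostart from a user-profile path or, via the `*` prefix on a RunOnce value name, run even in Safe Mode. The launch paths and the benign SecurityHealth entry are assumptions made for the sample.

```python
"""Flag Run/RunOnce autostart entries in a Windows registry export (.reg).
Added example, not from the original post. SAMPLE_REG is constructed: the value
names copy the CryptoMix entries above, the paths are made up, SecurityHealth is benign."""
import re

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft"
                    r"\\Windows\\CurrentVersion\\(Run|RunOnce)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Adobe Reader UpdateSoftWare"="C:\\Users\\u\\AppData\\Roaming\\placeholder1.exe"
"AdobeFlashPlayerSoftWare"="C:\\Users\\u\\AppData\\Roaming\\placeholder2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Adobe Reader Update32"="C:\\Users\\u\\AppData\\Roaming\\placeholder1.exe"
"*AdobeFlashPlayers32"="C:\\Users\\u\\AppData\\Roaming\\placeholder2.exe"
'''

def find_autostart_entries(reg_text):
    """Return one dict per value found under a Run or RunOnce key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):              # key header: remember it if Run/RunOnce
            m = KEY_RE.match(line)
            current = m.group(2) if m else None
            continue
        v = VALUE_RE.match(line) if current else None
        if not v:
            continue
        name, path = v.group(1), v.group(2).replace("\\\\", "\\")  # undo .reg escaping
        entries.append({
            "kind": current, "name": name, "path": path,
            # A RunOnce value whose name starts with "*" runs even in Safe Mode,
            # so "boot to Safe Mode and clean up" does not stop it.
            "safe_mode": current.lower() == "runonce" and name.startswith("*"),
            # Autostarts launched from the user profile are a common malware tell.
            "user_profile_path": "\\appdata\\" in path.lower(),
        })
    return entries

def suspicious_entries(reg_text):
    """Entries worth a closer look: user-profile launch path or Safe Mode flag."""
    return [e for e in find_autostart_entries(reg_text)
            if e["user_profile_path"] or e["safe_mode"]]
```

Run it against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) to triage autostarts on a suspect machine; the same logic applies to the HKLM hive.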

MD5 hashes analyzed:

b778bda5b97228c6e362c9c4ae004a19
a0fed8de59e6f6ce77da7788faef5489

Webroot catches this specific ransomware in real time, before any encryption takes place. We’re always on the lookout for more types of threats, but in case of new zero-day variants, remember that with encrypting ransomware the best protection is a good backup solution, either in the cloud or on offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot’s consumer product has built-in backup features that keep chosen directories constantly synced to the cloud. If you were infected by a zero-day variant of encrypting ransomware, you could simply restore your files, since we keep a snapshot history of each file (up to ten previous copies). Please see our community post on best practices for securing your environment against encrypting ransomware.


Threat Recap: Week of July 11th

HSBC Sites Downed Briefly After Cyber Attack

Earlier this week, it was reported that HSBC had been the victim of a cyber attack and that both its US and UK sites had been taken offline. The messages left on both sites announced that a group called OurMine had found a vulnerability and would only stop the attack once an HSBC employee contacted them. Seemingly as promised, the attack ceased and the sites were brought back online early Wednesday morning.

http://www.dailystar.co.uk/news/latest-news/529814/HSBC-suffers-major-security-breach-as-hackers-launch-cyber-attack-on-bank-s-servers

Malicious Pokemon Go Look-alike Apps On the Rise

With the recent popularity of the Pokemon Go app, it comes as no surprise that a massive influx of third-party apps claiming to be related to it has hit the app stores. While many of these are seemingly harmless, some offer cheats and other Pokemon-related information to attract users and then request permission to view personal information stored on the phone. With nearly 200 unofficial apps found so far, more are likely to replace the ones being removed.

http://www.csoonline.com/article/3095706/security/a-surge-of-pokemon-go-related-apps-is-out-to-steal-your-data.html

Ransomware’s Latest Scam Skips Encryption

Recently, researchers discovered a new ransomware variant that operates with significantly less sophistication than usual. Ranscam, the variant in question, lives up to its name by simply deleting the files once the ransom message is displayed, while stating the usual encryption and Bitcoin payment instructions. Regardless of whether the victim pays, the files are completely removed, leaving nothing to decrypt if and when a payment is made.

https://threatpost.com/ranscam-ransomware-deletes-victims-files-outright/119197/

Omni Hotels Face Data Breach

This week, Omni Hotels & Resorts made a statement that it had suffered a security breach of its point-of-sale systems over the past six months. The attack follows a long string of hotel security incidents in the last year, as hotels make highly profitable targets in an industry with out-of-date cyber protection. Fortunately for Omni, its recently appointed CIO has already begun implementing new solutions to protect against similar attacks in the future.

http://www.csoonline.com/article/3094997/data-breach/omni-hotels-new-cio-shores-up-cybersecurity-amid-data-breach.html

Stampado Ransomware Available On Dark Web For Low Price

In an unusual move by malware authors, the creators of the Stampado ransomware variant have released a lifetime license for a measly $39 USD. The variant itself is similar to CryptoLocker, but with the additional feature of not requiring administrator privileges to launch. While it’s currently not widespread, the price point removes a major barrier for cyber criminals who might be deterred by a high upfront cost.

http://www.infosecurity-magazine.com/news/brand-new-stampado-ransomware/