Threat Lab

Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan service, it’s easier than ever. The idea is to use this web portal to contract threat actors to create new ransomware samples for distribution via the desired attack vector. This allows any potential cybercriminal, regardless of their skill or coding knowledge, to upgrade to an encrypting ransomware business model.

Those who join the program have a number of viewing options in the portal. The Account panel shows various stats, including how much money has been made, infection count, current share percentage, etc.

All a criminal needs to do is enter a few simple pieces of information to generate brand new malware that’s ready to infect victims. Note that the portal author specifically requests downloaded samples not be shared with VirusTotal, decreasing the likelihood that security vendors will have encountered the variant.

Since the darknet web portal creator takes a 30% cut of all ransoms, it’s in his best interests to make sure as many victims are infected as possible. He provides a guide with step-by-steps instructions on how to deploy malware using obfuscation techniques to avoid detection.

The author also advertises his web portal on underground forums, and explains the payload and the payout scheme. After all, affiliates’ success means he gets a bigger cut.

Although Webroot will catch this specific variant of ransomware as a service in real time before any encryption takes place, don’t forget that the best protection in your anti-ransomware arsenal is a good backup solution. You can use a cloud service or offline external storage, but keeping it up to date is crucial for business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

“Highest average score for ease of use, quality of support, and […] requirements in endpoint protection.” That’s how Marty Duffy, Director of Research at G2 Crowd, describes Webroot after seeing the results of this year’s G2 Crowd survey on Best Software for IT Teams 2017. We’d be lying if we said we weren’t over the moon.

Webroot Endpoint Protection’s users consistently commended the product in 2016. Mid-market users recognized the tool as a stand-out product to be used by IT teams. It received the highest average score for ease of use, quality of support, and meets requirements in endpoint protection (mid-market). – Marty Duffy, Director of Research, G2 Crowd

G2 Crowd is a peer-to-peer business software review platform. Since 2014, they’ve recognized the best software products based on reviews by professionals across numerous markets. Their awards are supported exclusively by actual user satisfaction ratings, not obscure testing methodologies or paid industry reviewers. This is important to us for a couple of reasons.

Integrity and Customer Focus

At Webroot, two of our core company values are integrity and customer focus. We believe in respect, honoring our commitments, and measuring our success by our customers’ success. Our strength as a company is defined by the people who trust us to protect their businesses, clients, homes, and families. We’re proud to repay their trust by giving them the best possible service.

Real-time Protection

Cybersecurity continues to be a topic that gets more groans than cheers. Most users, both at home and at work, consider cybersecurity to be a kind of necessary evil. Sure, it keeps you safe from malware and other attacks, but it can also slow down your computer and get in the way of your activities. But we’re in the business of changing people’s minds on the subject. We devised a smarter way to protect businesses and individuals in the connected world. Our cloud-based protection and threat intelligence stop threats using behavior and contextual data, without draining system resources. We eliminated the hassle of system-intensive updates. And when any Webroot-protected device encounters a new threat, every device connected to our advanced threat intelligence platform is protected in real time.

Being recognized for this award serves to underscore our commitments as we continue to grow and innovate throughout the coming year. And, hot on the heels of being named Most Customer Friendly Company of the Year, we’ve only got one more thing to say: Thank you!

See for yourself what all the fuss is about. Take a free 30-day trial of Webroot SecureAnywhere® Business Endpoint Protection today. It won’t conflict with your existing security, and only takes a few seconds to install.

While a lot of the hype around ransomware paints it as daunting and virtually impossible to combat, there are several very straightforward steps for managed service providers to dramatically reduce the risk that their clients’ will fall victim to ransomware.

1. Proven endpoint security backed by industry-leading threat intelligence.

   Security shouldn’t just spot and quarantine threats that have already infiltrated a system. It should prevent threats from infecting the endpoint in the first place. Be sure to select a solution that protects web browsing in real time, secures system settings, controls outbound traffic, provides proactive anti-phishing, and continuously monitors and reports on individual endpoints.

2. Get your house in order with backup and business continuity.

   If any of your clients do become ransomware victims, the only real course of action is to restore their data as quickly as possible to minimize business downtime. These days, there are a fair number of automated, on-premises and cloud-based business continuity solutions that will back up data and get your clients’ business back on track after a breach.

3. Implement strong Windows policies. 

   As part of your ransomware defense strategy, you can use Windows policies to block certain paths and file extensions from running. If you need varying levels of access, you can set up policies in groups. Some useful policies include blocking executables in temp or temp+appdata and the creation of startup entries. For instance, .SCR, .PIF, and .CPL file types should not be run in the following in users’ temp, program data, or desktop directories.

4. Block volume shadow copy service. 

   Windows uses the VSS copy service to create local copies of files. CryptoLocker and other ransomware variants will encrypt this area because it holds VSS copies for the local (C:) drive. By setting Windows policies to block access to the service, you can help stop ransomware like CryptoLocker from erasing local drive file backups. Make sure that policies point to the VSSAdmin executable. Attempts to access or stop the service will be blocked.

5. Get rid of macros and autorun. 

   Numerous kinds of ransomware use macros to infect systems, but you can easily disable them in the Trust Center of every version of Microsoft Office. You can also enable individual macros, if they’re necessary for a particular task, while disabling all others. Additionally, autorun might be a handy feature, but many types of malware use it to propagate. As an example, a USB stick uses autorun, but so do Visual Basic Script (VBS) malware and worms. As a general rule, we recommend disabling autorun.

6. Keep clients in the know about ransomware. 

   It’s no secret that human error is a large part of successful cybercrime. As long as staff members remain relatively unaware and undereducated about the risks of the internet, malware will continue to be a viable business. Make sure clients understand the basics and what to watch out for so they stay safe both at home and in the office.

The first step to securing endpoints against ransomware is deploying a next-generation security solution. Take a free 30-day Webroot trial, no risk, no obligation to buy. In less than five minutes you can install Webroot SecureAnywhere® Business Endpoint Protection with Global Site Manager and see first-hand how it delivers superior malware protection while lowering your costs and boosting your bottom line—without conflicting with your existing security.

FireCrypt Ransomware Builder Found in Wild

Researchers have discovered a new ransomware variant that uses “.firecrypt” as its amended extension once encryption has taken place. FireCrypt is compiled using a command line builder software that allows varying inputs and outputs to be determined by the author for a unique hash, as this allows for better disguise by enabling the author to change the icon and executable name. Along with the usual encryption, FireCrypt also connects to the Pakistan Telecom Authority website and begins downloading all of the available content, thus filling the victims hard drive with thousands of junk files.

Los Angeles College Hit with Cyberattack

While many students are preparing to return to classes after their winter break, employees at Los Angeles Valley College are working to determine the severity of a cyberattack. It is still unclear how the systems were breached or to what extent any sensitive information has been access, though officials are working with law enforcement.

Philippine Army Website Vandalized By Hackers

In the past week, the official Philippine Army website was compromised by a hacker going by the alias, Shin0bi H4x0r. The site itself displayed several messages to any visitors, boasting about the weak security and taunting the site admins. Though the site has since been taken offline, it is still undecided how the site was breached.

Experts Doubtful of Russia’s Part in Recent Hacking

With so many recent stories surrounding Russia’s involvement with the recent utility grid breach in Vermont and the implied connection to the hacks that took place during the election, many security researchers are unsure how involved Russia actually is. Flaws found in the US utility services are not a secret, and officials have been working to resolve them for quite some time. While public outcry over Russia hacking the election has been very pro-America, it stands as a bit hypocritical, as the US is assuredly involved in similar tactics all across the globe.

Malicious Super Mario Run Apps Found on Android

While Super Mario Run was released for iOS in the early part of December, it has yet to hit the official Android app store for sale. Due to the release gap, many cybercriminals have been cashing in by creating at least 9,000 known malicious versions of the app and distributing them through third-party app stores. Users are warned to avoid downloading any Super Mario Run-related apps until the official version has been released by Nintendo on the Google Play Store.

By now, everybody has probably heard of CryptoLocker. It makes sense that CryptoLocker would get a fair amount of media attention, since it’s been involved in several high-profile hacks, but there are a number of other players on the ransomware stage that deserve a place of distinction among the list of players. Managed service providers (MSPs) like you know the value of staying up to date on the variety of different types of threats—in addition to their individual stats and characteristics—to keep clients safe.

Cast of Ransomare Players

1. CryptoWall 4.0 

   A bit like the Barrymores, the Sheens, the Coppolas, (the Kardashians?), the CryptoWall family gets more media coverage with every generation. Following in the family tradition, CryptoWall 4.0 uses phishing emails for distribution. This is hardly a surprise, since phishing is still the single most effective way to drop a malware payload. But CryptoWall 4.0 marches to the beat of its own drum; not only are the victim’s files encrypted, this ransomware randomizes the filenames so the victim can no longer tell which file is which. By fanning the flames to create confusion around how much file damage there actually is, the new CryptoWall increases its chances that victims will pay up.

   Additionally, CryptoWall 4.0 includes a free decrypt video to convince victims that the decryption steps they need to get their files back is effortless, and that handing over the ransom will get them their files back.

   • Phishing email attachment is source of payload
   • Randomizes victim’s filenames to create confusion
   • Offers free decrypt demo to add credibility

2. PadCrypt 

   Rather than hiding out and concealing its plans, what makes PadCrypt different from its contemporaries is its willingness to interact with the public. Embedded into the “product”, PadCrypt includes a chat interface. The ransom process of setting up a Bitcoin wallet, filling it with bitcoins, and sending payment can be complicated. By offering this chat feature, PadCrypt lends a more human support element to the ransomware process, providing so-called support to its victims. (How sweet!)

   • First ransomware with chat support
   • Communicates via Darknet to avoid being traced
   • “Helps” even less savvy victims pay up

3. TeslaCrypt 

   Because it targeted gamers specifically and encrypted the files they need for their games, TeslaCrypt is more of what you’d call a cult fave. The files it takes hostage included saves, mods, and profiles. But since TeslaCrypt was being sold by non-authors on the Darknet, the original authors leaked the master decryption key to the public to permanently diffuse the threat. While it’s laying low for now, we wouldn’t be surprised if TeslaCrypt showed up again next season.

   • Accounted for ~11% of distributed ransomware
   • Attacked over 200 extensions on newer variants
   • Targeted gamers (Valve, Bethesda, Unreal Engine files)
   • Circumvented 3rd party defense to deliver polymorphic payloads at root level

4. RaaS (Ransomware-as-a-Service) 

   Not an actor, per se, but RaaS is more like a local theater company that encourages audience participation. Created for criminals by criminals, it opens up the ransomware stage to hackers of all skill levels. Thanks to RaaS, almost anyone can distribute encrypting ransomware payloads of their own design. In return, hackers pay for the service by sharing a cut of their spoils with the original author.

   • Enables almost anyone to make ransomware
   • Portal for malware generation is exclusively in Darknet (typically invite-only)
   • Intended for less-skilled cybercriminals who rent botnets
   • The malware author who created the portal takes a commission

 Conclusion

Even though the number of ransomware stars keeps growing, and their methods keep getting more diverse and advanced, managed service providers (MSPs) can take steps to maximize defense and help clients stay ahead. Keeping yourself and your customers in the know about the latest tactics and types of exploits favored by today’s ransomware is vital—as well as putting together an all-star cast with next-generation endpoint protection that utilizes collective threat intelligence to proactively protect against the rising stars of malware.

Next Steps: Want to find out if Webroot has what it takes to protect your customers? See for yourself with a no-risk FREE trial. You don’t even have to uninstall existing security. Want to learn more about how Webroot partners with MSPs to delight customers, lower costs, and boost profits? Learn more.

Ransomware “Star” Shines on LG Smart TV

As ransomware continues to steal the malware stage, its authors have widened their target audience to include smart devices, such as TVs. Since a number of smart TVs use Android® operating systems, they can be susceptible to the same Android malware that usually strikes mobile devices. Recently, owners of an older LG TV model were presented with a ransomware lock screen after installing a third-party streaming app for movies. The good news for current customers, however, is that many TV manufacturers have taken steps to help prevent these types of attacks by adopting a Linux-based OS.

Facebook Vulnerability May Reveal Private Email Addresses

Bug bounty programs are rewards that many websites offer to encourage “white hat” individuals to report bugs, exploits, and vulnerabilities in their code. They’ve been around for years, and can offer big money to people who can successfully verify a vulnerability in a website or application. One such payout occurred recently when a researcher found a Facebook bug that let him access the private email addresses of any user through the Facebook Group notification function. After sending group invitations, he noticed the page URL showed the recipient’s email address in plain text. Fortunately, thanks to this intrepid bounty hunter, the vulnerability has been addressed.

Ransomworm: The Newest Contender in the Ransomware Ring

A good cybercriminal—that is, one who is good at their trade—is always on the lookout for the latest ways to exploit internet usage habits and vulnerabilities. According to researchers on the subject, the next evolution of highly lucrative ransomware campaigns will likely incorporate network worm capabilities. By adding the functionality of a network worm, ransomware could more easily spread across entire networks, causing exponentially more devastation to its victims. While early variants of a Ransomworm have already been seen in the form of USB propagating infector ZCryptor, it won’t be long before we see wider spread variants in the wild.

Airline Booking Systems Rival TSA for Worst Security Nightmare

“Booking travel.” That’s all I had to say before you groaned, right? Planning a trip already has the potential to be extremely stressful. A lot of the frustration is (at least partially) due to ancient systems that have been in place across the world for decades; and, although they facilitate various necessities for air travel, they don’t always do so quickly or efficiently. More importantly, because many of these systems are over 30 years old, they aren’t up to today’s security standards, and they can be insanely difficult to retrofit—leaving customers’ information vulnerable.

Music Pirate May Walk the Plank

You might think music piracy is sooo early 2000s, but P2P programs that allow users to “share” their music libraries are still alive and well, and authorities confirm that piracy is still thriving. Recently, a UK man was arrested for distributing singles from the country’s Top 40 list across multiple torrent sites and causing untold commercial loss to record companies and artists.

As 2016 comes to a close, it’s time to reflect back on the largest/most significant security news stories that left an impact on the world.

Mirai Botnet

Being hailed as the largest attack of its kind in history, the DDoS attack launched by the Mirai botnet encompassed over 100,000 unique endpoints and hit a peak of 1.2 Tbps, all through the unauthorized use of IoT devices. During the attack, many highly-trafficked sites were brought to a halt along with several critical Internet infrastructure points based on the Dyn server architecture which supports the majority of the Internet’s DNS pathways.

Panama Papers Leak

Early in 2016, it was announced that a confirmed data breach had taken place within Mossack Fonseca, one of the largest offshore law firms in the world. In the breach are over 11 million files with financial documents for thousands of prominent individuals, from actors to politicians to entire corporations.

Adult Dating Sites’ Users Exposed

While several adult dating sites were targeted by hackers in 2016, the farthest reaching was the FriendFinder Network breach that affected over 400 million active customer accounts. Even worse for the victims, the majority of user passwords were stored in plaintext, or without any encryption in place.

Hospital Succumbs to Ransom Demand

With more and more healthcare facilities coming under attack from ransomware, it’s no surprise to see at least one fail to have the proper backups and are forced to pay the ransom to regain their systems. Early in the year, Hollywood Presbyterian medical center was forced to pay a $17,000 ransom to ensure they could continue normal operations, which set an example for attacks in the coming months, for potential targets to properly defend against such attacks.

FBI vs. Apple Encryption Debate

As data privacy concerns continue to grow, the dispute between the FBI and Apple regarding a phone used by a suspect in the San Bernadino shootings being unlocked possible evidence in the case. The issue ended up going to court with Apple defending its customers rights by declining to assist with bypassing the encryption, as the workaround could be used limitlessly once created. The case was eventually dropped as the FBI was able to gain access to the device without Apples’ assistance.

Did we get you to click? That’s how the bad guys get you, too. One little click on the wrong link and your clients’ businesses could be up the proverbial creek.

Theft only comprises one aspect of the activities cybercriminals undertake, but it’s a sizeable chunk of their enterprise. What’s worth noting is what the thieves are stealing. The majority of cybercrime is focused on stealing data with the intent of selling it for profit to a third party, but what keeps one little malware family in the headlines is how differently it plays the game. In a recent conversation between Webroot Chief Technical Officer and rocket scientist Hal Lonas and Penton Technology Market Analyst Ryan Morris, we can see how ransomware is rewriting all the rules.

During the discussion, Lonas noted, “the bad guys used to want your data because it was valuable to them. If [they] could get your credit card number or your identity or a secret from your company, [they] could go sell that.”

When Morris asked what makes ransomware different, Lonas had this to say: “The interesting thing about ransomware is that criminals are now saying, ‘Your data is valuable not to me, the bad guy, but to you. How much is your data worth to you?’ They’re betting that you don’t have any backup and protection in place, so their angle is to take your data and hold it for ransom until you decide what the value is, and then you pay them.” So, while conventional security threats may steal information to sell down the line, what sets ransomware apart is that it seeks to extort money from the victimized company itself.

Morris responded that he’s heard about modern companies with robust security operations run by professional in-house InfoSec teams who, as recently as this year, have paid ransoms. “That blew my mind,” he stated. “I, perhaps naively, thought we’d solved these types of problems.”

Layered Security is the Game Changer in Fighting Ransomware

The question is: if even large businesses with high-powered, fully-staffed dedicated IT departments are having a hard time with these threats, what hope do smaller businesses and the managed service providers (MSPs) they trust to secure them have to fight back against ransomware?

Morris raised the questions, “How can we win the battle in the ransomware universe? What preventive steps should we take, and what ongoing measures should MSPs and end users implement to protect themselves from ransomware threats?”

Lonas cited these key strategies for a solid cybersecurity defense:

“Investing in backups and data security is of paramount importance. That’s hardly new advice. It applies to everything from business security to homeowner’s insurance. But, with a threat like ransomware on the loose, it’s more crucial than ever to make sure our data is securely backed up and that we can recover it quickly, easily and in its entirety. We also have to test the backups; spend a little extra time and money verifying that the recovery systems are going to work.

“From there, we need to make sure we have a multi-level security approach in place. We’ve talked about this for years—the layered security approach—to ensure that malware and other types of breaches don’t get through, and each new attack vector can mean a new layer. Sometimes this causes redundancy, but as long as the various layers work in harmony, they provide comprehensive security that can prevent breaches. Firewalls, next-generation firewalls, web filtering, proxies, VPNs… we have to ensure all of those protection layers are deployed.”

As he continued, Lonas made sure to emphasize the importance of endpoint security. “We have to have world-class endpoint security on all of our machines: the Windows machines, the Apple machines, and the mobile devices, including bring-your-own-device.” According to Lonas, every device that could conceivably connect to a network needs protection so that it doesn’t become the gateway for cybercriminals to infiltrate an organization.

The More Your Clients Know…

Finally, user education is critical. Lonas concluded his recommendations by stating that users need to be aware of the types of threats they’re going to face, the various kinds of phishing attacks, fake messages, emails, and even phone calls they might get from people claiming to be tech support personnel who just need a password to make a quick update. “Bad guys are always figuring out new ways to get to us,” he warns. “The combination of layered security that covers all potential threat vectors, solid backup and recovery strategies, and user education is the only way companies can protect themselves, their employees, and their customers from ransomware.” Existing Webroot MSPs can take advantage of the tools and content available in the ChannelEdge Toolkit and use it educate and inform their clients on threat protection and industry best practices.

Get Ready, Get Set, Take Action

Adopt a next-generation endpoint security solution that uses advanced behavioral technology and real-time detection to keep users safe. Take a 30-day FREE trial of Webroot SecureAnywhere® Business Endpoint Protection—no risk, no obligation to buy. You don’t even have to uninstall existing security.

Credit card fraud and email scams aren’t the only thing you have to worry about this holiday season. Criminals in the UK are stepping up their game by using radio frequencies to steal cars.

Ransomware Uses Credit Card Emails with Infected Attachments

A new ransomware variant of Cerber is using fake credit card reports to entice users into opening infected email attachments. By tricking users with fake fraudulent charges for items they never purchased, the malware authors hope the victim will open the malicious document to review and cancel the charge. Fortunately, the emails are poorly-worded and contain several spelling mistakes to make them easier to spot.

Another Yahoo Hack…

Many of you have heard of the fairly large hack that affected Yahoo users in the last few years, and have (hopefully) taken steps to protect yourselves from fraudulent activity. But Yahoo recently came forward to reveal a much larger hack that could affect over 1 billion users and their account information. Although Yahoo was able to identify the infiltration point, the information—both encrypted and unencrypted—had been compromised for at least a year before they discovered the breach.

Enterprising Car Thieves Use Radio Waves to Keep Doors From Locking

Criminals are jamming the radio signals that lock and unlock vehicles, leaving unattended cars open and ready to steal. While the majority of recent thefts have taken place in the UK, this could easily become a global concern. As vehicle technology continues to advance, it’s no surprise that car thieves are keeping up with the times.

Health Service Providers Stuck on Old OS

A recent study on UK National Health Service trusts found that over 90% of healthcare providers were running their networks on Windows XP. Microsoft themselves stopped supporting this outdated operating system over a year ago and, as such, it’s full of vulnerabilities. Unfortunately, many providers around the world use outdated software with known security issues, which can put sensitive patient information at risk.

Evernote Changes Tune After Privacy Concerns

In the past few days, Evernote, the popular note-taking app, announced they would begin allowing select employees to view snippets of user data to better enhance their machine learning algorithms. The program was launched as an opt-out, but the issue of privacy erupted almost immediately. After just one day’s worth of outcry, the company changed the policy to opt-in and sent an apology to their 200 million users.

Managed service providers are tasked with serving a broad range of markets, from construction to healthcare; accounting to legal; staffing firms to manufacturing; media and advertising to technology. But the day-to-day MSP challenges, even across so many diverse verticals, remain the same. Let’s break it down: modern technology changes fast and keeps gaining momentum, so how do you stay current and relevant? Providing quality goods and services gets complicated and pricey fast; how do you give your customers the value they expect without your own margins taking a hit? As the managed services sector continues to grow, how do you differentiate yourself from the competition?

Let’s switch gears a little and talk about cybersecurity. It’s no surprise that MSPs often think of endpoint protection as a “necessary evil.” MSPs have to supply endpoint cybersecurity services that satisfy their clients’ demands, but most solutions involve time-consuming infection remediation, awful system performance, mountains of malware-related downtime, not to mention the resulting customer frustration.

Staying Relevant and Seizing Opportunity

Because SMBs typically lack the internal resources needed to effectively manage complex systems, cybersecurity is an ideal avenue for putting the managed services model to use. Faced with modern threats and the hassles of traditional endpoint protection products, most users feel overwhelmed by security awareness and management, so offering next-generation protection that’s easy to manage, won’t conflict with other software, and won’t slow users down as it keeps them safe is an excellent way to stay relevant and build customer loyalty.

The High Cost of Living

As you well know, providing services isn’t sustainable if your solutions don’t amplify your profitability. But you can drive down operational costs by selecting an endpoint cybersecurity vendor that uses a cloud-based architecture and requires no infrastructure investment, thereby enabling faster deployment and less intensive management. If the vendor offers highly responsive support, automatic remediation, and low resource usage, you can improve customer satisfaction while reducing time spent repairing systems—without having to skimp on quality.

Looking to the Future

When choosing a cybersecurity partnership, be sure to look for a vendor whose solutions foster predictable, recurring revenue to help quantify future revenue for business decisions, and who provides marketing resources and sales enablement to boost MSP margins. And keep your options open—find a partner who offers flexible billing to lower your overhead and enable easy scalability (and won’t lock you into a contract you’re unhappy with in the long run.) Finally, pick a partner with a strong reputation, so you can leverage their proven protection to increase your customer loyalty and generate more referrals.

Proving the Point

Ultimately, these tips are just hearsay. Until you can properly vet a solution in a real-world environment, it’s hard to determine what will and won’t work for your business. Try to find solutions you can trial easily, and look to industry experts and your peers for their experiences and advice.

Read this case study to find out how SWAT Systems, an MSP managing over 3,300 endpoints, drastically improved their customer satisfaction, reduced time spent remediating infections by 75%, and increased profitability an average of 10-20%—just by switching cybersecurity vendors.

Or, take a free, no-risk, no-conflict 30-day trial of Webroot SecureAnywhere Business Endpoint Protection with the Global Site Manager to see the solution SWAT Systems chose in action.

Personal computers and devices aren’t the only targets for ransomware authors. Their methods have evolved to target government offices and profitable organizations, forcing them to rethink their cybersecurity mitigation plans.

Blackheart Records Data Left Exposed Online

Recently, it has been discovered that a large, unsecured database containing sensitive information on several prominent recording artists from Blackheart Records was left publicly available for an undetermined amount of time. The data that was found included passport scans, banking information, and other sensitive login information for Joan Jett and several of her bandmates. While the database has since been taken offline, the researchers state that there are still hundreds of servers and private machines that use Rsync as a backup, which leaves the server vulnerable.

GoldenEye Ransomware, New Petya Variant

In the past week, a new variant of the Petya ransomware has been discovered in the wild. Going by the name ‘GoldenEye‘, the variant runs the file encryption prior to gaining administrative privileges to modify the MBR (Master Boot Record), unlike Petya which would attempt the MBR modification first. While encrypting the hard drive, ‘GoldenEye’ displays a fake ChkDsk screen to placate the user until the process is complete. Currently, it’s main targets appear to be German-speaking users and is primarily spread through spam email campaigns.

Stegano Embeds Malicious Code in Banner Ads

In the past few months, researchers have been seeing a steady rise in the malicious ad campaign dubbed ‘Stegano’, which places malicious code into the parameters controlling transparency for pop-up banner ads. This recent campaign could potentially lead to millions of end-users becoming infected, as the altered ads have been found on many high-traffic news sites that typically have higher levels of security. Once the code ensures the system is running Internet Explorer, it begins redirecting the victim to sites hosting Adobe Flash exploits and attempts to infect and gather sensitive data. Fortunately for many users, several of the Flash exploits have already been resolved, which will lead to fewer infections.

Pennsylvania Prosecutor’s Office Pays Ransom

While the Avalanche Network was being dismantled by cooperating government agencies last week, the prosecutor’s office in Pennsylvania was recovering from a cyber attack which demanded a $1,400 bitcoin ransom payment. The attack was linked to a 2015 employee breach, but the after effects are still being seen after they decided to pay the ransom. In the six-year span that the Avalanche group operated, they are credited with infecting over half a million computers across nearly 200 countries.

Indiana County Out $200,000 After Ransomware Attack

Recently, it was announced that Madison County, Indiana spent a total of $200,000 in the wake of a ransomware attack on several county offices. With a ransom of $21,000 being paid out to the attackers, the additional expenditures were to recover their infected systems and provide better long-term security, including a backup solution for their data. Even with a high ransom, it’s not surprising to see the costs continue to rise as the victims scramble to rebuild and begin the hard task of creating and implementing a cybersecurity mitigation plan.

Between a handful of high profile network hacks and the steady stream of ransomware attacks, the last week of November didn’t pull any punches in the constant sparring match that is cybersecurity. In the wake of headlines about a US Navy breach, large scale network outages across Germany, and more, internet users across the globe must stay watchful and wary of their next click.

US Navy Sees Massive System Compromise

Officials in the US Navy have been notified of a security breach stemming from a Hewlett Packard Enterprise contractor whose laptop had been compromised. Currently, the Navy is contacting those who may be a part of the nearly 140,000 names and social security numbers that were affected, though it is still unclear on exactly how the breach occurred. With the steady rise in cyberattacks, the stress on IT departments of all sizes is mounting to defend against future attacks.

Tech Support Scammers Using Ransomware to Boost Income

Researchers have discovered an unsettling evolution to the traditional cold-calling tech support scams: executing ransomware on their victims’ computers to ensure payment for their “cleaning services”. While typical scammers will attempt nearly anything to get personal information, the use of ransomware takes the threat one step further by maliciously forcing payment regardless of any services rendered. Even worse for victims of VindowsLocker—as the ransomware is dubbed–the authors failed to properly setup the ransom transactions and thus, users may be unable to regain their files even if the ransom is paid.

UK National Lottery User Accounts Hacked

Major website hacks are occurring regularly due to reused login credentials, and it’s still a shock when a large site operator has to begin notifying tens of thousands of users about a possible data breach. Now we’re adding the UK National Lottery to the list. Only a small fraction of the National Lottery’s users were compromised, but Camelot, the operator for the lottery, has been forcing password resets for any potentially compromised individuals. While password re-use is the likely cause of the breach, it is still uncertain why the Lottery didn’t offer any additional authentication prior to the user accounts that were taken over.

San Francisco Train System Brought Down By Ransomware

In recent days, it has been discovered that the San Francisco Municipal Transit Agency was taken offline with only a poorly worded ransom message displaying for customers and employees alike. The attack led to the SFMTA providing free rides to customers while the issue was being resolved. In a surprising stance, the excessive ransom demanded–100 bitcoins totaling over $70,000 USD—was not paid to the attackers. For many public utilities and services, having the capability to promptly return to normal functions after such an attack is extremely important, and fortunately the SFMTA have announced that no customer information was compromised.

German Telecom Provider Hit with Mirai Variant

There is no doubt the world is now more attentive after the last Mirai botnet attack that took down several prominent sites. Yet, a similar variant has been deployed keeping DSL customers in Germany disconnected. Recently, nearly 900,000 telecom customers have been unable to access anything reliant on their DSL routers, which have been under attack for several days. By scanning for commonly open ports on routers, the attackers are able to remotely execute code resulting in a widespread DDoS attack.