Examples of Ransomware: 7 Cyber Security Trends To Fight Back


Cybersecurity threats continue to increase in sophistication and frequency. As a CIO, it is important to be aware of the latest trends, the common ransomware families, and how best to protect your organization from them. Here are seven cybersecurity trends and ransomware attack examples that you should keep top of mind in 2022.

What is Ransomware?

Ransomware is a type of malware that encrypts a victim’s files and then demands a ransom be paid for the key needed to decrypt them. It is particularly dangerous because the damage is to the data itself: once a file has been encrypted with correctly implemented cryptography, it cannot be recovered without the attacker’s key or a clean backup.

What is special about ransomware? Unlike malware that quietly steals data or disrupts a system, ransomware holds your files hostage until a ransom is paid, and increasingly also threatens to publish data stolen before the encryption. This can be a very costly and stressful experience, because without a backup you may permanently lose important work or personal files. There are many different ransomware families, so it is important to understand the danger and know how to protect yourself.

How Does Ransomware Work?


Ransomware usually arrives through phishing emails (malicious attachments or links), drive-by downloads from exploit kits on compromised websites, or, in targeted attacks, stolen or brute-forced remote access credentials such as RDP logins. Once a victim’s computer is infected, the ransomware encrypts their files and then displays a message demanding a ransom for the decryption key. The ransom is usually demanded in cryptocurrency, typically Bitcoin. Note that Bitcoin is pseudonymous rather than untraceable: transactions are public, and blockchain analysis has been used to follow ransom payments, which is one reason some groups now ask for privacy coins such as Monero.

Understand Ransomware Attacks

Ransomware is a type of malicious software (malware) that can lock, encrypt or delete files on an affected computer. It typically infects computers through phishing campaigns, malicious websites, exploit kits or exposed remote access services. Ransomware attackers demand payment from the victim in exchange for unlocking the encrypted or locked content or restoring access to the computer. It is important to remember that paying the ransom does not guarantee that the files will be restored, marks the organization as a willing payer for future attacks, and can carry legal exposure (the U.S. Treasury’s OFAC has warned that payments to sanctioned actors may violate sanctions), so it is best to avoid paying whenever possible.

The best way to protect against ransomware is a layered set of controls: patching software and operating systems promptly, keeping backups that are offline or immutable and regularly test-restored, deploying endpoint protection with detection and response capability, restricting administrative privileges, and enforcing multi-factor authentication on remote access. It is also important to educate employees about the risks associated with ransomware and how to identify potential threats. Finally, organizations should develop and rehearse an incident response plan in case of a successful attack. By taking these proactive steps, you can better protect your organization from the threat of ransomware attacks.

Examples of ransomware

Cyberattacks carried out by ransomware groups have been making headlines recently. This type of malware encrypts a victim’s files and then demands a ransom be paid to decrypt them.

Crypto-ransomware, which encrypts files, has replaced the older “locker” ransomware that merely blocked the screen, and the current trend is double extortion: attackers steal data before encrypting it and threaten to publish it if the ransom is not paid, so that even a good backup does not remove their leverage. While paying the ransom does not guarantee that the files will be decrypted, many organizations without usable backups have felt they had no choice but to pay to regain access to critical data.

Ransomware Attacks Becoming More Sophisticated


Ransomware is not a new threat. It has been around since 1989 but has become far more prevalent and damaging in recent years as cybercriminals have professionalized, moving from opportunistic mass infections to targeted, human-operated intrusions against organizations.

That professionalization has produced some very damaging ransomware attacks. Working with an MSSP like Cybriant can help your organization detect intrusions before the ransomware stage and recover if one succeeds.

There are many different types of ransomware variants and ransomware techniques, but some of the more common ones include:

AIDS Trojan:

The first known ransomware was the AIDS Trojan (also called PC Cyborg), created by Joseph Popp in 1989 and distributed on about 20,000 floppy disks labelled as an AIDS information program. After a set number of reboots (about 90) it hid the directories on the C: drive and scrambled the file names, then displayed a notice demanding a $189 “licence fee” be sent to a post office box in Panama.

Because it used simple symmetric encryption with the key embedded in the program, the damage was reversible and recovery tools were soon published. Even so, it demonstrated the extortion model that later cybercriminals built upon and began the long history of ransomware attacks.

Bad Rabbit:

In October 2017, ransomware called Bad Rabbit began spreading in Russia and Ukraine. It was delivered as a fake Adobe Flash Player update hosted on compromised news and media websites; the victim had to download and run the installer, after which the computer was infected.

Bad Rabbit then encrypted the victim’s files and displayed a ransom demand. Like NotPetya a few months earlier, it was built to spread across networks on its own: it moved laterally over SMB using a hard-coded list of common credentials, credentials harvested from the infected host, and the EternalRomance SMB exploit.

WannaCry:

In May 2017, the WannaCry ransomware spread around the world within hours, hitting more than 200,000 systems in roughly 150 countries, including the UK’s National Health Service. One of the largest ransomware outbreaks in history, it exploited a vulnerability in Windows’ SMBv1 implementation (MS17-010) using the leaked EternalBlue exploit; a patch had been available since March 2017, so unpatched systems were the victims. Once a computer was infected, WannaCry encrypted its files and displayed a message demanding a ransom in Bitcoin.

WannaCry was a worm: each infected machine scanned for and exploited other vulnerable hosts, on the local network and across the internet, without any user interaction, which is why it tore through corporate networks so quickly. Its spread was slowed when a researcher registered a “kill switch” domain that the malware checked before running.

Petya/NotPetya:


In June 2017, ransomware initially mistaken for the 2016 Petya family, and therefore named NotPetya, spread around the world. Its initial infection vector was a trojanized software update for M.E.Doc, an accounting and tax package widely used in Ukraine. Once a computer was infected, NotPetya encrypted the NTFS master file table and overwrote the boot record, making the computer unbootable, and displayed a message demanding a ransom.

Like WannaCry, NotPetya was designed to spread on its own: it used the EternalBlue and EternalRomance SMB exploits and credentials stolen from memory to move laterally with PsExec and WMIC, which is how it jumped from Ukrainian networks to multinationals such as Maersk and Merck. Unlike ordinary ransomware, its “installation key” was random garbage, so recovery was impossible even for victims who paid; it is generally regarded as a destructive wiper disguised as ransomware.

CryptoLocker:

CryptoLocker is an example of ransomware first seen in September 2013. It was spread through phishing emails with malicious attachments and through the Gameover ZeuS botnet. Once a computer was infected, CryptoLocker encrypted the victim’s files and displayed a message demanding a ransom, originally around $300, payable in Bitcoin or prepaid vouchers before a deadline.

CryptoLocker established the cryptographic model most ransomware still uses: a unique RSA key pair was generated for each victim on the attackers’ command-and-control server, the public key was sent to the victim’s machine to encrypt files (via per-file symmetric keys), and the private key never left the attackers’ server. That is why the victim cannot recover the files on their own, and why in 2014, when law enforcement seized the botnet’s servers in Operation Tovar, the recovered private keys allowed free decryption tools to be published.

Locky:

Locky is ransomware first seen in February 2016. It was spread through phishing emails, typically a fake invoice attached as a Word document whose macros downloaded the payload, sent in enormous volumes through the Necurs spam botnet. Once a computer was infected, Locky encrypted files on local drives and accessible network shares, renamed them with the .locky extension, and displayed a ransom note.

Locky used RSA-2048 and AES-128 correctly, and it deleted Volume Shadow Copies, so there was no way to recover files other than backups or the attackers’ key. Removing the malware itself is straightforward; the encryption is what makes the damage hard to undo, and even if a victim pays, there is no guarantee their files will be decrypted.

These are just a few of the more common ransomware families seen in recent years. As you can see, ransomware is a serious threat that can cause significant damage. If you suspect that a computer has been infected, disconnect it from the network (power it down only if you cannot isolate it, since memory may hold evidence), and seek professional incident response help immediately.

TeslaCrypt:

TeslaCrypt is ransomware first seen in early 2015. It was distributed mainly through exploit kits such as Angler on compromised websites and through phishing emails. Once a computer was infected, TeslaCrypt encrypted the victim’s files (early versions were notable for also targeting saved games and profiles of popular PC games) and then displayed a ransom demand.

Early versions had a flaw in how they stored keys that allowed researchers to build decryption tools; later versions fixed it and used sound encryption. In May 2016 the operators shut the project down and published the master key, and ESET released a free decryptor, so TeslaCrypt victims can recover their files without paying.

Jigsaw (BitcoinBlackmailer):

Jigsaw, first seen in 2016 and named after the Saw film character shown in its ransom note (the original binary was called BitcoinBlackmailer.exe), gained notoriety for its approach to pressuring victims. Unlike most ransomware, which simply encrypts files and demands a ransom for the key, Jigsaw runs a countdown timer and deletes files if the ransom is not paid in time: a few files after the first hour, more after each subsequent hour, and everything after 72 hours, with an extra batch deleted if the victim reboots or kills the process.

The threat is effective as psychological pressure, but the malware was poorly built: it was written in .NET with the encryption key embedded in the binary, so free decryptors were available within days of its appearance. Its use of Bitcoin for payment, standard for ransomware, lets the operators collect relatively anonymously, which is what makes tracing and prosecuting them hard.

Cerber:

Cerber is a ransomware-as-a-service (RaaS) family first seen in 2016, whose developers rented it to affiliates in return for a share of the ransoms; one widely reported 2016 campaign targeted Office 365 users. It was delivered mainly through email attachments (Office documents with malicious macros) and exploit kits; once opened, it encrypted the user’s files and presented a ransom demand, including a spoken ransom note generated with text-to-speech. Cerber evolved through many versions and was for a time one of the most prevalent ransomware strains.

Ryuk Ransomware:

Ryuk is ransomware that has been used in targeted attacks against high-profile organizations, an approach often called “big-game hunting”. It was first identified in August 2018 and is attributed to the Russian-speaking cybercrime group tracked as Wizard Spider (originally named Grim Spider), which also operated the TrickBot botnet.

Ryuk is not usually spread directly by email. The typical chain was an Emotet or TrickBot infection delivered by phishing, after which human operators spent days to weeks moving laterally, harvesting credentials and locating backups before deploying Ryuk across the environment. Ryuk uses strong encryption (RSA and AES) and demands a ransom in Bitcoin, often in the millions of dollars. Victims have included hospitals, newspapers, and local governments such as the City of New Orleans in 2019.

Its operators remained active through 2020, when U.S. agencies warned of a wave of Ryuk attacks on healthcare providers, and the group later moved on to the Conti ransomware. Ryuk remains a reference case for how modern human-operated ransomware works.

Zcryptor

ZCryptor, reported by Microsoft in May 2016, is notable for worm-like behavior that was uncommon in ransomware at the time: in addition to encrypting the victim’s files and demanding a ransom, it copied itself to removable drives and network shares with an autorun.inf file so that it spread to other machines without a fresh phishing email. Initial infection came through spam, Office macros and fake installers.

It used conventional strong encryption, so files could not be recovered without the attackers’ key, and victims without backups were left with the choice of paying or losing the data. Its self-propagation foreshadowed the network-spreading ransomware worms of 2017, and it is a reminder that removable media and open network shares need to be included in ransomware defenses.

More Examples of Ransomware

  • Reveton
  • GandCrab
  • Troldesh (Shade)
  • SimpleLocker
  • Spora
  • Samas (SamSam)
  • KeRanger
  • Hatzee

Cybersecurity professionals and law enforcement agencies have their work cut out for them when it comes to ransomware operators. To protect your organization from ransomware, it is important to have a comprehensive, layered cybersecurity program in place.

If you think your organization may be at risk of a ransomware attack, or if you have already been attacked, seek professional help immediately. Especially once attackers are demanding payment for the decryption key, it is vital to bring in an incident response professional: they can help you contain the intrusion, preserve evidence, assess whether backups are intact, and decide on next steps, including reporting to law enforcement.

Security Issues Examples

Security issues can take many forms, from data breaches to malicious code scripts. Some of the most common security issues include:

1. Phishing attacks – A type of social engineering attack in which attackers fool victims into revealing sensitive information such as passwords or credit card numbers.

2. Malware – Short for “malicious software”, malware is designed to damage or gain access to a computer system without the user’s permission. Examples of malware include viruses, worms, and Trojan horses.

3. Data breaches – Unauthorized access to sensitive data stored on a company’s computers or networks. This can be caused by both malicious and non-malicious actors.

4. Distributed Denial of Service (DDoS) attacks – A type of attack that floods a server or network with requests, preventing users from accessing the system or service.

5. SQL injection attacks – An attack that exploits web applications which build database queries from unvalidated user input, allowing an attacker to inject SQL statements of their own and read, modify or delete data in the database.

6. Man-in-the-middle attacks – A type of attack in which the attacker intercepts communications between two parties and can modify or steal data as it passes through the connection.

7. Cross-site scripting (XSS) attacks – An attack that takes advantage of vulnerabilities in websites to inject malicious code that is then executed by the user’s browser.

8. Password attacks – A type of attack in which an attacker attempts to gain access to a system or service by guessing or cracking passwords. This includes dictionary, brute-force, credential-stuffing, and rainbow table attacks.

9. Social engineering – A type of attack in which an attacker gains access to a system by exploiting human trust rather than a technical flaw. Examples of social engineering attacks include phishing, pretexting, and baiting.

10. Wireless network security vulnerabilities – Weaknesses in wireless networks that allow attackers to gain unauthorized access or control over the system. Examples include weak encryption methods, unencrypted traffic, and open access points.

These are just a few of the most common security issues faced by organizations today. By staying aware of these threats, you can take steps to protect your data and systems from potential attacks.

Cyber Ransomware Removal

Cyber ransomware removal can be a tricky business, and removing the malware does not bring the files back.

The security firm Symantec has reported on a file-encrypting ransomware variant known as .777, named after the extension it appends to encrypted files. This example of malware uses asymmetric (public-key) encryption: a key pair is generated, the public key encrypts the files, and the private key, which alone can decrypt them, is held by the attackers. Without that private key, recovering the files from the ciphertext is infeasible.

Ransomware Decrypt Tools

Free ransomware decryption tools can sometimes be found online, for example through the No More Ransom project run by Europol and security vendors. However, they exist only for families whose keys were leaked or seized or whose implementation was flawed, so there is no guarantee that one will work for a given variant such as .777, and a tool should only be downloaded from a reputable source, since fake “decryptors” are a common lure.

The best way to protect yourself from ransomware is to have a good backup strategy in place. This way, if your files do get encrypted, you can simply restore them from backup. A common rule of thumb is 3-2-1: three copies, on two different media, one of them offline or off-site.

There are a few different ways to back up your data. One popular method is an online backup service such as Carbonite. These services automatically back up your files to their servers, so even if your computer is infected you can still retrieve your backed-up files. One caveat: a service that simply mirrors your folders will faithfully upload the encrypted versions too, so choose a service that keeps file versions or point-in-time snapshots, and restore from a version dated before the infection.

Another option is a portable hard drive or USB flash drive. You can manually copy your files to these devices, or you can set up automatic backups. One advantage of using portable storage devices is that you can unplug them and store them in a safe place (such as a safety deposit box) when you’re not using them; a backup drive that stays connected will be encrypted along with everything else, so even if your

What messaging channel does ransomware use to communicate with victims? There is no single one. Ransom notes typically direct victims to a negotiation portal hosted as a Tor (.onion) site or to an anonymous email address, and some groups use Telegram or Jabber contacts; the notes also increasingly point to a leak site where stolen data will be published if the victim does not pay.

Malware vs Ransomware

Cyber security experts define ransomware as a type of malicious software designed to extort money from victims by blocking access to systems or encrypting data.

Ransomware can be spread as a link or attachment in emails, through malicious advertisements, or via compromised websites, and is written in whatever language the authors prefer, from C++ to .NET, Go and scripting languages. To create ransomware, attackers need programming knowledge, a working grasp of encryption (most of the failures that led to free decryptors were cryptographic mistakes), and familiarity with the packing and obfuscation techniques used to hide the code from anti-malware scanners.

Ransomware should not be confused with other malware that is designed only to disrupt functions or steal information without asking for payment; ransomware is a subset of malware defined by the extortion. As security vendors continue to refine their detection methods for both, it is important for businesses and individuals to maintain effective security practices in order to remain safe online.

Ransomware-As-A-Service


Ransomware attacks have become increasingly common in recent years, as criminals have grown more sophisticated in their use of malware. In a ransomware attack, criminals encrypt a victim’s files and demand a ransom to decrypt them. These attacks can be extremely costly, as victims may be unable to access their critical data. Ransomware-as-a-service (RaaS) platforms have made it easy for even unskilled attackers to launch these attacks: the developers supply the malware, payment portal and negotiation support, and “affiliates” who break into networks deploy it in exchange for a share of the ransom, typically the larger part.

Managed security services can help organizations to protect themselves against ransomware attacks by continuously monitoring for threats and quickly responding to incidents. By investing in managed security services, organizations can reduce their risk of becoming a victim of ransomware attacks.

Typical Ransomware Timeline

The typical ransomware timeline looks like this:

  1. A victim’s computer is infected. This can happen through phishing emails, downloaded files, a malicious website, or, in targeted attacks, remote access with stolen credentials; in the targeted case the attackers may spend days or weeks inside the network stealing data and locating backups before the next step.
  2. The ransomware begins to encrypt the victim’s files, usually after deleting Volume Shadow Copies and other local backups. This is the last chance to detect it: endpoint detection tools can catch the burst of file modifications, the shadow-copy deletion or the touching of decoy files and kill the process, which limits the damage but does not recover files that were already encrypted.
  3. Once the files are encrypted, the ransomware displays a note demanding a ransom. The amount varies with the variant and the victim, from a few hundred dollars for consumer-targeted strains to millions for targeted attacks on organizations.
  4. If the ransom is not paid within the specified time frame, the attackers often raise the price or threaten to destroy the decryption key, and double-extortion groups begin publishing stolen data. In some cases, the ransomware also deletes files itself.
  5. If the ransom is paid, there is no guarantee that the victim will get their files back. Some victims never receive a working decryptor, and the decryption tools supplied by attackers are often slow and buggy.
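As an added example (not part of the original article and not any vendor’s product), the following Python script shows the kind of behavioral check an endpoint tool applies at step 2 of the timeline. It runs over a constructed list of file-write events and raises alerts for three signals: a known ransomware extension, a modified decoy (“canary”) file, and a burst of high-entropy writes by a single process. The event format, the thresholds, the extension list and the canary name are all assumptions made for the demo.

```python
import hashlib
import math
import os
from collections import defaultdict

# Signals a ransomware behaviour rule commonly keys on (values are assumptions for the demo).
RANSOM_EXTENSIONS = {".locky", ".pysa", ".cerber", ".zepto", ".encrypted", ".crypt"}
CANARY_MARKER = "~canary"          # decoy files planted in shares that no user should ever touch
ENTROPY_THRESHOLD = 7.0            # bits/byte; documents sit well below, ciphertext sits near 8
BURST_FILES = 20                   # high-entropy rewrites by one process ...
BURST_WINDOW = 60                  # ... within this many seconds


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyze(events):
    """events: iterable of (timestamp_seconds, process, path, sample_bytes) file-write records.

    Returns a sorted list of (rule, process) pairs."""
    alerts = set()
    high_entropy_times = defaultdict(list)
    for ts, process, path, sample in events:
        ext = os.path.splitext(path)[1].lower()
        if ext in RANSOM_EXTENSIONS:
            alerts.add(("known_extension", process))
        if CANARY_MARKER in os.path.basename(path).lower():
            alerts.add(("canary", process))
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            high_entropy_times[process].append(ts)
    # Sliding window over each process's high-entropy writes.
    for process, times in high_entropy_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_FILES:
                alerts.add(("mass_encryption", process))
                break
    return sorted(alerts)


# ---- Constructed sample data (made up for the demo; a real feed would come from EDR or Sysmon) ----

def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (a hash chain, not a CSPRNG)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


PLAINTEXT = b"Quarterly report: revenue up, costs down, headcount flat. " * 64


def build_sample_events():
    events = []
    # Benign: a user saving a few documents over a minute.
    for i in range(3):
        events.append((100 + 20 * i, "WINWORD.EXE",
                       rf"C:\Users\alice\Documents\report{i}.docx", PLAINTEXT))
    bad = r"C:\Users\bob\AppData\Local\Temp\svchost.exe"   # masquerading name, in a user profile
    # Suspicious: 30 files on a share rewritten with ciphertext and a ransom extension in 30 seconds.
    for i in range(30):
        events.append((200 + i, bad, rf"\\fileserver\finance\payroll{i}.xlsx.pysa",
                       pseudo_ciphertext(4096, b"ct%d" % i)))
    # ...including the decoy file.
    events.append((231, bad, r"\\fileserver\finance\~canary.docx.pysa",
                   pseudo_ciphertext(4096, b"canary")))
    return events


if __name__ == "__main__":
    for rule, process in analyze(build_sample_events()):
        print(f"ALERT {rule:17} {process}")
```

The entropy check is the one that survives renaming tricks (a family that keeps the original extension still writes ciphertext), but on its own it also fires on legitimate compression or encryption jobs, which is why production rules combine it with the canary and rate signals and with an allow-list of known backup and archiving processes.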

Evolution of Ransomware

Ransomware has evolved significantly since it first appeared in 1989 and has caused some of the most devastating cyber attacks in history. Early versions were relatively simple, often used weak or reversible encryption, and were easy to recover from. Newer versions use sound cryptography and are built for maximum damage.

One of the biggest changes is in the way that ransomware is spread. The AIDS Trojan was mailed out on floppy disks. Today it most often arrives through phishing emails, exploit kits and malicious websites, or through compromised remote access, and some strains spread themselves as worms.

Another change is what gets encrypted. Some ransomware, such as Petya, encrypted the disk’s file-system structures, making it impossible to boot the computer. Most ransomware today encrypts specific files (documents, databases, backups) and leaves the operating system working so that the victim can read the ransom note and pay.

Finally, the ransom itself has changed over time. In the early days, ransomware demanded a few hundred dollars. Today, targeted attacks on organizations demand millions of dollars, paid in cryptocurrency, and add the threat of leaking stolen data.

2022 Cyber Security Trends


As cybercriminals become more sophisticated in their attacks, organizations must also become more sophisticated in their defenses. Here are seven cybersecurity trends that you should make sure to keep top of mind in 2022 to protect your critical infrastructure:

#1. Artificial intelligence (AI) and Machine Learning

Organizations are increasingly using AI and machine learning to detect and respond to cybersecurity threats. Rather than matching known signatures, these tools learn what normal activity looks like on endpoints and networks, flag deviations such as a process suddenly rewriting thousands of files, and can trigger automated containment. They can also help prioritize vulnerabilities and recommend fixes. They are not a silver bullet: models need tuning to the environment to keep false positives manageable, and attackers test their tools against the same products, so AI-based detection should sit alongside, not replace, patching, backups and access control.

#2. XDR

Extended Detection and Response (XDR) extends endpoint detection and response by correlating telemetry from endpoints, identity systems, email, network and cloud services in a single platform. For ransomware this matters because the early stages of an intrusion (a phishing email, a suspicious logon, lateral movement) show up in different data sources, and XDR can stitch them into one incident before the encryption stage.

XDR platforms also include the behavioral detection of EDR: watching for the mass file modification, shadow-copy deletion and process behavior that precede or accompany encryption, and isolating the host automatically. XDR is a detection technology, not a backup product; restoring encrypted files still depends on backups.

#3. Endpoint Security

With more and more devices being connected to the internet, it is important to make sure that each one is properly secured. Endpoint security refers to the practice of securing all of the devices (workstations, servers, laptops, mobile devices) that are connected to a network.

Endpoint security controls include endpoint protection platforms (EPP) for prevention, host-based firewalls, application allow-listing, disk encryption and endpoint detection and response (EDR). EDR records process, file, registry and network activity on each device, detects behavior associated with ransomware and other malware, and lets analysts investigate and contain an affected host remotely. Network firewalls and intrusion detection systems complement endpoint security but sit at the network layer rather than on the device.

#4. SOAR

SOAR is an acronym for Security Orchestration, Automation, and Response. SOAR platforms connect an organization’s security tools and run playbooks that automate the routine parts of identifying and responding to threats, for example enriching an alert with threat intelligence, isolating a host through the EDR, disabling an account and opening a ticket. This speeds up mitigation and reduces the time it takes to resolve an incident, which matters for ransomware, where minutes separate one encrypted host from an encrypted domain.

#5. User Behavior Analytics

User behavior analytics (UBA, or UEBA when it also covers entities such as hosts and service accounts) is a technology that detects anomalous behavior by users. It builds a baseline of how each account normally behaves (working hours, usual hosts, typical data volumes) and flags deviations such as a logon at 3 a.m. from a new location, privilege use by an account that never had it, or a sudden spike in file access on a share. Those are exactly the signs of the credential theft and lateral movement that precede a ransomware deployment.

#6. Cyber Insurance

Organizations are increasingly purchasing cyber insurance to financially protect themselves in the event of a successful cyberattack.

Typical cyber insurance policies provide coverage for a wide range of cyber risks, including ransomware attacks, and for the costs of investigating and responding to an incident. Insurers have responded to ransomware losses by raising premiums and making coverage conditional on controls such as MFA on remote access, EDR, and offline backups, so a policy application is also a useful checklist.

#7. Multi-factor authentication

Organizations are using multi-factor authentication (MFA) to make it more difficult for cybercriminals to gain access to sensitive data and, for ransomware in particular, to remote access services such as VPNs and RDP, where a stolen or phished password alone is the most common way in.

Multi-factor authentication is a control that requires the user to prove their identity with more than one kind of factor: something they know (a password), something they have (a hardware security key, or an authenticator app generating one-time codes), and/or something they are (a biometric). Not all factors are equal: SMS codes and push notifications can be phished or “fatigued” into approval, while FIDO2/WebAuthn security keys are phishing-resistant because the credential is bound to the site’s origin.

Data recovery tool from locky ransomware

If you have been infected with the Locky ransomware, you may be wondering how you can recover your files. Unfortunately, there is no guaranteed way to do this: Locky’s encryption is sound and no free decryptor exists for it. However, there are a few things you can try.

First, if you have a backup of your files, restore them from it after the infected machine has been rebuilt. This is the best-case scenario, as it allows you to avoid paying the ransom and losing your files.

If you don’t have a backup, check for other copies: Volume Shadow Copies (Locky deletes them, but the deletion sometimes fails), previous versions on file servers, cloud storage with file versioning, or copies sent as email attachments. File-carving recovery tools that scan the disk for deleted data occasionally recover originals that were not fully overwritten, but they are rarely successful against ransomware that overwrites files in place, so treat them as a last resort.

Contacting the attackers to negotiate is a business decision that should be made with legal advice and an experienced incident response firm, not a self-help step; many victims who pay receive nothing usable.

Whether or not you recover your files, ensure that you have tested, offline backups going forward. This way, if you are ever infected with ransomware again, you can restore your files without paying.

Several ransomware decryption tools are available, but each works only for specific families, and none is effective against Locky. Check a reputable source such as the No More Ransom project for your variant rather than trying random downloads.

It is also important to note that even if you are able to decrypt files, some may be damaged and fail to open, so always copy the encrypted files somewhere safe before attempting decryption.

Cybersecurity Threats, Malware trends, and Strategies

Cybersecurity threats are on the rise, and ransomware schemes are becoming harder to detect and protect against. With malware trends continually evolving, organizations must be proactive in protecting their networks. An effective cybersecurity strategy is multi-layered: endpoint protection, promptly patched software, least-privilege access, multi-factor authentication, and employee training on how to recognize a potential threat. Web and email filtering should be implemented to keep malicious websites, attachments and ads at bay. Companies also need backup solutions, tested regularly, to ensure data continuity and integrity in the event of a breach. Taking these steps will substantially reduce the risk from ransomware, viruses, phishing scams, and other cyber-attacks.

Ransomware Schemes

Ransomware schemes are particularly difficult to detect and prevent due to the sophisticated tactics used by criminals. Ransomware attacks involve malicious software that encrypts data on a computer, making it inaccessible until payment is made. It’s important for organizations to have secure backup solutions in place so they can quickly restore data if their systems become compromised. Additionally, antivirus software should be kept up to date and users should be trained on how to recognize potential threats.

How to Prevent Locky Ransomware Attacks

Locky ransomware was one of the most widespread and dangerous ransomware variants of 2016 and 2017. Locky encrypts files on the infected computer and on reachable network shares and demands payment in cryptocurrency to unlock them. Companies should protect themselves by deploying endpoint protection with real-time scanning, blocking or restricting Office macros in documents from the internet (Locky’s usual delivery vehicle), restricting user access to sensitive data and shares, setting up proper firewalls, and keeping tested offline backups. Additionally, web and email filtering should be used to block malicious websites, attachments and ads.

How Fast Does Ransomware Work?

Ransomware is one of the most concerning forms of malicious software today. The encryption stage itself is fast: once deployed, a ransomware binary can encrypt a workstation in minutes and a file server in hours, faster than a human can respond.

The intrusion that leads up to it is not fast. In targeted attacks the criminals typically spend days or weeks inside the network after the initial compromise, stealing data, harvesting credentials and locating backups before they launch the encryption. That dwell time is the defender’s window: keeping security measures up to date and monitoring for the early signs of intrusion is what prevents the fast-moving final stage from causing irreparable harm and financial loss.

Conclusion

While ransomware and other cyber security threats are on the rise, there are ways to protect your business. Managed Security Services can help you stay ahead of these threats, keep your data safe and detect ransomware before it is deployed. If you’re not sure where to start or want more information about how our team can help, contact us today. We would be happy to discuss your specific needs and how we can work together to protect your business from cybercrime.


FBI Reports Rise in PYSA Ransomware Attacks


In a bulletin posted in March 2021 on its ic3.gov website, the Federal Bureau of Investigation warned of an increase in the number of PYSA ransomware attacks being perpetrated against K-12 schools, seminaries, and universities in the U.S. and the United Kingdom.

What is PYSA Ransomware?

PYSA, also known as Mespinoza, is ransomware deployed by attackers who first use a toolkit to scan networks and then exfiltrate and encrypt their targets’ critical data. The attackers then demand payment to restore their victims’ access to the information. PYSA attacks have also targeted government agencies, private industry, and healthcare providers. The FBI first became aware of this ransomware variant in March 2020.

Attack methodology

Attackers typically use social engineering, particularly phishing, as well as other tactics to obtain Remote Desktop (RDP) credentials they then leverage to access their targets’ systems. Once inside a victim’s network, they analyze the environment using port scanning and open source tools including Advanced Port Scanner, Mimikatz, Koadic, and PowerShell Empire.

These applications allow the attackers to find open ports they can use to access servers, identify programs, stage their malicious payloads, capture passwords from volatile memory, run scripts, and perform other operations in preparation for data exfiltration and encryption. They may also run commands to deactivate malware protection on their victims’ networks.

Once the prep work is completed, the cybercriminals exfiltrate copies of the critical files they have identified, in many cases using a legitimate secure file transfer tool such as WinSCP, and then run the PYSA ransomware to encrypt the original data on the victims’ systems.

Next, the malware causes ransom demand messages to be displayed on victims’ login/lock screens. These messages may be very detailed, even including frequently-asked-questions sections. The messages provide email addresses victims can use to contact the attackers along with specific ransom demands that, if met, will supposedly result in restoration of access to the encrypted files. The messages usually include threats to sell or publish the exfiltrated data on the dark web if the demands are not met. Anonymous, encrypted email accounts, mostly from ProtonMail.com and OnionMail.org, are used by the perpetrators of these attacks, concealing their identities and making it more difficult to track them down.

Forensic investigations of these attacks have revealed that the PYSA malware package is typically placed in a user folder on the C: drive of compromised systems. The malware file is sometimes given a name like svchost.exe, the name used for generic Windows processes, in an attempt to disguise it. Attackers sometimes remove the malware installation files after the applications are deployed. After encryption, the victims’ files typically have a .pysa file extension.

Types of data and systems typically targeted

The FBI bulletin does not indicate why the number of these attacks targeting educational institutions is on the rise, but it does provide information about the type of data attackers are targeting. They typically look for applications not accessible to average users, thus indicating to attackers that the data being accessed by these applications is sensitive or confidential. They also seek out backup files and databases where high-value data is stored. Per the FBI, attackers have focused on employment records and other files containing personally identifiable information (PII), payroll tax files, and anything else that, if stolen or rendered inaccessible, could provide victims with a great deal of incentive to pay a ransom.

Payment of ransoms is not recommended

In general, the FBI does not recommend that victims of ransomware attacks pay their attackers. In some cases, the attackers simply disappear with the ransom without restoring their victims’ access to the encrypted data. Additionally, an organization’s willingness to pay may identify it as an easy mark for future attacks by the same or other cybercriminals. Although not recommended, the payment of ransoms is also not prohibited. Organizational managers must evaluate each situation and make the decision regarding payment based on operational continuity, what is best for their employees and shareholders, and other pertinent factors relating to that particular attack.

Basic security measures help ward off PYSA attacks and mitigate their impacts

Many of the same security controls used to protect against other attacks and malware also work to prevent PYSA attacks from succeeding or at least mitigate the resulting damages.

Antivirus and anti-malware applications should be installed and regularly updated. Operating system and application security patches and updates should be installed as soon as possible so that known vulnerabilities are eliminated. Configuring email systems to disable hyperlinks and to add a warning banner to messages from external senders reduces the chance that employees inadvertently download malware from malicious sites or are taken in by phishing attempts (often the first step in PYSA attacks).

Multi-factor authentication should be implemented wherever available. Requiring strong passwords and regular mandatory password resets for all users is a must. Password sharing and reuse should be prohibited and user account privileges need to be regularly reviewed. Role-based access privileges should be applied, thus ensuring that users have only the minimum level of access required to perform their duties.

Because PYSA attackers routinely utilize Remote Desktop Protocol to access targeted systems, disabling RDP wherever possible is recommended. Any unnecessary remote access ports should be disabled as well. Remote access logs should be monitored to identify and investigate any suspicious activity.

Segmenting networks to the extent possible will make it more difficult for attackers to freely traverse the environment if access is gained. Regular data backups are recommended, as is storing backups on air-gapped storage systems separated from the rest of the environment.

Because phishing and other forms of social engineering are often used in these attacks, user training is critical. Simulation and role-playing are effective training methods because they require user participation. Consider utilizing a service that can actually send simulated phishing emails to users and track their responses.

Finally, if all else fails, organizations should have an enterprise continuity and recovery plan in place to aid in the recovery from a successful attack. The plan needs to be tested regularly and updated when necessary to ensure that it is continuously improved and remains current.

Recommendation

The best way to limit the damage from any attack on your systems is to prevent it from happening in the first place. It is vital to protect every point of entry into your organization, which means first knowing all of the points of entry that employees are actually using.

With CybriantXDR, you will have increased visibility along with the right technology, and security analysts watching that technology around the clock. With machine learning and artificial intelligence, our team is able to stop any bad actors before they execute.

Learn more about CybriantXDR here. 

Conclusion

Foreign and domestic cybercriminals are, according to the FBI, responsible for a growing number of PYSA ransomware attacks targeting educational institutions in the U.S. and U.K. These attacks have also been directed at governmental agencies, the healthcare sector, and private companies. Because they often begin with phishing and other forms of social engineering, training your organization’s user community to recognize the signs of a potential attack is critical. Beyond that, implementing many of the same technical controls used to prevent other forms of attack will also help to prevent PYSA attacks from being successful. Placing special emphasis on running regular backups and isolating and protecting backup files along with implementing continuity and recovery plans could significantly mitigate the impacts should a successful attack occur.

The FBI requests that any suspected or verified attacks be reported via their site at ic3.gov or by contacting a local FBI office.

FBI Warning: Recent Ransomware Attacks


The FBI released a warning about recent ransomware attacks. Find out more about those attacks and how to prevent them from happening to you. 


The FBI recently released the following warning:

HIGH-IMPACT RANSOMWARE ATTACKS THREATEN U.S. BUSINESSES AND ORGANIZATIONS

Ransomware is a form of malware that encrypts files on a victim’s computer or server, making them unusable. Cybercriminals demand a ransom in exchange for providing a key to decrypt the victim’s files.

Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.

Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted healthcare organizations, industrial companies, and the transportation sector.

Read the full warning here.

Recent Ransomware Attacks

Alabama-based DCH Health System 

According to Tuscaloosa News, “The DCH Health System has made a payment to the hackers responsible for the crippling attack on its computer system that’s impacted operations at its three hospitals since early Tuesday morning.

Hospital officials haven’t revealed how much was paid, but said in a statement Saturday that teams are working around the clock to restore normal hospital operations.

“We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and alignment with our health system’s mission,” system spokesman Brad Fisher said Saturday morning. “This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety. For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker.”

There has been no evidence that patient or employee data was affected, he said.”

Read the full story here. 

The recent ransomware attacks forced DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center to invoke emergency procedures and close all three hospitals, while continuing to serve the most critical patients who were already admitted.

Cyber Defense Best Practices

According to the FBI’s Warning, these are the best practices that could prevent these recent ransomware attacks:

  • Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data.
  • Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered and trained on information security principles and techniques.
  • Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
  • Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with the least privilege in mind.
  • Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
  • Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder.
  • Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by the security policy.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
  • Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.

Conclusion

To avoid being a victim similar to these recent ransomware attack victims, you need to have a cybersecurity strategy in place. Not sure where to start? A risk assessment will help you discover any potential security gaps. We have helped hundreds of clients improve their security positioning with a risk assessment.


Protect Your Business with Cybriant’s IT Security Best Practices Checklist

SamSam Strikes Again


SamSam, a ransomware that hackers use in targeted attacks, strikes again, this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network.

SamSam has been busy in 2018 so far, hitting several medical organizations including MedStar, Hancock Health Hospital, Adams Memorial Hospital and Allscripts. Hackers now seem to be focusing on cities and municipalities.

On February 22, SamSam hit the Colorado Department of Transportation computers and encrypted files. City officials shut down more than 2,000 computers while they investigated the attack.

The group behind SamSam has made over $850,000 since December 2017. 

SamSam hits City of Atlanta

March 22, 2018 – The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.

Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but operate without IT support. Asked if the city plans to pay the ransom note, Mayor Bottoms said “We can’t speak to that right now. We will be looking for guidance from specifically our federal partners.”

Not all IT infrastructure was affected: the city was in the process of moving some systems to cloud services, and those systems were untouched.

How did this happen? 

According to experts, the cause was likely a port that should not have been open. The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption and asks for a Bitcoin to be sent to a Bitcoin wallet. The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.

What next? 

Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:

  • Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network.
  • Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
  • Perform regular audits of your external network for open remote access ports. You can use the Shodan browser for this.
  • Have robust credentials. Weak credentials make a break-in easier and faster.
  • Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.
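The RDP brute-force pattern described above, and the recommendation in the PYSA and FBI sections to monitor remote access logs and log RDP login attempts, can be checked with a small detection routine. This is an added example, not Cybriant’s or the FBI’s code; the log lines are constructed in a simplified key=value form rather than real Windows event log output (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP), and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real EVTX output). Five rapid RDP failures from one
# source followed by a success is the signature of a brute-force that worked.
SAMPLE_LOG = """\
2018-03-22T05:30:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-22T05:30:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-22T05:30:05Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2018-03-22T05:30:08Z EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.7
2018-03-22T05:30:10Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2018-03-22T05:30:12Z EventID=4625 LogonType=2 TargetUser=alice SourceIP=-
2018-03-22T05:35:40Z EventID=4624 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2018-03-22T06:10:00Z EventID=4625 LogonType=10 TargetUser=bob SourceIP=198.51.100.22
2018-03-22T06:12:00Z EventID=4624 LogonType=10 TargetUser=bob SourceIP=198.51.100.22
"""

FAIL_THRESHOLD = 5                      # assumed: failures per source inside WINDOW
WINDOW = timedelta(seconds=60)          # assumed: sliding window for counting failures
SUCCESS_AFTER = timedelta(minutes=30)   # assumed: success this soon after a burst = compromise


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(log_text):
    """Return alerts as tuples: a burst of RDP failures per source IP, and any
    RDP success from that IP shortly after the burst (likely guessed credential)."""
    alerts = []
    recent_fails = defaultdict(deque)   # SourceIP -> failure timestamps inside WINDOW
    burst_seen_at = {}                  # SourceIP -> time the burst alert fired
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["LogonType"] != "10":    # only RDP (RemoteInteractive) logons matter here
            continue
        ip, ts = rec["SourceIP"], rec["ts"]
        if rec["EventID"] == "4625":
            q = recent_fails[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in burst_seen_at:
                burst_seen_at[ip] = ts
                alerts.append(("rdp_bruteforce", ip, ts))
        elif rec["EventID"] == "4624":
            started = burst_seen_at.get(ip)
            if started is not None and ts - started <= SUCCESS_AFTER:
                alerts.append(("rdp_success_after_bruteforce", ip, ts, rec["TargetUser"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

Two-factor authentication on RDP, as recommended above, removes the second alert class entirely: a guessed password alone no longer produces a 4624.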

We would like to add a few more suggestions:

  • Check for Vulnerabilities
  • Patch, Patch, Patch
  • Train Your HUMAN firewall!

As of today, some of the City of Atlanta’s computer systems are still shut down. The hackers are demanding $51,000 to unlock the system. City officials are still trying to determine the full extent of the attack. We haven’t heard much from the City of Atlanta, which makes it even more concerning.

Using Machine Learning to Improve Endpoint Security

The threat landscape is as dangerous as ever. Machine learning and endpoint security will help improve the security of the most vulnerable devices: endpoints. Learn more about how machine learning tools can help improve your endpoint security.

What Is Meant By Endpoint Security?

Endpoint Security is the approach that organizations take to protect their network when accessed by endpoint devices. Endpoints can be laptops, desktops, and even smartphones. Today’s digital resources combined with the increase of remote workers open a multitude of entry points for hackers to be able to access your corporate network. This is why endpoint security is a vital piece of network security in your security strategy.

Machine learning endpoint security is a software tool that organizations use to monitor their endpoints. Managed detection and response is the outsourced service where security analysts monitor your endpoints on a 24/7 basis.

What is the Difference Between Endpoint Security and Antivirus?

Traditional antivirus programs are more simplistic and limited in scope compared to machine learning endpoint security, like Managed Detection and Response. Antivirus can be perceived as a part of an MDR system.

Antivirus is generally a single program that serves basic purposes like scanning, detecting, and removing viruses and different types of malware.

Endpoint security systems, on the other hand, serve a much larger role. Endpoint Security contains many security tools like firewalls, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats. It usually runs on the client-server model and protects the various endpoints of an enterprise’s digital network and keeps the endpoints secure.

Hence, machine learning endpoint security solutions are better suited to the modern enterprise, since traditional antivirus alone has become obsolete as a means of providing total security.

Read more at Traditional Antivirus vs. EDR (Endpoint Detection and Response)

What is Machine Learning in Security?

Machine learning is the use of statistics to find patterns in large amounts of data. Many platforms are using machine learning and artificial intelligence to improve their algorithms which will improve the overall user experience. Machine learning endpoint security helps find unusual patterns in user behavior to detect potential malware attacks.

According to SentinelOne, there are two main approaches for AI-based malware detection on the endpoint right now: looking at files and monitoring behaviors. The former approach uses static features — the actual bytes of the file and information collected by parsing file structures. Static features are things like PE section count, file entropy, opcode histograms, function imports and exports, and so on. These features are similar to what an analyst might look at to see what a file is capable of.

With enough data, the learning algorithm can generalize or “learn” how to distinguish between good and bad files. This means a well-built model can detect malware that wasn’t in the training set. This makes sense because you’re “teaching” software to do the job of a malware analyst. Traditional, signature-based detection, by contrast, generally requires getting a copy of the malware file and creating signatures, which users would then need to download, sometimes several times a day, to be protected.

The other type of AI-based approach is training a model on how programs behave. The real trick here is how you define and capture behavior. Monitoring behavior is a tricky, complex problem, and you want to feed your algorithm robust, informative, context-rich data which captures the essence of a program’s execution. To do this, you need to monitor the operating system at a very low level and, most importantly, link individual behaviors together to create full “storylines”. For example, if a program executes another program, or uses the operating system to schedule itself to execute on boot up, you don’t want to consider these different, isolated executions, but a single story.

Training AI models on behavioral data is similar to training static models, but with the added complexity of the time dimension. In other words, instead of evaluating all features at once, you need to consider cumulative behaviors up to various points in time. Interestingly, if you have good enough data, you don’t need an AI model to convict an execution as malicious. For example, if the program starts executing with no user interaction, then registers itself to start when the machine is booted, then starts listening to keystrokes, you could say it is very likely a keylogger and should be stopped. These types of expressive “heuristics” are only possible with a robust behavioral engine.
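To make the static-feature and behavioral-storyline ideas above concrete, here is an added example (written for this page, not SentinelOne’s engine): a Shannon entropy feature computed over raw bytes, a storyline builder that attributes a child process’s behavior to the story of the parent that launched it, and the keylogger heuristic applied cumulatively over time. The event stream and action names are constructed, not real sensor output.

```python
import math
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Static feature: bits of entropy per byte, 0.0 (constant) to 8.0 (uniform).
    Packed or encrypted sections sit near the top of that range."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed event stream: (pid, ppid, time, action). ppid 1 = launched by init/explorer.
EVENTS = [
    (100, 1, 0, "process_start"),
    (100, 1, 1, "register_autostart"),   # e.g. run-at-boot persistence
    (100, 1, 2, "spawn_child"),
    (200, 100, 2, "process_start"),      # child of 100: same story
    (200, 100, 3, "hook_keyboard"),      # keystroke capture done by the child
    (300, 1, 0, "process_start"),
    (300, 1, 1, "user_interaction"),     # the user clicked or typed into it
    (300, 1, 4, "hook_keyboard"),        # an accessibility tool, for example
]


def build_storylines(events):
    """Group events by process lineage: a child's actions join the story of the
    root process that (transitively) launched it."""
    root_of = {}    # pid -> root pid of its story
    stories = {}    # root pid -> [(time, pid, action), ...] in time order
    for pid, ppid, t, action in sorted(events, key=lambda e: e[2]):
        root = root_of.get(ppid, pid)   # unknown parent => this pid starts a new story
        root_of.setdefault(pid, root)
        stories.setdefault(root, []).append((t, pid, action))
    return stories


def convict_keylogger(story):
    """Apply the heuristic cumulatively: return the time at which the story has
    shown autostart persistence AND keyboard hooking with no user interaction so
    far, or None if it never reaches that state."""
    seen = set()
    for t, _pid, action in story:
        seen.add(action)
        if "user_interaction" in seen:   # user-driven programs are out of scope
            return None
        if {"register_autostart", "hook_keyboard"} <= seen:
            return t
    return None


if __name__ == "__main__":
    print("entropy(random-like):", byte_entropy(bytes(range(256))))
    print("entropy(constant):", byte_entropy(b"AAAA"))
    for root, story in build_storylines(EVENTS).items():
        print(f"story rooted at pid {root}: convicted at t={convict_keylogger(story)}")
```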

How Do You Evaluate AI Solutions?

This question comes up a lot, and understandably so. I’ve written about this before in What Matters with Machine Learning. Essentially, since AI is so new, people don’t know the right questions to ask, and there’s a lot of marketing hype distorting what’s truly important.

The important thing to remember is that AI is essentially teaching a machine, so you shouldn’t care how it was taught. Instead, you should only care how well it has learned. For example, instead of asking what training algorithm was used (e.g. neural network, SVM, etc), ask how the performance was tested and how well it did. They should probably be using k-fold cross-validation to know if they’re overfitting the model and generalizing well, and they should optimize for precision to avoid false positives. Of course, raw model performance won’t be an indicator of how well the product works because the model is probably just one component in a suite of detection mechanisms.

Another important consideration is training data quality. Consider for example two people trying to learn advanced calculus. The first person practices by solving 1,000,000 highly similar problems from the first chapter of the book. The second person practices by only solving 100 problems, but made sure that those 100 problems were similar to and more difficult than questions on practice tests. Which person do you think will learn calculus better? Likewise for AI, you shouldn’t bother asking how many features or training samples are used. Instead, ask how data quality is measured and how informative the features are. With machine learning, it’s garbage in, garbage out, and it’s important to ensure training data are highly varied, unbiased, and similar to what’s seen in the wild.

Can Attackers Hide from AI Detection?

Since static and dynamic AI are both very different, adversaries must use different evasion techniques for each one. However, it should be noted that since AI is still fairly new, many attackers have not fully adapted and are not actively seeking to evade AI solutions specifically. They still rely heavily on traditional evasion techniques such as packing, obfuscation, droppers & payloads, process injection, and tampering with the detection products directly.

If attackers want to avoid static AI detection, they essentially must change how their compiled binary looks, and since it’s impossible to know how they should change it a priori, they’ll have to try a bunch of variations of source code modification, compilation options, and obfuscation techniques until they find one that isn’t detected. This is a lot of work, and it scales up with the number of products they’re trying to avoid.

What is Next-Generation Endpoint Security?

It was once believed that antivirus was enough to protect your endpoints. Endpoint security has taken over as the better technology to protect your endpoints. Endpoint Detection and Response (EDR) was formerly known as Endpoint Threat Detection and Response (ETDR) and is sometimes referred to as Next-Generation Anti-Virus (NG AV).

The industry vernacular then moved to Managed Detection and Response or MDR. At Cybriant, we call our MDR service Managed Detection and Remediation because our team will walk you through the remediation process, which is a valuable step in prevention. The next step in endpoint security is XDR. The X in XDR stands for multiple data sources that will help prevention and detection.


Prevent Cyberattacks with Artificial Intelligence