WannaCry Ransomware – Don’t Submit to the Amateurs!

I am sure by now most of you have heard of Ransomware, the malicious software that holds your data hostage and demands a sum of money for its return. In 2015, even the FBI agreed ransomware is here to stay. This time it would not stop at home computers, but would spread to infect:

“Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information.”


  There are two types of ransomware in circulation:

  Encryptors incorporate advanced encryption algorithms. They are designed to block system files and demand payment in exchange for the key that can decrypt the blocked content.

  Lockers lock the victim out of the operating system, making it impossible to access the desktop and any applications or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer.

  Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen.

  Crypto-ransomware, as encryptors are usually known, is the most widespread type. Some other characteristics of ransomware include, but are not limited to:

  • The ransomware may scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom.
  • It may add a different extension to your files, to sometimes signal a specific type of ransomware strain.
  • It will display an image or a message that lets you know your data has been encrypted and that you must pay a specific sum of money to get it back.
  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies.
  • Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed forever.
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (please visit the link below to find out why your antivirus is not protecting you.)
  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks.
  • It can spread to other PCs connected to a local network, creating further damage.
  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame, especially where financial institutions are concerned.

   I want to focus for a moment on the ransomware known as WannaCry. WannaCry ransomware attacks Windows-based machines. It also goes by the names WannaCrypt, WanaCrypt0r, WCrypt and WCRY.

  EternalBlue is an exploit generally believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on 14 April 2017. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

   The standard Windows security update on 14 March 2017 resolved the issue via security update MS17-010 for all Windows versions supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

  Many Windows users had not installed MS17-010 when, two months later on 12 May 2017, the WannaCry attack used the EternalBlue vulnerability to spread itself.

  The creators of the ransomware WannaCry made some amateurish mistakes, including an easy-to-find kill switch and the unsophisticated way the attackers are demanding bitcoin from their victims.

  There are kits sold on the dark web that already build in anonymity for the perpetrators, and this is what experts think they are seeing with WannaCry: it appears that some script kiddies are using software tools created by somebody else. The “kill switch” is a URL included in the code, which was used to stop the malware’s spread. The kill switch allowed people to halt the infection chain fairly quickly.

  Sophisticated ransomware usually has an automated way to accept payments from victims who want to unlock their computers, but WannaCry’s system seems to be manual — the scammers have to send each victim a code. This doesn’t seem practical for an infection involving thousands and thousands of computers.

  The scammers have collected payments from fewer than 200 victims. We know this, because they’re demanding bitcoin — and bitcoin transactions are public. We don’t know the scammers’ names, but we know the bitcoin addresses they’re using to receive payment — just three addresses. Again, more sophisticated ransomware would have the ability to generate a unique bitcoin address for each victim. So far, the attackers have collected about $60,000 worth of bitcoins which are just sitting there untouched, according to Jonathan Levin, co-founder of Chainalysis, a company that analyzes bitcoin usage to identify money-laundering. He’s been watching the bitcoins accumulating at WannaCry’s three addresses.

  “It might be that they don’t have a good idea yet about how to launder the bitcoin,” he said. “Perhaps they’re not really set up to take advantage of the success of their campaign so far.” Scammers sometimes have safe-zones — usually their home country — where their malware doesn’t do any damage. If the malware detects native language on the computer, it will not execute, sometimes deleting itself. WannaCry doesn’t do that either. Levin says if the perpetrators actually live in one of the countries hit hard by this attack — say, Russia — that would be, as he puts it, “an incredibly bad life choice.”


  Often, people are lulled into a false sense of security because they believe that having an antivirus protects them. This is just not true. Click here to find out why.

  Preventative maintenance is always the best way to go. Here’s what you can do to prevent being extorted by ransomware:

Locally, on the PC

Don’t store important data only on your computer, have 2 backups of data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.

The Dropbox/Google Drive/OneDrive/etc. application on your computer should not be turned on by default. Only open them once a day, to sync data, and close them once this is done.

Keep your operating system and the software you use up to date, including the latest security updates.

For daily use, don’t use an administrator account on your computer. Use a guest account with limited privileges.

Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.

Microsoft has released a Windows security patch, MS17-010, for Windows machines. This needs to be applied immediately and urgently.

Remove Windows NT4, Windows 2000 and Windows XP/2003 from production environments.

Block ports 139, 445 and 3389 in the firewall.

SMB is enabled by default on Windows. Disable the SMB service on the machine by going to Settings, unchecking the SMB setting, and clicking OK.
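The two host-level steps above (disable SMB, block 139/445/3389) can be audited and applied from an elevated PowerShell prompt. The script below is an added example written for this article, not code from EnCirca or from any vendor; it assumes Windows 8.1 / Server 2012 R2 or later (so the SmbShare, DISM and NetSecurity cmdlets exist), and the firewall rule name is this example's own choice. Without the -Apply switch it only reports.

```powershell
# Added example, not code from the EnCirca article: audit and optionally apply the two
# host-level WannaCry mitigations listed above (disable SMBv1; block inbound TCP 139,
# 445 and 3389 in the Windows firewall). Assumes Windows 8.1 / Server 2012 R2 or later
# (SmbShare, DISM and NetSecurity cmdlets present) and an elevated prompt.
function Invoke-WannaCryHostHardening {
    [CmdletBinding()]
    param(
        [switch]$Apply,                          # report only unless this switch is given
        [int[]]$BlockPorts = @(139, 445, 3389)   # the ports named in the article
    )

    # --- 1. SMBv1 -----------------------------------------------------------
    # The server-side protocol switch is what EternalBlue-style traffic reaches.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # The optional feature that installs the SMB1 binaries in the first place.
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    $serverStatus  = 'OK'; if ($smb1Server) { $serverStatus = 'FAIL' }
    $featureStatus = 'OK'; if ($smb1Feature -eq 'Enabled') { $featureStatus = 'FAIL' }
    [pscustomobject]@{ Check = 'SMBv1 server protocol disabled'; Value = $smb1Server;  Status = $serverStatus }
    [pscustomobject]@{ Check = 'SMB1Protocol feature removed';   Value = $smb1Feature; Status = $featureStatus }

    if ($Apply -and $smb1Server) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($Apply -and $smb1Feature -eq 'Enabled') {
        # -NoRestart leaves the reboot to the operator; the removal completes only after it.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # --- 2. Inbound firewall blocks ----------------------------------------
    foreach ($port in $BlockPorts) {
        $ruleName = "EnSight-Block-Inbound-TCP-$port"   # rule name chosen for this example
        $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        $portStatus = 'FAIL'; if ($existing) { $portStatus = 'OK' }
        [pscustomobject]@{ Check = "Inbound TCP $port blocked"; Value = [bool]$existing; Status = $portStatus }
        if ($Apply -and -not $existing) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# Audit first; re-run with -Apply once the report has been reviewed.
Invoke-WannaCryHostHardening | Format-Table -AutoSize
# Invoke-WannaCryHostHardening -Apply | Format-Table -AutoSize
```

Blocking inbound 445 stops this host from serving file shares and blocking 3389 stops Remote Desktop from the network, so run the audit first and apply only on machines that do not need those services (or narrow the rules with -RemoteAddress). Removing the SMB1Protocol feature takes effect after a reboot.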

In the browser

Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely must use them, set the browser to ask to activate these plugins when needed.

Adjust your browsers’ security and privacy settings for increased protection. (Instructions for Firefox, Safari, Internet Explorer or Google Chrome.)

Remove outdated plugins and add-ons from browsers. Only keep the ones used on a daily basis and keep them updated to the latest version.

Use an ad-blocker to avoid the threat of potentially malicious ads.

Online behavior

Never open spam emails or emails from unknown senders.

Never download attachments from spam emails or suspicious emails.

Never click links in spam emails or suspicious emails.

Anti-ransomware security tools

Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.

Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.


  You can find a more extensive Ransomware protection plan here.

  Brought to you by the same security company is a list of ransomware decryption tools you can use to avoid paying the criminals. Keep in mind that they may become obsolete as the malware is likely to change frequently as time goes on.

  There are also a few decryption tools available for some versions of Windows that have been infected with WannaCry.

  Also, this, from the LogicBoxes helpdesk:

What are we doing on our Windows shared servers?

We are already in the phase of applying Windows updates on all our shared hosting Windows servers. However we need to reboot servers in order to apply those security patches. We shall announce the schedule for server reboot in this thread shortly.

What do you need to do in the case of our Windows dedicated servers?

You need to patch the Windows dedicated server immediately using the steps mentioned in the link: https://goo.gl/PYIEis

In addition to this, please block the IP addresses, domains and file names mentioned in this link: https://goo.gl/JsSo0v

You can also refer to the following links to apply the necessary fix.

https://technet.microsoft.com/library/security/MS17-010

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://support.microsoft.com/en-in/help/4013389/title

For dedicated servers, once you have applied the necessary changes, you need to reboot the server.

Please feel free to contact our support desk if you have any questions.

LogicBoxes Helpdesk

If you follow these protocols to keep your data protected there is no need to fear ransomware.


Ensight security alerts and recommendations is a free service of EnCirca, the most secure domain name Registrar.

Have a question or suggestion about an EnSight article? Please contact Ensight@encirca.com

Preventing Data Breaches with EnCirca’s Multi-factor Authentication and SSL Certificates


  As security threats continue to evolve, EnCirca stays ahead of the game by providing our customers with enhanced security features. Our customers trust us to protect their privacy and sensitive data and we take that very seriously.

EnCirca Two-Factor Authentication Service


 What is two-factor authentication (2FA)?


2FA, sometimes known as Multi-factor authentication (MFA), requires an additional security step to conduct certain operations. At EnCirca, if your account is enabled for 2FA, it will impact the following operations for all domains in your account:

1. Updating your customer record
2. Changing a domain’s Name servers
3. Updating Whois contact data
4. Updating Name servers info

*.BANK and .INSURANCE customers are required to use 2FA 

How does it work?

   EnCirca uses a third-party software app called AUTHY to implement its 2FA service. This app may be downloaded and installed on nearly any mobile device, including: Android, Apple, Blackberry, OSX, Windows and Linux. 

EnCirca’s SSL


  Part of protecting your domain means purchasing and installing an SSL Certificate.

It is up to you to evaluate risk and put security measures in place to mitigate those risks.

  Thieves steal data if left unchecked. Business competitors infiltrate websites and alter files or disrupt services if left unprotected. More and more we are seeing Distributed Denial-of-Service (DDoS) and other cyber-attacks intended to cripple or destroy services.
  The foundation of trusted point-to-point communications is the Secure Sockets Layer (SSL) certificate, an encryption technology installed on web servers that permits transmission of sensitive data through an encrypted connection. Using a public-key infrastructure (PKI), SSL certificates authenticate the website and its server, making it difficult for those sites to be imitated or forged. SSL certificates are purchased from companies known as certificate authorities (CAs).

  To get started, you need to decide what type of SSL Certificate is right for your business. 

Under the Safeguards Rule, financial institutions must protect the consumer information they collect.


  Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
  The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. But safeguarding customer information isn’t just the law. It also makes good business sense. When you show customers you care about the security of their personal information, you increase their confidence in your company. The Rule is available at ftc.gov
  Selecting the right SSL Certificate depends on a variety of factors including security level, trust level, and visibility to the web visitor.
Encrypting every page and domain is recommended for a few reasons. One, your site visitors will know that their browsing activity is encrypted, (the customer will see that extra security in the form of a “green bar” that tells them the site is secure) and another is that encrypting every page now helps your pages rank better in Google’s search engine algorithm.
  EnCirca recommends Extended Validation (EV) Certificates. EV Certificates are superior because EV issuance uses the most stringent verification process of any SSL certificate. A customer visiting an EV-protected website can be assured that they are not visiting a phishing site.
To fully meet your needs, we offer the following different types of certificates:

Standard SSL Certificates – require the certificate issuer to independently verify the information concerning the applicant’s business.
Extended Validated (EV) Certificates – the applicant’s business credentials are validated more extensively to help ensure that the applicant isn’t a phisher, spoofer, or other type of online criminal.
Wildcard Certificates – protect multiple options of the same base domain (i.e. www.sample.bank and directory.sample.bank)
SAN Certificates – protect multiple, different domains (i.e. www.sample.bank and sample.com)
  Several steps are required to make SSL certificates functional. The website administrator needs to generate a Certificate Signing Request (CSR) for the server where the certificate will be installed. The domain needs to be validated, and finally, the certificate is then installed.
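The first of those steps, generating the CSR, looks like this on a Windows/IIS server using the built-in certreq tool. This is an added example written for this article, not code from EnCirca or a CA; the subject fields and the working directory are placeholders, and the two DNS names are the sample names used above. On a Linux server the equivalent step is done with openssl instead.

```powershell
# Added example, not code from the EnCirca article: create the private key and the
# Certificate Signing Request (CSR) on a Windows/IIS server with the built-in certreq
# tool, for the names the article uses as samples (www.sample.bank and
# directory.sample.bank). The subject fields and the working directory are placeholders
# for this example. Run from an elevated prompt so the key lands in the machine store.
$workDir = Join-Path $env:TEMP 'sample-bank-csr'     # example-only location
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'

# certreq takes its parameters from an INF file in the documented [NewRequest] format.
# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.sample.bank, O=Sample Bank (placeholder), L=Boston, S=MA, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0xa0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.sample.bank&"
_continue_ = "dns=directory.sample.bank&"
'@
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Generate the key pair in the machine store and write the CSR to send to the CA.
certreq.exe -new $infPath $csrPath

# Check the request before sending it: the subject and both DNS names must be present.
$dump = (certutil.exe -dump $csrPath) -join "`n"
foreach ($name in 'www.sample.bank', 'directory.sample.bank') {
    if ($dump -notmatch [regex]::Escape($name)) { Write-Warning "CSR does not contain $name" }
}
Get-Content -Path $csrPath
```

The private key never leaves the server (Exportable = FALSE); only the contents of request.csr go to the CA. After validation, the issued certificate is bound to the same key with certreq -accept on the same machine, which is why the CSR must be generated on the server where the certificate will be installed.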
Please visit us at EnCirca’s SSL page for assistance in securing the appropriate SSL certificates for your business.
It is necessary to implement tighter security. EnCirca makes it easy.  

 Resources:

Symantec

Ftc.gov

‘EnSight’

Security Alerts and Recommendations from


Mitigating Security Risks to Financial Institutions

Banks will need to make online security presence a high priority for 2017 in order to keep up with competitors and fight for business and investment. Customers and investors want assurance and confidence that they are dealing with a secure bank and will divert their funds accordingly. In addition, banks need to be able to continue normal business operations with fewer breakages and system failures. When banks take these market factors fully on board, they can better understand the true value of investing proper amounts of time and money into cybersecurity efforts. This will lead to overall enhanced profitability and stability for the individual bank as well as for the banking industry.
The crucial factor that senior banking executives need to take on board is understanding that these risks stem from a wide range of external sources. It is a common misconception for banking executives to believe there are a limited number of threat sources – which is leading to unidentified sources of risk.

Most commonly the attackers are seeking to acquire capital as well as confidential data and sensitive information. EnCirca offers several services to help you secure your domain and keep your data safe.


Compromised emails and websites pose a serious and preventable risk.


Why DMARC?

  Financial Institutions are among the most spoofed and phished brands. Imagine if you could give your customers the peace of mind that all email they receive from your domain is legitimate?

Utilizing EnCirca’s DMARC service will go a long way to protecting your institution to the fullest extent possible at this time. Achieving DMARC Alignment helps prevent these attacks.


What is DMARC?

  Domain-based Message Authentication, Reporting and Conformance (DMARC) is a requirement that concerns the email addresses a customer uses to send out email. DMARC is a way to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spam and phishing messages and keep them out of customers’ inboxes.

DMARC provides domain-owners with control, and the ability to block domain-based spoofing. Used correctly, DMARC also provides domain-owners with intelligence, by giving domain owners aggregate and forensic data on emails. However, DMARC implementation is complicated and has traditionally been too costly for most small businesses.

DMARC Migration Process

  By default, domain names have DMARC records set to “Reject”. This means the domain is not being used to send out email. Customers are free to keep this setting for as long as they wish. When a customer decides they want to start using their domain name to send out email, the DMARC record is temporarily set to “None”. This allows a designated email address to review reports from various email service providers, such as Google, Yahoo, Comcast, Microsoft, etc., regarding emails that claim to be from the customer’s domain name. All authorized email senders are then inventoried and white-listed in an SPF record (a less common approach, using digital signatures, is called DKIM). Once either of these records is correctly configured, the DMARC setting is switched back to “Reject” so that the email service providers do not deliver unauthorized email.
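The records involved in that migration are ordinary DNS TXT records, and it helps to see what each stage actually publishes. The script below is an added example written for this article, not EnCirca's or Proofpoint's code: a small DMARC record parser plus the three stages walked with constructed records. sample.bank is the article's own sample domain; the report mailbox and the mail-provider name are placeholders.

```powershell
# Added example, not code from the EnCirca article: a small DMARC record parser and the
# three migration stages described above, walked with constructed records. sample.bank is
# the article's own example domain; the mailbox and mail-provider names are placeholders.
function ConvertFrom-DmarcRecord {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Record)
    process {
        # A DMARC record is "tag=value" pairs separated by semicolons; v=DMARC1 must come first.
        $tags = [ordered]@{}
        foreach ($pair in ($Record -split ';')) {
            $pair = $pair.Trim()
            if (-not $pair) { continue }
            $kv = $pair -split '=', 2
            if ($kv.Count -ne 2) { throw "Malformed tag '$pair'" }
            $tags[$kv[0].Trim()] = $kv[1].Trim()
        }
        if (@($tags.Keys)[0] -ne 'v' -or $tags['v'] -ne 'DMARC1') { throw 'Record must start with v=DMARC1' }
        if ($tags['p'] -notin 'none', 'quarantine', 'reject') { throw "p= must be none, quarantine or reject (got '$($tags['p'])')" }

        # Defaults per the DMARC specification when a tag is absent.
        $sp    = $tags['p'];  if ($tags.Contains('sp'))    { $sp    = $tags['sp'] }
        $pct   = 100;         if ($tags.Contains('pct'))   { $pct   = [int]$tags['pct'] }
        $adkim = 'r';         if ($tags.Contains('adkim')) { $adkim = $tags['adkim'] }
        $aspf  = 'r';         if ($tags.Contains('aspf'))  { $aspf  = $tags['aspf'] }

        [pscustomobject]@{
            Policy           = $tags['p']
            SubdomainPolicy  = $sp
            Percent          = $pct
            AggregateReports = $tags['rua']   # where mailbox providers send the reports reviewed in stage 2
            ForensicReports  = $tags['ruf']
            DkimAlignment    = $adkim         # 'r' relaxed, 's' strict
            SpfAlignment     = $aspf
        }
    }
}

# Stage 1 (the default described above): the domain sends no mail, so anything
# claiming to be from it is rejected.
$stage1 = 'v=DMARC1; p=reject'
# Stage 2: monitoring. Nothing is blocked yet; providers send aggregate reports to rua
# so the legitimate senders can be inventoried.
$stage2 = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@sample.bank'
# The SPF record built from that inventory (constructed: the MX host plus one outsourced sender).
$spf    = 'v=spf1 mx include:_spf.mail-provider.invalid -all'
# Stage 3: back to enforcement, with reporting kept on and strict alignment.
$stage3 = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@sample.bank; adkim=s; aspf=s'

$stage1, $stage2, $stage3 | ConvertFrom-DmarcRecord | Format-Table -AutoSize
"SPF record to publish at sample.bank: $spf"

# Live lookup of a published record (needs DNS access; Windows 8 / Server 2012 or later):
# (Resolve-DnsName -Name '_dmarc.sample.bank' -Type TXT).Strings -join '' | ConvertFrom-DmarcRecord
```

The stage 2 record is the one that needs the most care: p=none means nothing is blocked while the reports are being reviewed, so it should be published only for as long as the sender inventory takes, and the rua mailbox must actually be read. Keep rua in the final record as well, since the reports are what reveal a newly added sender (or a new spoofing campaign) after enforcement is back on.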

The DMARC Solution

  EnCirca’s partnership with Proofpoint, a founding member of DMARC, provides a one-stop shop for customers, helping them comply with the registry’s security requirements as quickly as possible. Our DMARC Monitoring Service is a cost-effective email authentication service appropriate for organizations to help make the promise of a secure site a reality. Our base package includes Email authentication for all of your existing website domains.

SecureDNS

  The runner up to phishing is a newer scam: pharming. Unlike phishing, which requires victims to voluntarily visit a criminal’s website, pharming simply redirects victims to fraudulent websites without assistance. This clandestine activity can go undetected for ages, allowing the attack to siphon huge chunks of sensitive information, including all Passwords and Usernames. Pharming subverts a basic service of the Internet known as the ‘Domain Name System’ or ‘DNS’. Each machine connected to the Internet knows the location of one or more DNS servers. This service translates a human-friendly URL name such as www.yourwebsitehere.com into an IP address, which is a unique number that has been assigned to each web server on the Internet.
At a high level, DNSSEC (sec for security) is similar to HTTPS for websites to encrypt communication using cryptography keys behind the scenes. fTLD is requiring .Bank registrants to support DNSSEC for hosted e-mail systems, content delivery networks, and security fraud systems by January 1, 2018. This is a security standard that allows the Domain owners to physically monitor traffic to their domain. The owners are able to register their Domains’ zones, enabling DNS resolvers to verify the authenticity of all DNS responses.

Successful exploitation could possibly allow a malicious attacker to create a denial of service disrupting websites and backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system.

EnCirca’s new DNS service is ISO 27001-certified and provides the “Carrier-Grade” technical stability, performance and high-availability demanded by security-conscious organizations today. A highly redundant and scalable Anycast network helps fight against Distributed Denial of Service (DDOS) attacks. The service also includes enhanced security tools to help companies fight phishing and other email-related fraud. 

Our SecureDNS technology includes:

Anycast network

18 Global DNS sites covering every major continent

Simplified on-boarding

ISO27001

Numerous redundancy measures

Services delivered over IPV4 & IPV6

  Join us at EnSight next week as we go over how to prevent data breaches using multi-factor authentication and the appropriate SSL certificates.

Dangerous Trojan Steals Banking Credentials

‘EnSight’

Security Alerts and Recommendations from EnCirca


Today’s Quick-Read

Threat – Malware delivered via email

Target – Online banking credentials

Target Application – Microsoft Word

Best fix – Apply the patch from Microsoft


A new zero-day flaw has been discovered in the wild that exploits unpatched Microsoft Word applications (even on a fully patched computer) and is being used to spread the Dridex banking Trojan. Dridex is currently one of the most dangerous banking Trojans on the Internet; it exhibits the typical behavior of monitoring traffic to bank sites by infiltrating your computer and stealing your online banking credentials and financial data.


According to researchers, this attack is severe as it gives the attackers the power to bypass most exploit mitigations developed by Microsoft, and unlike past Microsoft Word exploits seen in the wild, it does not require you to have Macros enabled. This attack works on all Windows operating systems, even against Windows 10.


How it works


The attack utilizes OLE2link objects (Windows Object Linking and Embedding) attached to a simple email. Upon opening the email, the malicious code executes and connects to a remote server controlled by the attacker, from which it downloads a malicious HTML Application (HTA) file disguised as a document in Microsoft’s Rich Text Format (RTF). The HTA file then executes automatically, giving the attacker full code execution on your machine, downloads additional payloads from other well-known malware families to take over your computer, and then closes the compromised Word file. In the time it takes you to open and close the Word file, the malware has already been installed in the background on your system.


How to protect yourself


  • Do not open or download any suspicious Word files that arrive in an e-mail, even if you know the sender, until you have installed the patch from Microsoft.

  • Since the attack does not work when a malicious document is viewed in Office’s Protected View, users are advised to enable this feature for viewing any Office documents.

  • Always keep your system and antivirus up to date.

  • Regularly back up your files to an external hard drive.

  • Disabling macros does not offer any protection against this attack, but users are still advised to do so to protect themselves against other attacks.

  • Always beware of phishing emails and spam, and do not click on suspicious attachments.

  • Apply the patch from Microsoft that was released on 4/11/2017.
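Protected View is on by default, but it can be switched off per trigger (attachments, Internet files, unsafe locations) by a user or a policy, and the second item above only helps if it is actually still on. The script below is an added example written for this article, not Microsoft's or EnCirca's code: it reads the three Protected View registry values for Word and optionally resets them. The value names are Microsoft's documented Protected View settings (the "Attachements" spelling is Microsoft's own); the Office version path "16.0" and the two registry locations checked are assumptions made for this example.

```powershell
# Added example, not code from the EnCirca article: check that Word's Protected View is
# still active for email attachments, files from the Internet and unsafe locations, and
# optionally re-enable it. The three value names are Microsoft's Protected View settings
# (the "Attachements" spelling is Microsoft's own); the Office version path "16.0" and
# the two registry locations checked are assumptions made for this example.
function Test-WordProtectedView {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0',   # assumed: 15.0 = Office 2013, 16.0 = Office 2016/365
        [switch]$Fix                       # clear any disabling value found
    )
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView",  # policy
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView"            # user setting
    )
    $settings = 'DisableAttachementsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

    foreach ($name in $settings) {
        # A DWORD of 1 under either path turns that Protected View trigger off; absent or 0 keeps it on.
        $disabledAt = @()
        foreach ($p in $paths) {
            $v = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
            if ($v -eq 1) {
                $disabledAt += $p
                if ($Fix) { Set-ItemProperty -Path $p -Name $name -Value 0 -Type DWord }
            }
        }
        $status = 'OK'; if ($disabledAt.Count -gt 0) { $status = 'FAIL: Protected View off' }
        [pscustomobject]@{ Setting = $name; Status = $status; DisabledAt = ($disabledAt -join '; ') }
    }
}

Test-WordProtectedView | Format-Table -AutoSize
# Test-WordProtectedView -Fix   # re-enable, then confirm with a second run
```

A value found under the Policies path was set by Group Policy and will be re-applied at the next policy refresh, so a FAIL there needs to be fixed in the GPO rather than on the workstation. The same value names exist for Excel and PowerPoint under their own Security\ProtectedView keys if the check is to be extended.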


Resources: Hacker News; DRIDEX – by Symantec


Ensight security alerts and recommendations is a free service of EnCirca, the most secure domain name Registrar. Comments or questions may be directed to Ensight@encirca.com