
Locky Gets Updated to ‘Ykcol’, Part of Rapid-Fire Spam Campaigns

Cybercriminals behind the Locky ransomware have revamped the malware’s code three times in a 30-day period and blasted out massive spam campaigns.

According to researchers at Trustwave, the latest variant of Locky ransomware is called Ykcol (that’s Locky spelled backwards) and was part of a Sept. 19 spam blast targeting 3 million inboxes within a three-hour period. Messages were sent from the notorious Necurs botnet.

That campaign dovetails with recent campaigns that pushed out the Locky variants Lukitus and Diablo during the same 30-day period between Aug. 14 and Sept. 19. The Lukitus campaign started at the end of August and lasted more than a week, sending 15 million to 20 million emails.

“The behavior is the same, but the extensions used to encrypt the files and the malware binaries are constantly changing,” said Karl Sigler, threat intelligence manager for SpiderLabs at Trustwave. With Ykcol, encrypted files use the extension .ykcol. Sigler said Locky authors also “tweak” the malware’s binaries, only slightly changing code such as variable names or internal logic.

“They are constantly updating the malware to evade detection,” Sigler said.

As with the previous Lukitus version of Locky, the Ykcol ransomware follows the same convention and is packed with Game of Thrones references. References in the malware’s Visual Basic script include “Aria,” “HoldTheDoor,” “SansaStark,” “Throne,” and the misspelled “JohnSnow” and “RobertBaration.”

“What is most interesting with Ykcol is how it has changed its strategy when it comes to getting onto the victim’s system,” Sigler said.

Where Diablo used fake invoices and Lukitus tried everything under the sun, from malicious URLs to Office docs and compressed script files (JavaScript or .vbs), Ykcol’s strategy is to send “vague” invoices that show up blank.

“With Ykcol they appear to limit the campaign to a fake invoice with minimal information. The attachment is a 7zipped VBScript that downloads Locky,” he said. With 7zipped files, some A/V scanners may have trouble inspecting them, since Zip and RAR are the more typical compression methods.

If the malicious attachment is opened, a JavaScript downloader uses either an XMLHttpRequest object (which can be used to request data from a web server) or PowerShell commands to download the binary files. The attachment’s script is also responsible for executing the downloaded binaries.

“It’s about options. Local endpoint protection may have heuristics looking for scripts to invoke Powershell or the XMLHTTP methods of downloading. By using both, one or the other may be able to bypass those protections,” Sigler said.

He added that from Diablo to Ykcol the ransom demand dropped from 0.5 bitcoins to 0.25 bitcoins, or from $2000-$2500 to $1000-$1250. He also noted that while there is a free decryption key for older versions of Locky, it won’t work on the newer versions.

Over the past two years, 35 unique ransomware strains earned cybercriminals $25 million, with Locky and its many variants being the most profitable, according to a study released in July by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. Locky has pulled in $7 million in ransomware payments since 2016.

“These behaviors reveal a constantly evolving bag of tricks, where the campaigns change daily, yet deliver the same ultimate payload,” wrote Trustwave in an upcoming blog post outlining the research.

Trustwave said it suspects Ykcol has run its course and that cybercriminals behind the Locky ransomware are already working on an updated variant.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Cyber-fraud or future currency? All about Bitcoin.

The crypto-currency, Bitcoin, has risen to fame in recent years, and become especially prevalent due to the recent media coverage linked to the WannaCry ransomware attack. Bitcoins have the advantage of anonymity for criminals and cyber-fraud, but could this currency become a mainstream method of payment in the future?

What is a crypto-currency?

For those unfamiliar with bitcoins and other forms of crypto-currency, they are simply a form of digital currency. This currency is underpinned by a technology called blockchain, and can be traded from one person’s ‘wallet’ to another. These bitcoins possess value, and can be traded as if they were any other type of currency. Once the bitcoin software has been downloaded, an individual is connected to other bitcoin users over the internet, and a set of unique keys is generated that enables the transfer of bitcoins to other users. One key is kept private and the other is public, but it is almost impossible to work out an individual’s private key from their public key. These keys can then be used to transfer bitcoins between users.

History of Bitcoin and cyber-fraud

First created in 2009, Bitcoins became famous between 2011 and 2013 when traders rapidly inflated their value by purchasing millions of dollars of Bitcoins. This allowed criminal traders to move money outside the control and watch of law enforcers. Bitcoins offer criminals the dual advantages of a decentralized currency that can be traded without a middle man, combined with a high degree of anonymity, which makes them well suited to executing cyber-fraud. The value of bitcoins has risen so rapidly that in March 2017 it actually surpassed that of an ounce of gold.

The use of bitcoins is seen as controversial for a number of reasons. The major issue with this currency is that it operates outside the control of the central bank and government. This means that tracking the movement of this currency becomes more complicated. This has made bitcoins an attractive option for the illegal market and for cyber-fraud.

Bitcoins are also changing the way in which personal wealth is stored and managed. The control of personal wealth has been restored to the individual through this crypto-currency, removing the power formerly held by banks. However, unlike traditional transactions, bitcoin transfers are final and wealth is subject to no form of insurance, making this a risky method of storing wealth.

Are crypto-currencies the future?

Despite its affiliations with the illegal economy, and the association with cyber-fraud, major banks and companies across the world are in talks to adopt digital currencies such as Bitcoins. Already Bitcoins can be used to purchase certain items including Dell laptops and vouchers to be used at major shops. A recent survey completed by Cambridge University estimates that over 6 million people across the world possess a bitcoin ‘wallet’. This suggests that there is a possibility of mass adoption of this currency.

Although the greatest level of attention is given to Bitcoin’s use in the shadow economy, its greatest use is actually in the legal economy. Many believe that the blockchain technology underpinning bitcoin transactions could be used for other things. Suggested uses include enabling governments to track international aid money, tracking the origins of raw materials in supply chains, and online voting.

In addition, if people lose trust in traditional currencies, crypto-currencies may increase in importance. Governments are able to print money in order to finance government debt, which essentially works as an inflation tax. The use of Bitcoins prevents this from happening, as there is a mathematical limit on the number of Bitcoins that can be created. The future of Bitcoins is uncertain, but many are excited about the potential this technology has to revolutionise markets.

For those that are interested in cyber-fraud, there are additional blog posts you can read on the subjects of cyber-security and cyber-fraud.


US Government Site Was Hosting Ransomware

A US .gov site was hosting a .zip archive containing JavaScript with obfuscated PowerShell that downloaded a .gif file which was actually a Cerber executable.


Ransomware Backup Protection | 2 of 2

Part One | Part Two

Ransomware Backup Protection: There is nothing quite like an incident infecting hundreds of thousands of computers globally to bring a problem into rather sharp focus. Ransomware has been with us for many years. We’ve seen a number of customer cases that prove it’s possible to survive these attacks without having to pay. In 2017 there have been two major ransomware attacks, WannaCry and NotPetya. As the ransomware threat continues, it’s imperative to understand how you can protect your business against ransomware. Having a strategy is a really good start.

Get a Ransomware Backup Protection Strategy

A ransomware protection strategy requires at least three elements: education, patching, and backup.

  • Educate: Education of your users and your Administrators is essential to protect your business from ransomware. It’s critical that your staff and stakeholders understand what ransomware is and the significant threat it poses. Provide your teams with examples of suspicious emails. Empower them with clear instructions on what to do if they encounter a potential ransomware lure: for example, don’t open unexpected attachments, and if you see something, say something about it. Conduct quarterly formal training to inform staff about the risk of ransomware and other cyber security threats.
  • Patch: Antivirus software is essential for any business to protect against ransomware and other cyber risks. Ensure your security software, and all critical software elements such as operating systems, are up to date. Keep all business applications patched and updated to minimise vulnerabilities.
  • Backup: Snapshot-based incremental backups, as frequently as every five minutes, to create a series of recovery points are a feature of modern total data protection solutions. If you suffer a ransomware attack, this allows you to roll back your data to a point in time before the attack. The benefit of this is two-fold. First, you don’t need to pay the ransom to get your data back. Second, since you are restoring to a point in time before your systems were infected, you can be certain everything is clean and the malware cannot be triggered again.

Ransomware Backup Protection for Business Continuity

Survival requires preparation before an attack. Data protection technology and ransomware backup protection best practices are critical for mitigating the damage that ransomware attacks can inflict on the Business Continuity of organisations. The likelihood of getting ‘hit’ by ransomware is really rather high, and it’s not getting any better. It’s obvious that backup is one line of defence against ransomware.

Most Government organisations recommend backing up frequently as a way to beat ransomware. The UK National Cyber Security Centre recommends that you verify the integrity of backups and secure them. Ransomware backup protection is best when backups are maintained offline from the production environments, because ransomware can corrupt backup copies as well. Snapshots and replication can be vulnerable to time-delayed ransomware attacks.

The National Cyber Security Centre has recently updated its advice regarding backup in NCSC: Backing up your Data. It is reasonable guidance, which hopefully the NCSC will expand upon in the future. In broad terms:

  • Identify what data you need to back up
  • Keep your backup separate
  • Consider the cloud
  • Read our cloud security guidance
  • Make backing-up part of your everyday business

Ransomware Backup Protection with the Cloud

Data protection vendors, such as Datto, have been adding features that protect against ransomware. Storage vendors are also providing reporting tools that can help protect against ransomware by alerting users to anomalies occurring within files. Pattern detection on data and files alerts administrators to unusual levels of encryption, so they can intervene and limit the damage.

Serviceteam IT use a number of vendors and solutions in order to protect customer data, not only as the last line of defence against ransomware, but also to provide seamless Business Continuity. Our primary solution recommendation for small businesses is the Datto ALTO. Datto ALTO is the only continuity solution designed specifically for small business. Using image-based backup and a hybrid cloud model, ALTO delivers enterprise-grade functionality at a small business price. The ALTO easily protects any physical, virtual and cloud infrastructure running on Windows, Mac or Linux. Spin up lost servers in seconds without the need for additional tools.

Back up automatically on schedule to a local device, and replicate backups to the Datto Cloud. Recover granular data quickly from multiple points in time, and use Datto Cloud virtualisation to get back to business in minutes. Get more than just one server back up and running: virtualise your entire infrastructure with the click of a few buttons. Be back up and running as fast as the images can boot in Datto’s Cloud. Once the crisis is past, ALTO makes it easy to get back to normal operations. Say goodbye to business downtime, and hello to fast and easy business continuity all in one product.

In 2016, Datto released the first ransomware backup detection in the industry, as part of its Total Data Protection solution. Ransomware, like most illicit software, leaves an identifiable footprint as it takes over a server, PC or laptop. Datto devices actively monitor backups, and when a ransomware footprint is detected, it notifies admins that they have a likely ransomware attack on their hands. From there, recovery is simply a matter of restoring from a previous backup. Stop worrying about ransomware and get back to business fast with Datto Ransomware Backup Protection.
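The “ransomware footprint” and “unusual encryption levels” checks described above can be approximated by comparing two recovery points: if the share of high-entropy files jumps between snapshots, or files appear with a known ransomware extension such as the .ykcol extension mentioned earlier, the newer point is flagged. This is an added illustration written for this page, not Datto’s or Serviceteam IT’s code; the watch-list, the 7.5-bit entropy threshold and the sample snapshots are constructed assumptions.

```python
import math
from collections import Counter

# Watch-list of extensions; .ykcol is the one reported for the Ykcol variant.
# Constructed for this example: extend it from your own threat intelligence.
RANSOM_EXTENSIONS = {".ykcol"}
HIGH_ENTROPY_BITS = 7.5   # near the 8.0 maximum: encrypted or compressed data

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_stats(files: dict) -> dict:
    """`files` maps path -> content bytes, i.e. one backup recovery point."""
    high = sum(1 for d in files.values() if shannon_entropy(d) >= HIGH_ENTROPY_BITS)
    ransom = sum(1 for p in files if any(p.lower().endswith(e) for e in RANSOM_EXTENSIONS))
    return {"total": len(files), "high_entropy": high, "ransom_ext": ransom}

def detect_footprint(baseline: dict, current: dict, jump: float = 0.25) -> dict:
    """Flag `current` if its share of high-entropy files rose by more than
    `jump` versus `baseline`, or if any watch-listed extension is present."""
    b, c = snapshot_stats(baseline), snapshot_stats(current)
    b_share = b["high_entropy"] / b["total"] if b["total"] else 0.0
    c_share = c["high_entropy"] / c["total"] if c["total"] else 0.0
    suspicious = (c_share - b_share) > jump or c["ransom_ext"] > 0
    return {"suspicious": suspicious,
            "entropy_share_delta": round(c_share - b_share, 3),
            "ransom_ext_files": c["ransom_ext"]}

# Constructed sample recovery points (not real backup data).
BASELINE = {
    "docs/invoice.docx": b"Invoice 2017-09 total due 1250 GBP. " * 20,
    "docs/notes.txt": b"meeting notes: patch servers, verify backups\n" * 20,
    "docs/report.xlsx": b"Q3 figures " * 50,
}
ENCRYPTED = bytes(range(256)) * 4   # uniform bytes: exactly 8.0 bits/byte
CURRENT = {
    "docs/invoice.docx.ykcol": ENCRYPTED,
    "docs/notes.txt.ykcol": ENCRYPTED,
    "docs/report.xlsx.ykcol": ENCRYPTED,
}

if __name__ == "__main__":
    print(detect_footprint(BASELINE, BASELINE))  # clean point, not flagged
    print(detect_footprint(BASELINE, CURRENT))   # flagged on both signals
```

In a real deployment the baseline would be the previous recovery point and the scan would sample files rather than read every byte; a flagged point should be excluded as a restore target and the earlier clean point used instead.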

To learn more about what you can do to avoid losing your data, check out our brochure: Business Continuity.


New Locky Variant Strikes Again

Locky is notorious for its effectiveness and profitability. In the last two years, Locky has extorted almost $7.8 million from victims, according to a recent study by Google.