NotPetya Ransomware Attack Spread Rapidly Across World

A new worldwide ransomware attack has hit hard just a little over a month after the WannaCry attack. The attack appeared to start in Ukraine and then spread across Europe, but in the past 24 hours it has made its way to the US, taking down systems at the US pharmaceutical company Merck & Co.

Worldwide advertising agency WPP, Dutch shipping company AP Moller-Maersk, Russia’s main oil producer Rosneft, a Cadbury Chocolate factory, and the Ukrainian National Bank are just a handful of the notable companies affected by the new attack.

Victims of the ransomware are being asked to pay $300 in Bitcoin cryptocurrency to unlock their systems.

The Petya Ransomware Variant

Unlike other ransomware families, which encrypt specific files, the Petya variant of ransomware does not attack individual files. Instead, Petya encrypts the master file table (MFT) and renders the computer’s master boot record (MBR) inoperable. In plain English, Petya seizes the record of where on the physical hard drive the operating system is located and then denies access to it. The MBR is then replaced with a ransom note that displays a message stating:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service”.

NotPetya Is Fooling Anti-Virus and Infecting Patched Systems

The new variant of Petya, called Petwrap, is particularly nasty: it has fooled many anti-virus tools and has successfully infected systems that were already patched against the EternalBlue vulnerability that allowed WannaCry to spread so rapidly.

If for some reason a business has not applied the critical Windows SMB patches for EternalBlue (MS17-010), it needs to disable the SMBv1 protocol now rather than later to prevent infection.

System admins are also encouraged to disable WMIC (Windows Management Instrumentation Command-line), which is being used to spread the infection across patched systems.

Security researchers have discovered a vaccine of sorts: creating a particular file on a system, one that the ransomware checks for before encryption takes place, can prevent that system from being infected. Detailed instructions can be found at BleepingComputer.
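The SMBv1 step above, as an added PowerShell example that is not from the original article: it audits whether SMBv1 is still enabled (both the SMB server setting and the SMB1Protocol optional feature) and disables both when run with -Remediate. It assumes Windows 8.1/Server 2012 R2 or later and an elevated session.

```powershell
# Added example (not from the original article): audit and, on request,
# disable SMBv1 on a Windows host, per the article's mitigation advice.
# Assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare and DISM
# cmdlets used below are available) and an elevated PowerShell session.
# Run without -Remediate first to see the current state only.
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-Smb1State {
    # Server side: the SMB server's own SMB1 switch (takes effect immediately).
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    # Feature side: the SMB1Protocol optional component (client and server binaries).
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [pscustomobject]@{
        ServerEnableSMB1 = $server
        FeatureState     = $feature   # 'Enabled', 'Disabled', 'DisabledWithPayloadRemoved', ...
    }
}

$before = Get-Smb1State
Write-Host "SMB1 server setting: $($before.ServerEnableSMB1); SMB1Protocol feature: $($before.FeatureState)"

if ($before.ServerEnableSMB1 -eq $false -and $before.FeatureState -ne 'Enabled') {
    Write-Host "SMBv1 is already disabled on this host."
    return
}

if (-not $Remediate) {
    Write-Warning "SMBv1 is still enabled. Re-run with -Remediate to disable it."
    return
}

# Turn off SMB1 on the server side now; no reboot is needed for this setting.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMB1Protocol feature (client and server); a reboot is normally required.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

$after = Get-Smb1State
Write-Host "After: SMB1 server setting: $($after.ServerEnableSMB1); feature: $($after.FeatureState)"
Write-Host "Reboot to finish removing the SMB1Protocol feature, and confirm the MS17-010 update is installed (Get-HotFix)."
```

Disabling SMBv1 is a mitigation for the lateral-movement path, not a substitute for installing MS17-010; apply both.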

Victims May Have Nowhere To Turn

After demanding the ransom, the hackers told victims to send an email to a Posteo email account with the infection ID and the victim’s Bitcoin wallet hash. Posteo quickly shut down the email account, stating that “We do not tolerate any misuse of our platform: The intermittent blocking of abused mailboxes is a normal procedure of providers in such cases.” This has left victims with no way to contact the hackers behind the attack should they decide to pay.

Additionally, as researchers continued to look into NotPetya, they discovered that it was not true ransomware but what is known as wiper malware. Ransomware’s intent is to make money, whereas wiper malware seeks to create havoc by destroying systems. Victims of NotPetya not only had nowhere to turn to make ransom payments, they also would not have been able to recover their files even if they had been provided a decryption key.

Massive Ransomware Attack Makes the World Wanna Cry


The massive ransomware attack on 100 countries worldwide left the world reeling from the scale of the cyber-attack and pretty much every cyber-security expert saying “told you so”. With a record 126,000 infections, the perpetrators behind the attack reportedly made $26,000 in a 24-hour period.

So how did the hackers manage to infect so many computers all at once? The self-propagating malware used a tool called EternalBlue that exploited a vulnerability in Microsoft operating systems; the tool allegedly was created by the NSA, stolen by TheShadowBrokers, and released to the public in April. Microsoft released a patch for the vulnerability in March, but many older systems still in use today remained vulnerable, and many organizations do not enable the automated updates that would have protected them from this attack. Once a computer on a network was infected, the worm continued spreading through the network from vulnerable computer to vulnerable computer, which could account for how quickly the malware spread.

The attack was inadvertently halted on Friday by a security researcher who goes by the name MalwareTech. While analyzing the code, MalwareTech identified an unregistered domain name being referenced and, as part of his research into the behavior of the malware, registered the domain. This action appeared to act as a kill-switch for the ransomware, at least temporarily. After directing the domain’s traffic to a server, the server immediately started seeing 5,000-7,000 hits per second. Unfortunately, there are already new variations of the malware that do not look for the unregistered domain name, so it is vitally important that organizations patch their systems sooner rather than later.

How can you protect against ransomware? This question is asked all the time, and there are some simple things that both individuals and organizations can do to prevent a ransomware attack. First, and one of the easiest things to do, is to keep your firewalls, operating systems, and anti-virus up to date. Whenever possible, enable automatic updates, because the window between a vulnerability being discovered by hackers and the time you patch is your exposure to being breached or attacked (and one of the core reasons why Axiom developed its SecureAmerica Automated Threat Defense Platform!).

And of course, be wary of unsolicited emails that contain links and attachments. Hackers are getting more clever and finding devious ways to hide their ransomware infections, such as embedding files within files to infect businesses. All it takes is one click of a link or the opening of a file for you to lose access to your vital data.

Physical Repercussions of a Ransomware Attack


Ransomware is a threat that has been growing steadily for the past two decades, evolving from a mail scam conducted from a P.O. box in Panama to an advanced cyber threat that is so common, it has become a major concern for individuals, governments, and businesses across every sector around the globe.

The number of ransomware attacks quadrupled from 2015 to 2016, and researchers believe that this number will double during 2017. In addition to the threat itself growing daily, the way in which ransomware affects its victims has evolved as well; whereas it used to be that the only consequences of an attack were online, there are now real-life, physical threats as a result of ransomware; there are two recent instances that are of considerable note.

Austrian Hotel Key Lock System

In early January of this year, the four-star Austrian hotel Romantik Seehotel Jägerwirt was hit by a ransomware attack that infected the hotel’s computer managing multiple systems, including its reservation system, cash desk system, and, most notably, the electronic key locking system.

The potential danger from hijacking this major system is guest safety: guests’ keys were not functional, meaning that they could potentially have been locked in or out of their rooms. Thankfully, fire code regulations globally mandate that electronic key locks open manually from the inside, so this threat was never realized. However, the hotel was unable to issue new room keys after the cyber attack, forcing incoming guests to relocate to another hotel. This instance has been eye-opening for the hotel’s owner, who has since decided to switch back to ‘classic locks’ from the complex, modern ‘smart locks.’ Though this will not prevent further attacks, it will prevent the key card issuance problem from happening again in the future.

Whereas this particular attack primarily impacted the business’s operations, an even more recent attack on the U.S. capital had potentially deadly consequences for the public.

Washington, D.C. Security Cameras

One week before the 2017 Presidential Inauguration of the 45th President of the United States, Donald Trump, there was a ransomware attack on 66% of Washington, D.C.’s security surveillance cameras. Though the Metropolitan Police Department never saw any indication of a serious threat to the public, there was much concern over the attack. The infection lasted three days, keeping police from retrieving any surveillance footage during that time. This means that any activity that took place over this span could not be reviewed if a security threat was suspected. With events such as the Inauguration and the Marches for multiple causes in the days following, any actor with malicious intentions could have hidden something or done something that would have caused harm to those millions of people. National or global events often draw much attention, including from cyber crime and terrorism; a tech-savvy attacker could have hijacked the specific cameras that he or she did in order to make it easier for an attack to take place. Not only this, but general public safety, regardless of upcoming events, was put in jeopardy by such a significant number of security cameras being out of working order.

This cyber threat was advanced not only in that it could have had dangerous physical repercussions, but also in that it followed the modern trend of using IoT devices to deliver an attack. In the past few months, hackers have used Internet-connected devices such as digital cameras and DVR players to carry out DDoS attacks, and they have evidently evolved to use them in ransomware attacks as well.

Protect against these real world threats

Though thankfully neither of these two cases suffered the dangerous, real-life outcomes they could have, a lack of cyber defenses left people at serious digital and physical risk. Because of this, precautions must be taken to protect against similar attacks in the future, which may have different and deadly outcomes.

  • Educate employees– Computers involved in ransomware attacks are usually infected because employees click on malicious phishing emails from hackers. Though neither organization in the cases above has determined exactly how its systems were infected, 91% of cyber attacks are initiated by a phishing email. Teach employees how to recognize these emails in order to prevent ransomware from entering your company in this way.
  • Have a recovery plan– The biggest issue for the Austrian hotel was that they had no clue what they would do if something like what occurred with their electronic key lock system happened. Having a backup plan is one of the key aspects of cybersecurity, as it is almost impossible to avoid every single threat that is out there. The phrase ‘expect the unexpected’ comes to mind in this case, where companies need a way to continue their major operations, even in the event of something like an unexpected cyber attack.
  • Secure your IoT devices– Cameras in Washington, D.C. were not properly secured from attack, similar to the way digital cameras and DVR players were left unsecured and then consequently used in recent DDoS attacks. Prevent your smart devices from getting infected by ransomware by turning off remote access to devices when not in use, changing device default usernames/passwords, and keeping an updated system.

Hailey R. Carlson | Axiom Cyber Solutions | 02/06/2017

“Name Brand” Malware: Malware Variants You Should Know


Malware, short for ‘malicious software,’ is a type of software meant to harm computers and computer networks. We hear about different types of malware, such as botnet malware and ransomware, and different variants of those types of malware as well; but do we know enough about those malware currently threatening us? Here, we take an in-depth look at three of the most talked about malware of 2016.

Mirai Botnet Malware

Mirai is the Japanese word for ‘the future’, fitting in that this is one of the most advanced types of malware yet. This malware, created in August 2016, turns any Internet of Things (IoT) device running Linux into a remotely controlled bot, an application that performs automated tasks (such as setting an alarm) and that can be combined with other bots and used as part of a botnet in large-scale network attacks. Though these devices are meant to make our lives easier, they are often not properly secured and can consequently be used in malicious attacks. The most notable use of Mirai botnet malware in an attack happened in October of this year in a Distributed Denial of Service (DDoS) attack against the domain name service (DNS) provider Dyn.

Dyn, the DNS provider for major websites including Twitter, Netflix, Reddit, and Spotify, was hit by one of the largest DDoS attacks to date, an attack fueled by Mirai-infected IoT devices including Internet-enabled DVRs, surveillance cameras, and other Internet-enabled devices. Because of all of the popular websites it affected, this Mirai botnet attack is considered the attack that ‘shook the Internet.’

Mirai easily infects its victims because IoT devices are some of the least protected things out there. The only way to combat this malware right now is to secure your IoT devices in the various ways described below.

Locky Ransomware

Scanning the news online with just the search term ‘ransomware’ delivers a whole host of recent ransomware variants that are threatening our files. One of the variants most common among these search results is ‘Locky’ ransomware. This strain is so named because it renames all of your important files so that they have the extension .locky.

The most common way that Locky infects your computer is via email. The victim receives an email containing an attached document (Troj/DocDl-BCF) that is an illegible mess of odd symbols. The document then advises you to enable macros if the ‘encoding is incorrect.’ Because the message in the document is indiscernible to the reader, he or she will likely enable these macros, resulting in infection. If the macros are enabled, the text encoding is not actually corrected; instead, code inside the document runs, saves a file to disk, and executes it. The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks. That payload could be anything, but in this case it is usually the Locky ransomware (Troj/Ransom-CGW); Locky then scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Once a computer has been infected with Locky ransomware, the victim’s desktop wallpaper is changed to display the ransom payment instructions. These instructions lead the victim to the dark web, where they can pay the ransom. Unfortunately, there is not much that can be done other than paying this ransom, which is why it is important to take preventative measures, such as those listed at the end of this article.

Popcorn Time Ransomware

Of all of the current, popular malware out there, the ransomware variant ‘Popcorn Time’ is among the newest and most evil of them all. This form of ransomware is named after, but not related to, the torrenting site of the same name, and it is believed that this malware was created by a team of computer science students from Syria.

This variant takes its cue from movies like The Box and the Saw series in that it forces its victims to make a detrimental choice: infection of their own files, or their friends’. Once hit with the cyber-attack, the victim has seven days to decide whether he or she will pay the 1 bitcoin ransom, equivalent to about $780 currently, or pass it along to two ‘friends’ instead. If the victim decides to give up his or her comrades’ information, the malware is allegedly deleted from the initial computer entirely and moves on to ask for payment from its new victims. Once the ransom has been paid by either the initial or the secondary victim(s), they receive a decryption code; the victim has four tries to type in the code before all of his or her computer files are deleted.

This ‘pass the buck’ payment method is what makes this malware variant so unique. It prompts victims with a moral question that might turn up surprising results when their backs are against the wall.

How to Avoid These Major Malware Threats

  • Avoid suspicious downloads– Malware infects computers primarily through the user clicking on a malicious link in an email or via a suspicious download. If you do not know the validity of a link, you should not click on it. This is a simple step that can go a long way when it comes to protecting your files.
  • Back up your files– If you are unfortunate enough to be the victim of a malicious ransomware attack, you can avoid paying the criminals if all of your data is backed up to an external hard drive or some other source. The FBI advises victims of this crime not to pay the ransom, so as to discourage the hackers from doing the same thing again; it instead recommends that victims of the cyber-crime report the incident to the agency so that it can hopefully track down these people.
  • Secure your IoT devices– When it comes to Mirai botnet malware in particular, it is important to secure your Internet-connected devices. Many of these devices come with a default password, which you should change in order to make it harder for cyber-criminals to get to your data. Also, whenever possible, turn off remote access to your IoT devices. Leaving a device active while not in use leaves it extremely vulnerable to use in an attack similar to the one against Dyn DNS.
  • Don’t enable macros in documents received via email– Microsoft itself turned off auto-execution of macros by default many years ago as a security measure. Many malware infections rely on persuading you to turn macros back on, so avoid them by leaving macros disabled.
  • Keep your anti-virus & anti-malware updated– While backing up your data and avoiding sneaky sites or links is effective, preventing malware from getting onto your computer in the first place is a key preventative measure. Keeping your computer’s anti-virus and anti-malware up to date is something simple you can do to protect against malware, and most products even allow you to set automatic updates, so you rarely need to think about it at all.

Hailey R. Carlson | Axiom Cyber Solutions | 12/14/2016

All Aboard the Ransomware Express


Ransomware

Ransomware, an attack that has been around in some form or another since 1989, is one of the biggest cyber-crimes of 2016. Instances of this attack have quadrupled in number during 2016 from the same period last year, and while some are hopeful that these rates will decrease in the coming year, ransomware has expanded its grasp to reach almost every industry out there. Its latest target? Transportation networks. More precisely, San Francisco’s Municipal Transportation Agency.

The San Francisco Fiasco

San Francisco’s Municipal Transportation Agency (SFMTA) was hit last Saturday with ransomware. The attack actually began the night prior, as SFMTA reported that agents’ computer screens displayed the message “You Hacked, ALL Data Encrypted.” These broken-English displays and emails, received from a Yandex address (a Russian email provider), led the agency to believe this attack was carried out by foreign hackers; however, they are not certain about that at this time. Whoever these hackers might have been, they requested payment of 100 bitcoin, equal to approximately $70,000, as ransom for the safe return of the encrypted files. However, the transportation agency took the FBI’s recent advice to those hit with ransomware and did not pay. Paul Rose, an SFMTA spokesman, said, “We never considered paying the ransom. We have an IT team on staff who can fully restore all systems.”


Rose also stated that, after investigating further, it has been determined that the hackers did not steal any financial records or other potentially damaging information about customers or employees. This was extremely lucky for the transit system, as ransomware is often used to steal highly sensitive data from its victims. While there were disruptions to system operations, in an attempt to avoid mass chaos SFMTA decided to run its buses and light rail vehicles regardless, an added gift to riders of the ‘Muni Metro’ light rail as their fares were waived during this time. These free rides are, thankfully, the only major cost to the transit agency from this attack, and as of Monday SFMTA was still trying to determine the magnitude of this financial damage.

Though San Francisco’s Municipal Transportation Agency was rather lucky despite having been hit by ransomware, this attack should be a wake-up call for all transportation networks to amplify their cybersecurity measures.

Transportation Network Vulnerability

While San Francisco was fortunate in that this attack did not result in any disruption of its services, other transportation networks have not been so lucky. In 2008, a Polish hacker succeeded in derailing four vehicles after hacking into his local town’s transit system, injuring a dozen people, though thankfully killing no one. While not many cases of cyber-attack exist within the transportation world yet, the transportation industry is highly susceptible to attack, as is clear below in PhishMe’s 2016 Phishing Susceptibility and Resiliency report.

While cybersecurity can be an intimidating hurdle for any industry, it is especially important for companies like railways, whose entire operations would be derailed without technology, to be strong in this area. As is true of every sector, there is no silver bullet for cybersecurity; multiple steps need to be taken in order to be resilient against attack. By taking these simple steps, among others, transportation networks can stand strong against cyber-criminals.

  • Educate employees– Computers were infected in the San Francisco ransomware attack because employees clicked on malicious emails from hackers. Had the internal IT team, which was able to recover the files on its own, focused more of its efforts on preventative measures, such as educating the Agency’s employees on what factors indicate a phishing email, it would not have had to worry about the recovery aspect of this cyber crime at all. The attack may even have been avoided.
  • Have a recovery plan– Though all companies want to prevent an attack, having a backup plan is key in those cases where the cyber-crooks get through the cracks. As with overall cybersecurity, there is no one solution that will work every time for every company, but by anticipating potential threats and developing a customized response plan for each, companies can be prepared on the back end to recover data and get back to regular business operations as quickly and smoothly as possible.
  • Install and/or update hardware & software– You can never be too protected against attack, and it is important to protect your computers and their networks in as many ways as possible. By keeping software such as anti-virus up to date, as well as installing firewalls with next-generation software, you can further protect both your employee and customer information.

By combining multiple, simple steps, cybersecurity becomes less threatening and much more manageable for companies across all industries. Implementing these tips as well as others and learning from similar networks’ security errors will result in transportation networks decreasing their vulnerability against attacks, such as ransomware.

Hailey R. Carlson | Axiom Cyber Solutions | 12/02/2016


The FBI’s New Stance on Ransomware


Ransomware is a type of malicious software designed to block access to a computer system until a sum of money, or ransom, is paid. Though now primarily known by this definition as a cybercrime, ransomware has been around since before the internet gained its popularity. The first instance of the threat, in 1989, actually arrived via postal mail and was known as the AIDS Trojan. This original variant spread via floppy disks and involved sending $189 to a post office box in Panama as payment for the ransom. Since then, the threat has grown drastically with the flourishing of the internet, not only in its complexity but in its reach as well.

Ransomware has attacked millions of victims across a multitude of industries, with education, healthcare, and government among the most highly targeted sectors. Instances of the cyber-threat have increased by over 53% in the past 12 months, with projections set to rise even more significantly by the end of 2016. Not only have ransomware scam artists been able to infect millions of people’s computers and hold their files for ransom, often after encrypting them, but they have made a lot of money doing so. Last year alone, the cyber threat brought in upwards of $325 million for cybercriminals, and it appears as though their paydays are growing both in number and in the ransom amount paid. Evolving from the checks sent to that P.O. box in Panama to the difficult-to-trace bitcoin transactions so predominant in ransomware today, the threat and its many different creators are getting harder and harder to stop.

Throughout the years, there have been varying opinions on how to handle this cyber-crime. Of course you don’t want to fund cybercriminals’ vacations by paying the ransom, but you also need to regain access to the precious files that mean so much to your business. What do you do in this case? Well, the FBI has come out with a clear stance on what it thinks needs to be done in order to stop, or at least slow down, ransomware in its tracks.

Contrary to its opinion last year, when it encouraged companies to just pay the ransom in order to regain access to important files encrypted by ransomware variants including Cryptolocker, Cryptowall, and other malware, the FBI now says that you should not pay the ransom and should report any instance of the cybercrime to the Bureau directly. This change of heart was not made lightly. The FBI’s goal in all of this is to be able to better assess the magnitude of the threat that ransomware poses. In a public service announcement on September 15th, 2016, the FBI explains why it is asking for ransomware victims’ help:

“Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.”

While reporting an incident will help the FBI keep track of the number of ransomware attacks out there, the Bureau is looking for some specific data that will be of extreme help in finding these ransomware scam artists. Here are the specifics the FBI is looking for:

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount, if paid)
  9. Victim Impact Statement

While the FBI is eager to receive all of these reports in an attempt to stop the cyber-crime, in its September 15th PSA the FBI also stresses the importance of strong cyber-defenses in order to avoid the threat in the first place. A few common key elements of this security include the installation of a secure firewall and regularly backing up data. If you find that you are the victim of ransomware, please contact the FBI immediately and provide them with as much of the information above as possible. If you would like to prepare your defenses against such an attack, please contact Axiom Cyber Solutions to learn more about how to get and stay protected. Our patented ransomware algorithm and team of managed cybersecurity experts will make sure you and your business are taken care of.

Hailey Carlson | Axiom Cyber Solutions | 9/30/2016

The Anatomy of a Ransomware Attack


“Ransomware attacks are increasing dramatically.” As threats from cyber-criminals become part of the reality of doing business, that statement is becoming all too familiar and personal for small businesses. By the end of this year, it is projected that ransomware attacks alone will net cyber-criminals more than $1 billion, made possible in part because small businesses are easy targets and have little option other than to pay ransoms or risk closing their doors.

So you probably know that a “ransomware attack” is used to extort money from you by literally holding your data and computer systems hostage. But what does this attack look like, and what can you do to defend your business from it?

First, let’s take a look at how a ransomware attack progresses:

1) Though ransomware attacks can be initiated by visiting an infected website, most businesses will find that attacks are launched on them through an increase in emails that contain attachments. The messages usually evoke a sense of urgency to open the attachment (such as an unpaid invoice, a “Final Notice,” or a package delivery notification). The file may appear to be just a Word document or PDF file.

2) After clicking on the attachment, the user is prompted to “enable content” or possibly decompress a zip file. Once that prompt is clicked, the malware is activated and released into your system.

3) Depending on the file type, an icon may appear on your desktop, but only briefly before disappearing. It is at this point that the malware contacts a computer system outside of your network for an encryption key to use on your computer system.

4) Once that key is communicated back, the ransomware begins encrypting your files and programs. Since encryption is a time-consuming and resource-intensive process, you may notice that your computer slows down or starts acting “quirky.” However, you may not notice any outward sign of infection.

5) Depending on the amount of information being encrypted, it could take several hours for all files on your computers and attached or networked drives to be encrypted. So just because it doesn’t happen quickly doesn’t mean you have nothing to worry about.

6) While all of this is happening, you may notice that you are still able to access some files while others are not accessible. File names will change. You may receive messages that the “file is corrupt” or has an “unknown extension.” Ultimately, files you had been able to access become inaccessible. Depending on the attack, entire programs may become unusable.

7) Finally, the background on your screen will change and a message will display explaining that your files have been encrypted, along with a demand that you pay within a set amount of time or else your data will be lost. These demands are usually for payment in the form of Bitcoin (which is a process in and of itself that most Americans are not familiar with).

8) Once the ransom is paid, the victim is supposed to receive an alpha-numeric key for decrypting the files. However, because these hackers are criminals, there is no real guarantee that a key will be sent, or if one is, that they won’t simply attack again later. It isn’t unusual for a victim to be repeatedly attacked once they have proven they are an easy target and willing to pay.

So what is a business supposed to do to avoid these attacks? If you look at the points above, you will see where the different points of failure exist. Here’s what you can do about them:

  1. Be sure your employees understand the threats posed and tactics used by these criminals. Reinforce the need to be cautious when clicking on attachments in emails from people from whom they are not expecting anything. Help them recognize that emails that use urgency as a tactic to get them to open attachments are suspect. Attachments that require an additional step of “unzipping” or “enabling content” need to be scrutinized carefully before doing so.
  2. It’s crucial to invest in the right kind of security solutions, like a robust next-generation firewall, so that ransomware doesn’t infiltrate systems to begin with and cause irreparable damage. If you are using an older firewall or one that isn’t updated daily, you are leaving yourself open to attacks. Also, be sure you are using powerful and updated virus and malware scanning software.
  3. Always, always, always keep your operating systems and software updated with the most recent patches and hotfixes.
  4. Have a good backup strategy, which includes monitoring your backup status and testing your restore process to ensure that restored files are usable. A backup process without testing may not be worth much.
  5. Take this threat seriously! It’s real and it’s growing.

If you have been a victim of a ransomware attack, Axiom Cyber Solutions may be able to help. Give us a call at 800-519-5070, or drop me an email (without any attachments – we won’t open them) at info@axiomcyber.com.

Ransomware is the biggest emerging cyber threat for 2016. Get protected now before it’s too late.

Ransomware has become a household word recently. With the attacks on American healthcare facilities, large school districts and America’s core businesses, we have all unfortunately learned that ransomware is dangerous and lucrative to the criminals. These hackers are gaining millions of dollars every month from locking up unsuspecting victims’ files.

Just today, in a group that I am a member of on LinkedIn, there was a post looking for help after files had been encrypted. Once the files are encrypted IT IS TOO LATE. Even the FBI has said that the SHA-256 encryption is too good to crack and that you should pay to get your files back.

Businesses must act BEFORE an infection. This is a definite case of “preparation is key”. I talk to more than 3 businesses each week that have been affected. None of them believed they were a target for hackers. They all say the same thing: “I didn’t think this could happen to me.” Most are small business owners who generally have a false sense of security or have taken the “head in the sand” approach.

There are three key things you can do to protect yourself from Ransomware. I recommend you act today to implement these three key strategies.

  1. Backups. This is kryptonite to the ransomware epidemic. If a business has up to date backups of their data, there is no need to pay to get it unlocked. A simple restore from the latest backup will have your files back in working condition in no time. The drawback is: When was your last backup? Is it an hour, a day or longer? You can only recover to the latest backup so make sure you are running them on a schedule that makes sense for your business model. You must also ensure that the ransomware is completely removed from enterprise systems and every endpoint. Just like a virus, it spreads polymorphically (changing and evolving) across the network infecting as many machines as it can. You have to have a removal strategy once infected. This includes segmenting affected computers, running in-depth malware, virus and rootkit scans to ensure the infection won’t come back.
  2. Antivirus. You must have up to date antivirus running on every endpoint in the enterprise. From the point of sale system to back of house, every PC, Mac, server, and storage device must be running up-to-date antivirus. It is a good idea to have an antivirus monitor that tells you when machines are out of date or are not updating appropriately. There are some inexpensive antivirus monitoring tools out there that allow you to inventory your devices and also alert you to antivirus status. The drawback to antivirus protection against ransomware is that hackers are changing their algorithms every day to get around antivirus. Antivirus is signature based and it compares each file with known malware, viruses and ransomware. If you are unlucky enough to get a new variant, such as Locky, that is polymorphic or that is not known to your antivirus client, it still gets through. Due to the millions of infections each month, it is safe to say that not all antivirus is keeping up. With that being said, having up to date antivirus across the enterprise is one of the cornerstones of a solid cybersecurity strategy.
  3. Firewall Protection. Firewalls are much different from antivirus because they inspect all traffic coming into the business. Depending on the firewall brand, such as Axiom, the firewall will have deep packet inspection and some other key features that will scan packets for threats. One thing we have found at Axiom is the specific protocol-level communication that happens when ransomware is activated on your network. Ransomware must obtain a private key to complete the encryption process. Without the private key, ransomware simply doesn’t work. We have been able to identify that exact communication and we block it at the firewall. By doing egress monitoring (which is doing deep packet inspection on traffic leaving the business) we can empirically stop ransomware from encrypting your files.

All of Axiom’s firewalls do egress monitoring, deep packet inspection, SSL DPI, and many other enterprise features. Our business model allows us to send out a fully configured firewall for your business. It is plug and play to install, such as plugging in a wireless router. We then manage it, monitor it and keep you up to date every single day with the new emerging threat definitions. There is no upfront cost for the device, just a monthly subscription for the monitoring and updating. You can save thousands over the cost of other firewalls, installation, configuration and maintenance from our competitors.

Most small businesses can’t afford a full-time IT staff, much less a cybersecurity expert on staff to keep the business protected. Call us today for a free consultation that is specific to your business. Our cybersecurity experts research the latest emerging threats and we update our firewalls each day to keep our clients on the cutting edge of protection. Our firewalls are unique in that they don’t have to be restarted to be updated. Our firewalls are one of a small group of security appliances that inspect traffic in both directions, going into and leaving the business.

Call us today for your free consultation.
1-800-519-5070 | www.axiomcyber.com

Ransomware – The Cyber Bully on the Block

While ransomware is the new buzzword in cybersecurity, would you believe that ransomware has been in existence since the 1980s? The first known ransomware occurred when a man named Dr. Popp sent Trojan-infected diskettes to attendees of the World Health Organization conference and demanded that a payment of $189 be sent to a PO Box in Panama. Of course, Dr. Popp was caught and brought to trial, later being declared unfit to stand trial due to the cardboard box he wore to protect himself from radiation.

Ransomware became more mainstream through the years as cyber-criminals realized that it’s easy to monetize and spread ransomware by sending infected email attachments that would encrypt the victims’ files. But it wasn’t until Q1 of 2015 that cyber-criminals went really big, more than quadrupling the amount of ransomware from the previous quarter in 2014. 2016 has been declared the Year of Ransomware by numerous security vendors and, as we near the end of Q1 2016, there are no signs that cyber-criminals are going to slow down the attacks.

Nowadays, it’s hard to read the news without seeing a story about businesses, schools, or hospitals being hit with ransomware. One of the more notable recent stories is Hollywood Presbyterian Medical Center, which had to pay $17,000 in ransom in February 2016 to regain access to their computer systems. But just earlier this week, another three hospitals were hit in a new string of ransomware attacks that thankfully did not disrupt the operations of those hospitals, most likely due to a good backup strategy.

But for organizations that don’t have good backups, once ransomware is activated even the FBI does not have much hope that the encryption can be cracked.

“The ransomware is that good…

To be honest, we often advise people to just pay the ransom.”

Joseph Bonavolonta

Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, Boston office

While it has been recommended that the payment of ransomware should be illegal, that does not offer much help to businesses that are suffering downtime due to a successful attack. Even the FBI does not explicitly tell companies what they should do but rather tells them what options are available and lets the individual businesses decide what is the best way to proceed. So if a business is ransomed, what are the options?

  • Restore a backup of the computer or server – Perfect solution if you actively backup but statistically, only 25% of organizations/people actually do
  • Pay the ransom – Not ideal because it funds cyber-criminals
  • Start over from scratch – Go Gone with the Wind, say “Frankly My Dear…” and start rebuilding your computer/server which is time-consuming and you won’t have any historical data

But before it gets to that point of doom and gloom for the business, there are certain things that a business can do to minimize the risk and/or impact of ransomware. And it’s always better to be safe than sorry!

Tips on how to protect your business from ransomware

  • Educate your employees on how to deal with suspicious emails and procedures for opening email attachments
  • Don’t open unsolicited emails, don’t click on the links, and don’t open the attachments
  • Don’t enable macros on attachments received by email or downloaded
  • Use anti-virus & malware protection – and keep them up-to-date!
  • Keep your operating systems and browsers up-to-date
  • Use a pop-up blocker
  • Download only from trusted websites
  • Click the Window Close Button – don’t click the big, convenient close button in the pop-up window
  • Get Firewall Protection

How Can We Help?

If you’ve been the victim of a ransomware attack, Axiom Cyber Solutions is here to help. Call us at 1-800-519-5070 for expert advice and assistance.

Axiom Cyber Solutions is offering a Managed Firewall, Cyber-Security Protection for Small Business starting as low as $199 per month. Our firewalls contain proprietary ransomware protection to stop ransomware from activating on your network. Call us for more information. #FightBackWithAxiom

Owning a Computer Means You’re at Risk for Ransomware

On February 8th, 2016, Horry County Public School District, located in South Carolina, realized they had fallen victim to ransomware. Over 100 of their servers and systems were shut down to keep the ransomware virus from spreading. The hackers demanded that Horry County Public Schools pay them approximately $8,500, otherwise the school district would lose their data forever.

What is ransomware? If you are unfamiliar with this term, now is the time to become familiar with it. Ransomware is a form of computer virus that discreetly corrupts files, and, as the name indicates, demands that a target pay for those files to be restored. Ransomware can have different disguises but the two main types of ransomware are locker ransomware (computer locker) and crypto ransomware (data locker).

Locker ransomware denies access to the computer or device. Crypto ransomware prevents access to files or data and does not necessarily have to use encryption to stop users from accessing their data, although the majority of it does. Ransomware is a 445 billion dollar industry and cyber criminals have no plans to stop anytime soon.

The only way the Horry County School District could recover their data was to pay the ransom so they could receive the encryption keys to unlock their data. However, the hackers requested that the ransom be paid in Bitcoin (BTC). BTC is a decentralized peer-to-peer payment network that is powered by its users with no middlemen. It is very much like cash for the Internet. Since Horry County Schools were not at all familiar with BTC, they reached out to Troy Wilkinson, current CEO and Co-Founder of Axiom Cyber Solutions, for help. Troy stated that,

“Unfortunately, ransomware is only becoming more and more of a problem. These cyber criminals are banking on the fact that most people do not back up their data and are willing to pay dearly for that data back. We at Axiom feel so strongly about ransomware that we currently have patent pending prevention. Our technology empirically detects and stops ransomware once it’s activated on a network.”

Axiom Cyber Solutions was able to get the 22 BTC (approx $8,500) and paid the hackers. Horry County School Systems have had all their data restored and things are back to normal. Unfortunately, all organizations such as schools, universities, hospitals, and more will continue to be hit with ransomware. Even the FBI is encouraging people to pay up, if they want their data back.

Recently, during the 2015 Boston Cyber Security Summit, Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the Boston office stated,

“The easiest thing may be to just pay the ransom. The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

Simply having antivirus protection does not stop ransomware. The FBI recommends the following tips to help avoid ransomware.

1. Make sure you have updated antivirus software on your computer.
2. Enable automated patches for your operating system and web browser.
3. Have strong passwords, and don’t use the same passwords for everything.
4. Use a pop-up blocker.
5. Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
6. Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.
7. Use the same precautions on your mobile phone as you would on your computer when using the Internet.
8. To prevent the loss of essential files due to a ransomware infection, it’s recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.

Axiom Cyber Solutions offers the Axiom Sentinel, an enterprise firewall and security appliance, to help with ransomware by making sure that criminals have no way to call home. Sentinel makes malware and ransomware communication out of your network impossible, rendering these applications ineffective and unable to encrypt your data. We have identified key transactions in the TCP/IP stack that must occur when ransomware is executed. This allows us to block ransomware communication in real time.

Ransomware infections will continue to rise and will evolve with new social and technological attack vectors. It’s important for any organization or individual with sensitive data to exercise caution and deploy best practices in securing your network.

Axiom’s solutions come in different sizes, and all of our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call at (800) 519-5070. #FightBackWithAxiom