Tag Archives: Ransomware

Adobe Releases Flash Security Update Due To New Exploit

Yesterday Adobe released an emergency security update for Flash Player that they had previously announced earlier this week. This update was released ahead of the next Update Tuesday since the Magnitude Exploit kit(defined) is exploiting a zero-day vulnerability (defined) in order to infect devices/systems with ransomware (defined) specifically the Cerber and Locky variants.

The update address 24 critical security vulnerabilities (more formally known as CVEs (defined) one of which (as mentioned above) is currently being exploited and has been since at least the 31st of March according to the security firm Proofpoint.

=======================
Update: 13th April 2016:

Microsoft issued their security update for Windows 8.1 (Internet Explorer) and Windows 10 users (Microsoft Edge and Internet Explorer, respectively). Further details are available in their security bulletin.

Thank you.
=======================

(Please see update above): At the time of writing Microsoft had not yet made available the relevant updates for Microsoft Edge or Internet Explorer. They now do so by releasing a separate security bulletin. The full list of security bulletins is available from this page. Google reacted quickly releasing version 49.0.2623.112 of Chrome which includes the updated Flash Player v21.0.0.213.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). As explained by Sophos the automatic updater of Flash Player updates systems in phases in order to avoid too much congestion on Adobe’s servers.

As always I would recommend that if you have Flash Player installed to install the necessary update as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Blog Post Shout Out: Further Tips To Prevent Ransomware

With growing numbers of organizations, companies and individuals being affected by ransomware we need to take precautions before we are affected so that if the worse should happen we can recover.

For the second time this month I wish to provide a respectful shout-out to the following blog post that provides further tips on preventing ransomware that were not present in previous posts.

For example, using the principle of least privilege (not using a privileged user account on your device when you don’t have to e.g. for everyday general use), security awareness (being aware/having knowledge of current computer security trends and knowing what to avoid/which warning signs to look out for) as well as a new security feature developed by Microsoft for Office 2016 in an effort to prevent the spread of ransomware. I hope that you will find the post linked to below useful:

8 tips for preventing ransomware by John Zorabedian (Sophos Security)

Further practical advice on preventing ransomware is provided in a previous blog post.

Thank you.

First Apple Mac Ransomware Poses Serious Risk

The prevalence of ransomware continues to increase this time affecting Apple Mac OS X devices. Earlier this month users of the Trasnmission BitTorrent client (specifically the version for Mac OS X) were at risk of having their data stolen since the downloadable version of the client had extra code added to it by attackers seeking to obtain a ransom to recover your data after stealing it from you.

Why Should This Issue Be Considered Important?
If you had downloaded and installed version 2.90 of the Transmission app after 3 days, it would have encrypted your personal data and demanded 1 bitcoin (approx. USD $400) in order to retrieve it. This would have not only been a huge inconvenience but also could possibly lead to you being unable to carry out routine tasks or your job if you are small business owner using your personal Mac system for business.

The fact that the malicious code included with the hijacked Transmission app would have encrypted your data only after 3 days since you installed it would have made narrowing down the source of the malware infection much more difficult.

An analysis of the malware by Palo Alto showed that malware had partial support for encrypting the data stored within Apple’s Time Machine backup software which if it had been operational would have caused far more data loss.

As discussed below, while this particular malware infection has now been resolved by the combined efforts of Apple, Transmission, Palo Alto and other security companies; the ramifications for future malware to be made available using similar techniques to steal data will be present from now on.

How Can I Protect Myself from This Issue?
As per Transmission’s recommendation, if you use their BitTorrent client on your Mac OS X system, please update it to version 2.92 or later. If you have anti-malware/anti-virus software installed, please run a full system scan and remove any traces of the malware that may be present. Alternatively, easy to follow manual instructions to remove the malware are provided here.

As mentioned in previous ransomware blog posts, please back up your critical data and ensure to have at least one full copy that is not connected to your computer. This will ensure that it is not available to the ransomware for it to be encrypted too. Recommendations for using Apple’s Time Machine backup software are provided here.

Separately Apple revoked the fake app development certificate (when Palo Alto Networks informed them of it’s misuse) that allowed the malware to bypass it’s Apple’s Gatekeeper security feature. They also updated their XProtect malware protection software to detect and remove the malware.

Meanwhile Transmission updated their software to version 2.92 to remove the malware from the app and to remove any existing malware traces that may have been present on a Mac system after installing version 2.90. All of the mentioned companies/teams should be applauded for their thorough and swift response to this threat.

Thank you.

=======================
Further References:
ComputerWorld: First Mac ransomware had sights on encrypting backups, too
The Safe Mac: First Mac ransomware spotted

Blog Post Shout Out March 2016

With the growing prevalence of ransomware; it’s prudent to take steps to avoid becoming infected with this malware and losing your data as well as being able to recover quickly without paying the ransom.

For these reasons I wanted to provide a respectful shout-out to the following blog posts that provide practical advice to businesses and consumers/personal users on how to protect yourself from ransomware and the “Locky” variant of ransomware:

The Simple Way to Stop your Business from Being Extorted by Ransomware by Graham Cluley (writing for Bitdefender)

“Locky” ransomware – what you need to know by Paul Ducklin (Sophos Security)

Update: 12th March 2016:
Got ransomware? What are your options? by Paul Ducklin (Sophos Security)

Massive Volume of Ransomware by Rodel Mendrez (SpiderLabs) : Details how to defend against the Locky ransomware being spread using JavaScript within spam messages.

Further information/discussion on ransomware is provided in a previous blog post. I hope that you find the above posts useful. Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) attack that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the login page of WordPress which could have been used to cause a redirect for a user trying to login.

Due to the severity of these issues, WordPress is advising it’s users to update immediately.

Separately a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites that results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight since it makes uses of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code using VirusTotal.com

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list including further details of this threat is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover; a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post as they describe how the exploits have switched from the Nuclear exploit kit (defined) the to the Angler exploit kit.

As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover; specific information on Adobe updates is available here with Microsoft updates discussed here.

Thank you.

JavaScript Ransomware Poses Increased Risk of Data Loss

On January the 1st this year, security software vendor Emsisoft presented an analysis of a new variant of ransomware (defined in a previous post of mine) that demonstrates a concerning evolution in this type of malware. This type of ransomware is available for purchase by those with malicious intent following the growing popularity of the Software as a Service (SaaS)(defined) model.

Why Should I Be Concerned About This Malware?
This new variant is written in JavaScript (defined) but uses the NW.js framework to allow JavaScript apps to be installed and run (execute/carry out their purpose) just like traditional desktop applications (that you use every day) on your computer. This flexibility is also what makes this malware of particular concern since the NW.js framework is a portable framework it has the potential to enable this malware to spread to Linux and Apple OS X computers (however as noted by Emsisoft so far no such malware has been seen “in the wild” (namely being present on computing devices used by the general public in their professional and personal lives)).

Initially the number of anti-malware signatures for this variant was very low (3) but has since increased significantly to 32 (out of a possible 57) anti-malware vendors on the Virustotal website (at the time of writing).

Moreover, this malware arrives within spam email which begins the download of the complete malware package. Once the malware has encrypted your files you will be unable to retrieve them since the encryption is well-implemented (i.e. has no implementation flaws). Recovering the files from a backup is the best option. Paying the ransom doesn’t necessarily mean you will be able to retrieve your files.

How Can I Protect Myself From This Malware?
The advice within my previous posts on ransomware still applies. Emsisoft again emphasized the importance of backing up your files to avoid the loss of your data from these kind of infections. Their advice of how to access/use your backup after it’s been created may also be of assistance to you.

I hope that you find the above information useful in preventing infection from this malware and/or recovering from an infection.

Thank you.

Preventing A CryptoWall v4 Ransomware Infection

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it

Thank you.

=======================
Original Post:
=======================
Early last week the technical support website BleepingComputer announced the discovery of a new version of the well-known CryptoWall ransomware.

Why Should I Be Concerned About This Malware?
As was previously mentioned in my post concerning ransomware, such malware infections encrypt your important files usually making them irretrievable. However, this new version of ransomware also encrypts the files names of the files that it encrypts making it hard to tell just what files you have lost since the names are now replaced with random characters. This also means that you will be unable to carry out a forensic data recovery of the encrypted files.

This means that you will be unable to recover any files that have been encrypted unless the ransom is paid (which I do not recommend doing, for the reasons given in my previous ransomware blog post). Some strains of ransomware had implementation in their encryption methods. This version of CrypytoWall doesn’t.

How Can I Protect Myself From This Malware?
As well as following the advice in my previous post on ransomware to prevent an infection, for this version of CryptoWall the most important action that I would recommend taking is a full backup of your most critical data (business and/or personal) and at least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.

Moreover, be very cautious of any attachment received within an email from people you know or from a company (well known or otherwise) stating that they have a delivery confirmation, a business document or an invoice for you to view. This malware can be installed when such documents are viewed. Furthermore ransomware infections can originate from phishing (defined) emails.

Finally, this thread on the BleepingComputer website can be used to discuss this infection or to receive support if you have been affected by it.

Thank you.