Hackers Change Tactics with the Kirk Ransomware

Ransomware
11
Jul 2017

ransom-noteRansomware is regularly in the news, so we’re beginning to understand it more. However, a new form of ransomware is now changing the landscape.

Bitcoin has always been the preferred payment method for releasing encrypted files following an attack, but the newly detected Kirk ransomware is not interested in Bitcoin payments. Instead, it’s demanding its ransom through the relatively new cryptocurrency known as Monero.

Now, ransomware is a troublesome piece of malware at the best of times, so if the hackers behind these attacks are changing tactics then it’s important to be aware of what’s happening. And that’s why I’ve decided to take a closer look at the Kirk ransomware to help eliminate any confusion.

Understanding Kirk

18kwxnye6wxtljpg

Kirk ransomware is a piece of malicious code which appears to be going about its business in the normal manner. Researchers believe that its preferred method of attack is to impersonate the network stress tool Low Orbital Ion Cannon (LOIC). Once the ransomware has been activated, Kirk gets to work by encrypting the user’s files – it’s currently believed that it targets a total of 625 different file types.

The target is unaware of what’s happening as all that happens is that a message box pops up which mimics the LOIC company slogan of “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0”. Meanwhile, the files are being encrypted as the victim carries on with their daily activities. However, a ransom note is soon deposited into the same folder as the ransomware; this note is then displayed in a window for the victim to learn that a number of their files have been encrypted with the .kirk filename.

The only way to decrypt the files is by paying the ransom payment to the hackers. This, it is hoped, will facilitate the purchase of the Spock decryptor – note the Star Trek reference – but researchers are yet to get their hands on this decryptor to evaluate its validity as a solution. Now, the interesting thing about Kirk is that it demands its payment in Monero which is causing a whole host of new problems.

Bitcoin is a notoriously difficult currency to lay your hands on, you can’t just go down to the bank and expect the teller to exchange your dollars for Bitcoins. Instead, you need special merchants to trade your dollars and this isn’t particularly cheap or easy. However, where Kirk differs is that it’s requesting payment from an even more obscure monetary source, so this has the potential to leave victims completely baffled.

Combatting Kirk

whatisransom

At present, the Kirk ransomware hasn’t been cracked and there is no known rescue for encrypted files aside from making the payment. Therefore, it’s crucial that you take the following steps to avoid falling victim to the Kirk ransomware:

  • Don’t activate untrusted macros that are embedded in Microsoft Office documents as this is how ransomware is usually activated.
  • The only way to truly know if an Office document is genuine is by opening it but, to minimize the risk, try installing a Microsoft Office viewer as this will allow you to view it without macros.
  • Provide annual training to your employees on malware and the many forms it can take. It’s a lack of knowledge which leads to people activating ransomware.
  • Maintain regular backups of your files as this gives you some breathing space (and saves you the cost of a ransom) if your files do become encrypted.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

6 Tips to Protect Yourself From Ransomware

Security,
30
Aug 2016

ransomware-expert-tips-featured Ransomware is a fairly new security risk, but one which is on the rise and it’s vital that you know how to protect your data from ransomware attacks.

I’ve covered ransomware attacks on this blog on a number of occasions and detailed the damage it can do to businesses. It’s a particularly nasty evolution for hacking and one which often leaves you no option but to pay the ransom to decrypt your data.

Obviously, no business wants to find itself in the position where it has to give in to the hackers’ demands, so prevention is the key. And to help you get your defenses more secure, I’m going to share 6 tips to protect yourself from ransomware.

Backup Your Data

backup_banner_resized

If your data becomes the victim of a ransomware attack then it may seem as though you have no option but to pay the attackers to release your data. However, the simplest way to reduce the damage in this instance is to ensure that your most crucial data is backed up offline. This can be as simple as backing up data to portable storage devices.

Create Strong Passwords

To cut hackers off early on in their ransomware attacks, it’s crucial that you ensure your systems are protected by strong passwords. Whilst you might think that no one is going to predict that you’ve used your mother’s maiden name, it’s relatively easy to hack this through brute force. To make this harder, you should add numbers and symbols to prevent the password being cracked.

Identify Suspicious Email Attachments

Shackleton-Phishing

The most common route for ransomware to infiltrate your systems is through seemingly harmless email attachments. And it’s important that your staff know what makes for a suspicious attachment.

In particular, emails which contain attachments from senders you don’t recognize should always be double checked. However, you need to be aware that people in your contacts list could be hacked and then used to distribute the ransomware, so vigilance is always important.

Disable Macros

Many ransomware attacks involve Microsoft Office documents which are loaded with malicious macros which allow backdoor access into networks. Thankfully, Office documents will always give you the option to enable or disable macros; if you suspect that anything about the Office document doesn’t seem right then disable the macros or, more simply, just close the document.

Install Patches ASAP!

Ransomware loves finding vulnerabilities in software and this underlines the importance of installing updates released by software publishers. It may seem a little time consuming – particularly when you need to shut down your system – but it’s essential that you install all patches immediately to provide you with maximum protection.

Shut Down Your Network

Once a piece of ransomware has breached part of your network it can spread very quickly. Therefore, the best course of action may be to simply disconnect your network. This may cause a huge disturbance to your businesses activities, but it may be less painful than compromising your data. With the spread halted, you can then investigate your options for decrypting any affected data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Ransomware Locky Holds Your Data Hostage

Security,
05
Apr 2016

Computer virus.

Reports of a rise in ransomware trojans have seen further evidence in the form of ‘Locky’ which encrypts user data and demands payment to decrypt it.

Gathering data content, be it blog articles or customer databases, is a time consuming affair, so there’s a real sense of relief when it’s finally collated and finished. However, can you imagine how frustrating it would be to have this data suddenly encrypted by a third party? And how annoyed would you be if this third party then started demanding payment to release it?

You’d be VERY frustrated and VERY annoyed!

Locky – which is being distributed by infected MS Word files – is causing all manner of trouble to businesses at present, so it’s time you learned a little more about it to avoid getting a ransom note demanding $10,000!

What is Locky?

Ransomware does exactly what is says on the tin, it’s software which demands a ransom. Locky is a relatively new form of ransomware which, when activated, converts a long list of file extensions to a seemingly locked extension type named .locky e.g. a .jpeg extension will be converted to a .locky extension.

The problem is that the only way you can decrypt these .locky files is by purchasing a ‘decryption key’ online from the perpetrators. Now, you may be thinking that an online payment surely leaves a trail to the cyber criminals behind the ransom. Unfortunately, these hackers only accept payment through bitcoin – an untraceable online currency.

Ransoms as high as $17,000 are reported to have been paid to restore access to data, so it’s crucial you know what the warning signs of Locky are.

How Do You Get Infected By Locky?

virus-infected-word-file

Hackers are taking advantage of the ubiquity of Microsoft Office in our working lives to target victims with Locky. Emails are sent containing an MS Word attachment titled “Troj/DocDL-BCF” and the chaos it releases unfolds thusly:

  • Users open the file to discover it’s full of nonsensical text and symbols
  • A prompt encourages users to enable macros if “data encoding is incorrect” which, when presented with garbled text and symbols, would seem the right thing to do
  • If macros are enabled then this runs software which saves a file to the hard drive and then executes it
  • This file then downloads a final piece of software – Locky
  • Once Locky is downloaded to the system it starts scrambling files to the .locky extension
  • Locky then changes your desktop wallpaper to one of a ransom note detailing how to pay the decryption ransom

How to Protect Yourself From Locky

 virus-protection-services-melbourne-transit-data-about-us

Naturally, the best way to avoid getting infected with ransomware like Locky is to avoid all dubious email attachments.  However, there are a couple of other tips to help protect yourself:

  • Try installing Microsoft Office viewers which allow users to view documents without actually opening them in Office applications and prevents viruses from executing
  • Always install the latest updates for Microsoft Office to ensure any back doors are patched to keep your system protected

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Are Apple Computers Immune to Viruses?

Security, ,
29
Mar 2016

fva-630-skull-and-crossbones-computer-virus-hacking-credit-shutterstock-630w Compared to Windows PCs, Apple’s Mac computers have always been relatively virus free. However, a recent security attack has proved this is no longer true.

March 2016 saw a significant attack on Mac users which involved hijacking the Transmission BitTorrent app in order to deliver ransomware to its victims. It sounds like your stereotypical Windows attack, but why is it now happening to Macs? After all, the general consensus has been that they’re immune from viruses.

Seeing as Macs are very important to a huge number of businesses, I’m going to investigate this latest attack to analyze how it occurred and what it means for Mac users.

The Nature of the Mac Ransomware

computer-viruses

The unknown attackers used ransomware in their attack against Apple users and it’s a type of cyber-attack which is becoming increasingly popular. In this instance, the hackers were able to gain access to users’ systems through the Transmission BitTorrent app. This allowed the hackers to download malicious software onto the Macs. This software literally held the Mac users to ransom by encrypting their files and demanding $400 to release them.

How Did Apple’s Guard Drop?

For a very long time, Apple users were confident that Macs were safe from cyber-attacks. And for a long time this was generally true. This, however, wasn’t down to cutting edge security technology.

The truth is that hackers didn’t have much interest in targeting an Apple Mac. The reason for this is that Apple has a much smaller share of the market than Windows PCs. Why would a hacker want to spend their time writing software which could only target a small number of users?

This fact perhaps led to a sense of complacency on Apple’s part, so they weren’t expecting vulnerabilities in their operating system to be exploited so easily. Unfortunately, Apple’s Gatekeeper security software has, itself, been shown to contain numerous back doors through which hackers can cause chaos.

One of the main routes into Apple’s system is by tricking it to accept pre-approved developer certificates which have been faked. This allows users to download software which isn’t produced by who it says it is and, therefore, can’t be trusted. And this is exactly what happened with the Transmission BitTorrent app.

The Future for Apple Security

mac-shield

This recent attack is not the first security scandal to hit Apple. In 2014, there were around  10,000  – 70,000 attacks on Mac computers per month, but this rose dramatically in 2015 and is set to multiply significantly in 2016.

These figures are very startling for Apple, so it’s crucial that they take a look at Microsoft’s approach to internet security. Due to their dominance of the computer market, Microsoft has had to ensure their PCs are resistant to attacks. Steps taken have included:

  • Working with hackers to understand how they have attacked Windows
  • Offering cash rewards to anyone who finds new security flaws in Windows

It’s essential that Apple take a long hard look at their Gatekeeper software and evaluate how it can be improved. If they don’t they stand to alienate their customers if ransomware attacks continue.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Latest Ransom Malware: TeslaCrypt

Security,
10
Jul 2015

teslacrypt1-680x400

A newly discovered ransomware called Teslacrypt is on the loose encrypting victim’s media files. Learn what it is and how to protect against it.

TeslaCrypt will lock up to 185 types of files comprising of data related to the most popular PC games played online. For instance, Assassin’s Creed, BioShock, Call of Duty, Diablo, World of Warcraft and many others are examples of games that have been affected.

The ransom

Once the files have been encrypted, the victims are prompted to pay either $1,000 through PayPal My Cash cards or $500 in Bitcoin to acquire the private encryption key to unlock their files. Criminals will prefer Bitcoin as the preferred method of payment to make them harder to track down. They’ll also use a scarcity tactic by giving those affected three days to pay the ransom.

Risk and vulnerability

According to Vadim Kotov from security firm Bromium, the vulnerability for this attack exists within Opera and Internet Explorer web browsers that visit compromised sites such as WordPress based websites. However it was Fabian Wosar from Emsisoft, an Austrian based security firm, who had discovered TeslaCrypt.

Reports show that a malicious video using Adobe Flash would play on the compromised website, which then redirects the user to a number of dodgy sites until it finally lands into its intended destination- a bundle of malware. This bundle is considered to be an exploit kit, dubbed “Angler”.

Angler plays a part towards helping computers become infected with TeslaCrypt Angler’s mission is to launch a relentless number of attacks whilst the user browses through the malicious sites with the hopes of one of them leading to its goal- to infect the system.

Once Angler gets onto a system it’ll check for two things:

  • One is to verify whether the machine is a physical or a virtual one. Virtual machines are likely to be used by security firms.
  • The second check detects the type of antivirus programs running alongside with the web browser.

adobe flash player hacked

After verifying the two checks, Angler executes attacks based on a recent Adobe Flash vulnerability (that has a patch available since last January) and a slightly older Internet Explorer exploit (security patch released in 2013).  Angler preys on those who do not regularly update and patch their software, therefore it’s crucial to stay on top of updates and patch management.

What files are affected

Teslacrypt will sweep through 185 types of computer files to encrypt them.  Files aren’t only limited to gaming files, it’ll also encrypt all iTunes music in .m4a format, as well as images, video, compressed files and office documents. Once those file are encrypted, they’ll change to  a “.ecc” file extension.

To make things worse for unsuspecting victims, TeslaCrypt then wipes out all of the Windows restore points from the target PC to prevent restoring the files that had just been encrypted from an earlier point in time.

The three most realistic options for victims are:

  • Pay the ransom, although file recovery is not guaranteed
  • Run a full scan with your antivirus to remove it and then restore the locked files from a protected backup drive.
  • A system reformat may be your only choice, counting your losses.

TeslaCrypt can also reach your PC through infected file attachments or a link sent through email. This includes the possibility of unsolicited private messages reaching users from social platforms such as gaming sites, which once executed, can also unravel the attack.

.update

How to stay protected from TeslaCrypt

Zero day vulnerabilities are an ongoing cat and mouse game making it important to have security measures in place. Unaffected backups, staying up to date, and running Anti-Malware can really help save the day with ransomware such as TeslaCrypt.

For more ways to protect your business systems, contact your local IT professionals.

Read More
1 6 7 8 9