Malware Called Phorpiex Delivers Ransomware With Old School Tactics

If you’re involved with internet security on any level, then you’re probably already familiar with the name Phorpiex. The malicious botnet has been around for years, and the people who control it have taken steps to keep it relevant.

Its operators keep finding new ways to deliver ransomware and other threats, and sometimes they do so by moving in the other direction and going decidedly old school. Recently, this has included worm-like functionality that copies the bot to removable and network drives so it can spread far and wide on its own.

Of note, Phorpiex itself came under attack in 2020, when an unknown party hijacked its back-end infrastructure and began pushing an uninstall command to the infected machines, removing the modules that let the botnet spam out copies of its malicious payload.

According to the security firm Check Point, one of the more common payloads associated with Phorpiex is the Avaddon ransomware. Avaddon is widely used because it is sold as “ransomware as a service”: its developers rent it out to other criminals, which lets it reach a far wider range of targets than one crew could hit alone.

As Check Point analysts note:

“Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams.”

In recent months, the botnet has found its way onto Microsoft’s radar. Its controllers have tweaked it so that it modifies Windows registry keys in order to disable antivirus and firewall popups and override browser settings, which makes it more difficult to detect and stop.

Enterprise customers can blunt these shenanigans by enforcing Tamper Protection through Microsoft Defender for Endpoint or Intune, which blocks changes to Defender settings made through the registry, PowerShell or WMI. Home users are not out of luck either: Tamper Protection is also a switch in the Windows Security app (Virus & threat protection > Manage settings) and is on by default on current Windows 10 and 11 builds, so the practical check is whether it is still on.
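The following is an added example, not code from the article or from Microsoft, that checks a Windows machine for the kind of tampering described above: Tamper Protection and real-time protection state, the policy registry keys behind “Turn off Microsoft Defender Antivirus” and “Hide all notifications”, and whether each firewall profile is still enabled and still notifying. It uses only cmdlets that ship with Windows 10/11 (the Defender and NetSecurity modules); which settings count as a finding is this example's own choice. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article or from Microsoft): a posture check
# for the Defender and firewall settings Phorpiex is reported to tamper with.
# Assumes Windows 10/11 with the built-in Defender and NetSecurity modules and an
# elevated session. The two registry paths are the policy keys behind
# "Turn off Microsoft Defender Antivirus" and "Hide all notifications".

function Test-DefenseTampering {
    $findings = @()

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Tamper Protection is what stops registry/WMI edits from silencing Defender.
    if (-not $status.IsTamperProtected) {
        $findings += 'Tamper Protection is OFF (Windows Security > Virus & threat protection > Manage settings, or enforce via Intune/MDE)'
    }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if ($prefs.DisableBehaviorMonitoring)        { $findings += 'Behavior monitoring is disabled' }
    if ($prefs.DisableIOAVProtection)            { $findings += 'Scanning of downloaded files and attachments is disabled' }

    # Policy keys commonly set by malware to disable Defender and hide its notifications.
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                               Name = 'DisableAntiSpyware';   Label = 'Defender disabled by policy' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications'; Label = 'Windows Security notifications hidden by policy' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            $findings += "$($c.Label) ($($c.Path)\$($c.Name) = 1)"
        }
    }

    # Each firewall profile should be on and still pop a notification when a new
    # program starts listening; Phorpiex turns that notification off.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')        { $findings += "Firewall profile '$($p.Name)' is disabled" }
        if ($p.NotifyOnListen -ne 'True') { $findings += "Firewall profile '$($p.Name)' has NotifyOnListen off" }
    }

    return ,$findings
}

$findings = Test-DefenseTampering
if ($findings.Count -eq 0) {
    'No tampering indicators found.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
```

Note that this only reports; with Tamper Protection on, the fix for the Defender settings is made through Windows Security or your management tool rather than with Set-MpPreference, and a machine that shows several of these findings at once should be treated as suspect rather than simply reconfigured.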

Based on Check Point’s statistics, Phorpiex is currently the most widely seen botnet in existence, a position it inherited after law enforcement defanged the dreaded Emotet botnet earlier this year, and researchers have tracked its activity across more than 160 countries, giving it a truly global reach. Stay alert for this one. It’s a legitimate threat that can hit you no matter where you are, or where you do business.

Hackers Seeking Big Ransomware Payday By Attacking Acer Computers

Taiwanese tech giant Acer is the latest company to fall victim to relentless hackers, in this case the REvil ransomware group. What makes the Acer breach especially noteworthy is that the attackers are demanding a fifty-million-dollar ransom, the highest figure any group has demanded to date. The only thing that comes close was another REvil attack, against the Hong Kong retailer Dairy Farm Group, where the hackers demanded a hefty thirty million dollars.

As is increasingly common in these attacks, the group made off with a wide range of sensitive company data before encrypting the company’s files. As proof, they published a small fraction of it on their leak site and threatened to release the rest if their demands aren’t met. Based on the sample, the stolen material includes financial spreadsheets, bank balance information and assorted banking communications.

Beyond the sheer size of the ransom, another point of interest is that the group appears to have exploited the recently reported Microsoft Exchange Server vulnerabilities (the ProxyLogon bugs patched in March 2021) to breach Acer’s defenses. If that proves to be the case, it would be the first time one of the “big game-hunting” ransomware groups has used those flaws for initial access, and it is one more reason to make sure every on-premises Exchange server you run has the March updates installed and has been checked for web shells left behind before patching.

Acer’s formal response to the incident, which is still under investigation, reads as follows:

“Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.

We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.”

Dark days for Acer, and it should put everyone in the IT field on notice. No one is safe.

New Ryuk Ransomware Function Spreads Across Networks Quickly

In terms of ransoms paid, Ryuk is the most successful strain of ransomware in use today, having netted an estimated $150 million for the group behind the malicious code.

According to a recent report published by ANSSI, France’s national cybersecurity agency, it just got even more dangerous.

Ryuk has historically been aimed preferentially at hospitals and companies closely tied to the healthcare industry, which is especially dangerous during the ongoing pandemic. With its newly discovered capabilities, hospitals around the world are in even more danger.

ANSSI’s analysts discovered a new module added to the core code. It gives the malware worm-like capabilities: the new variant reportedly enumerates other hosts on the local network, copies itself to the machines it can reach and launches the copy remotely through a scheduled task, so it no longer depends on an operator to move from machine to machine. That lets the latest version of Ryuk spread like wildfire across any network it can infect at a single point, making it very hard to contain once it gains a foothold.

If there’s a silver lining, it lies in the fact that hospitals have gotten significantly better at ensuring their backups are robust and taken at regular intervals. Even so, if a hospital network gets shut down because most of the computers on it have their files encrypted, it can put lives at risk in a way that a manufacturing plant or companies in the financial sector simply don’t. That makes the risks, and the stakes, even higher.

Ryuk is usually hand-delivered: the typical chain starts with a phishing email that installs a loader such as Emotet, TrickBot or BazarLoader, and the operators then move through the network before deploying the ransomware, with exposed remote-access services and unpatched vulnerabilities as the other common way in. That is a silver lining of sorts, because those entry points are things IT managers can control. The lesson here is simple: if you stay current on patches and security updates, restrict remote access and train users to spot phishing, you’re less likely to fall victim to a Ryuk attack. It’s not perfect protection, obviously, but anything that’s easy and inexpensive to do that reduces your risk is well worth doing. The question then, is simply this: is your network running all the latest security patches? If you’re not sure, make finding out a priority.

New Ransomware Strains Have Researchers On Their Toes

Recently, researchers have discovered two new ransomware strains, dubbed “AlumniLocker” and “Humble”, both of which have very different ways of doing what they do.

This highlights the ongoing development and diversification of the larger ransomware threat and underscores the fact that it will be a major cause for concern in the years ahead.

Both new strains were discovered by researchers at Trend Micro. AlumniLocker appears to be a new variant of the Thanos ransomware. Although new to the game, it is notable for its exorbitant ransom demands, as high as roughly $450,000, payable in Bitcoin, in one recent case.

AlumniLocker

This one is delivered by fairly conventional means: a malicious PDF that purports to be an invoice, sent via phishing emails in the hope of luring unsuspecting victims into opening the file. As is increasingly the case in the world of ransomware attacks, AlumniLocker’s controllers threaten to publish stolen data if their demands are not met within 48 hours of the attack.

There are two competing theories about the high ransom demands: One is that the group behind the new strain isn’t in it for the money as much as they are the damage that publication of the data may cause. If they get a payout, great. If it proves too high, causing some companies to balk, then they get to inflict pain in the form of publication of sensitive and proprietary data.

Another theory is that the group is just starting out and still finding their footing. As such, they haven’t yet found the “sweet spot.” A payment demand low enough to be readily accepted by a desperate company but high enough to earn them consistent, easy profits.

Humble

This one is quite different. Although it is distributed in much the same way, its ransom demands are quite low; stunningly low in fact, in some cases as little as $10, again payable in Bitcoin. This has led researchers to conclude that Humble is meant to target end users rather than large organizations, or, if the hackers shift gears and begin targeting organizations, we should expect to see the amount of the ransom increase quite a bit.

Another feature that makes Humble stand out is that it pressures victims into paying by threatening to overwrite the machine’s Master Boot Record, rendering it entirely unbootable. Also of interest, it uses a Discord webhook (Discord is a voice, text and video chat service) to send reports back to its controllers, which is a reminder that outbound traffic to popular consumer services is worth watching on corporate networks.

If you have yet to encounter either of these new threats, stay tuned. It’s probably just a matter of time, so stay on your guard.

New Exchange Online Feature Helps Prevent Phishing And Ransomware

Microsoft has been busy of late, making a raft of improvements to their email system that are designed to enhance user security.

Not long ago, they added a fantastically useful feature called ‘Plus Addressing’ which allows Office 365 users to make use of an unlimited number of disposable recipient email addresses and track email sources.

Now, the Redmond giant is upping the ante further, with an “External” email tag coming soon to your cloud-based email inbox.

Once the feature becomes available, Exchange admins will have a new tool in their arsenal to provide better protection from phishing and malicious emails that rely on unsuspecting users opening attachments from senders outside the company. Any email received from an external source will be automatically tagged in the inbox list view. Additionally, in some Outlook clients, a “mail tip” will appear at the top of the reading pane, along with the sender’s email address. Note that the tag only says the sender is outside your tenant: mail sent from a compromised internal account, or from a partner you have allow-listed, will not carry it, so it complements rather than replaces SPF, DKIM and DMARC enforcement.

Note that this change will not show up for absolutely everyone. It will only be visible to users who make use of Outlook on the web, the new Outlook for Mac, and Outlook Mobile (for both iOS and Android users).

When the new feature is ready to use, it will roll out to all Office 365 environments with the external tag set to ‘off’ by default. If you want to enable it, you’ll need Exchange Online PowerShell and the “Get-ExternalInOutlook” and “Set-ExternalInOutlook” cmdlets; the latter also takes an allow list of domains and addresses that should not be tagged.

If you enable the feature, then within 24 to 48 hours your users will start seeing the tag on all emails received from outside your organization.
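The steps above, as an added example that is not part of the original article or of Microsoft’s documentation: connecting to Exchange Online, checking the current state, enabling the tag with a small allow list, and verifying. The admin account and the allow-list entries are placeholders.

```powershell
# Added example (not from the original article or from Microsoft docs): enabling
# the External sender tag for a tenant. Requires the ExchangeOnlineManagement
# module and an Exchange administrator account; admin@contoso.example and the
# allow-list entries below are placeholders.

Install-Module ExchangeOnlineManagement -Scope CurrentUser   # first time only
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Current state: Enabled is $false on a tenant that has not turned this on yet.
Get-ExternalInOutlook | Format-List Identity, Enabled, AllowList

# Turn it on. AllowList holds domains or full addresses whose mail should NOT be
# tagged, such as a partner you treat as internal. Keep it short: every entry is
# a sender your users will no longer be warned about, and a spoofed message
# that passes your inbound checks for that domain would also go untagged.
Set-ExternalInOutlook -Enabled $true -AllowList @('partner.example', 'noreply@trusted-vendor.example')

# Verify the change took; the tag itself shows up in supported clients within 24-48 hours.
$cfg = Get-ExternalInOutlook
if (-not $cfg.Enabled) { throw 'External tagging is still disabled' }
'Allow list now:'
$cfg.AllowList

Disconnect-ExchangeOnline -Confirm:$false
```

Re-running Get-ExternalInOutlook is the whole audit: if a later change silently turns the feature off or grows the allow list, that is where you will see it, so it is worth adding to whatever periodic tenant configuration review you already run.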

In addition to this change, the company is also working on adding SMTP MTA Strict Transport Security (MTA-STS) to Exchange Online, which lets a receiving domain publish a policy requiring TLS with a valid certificate for inbound mail, so that an attacker on the path cannot strip encryption and read or alter messages in transit. These are exceptional changes and we look forward to seeing the new tag in action. Kudos to Microsoft for continuing to enhance their ubiquitous email service.