Colorado Company Taken Down By Ransomware And What That Means for Your Business

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

According to Statista, there were 184 million ransomware attacks in 2017 and the average ransomware demand is over $1,000. Individuals, organizations, and companies have fallen victim to these attacks.

Most people recognize the fact that ransomware is a danger, but they may not realize that it can actually destroy their company.

The recent closure of Colorado Timberline after a ransomware attack is a solemn reminder of the seriousness of the dangers of ransomware.

What Happened to Colorado Timberline?
Colorado Timberline, a printing company in Denver, was forced to cease operations for an unspecified amount of time after a severe cyber attack. [Read more…]

The Ransomware Threat Is Growing – Here’s Why

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

One of the biggest problems facing businesses today is ransomware. In 2017, a ransomware attack was launched every 40 seconds and that number has grown exponentially in 2018. What are the main reasons for this type of escalation and why can’t law enforcement or IT experts stop the growing number of cyber-attacks?

Ransomware Trends
One of the reasons involves the latest trends. The art of ransomware is evolving. Hackers are finding new ways to initiate and pull off the cyber-attack successfully.

Hackers rarely get caught. So, you have a crime that pays off financially and no punishment for the crime. The methods of attack expand almost daily. Attack vectors increase with each new breach. If cyber thieves can get just one employee to click on a malicious link, they can take over and control all the data for an entire company. [Read more…]

Ransomware Vs Atlanta: How To Protect Your Systems

Chris Myers is a field service technician for Tech Experts.

On March 22, the local government in the city of Atlanta, Georgia experienced a widespread ransomware cyberattack that affected several city applications and devices.

Ransomware is a type of malware that takes over a computer and locks out the user. The attackers then make contact with the victim and request payment. If the ransom is not paid, they may publish the victim’s personal files and data or just continue to block access to them.

In Atlanta, the attackers gained access to some of the city’s applications through a network vulnerability. Once they had locked the city’s systems with a ransomware known as “SamSam,” they asked for six bitcoins to unlock everything. Six bitcoins are currently worth around $51,000 US dollars.

Atlanta chose not to pay the ransom, as there is no guarantee that they would get their files back and they didn’t want to encourage any similar attacks. Instead, Atlanta officials awarded nearly 2.7 million dollars to eight private companies in the first couple days after the start of the attack.

The FBI, Department of Homeland Security, and Secret Service have also been assisting city officials in investigating the attack.

As you can see, the consequences of a ransomware attack can be severe. Nearly a month after the breach, nearly all city functions were still being carried out with pen and paper. With that in mind, what are the best ways to prevent them from happening in the first place?

How to protect yourself against similar cyberattacks

Ransomware attacks usually infiltrate organizations through their network. Therefore, maintaining good network security practices is a must. These can include:

Using strong, unique passwords. Both individuals and companies have a tendency to use shared passwords for different programs, even Windows logins.

If someone gains illicit access to your network or a specific computer, they can’t immediately gain access to all of your program logins and computers if you use unique passwords.

Staying vigilant for phishing. Phishing is another common method of attack for gaining entry to install ransomware. 91% of phishing attacks are targeted at specific people in a company, a technique known as spear phishing.

The attacker will study an organization’s email format, then send a simple email to an employee designed to appear as if it is a common email from a co-worker.

Most of these emails will look completely normal except for the full sender email address, which is usually something odd such as “ejhjsh@jk.cn.”

In many email management applications, the full address is automatically hidden behind the given name of the sender, so staff must be trained to interact with that name to confirm the address.

Securing your network. Ensure that a monitored firewall is in place and that all Wi-Fi networks are password protected with WPA2 encryption.

A VPN, or Virtual Private Network, is also a very good thing to have, especially if you have any staff working remotely.

Keeping operating systems and firmware up-to-date. Patches for known security vulnerabilities are released quite often.

Most of these are to combat specific new threats that are being used or about to be used in the wild. Staying up-to-date with security and operating system patches shores up your defenses against many common attacks.

Windows 10 Creator’s Fall Update to Bring Hardened Ransomware Protection

jared-stemeye

Jared Stemeye is a Help Desk Technician at Tech Experts.

2017 has seen some of the most high-profile ransomware and cryptoware attacks to date. These incidents have demonstrated that these types of attacks can have catastrophic effects that reach far beyond the ransom demands paid to these attackers.

The cost of downtime and damage control multiplies quickly. Even more damaging is being impacted because critical infrastructure or health care services are unexpectedly unavailable for extended periods of time, consequently costing much more than any monetary value.

Microsoft has stated that they recognize the threat that these cybercrimes represent and have since invested significant yet simple strategies that are proving to be extremely effective as new attacks emerge. These new security features are now coming to all businesses and consumers using Windows 10 with the Creators Fall Update.

These advanced security features are focusing on three primary objectives:

  1. Protecting your Windows 10 system by strengthening both software and hardware jointly, improving hardware-based security and mitigating vulnerabilities to significantly raise the cost of an attack on Windows 10 systems. Meaning hackers will need to spend a lot of time and money to keep up with these security features.
  2. Recognizing that history has revealed vastly capable and well-funded attackers can find unexpected routes to their objectives. These latest security updates detect and help prevent against these threats with new advances in protection services like Windows Defender Antivirus and Windows Defender Advanced Threat Protection.
  3. Enabling customers and security experts to respond to threats that may have impacted them with newly updated tools like Windows Defender ATP. This will provide security operations personnel the tools to act swiftly with completeness of information to remediate an attack that may have impacted them.

Microsoft states this is a proven strategy that has remained 100% successful on Windows 10 S, the new secure version of Microsoft’s flagship operating system. Albeit, this version of the operating system does not allow any software from outside the Microsoft App Store to be installed.

Further, Microsoft states that even prior to the fall security updates rolling out, no Windows 10 customers were known to be compromised by the recent WannaCry global cyberattack. Despite this, Microsoft knows that there will always be unforeseeable exploits within their systems.

This is why the Windows 10 Creator’s Fall Update benefits from new security investments to stop malicious code via features like Kernel Control Flow Guard (kCFG) and Arbitrary Code Guard (ACG) for Microsoft Edge. These kinds of investments allow Windows 10 to mitigate potential attacks by targeting the techniques hackers use, instead of reacting to specific threats after they emerge.

Most importantly, Windows Defender security updates coming in this Fall will begin to leverage the power of the cloud and artificial intelligence built on top of the Microsoft Intelligent Security Graph (ISG) to promptly identify new threats, including ransomware, as they are first seen anywhere around the globe.

Though no exact date is set in stone, all of the amazing security updates detailed above will be available this Fall 2017 for free. For more information about the Creator’s Fall update beyond the security features, visit https://www.microsoft.com/en-us/windows/upcoming-features.

Another Major Ransomware On The Loose: Locky

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Ransomware, a virus that essentially holds a computer user’s data hostage for a monetary reward, isn’t a new threat. It is in fact, becoming more prevalent with an estimated 35% increase of attacks in the past year alone.

One of the newest forms of this virus is known as Locky, which finds its way onto unsuspecting users’ devices through vulnerabilities in the Adobe Flash Player. This ransomware was detected by Trend Micro, and the type of operating system used seems to have little effect on risk. Locky has infiltrated systems through Windows, Mac, Chrome, and Linux.

Many of the Locky attacks, however, have affected Windows 10 users who are unknowingly using outdated versions of the Adobe Flash Player. Anyone running the 20.0.0.306 or earlier versions of Flash is at risk of Locky taking over data and holding it hostage for payment.

Therefore, the simplest way for people to protect themselves from this new ransomware is to ensure they are running the most recent version of Flash.

To do this, access Flash content within your browser and right click on it. Then, choose “About Adobe Flash Player” to view which version is being used. Alternatively, users can visit the Adobe website, which can automatically detect the installed version and also offer the option to upgrade to the most current one.

Locky ransomware isn’t just spread through Adobe Flash. It also can find its way onto systems through attachments in spam emails. In this case, the emails have most frequently been distributed through the same botnet responsible for sending out the online banking malware Dridex.

While actual numbers for how many people have fallen prey to Locky infections are not public, security companies have revealed that the majority of the ransomware attacks have taken place in the United States, Japan, and France.

The amount demanded to remove Locky from affected devices is usually around $100, but security experts suggest not giving in to such demands. Instead, victims are advised to create a backup of files and seek help from your IT provider.

The best defense against such attacks, however, is in prevention. Regularly update your operating system and frequently used programs, never open suspicious emails, and only log in as an administrator on your computer system when and as long as you absolutely must to prevent hackers from intercepting your login credentials.

Ransoming Your Business One Step At A Time

When it comes to business security, today’s climate is a careful one. It seems like every week the latest and most dangerous ransomware is coming for us.

These can come through a variety of ways, like employees, clients, and websites. The most recent threat we’ve seen is called Rokku. Built upon predecessors, it’s only the next step in the fight against business security systems. Ransomware is a dangerous thing. The main concept is a mix of fear tactics and file encryption. After the system is infected, the virus will normally lay dormant for a time.

Once every file is found and changed to an encrypted state, a message will display, stating the worst.

All of your files are locked until you pay whatever sum the developers demand. Once in this state, you are generally given only a number of hours before your files and content are deleted permanently.

In this instant, many people will jump up to pay for their files in order to save further expense and headache. Unfortunately, doing so rarely helps the issue.

After the ransom is paid, you are supposedly granted access to the files and everything continues on unhindered. That said, there are many times you can send the money in and receive nothing in return.

Your files will still have their encrypted extensions (e.g. *filename*.rokku) and you will be in an even bigger hole than before. Some of the older encryptions have programs made by third parties to help those infected, but this is also often not the case.

In the Rokku scenario, there is no progress made in decryption. No patterns have been found and files are completely distorted in comparison to their original state.

As if it isn’t already enough, there is still more to worry about. Rokku as well as other ransomwares will not stop at only the infected computer. Network shares are also subject to complete encryption.

In short order, your entire network is no longer your own. With this in mind, the question is simple. What can you do?

Ransomware is definitely a problem and is not going away anytime soon.

That said, there is more progress these days than when we first started seeing it pop up on systems. Using Rokku as an example, some newer versions are built off of older attacks.

As such, they can often follow the same patterns and can be taken care of. Anti-virus and anti-malware services are also more and more proactive against these threats.

User error can, however, still cause alarm and ruin things very quickly. Rokku and many of its predecessors are sent through email attachments. Once opened, they will start to run and everything will spiral downward from there.

It is important to know and keep others informed on basic safety practices when it comes to operating computers. Keep in mind to not trust strange sites, emails, or messages that you were not expecting or do not know the sender. Also, be aware of common spam signs.

Misspellings, exaggerated results, and poor grammar are often giveaways.

If you want to review your current computer climate, we recommend giving us a call. With preventive maintenance, business class protection, corporate antivirus, and monitors running to ensure a steady flow, we can ensure the safety and reliability of any network and the important files that it may contain.

The absolute best way to avoid a disaster such as Rokku and other ransomwares is to stop it before it happens.

Ransomware Now Targeting Mac Computers

While ransomware has been around for some time, it has never appeared to pose a threat to Apple’s Mac computers. That recently changed with the first attack of its kind last month. Ransomware is a malicious software that, once downloaded, essentially locks important files on a computer and then prompts users to pay a fee to have those files unlocked. There have undoubtedly been attempts to target Mac users in this way in the past, but this incident involving KeRanger software transmitted through the peer-to-peer file sharing network BitTorrent was the first successful one.

The attack affected approximately 6500 Mac users who downloaded the malicious KeRanger software. In the scheme of things, that number is quite low. The incident, however, proves that Mac users aren’t immune to this type of threat. As John Bambeneck of Fidelis Cybersecurity notes, “It’s a small number but these things always start small and ramp up huge. There’s a lot of Mac users out there and a lot of money to be made.” In this case, Palo Alto Networks detected the ransomware quickly, which is why Apple was able to neutralize the problem.

In the future, however, ransomware attacks on Macs may become more subtle. Apple reports that it has increased its security measures and revoked the digital certificate that was responsible for launching the KeRanger software.

Don’t Pay A Ransom To Get Your Data Back

Michael Menor is Vice President of Support Services for Tech Experts.

Requesting a ransom from victims is an unfortunate trend gaining momentum in the hacking world. This is typically done using ransomware (where hackers encrypt data and request money for the key) and distributed denial of service attacks (where hackers threaten to overwhelm a system with traffic, thus knocking it offline).

In both scenarios, hackers are looking for the victim to pay up…or else. Should they?

The answer should be obvious: absolutely not.

However, when a person’s valuable data becomes encrypted or they receive a legitimate threat to take down their servers, emotions often get in the way and they’ll end up “paying the piper.” Hackers know this, which is why their ransom methods employ fear tactics.

For example, ransomware like CryptoLocker will lock the user out of their computer while the screen displays a countdown to when their data will be deleted.

With DDoS attacks, a hacker may contact the victim mid-attack and promise to cease the attack for a fee. Both of these situations play straight into a person’s irrational fear, causing them to cough up cash.

Before reaching for your credit card to pay a hacker’s demands… stop, take a deep breath, and think objectively about the situation.

What guarantee do you have that these hackers will actually make good on their promise to turn over your data or cease the attack?

This guarantee is only as good as a hacker’s word, which is pretty worthless seeing as they’re, you know, criminals. Therefore, whatever you do, DON’T GIVE MONEY TO A HACKER!

By paying hackers money, you’ll only add fuel to the fire and help fund the spread of their devious acts.

Plus, there are several reported cases where a victim pays the ransom, only to still have their data deleted or the attacks on their site continue.

What’s it to them if they go ahead and follow through with the attack? They have your money, so who cares? It’s a classic case of adding insult to injury.

Need proof? There’s a recent example of this happening to ProtonMail, a Switzerland-based email encryption service.

On November 3rd, ProtonMail was threatened with a DDoS attack by the hacking group Armada Collective.

Like many companies would do, they ignored the threat, deeming it to not be credible. Soon afterward, their servers became overloaded to the point where they had to cease operations. After paying the ransom, the hackers continued the attack.

Now, consider your own situation. How much would it cost your company if you lost revenue for a full day of work, and you still had to make payroll?

For a medium-to-large sized company, losing a full day’s work would likely come to much more than a few thousand dollars. In fact, hackers understand how downtime can be so costly, which is why they feel justified asking for such an exorbitant fee.

What are you supposed to do if you were asked to pay a ransom by a hacker? The first thing you’ll want to do is contact the IT professionals at Tech Experts. We’re able to take an assessment of the attack to determine how bad it is and restore your data to a backed up version that’s not infected with malware.

When facing a hack attack, we can present you with all the options you can take – none of which will include paying a hacker money.

Yes, You Can Still Get Infected – Even With Anti-Virus

Scott Blake is a Senior Network Engineer with Tech Experts.

With the sudden release of a new variants of malware and ransomware such as CryptoWall, users are wondering why their anti-virus programs are not blocking the ransomware infection from infecting their computer.

As with many other forms of malware, the infection needs to exist before a cure or way to detect the threat can be created. This takes time and during this period of R&D, the malware spreads like wildfire.

While there are several forms and classifications of infections, there are basically only two different methods in which infections are released into your system: User Initiated and Self Extraction.

User Initiated infections are caused by a user clicking on a link within a webpage or email or by opening infected email attachment. Once opened, the malware is released and quickly spreads throughout your system.

Because the user manually clicked on or opened the link/document, most anti-virus programs receive this as an authorized override by the user and either internally whitelists the link/document or skips the scan.

CryptoWall is spread through this method, usually contained within an infected Word, Excel or PDF document. The creators of these programs take advantage of the programming of the document to hide the infection.

With the world becoming a paperless society, we are becoming more and more accepting of receiving and opening attachments sent to us through email. It has practically become second nature to just click and open anything we receive, regardless of any warning.

Self-Extracting infections are exactly what they’re named. These infections require no outside assistance to worm their way through your system, infecting as they go.

The number one method creators of this form use to place their software on your system is through “piggy back” downloads.

Red button on a dirty old panel, selective focus - virus

Piggy back downloads occur when you authorize the download and install of one program and other programs (related or unrelated to the original program) are automatically downloaded and installed with it. The most common way is by downloading programs promising to speed up your computer.

Infections can also exist on your system and lay dormant for long periods of time, waiting for the computer to reach a certain calendar day or time. These infections are called “time bomb” infections. Just like piggy back infections, they require no outside assistance to infect your system.

They are mostly found buried in the registry of the system or deep within the system folders. Because they are not active on the time of placement, most anti-virus programs will not detect them. Active reporting through toolbars is another means of becoming infected over time.

When a user downloads and installs a toolbar for their browser, they authorize at the time of install that it is okay to install and all of its actions are safe. However, most toolbars are actively scanning, recording, and reporting back to the creator. They also act have conduits for installations of other unwanted programs behind the scene.

If left unchecked, those additional programs can become gateways for hackers to gain access to your system and spread even more infections.

To help stop the spread of malware/ransomware such as CryptoWall and its variants, we need to become more vigilant in our actions when either surfing the Internet or opening email and attachments.

The best rule of thumb to follow for email is: if you don’t know the sender, or you didn’t ask for the attachment, delete it. As for websites, read carefully before you download anything and avoid adding toolbars.

Top Signs Your Computer May be Infected

Scott Blake is a Senior Network Engineer with Tech Experts.

Ranging from minor spyware and adware to complete system lock-outs courtesy of ransomware, infections have become a standard in today’s high-speed electronic age.

Even when using the latest state of the art detection software, the most modern systems are prone to infection.

Some basic low-level forms of adware and spyware are add-ons called toolbars. A toolbar is an add-on to a web browser, putting another bar at the top of your browser window below the address bar.

They can come in several different forms and functions. Some are helpful and pose no threat to your system. Others serve as a reporting tool for the toolbar’s designer.

They can collect data on surfing habits such as websites visited and search topics used. This data is then transmitted back to the designer and sold off to advertisers who, in turn, use the information to start spamming you with their client’s websites and ads.

Building off of the spam generated from the data collected from the adware and spyware, you will start to see more and more pop-ups on webpages and possibly even on your desktop.

Sometimes, these pop-ups are harmless and very easy to remove, but more often, they are the beginning stages of an invasion of malicious programs.

The pop-ups use false and misleading information to scare the user into believing they are already infected and they need to download “their” software to clean the infections.

What ends up happening is that you think you are downloading one program to clean your system, but you are really downloading and installing additional programs in the background.

I have seen instances where one so-called program install downloaded nine additional programs in the background. None of the additional programs had anything to do with “cleaning” or “speeding” up your system. They just wreak havoc on your operating system.

Through these malicious programs, more dangerous infections can occur. High-risk level malware, trojans, and viruses become residents on your system.

From this point forward, you will start to experience extreme slowness or even a complete inability to browse the Internet. You will start to see an increase in spam email and email messages containing attachments or web links to strange web addresses.

The attachments are what you need to be very cautious about. A very high-risk level malware called Crypto is primarily transmitted through these infected attachments. Once infected, the Malware spreads though your system, encrypting all of your data.

After that, there is little hope of recovering any of your data.

Viruses, malware, trojans and malicious programs are lurking on the web at every turn.

The most important thing to remember is “knowledge is power.” Don’t fall victim to the overwhelming number of companies advertising that their products can and will clean your computer of these nasty bugs and speed up the performance of your computer at the same time.

The truth is that the vast majority of these companies will install a ton of “freeware” programs on your system that will bog down your CPU and eat up your memory resources.

Once these programs are installed, get ready for Pop-Up City. It turns into a giant game of Whack-A-Mole just trying to close all the windows and pop-ups generated by these programs.

Several of these programs will also inject a proxy server into your Internet settings. This will severely limit your Internet browsing and even redirect you to predefined webpages in an attempt to lure you into purchasing additional programs to remove the programs you already installed.

For additional information or if you think you may have a virus or spyware infection, contact Tech Experts at (734) 457-5000.