TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Ransomware

Why Is Ryuk The Most Dangerous Ransomware?

Ryuk is one of the most prevalent ransomware variants in the threat landscape, with infections doubling from the second to the third quarter in 2019.

Ransomware infections continue to increase in tandem with overall impact and monetary demands.

Furthermore, Ryuk’s ability to delete shadow copies and backups makes Ryuk extremely costly and almost impossible to remediate.

For instance, Ryuk operators demanded nearly $600,000 from one government agency after successfully encrypting nearly all files on the network.

Ryuk uses encryption to block access to a system, device, or file until a ransom is paid. It is often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after gaining access to the system through compromising Remote Desktop Services.

Once on a system, CTAs deploy Ryuk through the network using PowerShell, PsExec, or Group Policy, with aim to infect as many systems as possible. The number of infected systems depends upon how the malware is deployed as well as the CTA’s access and privileges.

This may be a local subnet, the list of computers in active directory, or the entire organization depending on the variability and process specific nature of spreading the malware.

Once the malware is pushed out to the network, it targets backups and begins the encryption process.

Researchers have observed an increase in Emotet or TrickBot infections leading to a Ryuk infection.

For example, TrickBot disabled the organization’s endpoint antivirus application and spread throughout the network, infecting hundreds of endpoints and multiple servers.

Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial and other sensitive information prior to deploying Ryuk.

Once Ryuk is deployed network-wide, the CTAs encrypted the organization’s data and backups, and left ransom notes on the machines.

Ryuk ransom notes once contained a message and a ransom amount, but have since evolved over time.

Throughout most of 2019, the ransom note did not list a ransom amount and only contained a message and email address. However, now Ryuk ransom notes are very simplistic, with no price or message, only containing an email address, the ransomware’s name, and the statement “balance of shadow universe.”

The CTAs demands payment via Bitcoin cryptocurrency and direct victims to deposit the ransom into specific Bitcoin wallets.

The ransom demand is typically between $100,000-$600,000, which as of 12/19/19 is 14-84 Bitcoins. Notably the ransom demand is determined by the organizations’ assessed ability to pay and the sensitivity of the data affected.

It is highly likely the CTAs account for characteristics like industry, solvency, subscription to cyber insurance, and network saturation when calculating ransom demands. Furthermore, the CTAs have been known to negotiate with victims and adjust the initial ransom amount.

Ryuk’s main infection method is to be dropped on a system by other malware. The file will have a five-letter random name that is usually generated by the srand1 and GetTickCount2 functions.

Persistence
Once executed, the main payload attempts to stop antivirus related processes and services. It uses a preconfigured list to kill more than 40 specific processes and 180 services with taskkill and net stop commands.

This preconfigured list includes antivirus processes, databases, backups, and document editing software. Additionally, the main payload establishes persistence in the registry and injects malicious payloads into several running processes.

To increase persistence, Ryuk makes changes to the registry allowing it to run the payload every time the user logs on.

Ryuk’s anti-recovery techniques are more extensive and sophisticated than most types of ransomware, making recovery almost impossible without restoring from clean external offline backups.

Ryuk’s process injection allows the malware to gain access to the volume shadow service and delete all shadow copies, including those used by third-party applications.

Encryption
Ryuk uses unbreakable RSA and AES encryption algorithms with three keys. The CTAs use a private global RSA key as their base encryption model. The second RSA key is delivered to the system via the main payload and is encrypted with the CTA’s private global RSA key.

Once the malware is ready for encryption, the final key is created in their three-key encryption model.

Ryuk scans the infected systems and encrypts almost every file, directory, drive, network share, and network resource.

Ryuk attempts to encrypt all mounted network drives. As long as the drives are not CD-ROM types, the files will be encrypted.

Finally, once the malware is finished with the encryption process, it will create the ransom note, “RyukReadMe.txt”, placing it in every folder on the system.

Top 5 Cybersecurity Predictions For 2019

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Cyber threats are a genuine danger for businesses, no matter their size or industry. Companies that face data breaches are likely to fail within months after the attack, according to the National Cyber Security Alliance. Security issues can ruin your reputation and cause expensive damage to your company.

In 2019, we are already predicting increased cyber crimes to steal more data and resources. The FBI reported that over $1.4 billion in losses were experienced by companies and individuals in 2017.

These expenses come from increasing security, losing information, losing physical resources, ransomware payouts, scams and more. The most significant sources of cybercrime included: [Read more…] about Top 5 Cybersecurity Predictions For 2019

Wannacry Ransomware Continues To Be A Problem For Some

It’s been almost two years since the outbreak of the Wannacry ransomware epidemic. Unfortunately, all this time later, some companies are still dealing with the fallout. According to the latest research, Wannacry is still infecting hundreds of thousands of computers around the globe.

WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017. After infecting Windows computers, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization connected to the North Korean government.

As grim as that sounds, it’s not all bad news. After all, the malware has been rendered harmless by the now famous “kill switch” discovered by Kryptos Logic security researcher Marcus Hutchins, who found a glaring flaw in the design of the software. The flaw allowed him to register a domain and encode it with instructions that would keep the ransomware component of Wannacry from activating and actually encrypting files.

That, however, did nothing to get rid of the malicious code infecting legions of PCs around the world. Sadly, much of the code remains in place on infected machines, silently lurking in the background. Kryptos Logic is uniquely positioned to know, since they control the kill switch domain and have continued to monitor traffic to it since building the kill switch on it. To this day, their site continues to be pinged by new IP addresses as the now toothless infection continues to spread.

It’s not hard to see why the removal of a piece of malware that has been rendered suddenly toothless takes a lower priority for busy and often harried IT security professionals. Leaving the code in place on infected machines is not without risk, however.

It is possible, however unlikely, that the hackers who built the program to begin with could find a way to get around the kill switch. If that should happen, then we’ll be facing the full fury of the epidemic all over again, something no one in the field of digital security wants to contemplate.

The bottom line is simply this: If you were impacted by Wannacry when the outbreak initially occurred, it’s worth double checking to make sure that all traces of the malicious code are gone from your network.

Crypto Blackmail: How To Protect Yourself

Frank DeLuca is a field technician for Tech Experts.

A criminal contacts you over email or snail mail and insists they have a webcam video of you watching “unsavory” videos or evidence you cheated on your wife.

To stop the release of this compromising information and to make the problem go away, the criminal asks for digital payment in Bitcoin or another form of cryptocurrency.

You should never respond or pay. All the criminals have are empty threats and they’re just trying to trick you.

What is CryptoBlack Mail?

CryptoBlackmail is any sort of threat accompanied by a demand that you pay money to a cryptocurrency address.

Just like traditional blackmail, it’s a “pay up or we’ll do something bad to you” threat. The difference is the demand for payment in online currency rather than traditional hard (and traceable) cash.

Why cryptocurrency? It’s not possible to “undo” a transaction and it’s hard for the authorities to track down the owner of a Bitcoin address.

With cryptocurrency, the money is gone as soon as you send it.

Some examples of CryptoBlackmail:
– Physical mail saying “I know you cheated on your spouse,” and demanding payment in the form of Bitcoin to a specified Bitcoin wallet.

– Emails claiming an attacker has placed malware on your computer and recorded you in a uncompromising position, along with a video feed from your webcam. The attacker also claims to have copied your contacts and threatens to send the video to them unless you pay.

– Emails including a password to one of your online accounts along with a threat and demand for payment to make the problem go away.
The attacker just found your password in one of the many leaked password databases and hasn’t compromised your computer. Keep in mind that the criminals almost certainly cannot follow through on their threat and they probably do not have the information they claim to have. It is simply a numbers game.

For example, someone may just send emails saying “I know you cheated on your spouse” to a large number of people knowing that, statistically, some of them will be tempted to act.

The important thing to note is that this not a personally targeted attack. Unfortunately, the scammers do trick some people, which then perpetuates this ongoing CryptoBlackMail scam as an easy payday for criminals with little to no work involved.

How to Protect Yourself

Ignore the scammers. Delete and forget the scam. Don’t try to negotiate or even respond with the scammer. Don’t pay a single cent.

Don’t re-use passwords. If a criminal sent you one of your passwords, it’s likely that password was from one of many leaked password databases available online.

Change your passwords. If you’re concerned a criminal might have your passwords, you should change them immediately.

Get a password manager. They can help keep track of those unique passwords. They remember passwords for you, letting you use strong, unique passwords everywhere without having to remember them all.

Disable your webcam. If you’re really worried about someone spying on you with malware on your computer, you can just disable your webcam when you aren’t using it.

The most important thing to do — aside from never paying the scammers — is to ensure you aren’t re-using passwords, especially if they’ve already been leaked. Use strong, unique passwords and you won’t have to worry about password leaks. Just change a single password whenever there’s a leak and you are done.

Colorado Company Taken Down By Ransomware And What That Means for Your Business

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
According to Statista, there were 184 million ransomware attacks in 2017 and the average ransomware demand is over $1,000. Individuals, organizations, and companies have fallen victim to these attacks.

Most people recognize the fact that ransomware is a danger, but they may not realize that it can actually destroy their company.

The recent closure of Colorado Timberline after a ransomware attack is a solemn reminder of the seriousness of the dangers of ransomware.

What Happened to Colorado Timberline?
Colorado Timberline, a printing company in Denver, was forced to cease operations for an unspecified amount of time after a severe cyber attack. [Read more…] about Colorado Company Taken Down By Ransomware And What That Means for Your Business

The Ransomware Threat Is Growing – Here’s Why

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

One of the biggest problems facing businesses today is ransomware. In 2017, a ransomware attack was launched every 40 seconds and that number has grown exponentially in 2018. What are the main reasons for this type of escalation and why can’t law enforcement or IT experts stop the growing number of cyber-attacks?

Ransomware Trends
One of the reasons involves the latest trends. The art of ransomware is evolving. Hackers are finding new ways to initiate and pull off the cyber-attack successfully.

Hackers rarely get caught. So, you have a crime that pays off financially and no punishment for the crime. The methods of attack expand almost daily. Attack vectors increase with each new breach. If cyber thieves can get just one employee to click on a malicious link, they can take over and control all the data for an entire company. [Read more…] about The Ransomware Threat Is Growing – Here’s Why

Ransomware Vs Atlanta: How To Protect Your Systems

Chris Myers is a field service technician for Tech Experts.

On March 22, the local government in the city of Atlanta, Georgia experienced a widespread ransomware cyberattack that affected several city applications and devices.

Ransomware is a type of malware that takes over a computer and locks out the user. The attackers then make contact with the victim and request payment. If the ransom is not paid, they may publish the victim’s personal files and data or just continue to block access to them.

In Atlanta, the attackers gained access to some of the city’s applications through a network vulnerability. Once they had locked the city’s systems with a ransomware known as “SamSam,” they asked for six bitcoins to unlock everything. Six bitcoins are currently worth around $51,000 US dollars.

Atlanta chose not to pay the ransom, as there is no guarantee that they would get their files back and they didn’t want to encourage any similar attacks. Instead, Atlanta officials awarded nearly 2.7 million dollars to eight private companies in the first couple days after the start of the attack.

The FBI, Department of Homeland Security, and Secret Service have also been assisting city officials in investigating the attack.

As you can see, the consequences of a ransomware attack can be severe. Nearly a month after the breach, nearly all city functions were still being carried out with pen and paper. With that in mind, what are the best ways to prevent them from happening in the first place?

How to protect yourself against similar cyberattacks

Ransomware attacks usually infiltrate organizations through their network. Therefore, maintaining good network security practices is a must. These can include:

Using strong, unique passwords. Both individuals and companies have a tendency to use shared passwords for different programs, even Windows logins.

If someone gains illicit access to your network or a specific computer, they can’t immediately gain access to all of your program logins and computers if you use unique passwords.

Staying vigilant for phishing. Phishing is another common method of attack for gaining entry to install ransomware. 91% of phishing attacks are targeted at specific people in a company, a technique known as spear phishing.

The attacker will study an organization’s email format, then send a simple email to an employee designed to appear as if it is a common email from a co-worker.

Most of these emails will look completely normal except for the full sender email address, which is usually something odd such as “ejhjsh@jk.cn.”

In many email management applications, the full address is automatically hidden behind the given name of the sender, so staff must be trained to interact with that name to confirm the address.

Securing your network. Ensure that a monitored firewall is in place and that all Wi-Fi networks are password protected with WPA2 encryption.

A VPN, or Virtual Private Network, is also a very good thing to have, especially if you have any staff working remotely.

Keeping operating systems and firmware up-to-date. Patches for known security vulnerabilities are released quite often.

Most of these are to combat specific new threats that are being used or about to be used in the wild. Staying up-to-date with security and operating system patches shores up your defenses against many common attacks.

Windows 10 Creator’s Fall Update to Bring Hardened Ransomware Protection

jared-stemeye
Jared Stemeye is a Help Desk Technician at Tech Experts.

2017 has seen some of the most high-profile ransomware and cryptoware attacks to date. These incidents have demonstrated that these types of attacks can have catastrophic effects that reach far beyond the ransom demands paid to these attackers.

The cost of downtime and damage control multiplies quickly. Even more damaging is being impacted because critical infrastructure or health care services are unexpectedly unavailable for extended periods of time, consequently costing much more than any monetary value.

Microsoft has stated that they recognize the threat that these cybercrimes represent and have since invested significant yet simple strategies that are proving to be extremely effective as new attacks emerge. These new security features are now coming to all businesses and consumers using Windows 10 with the Creators Fall Update.

These advanced security features are focusing on three primary objectives:

  1. Protecting your Windows 10 system by strengthening both software and hardware jointly, improving hardware-based security and mitigating vulnerabilities to significantly raise the cost of an attack on Windows 10 systems. Meaning hackers will need to spend a lot of time and money to keep up with these security features.
  2. Recognizing that history has revealed vastly capable and well-funded attackers can find unexpected routes to their objectives. These latest security updates detect and help prevent against these threats with new advances in protection services like Windows Defender Antivirus and Windows Defender Advanced Threat Protection.
  3. Enabling customers and security experts to respond to threats that may have impacted them with newly updated tools like Windows Defender ATP. This will provide security operations personnel the tools to act swiftly with completeness of information to remediate an attack that may have impacted them.

Microsoft states this is a proven strategy that has remained 100% successful on Windows 10 S, the new secure version of Microsoft’s flagship operating system. Albeit, this version of the operating system does not allow any software from outside the Microsoft App Store to be installed.

Further, Microsoft states that even prior to the fall security updates rolling out, no Windows 10 customers were known to be compromised by the recent WannaCry global cyberattack. Despite this, Microsoft knows that there will always be unforeseeable exploits within their systems.

This is why the Windows 10 Creator’s Fall Update benefits from new security investments to stop malicious code via features like Kernel Control Flow Guard (kCFG) and Arbitrary Code Guard (ACG) for Microsoft Edge. These kinds of investments allow Windows 10 to mitigate potential attacks by targeting the techniques hackers use, instead of reacting to specific threats after they emerge.

Most importantly, Windows Defender security updates coming in this Fall will begin to leverage the power of the cloud and artificial intelligence built on top of the Microsoft Intelligent Security Graph (ISG) to promptly identify new threats, including ransomware, as they are first seen anywhere around the globe.

Though no exact date is set in stone, all of the amazing security updates detailed above will be available this Fall 2017 for free. For more information about the Creator’s Fall update beyond the security features, visit https://www.microsoft.com/en-us/windows/upcoming-features.

Drawbacks To The “Smart” World

We have mentioned ransomware and viruses many times. It’s something that can be seen daily without much effort. Everywhere you look, a computer is hacked and held for ransom. The user ends up losing everything in most scenarios.

However, in today’s world, we have more than just laptops and desktops. What if someone hacked your fancy new “smart” device? If someone took over or locked you out of your phone, then what would be your next move? What if they locked your home devices like your thermostat or refrigerator? The technological world can sometimes cause quite a panic.

The first question to address is a pretty big concern: How in the world does this even happen? With poor security standards, it’s not the most difficult job for those with malicious intent. In the most recent scenario released, a thermostat was hacked by adding files remotely and setting them to run in the background.

The operating system on the device did not check the security or contents of any files processed and ran the ransomware, which then requested money. In this case, if the victim did not pay, the temperature would be locked at 99F degrees.

Sadly, this is just one example. While not all malware attacks on smart devices may cause this type of concern, others are no better. Some other attacks will actually store data on the infected devices, then perform DDOS attacks against unsuspecting victims.

Small apps and programs that can be used for phishing can also find their way onto devices and be completely unknown to the user.

Fixes have rolled out over time for some of the bigger concerns, but there always seems to be something new. With these on your network, it’s not a big step to get to your actual files and programs on your PC either.
Currently, not everyone has a smart appliance in their home. That said, smart phones have obviously worked their way to the larger majority. We all download apps for one reason or another to make the phone better serve us. A wave of people will flock to the latest craze and download the most popular apps. In these scenarios, there are often “fakes” as well. These will offer some form of related service or product but will also bundle in malicious code. This code has all sorts of capabilities. Some may send texts without the owner’s knowledge. Other times, it’s possible to have information stolen. The possibilities are sometimes frightening.

So what can be done in the world of smart devices encroaching on all sides of life? In terms of larger devices and appliances, there isn’t room for removal and clean-up on the user side.

Developers are both the ones at fault and the ones that will find solutions ahead of time for the worst infections and hacks. Phones can have anti-malware programs run to help prevent data breaches, however. Most will come with a manufacturer version, but it’s always best to explore options to ensure you are protected.

Even if your smart devices don’t store information vital to you, they can still act as a gateway to anything else on your network.

As such, your office area or business workstation may fall victim soon after. Since these are the real powerhouses that hold your programs, data, and backups of other devices, it’s imperative to keep these clean and functional. Luckily, there are teams such as the one at Tech Experts that are able to identify and neutralize a threat. That alone adds peace of mind in a sometimes uncertain “smart” world.

Is Your System’s Backup Plan Working?

Luke Gruden is a help desk technician for Tech Experts.
At any moment, anything can happen that can cause your computer to fail and lose months – if not, years – of company data. This is why it’s important to have some sort of system backup in place so that files can be retrieved in case anything ever does happen to your computer or network.

Without a backup, recovery often isn’t possible and when it is, it’s often more expensive than having a long-term backup solution in place.

Some believe that just because they have a backup solution, they’ve covered their bases. If a computer goes down, they’re still safe.

Well, what about a fire in the company building? What if both your backup device and your computer are gone? What if the cloud server goes down and your computer goes out around the same time? Seems unlikely, but it can happen.

Natural disasters like flooding or lightning storms, accidents such as fires or the destruction of physical property, human influence like a tampering ex-employee or a ransomware infection… these things typically don’t give you enough warning to move your files somewhere safe. No matter what single backup solution you might use, there is a situation where it can fail.

This is why redundancy of backups is important, such as the cloud or another device. With different backup plans utilizing different locations, you can make sure that no one natural disaster or ransomware infection can stop your business for long. If anything should happen, your data will be untouched somewhere.

It’s recommended that you have at least two different backup plans in different locations. However, the more, the better. Having three different backup plans in different locations like the cloud, an offsite backup, and onsite is optimal in making sure your data is safe.

If your company data is important (which it is), there should not be a second thought in backing it up.
Remember that the more redundancy you have with your backups, the chances of losing your data drop significantly. Also, check to make sure your backup services are working and up to date as often as possible.

That way, you will not have any surprises when you least expect it and when you most need your data. At Tech Experts, we offer backup solutions that include status notifications for every backup.

It seems like we talk about this issue a lot and it’s true. We bring it up so often because disasters do happen and there have been companies that have been crushed by not having a good backup plan. Don’t let your workplace be one of them.

Take a moment and really consider how much effort you would have to put in to bring your business back up to speed after a data disaster. As always, work with your IT department and figure out what plan is best for your company before committing to anything. Interested in learning which backup solutions would best suit your business? Contact Tech Experts at (734) 457-5000.