TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Ransomware

Lately, Ransomware Has Added Blackmail To Its Arsenal

Mark Funchion is a network technician at Tech Experts.

At this point, ransomware is practically a lifeform – it’s constantly growing and adapting.

Originally, if you were hit with ransomware, your data was encrypted and you could pay to (hopefully) get the data restored.

If you had an effective backup solution, you could restore your data without paying and adjust your security to prevent this from happening again.

Now, many of these attackers using ransomware have upped their game. They realize that more businesses are using backups, so the chances of getting paid are lessening. To combat that, the attackers added an additional feature to their attacks: blackmail / extortion.

Not only do they encrypt your data, but they take it as well. Now, the payment is to decrypt the data AND keep it from being posted online for all to see.

If you are a business with sensitive files, this can be a real issue. Having a backup is not enough in this case; even if you don’t pay the ransom and you’re back up and running in a few hours, all your data could be shared. Worse than the hassle of recreating all your files, the lasting effects from customer data, financials, and personal information being leaked could be devastating.

This is why it’s crucial to partner with an IT provider who understands network security.

An effective and tested backup solution is important, but there’s more that you need to have in order to be protected. Your network needs to be secured with a firewall, and all your devices need to be patched regularly to limit your exposure when exploits are discovered.

Are you using 2FA? Do you know what 2FA is? Are your passwords changed regularly and are they complex? Do all users in your office use the same password? Do they share accounts?

We know it seems more efficient to have easy passwords and shared log-ins, but it’s a huge security risk.

Businesses often find it easier to give users full administrative access to their local machine and network shares too. However, in that scenario, one compromised password that has full access to everything means the attackers do not need to look any further and can “walk” right in.

Another item that too many people turn off or find annoying is User Account Control. Yes, it can be frustrating to verify your user identity when you want to make changes.

That is, until a malicious program is launched without your knowledge and the User Account Control prompt stops your network and data from being attacked. What’s worse – a few seconds’ worth of verification or a costly business disaster?

These cyberthreats will always continue to grow and evolve. They have been since we started using the Internet. If you are not in the business of technology, it is very difficult for you to adapt efficiently enough to stay secure.

That is why the right technology partner who does adapt and evolve is very important to the success of your business.

Over $1 Trillion Lost To Cyber-crime Every Year

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

$1 trillion! That’s a lot of money. And it’s a figure that’s increased by more than 50% since 2018.

In 2019, two-thirds of all organizations reported some type of incident relating to cyber-crime.

You could make a sure bet this figure rose significantly last year, thanks to criminals taking advantage of the pandemic.

It’s easy to look at big figures like these and not relate them back to your own business. But here’s the thing. The average cost of a data breach to a business is estimated to be around $500,000.

[Read more…] about Over $1 Trillion Lost To Cyber-crime Every Year

Four Signs You’re Under Attack From Ransomware

You’ve probably heard a lot about ransomware recently. This is the computer attack where a hacker locks you out of your systems and data. And you must pay a ransom, typically in Bitcoin, to get access again.

While it’s not a new crime, it’s one of the fastest growing crimes online because it’s so lucrative to criminals. Thanks to COVID and work-from-home, more and more businesses are unintentionally opening themselves up to the threat.

In fact, it’s estimated there are more than a hundred calls to insurers every day relating to problems caused by ransomware. Unless you take necessary precautions, your business could fall victim.

But how do you know you’re not already under attack? Because here’s something most people don’t realize about ransomware. If a hacker gets access to your systems today, they won’t launch the attack right away. It can take around 60 to 100 days – if not longer – from the time you’re breached, to the delivery of ransomware.

You might be wondering why these cybercriminals spend such a long time launching their attack. They spend weeks or more just skulking around, investigating your network for weaknesses, and waiting for just the right time to maximize their profit.

So how do you know if you’re under attack? And what do you do if you are? Here are four of the best ways for you to check that your network is safe and secure.

Check for open RDP links
What’s an RDP link and how do you open or close it? We don’t want to get too techy here, so put simply, an RDP (or Remote Desktop Protocol) is Microsoft technology that allows a local computer to connect to and control a remote PC over a network or the Internet.

You’re probably utilizing this kind of thing if you’ve had any of your people working from home this year, as it makes remote access a lot easier. But RDP links left open to the Internet are a very common route for cybercriminals to enter your network.

Look for unexpected software
One of the methods ransomware gangs use to take control of your system is certain software tools. It’s important that you use a network scanner to check exactly what’s running and who’s running it.

Often, cybercriminals will take control of just one PC first, perhaps using a phishing email to persuade someone to click on a bad link without realizing it. Once they have control of one PC, they can then target the entire network.

Criminals also utilize tools to steal your passwords and log-in credentials. If you spot anything unfamiliar anywhere in your system, contact your IT support partner, who can investigate further.

Monitor your administrators
Your network administrators typically have the authority over which applications are downloaded to your network. So what’s the best way for hackers to download the applications they need? They create a new administrator account for themselves.

Then they can download whichever tools they need to compromise your network.

Check for disabled tools and software
Once the cybercriminals have administrator rights, they can locate and disable your security software. You can tell that an attack is close to being launched if something called Active Directory and your domain controllers are disabled.

Next, any backup data the criminals have found will be corrupted. And any systems that automatically deploy software will also be disabled to stop your attempts to update your computers after an attack.

It’s worth remembering that this will all be done slowly. Your hackers will take their time because that makes it much harder to detect them.

Once an attack has been launched and your data held to ransom, most of the time there’s little you can do other than attempt to restore backups. Or pay the ransom.

The hackers have normally been so thorough with their preparation that even the best IT security specialists have few options open to them.

So, once you’ve detected that something might be wrong, what can you do to stop an attack from being launched?

You can force a password change across your core systems, which many times will also throw your attackers out.

Monitor your administrator accounts. This may sound like a simple step, but you’d be surprised at how often it’s neglected.

Keep all of your software and security patched and updated. It’s very tempting to click ‘later’ on updates. But saving a little time now is not worth the huge amount of time and money that you’ll lose should you become the victim of a ransomware attack.

Implement multi-factor authentication across all of your applications, if you haven’t already. This adds another level of security for your network and helps to prevent unauthorized access.

Is There A Hidden Intruder Lurking In Your Business?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

If you’re like us, you believe you have the best, most trustworthy people working for you.

But have you ever considered the possibility you may have someone unknown hidden within your business, trying to cause a lot of damage and make a lot of money at the same time?

This might sound a little far-fetched. Perhaps something that’s more likely to happen in a film than in your business.

But actually, you’d be surprised. Cyber criminals are targeting businesses exactly like yours all the time.

Because often, small and medium sized businesses don’t spend big bucks on their cyber security. Hackers know this. And will put a lot of effort in to try to exploit that. [Read more…] about Is There A Hidden Intruder Lurking In Your Business?

Targeted Attacks On Small Businesses Are On The Rise

Mark Funchion is a network technician at Tech Experts.
Many of us have heard of ransomware. This is an attack where someone gains access to a system and encrypts all of the data until a ransom is paid. Once they get their money, they either unencrypt the data… or not. There is no guarantee that paying the ransom will actually work.

Most attacks in the past, both viruses and ransomware, were the “spray and pray” variety. Basically, the attackers would send out thousands (or hundreds of thousands) of emails and hope that a small percentage of them were successful. This procedure worked, but the success rate was low and the attackers had to have a large volume to make it successful.

The more profitable attacks that are on the rise are targeted attacks. These attacks rely on quality rather than quantity. Research goes into the attacks that then target a single or very few companies. These attackers will even go as far to check a company or institution’s financial information to see how much of a ransom they can expect to get.

In addition to demanding a ransom for the data to be decrypted, there is often a threat that the data will be released if the ransom is not paid. The threat of data being released can lead to the ransom being paid even if the target has a way to recover from the attack.

While many home users would hate to have their data released, it would not be completely devastating in most cases. If you are a financial, medical, or education institution, it could end your business or severely harm it. These institutions all contain sensitive information of their employees and clients.

For this reason, a recent spike has been seen in the UK involving their schools. Attackers are seeing schools as an easier target in today’s environment with the increase in remote learning. Banks and hospitals have been targeted numerous times before, and their main goal is to be as secure as possible, spending large amounts of money on it.

Schools and universities, on the other hand, are concerned with security, but they’re in a position today with COVID where they need to have fairly open access.

As colleges are pivoting to a distance learning model on a scale never envisioned, they have to allow more and more access in. This means more and more devices the schools have no direct control over, creating potential entry points into the network.

Although most of you reading this are not educational institutions, there is no industry or business (regardless of size) that is safe from a potential attack. Having a good network security system in place with effective backups is critical.

Don’t rely only on a day or a few days’ worth of backups either; some attacks will infect a system, then remain dormant for a while, hoping to outlive the backups you have available.

Having a technology partner who understands the dangers and how to recover is essential. You cannot just plug in a firewall and use an antivirus software and consider yourself protected.

Your business should have an incident response plan that includes backups and restore procedures, as well as testing. You also need to make sure you have a procedure to keep all of your systems up-to-date with the most current patches. Making sure any remote sessions are secure and using 2FA whenever possible is another area often overlooked too.

The list of vulnerabilities is endless, but we are here to assist. Let us provide you the security and comfort that your business is protecting not only your data, but your users from a potential breach.

Why IT Professional Are Terrified Of Ransomware

If you want to scare someone who works in IT, start talking to them about ransomware.

There are few things as scary for IT professionals as the prospect of their systems locking up with hackers demanding money to return things back to normal.

When discussing it, you may notice them breaking into a sweat and starting fidgeting as they contemplate one of the most terrifying cybersecurity threats computers face.

How does ransomware spread?
There are several ways that ransomware can get into computers.

Email is one of the most common ways in. Hackers will send bad files that can trigger a ransomware infection when opened and quickly spread across your network.

Another favorite way to spread ransomware is to send bad URL links that download ransomware when they’re clicked. This ‘drive-by downloading’ can happen without anybody noticing that anything has happened until it’s too late.

These bad files and links are not always easy to spot. Cybercriminals are getting increasingly sophisticated in the ways they try to persuade people to do what they want them to do.

A growing trend is for cybercriminals to pose as trusted people, like a client, a colleague, or a friend. And ask you to do something urgently before you have the time to think things through.

This isn’t a modern crime. Ransomware’s been around for years
Ransomware dates to the late 1980s when payment was often sent by check through the mail!

Now, modern hackers normally demand payment in cryptocurrencies that make them much more difficult to track.

Here is some information on two of the more infamous ransomware attacks.

WannaCry
The WannaCry ransomware attack took over the news when it spread widely in 2017.

More than 200,000 computers in over 100 countries were left useless. The ransomware exposed weaknesses in critical IT systems, like those in hospitals and factories.

One of the worst-hit victims was the National Health Service (NHS) in the UK. Operating theatre equipment, MRI scanners, and other computers essential for hospitals were left useless and patients suffered.

NotPetya
NotPetya is less well-known than WannaCry but the financial costs are estimated to have been far higher.

Mainly spread among businesses due to the early infection of a major financial software vendor, the cost of this ransomware to small businesses and governments is estimated to have been around $10 billion.

This attack impacted computers around the world. But around 80% of the cases are estimated to have been in Ukraine.

Ransomware Attacks On Healthcare Providers Rose 350% In Q4 2019

Ransomware assaults against healthcare providers expanded an astounding 350 percent during the last quarter of 2019 with the quick pace of assaults previously proceeding all through 2020.

Ransomware attacks dominated healthcare headlines during the later part of 2019 with attacks on IT vendors disrupting services on hundreds of dental and nursing facilities, while a number of hospitals, health systems, and other covered entities reported business disruptions from these targeted attacks.

Also, in December, Blackberry Cylance specialists revealed that another ransomware variation known as Zeppelin was spotted focusing on the human services division and tech associations through the supply chain.

IT research group Corvus broke down the ransomware attacks of the last few years to get a feeling of malware’s effect on the part and its assault surface and discovered there were in excess of 24 announced ransomware occurrences a year ago.

These findings mirror similar reports, which also noted that these numbers are likely lower than the actual number of attacks – as some ransomware victims do not report the incidents to the public.

In fact, Emsisoft research shows that more than 759 healthcare providers were hit with ransomware last year, reaching crisis levels.

Further, the trend has continued in 2020 with at least four healthcare covered entities reporting attacks in January alone. According to Corvus, the number is more than any other quarter in healthcare since Q3 2017. And if the rate continues, there will be at least 12 reported during Q1 2020.

The researchers also found that healthcare actually has a smaller attack surface, on average, than the web average. Those that have reduced their overall exposure, especially hospitals, have limited the risk of exposure.

But health services and medical groups are the most at risk in the sector, according to the data.

That’s not to say that healthcare is successfully securing its attack surface. For example, one of the most common exposure types is through the remote desktop protocol, which is associated with a 37 percent greater likelihood of a successful ransomware attack.

Healthcare is also struggling to secure its email security, overall. Eighty-six percent of healthcare covered entities don’t use scanning and filtering tools on their email platforms. Even hospitals, which typically leverage these services at a higher rate, are failing to deploy this tool at a successful rate (just 25 percent use the tech).

What’s more, health practitioners, such as dentists and physicians are 14 percent less likely on average to use the most basic form of email authentication, which are known to prevent suspicious emails from making it to the inbox.

It’s concerning, as Corvus showed that more than 91 percent of ransomware attacks are the result of phishing exploits.

“Hospitals use email scanning and filtering tools more than average, but the average is low,” researchers wrote. “These services are associated with a 33 percent reduction in the likelihood of a ransomware attack. All healthcare entities should strongly consider such services to help prevent phishing.”

Corvus also found that hospitals are six times more likely to internally host their own servers, instead of leaning on a third-party vendor. As a result, those entities have “the responsibility for maintaining some aspects of security in their court: keeping up with the everchanging threats rather than handing it off.”

“As commodity ransomware has become more readily available and examples of successful attacks on smaller organizations, like local governments, gain attention, attackers may well turn their attention to organizations like individual health practitioners or nursing/long-term care facilities,” researchers wrote.

“We can see that the security measures at these kinds of organizations are average at best, and in some areas worse,” they continued. “Healthcare organizations of all sizes are at risk… They should be taking advantage of opportunities to improve email security.”

As the number of successful ransomware attacks increased, several industry stakeholders released guidelines to help organizations shore up their defenses, including the Department of Homeland Security, Microsoft, NIST, and the Office for Civil Rights. Healthcare organizations, especially those with limited resources, should turned to these insights to bolster their defenses.

Lastly, the FBI has continually reminded organizations that they should not pay the ransom for a host reasons, including that there is no guarantee the hackers will unlock the data and the threat actor may launch a subsequent attack.

Ransomware attacks have cost the healthcare sector at least $160 million since 2016, according to Comparitech.
This article was adapted from research published by Health IT Security.

Why Is Ryuk The Most Dangerous Ransomware?

Ryuk is one of the most prevalent ransomware variants in the threat landscape, with infections doubling from the second to the third quarter in 2019.

Ransomware infections continue to increase in tandem with overall impact and monetary demands.

Furthermore, Ryuk’s ability to delete shadow copies and backups makes Ryuk extremely costly and almost impossible to remediate.

For instance, Ryuk operators demanded nearly $600,000 from one government agency after successfully encrypting nearly all files on the network.

Ryuk uses encryption to block access to a system, device, or file until a ransom is paid. It is often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after gaining access to the system through compromising Remote Desktop Services.

Once on a system, CTAs deploy Ryuk through the network using PowerShell, PsExec, or Group Policy, with aim to infect as many systems as possible. The number of infected systems depends upon how the malware is deployed as well as the CTA’s access and privileges.

This may be a local subnet, the list of computers in active directory, or the entire organization depending on the variability and process specific nature of spreading the malware.

Once the malware is pushed out to the network, it targets backups and begins the encryption process.

Researchers have observed an increase in Emotet or TrickBot infections leading to a Ryuk infection.

For example, TrickBot disabled the organization’s endpoint antivirus application and spread throughout the network, infecting hundreds of endpoints and multiple servers.

Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial and other sensitive information prior to deploying Ryuk.

Once Ryuk is deployed network-wide, the CTAs encrypted the organization’s data and backups, and left ransom notes on the machines.

Ryuk ransom notes once contained a message and a ransom amount, but have since evolved over time.

Throughout most of 2019, the ransom note did not list a ransom amount and only contained a message and email address. However, now Ryuk ransom notes are very simplistic, with no price or message, only containing an email address, the ransomware’s name, and the statement “balance of shadow universe.”

The CTAs demands payment via Bitcoin cryptocurrency and direct victims to deposit the ransom into specific Bitcoin wallets.

The ransom demand is typically between $100,000-$600,000, which as of 12/19/19 is 14-84 Bitcoins. Notably the ransom demand is determined by the organizations’ assessed ability to pay and the sensitivity of the data affected.

It is highly likely the CTAs account for characteristics like industry, solvency, subscription to cyber insurance, and network saturation when calculating ransom demands. Furthermore, the CTAs have been known to negotiate with victims and adjust the initial ransom amount.

Ryuk’s main infection method is to be dropped on a system by other malware. The file will have a five-letter random name that is usually generated by the srand1 and GetTickCount2 functions.

Persistence
Once executed, the main payload attempts to stop antivirus related processes and services. It uses a preconfigured list to kill more than 40 specific processes and 180 services with taskkill and net stop commands.

This preconfigured list includes antivirus processes, databases, backups, and document editing software. Additionally, the main payload establishes persistence in the registry and injects malicious payloads into several running processes.

To increase persistence, Ryuk makes changes to the registry allowing it to run the payload every time the user logs on.

Ryuk’s anti-recovery techniques are more extensive and sophisticated than most types of ransomware, making recovery almost impossible without restoring from clean external offline backups.

Ryuk’s process injection allows the malware to gain access to the volume shadow service and delete all shadow copies, including those used by third-party applications.

Encryption
Ryuk uses unbreakable RSA and AES encryption algorithms with three keys. The CTAs use a private global RSA key as their base encryption model. The second RSA key is delivered to the system via the main payload and is encrypted with the CTA’s private global RSA key.

Once the malware is ready for encryption, the final key is created in their three-key encryption model.

Ryuk scans the infected systems and encrypts almost every file, directory, drive, network share, and network resource.

Ryuk attempts to encrypt all mounted network drives. As long as the drives are not CD-ROM types, the files will be encrypted.

Finally, once the malware is finished with the encryption process, it will create the ransom note, “RyukReadMe.txt”, placing it in every folder on the system.

Top 5 Cybersecurity Predictions For 2019

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Cyber threats are a genuine danger for businesses, no matter their size or industry. Companies that face data breaches are likely to fail within months after the attack, according to the National Cyber Security Alliance. Security issues can ruin your reputation and cause expensive damage to your company.

In 2019, we are already predicting increased cyber crimes to steal more data and resources. The FBI reported that over $1.4 billion in losses were experienced by companies and individuals in 2017.

These expenses come from increasing security, losing information, losing physical resources, ransomware payouts, scams and more. The most significant sources of cybercrime included: [Read more…] about Top 5 Cybersecurity Predictions For 2019

Wannacry Ransomware Continues To Be A Problem For Some

It’s been almost two years since the outbreak of the Wannacry ransomware epidemic. Unfortunately, all this time later, some companies are still dealing with the fallout. According to the latest research, Wannacry is still infecting hundreds of thousands of computers around the globe.

WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017. After infecting Windows computers, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization connected to the North Korean government.

As grim as that sounds, it’s not all bad news. After all, the malware has been rendered harmless by the now famous “kill switch” discovered by Kryptos Logic security researcher Marcus Hutchins, who found a glaring flaw in the design of the software. The flaw allowed him to register a domain and encode it with instructions that would keep the ransomware component of Wannacry from activating and actually encrypting files.

That, however, did nothing to get rid of the malicious code infecting legions of PCs around the world. Sadly, much of the code remains in place on infected machines, silently lurking in the background. Kryptos Logic is uniquely positioned to know, since they control the kill switch domain and have continued to monitor traffic to it since building the kill switch on it. To this day, their site continues to be pinged by new IP addresses as the now toothless infection continues to spread.

It’s not hard to see why the removal of a piece of malware that has been rendered suddenly toothless takes a lower priority for busy and often harried IT security professionals. Leaving the code in place on infected machines is not without risk, however.

It is possible, however unlikely, that the hackers who built the program to begin with could find a way to get around the kill switch. If that should happen, then we’ll be facing the full fury of the epidemic all over again, something no one in the field of digital security wants to contemplate.

The bottom line is simply this: If you were impacted by Wannacry when the outbreak initially occurred, it’s worth double checking to make sure that all traces of the malicious code are gone from your network.