Posts tagged " ransomware "

Ethical hackers to boost NHS cyber-defences

November 28th, 2017 Posted by Uncategorized No Comment yet

The NHS is spending £20m to set up a security operations centre that will oversee the health service’s digital defences.

It will employ “ethical hackers” to look for weaknesses in health computer networks, not just react to breaches.

Such hackers use the same tactics seen in cyber-attacks to help organisations spot weak points.

In May, one-third of UK health trusts were hit by the WannaCry worm, which demanded cash to unlock infected PCs.

Essential step

In a statement, Dan Taylor, head of the data security centre at NHS Digital, said the centre would create and run a “near-real-time monitoring and alerting service that covers the whole health and care system”.

The centre would also help the NHS improve its “ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats”, he said.

And operations centre guidance would complement the existing teams the NHS used to defend itself against cyber-threats.

NHS Digital, the IT arm of the health service, has issued an invitation to tender to find a partner to help run the project and advise it about the mix of expertise it required.

Kevin Beaumont, a security vulnerability manager, welcomed the plan to set up the centre.

“This is a really positive move,” he told the BBC.

Many private sector organisations already have similar central teams that use threat intelligence and analysis to keep networks secure.

“Having a function like this is essential in modern-day organisations,” Mr Beaumont said.

“In an event like WannaCry, the centre could help hospitals know where they are getting infected from in real time, which was a big issue at the time, organisations were unsure how they were being infected”.

In October, the UK’s National Audit Office said NHS trusts had been caught out by the WannaCry worm because they had failed to follow recommended cyber-security policies.

The NAO report said NHS trusts had not acted on critical alerts from NHS Digital or on warnings from 2014 that had urged users to patch or migrate away from vulnerable older software.

 

Thanks to the BBC for this story.

Ransomeware ‘here to stay’, warns Google study

August 22nd, 2017 Posted by Latest News, Subjects, Tech Talk No Comment yet

Cyber-thieves have made at least $25m (£19m) from ransomware in the last two years, suggests research by Google.

The search giant created thousands of virtual victims of ransomware to expose the payment ecosystem surrounding the malware type.

Most of the money was made in 2016 as gangs realised how lucrative it was, revealed a talk at Black Hat.

Two types of ransomware made most of the money, it said, but other variants are starting to emerge.

Track and trace

“It’s become a very, very profitable market and is here to stay,” said Elie Bursztein from Google who, along with colleagues Kylie McRoberts and Luca Invernizzi, carried out the research.

Ransomware is malicious software that infects a machine and then encrypts or scrambles files so they can no longer be used or read. The files are only decrypted when a victim pays a ransom. Payments typically have to be made using the Bitcoin virtual currency.

Mr Bursztein said Google used several different methods to work out how much cash was flowing towards ransomware creators. As well as drawing on reports from people who had paid a ransom, it sought out the files used to infect machines and then ran those on lots of virtual machines to generate “synthetic victims”. It then monitored the network traffic generated by these victims to work out to where money would be transferred. The data gathered in this stage was also used to find more variants of ransomware and the 300,000 files it found broke down into 34 of them.

The most popular strains were the Locky and Cerber families.

Payment analysis of the Bitcoin blockchain, which logs all transactions made using the e-currency, revealed that those two strains also made the most money over the last year, with Locky collecting about $7.8m (£5.9m) and Cerber $6.9m (£5.2m).

The research project also revealed where the cash flowed and accumulated in the Bitcoin network and where it was converted back into cash. More than 95% of Bitcoin payments for ransomware were cashed out via Russia’s BTC-e exchange, found Google.

On 26 July, one of the founders of BTC-e, Alexander Vinnik, was arrested by Greek police on money laundering charges. The police were acting on a US warrant and his extradition to America is being sought.

The gangs behind the ransomware explosion were not likely to stop soon, said Mr Bursztein, although established strains are facing competition from newer ones.

“Ransomware is a fast-moving market,” he said. “There’s aggressive competition coming from variants such as SamSam and Spora.”

Novel variants were expanding quickly and many were encouraging fast expansion by paying affiliates more if they placed the malware on to large numbers of machines. The ransomware as a service model was already proving popular, he warned.

“It’s no longer a game reserved for tech-savvy criminals,” he said. “It’s for almost anyone.”

Microcomms can help you with cyber security protection. Please contact us for advice and information.

 

Companies have been crippled by an attack dubbed ‘Petya’, the second major ransomware crime in two months.

June 28th, 2017 Posted by News No Comment yet

The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.

The Petya ransomware takes over computers and demands $300, paid in Bitcoin. The malicious software spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools.

The malware tries one option and if it doesn’t work, it tries the next one.

What should you do if you are affected by the ransomware?

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try and rescue the files from the machine, as flagged by @HackerFantastic on Twitter.

“If machine reboots and you see this message below, power off immediately! This is the encryption process. If you do not power on, files are fine.

hackerfantastic

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

If the system reboots with the ransom note, don’t pay the ransom – the “customer service” email address has been shut down so there’s no way to get the decryption key to unlock your files anyway. Disconnect your PC from the internet, reformat the hard drive and reinstall your files from a backup. Back up your files regularly and keep your anti-virus software up to date.

Contact Microcomms for a free Security Audit and for information about anti-virus and anti-malware software.

ransomware attack

Facebook denies Ransomware attack

December 1st, 2016 Posted by Uncategorized No Comment yet

Thanks to TechNewsWorld for the information below:

hacker_facebook_attack

Facebook on Monday denied that its network and Messenger app were being used to spread ransomware to its users, contradicting the claims of researchers Roman Ziakin and Dikla Barda.

The two researchers last week reported they had discovered a new method for delivering malicious code to machines, which they dubbed “ImageGate.” Threat actors had found a way to embed malicious code into an image, they said.

Due to a flaw in the social media infrastructure, infected images are downloaded to a user’s machine, Ziakin and Barda explained. Clicking on the file causes the user’s machine to become infected with a ransomware program known as “Locky,” which encrypts all the files on the infected machine. The user then must pay a ransom to the purveyor of the malicious software in order to decrypt the files.

Facebook has disputed the findings

“This analysis is incorrect,” Facebook said in a statement provided to TechNewsWorld by spokesperson Jay Nancarrow.

“There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook,” the company maintained.

“We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week,” Facebook noted. “We also reported the bad browser extensions to the appropriate parties.”

Consumer Protection

While Ransomware is always a serious threat to consumers, this new twist on its distribution raises the bar even higher.

Anti-virus specialists have commented, “Consumers simply do not expect malware to be delivered via a Facebook message. Most people probably consider social media sites to be a safe space, so the lack of concern and vigilance makes it powerful as a potential infection channel for malware.”

For consumers concerned about an ImagteGate attack, it is recommended that you do not open any files downloaded to a device after clicking any image. The same is true for image files with unusual extensions, such as SVG, JS or HTA.

Users should also keep their operating system and antivirus software up to date, and make backups. Even if you’re never infected with ransomware, you never know when something might go wrong with your machine.

If you are concerned about Cyber Security at your company – speak to our experts today hello@microcomms.co.uk or call 01209 843636.