Defense Against Crime

15/05/2017

Ransomware Attack!


If you have not watched the news, or just haven’t paid attention, there is a worldwide ransomware attack that began last week and may continue this week. The New York Times has an active map showing where the attacks have been happening. You can google it or see this link: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0

If you want to keep up to date on the latest on this event, just watch the news or do an internet search on the topic.

If you want to know more about ransomware, we have written about this before. You can open these previous posts.

Victims of ransomware usually receive an e-mail or some other type of electronic message that asks them to download or run software. Some of these e-mails may appear to come from someone you know, or the software may arrive bundled with a software hack (like a cracked version of some game or popular software). When you run the software and it appears that NOTHING is happening, something is.

The software will encrypt your hard drive, or encrypt part of your hard drive so that your computer is still operable and you can continue to use it, but you cannot access your personal files. This includes all personal documents, images and music files.

If you are the victim of a ransomware attack you’ll open your computer and instead of your normal files you’ll see a pop-up appear that says, ‘Surprise, we’ve taken control of your computer and if you want access to your files you need to pay us.’

Here are some things you can do to prevent being a victim.

  1. Please update your computer security software as soon as releases are available. It’s best to set it to auto update.
  2. Please run all software and OS patches. Again, please set it to auto update.
  3. If you value your files, back up your computer to an external drive at regular intervals. You may want to invest in a cloud backup service. You can search for and review them.
  4. Finally, be very vigilant. You need to constantly look out for emails that seem suspicious, and you need to err on the side of not downloading random files. Delete them. We often receive random invoices and reports that seemingly credible companies, like Bank of America or UPS, send us. Sometimes I get invitations to download a file from a cousin. If you know the e-mail is fake, delete it. You can always verify before opening any attachment that your cousin actually did send the files.

We are dedicated to providing you with the best and most affordable self-defense products on the market to meet the security needs of you, your family members or your business, by assisting anyone who is unwilling to become a victim of crime. If you want to take personal responsibility for self-protection, home security, business security, purchase our high quality discount self-defense products and arm yourself with the knowledge about self-defense and security products and information of the best way to stay secure in an ever-increasing violent world. In today’s society, being equipped mentally and physically is no longer an option. Victor Swindell, Onyx Knight Enterprises


01/09/2016

BACK UP YOUR FILES BEFORE DISASTER STRIKES


Backing up has become more important than ever, thanks to cyber-attacks like ransomware and natural disasters like floods or tornadoes.

If you are a regular reader here you already know how pervasive and frustrating ransomware is. If you’re new to our blog, here is a bit of background. Ransomware is one of the newest attack methods in the malware world. It can be pulled off with great ease, as all a hacker has to do is buy a premade ransomware kit from malware creators on the dark web. Then he or she distributes the malicious code, usually by way of email attachments, but as we have explained earlier, ransomware can also get onto systems via security holes, or vulnerabilities in outdated system software. When the ransomware code is executed by, say, clicking that infected link in an email, it begins to encrypt all the files on your computer or device. That’s when you’ll get a notice from the ransomware creators, letting you know that your files have been encrypted and that if you want to retrieve them you’ll need to pay them in untraceable bitcoins (hundreds to thousands of dollars).

You have two choices: pay to perhaps get your files back, or don’t pay… and lose EVERYTHING you have on your computer! The sad truth is that even if you pay you may not get your files back, because once they have been encrypted they can only be decrypted with the corresponding key, which the hackers have and aren’t about to give to you.

If you have been meticulous in backing up your files, data, pictures and whatever else you have that’s precious to you, then you can stand your ground and walk away.

Make multiple backups

Before we delve into the different backup methods out there, it’s important to note that you should have more than one backup of your files stored in different places to ensure that you are completely covered.

Types of backup

Cloud-based backup – You are probably familiar with cloud storage like Google Drive and Dropbox. The idea here is that your files are stored in the Google or Dropbox cloud respectively and you can access them from anywhere you can log into your account. These services are great for sharing pictures and collaborating on documents and presentations, but they aren’t really designed for heavy-duty, let alone automatic, backup. Instead, look for a cloud-based backup service that automatically backs up all your files and folders. Some important features to watch out for:

  • Unlimited storage.
  • Folder syncing and sharing.
  • Continuous backup throughout the day automatically.
  • Available for smartphone.
  • Price tag factor – some plans, like Carbonite, run at about $60 per license per year and others can run $120 or more per year depending on the level of service or options you choose.

Do your research, find the service and plan that fits your needs best and go with it! Some of the best plans out there are: Crashplan, SOS Online Backup, Backblaze, SugarSync, SpiderOak, Carbonite, and iDrive.

iDrive is the PCMag Editor’s choice for 2016: (http://www.pcmag.com/article2/0,2817,2288745,00.asp)

“It has been one of the more ambitious online backup and cloud-based syncing service services in recent years, offering not only some of the most attractive pricing plans, but also a multitude of features in clear desktop, mobile, and Web applications.”

Local backup – Your other option is to back up to an external hard drive or a flash drive. This method is a bit less user-friendly as it cannot be done automatically, and since flash drives are so small they tend to get lost easily. But it’s not a bad idea to have a physical backup of your digital stuff. You can purchase external drives; you just have to be careful not to leave them connected AFTER you back up.

PLEASE NOTE: Ransomware can affect every file on every drive on your computer, and even cloud drives like Dropbox. If you get infected with ransomware, your backups can be affected as well. So please disconnect them when you are not using them.


When it comes to ransomware, follow our mantra: “Backup, don’t pay up”.

16/12/2014

Wait…Don’t Open that PDF!

Filed under: Cyber Crimes — peppereyes @ 7:55 PM

Now that I have your attention, please gather around while I tell you a story. It’s a story about a lady, a computer and a thief. The best part, or worst part, is that this story actually happened, and is happening to thousands of unsuspecting computer users who just clicked on an innocent-looking PDF attachment in their e-mail box that looked legitimate.

One day a very clever computer thief sent out millions of e-mails that stated that they were medical invoices, and he attached a very clever file that looked like an ordinary PDF document. He knew that there were unsuspecting people who would think that this email was real and that a PDF couldn’t harm them. He was counting on it. Several days later Nancy (not her real name) got the e-mail and thought that it was an invoice for her mother, who had been ill for the last few months. So she clicked on it and followed the instructions. However, it wasn’t a PDF. It was a Trojan horse that she let in through her front door. This thief was a very clever piece of computer malware (bad software) called ransomware. We discussed ransomware previously. The name of this virus was CryptoWall 2.0 (a new, improved version of CryptoWall and CryptoLocker).

What Happened Next?

While Nancy’s computer was on, CryptoWall started doing what it was designed to do: infect her computer. This infection is REAL NASTY. The infection process began by establishing a network connection to random servers, where it uploaded connection information like the public IP address, location, and system information including the OS of Nancy’s computer.

Next, the remote server generates a random 2048-bit RSA key pair that’s associated with Nancy’s computer. It copies the public key to the computer and begins copying each file on its pre-determined list of supported file extensions (text files, Word documents, images, music, etc.). As each copy is created, it is encrypted using the public key, and the original file is deleted from Nancy’s hard drives.

This process continued until all the files matching the supported file types had been copied and encrypted. This included files located on other drives, such as external drives and network shares; basically, any drive that’s assigned a drive letter is added to the list. Cloud-based storage (such as Dropbox, Microsoft or Amazon cloud storage) that keeps a local copy of the files on the drive will also be affected, and the changes will propagate up to the cloud and down to every other connected location as the files are changed.

Finally, once the encryption process completed, CryptoWall 2.0 executed some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also controls file versioning, a feature introduced in Windows 7 that keeps histories of changes made to files, so that a file can be rolled back or restored to a previous version after an unintended change or a catastrophic event that damages it. The command run by the ransomware stops the service altogether and also adds the command argument to clear/delete the existing cache, making it even more difficult to recover files through versioning or system restore. Yes, this was bad news for Nancy.
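The shadow-copy tampering described in this paragraph is one of the few noisy things ransomware does before the ransom note appears, which makes it a good thing to alert on. The following is an added example, not code from this blog: it scans process-creation records for the VSS service being stopped or existing shadow copies being deleted, and rates a hit higher when the parent process was launched from a user scratch folder. The log lines, host name, user and paths are constructed for the example, and the record layout (key=value pairs with a quoted cmd field) is an assumption standing in for a Sysmon Event ID 1 or Windows Event 4688 export.

```python
"""Flag process-creation records that stop the Volume Shadow Copy Service
or delete existing shadow copies.

Added example, not code from the blog. SAMPLE_LOG is constructed: its
"key=value" layout with a quoted cmd field is an assumption standing in
for Sysmon Event ID 1 / Windows Event 4688 exports.
"""
import re

# Constructed sample records. Host, user, paths and times are invented.
SAMPLE_LOG = r"""
2014-12-10T21:13:58Z host=NANCY-PC user=nancy parent=C:\Windows\explorer.exe image="C:\Program Files\Microsoft Office\WINWORD.EXE" cmd="WINWORD.EXE /n invoice_mother.docx"
2014-12-10T21:14:05Z host=NANCY-PC user=nancy parent=C:\Users\nancy\AppData\Local\Temp\invoice.pdf.scr image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2014-12-10T21:14:06Z host=NANCY-PC user=nancy parent=C:\Users\nancy\AppData\Local\Temp\invoice.pdf.scr image=C:\Windows\System32\net.exe cmd="net stop vss"
2014-12-10T21:30:12Z host=NANCY-PC user=nancy parent=C:\Windows\explorer.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe List Shadows"
2014-12-10T22:01:44Z host=NANCY-PC user=SYSTEM parent=C:\Windows\System32\services.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
"""

# Each rule names a behaviour from the paragraph above: stopping the VSS
# service, or purging the shadow copies it keeps. Listing (not deleting)
# shadows is a normal admin action and is deliberately not matched.
VSS_TAMPER_RULES = [
    ("shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copies deleted via WMI",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("VSS service stopped",
     re.compile(r"\b(?:net|net1|sc)(?:\.exe)?\b.*\bstop\b.*\bvss\b", re.I)),
]

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A parent launched from a user-writable scratch location makes a hit more
# suspicious than the same command run by services.exe or an admin shell.
SCRATCH_PATH_RE = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.I)


def parse_record(line):
    """Turn one log line into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def find_vss_tampering(log_text):
    """Return one finding per record whose command line matches a rule."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_record(line)
        cmd = rec.get("cmd", "")
        for rule_name, pattern in VSS_TAMPER_RULES:
            if pattern.search(cmd):
                parent = rec.get("parent", "")
                findings.append({
                    "line": lineno,
                    "rule": rule_name,
                    "user": rec.get("user", ""),
                    "parent": parent,
                    "cmd": cmd,
                    "severity": "high" if SCRATCH_PATH_RE.search(parent) else "medium",
                })
                break  # one finding per record is enough
    return findings


if __name__ == "__main__":
    for f in find_vss_tampering(SAMPLE_LOG):
        print(f"line {f['line']} [{f['severity']}] {f['rule']}: {f['cmd']} (parent {f['parent']})")
```

On the sample, the two commands spawned by the file from the Temp folder come out as high-severity findings, the WMI deletion run under services.exe as medium, and the harmless `vssadmin List Shadows` is not reported at all. In a real deployment the same rules would be fed from the endpoint telemetry rather than the constructed string.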

Her Files would Not Open .. Now What?

Nancy went to open one of her Word documents, and it was gibberish. Nancy thought she had gotten a virus and went to the store to get some antivirus software. While I encourage everyone to get a nice software package to scan for viruses and malware, along with a host of other security measures, and to keep them updated, you should do these things prior to going online. Also, as a word of warning, many of the new viruses won’t be detected because they haven’t been identified yet, or the creator is clever enough to make them currently undetectable. After lots of frustration Nancy called me, as I know a few things about computers. After doing some work to speed up her computer I saw some interesting files:

  • DECRYPT_INSTRUCTION.txt
  • DECRYPT_INSTRUCTION.html
  • DECRYPT_INSTRUCTION.url

Clicking on any of these files will provide the victim with the step-by-step instructions necessary to carry out the ransom payment. The HTML file will actually have a caption indicating the amount of time left on the ransom and how much money is being requested as payment. Typically, the ransom amount begins at $500 (USD) in bitcoins, and the countdown timer provides a period of three days in which to get payment to the requester.


After the timer has reached zero, the caption will change. The new amount requested will double to $1,000 (USD) in bitcoins and the timer will show a cutoff date and time. Usually, the time frame is about one week, and it will indicate that if payment is not received before the cutoff time, the remote server housing the private key and the decryption application needed to decrypt your files will be automatically deleted, making your files unrecoverable.


So what could she do?

At this point Nancy had two options:

  1. Pay the ransom
    If she had chosen to pay the ransom then there is a slight chance that these thieves would honor the ransom and release the unencrypted version of Nancy’s files. However, remember these are thieves. Who says that once they have your money they will do anything?
  2. Not pay the ransom
    By not paying you are saying you really don’t care about this data and you can live without it (sort of the same fate as having your hard drive crash). If you take this route, you will need to reformat your hard drive and re-install your operating system and software. There is the possibility of using file recovery software to restore the files deleted by CryptoWall 2.0, but the more you use your computer after being attacked, the harder it will be to undelete the original files.

Protecting Yourself from being the victim

  • If you get an attachment that you were not expecting from a friend or company, contact the friend before opening it.
  • The best way to survive a ransomware attack is to keep up-to-date backups of your important files off site (like Carbonite) or on a portable drive that you don’t connect to your computer unless you are doing a backup. A ransomware infection, which encrypts all of your files, is similar to a drive failure, except that for a small fee you have the chance to get your files back.
  • As mentioned above, have an active and up-to-date anti-virus and malware detection program installed on your computer. Make sure you do a full system scan once a week.
  • Learn all the things you should and should not do on the internet concerning file sharing, viruses, and malware. This blog has lots of resources, because there are new and creative threats happening all the time.
  • Viruses, regardless of whether they’re creating harmless pop-up screens, attacking your files or stealing your personal or financial information, are a major annoyance. As a society, we will need to continue to contend with them as digital divides slowly shrink, our connected lives stretch further out and the criminal element persists.
  • While there may be little recourse once infected, there is a lot that can be done to limit our exposure to infection and subsequent loss of data. You just need to be proactive enough to ensure that these fail-safes are in place and check on them from time to time.

“Out here, it’s better safe than sorry, because generally speaking, too much of the time sorry means you’re dead.”  ― Patricia C. Wrede, Across the Great Barr

Technical Things To do

  • Block downloads of executable files from the web without specific user consent from your web browser settings.
  • Employ an advanced detection system to analyze all incoming executables, PDF files, and Microsoft Office documents.
  • Consider blocking the Tor application completely within your network.
  • Ensure that only necessary users have write access to network shares. CryptoWall will encrypt all files in network shares if the share is mounted at the time of infection and accessible to the logged-in user.
  • Disconnect or unmount backup drives when they aren’t being used, as CryptoWall can also encrypt your backups.
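Both the backup post above (“your backups can be affected as well”) and the last item of this list make the same point: a backup drive that was connected during an infection cannot be trusted until it has been checked. The following is an added example, not code from this blog, of the check a practitioner would run: record a SHA-256 manifest of the backup set and keep it somewhere else, then verify the set against that manifest before restoring from it. The backup files, their contents, the temporary directories and the simulated infection are all constructed here; the ransom-note filenames are the ones the post lists.

```python
"""Record a SHA-256 manifest of a backup set, then verify the set before
trusting it for a restore. A backup drive that stayed mounted during an
infection shows up as modified files plus a ransom note it never had.

Added example, not code from the blog. The backup files, their contents
and the simulated infection are constructed in temporary directories.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Note filenames the post lists for CryptoWall 2.0.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html",
                     "DECRYPT_INSTRUCTION.url"}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_root):
    """Relative path -> SHA-256 for every file under the backup root."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare the backup on disk against a manifest that was saved elsewhere."""
    current = build_manifest(backup_root)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": unexpected,
        "ransom_notes": [k for k in unexpected if Path(k).name in RANSOM_NOTE_NAMES],
    }


def demo():
    """Build a backup, record its manifest, simulate an infection while mounted, verify."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as safe:
        root = Path(backup)
        (root / "docs").mkdir()
        (root / "docs" / "letter.docx").write_bytes(b"PK\x03\x04 constructed document")
        (root / "photos").mkdir()
        (root / "photos" / "family.jpg").write_bytes(b"\xff\xd8\xff constructed image")

        # Keep the manifest off the backup drive; on the drive it could be
        # encrypted or rewritten along with everything else.
        manifest_path = Path(safe) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root)))

        # What a mounted backup looks like after the drive was left connected:
        # one file overwritten with ciphertext-like bytes, a note dropped beside it.
        (root / "docs" / "letter.docx").write_bytes(os.urandom(64))
        (root / "DECRYPT_INSTRUCTION.txt").write_text("constructed ransom note")

        return verify_backup(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists the overwritten document under `modified` and the dropped note under both `unexpected` and `ransom_notes`; an empty report is the signal that the set can be restored from. Storing the manifest on the backup drive itself would defeat the purpose, which is why the demo writes it to a second location.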

Beware Geeks Bearing Gifts

As I mentioned above, CryptoWall 2.0 is a Trojan horse that is disguised to look legitimate and gain your trust so that you allow it onto your system. The majority of these types of malware have come through e-mails with executable attachments, sometimes contained in .zip files and in this case disguised as a PDF. Most of the e-mail attacks used fake invoice, fax and voicemail themes with attachments named like the following:

  • Complaint_IRS-Id-12839182.scr
  • fax00415741732781728.scr
  • VOICE387-778-3454.zip
  • CH_Import_Information.exe

A computer expert I know received an e-mail campaign pretending to be a fax report that carried a .zip attachment with a PDF inside. The PDF exploits CVE-2013-2729 to download a binary which also installed CryptoWall 2.0.
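The attachment names above show the three disguises this section describes: a bare executable type such as .scr, a double extension that hides the executable behind a document name, and an archive that carries the executable inside. The following is an added example, not code from this blog, of a mail-gateway style screen that catches all three and also checks that a file claiming to be a PDF actually starts like one. The sample message, its sender, the attachment names and their contents are constructed here; the MZ bytes are only a header marker, not a program.

```python
"""Screen e-mail attachments for the disguises described above: executable
types such as .scr, double extensions like invoice.pdf.scr, archives that
carry an executable inside, and files whose bytes do not match the type
their name claims.

Added example, not code from the blog. The sample message, its sender,
attachment names and contents are constructed here; nothing is fetched
from a mailbox.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi"}
# First bytes a file of the declared type should start with.
MAGIC = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff"}


def declared_ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def screen_file(name, data):
    """Return the reasons a file should be quarantined (empty list = none found)."""
    reasons = []
    ext = declared_ext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment type {ext}")
        if name.count(".") >= 2:  # e.g. fax_report.pdf.scr
            reasons.append("double extension hiding an executable")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"content does not match declared type {ext}")
    if ext == ".zip":
        # Look inside archives; nested zips are handled by the recursion.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    for r in screen_file(info.filename, zf.read(info)):
                        reasons.append(f"{info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("archive could not be opened")
    return reasons


def screen_message(raw_message):
    """Map each attachment filename to its list of quarantine reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        report[name] = screen_file(name, data)
    return report


def build_sample_message():
    """Constructed 'fax report' lure in the shape the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # MZ marks a Windows executable header; the rest is filler, not a program.
        zf.writestr("fax_report.pdf.scr", b"MZ\x90\x00 constructed filler")
    msg = EmailMessage()
    msg["From"] = "fax-service@example.invalid"   # constructed sender
    msg["To"] = "nancy@example.invalid"
    msg["Subject"] = "Your fax report"
    msg.set_content("Please find your fax report attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="fax00415741732781728.zip")
    msg.add_attachment(b"MZ\x90\x00 constructed filler", maintype="application",
                       subtype="pdf", filename="medical_invoice.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed harmless document",
                       maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(name, "->", reasons or "clean")
```

On the sample message the zip is flagged because of the .scr it contains, the fake invoice is flagged because its bytes do not start like a PDF, and the genuine-looking receipt passes. The same `screen_file` function can be pointed at files saved from a download folder, since it only needs a name and the bytes.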


PepperEyes.com Self-Defense is dedicated to providing you with the best and most affordable self-defense products, and safety products on the market to meet the security needs of you, your family members or your business, by assisting anyone who is unwilling to become a victim of crime.  If you want to take personal responsibility for protection, home security, business security, purchase our high quality discount self-defense products and arm yourself with the knowledge about self-defense and security products and information of the best way to stay secure in an ever-increasing violent world. In today’s society, being equipped mentally and physically is no longer an option.

