Category: Ransomware

Large Scale Ransomware Attacks

The ransomware threat is on the rise as almost 40% of businesses reported an attack in the previous year according to a recent survey.

Security firm Malwarebytes surveyed companies and found one-third of victims lost revenue as a result of a ransomware attack. It’s the downtime caused by the ransomware rather than the cost of paying the ransom that does the most damage to a business.

Malwarebytes™ (software company selling anti-malware products) released its “Second Annual State of Ransomware Report”. The multi-country study surveyed 1,054 companies with no more than 1,000 employees across North America, France, U.K., Germany, Australia, and Singapore. More than one-third of businesses have experienced a ransomware attack in the last year. Twenty-two percent of these impacted businesses ceased operations immediately.

Key Findings

“Businesses of all sizes are increasingly at risk for ransomware attacks,” said Marcin Kleczynski, CEO, Malwarebytes. “However, the stakes of a single attack for a small business are far different from the stakes of a single attack for a large enterprise.

The impact of ransomware on SMBs can be devastating. For roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours. Further, among SMBs that experienced a ransomware attack, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue.

The most common source of ransomware infections is email – links to scammer websites or malware-laden attachments.

Seventy-two percent of respondents believe that ransomware demands should never be paid. Most of the remaining organizations believe that demands should only be paid if the encrypted data is of value to the organization. Among organizations that chose not to pay cybercriminals’ ransom demands, about one-third lost files as a result.

“Companies of all sizes need to remain vigilant and continue to place a higher priority on protecting themselves against ransomware.”


Fightback Ninja Signature

How to Identify Ransomware

If you are hit by ransomware, you need to block off the attack by removing Internet access from your PCs and servers, stopping any encryption processes in progress and stopping any other processes that shouldn’t be running.

Then the first stage of investigation is to identify what you’re facing and the website https://id-ransomware.malwarehunterteam.com/ is a good starting point.

You upload one encrypted file or the file that is the ransom message to this website and it will try to identify the variant of ransomware. Currently it can identify several hundred variants.

For each there is extra information which can tell you if there are decryption keys available on the Internet.

Some anti-hackers try to find the decryption keys and post them freely, but the blackmailers know this and try to stay ahead of them by using new variants for which no keys are available except the one held by the blackmailer.

The website is run purely as a free service to the public and does not decrypt files for you – you need an IT professional for that (assuming it’s possible, as many files cannot be decrypted without a key from the blackmailer).

If you have a suspected virus rather than ransomware, there is a website that may help to identify it at https://www.virustotal.com

As always, the advice is that it’s best to avoid being held to ransom – ensure you have adequate systems protection in place, staff that have been educated on the danger of cyber-attacks, regular backups (including off-site) and have a plan in place to deal with a ransomware attack.


Ransomware Pay or Not Pay

Ransomware is software designed to block access to your computer device or system by encrypting files and demanding a payment for the unlock key.

This malware typically gets into your device or system through a phishing email or can be through a weakness in your software protection.

Once in, the malware encrypts everything it can find and then issues a warning that payment must be made (usually in Bitcoin) in order to get the decryption key necessary to restore your files.

Businesses and individuals with proper backups and security can usually get around the temporary inconvenience caused by the attack, but for many it can be a disaster and they have to choose whether to bring in an expert to try to recover the systems or to pay the ransom and hope the criminals hand over the decryption key.

Statistics on how many people choose to pay the ransom are hard to find and vary from a few percent to more than half.

The general principle on ransom is to not pay as that would encourage the criminals to keep using the tactic.

There are cases where people chose to pay, only to receive a further, larger demand, and were never able to get the key.

In other cases, people pay and do get the unlock key.

So, it can be a tricky choice – pay and hope to get the key or refuse and cope with the damage caused.

There is no certain answer to this problem, except to protect your devices and systems so you never have to make the choice.

If you have any experiences with these scams do let me know, by email.


Ransomware as a Service

Software as a Service (SaaS) is common and is where companies or individuals pay a subscription to access software rather than actually buying it. This is how Microsoft 365 works – you pay a monthly or annual subscription to use Microsoft Office on your devices.

Unfortunately, criminals are now treating ransomware like this – with some criminal setups letting scammers make use of their ransomware for a subscription charge.

This makes it easier for the scammers who are less computer literate as they don’t need to make or buy the ransomware software.

The Coveware 2020 report shows that ransomware attacks have increased by 25 percent from Q4 2019 to Q1 2020. The monetary value of the average ransom payment has also increased from an average ransom of $41,198 to $84,116.

Ransomware is malware that, once it gets onto a computer system, encrypts information files and then demands a ransom; if the ransom is not paid, the decryption key to unlock those files will not be provided.

Payment is often demanded in Bitcoin or other untraceable methods.

Once infected with ransomware, it is very difficult for the victims to save their data, and recently these criminals have started to publish the information they find on the Internet as a way of embarrassing the owners and trying to force them to pay the ransom.

All computer systems should be protected against ransomware by the standard practices of:

  1. Making regular backups of all important files.
  2. Taking backups off site.
  3. Keeping anti-malware installed and up to date on every device.
  4. Maintaining firewalls and all other protections against intrusion.

If you have any experiences with these scams do let me know, by email.


The Please Read Me Ransomware Attack

In 2020, around 250,000 MySQL database servers were attacked in a very large scale ransomware attack.

The victims were threatened into paying a ransom or else see their confidential documents revealed to the public.

The campaign has been known as “Please_Read_Me”.

Two variants of this attack were seen in 2020. The first was the standard approach of encrypting the files and then demanding a Bitcoin payment for the decryption key; the second also used ‘leak’ websites to publish documents until the ransom is paid.

How This Happens

MySQL is a database management system.

The attack starts by finding MySQL databases that are reachable from the Internet and then tries every password in the dictionary, plus all the common passwords, to see if it can log in successfully.

If successful, the attack runs a series of database queries to determine the contents, then zips the data and sends it to the scammer. It then renders the user’s database unusable by deleting all the data.

Ransom notes are then left on the user computers and they must pay in Bitcoin to regain access to their data.
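The password-guessing stage described above leaves a trail in the MySQL error log before any login succeeds. The following Python is an added example (not code from the original post or from the Guardicore write-up): it groups the “Access denied for user” entries per source host and flags any host that produces a burst of failures inside a short window. It assumes the MySQL 8 error-log line format, and the log lines it runs on are constructed.

```python
"""Flag MySQL password-guessing bursts from the error log (added example, not
from the original post or the Guardicore write-up; assumes the MySQL 8
error-log line format; the sample lines below are constructed)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Leading timestamp plus the user@host of an "Access denied" entry.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

# Constructed sample: a burst from 203.0.113.5 cycling 'root' and 'admin',
# plus one unrelated failure from 192.0.2.10 (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2020-12-10T14:22:58.000001Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2020-12-10T14:23:01.000001Z 40 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T14:23:02.000001Z 41 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T14:23:03.000001Z 42 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T14:23:04.000001Z 43 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T14:23:05.000001Z 44 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T14:30:00.000001Z 46 [Note] [MY-010926] [Server] Access denied for user 'app'@'192.0.2.10' (using password: YES)
""".splitlines()

def parse_denials(lines):
    """Yield (timestamp, user, host) for every access-denied entry."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group("user"), m.group("host")

def flag_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {host: {"failures": total, "users": [...]}} for each host with at
    least `threshold` failures inside any `window_seconds` span; a slow
    trickle of genuine typos never reaches the threshold and is not reported."""
    window = defaultdict(deque)  # host -> timestamps inside the current window
    totals, users, suspicious = Counter(), defaultdict(set), set()
    for ts, user, host in parse_denials(lines):
        totals[host] += 1
        users[host].add(user)
        q = window[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            suspicious.add(host)
    return {h: {"failures": totals[h], "users": sorted(users[h])}
            for h in sorted(suspicious)}

if __name__ == "__main__":
    for host, info in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failures, users tried {info['users']}")
```

On a real server the same logic can be pointed at the live error log; raising `threshold` or shortening `window_seconds` trades sensitivity for fewer alerts on legitimate mistyped passwords.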

Read the full Guardicore Labs write-up for more details at www.guardicore.com/labs/please-read-me-opportunistic-ransomware-devastating-mysql-servers/

If you have any experiences with these scams do let me know, by email.

Conti Ransomware

Ransomware is where malware infects a computer system and encrypts the files then demands a ransom for the unlock key.

These criminals typically target larger companies but it can happen to anyone, including private citizens.

The criminal organisers of Conti have created a paid service whereby other criminals get access to the relevant malware and means of attack, while Conti run the ransomware leak site and the extortion.

It is easily identified, as during the encryption process every encrypted file is given a “.conti” file extension.

So, Conti is a set of tools to make it easy for other criminals to run these extortion operations on a large scale.

Once the encryption has completed a file named conti.txt is left on the relevant computer desktops.

The message states that files have been encrypted and that payment is required to release them. It also warns that the computer users must not try to decrypt the files themselves.

If the victim pays, then sometimes the decryption key is provided and other times nothing further is heard from the criminals, leaving the victim without their files.

If organisations and individuals follow best practice and keep copies of their important files elsewhere, then getting their data back may be just an inconvenience. If there are no other copies of the data, it can be a big loss, and this can lead to customers losing trust and moving their business elsewhere.

Recently Conti has also moved to the use of leak sites.

In these cases Conti starts to publish the victim’s documents publicly – anything that could be damaging to them.

Recently, Conti added the Scottish Environment Protection Agency (SEPA) to its list of victims and they published various documents from SEPA.

The Conti malware typically gets into the victim’s computers as a PDF document attached to an email that someone opens. The malware then spreads itself around the organisation and starts to encrypt data.

All organisations and users must backup all important documents and data as that is the safest way to avoid being struck down by such an attack.

If you have any experiences with these scams do let me know, by email.
