New Locky Variant Discovered: Osiris Ransomware

Osiris ransomware is the latest variant of Locky. As with other versions of the ransomware, there is no free way of unlocking encrypted files if a viable backup of data does not exist.

Cybercriminals use a variety of techniques and attack vectors to spread malicious files such as ransomware and malware. Exploit kits are popular as they can be hidden on websites and used to silently probe visitors’ browsers for vulnerabilities in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those vulnerabilities are leveraged to download malware. Malvertising – malicious web adverts – are often used to direct users to these malicious webpages; however, all too often, links to these websites are sent via spam email.

The rise in malware and ransomware attacks over the past few years has prompted many organizations to start providing security awareness training to staff members. Employees are instructed never to click on a link contained in an email unless they are sure that it is genuine.

However, even with security awareness training, a great many employees inadvertently infect their computers with malware or accidentally download ransomware. One of the biggest problems is not malicious links in spam email but malicious attachments. Cybercriminals have increased the use of malicious file attachments in the last year, especially to infect end users with ransomware.

One of the biggest ransomware threats in the past 12 months has been Locky. Locky has been spread via exploit kits in the past, although spam email is now primarily used to infect users.

Office Macros Used to Infect Computers with Osiris Ransomware

The gang behind Locky frequently updates the ransomware, as well as the methods used to fool end users into installing the malicious file-encryptor. The latest Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.

Locky is commonly spread via malicious macros in Word documents. Typically, the malicious Word documents claim to be invoices, purchase orders, or notifications of missed parcel deliveries.

However, a recent campaign used to distribute the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically result in an Osiris ransomware infection if macros have not been set to run automatically. The user will be presented with a blank spreadsheet and a prompt to enable macros to view the content of the file.

Clicking on ‘Enable Content’ will launch a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically executed using the Windows file Rundll32.exe. That DLL file is used to download Osiris ransomware. Osiris ransomware encrypts a wide range of file types and deletes Windows Shadow Volume Copies, preventing the user from restoring the computer to the configuration before the ransomware was installed. The only option for recovery from an Osiris ransomware infection is to pay the ransom demand or to wipe the system and restore files from backups.

Protecting Networks From E-Mail-Based Ransomware and Malware Attacks

An advanced spam filtering solution such as SpamTitan can be used to block the vast majority of email-borne threats. SpamTitan performs a wide range of front line tests to rapidly identify spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP controls.

SpamTitan uses two enterprise-class anti-virus engines to scan for malicious attachments – Kaspersky Anti-Virus and ClamAV – to maximize detection rates.

SpamTitan can also be configured to block specific files attachments commonly used by cybercriminals to infect end users: EXE files and JavaScript files for example. The contents of compressed files are also automatically scanned by SpamTitan.

Host-based tests are performed to examine mail headers, while the contents of messages are subjected to a Bayesian analysis to identify common spam signatures and spam-like content. Messages are also scanned for malicious links.

These extensive tests ensure SpamTitan blocks 99.97% of spam emails, preventing malicious messages from being delivered to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.

If you want to keep your network protected from malicious spam emails and reduce reliance on employees’ spam detection abilities, contact the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and discover the difference SpamTitan makes at your organization before committing to a purchase.

W2 Phishing Scams Aplenty as Tax Season Commences

Its tax season in the United States, which means the start of scamming season. W2 phishing scams and other tax-related email and telephone scams are rife at this time of year. Businesses need to be particularly careful. There have already been a number of victims of W2 phishing scams and the year has barely started.

2016 Saw a 400% Rise in Tax Season Phishing and Malware Incidents

Tax season in the United States runs from the start of January to April 15. It is the time of year when Americans calculate how much tax they need to pay from the previous financial year. It is also a busy time for cybercriminals. They will not be filing their own tax returns however. Instead they are concentrating on filing tax returns on behalf of their victims.

In order for tax refunds to be fraudulently filed, cybercriminals need information about their victims. Given the number of data breaches that have resulted in the theft of Social Security numbers in the past 12 months, 2017 could well be a record year for tax scams.

However, while past data breaches can provide cybercriminals with the information they need to file fraudulent tax returns, tax season usually sees a massive increase in phishing scams. The sole purpose of these scams is to get victims to reveal their Social Security numbers and the other personal information necessary to file tax returns.

Since the IRS started allowing Americans to e-file their tax returns, scammers had a new option for filing fraudulent tax returns. Phishing emails claiming to have been sent by the IRS request the recipients update their IRS e-file. A link is included in the emails for this purpose. Clicking on the link in the emails will not direct the recipient to the IRS website, but a spoofed version of the site. The information entered online is then used to e-file on behalf of the victims and the scammers pocket the tax refunds.

In 2016, the IRS reported a massive increase in phishing and malware incidents. These scams and malware infections increased by an incredible 400%. The massive rise in scams prompted the IRS to issue a warning to Americans about the scams, with the IRS confirming that it does not initiate contact with taxpayers by email to request personal or financial information.

2017 is likely to be no different. Until April 15, tax-related scams are likely to be rife. All Americans should therefore be wary and must exercise caution.

Tax Season Sees a Massive Rise in W2 Phishing Scams

While consumers are at risk. Businesses in the United States are also extensively targeted at this time of year. The scammers impersonate CEOs, CFOs, and other individuals with authority and make requests for W2 data and other financial information about employees. The requests can be highly convincing and each year many employees fall for these types of scams. The scammers are well aware that some employees would be nervous about questioning a request that has been emailed from their SEO or CFO.

It is difficult to determine how many attempted W2 phishing scams took place last year, but in the first quarter of 2016, at least 41 U.S companies reported that they were the victims of successful W2 phishing scams. Employees were sent email requests to send W2 data by return and they responded. By doing so, employees’ tax information was sent directly to the scammers’ inboxes.

2017 is not yet a month old, yet already W2 phishing scams have been reported. The week, the Tipton County Schools District in western Tennessee reported that it had fallen victim to one of these W2 phishing scams. The attacker had posed as the director of the schools and had requested W2 tax data on all employees. W2 form data were then emailed to the attacker by an employee.

A similar email phishing scam was reported to have been used to attack 8 school districts in Missouri, according to a report by the Missouri Department of Elementary and Secondary Education. In this case, only one of the eight school districts responded to the scam: An employee from the Odessa School District was fooled and send the tax details of the district’s employees to the attackers.

It is not only schools that are being targeted. A hospital in Campbell County, Wyoming was attacked this week. According to a Campbell County Health news release, a hospital executive was impersonated in this attack. A 66-year old hospital worker fell for the scam and emailed W-2 information about employees as requested.

Preventing successful W2 phishing scams requires a combination of technological solutions, employee training, and updates to policies and procedures.  All employees with access to sensitive data must be advised of the risk and told to exercise caution. Policies should be introduced that require all email requests for employees’ tax information to be authenticated via telephone or other means. Organizations should also implement a robust spam filtering solution to prevent the scam emails from being delivered to employees’ inboxes.

However, if nothing is done to mitigate risk, 2017 is likely to be another record breaking year for the scammers.

Satan Ransomware: A Particularly Worrying New RaaS

You have no doubt heard of Locky and Cryptolocker, but what about Satan ransomware? Unfortunately, you may soon be introduced to this new ransomware variant. No matter where your organization is based, if you do not have a host of cybersecurity defenses to block ransomware attacks, this nasty file-encryptor may be installed on your network.

Satan Ransomware is being offered to any would-be hacker or cybercriminal free of charge via an affiliate model known as ransomware-as-a-service or RaaS. The idea behind RaaS is simple. Developers of ransomware can infect more computers and networks if they get an army of helpers to distribute their malicious software. Anyone willing to commit a little time to distributing the ransomware will receive a cut of any profits.

Ransomware authors commonly charge a nominal fee for individuals to participate in these RaaS schemes, in addition to taking a percentage of any ransomware payments that are generated. In the case of Satan ransomware, the developers offer RaaS totally free of charge. Anyone who wants to distribute the malicious software is free to do so. In exchange for their efforts they get to keep 70% of the ransom payments they generate. The remaining 30% goes to the ransomware authors. The gang behind the RaaS also offers higher percentages as infections increase as a reward for effort. All that is required to get started is to create a username and password. Access to the ransomware kit can then be gained.

What is alarming is how easy it is to participate in this RaaS scheme and custom-craft the malware. The gang behind the campaign has developed an affiliate console that allows the malware to be tweaked. The ransom amount can be easily set, as can the time frame for making payments and how much the ransom will increase if the payment deadline is exceeded.

Help is also offered with the distribution of the malware. Assistance is provided to make droppers that install the malware on victims’ systems. Help is offered to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also offered to encrypt the ransomware to avoid detection. Even multi-language support is provided. Any would-be attacker can craft ransom demands in multiple languages via the RaaS affiliate console.

Satan ransomware performs a check to determine if it is running on a virtual machine. If it is, the ransomware will terminate. If not, it will run and will search for over 350 different file types. Those files will be locked with powerful encryption. File extensions are changed to. stn and the file names are scrambled to make it harder for victims to identify individual files. The ransomware will also wipe all free space on the hard drive before the ransom demand is dropped onto the desktop.

There is no decryptor for Satan ransomware. Recovery without paying the ransom will depend on organizations being able to restore files from backups. Since the ransomware also encrypts backup files, those backups will have to be in the cloud or on isolated devices.

RaaS is nothing new, but what is so worrying about Satan ransomware is how easy it has been made for affiliates. Next to no skill is required to run a ransomware campaign and that is likely to see many individuals take part in the RaaS program.

25 Worst Passwords of 2016 Announced

Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.

Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.

Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.

If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.

To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.

The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.

The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.

Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.

SplashData’s List of the Worst Passwords of 2016

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.

List of the Worst Passwords of 2015

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.

Spate of Gmail Phishing Attacks Detected

A spate of Gmail phishing attacks has hit the headlines this week. While the phishing scam is not new – it was first identified around a year ago – cybercriminals have adopted the campaign once more. The phishing emails are used to obtain Gmail login credentials are highly convincing,. A number of different tactics are used to evade detection, some of which are likely to fool even the most security aware individuals.

The Gmail phishing attacks start with an email sent to a Gmail account. Security aware individuals would be wary about an email sent from an unknown source. However, these attacks involve emails sent from a contact in the target’s address book. The email addresses are not masked to make them look like they have come from a contact. The email is actually sent from a contact’s account that has already been compromised.

Email recipients are far more likely to open emails sent from their contacts. Many people do not perform any further checks if the sender is known to them. They assume that emails are genuine solely from the source.

However, that is not the only technique used to fool targets. The attackers also use information that has been taken from the contact’s sent and received messages and add this to the email. An screenshot of an attachment or image that has already been included in a previous email between the contact and the target is included in the message. Even if the target is slightly suspicious about receiving an email, these additional touches should allay concern.

The aim of the email is to get the target to click on the image screenshot. Doing so will direct them to a Gmail login page where the target is required to sign in again. While this is perhaps odd, the page that the user is directed to looks exactly as it should. The page exactly mirrors what the user would normally expect.

Checking the website address bar should reveal that the site is not genuine; however, in this case it does not. The address bar shows the site is secure – HTTPS – and the web address includes accounts.google.com. The only sign of the scam is the inclusion of ‘data.text/html’ before accounts.google.com in the address bar.

Entering in account credentials will send that information directly to the attackers. The response is lightning quick. Account credentials are immediately used to log into the victim’s account. Before the victim even suspects they have been scammed, the entire contents of their Gmail account could be stolen, including sent and received emails and the address book. Contacts will be subjected to these Gmail phishing attacks in the same fashion.

Google is aware of the scam and is currently developing mitigations to prevent these types of attacks from occurring. In the meantime, however, users of Gmail should be particularly wary. Many users just glance at the address bar and look for the HTTPS and the web address. Failure to very carefully check the address bar and protocol before entering login credentials can – and certainly will in this case – result in the user’s account being compromised. Gmail accounts contain a huge amount of personal information. Information that could be used in future spear phishing attacks, extortion attempts, and other scams on the target and their contacts.