TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement and can be seamlessly integrated into MSPs' service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
The Emotet botnet took a Christmas holiday, but it's now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro which runs a PowerShell command that downloads and executes the Emotet Trojan.
The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.
The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.
Emotet sprung back to life on January 13, 2020 with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese and Chinese.
The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host of new lures can be expected in 2020.
The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.
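The delivery chain described above (a document macro launching PowerShell, which in turn downloads the Trojan) leaves a characteristic trace in endpoint process-creation telemetry: an Office application as the parent of a script host. The following detection logic is an added example written for this article, not code from TitanHQ or any product it sells. The event records and host names are constructed to mimic the fields of a Sysmon Event ID 1 or Windows 4688 entry; the weights, thresholds and field names are assumptions.

```python
"""Score process-creation events for the Office-spawns-PowerShell pattern.

An Office parent launching a script host is treated as a strong signal on its
own; common macro-stage command-line traits (hidden window, no profile,
encoded command, download cradle) add to the score so that obfuscated
launches from other parents are caught as well.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_CHILD_WEIGHT = 3   # assumption: enough to alert on its own
ALERT_THRESHOLD = 3

# Command-line traits typical of a macro-launched download-and-execute stage.
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), "no profile"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"), "download cradle"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "invoke-expression"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> tuple:
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    parent = basename(ev["parent_image"])
    child = basename(ev["image"])
    score = 0
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += OFFICE_CHILD_WEIGHT
        reasons.append(f"office parent {parent} spawned {child}")
    for rx, label in SUSPICIOUS_ARGS:
        if rx.search(ev.get("command_line", "")):
            score += 1
            reasons.append(label)
    return score, reasons


def find_alerts(events, threshold: int = ALERT_THRESHOLD) -> list:
    """Return alert records for events whose score meets the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real logs). WS01 is a legitimate admin
# script; WS02 is the macro pattern; WS03 shows obfuscation traits without an
# Office parent. The -enc payload is a placeholder string, not real content.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "WS02", "pid": 5388, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFB"},
    {"host": "WS03", "pid": 6012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFB"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run over the samples, WS02 scores 6 (Office parent plus three traits) and WS03 scores 3, while the explorer-launched backup script on WS01 scores 0. The weights are deliberately simple; in production the same pattern is usually expressed as a SIEM or EDR rule, with the Office-parent condition kept as a separate high-fidelity alert.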
There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.
SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.
Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.
Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.
Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.
The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.
The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.
The attackers claimed to have stolen large quantities of customer data from Travelex. The attackers threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the Sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, and Social Security numbers and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.
Warning Issued About Travelex Phishing Scams
Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.
Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.
For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.
Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.
A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and condition them how to respond when suspicious emails are received.
A new ransomware threat – Ako ransomware – has emerged which is targeting business networks and is being distributed via spam email. The ransomware is being offered to affiliates under the ransomware-as-a-service model and the aim of the attackers is clear: to maximize the probability of payment of the ransom by making recovery harder, and to steal data prior to encryption to ensure the attack is still profitable if the ransom is not paid. Having the data could also help convince the victims to pay up, as we have seen in recent attacks involving Maze and Sodinokibi ransomware, where threats are issued to publish stolen data if the ransom is not paid.
The developers of Ako ransomware appear to be going for large ransom payments, as they are not targeting individual workstations but rather the entire network. The ransomware scans local networks for other devices and will encrypt network shares. The ransomware deletes shadow copies and recent backups and disables Windows recovery to make recovery more difficult without paying the ransom.
Encrypted files are given a randomly generated file extension and retain the original file name. No ransom amount is stated in the ransom note. Victims are required to contact the attackers to find out how much they will need to pay for the keys to decrypt their files.
One of the intercepted emails being used to distribute the ransomware uses a password-protected zip file as an attachment. The email appears to be a business agreement which the recipient is asked to check. The password to open and extract the file is included in the message body. The zip file attachment – named agreement.zip – contains an executable file which will install Ako ransomware if it is run. The malicious file is called agreement.scr.
There is no free decryptor for Ako ransomware. Recovery without paying the ransom will depend on whether viable backups exist that have not also been encrypted. It is therefore important to make sure backups are regularly performed and at least one copy of the backup is stored on a non-networked device to prevent it also being encrypted by the ransomware. Backups should also be tested to make sure file recovery is possible.
Since Ako ransomware is being distributed via spam email, this gives businesses an opportunity to block an attack. An advanced spam filtering solution should be implemented that scans all inbound messages using a variety of detection mechanisms to identify malware and ransomware threats. A sandbox is an important feature as this will allow email attachments to be analyzed for malicious activity. This feature will improve detection rates of zero-day threats.
End user training is important to ensure that employees do not open potentially malicious files. Training should condition employees never to open email attachments in unsolicited emails from unknown senders. As this campaign shows, any password-protected file sent in an unsolicited email is a big red flag. This is a common way that ransomware and malware is delivered to avoid detection by antivirus solutions and spam filters.
Anti-spam solutions and antivirus software will not be able to detect the threat directly if malicious files are sent in password-protected archives, which can only be opened if the password is entered. Rules should therefore be set to quarantine password-protected files, which should only be released after they have been manually checked by an administrator. With SpamTitan, these rules are easy to set.
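A gateway cannot scan the contents of a password-protected archive, but it can still see enough of the container to make the quarantine decision described above: member names live in the zip central directory in clear text, and bit 0 of each member's general-purpose flag records whether the data is encrypted. The inspector below is an added example written for this article, not SpamTitan's rule engine or any TitanHQ code. The attachment it examines is constructed in memory to mirror the campaign's agreement.zip / agreement.scr pairing; the helper that builds it only sets the encryption flag rather than actually encrypting anything, which is all the check relies on. The extension list is an assumption.

```python
"""Quarantine decision for zip attachments without extracting them.

Reads only the central directory, so it works on password-protected
archives too; anything encrypted, unparseable or carrying an executable
member is held for manual review.
"""
import io
import os
import struct
import zipfile

# Assumed list of extensions that should never arrive unchecked by e-mail.
DANGEROUS_EXT = {".scr", ".exe", ".pif", ".com", ".js", ".jse", ".vbs",
                 ".bat", ".cmd", ".ps1", ".hta"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a verdict for one attachment: 'deliver' or 'quarantine' plus reasons."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reasons": ["archive does not parse"],
                "encrypted": False, "members": [], "dangerous": []}
    members = [i.filename for i in infos]
    # Bit 0 of the general-purpose flag is set for both traditional PKWARE
    # encryption and WinZip AES; the name list is readable either way.
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    dangerous = [m for m in members if os.path.splitext(m.lower())[1] in DANGEROUS_EXT]
    reasons = []
    if encrypted:
        reasons.append("password-protected archive; hold for manual review")
    if dangerous:
        reasons.append("executable member(s): " + ", ".join(dangerous))
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons,
            "encrypted": encrypted, "members": members, "dangerous": dangerous}


def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test attachment. With encrypted=True only the flag bit is
    set (local header offset 6, central directory entry offset 8); the payload
    itself is left as-is, which is sufficient to exercise the gateway check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flag = struct.unpack_from("<H", data, pos + off)[0]
                struct.pack_into("<H", data, pos + off, flag | 0x1)
                pos = data.find(sig, pos + 1)
    return bytes(data)


if __name__ == "__main__":
    suspicious = build_sample_zip("agreement.scr", b"MZ constructed stub", encrypted=True)
    benign = build_sample_zip("report.txt", b"quarterly figures", encrypted=False)
    print(inspect_zip_attachment(suspicious))
    print(inspect_zip_attachment(benign))
```

The constructed agreement.zip is quarantined twice over (encrypted, and carrying a .scr), while a plain archive holding a text file is delivered. Because the check never opens member data, it is cheap enough to run on every inbound archive, and the quarantine queue can then be released by an administrator who has supplied the password and scanned the contents.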
Ako ransomware is one of many new ransomware threats that have been released in recent months. High profile attacks on companies such as Travelex that see massive ransom demands issued, which in many cases are paid, show a huge payday is possible.
Ransomware developers will keep developing new threats for as long as attacks remain profitable, and there is not likely to be a shortage of affiliates willing to run spamming campaigns to get their slice of the ransom payments.
With the attacks increasing, it is essential for you to have strong defenses that can detect and block malware, ransomware, and phishing threats, and that is an area where TitanHQ can help.
To find out more about how you can improve your defenses against email and web-based threats, give the TitanHQ team a call today.
The Travelex ransomware attack that started around December 31, 2019 is one of several recent ransomware attacks where threat actors have upped the ante by threatening to publish data stolen from victims prior to the deployment of ransomware.
A New Trend in Ransomware Attacks
Most ransomware attacks, especially those conducted by affiliates using ransomware-as-a-service, see ransomware deployed instantly. An employee receives a ransomware attachment via email, opens the attachment, and the encryption process is started. Now, several threat actors have taken steps to increase the probability of their ransom demand being paid.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has recently issued warnings about changing ransomware tactics, which now involve data theft prior to file encryption. The tactic itself is nothing new, as several threat actors have been conducting these types of attacks for some time, but attacks of this nature have been increasing.
Once access to the network is gained, the attackers move laterally and gain access to as many devices as possible. Data is stolen and when the attackers have stolen as much as they want, ransomware is deployed. In these types of attacks, the time between the initial compromise and deployment of ransomware is typically several months.
Data may be stolen and sold online with the ransomware deployed as a coup de grace after a long-term compromise to extort money from the company. Now it is increasingly common for a threat to be issued along with the ransom demand that the stolen data will be published or sold if the ransom is not paid.
This tactic has been adopted by the threat actors behind Maze ransomware and they have gone ahead and published stolen data when the ransom was not paid. The threat actors using MegaCortex ransomware and LockerGoga ransomware have similarly issued threats.
Now the gang behind Sodinokibi (REvil) ransomware has also changed tactics and has started issuing threats to publish stolen data. The Sodinokibi gang had made several threats to sell on or publish stolen data, but it was only recently that they did just that. The gang attacked Artech Information Systems, one of the largest IT staffing companies in the U.S. When the ransom demand was not paid, 337MB of stolen data was published on a Russian hacking and malware forum. The Travelex ransomware attack is one of the latest Sodinokibi ransomware attacks, and a threat to publish stolen data was similarly issued.
The Travelex Ransomware Attack
On New Year’s Eve, Travelex took its systems offline to contain the infection and limit the damage caused. More than two weeks on, Travelex systems are still offline although the company is now starting to restore some of its systems. The number of branches affected by the attack, and banks and other companies that rely on its currency exchange services, makes this one of the most serious and damaging ransomware attacks ever.
With its systems offline, Travelex has been unable to provide its currency services to banks such as HSBC, Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, all of which rely on Travelex for providing their currency services. Many other companies, such as the supermarket chains Sainsbury’s and Tesco, have also had to stop providing online currency services to their customers. Travelex has been forced to provide services manually using pen and paper for over the counter currency exchanges in its branches. More than 70 countries in which Travelex operates were affected by the attack.
Travelex has only released a limited amount of information about the attack, but the attackers have been in contact with several media outlets. Initial reports suggested a payment of $3 million was required for the keys to unlock the encryption, although the demand doubled to $6 million when payment was not received within the stipulated 2 days. The attackers also threatened to publish data stolen in the attack if the payment was not made within 7 days.
Travelex issued a statement saying no customer data was breached and that the infection was contained, a position that has been maintained since the attack, even though the Sodinokibi gang has threatened to publish customer data.
The Sodinokibi ransomware gang, through a spokesperson, said the gang had stolen 5GB of customer data including customers’ names, dates of birth, credit card information, Social Security numbers, and National Insurance numbers. The gang claimed that all stolen data would be deleted and would not be used if the ransom demand was paid, but that the data would be sold if payment was not received. The gang also said access to Travelex systems was gained 6 months before the ransomware was deployed.
How Was Travelex Attacked?
It is not known at this stage exactly how ransomware was installed on its network, but several security researchers have offered some clues. According to BleepingComputer, Travelex was using insecure services prior to the attack. Security researcher Kevin Beaumont found Travelex had AWS Windows servers that did not have Network Level Authentication enabled, which could have given the attackers the opportunity they needed to launch an attack.
A critical vulnerability in the Pulse Secure VPN enterprise solution for secure communications – CVE-2019-11510 – was identified and was patched by Pulse Secure on April 24, 2019, but many companies were slow to apply the patch, despite receiving multiple warnings from Pulse Secure. An exploit for the vulnerability was made public on August 21, 2019.
Troy Mursch, chief research officer at Bad Packets, found that Travelex had not applied the patch by the time the exploit was released. The Sodinokibi ransomware gang said they compromised Travelex 6 months prior to the deployment of ransomware. This could have been the vulnerability that was exploited.
Recovery Now Well Underway
On January 13, 2020, more than 2 weeks after the ransomware attack was experienced, Travelex issued a statement confirming that the recovery process was well underway, although the firm’s website was still offline. The company had started restoring its currency services to banks and its own network. Internal order processing has been restored and customer-facing systems are slowly being brought back online. What Travelex has not confirmed is whether the ransom was paid. No Travelex data appears to have been published online so it is possible that a ransom payment has been negotiated with the attackers.
Cost of the Travelex Ransomware Attack
The ransom payment is considerable but is likely to be several orders of magnitude less than the costs of downtime and disruption to its services.
No customer data appears to have been misused, but Travelex could still face a barrage of lawsuits from customers, and the Information Commissioner’s Office and other data protection authorities may choose to fine Travelex over the data breach, either for the exposure of data or for the failure to report under GDPR.
GDPR requires data breaches to be reported to data protection authorities within 72 hours and it appears that did not happen. The maximum financial penalty for a GDPR violation is €20 million or 4% of a company’s global annual turnover, whichever is greater. Travelex’s global annual turnover in 2018 was $947.86 million. A fine of $189.57 million could therefore be issued. It should be noted that even if data was not stolen by the attackers and was just made inaccessible, it still counts as a reportable data breach under GDPR.
A payment of $6 million to the attackers would only be a tiny proportion of the total losses from downtime, lost business, lawsuits, and regulatory fines.