Category Archives: ransomware

Victims Of Ransomware Attacks Have Paid $25 Million Last Two Years, Report Says

CBS Local — Ransomware, the malware hackers use to lock victims’ computers and demand money to unlock them, has garnered more than $25 million in payments for those responsible for deploying the viruses in just the last two years, The Verge reports. In a study of 34 separate cases of ransomware, researchers from Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering were able to map out the ransomware underworld in more detail. Specifically, they discovered Locky, a strain of ransomware that has alone accrued more than $7 million in payments. “Locky’s big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines,” said Damon McCoy, a professor at NYU who worked on the study. “Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business.” Ransomware is a scary byproduct for many and is becoming more and more frequent as the digital world continues to evolve. Antivirus software is the main defense against ransomware. It blocks code similar to known ransomware viruses, but hackers have adapted by creating ransomware that automatically changes its code once detected.

Denver Company Has Advice For Those Affected By Ransomware

DENVER (CBS4) – It’s being called a case of high-tech extortion. The WannaCry ransomware has infected computers in the U.S. and across the globe. The hackers demand money to let computer users back into their computer files. It’s impacted more than 300,000 machines in 150 countries. CBS4 Investigator Rick Sallinger found a cyber-security company in Denver called Red Canary that monitors clients’ computer operations to try to prevent them from being hit with devastating bugs.

The WannaCry ransomware demands hundreds of dollars to free up a computer. “By the time you get here the attacker has already encrypted all your files,” said Chris Rothe, CEO of Red Canary. A clock demonically counts down the time until files can no longer be restored.

Rothe says those who get the ransomware have a couple of choices. “One is to pay the ransom and hope that the attacker is actually going to give you the encryption key to get your data back, or just deal with the fact that data is gone,” he said.

CBS4’s Rick Sallinger interviews Chris Rothe, CEO of Red Canary (credit: CBS)

The bug is believed to be spread in part by email. “We have a small number of affected parties in the U.S. including FedEx,” said Homeland Security Adviser Tom Bossert.

Those who are affected are advised to call law enforcement and not to pay the ransom, as they might not get their files back anyway.

Surfer Works From Bedroom To Beat Worldwide WannaCry Cyberattack

ILFRACOMBE, England (AP) — As a vast “ransomware” attack raced from computer to computer, infecting tens of thousands around the world, a young tech expert worked from his bedroom in England to bring the rampage to a halt. But Marcus Hutchins doesn’t consider himself a hero. The 22-year-old credited with cracking the WannaCry cyberattack told The Associated Press he fights malware because “it’s the right thing to do.” In his first face-to-face interview, Hutchins, who works for Los Angeles-based Kryptos Logic, said late Monday that hundreds of computer experts worked throughout the weekend to fight the virus, which paralyzed computers in some 150 countries. “I’m definitely not a hero,” he said. “I’m just someone doing my bit to stop botnets.” In the first hours after the virus struck Friday, the computer whiz and surfing enthusiast who lives with his family in a small seaside town in southwest England discovered a so-called “kill switch” that slowed the unprecedented outbreak. He then spent the next three days fighting the worm that crippled Britain’s hospital network as well as factories, government agencies, banks and other businesses around the world. WannaCry paralyzed computers running mostly older versions of Microsoft Windows by encrypting users’ computer files and displaying a message demanding a ransom of $300 to $600 to release them; failure to pay would leave the data mangled and likely beyond repair. Hutchins said he came across the solution when he was analyzing a sample of the malicious code and noticed it was linked to an unregistered web address. He promptly registered the domain, something he regularly does to discover ways to track or stop cyber threats, and found that stopped the worm from spreading.
Kryptos Logic chief executive Salim Neino said Hutchins’ quick work allowed him to slow the virus on Friday afternoon European time, before it could fully affect the United States. “Marcus, with the program he runs at Kryptos Logic, not only saved the United States but also prevented further damage to the rest of the world,” Neino said in an interview from Venice, Italy. “Within a few moments, we were able to validate that there was indeed a kill switch. It was a very exciting moment.” Neino said the worm was “poorly designed” – patched together and a “sum of different parts” with an unsophisticated payment system. Kryptos Logic is one of hundreds of companies working to combat online threats for companies, government agencies and individuals around the world. Hutchins himself is part of a global community that constantly watches for attacks and works to thwart them, often sharing information on Twitter. It’s not uncommon for members to use aliases, to protect from retaliatory attacks and ensure privacy, and Hutchins has long tweeted under the handle MalwareTech, which features a profile photo of a pouty-faced cat wearing enormous sunglasses. But he realizes his newfound fame will mean an end to the anonymity. “I don’t think I’m ever going back to the MalwareTech that everyone knew,” said the curly-haired young man, shrugging and flashing a winning smile. Hutchins’ mother Janet, a nurse, couldn’t be prouder – and was happy to have the veil of anonymity lifted. When her son made the breakthrough, she said, she wanted to tell the world about it. “I wanted to scream, but I couldn’t,” she said. And now he’s a celebrity. He’s been in touch with the FBI, as well as British national cyber security officials. His new life is likely to be a big adjustment. Hutchins works out of his bedroom in the seaside resort town of Ilfracombe on a sophisticated computer setup with three large screens. The concept of celebrity was clearly foreign to him. 
He was nervous about giving an interview. The journalists were given the address minutes before it started, and had to provide a password before Hutchins would let them in. As he did a sound-check for the camera, he was so anxious he misspelled his last name, giving it as “H-U-T-C-H-I-S,” without the “n.” His mother made tea and coffee for the visitors. Once Hutchins started to talk, he relaxed. Constantly smiling, he was shy and polite, and happy to explain how he fights malware. He said he was eager to get through the media frenzy and go back to his normal life. “I felt like I should agree to one interview,” he said. Many will be following his next moves. CyberSecurity Ventures, which tracks the industry, estimates global spending on cybersecurity will jump to $120 billion this year from just $3.5 billion in 2004. It forecasts expenditures will grow between 12 percent and 15 percent annually for the next five years. “While all other technology sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime,” the firm said in a February report. “The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it’s become nearly impossible for analysts to keep track.” After more analysis, Hutchins, an avid surfer, plans to take a vacation – traveling to Las Vegas and California on the company dime. One guess on what he’ll be doing: Yes, surfing. On waves this time.

© Copyright 2017 The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.

Experts See Possible North Korea Links To Global Cyberattack

SEOUL, South Korea (AP) — Cybersecurity experts are pointing to circumstantial evidence that North Korea may be behind the global “ransomware” attack: the way the hackers took hostage computers and servers across the world was similar to previous cyberattacks attributed to North Korea. Simon Choi, a director at South Korean anti-virus software company Hauri Inc. who has analyzed North Korean malware since 2008 and advises the government, said Tuesday that the North is no newcomer to the world of bitcoins. It has been mining the digital currency using malicious computer programs since as early as 2013, he said. In the attack, hackers demand payment from victims in bitcoins to regain access to their encrypted computers. The malware has scrambled data at hospitals, factories, government agencies, banks and other businesses since Friday, but an expected second-wave outbreak largely failed to materialize after the weekend, in part because security researchers had already defanged it. Choi is one of a number of researchers around the world who have suggested a possible link between the “ransomware” known as WannaCry and hackers linked to North Korea. Researchers at Symantec and Kaspersky Lab have found similarities between WannaCry and previous attacks blamed on North Korea. While Choi’s speculation may deepen suspicions that the nuclear-armed state is responsible, the evidence is still far from conclusive. Authorities are working to catch the extortionists behind the global cyberattack, searching for digital clues and following the money. “We are talking about a possibility, not that this was done by North Korea,” Choi said.

ABOUT THAT NORTH KOREA LINK

WannaCry paralyzed computers running mostly older versions of Microsoft Windows in some 150 countries. It encrypted users’ computer files and displayed a message demanding $300 to $600 worth of the digital currency bitcoin to release them; failure to pay would leave the data scrambled and likely beyond repair. The hackers appeared to have taken control of computers and servers around the world by sending a type of malicious code known as a worm to file-sharing protocols. The worm quickly scanned for vulnerable computers, in this case those running older versions of Microsoft Windows, and used those computers as the hackers’ command and control centers. This method, which allows quick and massive infections of computers with security weaknesses, has been found in previously known North Korean cyberattacks, including the Sony hack in 2014 blamed on North Korea. “Since a July 2009 cyberattack by North Korea, they used the same method,” Choi said. “It’s not unique in North Korea but it’s also not a very common method.” Choi also cited an accidental communication he had last year with a hacker traced to a North Korean internet address who admitted development of ransomware. South Korea was mostly spared from the latest ransomware attack, partly because constant threats from the North have made the government and companies careful about always updating their software. South Korea has been a frequent target of cyberattacks that it traced to its northern neighbor. Some high-profile attacks between 2009 and 2013 shut down government websites and banking systems and paralyzed broadcasters. On Monday, the Russian security firm Kaspersky Lab said portions of the WannaCry program use the same code as malware previously distributed by the Lazarus Group, a hacker collective behind the 2014 Sony hack. But it’s possible the code was simply copied from the Lazarus malware without any other direct connection. Kaspersky said “further research can be crucial to connecting the dots.” Another security company, Symantec, has also found similarities between WannaCry and Lazarus tools, and said it’s “continuing to investigate for stronger connections.” If North Korea, believed to be training cyber warriors at schools, is indeed responsible for the latest attack, Choi said the world should stop underestimating its capabilities and work together to think of a new way to respond to cyber threats, such as having China pull the plug on North Korea’s internet. “We have underestimated North Korea so far that since North Korea is poor, it wouldn’t have any technologies. But North Korea has been preparing cyber skills for more than 10 years and its skill is significant. We should never underestimate it,” Choi said.

FOLLOW THE MONEY

Researchers might find some additional clues in the bitcoin accounts accepting the ransom payments. There have been three accounts identified so far, and there’s no indication yet that the criminals have touched the funds. Although bitcoin is anonymized, researchers can watch it flow from user to user. So investigators can follow the transactions until an anonymous account matches with a real person, said Steve Grobman, chief technology officer with the California security company McAfee. But that technique is no sure bet. There are ways to convert bitcoins into cash on the sly through third parties. And even finding a real person might be no help if they’re in a jurisdiction that won’t cooperate.

TELL-TALE SIGNS

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said U.S. investigators are collecting forensic information – such as internet addresses, samples of malware or information the culprits might have inadvertently left on computers – that could be matched with the handiwork of known hackers. Investigators might also be able to extract some information about the attacker from a previously hidden internet address connected to WannaCry’s “kill switch.” That switch was essentially a beacon sending the message “hey, I’m infected” to the hidden address, Weaver said. That means the very first attempts to reach that address, which might have been recorded by spy agencies such as the NSA or Russian intelligence, could lead to “patient zero” – the first computer infected with WannaCry. That, in turn, might further narrow the focus on possible suspects.

THE PLAYERS

Forensics, though, will only get investigators so far. One challenge will be sharing intelligence in real time to move as quickly as the criminals – a tricky feat when some of the major nations involved, such as the U.S. and Russia, distrust each other. Even if the perpetrators can be identified, bringing them to justice could be another matter. They might be hiding out in countries that wouldn’t be willing to extradite suspects for prosecution, said Robert Cattanach, a former U.S. Justice Department attorney and an expert on cybersecurity. On the other hand, the WannaCry attack hit – and annoyed – many countries. Russia was among the hardest hit, and Britain among the most high-profile, and both have “some pretty good investigative capabilities,” Cattanach said.

Global “Ransomware” Attack Spreads To More Than 200,000 Computers

CHICAGO (CBS) — Companies in the United States and around the world were bracing for a second wave of problems from a weekend cyber attack on Monday, after a “ransomware” attack hit dozens of nations on Friday. Experts said the WannaCry attack has spread to at least 150 countries. When it first surfaced late last week, many overseas businesses already had closed shop for the weekend. As those businesses began coming online again Monday, many were finding the ransomware had infected their systems. The hackers responsible for the attack were demanding $300 ransoms, threatening to erase all the data on infected computers if they aren’t paid. More than 200,000 computers have been infected, and many more were at risk. “We could have hundreds of thousands, potentially millions of computers that are turned on on Monday that could be vulnerable,” said Proofpoint senior security research engineer Darien Huss. It took Huss 10 minutes to disable the malware that hit computers over the weekend, helping contain the ransomware before hackers started spreading new strains. The ransomware has since been recoded, allowing it to bypass the kill switch that Huss and a British researcher helped turn on over the weekend to protect countless computers from the attack.

Log In, Look Out: Cyber Chaos May Grow At Workweek’s Start

LONDON (AP) — Employees booting up computers at work Monday could see red as they discover they’re victims of a global “ransomware” cyberattack that has created chaos in 150 countries and could wreak even greater havoc as more malicious variations appear. As a loose global network of cybersecurity experts fought the ransomware hackers, officials and experts on Sunday urged organizations and companies to update older Microsoft operating systems immediately to ensure they aren’t vulnerable to a more powerful version of the software — or to future versions that can’t be stopped. The initial attack, known as “WannaCry,” paralyzed computers that run Britain’s hospital network, Germany’s national railway and scores of other companies and government agencies worldwide in what was believed to be the biggest online extortion scheme so far. Microsoft blamed the U.S. government for “stockpiling” software code that was used by unknown hackers to launch the attacks. The hackers exploited software code from the National Security Agency that leaked online. The company’s top lawyer said the government should report weaknesses they discover to software companies rather than seek to exploit them. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” attorney Brad Smith wrote on Microsoft’s blog. New variants of the rapidly replicating worm were discovered Sunday and one did not include the so-called kill switch that allowed researchers to interrupt its spread Friday by diverting it to a dead end on the internet. Ryan Kalember, senior vice president at Proofpoint Inc. which helped stop its spread, said the version without a kill switch was able to spread but was benign because it contained a flaw that wouldn’t allow it to take over a computer and demand ransom to unlock files. However, he said it’s only a matter of time before a malevolent version exists. 
“I still expect another to pop up and be fully operational,” Kalember said. “We haven’t fully dodged this bullet at all until we’re patched against the vulnerability itself.” The attack held users hostage by freezing their computers, popping up a red screen with the words, “Oops, your files have been encrypted!” and demanding money through online bitcoin payment — $300 at first, rising to $600 before it destroys files hours later. The ransomware attack was particularly malicious, because if just one person in an organization clicked on an infected attachment or bad link, all the computers in a network would be infected, said Vikram Thakur, technical director of Symantec Security Response. “That’s what makes this more troubling than ransomware was a week ago,” Thakur said. It hit 200,000 victims across the world since Friday and is seen as an “escalating threat,” said Rob Wainwright, the head of Europol, Europe’s policing agency. “The numbers are still going up,” Wainwright said. “We’ve seen that the slowdown of the infection rate over Friday night, after a temporary fix around it, has now been overcome by a second variation the criminals have released.” The effects were felt around the globe, disrupting computers that run factories, banks, government agencies and transport systems in nations as diverse as Russia, Ukraine, Brazil, Spain, India and the U.S. Britain’s National Health Service was hit hard, while Russia’s Interior Ministry and companies including Spain’s Telefonica, FedEx Corp. in the U.S. and French carmaker Renault all reported disruptions. Chinese media reported that more than 29,000 institutions in the country had been hit, with universities and other educational entities the hardest hit, along with railway services and retailers. Japanese broadcaster NTV reported 600 companies in that country had been hit, and automaker Nissan and the Hitachi conglomerate said they were addressing the problem at their units that were affected. 
The full extent of the attack won’t become fully clear until people return to their workplaces Monday, for the first time after the attacks. Many may click infected email attachments or bad links and spread the virus further. “It’s this constant battle,” said Ryan O’Leary, vice president of WhiteHat Security’s threat research center. “The bad guys are always one step ahead.” The White House held emergency meetings Friday and Saturday to assess the global cyber threat, a White House official said Sunday. No details were disclosed. The official was not authorized to discuss the private meetings by name and requested anonymity. It was too early to say who was behind the onslaught, which struck 100,000 organizations, and what their motivation was, aside from the obvious demand for money. So far, not many people have paid the ransom demanded by the malware, Europol spokesman Jan Op Gen Oorth told The Associated Press. Researchers who helped prevent the spread of the malware and cybersecurity firms worked around the clock during the weekend to monitor the situation and install a software patch to block the worm from infecting computers in corporations across the U.S., Europe and Asia. “Right now, just about every IT department has been working all weekend rolling this out,” said Dan Wire, spokesman at Fireeye Security. Businesses, government agencies and other organizations were urged to quickly implement a patch released by Microsoft Corp. The ransomware exploits older versions of Microsoft’s operating system software, such as Windows XP. Installing the patch is one way to secure computers against the virus. The other is to disable a type of software that connects computers to printers and faxes, which the virus exploits, O’Leary added. Microsoft distributed a patch two months ago that could have forestalled much of the attack, but in many organizations it was likely lost among the blizzard of updates and patches that large corporations and governments strain to manage. 
“It’s one of those things, in a perfect world, if people were up to date on the patches, this wouldn’t be a problem,” O’Leary said. “But there are so many things to patch. The patch lists can be ginormous. It can be tough to tell which patch is important, until it is too late.”

Fears Next Global Cyberattack Could Hit Infrastructure, Nuclear Plants, Railways

REDMOND, Wash. (AP) — A cybersecurity expert says the biggest cyberextortion attack in history is going to be dwarfed by the next big ransomware attack. Ori Eisen, an expert in Arizona, says the cyberattack Friday that held hospitals, factories and government agencies hostage around the world appears to be “low-level” stuff, given the ransom demands. But he says the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems. Eisen says “this is child’s play, what happened. This is not the serious stuff yet. What if the same thing happened to 10 nuclear power plants, and they would shut down all the electricity to the grid? What if the same exact thing happened to a water dam or to a bridge?” Eisen says the internet itself is diseased and these attacks will continue until some serious restructuring is done. He says “today, it happened to 10,000 computers … there’s no barrier to do it tomorrow to 100 million computers.” A young cybersecurity researcher has been credited with helping to halt the spread of the global ransomware cyberattack by accidentally activating a so-called “kill switch” in the malicious software. The 22-year-old Britain-based researcher, identified online only as MalwareTech, found that the software’s spread could be stopped by registering a garbled domain name. The paper quoted the researcher as saying: “This is not over. The attackers will realize how we stopped it, they’ll change the code and then they’ll start again.” He urged Windows users to update their systems and reboot. The worldwide cyberextortion attack has been called “unprecedented” by Europol, which is investigating who is behind it. The attack has also prompted Microsoft to take the unusual step of making security fixes available for older Windows systems. Before this, Microsoft had made fixes for older systems, such as 2001’s Windows XP, available only to mostly larger organizations that pay extra for extended support.
But millions of individuals and smaller businesses still had such systems. Microsoft says now it will make the fixes free for everyone. Friday’s attack was based on a Windows vulnerability that was purportedly identified by the U.S. National Security Agency and was later leaked to the internet. Microsoft released fixes for the vulnerability in March, but computers that didn’t run the update were subject to the ransom attack. Once inside an organization’s network, the malware behind the attack spread rapidly using this vulnerability.

Scammers Trick Consumers Into Believing Their Computers Are Infected

SAN FRANCISCO (CBS SF) — As tens of thousands of computers in countries around the world were being attacked by hackers demanding bitcoin payment on Friday, the U.S. Federal Trade Commission and its state partners were urging internet users to take measures to protect themselves online. The ransomware attacks that crippled computer systems in over 60 countries Friday were likely caused when people either clicked on or downloaded malicious files. Aside from these threats, federal and state authorities warned consumers about scammers who try to gain access to people’s computers by claiming viruses or malware have been found on their computers, and that they can help get rid of them. “We released the consumer alert regarding tech support scams this morning ahead of the news of the malware cyberattack,” California Attorney General spokeswoman Tania Mercado told CBS San Francisco Friday. “However, today’s news of the attack is a reminder of the importance of remaining vigilant about these types of scams and protecting consumers against attacks on their personal computers.” The FTC, along with federal, state and international law enforcement partners on Friday announced “Operation Tech Trap,” a crackdown on scammers who trick consumers into believing their computers are infected with viruses and malware, and then charge them hundreds of dollars for unnecessary repairs. Tech support scammers use convincing tactics to make the consumer believe their computer has been infected. In the scams — and in the real cybersecurity breaches on Friday — computer users often see countdown clocks, allegedly representing the time remaining before the computer hard drive will be deleted. While the ransomware attacks on Friday appear to be a real cybersecurity threat that will delete files from computers, by taking advantage of vulnerabilities purportedly identified by the U.S. National Security Agency, the scammers don’t actually have access to the user’s computer yet. 
The scammers, according to the California Attorney General’s Office, claim there is a virus, have the user call a phone number, and then try to get the user to grant the scammer access to their computer. Then they demand the user pay them for repairs and anti-virus programs. In the global cybersecurity breaches happening on Friday, the attackers appear to want payment in bitcoin and hold files on the user’s computer hostage until they receive payment. By Hannah Albarazi – Follow her on Twitter: @hannahalbarazi.