KnowBe4 Cautions to Guard Against Targeted Hybrid Ransomware


New FBI and Microsoft alerts drive home the exponential growth and innovation of ransomware attacks

(Tampa Bay, FL) March 23, 2016-- KnowBe4 cautioned companies to heed new FBI and Microsoft alerts, warning of hybrid targeted ransomware attacks that attempt to encrypt an organization’s entire network. Criminal hackers have upped the ante. They are changing their approach and penetrate a network, wipe out all backups, infect all key machines with ransomware and then demand payment. The latest method uses a little-known strain of ransomware called "Samas", first discovered in 2014. According to research reports by Microsoft, the majority of infections thus far have been detected in North America, with a few instances in Europe.

KnowBe4’s CEO Stu Sjouwerman said, “It is not clear yet if the current attack starts with phishing emails which infect a single workstation with ransomware and then installs a Trojan that allows the hackers into the network, or if the network gets penetrated first and subsequently gets infected with ransomware. It could very well be that both attack vectors are used.

Microsoft posted their technical analysis of Samas on TechNet with a detailed overview noting that first an attack-scan gets launched, looking for vulnerabilities, and then malware gets deployed using the PSEXEC tool.

SAMAS_schematic-1.png

Figure 1 - Source: Microsoft

The FBI wrote the first alert Feb 18, 2016, and Microsoft published their analysis on March 17, 2016. IntelSecurity also published a PDF with more details about this hybrid attack. The FBI calls it an "aggressive campaign" which initially targeted vulnerable JBOSS applications allowing the hackers in and then infecting the network.

Intel said: "During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.

These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files.  By separating particular functions from the ransomware binary, executing certain actions using free available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases that spread wherever possible.

Sjouwerman commented, “It looks like targeted ransomware attacks have indeed arrived and will be around awhile."

KnowBe4 offered tips on prevention and mitigation:

  1. Keep all software applications up to date and patched

  2. Use strong passwords

  3. Disable the loading of Macros in Office programs through Group Policy settings described in an earlier KnowBe4 post

  4. Implement strong backup and recovery policy, such as the 3-2-1 rule (3 copies, 2 different media, 1 offsite).

  5. KnowBe4 offers a 20-page Ransomware Hostage Rescue Manual with actionable information to prevent infections and what to do when hit with ransomware.

For more information, visit www.knowbe4.com

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning, anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training.

Thousands of organizations, in a variety of industries, including highly-regulated fields, such as healthcare, finance, energy, government, and insurance have mobilized their end users as a first line of defense using KnowBe4. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” For more information, visit www.knowbe4.com and follow on @KnowBe4 Twitter.

 

 

Get the latest about social engineering

Subscribe to CyberheistNews