Since it first appeared, ransomware’s profitable business – in short, compromising and encrypting data belonging to companies and users and requesting payment in exchange for the restoration of infected files – has grown rapidly.
One of the threats that has had a significant impact and infected a considerable number of users worldwide was the family detected by ESET solutions as Win32/Filecoder.Crysis. Luckily, however, ESET has developed a free tool to decrypt files and recover the information that might have been compromised.
A new tool to recover encrypted files
ESET has created a free decryption tool for Crysis ransomware victims in order to help anyone whose data or devices have been affected by the Crysis family. The tool was developed using the master decryption keys recently published.
If you have been a victim of Crysis ransomware, you can find and download the ESET Crysis decryptor from our free utilities page. If you need additional information on how to use the tool, please refer to ESET Knowledgebase.
As a report from the Anti-Phishing Working Group (APWG) revealed earlier this year, there has been a notable rise in the number of phishing attacks. It’s a widespread problem, posing a huge risk to individuals and organizations (there were, for example, more attacks in Q1 2016 than in any other quarter in history).
Needless to say, it’s something we all need to be aware of, as these types of attacks are not going to go away anytime soon. But worry not, as our Top 5 guide will help keep these criminals at bay.
Before we go into that, here’s a brief overview of what phishing is (for more detail, check out this expert feature). In short, it’s a vector for identity theft where cybercriminals try to get users to hand over personal and sensitive information (without them knowing it). Interestingly, phishing has – in one form or another – been around for years via phone calls and physical letter scams.
Cybercriminals have typically deployed phishing attacks post-breach. This was the case with the Anthem and eBay data breaches, where criminals sent out warnings to users advising them to change their passwords (but directing them to a fake website in an attempt to harvest their details).
However, some information security pros now believe that cybercriminals view phishing attacks as a successful (and easy) way of getting into an enterprise to launch more sophisticated attacks. Humans are, after all, increasingly seen as the weakest link (insider threats are a big problem) and thus the most effective target for criminals looking to infiltrate an enterprise or SME.
Follow the tips below and stay better protected against phishing attacks.
1. Be sensible when it comes to phishing attacks
You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails.
For example, as ESET’s Bruce Burrell advises, never click on links, download files or open attachments in emails (or on social media), even if they appear to come from a known, trusted source.
You should never click on links in an email to a website unless you are absolutely sure that it is authentic. If you have any doubt, you should open a new browser window and type the URL into the address bar.
Be wary of emails asking for confidential information – especially if it asks for personal details or banking information. Legitimate organizations, including and especially your bank, will never request sensitive information via email.
2. Watch out for shortened links
You should pay particularly close attention to shortened links, especially on social media. Cybercriminals often use these – from Bitly and other shortening services – to trick you into thinking you are clicking a legitimate link, when in fact you’re being directed to a fake site.
You should always hover your mouse over a web link in an email to see where it really leads: the address shown in the email text should be the same as the one displayed when you mouse over it.
Cybercriminals may use these ‘fake’ sites to steal the personal details you enter or to carry out a drive-by download attack, thus infecting your device with malware.
3. Does that email look suspicious? Read it again
Plenty of phishing emails are fairly obvious. They will be punctuated with plenty of typos, words in capitals and exclamation marks. They may also have an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content.
Cybercriminals will often make mistakes in these emails … sometimes even intentionally, to get past spam filters, improve responses and weed out the ‘smart’ recipients who won’t fall for the con.
Indeed, it has been rumored that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.
4. Be wary of threats and urgent deadlines
Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.
However, this is an exception to the rule; usually, threats and urgency – especially if coming from what claims to be a legitimate company – are a sign of phishing.
Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel.
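The tells described in tips 1 to 4 (requests for confidential details, mismatched or shortened links, impersonal greetings and shouting, threats and deadlines) can be turned into simple heuristics. The script below is an added illustration, not ESET’s code: the indicator phrases, the list of shortener hosts and the two sample messages are all constructed for the example, so treat its output as a prompt to look again, not as a verdict.

```python
"""Heuristic checks for the phishing tells described in tips 1 to 4.

Added illustration, not ESET's code. The indicator lists and the two
sample messages below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of link-shortener hosts (tip 2).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Constructed impersonal salutations (tip 3).
IMPERSONAL_GREETINGS = ("dear customer", "dear sir/madam", "dear user",
                        "dear account holder")
# Constructed threat / deadline phrases (tip 4).
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be closed",
                   "will be suspended", "fine", "final notice")
# Constructed phrases that ask for confidential data (tip 1).
CREDENTIAL_PHRASES = ("password", "pin", "account number", "card number")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every anchor plus all body text."""

    def __init__(self):
        super().__init__()
        self.links, self.text_parts = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._anchor_text).strip()))
            self._href = None


def _phrase_in(phrase, text):
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def analyze_email(html):
    """Return a list of (category, detail) findings; an empty list means no tells."""
    parser = _LinkExtractor()
    parser.feed(html)
    text = " ".join(parser.text_parts)
    low = text.lower()
    findings = []

    for href, shown in parser.links:
        target = (urlparse(href).hostname or "").lower()
        # Tip 2: the visible text names one host, the real link goes elsewhere.
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
        if m and target and m.group(1).lower() != target:
            findings.append(("link_mismatch", f"{shown!r} -> {target}"))
        if target in SHORTENER_HOSTS:
            findings.append(("shortener", href))

    # Tip 3: impersonal greeting in the opening lines.
    if any(g in low[:200] for g in IMPERSONAL_GREETINGS):
        findings.append(("impersonal_greeting", low[:40].strip()))

    # Tip 3: shouting - several ALL-CAPS words or repeated exclamation marks.
    caps = re.findall(r"\b[A-Z]{4,}\b", text)
    if len(caps) >= 2 or text.count("!") >= 2:
        findings.append(("shouting", f"{len(caps)} caps words, {text.count('!')} '!'"))

    # Tip 4: threats and deadlines.
    urgent = [p for p in URGENCY_PHRASES if _phrase_in(p, low)]
    if urgent:
        findings.append(("urgency", ", ".join(urgent)))

    # Tip 1: the message asks for confidential details.
    asks = [p for p in CREDENTIAL_PHRASES if _phrase_in(p, low)]
    if asks:
        findings.append(("credential_request", ", ".join(asks)))

    return findings


# Constructed sample messages (all hosts use .example / .internal names).
PHISHING_SAMPLE = """<html><body>
<p>Dear Customer,</p>
<p>URGENT!!! Your account WILL BE CLOSED within 24 hours unless you
confirm your password now.</p>
<p>Verify here: <a href="http://bit.ly/example-constructed">https://www.mybank.example/verify</a>
or you will incur a fine.</p>
</body></html>"""

BENIGN_SAMPLE = """<html><body>
<p>Hi Alice,</p>
<p>Tuesday's meeting notes are on the wiki:
<a href="https://wiki.example.internal/notes">https://wiki.example.internal/notes</a></p>
<p>Thanks, Bob</p>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_email(sample))
```

The link check only fires when the visible anchor text itself looks like an address and names a different host than the real target, which is exactly the case the mouse-over advice in tip 2 is meant to catch; a plain “Click here” link is left to the other heuristics.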
5. Browse securely with HTTPS
You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse, and especially when submitting sensitive information online, such as credit card details.
You should never use public, unsecured Wi-Fi for banking, shopping or entering personal information online (convenience should not trump safety). When in doubt, use your mobile’s 3/4G or LTE connection.
As a slight aside, it should become easier to spot dodgy, insecure websites – Google, for example, is looking to crack down on this soon by labeling sites that do not offer appropriate protection.
Towards the end of July 2016, Kevin Townsend brought it to my attention that Europol, the European Union’s law enforcement agency, had announced an initiative to address the ransomware problem. No More Ransom is intended to provide information and help victims recover their data without paying a ransom to the criminals. As well as being quoted by Kevin in his article linked above, I commented on the No More Ransom portal at more length for AVIEN, where I maintain information resources on ransomware and on tech support scams.
39% of enterprises were hit by ransomware last year … Of those, 40% paid the attackers in order to retrieve their data.
Picking up on the suggestion that ‘40% of corporate victims pay up’, he said:
Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?
You can read a brief extract from my response to that question in Kevin’s article, as well as the replies of other commentators such as Jérôme Segura and Graham Cluley. However, here’s my full response (slightly re-edited for clarity):
In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the wellbeing of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In other words, you’re providing sustenance to a protection racket.
On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time the security industry can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – if they decide to pay up rather than commit financial suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the board of directors to survive the damage to their finances.
If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark and sinister alleyways. However, the attacks will remain economically viable as long as people aren’t willing or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – which is not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.
We sometimes hear of instances where organizations pay ransomware even though they do have backups because it’s the cheaper option. That’s not only irresponsible (because there is no doubt that it encourages criminality) but it suggests something significantly wrong with the backup strategy they have in place. A deterrent that you can’t afford to use is of little practical use.
Most security bloggers will advise individuals and businesses not to pay the ransom, taking the same view as Europol, as quoted in another article.
If your own business data are at stake, or even your personal data such as photographs which are irreplaceable by any other means, you might feel differently. It seems to me, though, that there is a certain amount of recent softening on that hard-line view. Martijn Grooten pointed out for Virus Bulletin that:
… Paying the ransom should always be the last resort … but sometimes … the only sensible business decision left is to pay the criminals …
As you may have gathered from the above, I’m pretty much in agreement. Ryan Naraine also admits to a shift in his viewpoint. In How to avoid becoming the next victim of ransomware, he described how he was forced to acknowledge that some institutions have real difficulty in resourcing the sort of security that defeats ransomware and have no choice but to pay up after a ransomware incident simply in order to stay in business. Specifically, he quotes from a healthcare organization’s IT administrator, who pointed out that:
“We have no computers to use. All our backups are encrypted. It’s a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom …”
It’s worth pointing out that in such a case an organization is not only obliged to meet statutory obligations but also has a duty of care to the people who use their services. In the event of a failure to protect their data, irrespective of whether that failure is down to technological shortcomings or human error, and where there is no other way of retrieving those data, that duty of care might – and perhaps should – outweigh the point of principle stressed by Europol. Healthcare is not the only area in which such a conflict may arise with a serious impact on the individual, of course, but healthcare organizations have been heavily and publicly hit by ransomware over the last year or so.
Nevertheless I’m going to repeat my own advice that an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering. It’s worth remembering that paying the ransom doesn’t get the data back, either. And there’s unlikely to be a money-back guarantee, as pointed out in an advisory issued by the FBI that also takes a strong ‘no pay’ position.
The agency also offers a series of basic tips on reducing the risk from ransomware that will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I’m still mildly amused, though, by the advice to:
Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
Since it’s a bit tricky to back up data without connecting to the system used for primary storage, I suspect that what they meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted by the ransomware. The expanded tips given in an FBI brochure are somewhat clearer on that point.
This week, Microsoft issued the Windows 10 Anniversary Update, which changes the way in which security status is presented to home users.
Windows Defender now displays a user’s protection status as “off” if any non-Microsoft antivirus protection, including ESET, is in use. Additionally, Windows Defender advises the user to remove their non-Microsoft antivirus protection.
This is a very different stance to Microsoft’s position in the past, where Windows Defender played well with others, and if you ran ESET (or any other) antivirus with Windows Defender, they co-existed relatively well together. Computer Security Solutions always recommended turning off the real-time protection of Windows Defender, so that you didn’t have two programs scanning the same file when you accessed it – but leaving Windows Defender “on” for a “second look” during an overnight scan was not a problem. Even though we have never heard of Microsoft’s product finding something that ESET didn’t (quite the reverse) – we felt it was OK to leave Defender on “just in case”.
Well, now that Microsoft has changed the way Windows Defender works, our advice has to change – because Microsoft is going to recommend that you remove ESET (and any other third-party antivirus) and keep Windows Defender as a single product.
This is actually quite a BAD IDEA – because in independent tests, ESET’s protection technologies used in NOD32 Antivirus, Smart Security, CyberSecurity for Macintosh, ESET Endpoint Antivirus, ESET Endpoint Security, and just about every ESET product, outperform Microsoft in every available metric.
Before we even get to important factors such as system performance hits, memory usage or malware detection – you need to consider that ESET (which you have bought and paid for a license to run and operate) has a much larger feature-set.
But when it comes to metrics which matter – ESET outperforms Microsoft where it counts…
ESET beats Microsoft in Malware Detection:
ESET beats Microsoft in Impact on System Performance:
ESET uses far less memory than Microsoft:
ESET has much faster scan-times than Defender:
We strongly recommend that you keep your ESET product and disable Windows Defender – for a step-by-step guide on how to do this, just visit this ESET Support Article – How to Disable Windows Defender.
Did you see our most recent Computer Security Solution blog post?
Many of us use dozens (or hundreds) of online websites that need a password. Traditionally, experts have offered two pieces of advice about passwords: first, strong passwords are those with random characters and second, avoid using the same password for different accounts. Most Internet users manage an increasingly large portfolio of password-protected accounts – and that includes us here at CompSecGlobal. It has become a practically impossible task to remember a long string of alphanumeric characters. We have so many passwords that we MUST use a password manager.
We’re running a twitter promotion – it ends on the 31st of July, 2016.
This month (and through July – because we’re actually starting this before the end of June) – save 10% on all licenses in our online store – use the coupon: save3words
This coupon cannot be combined with other coupons and cannot be applied retroactively to orders already placed in our online store.
Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.
We have been covering this malware for a few months now, sometimes along with Locky or being spread by Nemucod. Recently, TeslaCrypt’s operators announced that they are wrapping up their malevolent activities.
We must stress that ransomware remains one of the most dangerous computer threats at this moment, and prevention is essential to keep users safe. Therefore, users should keep operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data at an offline location (such as external storage).
We also advise all users to be very careful when clicking on links or files in their email or browsers. This is particularly true when messages are received from unknown sources or otherwise look suspicious.
For more information about how to protect yourself against these and other ransomware threats, please check this: 11 things you can do to protect against ransomware.
“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” Mr. Gardoň notes.
“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.”
When reading about new malware, the first question that comes to mind is ‘What is the goal of its creator?’. What is your take on the USB Thief?
We can guess their intentions from the capabilities implemented in the malware. Because it is USB-based, the malware is capable of attacks on systems isolated from the internet. Another benefit of being run from a USB removable device is that it leaves no trace – victims don’t notice that their data has been stolen.
Another feature – and one that makes this malware unusual – is that not only is it USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn’t be duplicated or copied. This binding, combined with its sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it, makes it very difficult to detect and analyze.
Could you elaborate on reasons behind binding the malware to a particular device and encrypting it?
Traditionally, malware is often encrypted, and the obvious reason is that encryption prevents the malware from being detected or – if it gets detected – from being analyzed. In this case, encryption also serves the purpose of binding the malware to a particular device.
As for the reasons for binding to a particular device – this obviously makes it harder for the malware to spread but on the other hand it prevents it from leaking outside the target environment. And, given that the attack leaves no traces, the chances are that the malware won’t be spotted if kept on the USB device and wiped off the machine after completing its mission.
To sum up, to me it seems that this malware has been created for targeted attacks.
Malware capable of targeted attacks against systems isolated from the internet – it’s quite a dangerous tool, isn’t it?
Well, taking into account that organizations isolate some of their systems for a good reason … yes. Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous. More so if it is able to disappear without leaving any trace.
How can organizations prevent attacks based on such malware from succeeding?
This malware is unique because of some particular features but the defense against it still falls within the capabilities of general cybersecurity measures.
Most importantly, USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use. It’s highly desirable for staff at all levels to undergo cybersecurity training – including real-life testing – if possible …
… Not to get tricked into running the malware, right?
Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on. It can be stored as a plugin source of portable applications or just a library – DLL – used by the portable application. And therefore, whenever such an application is executed, the malware will also be run in the background.
But people should understand the risks associated with dealing with USB storage devices from sources that may not be trustworthy. Several surveys have shown that people are surprisingly likely to insert every thumb drive they may find into their computers.
Of course, other means of protecting data should be also deployed – from perimeter protection to encryption to data backup.
When we talk about air-gapped systems, these may also be industrial systems, right? This malware is not that serious of a threat to industrial systems as it is only capable of stealing data …
Well, there are many ways in which bad guys could damage a system once they get into it. And this malware’s payload can be redesigned, moving away from data stealing to any other kind of malicious action.
Mr. Gardoň has delivered a technical analysis of the trojan here.
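The interview describes the propagation trick as a library or plugin placed alongside a portable application on the USB stick, so that the malware runs whenever the application does. One defensive measure that follows from that is to record the modules on a drive when it is issued and audit it afterwards. The script below is an added example, not ESET’s code or the analysis linked above: it assumes a baseline inventory taken at issue time, the set of module extensions it looks for is an assumption, and the drive layout it builds for the demonstration is constructed in a temporary directory.

```python
"""Audit the executables and libraries on a removable drive that carries
portable applications, against a baseline recorded when the drive was issued.

Added example, not ESET's code. The module extensions and the drive layout
used by demo() are constructed assumptions for the illustration.
"""
import hashlib
import os
import tempfile

# Assumed set of loadable-module extensions worth tracking on the drive.
MODULE_SUFFIXES = (".exe", ".dll", ".ocx", ".pyd")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map drive-relative path -> SHA-256 for every module under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MODULE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = _sha256(full)
    return result


def audit(root, baseline):
    """Compare the drive with the recorded baseline.

    Returns (category, relative_path) tuples: a module that was not there
    when the drive was issued, one whose contents changed, or one removed.
    """
    current = inventory(root)
    findings = []
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            findings.append(("unknown_module", rel))
        elif baseline[rel] != digest:
            findings.append(("modified_module", rel))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("missing_module", rel))
    return findings


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed drive layout, record a baseline, then change it.

    The file contents are placeholders; only their hashes matter here.
    """
    with tempfile.TemporaryDirectory() as drive:
        _write(drive, "Notepad++Portable/notepad++.exe", b"placeholder exe")
        _write(drive, "Notepad++Portable/plugins/approved.dll", b"approved plugin v1")
        baseline = inventory(drive)
        # What an audit should surface: a library that appeared in the
        # application directory after issue, and a plugin whose contents changed.
        _write(drive, "Notepad++Portable/helper.dll", b"not in baseline")
        _write(drive, "Notepad++Portable/plugins/approved.dll", b"approved plugin v2")
        return audit(drive, baseline)


if __name__ == "__main__":
    for category, path in demo():
        print(f"{category:16} {path}")
```

In practice the baseline would be stored off the drive (the drive itself is the untrusted object), and an unknown or modified module is the cue to quarantine the stick rather than run anything from it.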