<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>encryption Archives - Datarecovery.com</title>
	<atom:link href="https://datarecovery.com/tag/encryption/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description></description>
	<lastBuildDate>Thu, 19 Apr 2018 20:22:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.3</generator>
	<item>
		<title>SamSam Ransomware Infection And Decryption Services</title>
		<link>https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 11 Apr 2018 20:15:49 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5761</guid>

					<description><![CDATA[<p>SamSam ransomware (also known as Samas, SamSamCrypt, and MSIL) is a quickly evolving type of malware that targets hospitals, municipalities, and other large organizations. After installing malicious software through compromised servers, the hackers encrypt network files, making them unusable, and...</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/">SamSam Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>SamSam ransomware (also known as Samas, SamSamCrypt, and MSIL) is a quickly evolving type of malware that targets hospitals, municipalities, and other large organizations. After installing malicious software through compromised servers, the hackers encrypt network files, making them unusable, and demand a ransom.</p>
<p>If SamSam has infected your computer or network, turn off computer(s), disconnect all media, and call Datarecovery.com at 1-800-237-4200. Our ransomware experts will assess your situation and offer a plan to restore your files and remove SamSam.</p>
<h2>What is SamSam Ransomware (And How Does It Work)?</h2>
<p>SamSam is a type of crypto-ransomware, which means the malware encrypts files in such a way that only the attacker can decrypt them. If a victim doesn&#8217;t pay the ransom or have current backups, recovery from SamSam is extremely difficult. Hospitals and city governments have found that a SamSam attack cripples the organization&#8217;s ability to function normally, leading some to pay the ransom.</p>
<h3>Notable Targets of SamSam Ransomware Include:</h3>
<ul>
<li><a href="http://www.baltimoresun.com/health/bs-md-medstar-ransom-hack-20160330-story.html">MedStar</a> 27, 2016 ($18,500 ransom)</li>
<li><a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/samsam-ransomware-moves-from-healthcare-to-education">Follett&#8217;s Learning Destiny software</a> 2016 (undisclosed ransom)</li>
<li><a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a> 9, 2017 ($44,000 ransom)</li>
<li><a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">City of Farmington, NM</a> 3, 2018 ($35,000 ransom)</li>
<li><a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a> 11, 2018 (undisclosed ransom)</li>
<li><a href="https://datarecovery.com/rd/indiana-hospital-pays-55000-get-rid-ransomware/">Hancock Health</a> 11, 2018 ($55,000 ransom)</li>
<li><a href="http://www.govtech.com/security/Davidson-County-NC-Still-Reeling-from-Ransomware-Attack.html">Davidson County, N.C.</a> 16, 2018 (undisclosed ransom)</li>
<li><a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">Colorado Dept. of Transportation</a> 21 and March 1, 2018 (undisclosed ransom)</li>
<li><a href="https://www.myajc.com/news/local-govt--politics/atlanta-officials-warn-cyber-attack-may-compromise-sensitive-data/afZLYCO14WySObFATzKXRP/">City of Atlanta, GA</a> March 22, 2018 ($51,000 ransom)</li>
</ul>
<p>In addition to these high-profile targets, there have been other unspecified victims. A <a href="https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view">2016 FBI alert</a> referred to multiple &#8220;attacks on healthcare facilities&#8221; without mentioning specific names. More recently, an <a href="https://blog.barkly.com/samsam-ransomware-2018-campaign-hospital-attacks">unnamed Industrial Control Systems</a> (ICS) company was hit by the ransomware.</p>
<h2>How Does SamSam Ransomware Infect My System?</h2>
<p>Unlike the majority of ransomware, SamSam does not spread through spam emails or malicious links. Instead, the distributors target vulnerable servers using brute-forced credentials or by exploiting outdated software. After gaining access, the hackers harvest other credentials and use <a href="https://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx">Remote Desktop Protocol</a> to manually spread SamSam through a network.</p>
<p>The attackers wait a number of days before executing the ransomware payload, making it harder for organizations to discover the initial breach. This delay can also allow the hackers to reinfect a system if the organization attempts to recover without paying the ransom, as happened with the <a href="https://www.denverpost.com/2018/03/01/cdot-samsam-ransomware-attack/">Colorado Department of Transportation</a>. After sufficient time has passed, the hackers run batch scripts that launch the ransomware. Once SamSam has encrypted files, it drops a ransom note with the payment demand, which varies by incident.</p>
<h2>Can I Disable or Remove SamSam Ransomware Encryption?</h2>
<p>Removing SamSam and decrypting affected files is difficult. As such, it is critical to prevent the ransomware from infecting systems with the following best practices:</p>
<ul>
<li>Update all software promptly (businesses should use a centralized <a href="https://searchsecurity.techtarget.com/feature/Read-this-roundup-before-investing-in-a-patch-management-tool">patch management system</a> to detect vulnerabilities).</li>
<li>Limit the number of attempts to correctly enter passwords for systems.</li>
<li>Regularly back up data while maintaining redundant copies — SamSam can spread to network-based backups before it begins encrypting files, which makes recovery from an attack more difficult when only one backup exists.</li>
<li>Use the <a href="https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege">principle of least privilege</a> to mitigate damage done by ransomware.</li>
</ul>
<p>If your systems have been infected by SamSam, Datarecovery.com can help. We&#8217;ll assess your situation and start you down the road to recovery as soon as you call or <a href="https://datarecovery.com/submit.php">start a case</a> with us.</p>
<p>As with all data recovery situations, time is an important factor. If ransomware has infected your computer or network, call 1-800-237-4200 to speak to a malware expert. We&#8217;ll go over your options and help determine the best way to recover from a SamSam attack.</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/">SamSam Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>City of Atlanta Hit by SamSam Ransomware</title>
		<link>https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 02 Apr 2018 01:08:24 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5751</guid>

					<description><![CDATA[<p>A ransomware attack on the city of Atlanta on Mar. 22 has left officials scrambling to provide services to residents. Many critical services, like public-safety and wastewater treatment, have been unaffected. Meanwhile, other systems have ground to a halt or...</p>
<p>The post <a href="https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/">City of Atlanta Hit by SamSam Ransomware</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-5752 alignright" src="https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-300x269.jpg" alt="City of Atlanta Outage Alert, SamSam Ransomware" width="300" height="269" srcset="https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-300x269.jpg 300w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-768x688.jpg 768w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-1024x917.jpg 1024w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9.jpg 2048w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>A ransomware attack on the city of Atlanta on Mar. 22 has left officials scrambling to provide services to residents. Many critical services, like public-safety and wastewater treatment, have been unaffected. Meanwhile, other systems have ground to a halt or slowed considerably.</p>
<p>For instance, the city is temporarily not accepting employment applications. New water service requests and other planning services can be made in person, but processing times are longer than usual. Hartsfield-Jackson International Airport <a href="https://www.myajc.com/news/local-govt--politics/city-atlanta-officials-provides-little-detail-about-cyberattack/FK2gvnRumL046dgtXmF5TK/">has disabled its Wi-Fi</a> and taken security wait times and flight information off its website out of an abundance of caution.</p>
<p>Perhaps the biggest headache for the city is <a href="http://abcnews.go.com/US/atlanta-cyberattack-massive-inconvenience-city-mayor/story?id=53974558">keeping the courts running</a> during the mayhem. The city court cannot validate warrants or process ticket payments (even in person). Court dates continue being pushed back (via tweets) as the city struggles with the ransomware attack.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">RESET NOTICES WILL BE MAILED. <a href="https://t.co/hyV3pcLSE0">pic.twitter.com/hyV3pcLSE0</a></p>
<p>— ATL Municipal Court (@ATLCourt) <a href="https://twitter.com/ATLCourt/status/978984086265106432?ref_src=twsrc%5Etfw">March 28, 2018</a></p></blockquote>
<p><strong>Mayor Keisha Lance Bottoms gave few details on what the city&#8217;s response would be.</strong></p>
<p>When asked if she would consider paying the $51,000 ransom, Bottoms admitted, &#8220;Everything is up for discussion.&#8221; She added that she would <a href="https://www.npr.org/sections/thetwo-way/2018/03/27/597208778/atlanta-working-around-the-clock-to-fight-off-ransomware-attack">consult with federal authorities</a> to determine the best course of action. The city hired a private security company, SecureWorks, to investigate the attack. The FBI, Homeland Security, and the Secret Service are all involved in determining exactly what happened.</p>
<p>&#8220;I just want to make the point that this is much bigger than a ransomware attack,&#8221; Bottoms said at a press conference. &#8220;This is really an attack on our government, which means it&#8217;s an attack on all of us.&#8221;</p>
<p><strong>Fears that the attackers accessed personal data continue. </strong></p>
<p>Officials initially <a href="https://www.myajc.com/news/local-govt--politics/atlanta-officials-warn-cyber-attack-may-compromise-sensitive-data/afZLYCO14WySObFATzKXRP/">warned city employees</a> and any member of the public who had made transactions with the city to check their bank accounts for fraudulent activity.</p>
<p>“Because we don’t know, I think it would be appropriate for the public just to be vigilant in checking their accounts and making sure their credit agencies have also been notified,” Bottoms said shortly after the incident.</p>
<p>On March 26, an official tweet from the city reiterated that sentiment but added that there is still no evidence that sensitive data has been compromised.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">GENERAL REMINDER: At this time, there is no evidence to show that customer or employee data has been compromised. However, customers and employees are encouraged to take precautionary measures to monitor and protect their personal information.</p>
<p>— City of Atlanta, GA (@Cityofatlanta) <a href="https://twitter.com/Cityofatlanta/status/978966933155573761?ref_src=twsrc%5Etfw">March 28, 2018</a></p></blockquote>
<p><strong>The city hasn&#8217;t identified the attacker, but media reports point to a familiar name.</strong></p>
<p>A <em>New York Times</em> article <a href="https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html?mtrref=www.google.com">has identified</a> the SamSam hacking crew as the responsible party. While few details are known about SamSam, they do have several trademarks.</p>
<p>The group tends to target large organizations who have the resources to pay a hefty ransom. SamSam also has sophisticated methods of covering their tracks that allow them to attack organizations repeatedly.</p>
<p><strong>The same group victimized the Colorado Department of Transportation twice this year.</strong></p>
<p>The <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">first attack</a> shut down over 2,000 employee computers, forcing workers to use pen and paper to complete work. The city decided not to pay the ransom, but to painstakingly clean the computers of any malware.</p>
<p>When the city&#8217;s IT professionals had cleared 20 percent of computers for employee use, a variant of <a href="https://www.denverpost.com/2018/03/01/cdot-samsam-ransomware-attack/">SamSam reinfected them</a>. Hearing stories like these, it&#8217;s easy to understand why some organizations simply pay the ransom.</p>
<p>To put even more pressure on victims, the SamSam attackers generally target health care facilities and municipal organizations. <a href="https://www.scmagazine.com/samsam-ransomware-continues-to-wreak-havoc-on-infrastructure/article/738983/">Allscripts</a>, <a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a>, <a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a>, and the city of <a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">Farmington, New Mexico</a> all fell prey to SamSam ransomware in the last year.</p>
<p><strong>Atlanta is now learning a painful but useful lesson in cybersecurity.</strong></p>
<p>The city is documenting its progress and answering frequently asked questions on <a href="https://www.atlantaga.gov/government/ransomware-cyberattack-information">its website</a>, while the mayor promises that more attention will be given to cybersecurity in the future.</p>
<p>&#8220;Just as much as we really focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,&#8221; <a href="https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html">Bottoms said</a>. &#8220;I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.&#8221;</p>
<p>The post <a href="https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/">City of Atlanta Hit by SamSam Ransomware</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Only Half of Ransomware Payments Resulted in Decrypted Files</title>
		<link>https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 21 Mar 2018 20:49:43 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5734</guid>

					<description><![CDATA[<p>A report from a leading research firm found a startling statistic for 2017: only half of ransomware victims who paid a ransom were able to successfully decrypt their files. These findings and others in the report offer even more incentive...</p>
<p>The post <a href="https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/">Only Half of Ransomware Payments Resulted in Decrypted Files</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A report from a leading research firm found a startling statistic for 2017: only half of ransomware victims who paid a ransom were able to successfully decrypt their files. These findings and others in the report offer even more incentive to confront and adapt to new security challenges in 2018.</p>
<p><strong>The report came from CyberEdge, who surveyed 1,200 IT security professionals and is not affiliated with any security vendor.</strong></p>
<p><img loading="lazy" decoding="async" class="alignright size-medium wp-image-5746" src="https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2-300x267.png" alt="Cyberthreat Defense Report 2018 by Cyberedge" width="300" height="267" srcset="https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2-300x267.png 300w, https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2.png 327w" sizes="auto, (max-width: 300px) 100vw, 300px" />Their <a href="https://cyber-edge.com/wp-content/uploads/2018/03/CyberEdge-2018-CDR.pdf">2018 Cyberthreat Defense Report</a> is an attempt to understand the variety of threats faced by organizations that employ at least 500 people. The results showed that cyberattacks have become increasingly successful over the past five years (though, mercifully, the number of successful attacks is slightly down from last year).</p>
<p>Another illuminating trend is that the percentage of IT professionals who are optimistic about dodging successful attacks in the coming year went from 62 percent in 2014 to 38 percent in 2018. This can be viewed as pessimism or realism, but either way, it&#8217;s an acknowledgement of the great challenges ahead. Respondents listed application containers (like Docker or Rocket), mobile devices, and cloud infrastructure as the weakest links likely to be targeted by a cyberattack.</p>
<p><strong>Malware (viruses, worms, trojans) was voted as the number one general threat to IT security for the second year in a row.</strong></p>
<p>Second place was a tie between ransomware and phishing attacks. Given that many ransomware attacks were paired with worms and other malware (as well as phishing attacks), you can understand how big a concern ransomware is for security professionals.</p>
<p>And it was not a rare phenomenon either. A surprising 55 percent of surveyed organizations were hit by ransomware in 2017. One area of good news was that many who refused to pay ransoms still recovered their data. Instead of buckling to cybercriminals, they worked to recover data from backups or simply dealt with the data loss. Almost 87 percent of victims who did not pay the ransom recovered their data anyway.</p>
<p>The scarier news was that only 49.6 percent of ransomware victims who paid the ransom were able to decrypt their data. This statistic should convince businesses and individuals of the importance of keeping current backups that are offline or in the cloud.</p>
<p>If a victim cannot recover backups, consulting a professional data recovery company is highly recommended. At Datarecovery.com, the recovery rates for ransomware cases are far higher than those in the CyberEdge survey. Knowing the landscape and having experience help ensure a successful recovery from a ransomware attack. Some strains have freely available decryptors, while others have coding issues that prevent even the attacker from decrypting files. Knowing which avenues to pursue saves time and increases the odds of a successful recovery.</p>
<p><strong>Survey respondents listed &#8220;lack of skilled personnel&#8221; as the greatest barrier to defending against cyberthreats.</strong></p>
<p>In past surveys, &#8220;low security awareness among employees&#8221; has topped that list, but a skilled personnel shortage has slowly climbed the ranks over the past five years. Poor security awareness still placed second as a barrier to IT security (which is concerning, given how long it&#8217;s been an issue).</p>
<p>Overall, the survey showed positive as well as negative trends. Many perennial threats remain: mobile devices and poorly trained employees continue to be security challenges. On the other hand, the number of successful cyberattacks decreased for the first time in five years and security budgets are higher than they&#8217;ve ever been. More than anything, the CyberEdge report reminds us that good IT security requires constant vigilance and adaptation to new threats.</p>
<p>The post <a href="https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/">Only Half of Ransomware Payments Resulted in Decrypted Files</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SamSam Ransomware Infects CDOT</title>
		<link>https://datarecovery.com/rd/samsam-ransomware-infects-cdot/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 19 Mar 2018 16:17:14 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5719</guid>

					<description><![CDATA[<p>SamSam ransomware has infected thousands of computers at the Colorado Department of Transportation. <a href="https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/">Over 2,000 employee computers</a> were shut down to stop the spread of the malware after it was discovered on Feb. 21, and systems are still not back...</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">SamSam Ransomware Infects CDOT</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-full wp-image-5728 aligncenter" src="https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5.png" alt="CDOT logo" width="693" height="190" srcset="https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5.png 693w, https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5-300x82.png 300w" sizes="auto, (max-width: 693px) 100vw, 693px" /></p>
<p>SamSam ransomware has infected thousands of computers at the Colorado Department of Transportation. <a href="https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/">Over 2,000 employee computers</a> were shut down to stop the spread of the malware after it was discovered on Feb. 21, and systems are still not back online.</p>
<p>Office of Information Technology chief technology officer David McCurdy released a statement shortly after the attack that said, “This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”</p>
<p><strong>SamSam is a strain of ransomware that targeted hospitals and others throughout January.</strong></p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-5726 alignright" src="https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05.png" alt="SamSam ransomware skull-and-crossbones" width="360" height="240" srcset="https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05.png 360w, https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05-300x200.png 300w" sizes="auto, (max-width: 360px) 100vw, 360px" /></p>
<p>An Indiana hospital, Hancock Health, <a href="https://datarecovery.com/rd/indiana-hospital-pays-55000-get-rid-ransomware/">paid a $55,000 ransom</a> to restore files and functionality after SamSam infected its servers. Even though the hospital claimed to have complete backups of encrypted files, administrators chose to pay the ransom to avoid costly delays in restoring their systems.</p>
<p><a href="https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-colorado-dot-agency-shuts-down-2-000-computers/">Security researchers</a> say that the group behind SamSam uses a brute-force attack on Remote Desktop Protocol (RDP) connections to gain access to internal networks. Then, hackers manually install the ransomware, which begins encrypting files. To protect against SamSam, <a href="https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-hospitals-city-councils-ics-firms/">researchers warn</a> that any computers open to remote RDP connections should have strong and unique passwords.</p>
<p>SamSam was also the culprit behind attacks on <a href="https://www.scmagazine.com/samsam-ransomware-continues-to-wreak-havoc-on-infrastructure/article/738983/">Allscripts</a>, <a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a>, <a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a>, and the city of <a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">Farmington, New Mexico</a>. <a href="https://blog.barkly.com/samsam-ransomware-2018-campaign-hospital-attacks">Security experts</a> believe that these attacks were carried out by a single group of hackers.</p>
<p><strong>CDOT continues with daily work the old-fashioned way.</strong></p>
<p>“Our critical systems, our road operations, traffic operation systems are still online. We still have people on the road plowing and doing construction,” CDOT spokesperson Amy Ford <a href="https://www.denverpost.com/2018/02/26/samsam-ransomware-virus-cdot/">told the <em>Denver Post</em></a>. “The things we have changed a little bit is we’ve had some business bids in the process of being done and we’ve extended times and dates. And we’re working with our contractors.”</p>
<p>The incident demonstrates the difficulties of recovering from a ransomware attack. Even though CDOT backed up their data, they are beginning their second week offline. Mecklenburg County, North Carolina <a href="http://www.charlotteobserver.com/news/local/article188302469.html">faced a similar slog</a> after a ransomware called LockCrypt infected county government servers. Officials spent well over a month <a href="https://www.mecknc.gov/news/Pages/Countywide-system-outage.aspx">scrambling to restore services</a> after that incident.</p>
<p>Ford summarized the frustrating but manageable limbo that CDOT is currently in.</p>
<p>“No one is back online. What we’re doing is working offline. All our critical services are still online — cameras, variable message boards, CoTrip, alerts on traffic. They are running on separate systems,” Ford said. “The message I’m sharing is CDOT operated for a long time without computers, so we’ll use pen and paper.”</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">SamSam Ransomware Infects CDOT</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>2017 Ransomware Recap</title>
		<link>https://datarecovery.com/rd/2017-ransomware-recap/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Thu, 04 Jan 2018 16:23:38 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5635</guid>

					<description><![CDATA[<p>Ransomware became a household name in 2016. As hackers extorted ransoms from hospitals, universities, and other groups in return for files, the public became aware of how vulnerable devices are in this connected age.<br />
Even with the awareness of this...</p>
<p>The post <a href="https://datarecovery.com/rd/2017-ransomware-recap/">2017 Ransomware Recap</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Ransomware became a household name in 2016. As hackers extorted ransoms from hospitals, universities, and other groups in return for files, the public became aware of how vulnerable devices are in this connected age.</p>
<p>Even with the awareness of this threat, companies and individuals couldn&#8217;t stop the onslaught of ransomware attacks in 2017. This year has seen a steady drizzle of new ransomware variants punctuated by three large-scale attacks that used hacking tools from our own National Security Agency.</p>
<p>Because of ransomware attacks, two companies estimated their losses in the hundreds of millions of dollars and Britain&#8217;s National Health Service diverted ambulances and cancelled operations until they regained control of their computers. In addition to the major attacks, the underground market for smaller-scale operations continued to boom, and open-source ransomware gave hackers a head start. Here&#8217;s how the big events of 2017 went down.</p>
<h3><img loading="lazy" decoding="async" class="alignright size-medium wp-image-4715" src="https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500-300x199.jpg" alt="st louis public library, exterior at night" width="300" height="199" srcset="https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500-300x199.jpg 300w, https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500.jpg 500w" sizes="auto, (max-width: 300px) 100vw, 300px" />St. Louis Public Library</h3>
<p>When staff arrived to work on Thursday, Jan. 19, they were greeted with locked computer screens throughout all branches of the St. Louis Public Library. <a href="https://datarecovery.com/rd/st-louis-public-library-grinds-halt-due-ransomware-attack/">Hackers had exploited a vulnerability</a> in a library voicemail server and locked 700 staff and public computers. The attackers demanded $34,000 in bitcoin to restore the computers.</p>
<p>The library refused to pay and began furiously working to restore services. Finally, on Jan. 30, they were able to <a href="https://www.slpl.org/news/an-update-on-the-ransomware-attack-against-slpl/">announce that all computers</a> used by the public were fully restored. Enhancements to the library system&#8217;s cybersecurity remain an ongoing project.</p>
<h3>Microsoft Releases EternalBlue Patch</h3>
<p>On March 14, Microsoft issued a <a href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010">critical security bulletin</a>, MS17-010, for a flaw in the SMBv1 file-sharing protocol that affected every supported version of Windows. The reason? The NSA had discovered the flaw and, rather than report it, had built an exploit for it and added that exploit to the agency&#8217;s stockpile of cyber weapons. A group called the <a href="https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/">Shadow Brokers</a> obtained the stockpile and, a month after the patch shipped, published the exploit, handing hackers a powerful tool for wreaking havoc.</p>
<p>By installing Microsoft&#8217;s patch, users protected themselves from the NSA&#8217;s exploit, which was known as EternalBlue. Unfortunately, those who did not patch (and the many organizations still running versions of Windows that no longer received updates at all) would fall victim in the coming months when EternalBlue was paired with ransomware and unleashed.</p>
<h3>WannaCry</h3>
<p>The first attack that paired ransomware with EternalBlue was WannaCry. It began on May 12, with the earliest infections reported in Asia, and reached more than 230,000 devices within a day. Each infected computer probed for the unpatched SMB service on TCP port 445, both on other machines on the same network and on random addresses across the internet, and infected whatever it found without anyone opening an attachment or clicking a link.</p>
<p>A <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html">security researcher</a> discovered a kill switch: before spreading, the malware checked whether an unregistered domain name existed, and registering that domain halted new infections. By then, later estimates put the count above 300,000 computers in some 150 countries. Companies and organizations affected by the attack include Britain&#8217;s <a href="http://www.bbc.com/news/technology-41753022">National Health Service</a>, <a href="https://www.mercurynews.com/2017/05/12/fedex-hit-as-nsa-linked-ransomware-spreads-around-the-world/">FedEx</a>, <a href="https://www.reuters.com/article/us-honda-cyberattack-idUSKBN19C0EI">Honda</a>, <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/index.html">Hitachi</a>, <a href="http://www.businessinsider.com/telefonica-and-other-firms-have-been-infected-by-wannacry-malware-2017-5">Telefónica</a>, and dozens more.</p>
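<p>As an added example (not part of the original post and not any vendor&#8217;s tool), the following Go program shows the kind of check a network defender can run over connection logs to spot that fan-out: one host opening TCP/445 to many distinct hosts in a short window. The log format, addresses, timestamps, window and threshold are all constructed for the example. The same logic applies to the NotPetya and Bad Rabbit outbreaks described below, which also moved host to host over SMB.</p>

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Flow is one outbound TCP connection attempt taken from a flow or firewall log.
type Flow struct {
	When    time.Time
	Src     string
	Dst     string
	DstPort int
}

// ParseFlow reads one line in the constructed format used by SampleLog:
// "<RFC3339 time> <source ip> <destination ip> <destination port>".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Flow{}, err
	}
	port, err := strconv.Atoi(f[3])
	if err != nil {
		return Flow{}, err
	}
	return Flow{When: t, Src: f[1], Dst: f[2], DstPort: port}, nil
}

// ParseLog parses a whole log, which must already be in time order.
func ParseLog(log string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// FindSMBScanners returns, sorted, every source that reached at least threshold
// distinct destinations on TCP/445 within a span no longer than window.
func FindSMBScanners(flows []Flow, window time.Duration, threshold int) []string {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if f.DstPort == 445 {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var hits []string
	for src, fs := range bySrc {
		start := 0
		inWindow := map[string]int{} // destination -> connections inside the window
		for end := range fs {
			inWindow[fs[end].Dst]++
			for fs[end].When.Sub(fs[start].When) > window { // slide the window forward
				inWindow[fs[start].Dst]--
				if inWindow[fs[start].Dst] == 0 {
					delete(inWindow, fs[start].Dst)
				}
				start++
			}
			if len(inWindow) >= threshold {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleLog is constructed for this example, not real telemetry: 10.0.0.5 is a
// workstation using one file server, 10.0.0.8 opens a few shares over half an
// hour, and 10.0.0.77 reaches six hosts, two on the internet, in three seconds.
const SampleLog = `2017-05-12T07:44:00Z 10.0.0.5 10.0.0.10 445
2017-05-12T07:44:07Z 10.0.0.77 10.0.0.11 445
2017-05-12T07:44:07Z 10.0.0.77 10.0.0.12 445
2017-05-12T07:44:08Z 10.0.0.77 10.0.0.13 445
2017-05-12T07:44:08Z 10.0.0.77 10.0.0.14 445
2017-05-12T07:44:09Z 10.0.0.77 198.51.100.23 445
2017-05-12T07:44:10Z 10.0.0.77 203.0.113.8 445
2017-05-12T07:44:12Z 10.0.0.5 10.0.0.10 443
2017-05-12T07:46:00Z 10.0.0.8 10.0.0.20 445
2017-05-12T07:58:00Z 10.0.0.8 10.0.0.21 445
2017-05-12T08:10:00Z 10.0.0.8 10.0.0.22 445`

func main() {
	flows, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, src := range FindSMBScanners(flows, time.Minute, 5) {
		fmt.Println("worm-like SMB fan-out from", src)
	}
}
```

<p>On a real flow log the window and threshold need tuning per environment, and hosts that legitimately fan out on 445 (vulnerability scanners, backup servers, domain controllers) should be allow-listed before the check is used for alerting.</p>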
<p><img loading="lazy" decoding="async" class="alignright size-medium wp-image-5631" src="https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-300x200.jpg" alt="north korea flag wannacry ransomware virus" width="300" height="200" srcset="https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-300x200.jpg 300w, https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-768x512.jpg 768w, https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02.jpg 960w" sizes="auto, (max-width: 300px) 100vw, 300px" />While an unprecedented number of machines were infected, the attackers received relatively little money from ransom payments. Just <a href="http://money.cnn.com/2017/08/03/technology/wannacry-bitcoin-ransom-moved/index.html">$140,000 in bitcoin</a> was withdrawn from the three accounts associated with the attack.</p>
<p>In the months following the attack, many pointed fingers at North Korea&#8217;s cyber unit as the originator. Finally, in a Dec. 18 <a href="https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537">op-ed piece</a>, White House homeland security adviser Tom Bossert officially declared North Korea responsible for the attack.</p>
<h3>Petya, NotPetya, Nyetya</h3>
<p>Whatever you call it, this attack wreaked havoc and proved that not everyone learned a lesson from WannaCry. NotPetya exploited the same Windows flaw that Microsoft had patched in March (and that WannaCry used), but it did not stop there: it also harvested credentials from the memory of each machine it infected and used ordinary Windows administration tools (PsExec and WMI) to log in to neighboring machines, so fully patched systems fell too once a single machine on the network was compromised.</p>
<p>Ground zero for this attack was Ukraine, where a popular piece of tax-filing software, MEDoc, <a href="http://www.bbc.com/news/technology-40428967">spread NotPetya</a> to businesses and government organizations. Soon, NotPetya moved beyond Ukraine&#8217;s borders and devastated international businesses, such as <a href="http://www.computerweekly.com/news/450426854/NotPetya-attack-cost-up-to-15m-says-UK-ad-agency-WPP">advertising company WPP</a>, <a href="https://www.ft.com/content/1b5f863a-624c-11e7-91a7-502f7ee26895">law firm DLA Piper</a>, <a href="https://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/">shipping giant Maersk</a>, and <a href="https://www.theregister.co.uk/2017/09/20/fedex_notpetya_damages/">FedEx</a>. Both Maersk and FedEx estimated their losses from the attack to be around $300 million.</p>
<p>Initially, analysts blamed a ransomware called Petya for the cyber attack. However, <a href="https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/">security experts</a> make a <a href="http://tass.com/world/972758">convincing case</a> that NotPetya is a wiper (meaning the intent was to destroy files, not hold them hostage) and that the <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b">attackers could not decrypt a victim&#8217;s files</a> even if they wanted to.</p>
<p>So, why would an attacker disguise a wiper as ransomware? Ukraine&#8217;s security service (SBU) <a href="https://www.theregister.co.uk/2017/07/04/sbu_claims_russia_was_behind_notpetya/">blames Russia</a>. Since the downfall of the Soviet Union in 1991, the two countries have had periods of tension. In 2014, Ukrainian voters ousted their pro-Russia president <a href="http://www.bbc.com/news/world-europe-25182830">Viktor Yanukovych</a>. Shortly after, Russia annexed Crimea, a Ukrainian peninsula, and the international community responded with heavy sanctions against Russia.</p>
<p>This may be more geopolitical history than you wanted to know, but the moral of the story is: cyber wars between nation-states can spill out into the general public. If NotPetya was in fact intended to cripple Ukraine&#8217;s infrastructure, then all those thousands of infected computers throughout the rest of the world were simply collateral damage. Welcome to the 21st century.</p>
<h3>Bad Rabbit</h3>
<p>Bad Rabbit was the ransomware used in the third major international attack of 2017. Compared to the massive disruptions and economic costs of WannaCry and NotPetya, Bad Rabbit was a mere nuisance. But for those affected, including Kiev&#8217;s metro system, Odessa&#8217;s airport, and Russian media group Interfax, the ransomware caused major disruptions. After its website went down, <a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Interfax took to publishing news stories</a> on Facebook until the site was restored.</p>
<p>Researchers believe the same attackers may be responsible for NotPetya and Bad Rabbit. There are similarities in the code of the two, and <a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">the same web servers were used</a> to distribute the initial software in both cases.</p>
<p>Bad Rabbit arrived as a fake Adobe Flash update served from compromised news sites, so its first victims had to run the installer themselves. It did not use the EternalBlue exploit; instead it spread over SMB using a different leaked NSA tool called EternalRomance together with a built-in list of common usernames and passwords. Ukrainian state cyber police <a href="https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign">claimed that the ransomware attack</a> was used as cover to steal financial information from targeted Ukrainian companies.</p>
<h3>Ransomware-as-a-Service</h3>
<p>If 2016 put ransomware on the map, 2017 established it in the marketplace. Ransomware-as-a-service (RaaS) has existed since at least 2015, but there are now more opportunities than ever for someone with little technical skill to buy ransomware from the dark web. Here&#8217;s how it works.</p>
<p>A customer either pays a subscription to or agrees to share a percentage of ransom money with the ransomware developer. The customer can then launch an attack on the targets of his choosing. <a href="https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/">Slicker RaaS variants</a> have user-friendly dashboards to allow even the most technologically novice to launch cyber attacks.</p>
<p>A <a href="https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf">report from Carbon Black</a> found a 2,502 percent increase in ransomware for sale on the dark web from 2016 to 2017. The same report discovered 45,000 listings for RaaS products. With that kind of competition, expect the products to become even more sophisticated and user-friendly in 2018.</p>
<h3>Open Source Ransomware</h3>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-5328 alignnone" src="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2-300x158.png" alt="Hidden Tear Ransomware GitHub info" width="300" height="158" srcset="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2-300x158.png 300w, https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2.png 530w" sizes="auto, (max-width: 300px) 100vw, 300px" /></p>
<p>Another cause for the proliferation of ransomware is the posting of open source code. <a href="https://datarecovery.com/rd/hidden-tear-ransomware-still-wreaking-havoc/">Hidden Tear</a> was the first such ransomware to be posted freely on the internet. The developer, Utku Sen, said he shared it for educational purposes.</p>
<p>Sen built a deliberate weakness (a backdoor) into the code&#8217;s key generation so that anyone affected by it could recover their files. Unfortunately, hackers have taken his code and closed that backdoor in order to make more functional ransomware. Hackers have since created at least a <a href="http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml">dozen ransomware families</a> (8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction) based on Hidden Tear.</p>
<p>And Sen&#8217;s Hidden Tear isn&#8217;t the only example. Others have released open-source ransomware, ostensibly to improve ransomware detection and prevention. However, security professionals already have better tools for understanding and detecting malware, so in practice this source code gives criminals a head start and not much more.</p>
<h2>Ransomware in the New Year</h2>
<p>Several large security companies have released reports with their predictions for the new year, and the message is clear. If you or your business use the internet, ransomware will continue to be a threat.</p>
<p><a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/malware-forecast-2018.pdf?la=en">One firm predicts</a> that the combination of ransomware as a service (like <a href="https://datarecovery.com/rd/cerber-ransomware-infection-decryption-services/">Cerber</a>) and the resurgence of worms will lead to a surge in attacks and infections. Because hackers now have access to a trove of NSA tools, expect to see attacks similar to WannaCry again in 2018.</p>
<p>We can also expect to see <a href="https://researchcenter.paloaltonetworks.com/2017/12/2018-predictions-recommendations-ransomware-plague-just-beginning/">more attacks on Mac computers</a>. <a href="https://datarecovery.com/rd/keranger-ransomware-infection-decryption-services/">KeRanger</a> was the first fully functional ransomware to target macOS, and it did so with limited success. However, Mac users remain a lucrative target for hackers, who likely haven&#8217;t given up on this relatively untapped group.</p>
<h2>What You Can Do</h2>
<p>Security experts recommend a multi-pronged approach to protecting yourself from ransomware. Most importantly, keep multiple current backups, at least one of them offline or otherwise disconnected from your computers, so that the worst case is a restore rather than a ransom. Ransomware that can reach a connected backup drive or network share will encrypt it along with everything else.</p>
<p>Avoid suspicious attachments and links (and teach everyone who uses your network to do the same) to reduce the chances of downloading malware. Keep all software up to date, especially operating system patches like MS17-010, and rely on reputable antivirus software for further protection.</p>
<p>The massive global attacks of 2017 showed that everyone from individual computer users to multinational corporations is vulnerable. Following the above practices (and ensuring that anyone who uses your computer does too) greatly reduces your exposure to the costly headache of ransomware.</p>
<p>The post <a href="https://datarecovery.com/rd/2017-ransomware-recap/">2017 Ransomware Recap</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ransomware Market Expands as Healthcare Industry Continues Feeling the Effects</title>
		<link>https://datarecovery.com/rd/ransomware-market-expands-healthcare-industry-continues-feeling-effects/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 25 Oct 2017 17:44:50 +0000</pubDate>
				<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5452</guid>

					<description><![CDATA[<p>A <a href="https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf">computer security company determined</a> that the dark-web ransomware market has grown by 2,500 percent from 2016 to 2017. The company, Carbon Black, credits that expansion to the relative anonymity of Bitcoin and Tor as well as the lucrative return-on-investment...</p>
<p>The post <a href="https://datarecovery.com/rd/ransomware-market-expands-healthcare-industry-continues-feeling-effects/">Ransomware Market Expands as Healthcare Industry Continues Feeling the Effects</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A <a href="https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf">computer security company determined</a> that the dark-web ransomware market has grown by 2,500 percent from 2016 to 2017. The company, Carbon Black, credits that expansion to the relative anonymity of Bitcoin and Tor as well as the lucrative return-on-investment that ransomware offers.</p>
<p>“It’s like some sort of gold rush,” Limor Kessem, executive security adviser for IBM Security, <a href="https://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646">told NBC News</a>. “Cybercriminals are using ransomware to bring extortion to the masses and more criminals are now doing it because they’re interested in getting a piece of the action.”</p>
<p>The news is particularly worrisome for the healthcare industry, which is a frequent victim of ransomware. It&#8217;s not clear if hackers intentionally target hospitals and medical centers, but because doctors need access to crucial files, medical organizations feel more pressure to pay ransoms to restore data.</p>
<h2>Arkansas Oral and Facial Surgery Center is the latest victim from the medical industry.</h2>
<p>The healthcare organization <a href="https://www.scmagazine.com/128000-arkansas-oral-facial-surgery-center-patients-compromised/article/698227/">discovered the attack</a> on July 26, 2017, but only recently sent an explanation to its patients. In <a href="https://ofscenter.com/notice-to-patients/">the notice</a>, the medical practice explains that ransomware rendered three weeks worth of imaging files, x-rays, and other documents inaccessible.</p>
<p>The <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf">U.S. Department of Health and Human Services</a> lists the incident as a case currently under investigation and reports that 128,000 individuals may have been affected. The Arkansas Oral and Facial Surgery Center did not disclose information about a ransom payment, but did say that they reported the case to the FBI.</p>
<h2>A number of factors make the healthcare industry a frequent victim of ransomware attacks.</h2>
<p>Perhaps the biggest factor is that hospitals and other medical centers need immediate access to files. This makes them more likely to pay a hefty ransom, as happened with the <a href="http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html">Hollywood Presbyterian Medical Center</a>.</p>
<p>A <a href="https://datarecovery.com/rd/locky-ransomware-infection-decryption-services/">Locky ransomware</a> attack froze up services at Hollywood Presbyterian in February 2016. The medical group quickly paid $17,000 to its attackers in order to receive a decryption key and regain access to their files.</p>
<p>In May 2017, <a href="http://www.cnn.com/2017/05/14/opinions/wannacrypt-attack-should-make-us-wanna-cry-about-vulnerability-urbelis/index.html">WannaCry ransomware</a> affected hundreds of thousands of computers in 150 countries. The most prominent victim was Britain&#8217;s National Health Service (NHS), whose services were severely disrupted by the incident.</p>
<h2>The NHS incident laid bare another factor that makes medical centers more susceptible to ransomware attacks.</h2>
<p>Many healthcare organizations use medical devices that run on older, unsupported operating systems. Because the systems no longer receive patches, hackers can find and exploit their vulnerabilities.</p>
<p>During the WannaCry attack, <em>Forbes</em> <a href="https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/">reported</a> that some medical facilities in the U.S. had radiology equipment compromised by the ransomware. Of course, healthcare facilities are reluctant to say what operating systems they use, but clearly, many are relying on older systems.</p>
<p>This is horrifying to computer security experts, but it&#8217;s a simple matter of economics for hospitals. A ransomware attack is costly, but so is replacing a building full of medical equipment and retraining employees every time an operating system becomes obsolete.</p>
<h2>Operating systems are now adding defenses against ransomware, but that doesn&#8217;t protect everyone.</h2>
<p>Microsoft has been beefing up their anti-ransomware capabilities and <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/">claims there have been no successful attacks</a> against their &#8220;most hardened&#8221; operating system, <a href="https://www.microsoft.com/en-us/windows/windows-10-s">Windows 10 S</a>. That&#8217;s great news for those who have up-to-date software, but leaves behind those organizations running unsupported systems.</p>
<p>For those organizations, backing up files offline and educating employees on phishing schemes are crucial to avoiding ransomware. Experts say that <a href="https://www.knowbe4.com/security-awareness-training-features/">security awareness training</a> for employees can dramatically decrease the rates of clicking on scam emails.</p>
<p>Training employees and using more secure operating systems will make successful ransomware attacks harder to pull off. Unfortunately, with the malware market burgeoning, hackers will continue searching for vulnerabilities in software and in internet users.</p>
<p>The post <a href="https://datarecovery.com/rd/ransomware-market-expands-healthcare-industry-continues-feeling-effects/">Ransomware Market Expands as Healthcare Industry Continues Feeling the Effects</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 4 Most Game-Changing Ransomware Attacks</title>
		<link>https://datarecovery.com/rd/4-game-changing-ransomware-attacks/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 09 Oct 2017 22:06:07 +0000</pubDate>
				<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5444</guid>

					<description><![CDATA[<p>Every week, new strains of ransomware infect computers or are spotted by security researchers while still in development. Most of them are small-scale operations that attract little attention.<br />
Every once in a while, a new malware will make headlines based...</p>
<p>The post <a href="https://datarecovery.com/rd/4-game-changing-ransomware-attacks/">The 4 Most Game-Changing Ransomware Attacks</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Every week, new strains of ransomware infect computers or are spotted by security researchers while still in development. Most of them are small-scale operations that attract little attention.</p>
<p>Every once in a while, a new malware will make headlines based on some novel feature. The distributors of <a href="https://datarecovery.com/rd/popcorn-time-ransomware-new-era-malware/">Popcorn Time</a>, an in-dev ransomware, would decrypt a victim&#8217;s files if they infected two other victims who ended up paying.</p>
<p><a href="https://datarecovery.com/rd/jigsaw-ransomware-infection-decryption-services/">Jigsaw</a> used images from <em>Saw</em> to increase the intimidation factor and brand their otherwise nondescript malware. <a href="https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/">Philadelphia</a> ransomware can be bought as a service and tweaked to fit an attacker&#8217;s specific needs. However, none of these have proven to be large players in the long run.</p>
<p>There are a handful of malicious programs that have changed the landscape of the ransomware world. Here are the four most revolutionary, game-changing ransomware strains and how they influenced their successors.</p>
<h2>The AIDS Trojan Horse: The Advent of Ransomware</h2>
<p>In 1989, an evolutionary biologist named <a href="https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/">Joseph Popp distributed 20,000 floppy disks</a> to AIDS researchers around the world. The disks contained a questionnaire that Popp claimed would help doctors estimate a patient&#8217;s risk of contracting HIV. In reality, Popp had hidden an early form of ransomware on the disks and was using a social engineering technique to spread it.</p>
<p>To avoid being pinpointed as the author of the malware, Popp wrote the code so that the ransomware lay dormant until an infected computer had booted 90 times. On the 90th boot, the trojan hid the directories on the C: drive and encrypted the names of the files on it (not their contents), then displayed a ransom note.</p>
<p>The <a href="https://www.knowbe4.com/aids-trojan">note instructed victims</a> to send $189 to a PO box in Panama, a country with infamously lax business laws. Few victims made payments. Popp was arrested and extradited to Britain, where he was charged with blackmail; he avoided trial when a judge declared him mentally unfit to stand. In the meantime, a researcher named Jim Bates analyzed the trojan and created a tool that removed it and restored victims&#8217; files.</p>
<p><strong>What it changed: </strong>Popp&#8217;s malware had four characteristics that future ransomware developers and distributors would copy: a scaremongering note, a hard-to-track payment scheme, encryption of important files (albeit rudimentary and breakable), and the use of social engineering to trick victims into installing the malware themselves.</p>
<h2>CryptoLocker: Ransomware Modernizes and Scales</h2>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-4542" src="https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message.png" alt="CryptoLocker ransomware encrypted files message" width="432" height="336" srcset="https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message.png 432w, https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message-300x233.png 300w" sizes="auto, (max-width: 432px) 100vw, 432px" /></p>
<p>In September 2013 (almost 25 years after the first ransomware incident), the modern era of ransomware began. <a href="https://www.avast.com/c-cryptolocker">CryptoLocker spread through the Gameover ZeuS botnet</a> via infected email attachments.</p>
<p>The exact number of victims is unknown, but estimates suggest there were <a href="http://www.bbc.com/news/technology-28661463">500,000 people who lost data</a> because of CryptoLocker. This sophisticated crypto-ransomware may have been too successful for its own good, as the staggering number of victims prompted international cooperation to catch the attackers. The U.S. Department of Justice, the FBI, Europol, and others collaborated for <a href="https://en.wikipedia.org/wiki/Operation_Tovar">Operation Tovar</a>, which took down the Gameover ZeuS botnet and gained access to the decryption keys.</p>
<p>While all victims eventually had the opportunity to decrypt their data, it took nearly a year for law enforcement and security firms to create a tool for this purpose. The CryptoLocker attack was an early indication that ransomware had the potential to massively disrupt business and prevent access to data from thousands of miles away.</p>
<p><strong>What it changed: </strong>CryptoLocker showed the devastation that a large botnet could cause when it sends out millions of phishing emails carrying ransomware. Its encryption was also done properly: each file was encrypted with a symmetric key, and that key was in turn encrypted with a 2048-bit RSA public key whose private half stayed on the attackers&#8217; server, so nothing left on the victim&#8217;s machine could recover the files. That proved ransomware could permanently prevent access to files when the decryption key was withheld.</p>
<h2>Hidden Tear: Open-Source Code Makes Ransomware Easy</h2>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5326" src="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png" alt="Hidden Tear Ransomware ASCII art" width="453" height="138" srcset="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png 453w, https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art-300x91.png 300w" sizes="auto, (max-width: 453px) 100vw, 453px" /></p>
<p>Utku Sen was a Turkish programmer who <a href="https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/">created a ransomware called Hidden Tear</a>. Sen didn&#8217;t want to use the malware for financial gain, but he did want to share his creation. So, he made it freely available to download for educational purposes, and he built a deliberate weakness (a backdoor) into its key generation so that any files it encrypted could be recovered.</p>
<p>Hackers quickly realized they could use Sen&#8217;s code for ransomware campaigns of their own. They also realized that they could tweak the code to close the backdoors. To make matters worse, some of the variants had changes to the code that made it difficult to decrypt—even if the attackers supplied the decryption key.</p>
<p>Variants of Hidden Tear continue showing up in new guises. In a tweet in August 2017, a <a href="https://twitter.com/ChristiaanBeek/status/899557658071633920">McAfee engineer reported</a> that nearly 30 percent of new ransomware strains were based on Hidden Tear.</p>
<p><strong>What it changed:</strong> Hidden Tear provided open-source code for programmers who have minimal skills to attack computers. Even inexperienced hackers who botch the code can wreak havoc and earn money (even if they can&#8217;t successfully decrypt encrypted files).</p>
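<p>The CryptoLocker and Hidden Tear passages above (and the Hidden Tear section of the 2017 recap in this feed) differ in exactly one place: where the file key comes from. The Go program below is an added illustration, not code from either piece of malware and not this site&#8217;s own tooling. It contrasts a key derived from a clock-seeded PRNG (the Hidden Tear pattern, in which a defender who knows roughly when a file was encrypted can regenerate the key by trying every seed in that window) with a random file key wrapped under the attacker&#8217;s RSA public key (the CryptoLocker pattern, in which nothing left on the victim&#8217;s disk can recover the key). The seed value, the sample document, the file-magic check and the size of the search window are assumptions chosen for the demonstration.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	mrand "math/rand"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM (input must come from it); a wrong key fails the tag.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Design 1, the Hidden Tear pattern (illustrative, not Hidden Tear's own code):
// the file key is whatever a PRNG seeded from the clock at infection time emits.
func WeakKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}

// RecoverWeakSeed is the defender's side: try every seed in [from, to] and return
// the one whose key decrypts sealed to data starting with magic (e.g. "%PDF").
func RecoverWeakSeed(sealed, magic []byte, from, to int64) (int64, bool) {
	for s := from; s <= to; s++ {
		if pt, err := openAESGCM(WeakKey(s), sealed); err == nil && bytes.HasPrefix(pt, magic) {
			return s, true
		}
	}
	return 0, false
}

// Design 2, the CryptoLocker pattern: a fresh random file key is wrapped with the
// attacker's RSA public key; the private key never touches the victim's machine.
func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	fileKey := make([]byte, 32)
	if _, err = rand.Read(fileKey); err != nil {
		return nil, nil, err
	}
	if sealed, err = sealAESGCM(fileKey, plaintext); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	return wrappedKey, sealed, err
}

// HybridDecrypt is what the attacker's server can do and the victim cannot.
func HybridDecrypt(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openAESGCM(fileKey, sealed)
}

func main() {
	doc := []byte("%PDF-1.4 constructed sample document") // constructed input
	sealed, _ := sealAESGCM(WeakKey(1497000000), doc)     // 1497000000: assumed clock seed
	seed, ok := RecoverWeakSeed(sealed, []byte("%PDF"), 1497000000-300, 1497000000+300)
	priv, _ := NewAttackerKey()
	wk, ct, _ := HybridEncrypt(&priv.PublicKey, doc)
	pt, err := HybridDecrypt(priv, wk, ct)
	fmt.Println("weak design, seed recovered by brute force:", ok, seed)
	fmt.Println("strong design, decrypts with the private key:", err == nil && bytes.Equal(pt, doc))
}
```

<p>The brute force in the weak design costs one AES-GCM decryption per candidate second, so even a window of days is trivial; that is why the Hidden Tear families were decryptable until their authors replaced the key generation. In the strong design the only recovery paths are the attacker&#8217;s private key (as law enforcement obtained in Operation Tovar) or a backup.</p>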
<h2>WannaCry: With Help From the NSA, Ransomware Spreads Fast</h2>
<p>This sophisticated attack combined ransomware with a worm that targeted a vulnerability in older Microsoft Windows operating systems. The public was shocked to learn that the U.S. <a href="https://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html">National Security Agency had discovered</a> the vulnerability and created a hacking weapon out of it (known as an exploit) rather than report it to Microsoft.</p>
<p>The worm aspect of WannaCry allowed it to spread laterally to other computers on the same network. One of the hardest hit organizations was Britain&#8217;s National Health Service, <a href="https://www.theguardian.com/technology/2017/may/13/nhs-workers-and-patients-on-how-cyber-attack-has-affected-them">whose services were severely disrupted</a>. Germany&#8217;s national railway service, a Spanish telecom giant, and French carmaker Renault <a href="https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.784a9a090698">were all affected by the attack</a> as well.</p>
<p>The cryptoworm spread to over 150 countries over the course of 48 hours. The spread slowed when a <a href="https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0">security researcher Marcus Hutchins found a kill switch</a> in the malware&#8217;s code. <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">Microsoft also took the unusual step</a> of providing a patch for their older, unsupported operating systems to prevent any further attacks using the NSA exploit.</p>
<p><strong>What it changed:</strong> The attack proved how quickly a combined ransomware/worm can spread—especially on networks using unsupported operating systems. Sadly, the NotPetya (also called Nyetya) attack that occurred weeks later successfully <a href="https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/">targeted the same vulnerability</a> on thousands of computers that still were not patched.</p>
<h2>What Comes Next?</h2>
<p>Many of the tactics used by the above strains of ransomware continue to be used today. Mass phishing campaigns conducted by botnets allow attackers to cast a wide net for potential victims. As email providers get better at detecting malware in attachments, hackers change their tactics to better hide it.</p>
<p>To protect your home or business from ransomware attacks, you don&#8217;t need to predict the exact method that hackers will use. Rather, protect yourself from any data loss situation by regularly backing up all essential data. Having reliable backups on media disconnected from your computer can save your data from ransomware attacks and the more mundane situations that might occur.</p>
<p>The post <a href="https://datarecovery.com/rd/4-game-changing-ransomware-attacks/">The 4 Most Game-Changing Ransomware Attacks</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Locky Creators Tweak Variants To Evade Detection</title>
		<link>https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 04 Oct 2017 16:53:03 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5438</guid>

					<description><![CDATA[<p>Locky ransomware first appeared in February 2016 using a simple but ingenious social engineering method. <a href="https://arstechnica.com/information-technology/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/">The distributors sent thousands of emails</a> around the world with an infected Microsoft Word document that appeared as gibberish when opened.<br />
The message, &#8220;Enable macro...</p>
<p>The post <a href="https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/">Locky Creators Tweak Variants To Evade Detection</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Locky ransomware first appeared in February 2016 using a simple but ingenious social engineering method. <a href="https://arstechnica.com/information-technology/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/">The distributors sent thousands of emails</a> around the world with an infected Microsoft Word document that appeared as gibberish when opened.</p>
<p>The message, &#8220;Enable macro if the data encoding is incorrect,&#8221; would prod users into changing their settings. Those who turned on macros in Word initiated the ransomware&#8217;s installation process and became the first victims of Locky.</p>
<p>Since that first wave of infections, Locky has vanished and then reappeared repeatedly. The one constant is that it always returns with a new extension and a few tweaks to better evade antivirus software.</p>
<div id="attachment_4517" style="width: 604px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-4517" class="wp-image-4517 size-full" src="https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2.png" alt="Locky ransomware message screenshot" width="594" height="407" srcset="https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2.png 594w, https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2-300x206.png 300w" sizes="auto, (max-width: 594px) 100vw, 594px" /><p id="caption-attachment-4517" class="wp-caption-text">A previous Locky version ransom message</p></div>
<h2>Ykcol Variant Uses 7z or 7zip Extension</h2>
<p>The latest incarnation of Locky is the ykcol variant (for those wondering about the unusual name, ykcol is locky backwards). More significant than the updated extension is an updated tactic. This variant is <a href="https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-ykcol-extension-for-encrypted-files/">distributed in a 7z file</a>.</p>
<p>This file extension is probably unfamiliar to less technical computer users—it&#8217;s an archive format that supports high compression and optional encryption. Most computer users don&#8217;t even have the necessary software to extract such a file. Experts believe that the distributors hid the Locky variant in the obscure format to evade the filters of Gmail and other mail providers.</p>
<h2>Ykcol Is the Latest in a String of Variants</h2>
<p>From <a href="https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/">February 2016 to September 2017</a>, Locky has morphed its .locky extension to .zepto, .odin, .shit, .thor, .aesir, .zzzzz, .osiris, .loptr, .diablo6, .lukitus, and finally, to .ykcol. None of these variants can be decrypted without the key, which only the distributors of the ransomware hold.</p>
<p>Locky has been a persistent threat over the last 18 months, accounting for <a href="https://www.malwarebytes.com/pdf/white-papers/us-ransomware.pdf">14 percent of all ransomware detections globally</a> in the fall of 2016. It has since overtaken <a href="https://datarecovery.com/rd/cerber-ransomware-infection-decryption-services/">Cerber</a> as the largest ransomware family. At times, the prolific ransomware appears to become inactive, but time and time again, it has reappeared with new features and distribution tactics.</p>
<h2>Who Created Locky?</h2>
<p>There are numerous clues, but no firm answers as to who created Locky. The ransomware has a flag that detects if a computer&#8217;s operating system uses the Russian language. <a href="https://securingtomorrow.mcafee.com/business/locky-ransomware-makes-comeback-new-diablo6-lukitus-variants/">If the OS is in Russian</a>, Locky and its variants will not infect the computer. On top of that evidence, the majority of the ransomware&#8217;s attacks have been traced to Russia.</p>
<p>Though experts believe that a Russian group is responsible for creating and distributing Locky, it&#8217;s unclear exactly who they are. Locky is one of the most sophisticated ransomware families, so its creators are certainly highly skilled.</p>
<h2>Attacks Continue at Huge Volumes</h2>
<p>In early September 2017, <a href="https://gbhackers.com/massive-locky-ransomware-campaign/">security experts at AppRiver</a> detected 23 million spam messages containing Locky in a single 24-hour period. Clearly, the distributors are playing a numbers game. If only a minuscule fraction of those targeted download the ransomware, there will still be plenty of victims and potential ransom payments.</p>
<p>The subject lines of the spam emails contained words like &#8220;please print,&#8221; &#8220;documents,&#8221; or &#8220;photos.&#8221; The attackers attempt to lure in victims with curiosity over what may be attached to the email. Because of the overwhelming number of spam emails sent, it is more important than ever to scrutinize and verify attachments before downloading them.</p>
<p>Other security measures to avoid Locky and other ransomware include:</p>
<ul>
<li>Back up essential files frequently.</li>
<li>Patch all software when updates become available.</li>
<li>Use security software that detects ransomware behavior.</li>
<li>Enable extension viewing so you can see executable files hidden as other documents.</li>
</ul>
<p>Locky continues to evolve and other families of ransomware pose new threats every day. Use good internet hygiene and follow the above tips to avoid the costly effects of a ransomware infection.</p>
<p>The post <a href="https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/">Locky Creators Tweak Variants To Evade Detection</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cracking Passwords: 11 Password Attack Methods (And How They Work)</title>
		<link>https://datarecovery.com/rd/cracking-passwords-11-password-attack-methods-work/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 18 Sep 2017 21:20:05 +0000</pubDate>
				<category><![CDATA[Data Recovery Knowledge]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[guide]]></category>
		<category><![CDATA[password]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5430</guid>

					<description><![CDATA[<p>At Datarecovery.com, we frequently recover lost passwords for everything from Word documents and RAR files to encrypted Linux volumes (LUKS encryption) and Bitcoin wallets. Our customers often ask about our methods; do we simply try every possible password, or is...</p>
<p>The post <a href="https://datarecovery.com/rd/cracking-passwords-11-password-attack-methods-work/">Cracking Passwords: 11 Password Attack Methods (And How They Work)</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5432" src="https://datarecovery.com/wp-content/uploads/2017/09/word-cloud10.png" alt="Cracking password techniques word cloud" width="761" height="707" srcset="https://datarecovery.com/wp-content/uploads/2017/09/word-cloud10.png 761w, https://datarecovery.com/wp-content/uploads/2017/09/word-cloud10-300x279.png 300w" sizes="auto, (max-width: 761px) 100vw, 761px" /></p>
<p>At Datarecovery.com, we frequently recover lost passwords for everything from Word documents and RAR files to encrypted Linux volumes (LUKS encryption) and Bitcoin wallets. Our customers often ask about our methods; do we simply try every possible password, or is there more to it?</p>
<p>To put it simply: There&#8217;s more to it. Password recovery requires a solid understanding of the various password cracking methods and of how modern encryption resists them. Our engineers work with our clients to choose an appropriate methodology, then use dedicated equipment to complete the crack as efficiently as possible.</p>
<p>Some of the common password cracking methods used by software password cracker tools <a href="https://hashcat.net/hashcat/">such as hashcat</a> are listed below. For more information or to discuss password recovery services, call 1-800-237-4200 to speak with a specialist.</p>
<p><strong>Brute-force attack &#8211;</strong> A brute-force attack exhaustively tries every possible combination of letters, numbers, and symbols to crack a password. It&#8217;s the simplest way to crack a password, but also the most ineffective, since it wastes a lot of time making unlikely guesses.</p>
<p>Most types of encryption effectively blunt a brute-force attack by deriving the key through deliberately slow hashing algorithms, so that every guess takes longer to test. Longer passwords can also defeat this technique, because each added character multiplies the search space. For example, a brute-force attack might take 5 minutes to crack a 9-character password, but 9 hours for a 10-character password, 14 days for 11 characters, and 3.9 years for 12 characters.</p>
<p>While we have specialized hardware that allows for extremely fast brute-force cracking, this technique is rarely effective.</p>
<p><strong>Dictionary attack </strong>&#8211; The name says it all: A dictionary attack enters every word in a dictionary as a password. This removes some of the randomness of a brute-force attack, reducing the amount of time needed to find the password—provided that the password is in the dictionary, of course.</p>
<p>Note that &#8220;dictionary&#8221; doesn&#8217;t literally refer to a simple English dictionary; the entries in a cryptography dictionary may include common substitutions (for instance, &#8220;4pple&#8221; for &#8220;apple&#8221;) and numeric entries.</p>
<p>A common example is a <em>rainbow-table attack.</em> A rainbow table is essentially a precomputed dictionary that maps hash values back to the passwords that produce them. A rainbow-table attack is, therefore, a dictionary attack, but with a specialized dictionary optimized for the cracking attempt.</p>
<p><strong>Combinator attack </strong>&#8211; This attack appends dictionary entries to other dictionary entries. It&#8217;s effective because users often choose passphrases that combine a few common, easy-to-remember phrases, for instance &#8220;password123.&#8221;</p>
<p>Let&#8217;s say that the dictionary for a combinator attack has the words &#8220;dog&#8221; and &#8220;cat.&#8221; The combinator would try &#8220;dogcat&#8221; and &#8220;catdog&#8221; as possible passwords. A combinator attack can be extraordinarily effective at cracking user-generated passphrases, but it&#8217;s not too effective for cracking machine-created passphrases.</p>
<p><strong>Fingerprint attack </strong>&#8211; This is a fairly new type of attack, and its method is fairly sophisticated. It breaks possible passphrases down into &#8220;fingerprints,&#8221; single- and multi-character combinations that a user might choose. For the word &#8220;dog,&#8221; the technique would create fingerprints including &#8220;d,&#8221; &#8220;o,&#8221; &#8220;g,&#8221; along with &#8220;do,&#8221; and &#8220;og.&#8221;</p>
<p>This can be an especially effective attack when a user remembers part of a password. However, due to its sophistication, it requires extraordinary computing power.</p>
<p><strong>Hybrid attack &#8211; </strong>This is a blend of a dictionary and a brute-force attack. It makes a dictionary attack stronger by prepending or appending a string of brute-force characters to each dictionary entry.</p>
<p>For instance, the entry &#8220;software&#8221; might yield &#8220;software001,&#8221; &#8220;software002,&#8221; &#8220;001software,&#8221; and so on.</p>
<p><strong>Mask attack &#8211;</strong> Similar to a brute-force attack, but with rules to reduce the number of errant entries. It&#8217;s extremely useful if some of the characters are known, or if character types are known. For instance, if a user knows that his password has a capital letter at the beginning and three numbers at the end, the mask attack would be far more effective than a simple brute-force attack. The masks are often generated by the password cracker.</p>
<p><strong>Permutation attack &#8211;</strong> A permutation attack uses a dictionary, but each entry in the dictionary also generates permutations of itself. For the word &#8220;dog,&#8221; a permutation attack would create the candidates &#8220;god,&#8221; &#8220;ogd,&#8221; &#8220;odg,&#8221; &#8220;gdo,&#8221; and &#8220;dgo.&#8221;</p>
<p><strong>PRINCE attack &#8211; </strong>Stands for &#8220;PRobability INfinite Chained Elements.&#8221; The PRINCE attack uses an algorithm to try the most likely password candidates with a refined combinator attack. It creates chains of combined words by using a single dictionary.</p>
<p><strong>Rule-based attack &#8211;</strong> As the name implies, a rule-based attack uses rules to eliminate possibilities. It&#8217;s one of the more complex types of attacks, but the possibilities are effectively endless. A password recovery engineer could create any criteria necessary to weed out unlikely or impossible guesses.</p>
<p><strong>Table-Lookup attack &#8211;</strong> Each word in a dictionary generates masks for a mask attack while creating new words by consulting a table. Simply put, it&#8217;s effective for guessing passwords when the user replaced one or more characters with numbers or symbols (for instance, &#8220;m$ney&#8221; instead of &#8220;money&#8221;).</p>
<p><strong>Toggle-Case attack &#8211; </strong>This attack creates every possible case combination for each word in a dictionary. The password candidate &#8220;do&#8221; would also generate &#8220;Do,&#8221; &#8220;dO,&#8221; and &#8220;DO.&#8221;</p>
<p>If you&#8217;ve lost your password or if you need access to an encrypted file that you legally own, Datarecovery.com can help. Call us at 1-800-237-4200 to get started.</p>
<p>The post <a href="https://datarecovery.com/rd/cracking-passwords-11-password-attack-methods-work/">Cracking Passwords: 11 Password Attack Methods (And How They Work)</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>EV Ransomware Targets WordPress Sites</title>
		<link>https://datarecovery.com/rd/ev-ransomware-targets-wordpress-sites/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Tue, 12 Sep 2017 16:53:25 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5427</guid>

					<description><![CDATA[<p>A new strain of ransomware <a href="https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&#38;id=1073">targets websites created through WordPress</a>. The malware encrypts a web server&#8217;s files making them inaccessible. Experts have named the malicious software &#8220;EV&#8221; because it appends files with &#8220;.ev&#8221; after encrypting them.<br />
The ransomware is...</p>
<p>The post <a href="https://datarecovery.com/rd/ev-ransomware-targets-wordpress-sites/">EV Ransomware Targets WordPress Sites</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A new strain of ransomware <a href="https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&amp;id=1073">targets websites created through WordPress</a>. The malware encrypts a web server&#8217;s files making them inaccessible. Experts have named the malicious software &#8220;EV&#8221; because it appends files with &#8220;.ev&#8221; after encrypting them.</p>
<h2>The ransomware is also known as Ronggolawe or AwesomeWare.</h2>
<p>Indonesian hackers originally uploaded the malware to GitHub under the name AwesomeWare. The developers claimed that the open-source malware was for educational purposes, but before long, security companies <a href="https://www.imperva.com/blog/2017/08/ronggolawe-ransomware-how-to-block-it/">started detecting attacks</a> using the malware on WordPress sites.</p>
<p>What sets this ransomware apart from others is that it targets web servers as opposed to the more usual target of Windows workstations. The attackers attempt to encrypt the site owner&#8217;s files and deny them access to their site.</p>
<p>The specific attack vector for EV ransomware is unknown. Because WordPress allows a wide variety of third-party plugins, there are many possible vulnerabilities. However, WordPress users can still protect themselves with a couple of precautions.</p>
<h2>WordPress users should employ a web application firewall (WAF) and maintain backups offline.</h2>
<p>A WAF can prevent hackers from uploading the malicious .php files used to infect web servers with EV ransomware. A good WAF protects against known malware and blocks any suspicious files from being uploaded.</p>
<p>Prevention of ransomware is preferable, but keeping current backups of files will protect your website if malware does encrypt your files. These copies should be kept offline or in the cloud so that they are isolated from a ransomware infection.</p>
<p>Restoring a WordPress website through backups may be the only viable option if EV ransomware encrypts your files. Because the ransomware is not fully functional, it can encrypt, but not decrypt, files. Even if a victim pays the ransom and receives a decryption key, a data recovery expert would be necessary to fix the broken code and decrypt the files.</p>
<h2>An Indonesian hacking group is linked to the malware.</h2>
<p>A group known as Bug7sec uploaded the source code that EV ransomware uses. On the group&#8217;s <a href="https://www.facebook.com/search/str/Bug7sec/keywords_blended_featured_posts?esd=eyJlc2lkIjoiUzpfSTg0MzE1Njk1OTExMjczMToxNDYwMDQ3MDA3NDIzNzIwIiwicHNpZCI6eyI4NDMxNTY5NTkxMTI3MzE6MTQ2MDA0NzAwNzQyMzcyMCI6IlV6cGZTVGcwTXpFMU5qazFPVEV4TWpjek1Ub3hORFl3TURRM01EQTNOREl6TnpJdyJ9LCJjcmN0IjoidGV4dCIsImNzaWQiOiI3Yjc2MGRmN2VkNDRjYjMzZjJmYTk1YTRkZDM5YzJlZSJ9">Facebook page</a>, Bug7sec also takes credit for two other strains of ransomware that operate similarly to EV. Their motivation is unclear since they are offering the code for free.</p>
<p>This new threat highlights the importance of using good internet hygiene and security software. Hackers will continue to search for new vulnerabilities as old ones are patched. Keep your website safe by regularly updating plugins, using a web application firewall, and maintaining current backups in an isolated location.</p>
<p>The post <a href="https://datarecovery.com/rd/ev-ransomware-targets-wordpress-sites/">EV Ransomware Targets WordPress Sites</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
