“Pay The Ransom” Says FBI Ransomware Advice

Ransomware is a significant threat to huge corporations as it is to you and me, the notion of every single byte of your personal files being locked up is a frightening thought to those who have treasured memories in the form of images and documents. How effective is Ransomware? It turns out very considering the FBI (Federal Bureau of Investigation) is warning companies that they may be better of paying the ransom to the attackers in order to see their files again.

This centres on the success rate of Cryptolocker, Cryptowall and also other forms of ransomware that utilizes ultra-secure encryption algorithms in order to lock up data.  Joseph Bonavolonta who is the Assistant Special Agent in Charge of the FBI’s CYBER and Counter intelligence Program in its Boston office was speaking at the Cyber Security Summit 2015 where he stated that “The ransomware is that good”.

This form of attack has been around for more than a decade which is slightly surprising considering one associates this technique as a newish phenomenon. Although the last three years have seen attacks rise sharply via both malicious email attachments and also drive by downloads which include Malvertising.

According to the FBI, Cryptowall is the most common form of ransomware considering it had received 992 complaints that totalled $18 million in losses. The FBI still wants firms to contact their local law enforcement agency, but, if a company’s data is locked then in all probability the FBI will not be able to retrieve it without a ransom payment.

An interesting element is the feeling that if attackers keep ransoms low for consumers, a bigger percentage will just pay, after all, many people have expendable income and may be inclined to pay.

I am not sure this advice from Joseph Bonavolonta is necessarily helpful, granted, I can understand his sentiments that the FBI may not be able to retrieve any data without a ransom payment, but, if you advise people to pay then this will keep happening over and over again. Criminals partake in these practices in order to make money; if they are making money then I am sure they would feel it’s worthwhile.

Also, there is no guarantee that you would actually gain access to your data once a ransom has been paid, after all, there is no incentive to do so despite Mr Bonavolonta’s reassurances that “You do get your access back”

The best prevention is to be aware of any email attachments or links contained within spam emails and to Not Click on them, if you’re expecting an attachment from a known source, always verify the email just in case said source has been hacked themselves. Any attachments should be scanned to be on the safe side if you trust the email, if you don’t, don’t download or click anything, I know that Nigerian Billionaire sounds tempting, but it’s not worth it, also, always keep your system backed up for a variety of reasons.

Image source

Synology NAS OS Vulnerable to CryptoLocker [updated]

The operating system run on Synology’s NAS devices, called DiskStation Manager (DSM), is reportedly vulnerable to a CryptoLocker hack. This particular version has been dubbed SynoLocker and is holding the infected NAS devices for ransom.

The nature of how the systems get infected is still unclear, but when infected, the malware encrypts parts of the data until you pay 0.6 Bitcoins (about £208 at current rate). Decryption is promised upon payment, but there is no guarantee it will happen and that you won’t be infected again.

The company believes it to be limited to devices still running non-updated versions of DSM 4.3, they are however still investigating if the vulnerability also could infect the newer version 5.0, just in case.

While a press release is being prepared, Synology gave this emergency statement:

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker – as of yesterday (08/03/14). It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also effects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:
A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at, http://www.synology.com/en-global/support/knowledge_base

[UPDATE 16:50 GMT]

Since we originally posted this, we’ve recieved an official statement from Synology via email. The problem is more limited then first thought and only affects a few software version. As also initial suggested, those with up-to-date system can feel safe from this threat.

Synology are fully dedicated to investigating this issue and possible solutions. Based on their current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, synology recommends they shut down their system and contact the technical support team.

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

It is easy to update the Disk Station Manager OS by going to Control Panel and then navigating to the DSM Update. Users can also manually download and install the latest version from Synology’s Download Center. If you notice any strange behaviour or suspect your Synology NAS has been affected by the above issue, you’re also encouraged to contact Synology at security@synology.com where a dedicated team will look into each case.

Thank you TechPowerUp for providing us with this information

Image courtesy of Synology

GoZeuS Returns a Month after Authorities Take Measures Against the Malware

Though authorities had taken action against the GoZeuS and CryptoLocker malware which stole hundreds of thousands of banking logins from users and blackmail them for millions of pounds, it seems that the malwares are back. A month after the campaign, online criminals seem to have tried to rebuild the sophisticated software named GameOver ZeuS, having researchers warn that new threats using much of the same code are aimed at UK users.

Reports say that the ‘original strain’ of the malware targeted by authorities around the world, including the NSA and the FBI, has been in a decline since the campaign started. However, it appears that criminals are now re-establishing the GameOver botnets by taking the original code and reworking it to avoid detection, much like a biological virus modifies its genetic code in order to survive medicine administered against it.

A security company by the name of Malcovery has stated that the new trojan based on the GameOver Zeus binary is spreading through spam emails, claiming to be from the NatWest bank, coming with an attached statement in the content. Anyone who opens the ‘statement’ are said to risk infection, since traditional anti-virus software cannot detect the malicious software. Also, the CEO of Heimdal Security, Morten Kjærsgaard, states that the heads of the original GoZeuS will try to use lesser-known strains in order to avoid law enforcement agencies detecting it.

“Until we start to see a more clear movement pattern of these new Zeus variants, which are starting to surface, we can’t say anything definitive about their extent,” said Kjærsgaard. “There is no doubt though, that many small malware variants could pose the same financial problem for end users as one big nasty piece of malware.” he added.

While the GameOver Zeus botnet earned more than $100 million for its creators, more infections are likely to take place given the new strains. In June however, US authorities are said to have named Evgeniy Bogachev, a Russian national, as the main suspect behind the original malware.

Thank you The Guardian for providing us with this information
Image courtesy of The Guardian

Comodo Internet Security 7.0 Launces in the UK, Backed by a £300 Virus-Free Guarantee

Comodo is a company offering leading solutions in terms of PC/Mac antivirus and malware software, SSL digital certifications, as well as android antivirus and malware solutions. It’s latest product is the all-in-one protection software, Comodo Internet Security Pro 7, which has been recently made available to the UK market.

The all-in-one software is said to be a unique and patented prevention tool for unknown viruses, as well as a detection tool for known ones. It works by inspecting each file attempting to run on a computer and instantly compares the file to its White List and Black List database. In the case of a file not being present in either list, the software restricts its access using Auto Sandbox Technology, keeping the computer clean and virus-free.

The company has also made a few changes to its latest Comodo Internet Security Pro 7 software, including a user interface update that allows tasks to be performed quicker while delivering more information on the current computer status. In addition to the interface update, Comodo claims that it has shortened the Sandbox function’s average process time per file by up to 700%, while adding the ability to reverse potentially undesirable actions of software without necessarily blocking the software entirely.

Also, Comodo has added an advanced Website Filtering feature, allowing website access rules to be created for particular users of a computer and logging each activity when a user tries to visit a website which is in conflict with a rule. Another interesting new feature added is the Protected Data Folder, which keeps each and every file placed inside a ‘Protected Data Folder’ from being read, accessed and modified by applications running in Sandbox mode. The last but not least addition is PrivDog, a software specially designed to suppress any malicious advertisement, while being able to run alongside all major browsers on the market.

What makes Comodo’s Internet Security Pro 7.0 one of the best antivirus and malicious software prevention is the company’s confidence in suppressing each and every virus and malware roaming the internet, including GOZeuS and CryptoLocker, as the company stated. This is why the company offers a $500 (£298.54) money back guarantee, should a user’s computer become infected while using the Comodo Internet Security Pro 7.0.

The Comodo Internet Security Pro 7.0 comes with a yearly subscription of just £30 which covers three machines and includes GeekBuddy online support. Comodo’s Internet Security Complete 7 is also available at a £68 yearly subscription, including all of the Pro’s features, plus TrustConnect Wi-Fi/Hotspot encryption and 50 GB of Online Storage. A trial for the software can be downloaded over at Comodo’s website.

Traditional Antivirus Software “Simply Don’t Work” According to Security Specialists

While the National Crime Agency did warn people about the upcoming GOZeuS and CryptoLocker malware, information given by security specialists point to the fact that traditional antivirus software is not enough even for a simple malware prevention, yet alone the more advanced malware types.

Comodo Group‘s CEO, Melih Abdulhayoglu, points out that most traditional antivirus software on the market “simply don’t work” and detects threats such as viruses and malware only when they have already infected the system, rendering them obsolete.

“For years the antivirus industry has been promoting a flawed product to the mass market as a protection product – a huge con. As a result, there are millions of business and home users who think that they are safe online, just by running an antivirus product – this is madness! Traditional antivirus products do not and can not protect you from new malware like Cryptolocker that they can’t detect.”

Melih emphasises that the only method of keeping a system clean is through containment technology. The technology puts unknown traffic coming from the internet into a sandbox environment for further analysis, meaning that the data cannot react or spread within the system until it has been identified as ‘safe’. This way, Melih states that the malware is detected and denied access before it can even get near the system at hand.

Businesses however are more susceptible to viruses and malware than homes. This is said to be due to the fact that hackers are writing specific malware which target a single individual system inside the company, from which it will inevitably grant access to the entire company’s network.

“For businesses, the problem is Advanced Persistent Threats (APT). Criminals are writing specific tailored malware aimed at one person in a company and then stealing data via that person. It’s designed to be undetectable, or viewed as too small a problem to solve. Think of it like this: the pharmaceutical industry wouldn’t bother to spend billions on curing a disease that infects just one person, so these bad guys are hoping that the security industry doesn’t put resources into solving a problem targeted at just one individual.”

However, this does not mean everyone is doomed to have their systems infected. Egemen Tas, VP of Engineering at Comodo, emphasises that a combination of a strong and trusted† antivirus software along with basic execution control (such as the annoying popup in Windows, which everyone tends to deactivate, appearing every time an ‘unknown’ or application requiring elevated privileges wants to launch) is enough to keep your system clean.

“In order to stay protected from GOZeuS and CryptoLocker, users should follow cyber-hygiene best practices,” said Egemen Tas, VP of Engineering at Comodo. “It’s not as complicated as you may think. You should use a certified and proven antivirus product, always installing the latest version and applying updates. Additionally, you should go beyond traditional security prevention by utilizing a HIPS (host-based intrusion prevention system) product, and applying some basic application execution control to prevent these types of malware from taking over your system.”

Also, since there are cases where malware can infect a system through the e-mail service, Egemen states that a good prevention practice is “not opening attachments from unsolicited emails”, meaning that if an unexpected email from an unknown person or even a friend arrives in your inbox containing a strange attachment, it is better to delete it rather than risk opening it.

UK’s National Crime Agency Gives Two-Weeks Notice Regarding GoZeuS and CryptoLocker

The UK National Crime Agency warns the public to take advantage of a two-week notice in order to protect themselves from two major malware roaming the internet, the GoZeuS and CryptoLocker, which are responsible for transferring cash from online accounts and holding personal data for ransom.

The NCA stated that the alert is the most largest industry and law enforcement collaborations to this date and that the FBI’s involvement in several countries has weakened the global network of infected computers, meaning that the notice and prevention ahead of the malware activity can help diminish the infection chance.

GoZeuS, also known as P2PZeuS or Gameover ZeuS, and CryptoLocker are said to target all versions of Windows operating systems, including the ones running in virtual environment, servers or embedded versions. The agency also states that the malware is responsible for transferring hundreds of millions of pounds around the world.

In the case where GoZeuS cannot transfer significant amounts of money from a personal computer, it is said that CryptoLocker is called as a back-up plan, locking the user’s personal data and holding it for ransom, currently price at 1 Bitcoin. The recent estimate of infected systems is said to be at 15,500 PCs in the UK alone.

The infection is said to occur by clicking fake links or attachments in e-mail sent by people in the contact book who have already been infected by the malware. The NCA recommends users to always keep their software up to date and check their computers for infection using antivirus software.

Thank you TheNextWeb for providing us with this information
Image courtesy of TheNextWeb