The Hacker News — Cyber Security, Hacking, Technology News

We don't really know the pain and cost of a downtime event unless we are directly touched.

Be it a flood, electrical failure, ransomware attack or other broad geographic events; we don't know what it is really like to have to restore IT infrastructure unless we have had to do it ourselves.

We look at other people's backup and recovery issues and hope we are smarter or clever enough to keep it from happening to us.

Recovery from a downtime event includes inconvenience, extra work, embarrassment and yes, real pain.

A ransomware attack is a good example.

Unitrends—an American company specialised in backup and business continuity solutions—recently shared with us a real cyber-attack incident happened with one of their customers to describe the required steps they took to recover functionality following a CryptoLocker attack against a US city.

Also, how it cost city's Governance team days of production and hundreds of man-hours to recover.

The Challenge

Issaquah is a small city of 30,434 people in Washington, United States. According to Forbes, they are the 2nd fastest growing suburb in the state of Washington.

John T, IT Manager leads a team of five employees who execute all IT initiatives co-developed with the city's IT Governance team. John's team manages all technology, from phones, networks, servers, desktops, applications and cloud services.

The city has only two IT staff dedicated to infrastructure.

"We are spread so thin that logs are not monitored consistently," reports John. "We are slowly recovering from a decade of underinvestment in IT and have a large backlog of software, hardware and network upgrades."

Part of that underinvestment is that they continued to rely on a tape drive that was ten years old using Backup Exec.

They continued to stumble along until they were hit with a CryptoLocker ransomware attack.

The Infection

Here below find the complete story shared by John with us:

In the final analysis, we believe the ransomware attack originated from a "drive-by" where a single city employee visited and opened a .pdf file that had been compromised on a grant coordination site run by a non-profit. This is not an uncommon risk—a small company or organisation website that doesn’t have IT funding to keep up with the security risks in today’s lightspeed world.

Most entries in the User’s Log file were harmless, though the way this virus worked, it could have been downloaded at any time but still needed to be executed by the user. It could have been sitting on the hard drive for weeks (looking like a .pdf) before being executed, though we would need to interview the user to see if she remembers anything like this. This ransomware appeared to disable our anti-virus systems, and is known to remove all traces once finished.

This virus ran only in PC memory and did not turn up on any other devices in our system. It only attacked Microsoft Office, image, .pdf, and text files in folders on the user’s PC and file shares to which the user had to write access. It stopped encrypting files once the PC was restarted in safe mode. The lack of propagation could have been a result of either the virus being designed to reside solely in memory to prevent triggering alarms or because our anti-virus software intercepted it at other devices as it attempted to propagate.

The physical server that hosted the file also hosted five critical virtual application servers. After careful analysis, it was determined these were not compromised. We immediately moved these virtual machines onto a different host. This was done prior to kicking off the server restore to reduce processor and NIC load on the file server host.

When we began the file server restore process it quickly became apparent it would take a long time… four days as it turned out. A quick analysis revealed we had no other options to restore the file server. The backup.exe device did work and never failed or stopped during the restore process. It seems the scale of the restore was too big for the device capacity and it had to chunk the workout, making the process very long.

Fortunately for us, the attack had happened on a Thursday, so only Thursday and Friday office productivity was lost. Even so, our users were very negatively impacted and quite upset (as were we). This led to funding being released to move to a modern backup appliance.

The Real Cost to Recover from a Ransomware Attack

John said senior executives agreed to fund an upgrade to the backup system, and after a vendor selection process, his team chose what it felt was the best combination of features and capacity with reasonable costs.

If the same Ransomware attack occurred today with data backed up on the Unitrends Recovery Series 933S appliance the results would have been much different.

First, the attack would have been discovered very quickly as all Unitrends appliances include predictive analytic software and machine learning that will automatically recognise the effects of ransomware on backup files.

An email would then automatically be sent to administrators warning of the attack and identifying the affected files. Then the disaster recovery plan they had in place would be executed.

Secondly, deleting, reinstalling affected files and restarting affected servers would take minutes, not hours and probably not four days.

Critical applications could have been spun up instantly on the backup appliance using the last good backups made before the infection. This would greatly limit the negative impact on employees and office productivity.

The Results

There have been several backup and recovery incidents since the Unitrends Appliance was installed, reported John.

"We have used our backup appliance to recover files that were accidentally deleted by end users. We had also used it to recover virtual machines when we had a host system failure. The downtime in the latter case was limited to staff response time as the mission-critical backup VM was up in less than five minutes!"

"We also plan on moving to the cloud very soon since the Unitrends appliance comes with integrated cloud software. The biggest benefits we expect to see from the cloud are low-cost off-site storage, the ability to recover applications in the cloud if needed as a DraaS feature, and access from anywhere in case of a natural disaster type emergency."

"We now have peace of mind knowing that we can recover quickly when needed. We also have increased shared team knowledge on backup and DR with the easy-to-use user interface."

Remember NotPetya?

The Ransomware that shut down thousands of businesses, organisations and banks in Ukraine as well as different parts of Europe in June this year.

Now, Ukrainian government authorities are once again warning its citizens to brace themselves for next wave of "large-scale" NotPetya-like cyber attack.

According to a press release published Thursday by the Secret Service of Ukraine (SBU), the next major cyber attack could take place between October 13 and 17 when Ukraine celebrates Defender of Ukraine Day (in Ukrainian: День захисника України, Den' zakhysnyka Ukrayiny).

Authorities warn the cyber attack can once again be conducted through a malicious software update against state government institutions and private companies.

The attackers of the NotPetya ransomware also used the same tactic—compromising the update mechanism for Ukrainian financial software provider called MeDoc and swapping in a dodgy update including the NotPetya computer virus.

The virus then knocked computers in Ukrainian government agencies and businesses offline before spreading rapidly via corporate networks of multinational companies with operations or suppliers in eastern Europe.

Presentation by Alexander Adamov, CEO at NioGuard Security Lab

The country blamed Russia for the NotPetya attacks, while Russia denied any involvement.

Not just ransomware and wiper malware, Ukraine has previously been a victim of power grid attacks that knocked its residents out of electricity for hours on two different occasions.

The latest warning by the Ukrainian secret service told government and businesses to make sure their computers and networks were protected against any intrusion.

"SBU notifies about preparing for a new wave of large-scale attack against the state institutions and private companies. The basic aim—to violate normal operation of information systems, that may destabilize the situation in the country," the press release reads. 

"The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017."

To protect themselves against the next large-scale cyber attack, the SBU advised businesses to follow some recommendations, which includes:

• Updating signatures of virus protection software on the server and in the workstation computers.
• Conducting redundancy of information, which is processed on the computer equipment.
• Providing daily updating of system software, including Windows operating system of all versions.

Since the supply chain attacks are not easy to detect and prevent, users are strongly advised to keep regular backups of their important files on a separate drive or storage that are only temporarily connected for worst case scenarios.

Most importantly, always keep a good antivirus on your system that can detect and block any malware intrusion before it can infect your device, and keep it up-to-date for latest infection-detection.

DoubleLocker—as the name suggests, it locks device twice.

Security researchers from Slovakia-based security software maker ESET have discovered a new Android ransomware that not just encrypts users’ data, but also locks them out of their devices by changing lock screen PIN.

On top of that:

DoubleLocker is the first-ever ransomware to misuse Android accessibility—a feature that provides users alternative ways to interact with their smartphone devices, and mainly misused by Android banking Trojans to steal banking credentials.

"Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers," said Lukáš Štefanko, the malware researcher at ESET.

"Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom."

Researchers believe DoubleLocker ransomware could be upgraded in future to steal banking credentials as well, other than just extorting money as ransom.

First spotted in May this year, DoubleLocker Android ransomware is spreading as a fake Adobe Flash update via compromised websites.

Here's How the DoubleLocker Ransomware Works:

Once installed, the malware requests user for the activation of 'Google Play Services' accessibility feature, as shown in the demonstration video.

After obtaining this accessibility permission, the malware abuses it to gain device's administrator rights and sets itself as a default home application (the launcher)—all without the user's knowledge.

"Setting itself as a default home app – a launcher – is a trick that improves the malware's persistence," explains Štefanko.

"Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again. Thanks to using the accessibility service, the user does not know that they launch malware by hitting Home."

Once executed, DoubleLocker first changes the device PIN to a random value that neither attacker knows nor stored anywhere and meanwhile the malware encrypts all the files using AES encryption algorithm.

DoubleLocker ransomware demands 0.0130 BTC (approximately USD 74.38 at time of writing) and threatens victims to pay the ransom within 24 hours.

If the ransom is paid, the attacker provides the decryption key to unlock the files and remotely resets the PIN to unlock the victim's device.

How to Protect Yourself From DoubleLocker Ransomware

According to the researchers, so far there is no way to unlock encrypted files, though, for non-rooted devices, users can factory-reset their phone to unlock the phone and get rid of the DoubleLocker ransomware.

However, for rooted Android devices with debugging mode enabled, victims can use Android Debug Bridge (ADB) tool to reset PIN without formatting their phones.

The best way to protect yourself from avoiding falling victims to such ransomware attacks is to always download apps from trusted sources, like Google play Store, and stick to verified developers.

Also, never click on links provided in SMS or emails. Even if the email looks legit, go directly to the website of origin and verify any possible updates.

Moreover, most importantly, keep a good antivirus app on your smartphone that can detect and block such malware before it can infect your device, and always keep it and other apps up-to-date.

Whenever we feel like the Locky ransomware is dead, the notorious threat returns with a bang.

Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were "extremely vague," with subjects lines such as "please print," "documents," "images," "photos," "pictures," and "scans" in an attempt to convince victims into infecting themselves with Locky ransomware.

The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim tricked into clicking it, the VBS file starts a downloader that downloads the latest version of the Locky ransomware, called Lukitus (which means "locked" in Finnish), and encrypts all the files on the target computer, and appends [.]lukitus to the encrypted data.

After encryption process ends, the malware displays a ransomware message on the victim's desktop that instructs the victim to download and install Tor browser and visit the attacker's site for further instructions and payments.

This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a "Locky decryptor" in order to get their files back.

This Lukitus attack campaign is still ongoing, and AppRiver researchers had "quarantined more than 5.6 million" messages in the campaign on Monday morning.

Sadly, this variant is impossible to decrypt as of now.

2nd Locky Campaign Sends over 62,000 Emails

In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware has been distributed using 11,625 different IP addresses in 133 different countries—likely made of a botnet of "zombie computers" to conduct coordinated phishing attacks.

According to security researchers at Comodo, "this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations' infrastructures."

The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the above case.

The cyber criminals operating Locky's IKARUSdilapidated variant demands ransom between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to get their encrypted files back.

This massive Locky ransomware campaign targets "tens of thousands" of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here's How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises with the last few months happening several widespread ransomware outbreaks, including WannaCry, NotPetya, and LeakerLocker.

Currently, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent via an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system Up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis. Do you also want to learn real-world hacking techniques but don’t know where [...]

"Ransomware" threat is on the rise, and cyber criminals are making millions of dollars by victimizing as many people as they can—with WannaCry, NotPetya and LeakerLocker being the ransomware threats that made headlines recently.

What's BAD? Hacker even started selling ransomware-as-a-service (RaaS) kits in an attempt to spread this creepy threat more easily, so that even a non-tech user can create their own ransomware and distribute the threat to a wider audience.

The WORSE—You could see a massive increase in the number of ransomware campaigns during the next several months—thanks to new Android apps available for anyone to download that let them quickly and easily create Android ransomware with their own devices.

Security researchers at Antivirus firm Symantec have spotted some Android apps available on hacking forums and through advertisements on a social networking messaging service popular in China, which let any wannabe hacker download and use Trojan Development Kits (TDKs).

How to Create Your Own Android Ransomware

With an easy-to-use interface, these apps are no different from any other Android app apart from the fact that it allows users to create their custom mobile malware with little to no programming knowledge.

To create customized ransomware, users can download one such app (for an obvious reason we are not sharing the links), install and open it, where it offers to choose from the following options, which are displayed on the app's on-screen form:

The message that is to be shown on the locked screen of the infected device

• The key to be used to unlock that infected device
• The icon to be used by their malware
• Custom mathematical operations to randomize the code
• Type of animation to be displayed on the infected device

Once all of the information has been filled in, users just require hitting the "Create" button.

If the user hasn't before, the app will prompt him/her to subscribe to the service before proceeding. The app allows the user to start an online chat with its developer where he/she can arrange a one-time payment.

After the payment has been made, the "malware is created and stored in the external storage in ready-to-ship condition," and then the user can continue with the process, making as many as victims as the user can.

"Anyone unlucky enough to be tricked into installing the malware will end up with a locked device held to ransom," Symantec researchers say. 

"The malware created using this automation process follows the typical Lockdroid behavior of locking the device’s screen with a SYSTEM_ALERT_WINDOW and displaying a text field for the victim to enter the unlock code."

The Lockdroid ransomware has the ability to lock the infected device, change the device PIN, and delete all of its user data through a factory reset, and even prevent the user from uninstalling the malware.

Such apps allow anyone interested in hacking and criminal activities to develop a ready-to-use piece of ransomware malware just by using their smartphones without any need to write a single line of code.

"However, these apps are not just useful for aspiring and inexperienced cyber criminals as even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves," the researchers say.

So, get ready to expect an increase in mobile ransomware variants in coming months.

How to Protect Your Android Devices from Ransomware Attacks

In order to protect against such threats on mobile devices, you are recommended to:

• Always keep regular backups of your important data.
• Make sure that you run an active anti-virus security suite of tools on your machine.
• Avoid downloading apps from unknown sites and third-party app stores.
• Always pay close attention to the permissions requested by an app, even if it is downloaded from an official app store.
• Do not open any email attachments from unknown sources.
• Finally, browse the Internet safely.

One of the most devastating aspects of the recent WannaCry ransomware attack was its self-propagating capability exploiting a vulnerability in the file access protocol, SMB v1.

Most enterprises defences are externally-facing, focused on stopping incoming email and web attacks. But, once attackers gain a foothold inside the network through malware, there are very few security controls that would prevent the spread of the attack between enterprise locations in the Wide Area Network (WAN).

This is partly due to the way enterprises deploy security tools, such as IPS appliances, and the effort needed to maintain those tools across multiple locations.

It’s for those reasons Cato Networks recently introduced a context-aware Intrusion Prevention System (IPS) as part of its secure SD-WAN service. There are several highlights in this announcement that challenge the basic concept of how IT security maintains an IPS device and sustains the effectiveness of its protection.

Cato Networks is a cloud-based, SD-WAN service provider that uniquely integrates network security into its SD-WAN offering.

The Cato IPS is fully converged with Cato’s other security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection.

With the IPS roll out, Cato continues its march towards providing secure networking everywhere while simplifying the overall IT stack for the enterprise.

Cato Networks IPS as a Service

With IPS as a service, Cato takes care of the work previously spent managing and maintaining the IPS appliances including sizing, capacity planning, patching, and signature management.

These are a complex task because IPS appliance performance is impacted by the mix of encrypted and unencrypted traffic and the number of active attack signatures.

Normally, IT professionals must spend time carefully calculating the effectiveness of a signature and its performance impact to avoid slowing-down traffic due to IPS appliance overload.

Cato addresses both issues. The Cato IPS leverages its elastic cloud platform to inspect any mix of encrypted and unencrypted traffic in real-time.

The decision of which signatures to deploy is made by the experts of Cato Research Labs. They consider the relevancy of the threat and the best way to describe it to the system. Often, an existing signature may already cover a specific attack vector.

New Kind of Signatures With Context-Aware Protection

The Cato IPS has another unique capability. Because it operates in the same software stack as all other network and security services and within a cloud network, it can access a rich set of context attributes.

This forms a foundation for very sophisticated signatures that are hard to compose with stand-alone IPS devices. The use of rich context makes Cato IPS signatures more accurate and more effective.

Context attributes include the application being accessed and the client being used to access it, user identity, geolocation, IP and domain reputation, the file type exchanged, and DNS activity associated with the session.

Cato shared on its blog how Cato IPS stopped the spread of the Wannacry ransomware across sites, and how Cato IPS detected command-and-control communication at one of its customer locations.

Interestingly, the IPS can extend its protection across sites and users without the need to deploy distributed appliances, another benefit of the system.

If you are a distributed enterprise and constraint by your ability to support a complex networking and security environment, Cato’s approach can improve your security posture while keeping overhead to a minimum.

Disclosure: This is a sponsored post from Cato Networks, and it is really coming at a great time because we were just thinking to share with you about how to prevent Wannacry like attacks from spreading across the enterprise networks.

Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine as well as different parts of Europe around 45 days ago.

However, the story is not as simple as it seems, which portrayed this man as a criminal. I recommend you to read complete article to understand the case better and then have an opinion accordingly.

Sergey Neverov (Сергей Неверов), father of two sons and the resident of the southern city of Nikopol, is a video blogger and computer enthusiast who was arrested by the Ukrainian police on Monday, August 7 from his home.

What Neverov Did?

According to a press release published on Thursday by the Ukrainian cyber police department, Neverov uploaded a video, showing how to infect a computer with Petya.A ransomware—and also shared a download link for NotPetya malware to his social media account.

After searching Neverov's home, the authorities seized his computers and other equipment, which were later analysed by the officers from the Ukrainian cyber-crime department, who discovered some files containing the malicious software.

However, the police confirmed that Neverov was neither the actual author of the NotPetya virus, nor he was behind the massive ransomware attack that crippled many businesses and banks in this summer.

The authorities charged Neverov of spreading a copy of NotPetya virus via his social media account that eventually infected at least 400 computers in Ukraine, and also believe that he had helped tax evaders — directly or indirectly.

Companies Intentionally Infected Their Computers to Avoid Paying Taxes & Fines

If you are not aware, 30th June was the last date in Ukraine for filing tax returns and unfortunately, during the same time NotPetya outcry began that encrypted sensitive files and documents for several businesses and organisations across the country.

Since firms that were infected by the virus were unable to submit tax reports on time and liable for paying huge fines for late submissions, the head of the parliamentary committee on tax and customs, Nina Yuzhanina, gave affected taxpayers some relief (through a statement on his Facebook profile) by extending the last date to 31st December, 2017.

Police believe the malware sample distributed by Neverov is being used by some businesses to deliberately infect their systems to avoid paying taxes on time as well as late tax return penalty.

Is Neverov a Hacker or Computer Enthusiast?

However, the story has another angle that indicates charges on Neverov are baseless.

As I mentioned, Neverov is a video-blogger with 11,000 followers on YouTube, who loves to play with computers and publish review videos on computer hardware and gadgets for informational purposes.

Neverov never tried to hide his identity, and even in some of his videos, he revealed his face and the exact GPS location to his house in Nikopol, which suggests that he had nothing to hide, neither his intentions were wrong.

When NotPetya outcry hit his country, Neverov got curious about the ransomware and started studying about the malware to understand how it works and to find a way to recover infected files without paying ransom to the attackers.
To get started, he downloaded a sample of NotPetya ransomware from the Internet and tested it on his computer, just like other malware analysts do.

In fact, while recording a video of the NotPetya infection to demonstrate its impact on a targeted computer, he failed two times in infecting his own computer.

When succeeded in the third attempt, Neverov uploaded the copy of NotPetya malware on file hosting website and shared the link on his social media account just for the informational purpose, saying "use at your own risk."

Moreover, it is important to note that Neverov would not be gaining any profit by distributing the ransomware because of NotPetya has been designed to blackmail victims into paying ransom amount to a specific Bitcoin address that belongs to the original attackers only.

If Convicted, Neverov Could Face 3 Years In Prison

Neverov, the computer enthusiast, has now been charged under article 361 (part 1) of the Criminal Code of Ukraine, which says:

"Unauthorized interference with the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks, ...which led to the leak, loss, fake, blocking information, distortion of the information processing or violation the established order it's routing."

Although this sanction provides maximum punishment of up to two years in prison, Neverov has been threatened to face up to three years in jail, according to the official comments from the law enforcement authorities.

The case seems somewhat similar to the one currently being faced by Marcus Hutchins, also known as MalwareTech, who gained famed for stopping the WannaCry ransomware.

Hutchins was arrested by the FBI while he was travelling to his home after attending Def Con event in the United States and has been charged with creating and distributing a banking malware.

Since Hutchins is a malware researcher, many infosec community members believe possibly a proof-of-concept code written and published by him publicly was re-used by the criminals to create the banking malware, which mistakenly framed him as the criminal mastermind.

Hutchins is set to face a hearing in the US district court on 14 August, so we still have to wait for more information about his case.

Greek police have arrested a Russian man who is believed to have been the operator of the popular BTC-e Bitcoin exchange on charges of laundering more than $4 billion in bitcoin for culprits involved in hacking attacks, tax fraud and drug trafficking.

A United States jury indicted 38-year-old Alexander Vinnik on Wednesday after his arrest in Greece on Tuesday at the request of US law enforcement authorities. The suspect is one of the operators of BTC-e, a service operational since 2011.

Headquartered in Russia, the digital currency exchange has been offline since the arrest of Vinnik, and its homepage says, "Site is under maintenance. We apologize for the inconvenience.."

According to a press release published by the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), BTC-e ignored "know your customer" laws in an effort to serve criminals, and even hosted message boards buzzing with illegal activities.
The FinCEN also announced a $110 million penalty against BTC-e for facilitating crimes along with a separate $12 Million fine against Vinnik.

BTC-e Linked to Collapse of Mt. Gox Bitcoin Exchange

This case is really important for the law enforcement because it could reveal the possible culprit behind the collapse of the once-very popular Japanese bitcoin exchange Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totalled at least $375 million in Bitcoin.

According to the U.S. Department of Justice, Vinnik obtained funds from the hacker or insider who stole bitcoins from Mt. Gox and sent them to a bitcoin wallet controlled by Vinnik, who intentionally laundered them through BTC-e, over a period of three years.

"After the coins entered Vinnik's wallets, most were moved to BTC-e and presumably sold off or laundered (BTC-e money codes were a popular choice). In total some 300,000 BTC ended up on BTC-e," according to WizSec, a Japanese security firm that has long been investigating the Mt. Gox case.

"To be clear, this investigation turned up evidence to identify Vinnik not as a hacker/thief but as a money launderer; his arrest news also suggests this is what he is being suspected for. He may have merely bought cheap coins from thieves and offered a laundering service."

Vinnik arrest is the latest in a series of US investigations against Russian cybercriminals in Europe, following the shutdown of two of the biggest dark web marketplaces, AlphaBay and Hansa, last week.

While Greek police described Vinnik as "an internationally sought ‘mastermind’ of a crime organisation," United States authorities accused him of facilitating crimes including hacking, identity theft, tax refund fraud, public corruption and drug trafficking.

Vinnik is to be charged with operation of an unlicensed money service business, conspiracy to commit money laundering, money laundering, and engaging in unlawful monetary transactions.

If found guilty, the suspect could face up to 55 years in prison, together with a $500,000 fine or twice the value of the property involved in the transaction for each count.

Bad news for Android users — Decompiled source code of for one of the oldest mobile and popular Android ransomware families has been published online, making it available for cyber criminals who can use it to develop more customised and advanced variants of Android ransomware.

Decompiled source code for the SLocker android ransomware, which saw a six-fold increase in the number of new versions over the past six months, has just been published on GitHub and is now available to anyone who wants it.

The SLocker source code has been published by a user who uses 'fs0c1ety' as an online moniker and is urging all GitHub users to contribute to the code and submit bug reports.

SLocker or Simple Locker is mobile lock screen and file-encrypting ransomware that encrypts files on the phone and uses the Tor for command and control (C&C) communication. The malware also posed as law enforcement agencies to convince victims into paying the ransom.

Famous for infecting thousands of Android devices in 2016, security researchers discovered more than 400 new variants of SLocker ransomware in the wild in May, and just after a month, the nasty Android ransomware was spotted copying the GUI of WannaCry.

Once infected, SLocker runs silently in the background of a victim's device without their knowledge or consent and encrypts images, documents and videos on mobile devices.

Once it has encrypted files on the device, the Android ransomware hijacks the phone, blocking its user access completely, and attempts to threaten the victim into paying a ransom to unlock it.

Why Should You Worry?

Being in action from 2015, SLocker stands out as one of the first ransomware samples to encrypt Android files. The malware has modified beyond just locking screens and demanding payment to taking over administrative rights and controlling the device's microphone, speakers, and the camera.

And now since the source code of this nasty Android ransomware has been released online on GitHub, Android devices are most likely to receive an increasing number of ransomware attacks in upcoming days.

The leaked source code would be a golden opportunity for those who always look for such opportunities as these kinds of malware programs are only offered for sale in underground forums, but SLocker is now accessible to cybercriminals and fraudsters for FREE.

Earlier this year, researchers discovered a variant of BankBot banking trojan in the wild which was developed using the leaked source code for the malware on an underground hacking forum.

Last year, the source code for the MazarBot (improved version of GM Bot) was also leaked online by its author in order to gain reputation on an underground forum.

How to Protect Yourself?

As I previously mentioned, users are always advised to follow some basic precautions in order to protect themselves against such threats:

• Never open email attachments from unknown sources.
• Never click on links in SMS or MMS messages.
• Even if the email looks legit from some company, go directly to the source website and verify any possible updates.
• Go to Settings → Security, and Turn OFF "Allow installation of apps from sources other than the Play Store."
• Always keep your Android devices, apps and Antivirus app up-to-date.
• Avoid unknown and unsecured Wi-Fi hotspots and keep Wi-Fi switched off when not in use.

Good news for you is that this week's THN Deals brings Ethical Hacking A to Z Bundle that let you get started regardless of your experience level.

Nothing in this world is fully secure, from our borders to cyberspace. I know vulnerabilities are bad, but the worst part comes in when people just don't care to apply patches on time.

Late last year, Cisco's Talos intelligence and research group discovered three critical remote code execution (RCE) vulnerabilities in Memcached that exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers.

Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory.

The Memcached application has been designed to speed up dynamic web applications (for example php-based websites) by reducing stress on the database that helps administrators to increase performance and scale web applications.

It's been almost eight months since the Memcached developers have released patches for three critical RCE vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706) but tens of thousands of servers running Memcached application are still vulnerable, allowing attackers to steal sensitive data remotely.

Researchers at Talos conducted Internet scans on two different occasions, one in late February and another in July, to find out how many servers are still running the vulnerable version of the Memcached application.

And the results are surprising...

• Total servers exposed on the Internet — 107,786
• Servers still vulnerable — 85,121
• Servers still vulnerable but require authentication — 23,707

And the top 5 countries with most vulnerable servers are the United States, followed by China, United Kingdom, France and Germany.

• Total servers exposed on the Internet — 106,001
• servers still vulnerable — 73,403
• Servers still vulnerable but require authentication — 18,012

After comparing results from both the Internet scans, researchers learned that only 2,958 servers found vulnerable in February scan had been patched before July scan, while the remaining are still left vulnerable to the remote hack.

Data Breach & Ransom Threats

This ignorance by organisations to apply patches on time is concerning, as Talos researchers warned that these vulnerable Memcached installations could be an easy target of ransomware attacks similar to the one that hit MongoDB databases in late December.

Although unlike MongoDB, Memcached is not a database, it "can still contain sensitive information and disruption in the service availability would certainly lead to further disruptions on dependent services."

The flaws in Memcached could allow hackers to replace cached content with their malicious one to deface the website, serve phishing pages, ransom threats, and malicious links to hijack victim's machine, placing hundreds of millions of online users at risk.

"With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world," the researchers concluded.

"If left unaddressed the vulnerabilities could be leveraged to impact organisations globally and affect business severely. It is highly recommended that these systems be patched immediately to help mitigate the risk to organisations."

Customers and organisations are advised to apply the patch as soon as possible even to Memcached deployments in "trusted" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.

After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users.

Dubbed LeakerLocker, the Android ransomware does not encrypt files on victim's device, unlike traditional ransomware, rather it secretly collects personal images, messages and browsing history and threatens to share it to their contacts if they don't pay $50 (£38).

Researchers at security firm McAfee spotted the LeakerLocker ransomware in at least two apps — Booster & Cleaner Pro and Wallpapers Blur HD — in the Google Play Store, both of which have thousands of downloads.

To evade detection of malicious functionality, the apps initially don’t contain any malicious payload and typical function like legitimate apps.

But once installed by users, the apps load malicious code from its command-and-control server, which instructs them to collect a vast number of sensitive data from the victim's phone — thanks to its victims granting unnecessary permissions blindly during installation.

The LeakerLocker ransomware then locks the home screen and displays a message that contains details of the data it claims to have stolen and holds instructions on how to pay the ransom to ensure the information is deleted.

The ransom message reads:

All personal data from your smartphone has been transferred to our secure cloud.


In less than 72 hours this data will be sent to every person on your telephone and email contacts list. To abort this action you have to pay a modest ransom of $50 (£38).


Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won't affect your data in the cloud.

Although the ransomware claims that it has taken a backup of all of your sensitive information, including personal photos, contact numbers, SMS', calls and GPS locations and browsing and correspondence history, researchers believe only a limited amount of data on victims is collected.

According to researchers, LeakerLocker can read a victim's email address, random contacts, Chrome history, some text messages and calls, take a picture from the camera, and read some device information.

All the above information is randomly chosen to display on the device screen, which is enough to convince the victims that lots of data have been copied.

Both malicious apps have since been removed by Google from the Play Store, but it is likely that hackers will try to smuggle their software into other apps.

If you have installed any of the two apps, uninstall it right now.

But if you are hit by the ransomware and are worried about your sexy selfies and photographs being leaked to your friends and relatives, you might be thinking of paying a ransom.

Do not pay the Ransom! Doing so motivates cyber criminals to carry out similar attacks, and there is also no guarantee that the stolen information will be deleted by the hackers from their server and will not be used to blackmail victims again.

Rejoice Petya-infected victims!

The master key for the original version of the Petya ransomware has been released by its creator, allowing Petya-infected victims to recover their encrypted files without paying any ransom money.

But wait, Petya is not NotPetya.

Do not confuse Petya ransomware with the latest destructive NotPetya ransomware (also known as ExPetr and Eternal Petya) attacks that wreaked havoc across the world last month, massively targeting multiple entities in Ukraine and parts of Europe.

The Petya ransomware has three variants that have infected many systems around the world, but now the author of the original malware, goes by the pseudonym Janus, made the master key available on Wednesday.

According to the security researchers, victims infected with previous variants of Petya ransomware, including Red Petya (first version) and Green Petya (second version) and early versions the GoldenEye ransomware can get their encrypted files back using the master key.

The authenticity of the master key has been verified by an independent Polish information security researcher known as Hasherezade.

"Similarly to the authors of TeslaCrypt, he released his private key, allowing all the victims of the previous Petya attacks, to get their files back," Hasherezade posted her finding on MalwareBytes on Thursday. 

"Thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back."

Although the first and second version of Petya was cracked last year, the private key released by Janus offers the fastest and most reliable way yet for Petya-infected victims to decrypt their files, especially locked with the uncrackable third version.

Meanwhile, Kaspersky Lab research analyst Anton Ivanov also analyzed the Janus' master key and confirmed that the key unlocks all versions of Petya ransomware, including GoldenEye.

Janus created the GoldenEye ransomware in 2016 and sold the variants as a Ransomware-as-a-Service (RaaS) to other hackers, allowing anyone to launch ransomware attacks with just one click and encrypt systems and demand a ransom to unlock it.

If the victim pays, Janus gets a cut of the payment. But in December, he went silent.

However, according to the Petya author, his malware has been modified by another threat actor to create NotPetya that targeted computers of critical infrastructure and corporations in Ukraine as well as 64 other countries.

The NotPetya ransomware also makes use of the NSA's leaked Windows hacking exploit EternalBlue and EternalRomance to rapidly spread within a network, and WMIC and PSEXEC tools to remotely execute malware on the machines.

Security experts even believe the real intention behind the recent ransomware outcry, which was believed to be bigger than the WannaCry ransomware, was to cause disruption, rather than just another ransomware attack.

According to researchers, NotPetya is in reality wiper malware that wipes systems outright, destroying all records from the targeted systems, and asking for ransom was just to divert world's attention from a state-sponsored attack to a malware outbreak.

Lucky are not those infected with NotPetya, but the master key can help people who were attacked by previous variants of Petya and Goldeneye ransomware in the past.

Security researchers are using the key to build free decryptors for victims who still have crypto-locked hard drives.

Ukrainian National Police has released a video showing officers raiding company of M.E.Doc accounting software makers, whose systems have been linked to outbreak of Petya (NotPetya) ransomware that recently infected computers of several major companies worldwide.

On 4th July, masked police officers from Ukrainian anti-cybercrime unit — carrying shotguns and assault rifles — raided the software development firm “Intellect Service,” in the capital city Kyiv and seized their servers, which were reportedly compromised by hackers to spread (ExPetr, PetrWrap, Petya, NotPetya) ransomware.

Researchers from ESET security firm have found a very stealthy malicious code in the M.E.Doc software update which was injected by an unknown hacker or group of hackers in mid-April by exploiting a vulnerability.

The malicious software upgrade, designed to install a backdoor and give unauthorized remote access to attackers, was then delivered as an update to nearly 1 million computers belonging to its client companies.
Researchers explain that the backdoor installed in endpoint computers was designed to allow hackers to execute various commands remotely and further install other malicious programs, eventually used to conduct WannaCry like global ransomware attack.

The software company previously denied its servers had been compromised, but several researchers and even Microsoft blamed the company for being "patient zero" for the NotPetya attack.

Ukrainian authority has also said that the company could face charges.

Moreover, the Petya investigation took interesting twist last week when researchers found that NotPetya is not a ransomware; instead, it’s a destructive piece of “wiper” malware designed to destroy all records from the targeted systems, making organizations to shut down their operations.

Ukrainian authority has recommended M.E.Doc customers to stop using its accounting software until further notice. So, you are supposed to turn off your computers if it has the M.E.Doc software installed on and change your passwords.

Ukraine believes Russia is behind the NotPetya cyber attack that shut down the nation's critical operations, including the airport, local metro, hospitals, and government, but authorities are still investigating the case.

NotPetya Hacker Demands 100 Bitcoins for the Decryption Key

It was also reported today that the hackers connected to the NotPetya ransomware moved $10,000 worth of Bitcoins from the online wallet they were using to receive payments from victims to a different wallet.

After that someone claimed to be connected to NotPetya Posted an announcement on DeepPaste and Pastebin, asking for 100 Bitcoins (roughly $256,000) for the private key that supposedly decrypts any file encrypted with NotPetya.

Ransomware Ransomware Everywhere Not a Single Place to Hide!

But, Microsoft has a simple solution to this problem to protect millions of its users against most ransomware attacks.

Two massive ransomware attacks — WannaCry and Petya (also known as NotPetya) — in a month have caused chaos and disruption worldwide, forcing hospitals, ATMs, shipping companies, governments, airports and car companies to shut down their operations.

Most ransomware in the market, including WannaCry and NotPetya, are specifically designed to target computers running Windows operating system, which is why Microsoft has been blamed for not putting proper defensive measures in place to prevent such threats.

But not now!

In the wake of recent devastating global ransomware outbreaks, Microsoft has finally realized that its Windows operating system is deadly vulnerable to ransomware and other emerging threats that specifically targets its platform.

To tackle this serious issue, the tech giant has introduced a new anti-ransomware feature in its latest Windows 10 Insider Preview Build (16232) yesterday evening, along with several other security features.

Microsoft is planning to introduce these security features in Windows 10 Creator Update (also known as RedStone 3), which is expected to release sometime between September and October 2017.

The anti-ransomware feature, dubbed Controlled Folder Access, is part of Windows Defender that blocks unauthorized applications from making any modifications to your important files located in certain "protected" folders.

Applications on a whitelist can only access Protected folders. So you can add or remove the apps from the list. Certain applications will be whitelisted automatically, though the company doesn't specify which applications.

Once turned on, "Controlled folder access" will watch over files stored inside Protected folders and any attempt to access or modify a protected file by non-whitelisted apps will be blocked by Windows Defender, preventing most ransomware to encrypt your important files.

So, whenever an application tries to make changes to Protected files but is blacklisted by the feature, you will get a notification about the attempt.

How to Enable Controlled Folder Access, Whitelist Apps and Add or Remove Protected Folders

Here's how to enable the Controlled folder access feature:

• Go to Start menu and Open the Windows Defender Security Center
• Go to the Virus & Threat Protection settings section
• Set the switch to On

Here's how to allow apps that you trust is being blocked by the Controlled folder access feature to access Protected folders:

• Go to Start menu and Open the Windows Defender Security Center
• Go to the Virus & Threat Protection settings section
• Click 'Allow an app through Controlled folder access' in the Controlled folder access area
• Click 'Add an allowed app' and select the app you want to allow

Windows library folders like Documents, Pictures, Movies, and Desktop are designated as being compulsorily "protected" by default, which can not be removed.


However, users can add or remove their personal folders to the list of protected folders. Here's how to add folders to Protected folders list:

• Go to Start menu and Open the Windows Defender Security Center
• Go to the Virus & Threat Protection settings section
• Click 'Protected folders' in the Controlled folder access area
• Enter the full path of the folder you want to monitor

Users can also enter network shares and mapped drives, but environment variables and wildcards are not supported at this moment.

Other Security Feature Introduced in Windows 10 Insider Program

With the release of Windows 10 Insider Preview Build 16232, Windows Defender Application Guard (WDAG) for Edge — a new system for running Microsoft Edge in a special virtual machine in order to protect the OS from browser-based flaws — also received improvements in usability.

Windows 10 Insider Preview Build also comes with support for Microsoft Edge data persistence when using WDAG.

"Once enabled, data such as your favorites, cookies, and saved passwords will be persisted across Application Guard sessions," Microsoft explains.
"The persisted data will be not be shared or surfaced on the host, but it will be available for future Microsoft Edge in Application Guard sessions."

Another new security feature called Exploit Protection has been introduced in Windows 10 16232, which blocks cyber attacks even when security patches are not available for them, which means the feature will be useful particularly in the case of zero-day vulnerabilities.

Exploit Protection works without Microsoft's Windows Defender Antivirus tool, but you can find the feature in Windows Defender Security Center → App & Browser Control → Exploit Protection.

In the Fall Creators Update for Windows 10, Microsoft has also planned to use a broad range of data from Redmond's cloud services, including Azure, Endpoint, and Office, to create an AI-driven Antivirus (Advanced Threat Protection) that can pick up on malware behavior and protect other PCs running the operating system.

Also, we reported about Microsoft's plan to build its EMET or Enhanced Mitigation Experience Toolkit into the kernel of the upcoming Windows 10 to boost the security of your PC against complex threats such as zero-day vulnerabilities.

Also, the company is planning to remove the SMBv1 (Server Message Block version 1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — from the upcoming Windows 10 (1709) Redstone 3 Update.

Besides this, some other changes and improvements have also been introduced with the release, along with patches for several known issues.

The author of original Petya ransomware is back.

After 6 months of silence, the author of the now infamous Petya ransomware appeared today on Twitter to help victims unlock their files encrypted by a new version of Petya, also known as NotPetya.

"We're back having a look in NotPetya," tweeted Janus, a name Petya creator previously chose for himself from a villain in James Bond. "Maybe it's crackable with our privkey. Please upload the first 1MB of an infected device, that would help."

This statement made by the Petya author suggests he may have held onto a master decryption key, which if it works for the new variant of Petya infected files, the victims would be able to decrypt their files locked in the recent cyber outcry.

Janus sold Petya as a Ransomware-as-a-Service (RaaS) to other hackers in March 2016, and like any regular ransomware, original Petya was designed to lock victim's computer, then return them when a ransom is paid.

This means anyone could launch the Petya ransomware attack with just the click of a button, encrypt anyone's system and demand a ransom to unlock it. If the victim pays, Janus gets a cut of the payment. But in December, he went silent.

However, on Tuesday, the computer systems of the nation's critical infrastructure and corporations’ in Ukraine plus 64 other countries were struck by a global cyber attack, which was similar to the WannaCry outbreak that crippled tens of thousands of systems worldwide.

Initially, the new variant of Petya ransomware, NotPetya, was blamed for infecting systems worldwide, but later, the NotPetya story took an interesting turn.

Yesterday, it researchers found that NotPetya is not a ransomware, rather it's a wiper malware that wipes systems outright, destroying all records from the targeted systems.

NotPetya also uses the NSA's leaked Windows hacking exploit EternalBlue and EternalRomance to rapidly spread within a network, and uses WMIC and PSEXEC tools to remotely execute malware on the machines.

Experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack to a malware outbreak.

Petya’s source code has never been leaked, but some researchers are still trying hard to reverse engineer it to find possible solutions.

Would this Really Help Victims?

Since Janus is examining the new code and even if his master key succeeds in decrypting victims’ hard drive's master file table (MFT), it won't help much until researchers find a way to repair the MBR, which is wiped off by NotPetya without keeping any copy.

Tuesday's cyber outbreak is believed to be bigger than WannaCry, causing disasters to many critical infrastructures, including bricking computers at a Ukrainian power company, several banks in Ukraine, and the country's Kyiv Boryspil International Airport.

The NotPetya virus has also canceled surgeries at two Pittsburgh-area hospitals, hit computers at the pharmaceutical company Merck and the law firm DLA Piper, as well as infected computers at the Dutch shipping company A.P. Moller-Maersk forcing them to shut down some container terminals in seaports from Los Angeles to Mumbai.

What if I say the Tuesday's devastating global malware outbreak was not due to any ransomware infection?

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Is Petya Ransomware Faulty or Over-Smart?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.
However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Don't Pay Ransom; You Wouldn’t Get Your Files Back

So far, nearly 45 victims have already paid total $10,500 in Bitcoins in hope to get their locked files back, but unfortunately, they would not.

It's because the email address, which was being set-up by the attackers to communicate with victims and send decryption keys, was suspended by the German provider shortly after the outbreak.

Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.

"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," the security firm said.

"To decrypt a victim’s disk threat actors need the installation ID. In previous versions of 'similar' ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery."

If claims made by the researcher is correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

However, it is still speculation, but the virus primarily and massively targeted multiple entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.

How Did Petya get into the Computers in the First Place?

According to research conducted by Talos Intelligence, little-known Ukrainian firm MeDoc is likely the primary source of the yesterday's global ransomware outbreak.

Researchers said the virus has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.

"At the time of updating the program, the system could not be infected with the virus directly from the update file," translated version of MeDoc post reads. "We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program."

However, several security researchers and even Microsoft agreed with Talo's finding, saying MeDoc was breached and the virus was spread via updates.