Saturday 20 May 2017

Ransomware and its impact on its Users - Part 2

When it comes to servers, the attack is downright vicious:

Some groups do this by infiltrating the target server and patching its software so that the stored data is written in an encrypted format for which only the cybercriminals hold the decryption key.

The premise of this attack is to silently encrypt all data held on a critical server, along with all of the backups of that data.

This process may take some time, depending on the organization, so it requires patience from the cybercriminals to carry it out successfully.

Once a suitable number of backups are encrypted, the cybercriminals remove the decryption key and then make their ransom demands known, which could be in the order of tens of thousands of dollars.

How do ransomware threats spread?

Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.

These are the most common infection methods used by cybercriminals:


  • Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
  • Security exploits in vulnerable software;
  • Internet traffic redirects to malicious websites;
  • Legitimate websites that have malicious code injected in their web pages;
  • Drive-by downloads;
  • Malvertising campaigns;
  • SMS messages (when targeting mobile devices);
  • Botnets;
  • Self-propagation (spreading from one infected computer to another); WannaCry, for instance, used an exploit kit that scanned a user’s PC, looking for a certain vulnerability, and then launched a ransomware attack that targeted it.
  • Affiliate schemes in ransomware-as-a-service. Basically, the developer behind the ransomware earns a cut of the profits each time a user pays the ransom.

Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).


These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to avoid cyber security solutions. The WannaCry attack is a perfect example of this, since it used a widespread Windows vulnerability to infect a computer with basically no user interaction.

That’s why each new variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their “product” with exploit kits, a pre-coded list of software vulnerabilities to target, and more.

How do ransomware infections happen?


Though the infection phase is slightly different for each ransomware version, the key stages are the following:

[Figure: simple ransomware infection chain]

  • Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by exploiting vulnerable software on the system.
  • If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
  • The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program onto the system.
  • The contacted C&C server responds by sending back the requested data.
  • The malware then encrypts the entire hard disk content: personal files, sensitive information, everything, including data stored in cloud accounts (Google Drive, Dropbox) synced to the PC. It can also encrypt data on other computers connected to the local network.
  • A warning pops up on the screen with instructions on how to pay for the decryption key.


Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.

Ransomware uses several evasion tactics that keep it hidden and allow it to:


  • Not get picked up by antivirus products
  • Not get discovered by cyber security researchers
  • Not get observed by law enforcement agencies and their own malware researchers.

The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.


So here are just a few of the tactics that encryption malware employs to remain covert and maintain the anonymity of its makers and distributors:
  • Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
  • It features built-in anonymizers, like TOR for its traffic and Bitcoin for its payments, to avoid tracking by law enforcement agencies and to receive ransom payments;
  • It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
  • It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals;
  • It features Fast Flux, another technique used to keep the source of the infection anonymous;
  • It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
  • It has polymorphic behavior which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
  • It has the ability to remain dormant: the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.

Monday 15 May 2017

Ransomware and its impact on the Users

May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe.

What is Ransomware?


Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.


There are two types of ransomware in circulation:

  • Encryptors, which incorporate advanced encryption algorithms. They are designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall and more.
  • Lockers, which lock the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.

Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and a ransom note is displayed on the screen instead. Examples include the Satana and Petya families.

Crypto-ransomware, as encryptors are usually known, is the most widespread type, and also the subject of this article. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment.

Ransomware has some key characteristics that set it apart from other malware:

  • It features unbreakable encryption, which means that you can’t decrypt the files on your own;
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
  • It will add a different extension to your files, which sometimes signals a specific type of ransomware strain;
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies;
  • Usually, the ransom payments have a time limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever;
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
  • It can spread to other PCs connected to a local network, creating further damage;
  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame;
  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances of the ransom being paid.

Their feature list keeps growing every day, with each new security alert broadcast by our team or other malware researchers.
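The signs listed above (content that looks like random bytes, a foreign extension appended after the document’s own, a ransom note dropped alongside) can be checked for from the defender’s side. The Python script below is an added example, not code from this post; it runs that check over a constructed in-memory set of files, and the same routine run against a backup set catches the silently encrypted backups described in the server attack of Part 2. The ".locked" extension, the file names and their contents are all made up for the example.

```python
import hashlib
import math
import os
from collections import Counter


def _pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for encrypted content (SHA-256 output bytes)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]


# Constructed sample directory: name -> content. The ".locked" files stand in
# for documents an encryptor has encrypted and renamed (".locked" is a
# placeholder, not a specific strain); the note file mimics a dropped ransom note.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report: revenue up, costs flat.\n" * 40,
    "budget.xlsx": b"item,cost\npaper,12\nink,30\n" * 30,
    "photo.jpg.locked": _pseudo_ciphertext(b"photo", 2048),
    "notes.txt.locked": _pseudo_ciphertext(b"notes", 2048),
    "README_FOR_DECRYPT.txt": b"Your files have been encrypted. Pay to get the key.\n",
}

KNOWN_DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text sits well below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Entropy per byte: 0.0 for a constant file, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Both signs from the post: an extension appended after a normal document
    extension, and content whose entropy is near that of random bytes."""
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    appended_ext = (ext.lower() not in KNOWN_DOC_EXTS
                    and inner_ext.lower() in KNOWN_DOC_EXTS)
    return appended_ext and shannon_entropy(data) > ENTROPY_THRESHOLD


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Ransom notes are small text files whose names advertise decryption."""
    lname = name.lower()
    text = data.decode("utf-8", errors="ignore").lower()
    return ("decrypt" in lname or "readme" in lname) and "encrypted" in text


def assess_directory(files: dict) -> tuple:
    """Return (encrypted_names, note_names, alert). The alert fires when at
    least 30% of files look encrypted or a ransom note sits next to one."""
    encrypted = [n for n, d in files.items() if looks_encrypted(n, d)]
    notes = [n for n, d in files.items() if looks_like_ransom_note(n, d)]
    share = len(encrypted) / len(files) if files else 0.0
    alert = share >= 0.3 or (bool(notes) and bool(encrypted))
    return encrypted, notes, alert


if __name__ == "__main__":
    enc, notes, alert = assess_directory(SAMPLE_FILES)
    print("encrypted-looking:", enc)
    print("ransom notes:", notes)
    print("ALERT" if alert else "clean")
```

Compressed archives and media files are also high-entropy, which is why the check demands the appended extension as well and why a fraction, not a single file, drives the alert.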

Ransomware is here to stay. The current conditions are a perfect storm which makes it the easiest and most viable source of money for any malicious hacker out there:

  • Ransomware-as-a-service, where malware creators sell their services in exchange for a cut of the profits.
  • Anonymous payment methods, such as Bitcoin, that allow cybercriminals to obtain ransom money knowing their identity can’t be easily revealed.
  • It’s impossible to make a completely secure software program. Each and every program has its weaknesses, and these can be exploited to deliver ransomware, as was the case with WannaCry.
  • The number of infections would drastically shrink if all users were vigilant. But most people aren’t, and they end up clicking infected links and other malicious sources.

Why ransomware creators and distributors target home users:

  • Because they don’t have data backups;
  • Because they have little or no cyber security education, which means they’ll click on almost anything;
  • Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
  • Because they lack even baseline cyber protection;
  • Because they don’t keep their software up to date (even if specialists always nag them to);
  • Because they fail to invest in need-to-have cyber security solutions;
  • Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
  • Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
  • Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).

Why ransomware creators and distributors target businesses:

  • Because that’s where the money is;
  • Because attackers know that a successful infection can cause major business disruptions, which will increase their chances of getting paid;
  • Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
  • Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
  • Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, going deep into a business’s core;
  • Because cyber criminals know that businesses would rather not report an infection for fear of legal consequences and brand damage;
  • Because small businesses are often unprepared to deal with advanced cyber attacks and have a relaxed BYOD (bring your own device) policy.

[Figure: ransomware damage statistics]


Why ransomware creators and distributors target public institutions:


  • Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
  • Because budget cuts and mismanagement frequently impact the cybersecurity departments;
  • Because the staff is not trained to spot and avoid cyber attacks (malware frequently uses social engineering tactics to exploit human naivety and psychological weaknesses);
  • Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
  • Because a successful infection has a big impact on conducting usual activities, causing huge disruptions;
  • Because successfully attacking public institutions feeds the cyber criminals’ egos (they may want money above all else, but they won’t hesitate to reinforce their standing in the community by attacking a high-profile target).

In terms of platforms and devices, ransomware doesn’t discriminate either. We have versions tailor-made for personal computers (too many types to count, but more on that in the “Notorious families” section), mobile devices (with Android as the main victim and staggering growth) and servers.

Will continue on ransomware, its infection methods and its precautions in the next blog. Please stay updated.

Sunday 30 April 2017

What is the Dark Web? How to access the dark web?



The Deep Web, also known as the “Deepnet,” the “Invisible Web,” the “Undernet” or the “hidden Web,” is the part of the Internet that is not considered part of the “surface web,” the portion of the World Wide Web that is indexed by conventional search engines. Many deep web sites are not indexed because they use dynamic databases that are devoid of hyperlinks and can only be found by performing an internal search query.

The dark web is the World Wide Web content that exists on darknets, overlay networks which use the public Internet but require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines, although sometimes the term "deep web" is mistakenly used to refer specifically to the dark web.

The darknets which constitute the dark web include small, friend-to-friend peer-to-peer networks, as well as large, popular networks like Tor, Freenet, and I2P, operated by public organizations and individuals. Users of the dark web refer to the regular web as Clearnet due to its unencrypted nature. The Tor dark web may be referred to as onionland, a reference to the network's top level domain suffix .onion and the traffic anonymization technique of onion routing.

Darknet websites are accessible only through networks such as Tor ("The Onion Router") and I2P ("Invisible Internet Project"). The Tor browser and Tor-accessible sites are widely used among darknet users and can be identified by the ".onion" domain. While Tor focuses on providing anonymous access to the Internet, I2P specializes in allowing anonymous hosting of websites. Identities and locations of darknet users stay anonymous and cannot be tracked due to the layered encryption system. The darknet encryption technology routes users' data through a large number of intermediate servers, which protects the users' identity and guarantees anonymity. Each layer of the transmitted information can be decrypted only by the next node in the path, which leads step by step to the exit node. This makes it almost impossible to reproduce the node path and decrypt the information layer by layer. Due to the high level of encryption, websites cannot determine the geolocation or IP address of their users, and users cannot obtain this information about the host. Thus, communication between darknet users is highly encrypted, allowing users to talk, blog, and share files confidentially.
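The layer-by-layer decryption described above can be shown with a small Python model of a three-relay circuit. It is an added example, not code from this post or from the Tor project: the relay names, their keys and the destination example.org are made up, and a SHA-256-based keystream stands in for the real per-hop cipher so the script runs on the standard library alone. It shows that each relay recovers only the next hop, and that a relay cannot open a packet still wrapped in another relay's layer.

```python
import hashlib
import json

# Constructed circuit: three relays, each holding a symmetric key shared with
# the client alone. Real Tor negotiates these keys in a handshake per hop.
RELAY_KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
PATH = ["guard", "middle", "exit"]


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher, used only so the example
    runs on the standard library (Tor uses AES-CTR; not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one encryption layer; applying it twice restores the input."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(message: str, destination: str) -> bytes:
    """Client side: wrap innermost-first, so the exit's layer goes on first and
    the guard's layer last. Each layer names only the next hop."""
    inner = json.dumps({"next": destination, "body": message}).encode()
    onion = xor_layer(RELAY_KEYS[PATH[-1]], inner)
    for i in range(len(PATH) - 2, -1, -1):
        layer = json.dumps({"next": PATH[i + 1], "body": onion.hex()}).encode()
        onion = xor_layer(RELAY_KEYS[PATH[i]], layer)
    return onion


def peel(relay: str, onion: bytes):
    """One relay strips exactly its own layer and learns only the next hop plus
    an opaque body it cannot decrypt."""
    layer = json.loads(xor_layer(RELAY_KEYS[relay], onion))
    return layer["next"], layer["body"]


def relay_can_read(relay: str, onion: bytes) -> bool:
    """True only if this relay's key turns the packet into a valid layer."""
    try:
        peel(relay, onion)
        return True
    except (ValueError, TypeError, KeyError):  # decode or JSON failure: wrong key
        return False


def route(onion: bytes):
    """Walk the circuit, recording the next hop each relay observed. Returns
    (observations, plaintext delivered by the exit)."""
    observed = {}
    for relay in PATH:
        nxt, body = peel(relay, onion)
        observed[relay] = nxt
        if relay == PATH[-1]:
            return observed, body
        onion = bytes.fromhex(body)  # remaining layers, still encrypted


if __name__ == "__main__":
    packet = build_onion("hello from the client", "example.org")
    print("middle relay can read the raw packet:", relay_can_read("middle", packet))
    print(route(packet))
```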

Darknet markets

Commercial darknet markets, which mediate transactions for illegal drugs and other goods, attracted significant media coverage starting with the popularity of Silk Road and Diabolus Market and their subsequent seizure by legal authorities. Other markets sell software exploits and weapons. Examinations of price differences in dark web markets versus prices in real life or over the World Wide Web have been attempted, as well as studies of the quality of goods received over the dark web. One such study examined the quality of illegal drugs found on Evolution, one of the most popular crypto markets, active from January 2014 to March 2015. An example of its analytical findings was that “digital information, such as concealment methods and shipping country, seems accurate, but the illicit drugs’ purity is found to be different from the information indicated on their respective listings.” Less is known about consumer motivations for accessing these marketplaces and the factors associated with their use.


Saturday 29 April 2017

7 Technology Trends That Will Dominate 2017

1. IoT and Smart Home Tech

We’ve been hearing about the forthcoming revolution of the Internet-of-Things (IoT) and the resulting interconnectedness of smart home technology for years. So what’s the holdup? Why aren’t we all living in smart, connected homes by now? Part of the problem is too much competition, with not enough collaboration—there are tons of individual appliances and apps on the market, but few solutions to tie everything together into a single, seamless user experience. Now that bigger companies already well-versed in uniform user experiences (like Google, Amazon, and Apple) are getting involved, I expect we’ll see some major advancements on this front in the coming year.

2. AR and VR

We’ve already seen some major steps forward for augmented reality (AR) and virtual reality (VR) technology in 2016. Oculus Rift was released, to positive reception, and thousands of VR apps and games followed. We also saw Pokemon Go, an AR game, explode with over 100 million downloads. The market is ready for AR and VR, and we’ve already got some early-stage devices and tech for these applications, but it’s going to be next year before we see things really take off. Once they do, you’ll need to be ready for AR and VR versions of practically everything—and ample marketing opportunities to follow.

3. Machine Learning

Machine learning has taken some massive strides forward in the past few years, even emerging to assist and enhance Google’s core search engine algorithm. But again, we’ve only seen it in a limited range of applications. Throughout 2017, I expect to see machine learning updates emerge across the board, entering almost any type of consumer application you can think of, from offering better recommended products based on prior purchase history to gradually improving the user experience of an analytics app. It won’t be long before machine learning becomes a kind of “new normal,” with people expecting this type of artificial intelligence as a component of every form of technology.

4. Automation

Marketers will be (mostly) pleased to learn that automation will become a bigger mainstay in and throughout 2017, with advanced technology enabling the automation of previously human-exclusive tasks. We’ve had robotic journalists in circulation for a couple of years now, and I expect it won’t be long before they make another leap into more practical types of articles. It’s likely that we’ll start seeing productivity skyrocket in a number of white-collar type jobs—and we’ll start seeing some jobs disappear altogether. When automation is combined with machine learning, everything can improve even faster, so 2017 has the potential to be a truly landmark year.

5. Humanized Big Data (visual, empathetic, qualitative)

Big data has been a big topic for the past five years or so, when it started making headlines as a buzzword. The idea is that mass quantities of gathered data—which we now have access to—can help us in everything from planning better medical treatments to executing better marketing campaigns. But big data’s greatest strength—its quantitative, numerical foundation—is also a weakness. In 2017, I expect we’ll see advancements to humanize big data, seeking more empathetic and qualitative bits of data and projecting it in a more visualized, accessible way.

6. Physical-Digital Integrations

Mobile devices have been slowly adding technology into our daily lives. It’s rare to see anyone without a smartphone at any given time, giving us access to practically infinite information in the real-world. We already have things like site-to-store purchasing, enabling online customers to buy and pick up products in a physical retail location, but the next level will be even further integrations between physical and digital realities. Online brands like Amazon will start having more physical products, like Dash Buttons, and physical brands like Walmart will start having more digital features, like store maps and product trials.

7. Everything On-Demand

Thanks to brands like Uber (and the resulting madness of startups built on the premise of being the “Uber of ____”), people are getting used to having everything on demand via phone apps. In 2017, I expect to see this develop even further. We have thousands of apps available to us to get rides, food deliveries, and even a place to stay for the night, but soon we’ll see this evolve into even stranger territory.

Anyone in the tech industry knows that making predictions about the course of technology’s future, even a year out, is an exercise in futility. Surprises can come from a number of different directions, and announced developments rarely release as they’re intended.

Still, it pays to forecast what’s coming next so you can prepare your marketing strategies (or your budget) accordingly. Whatever the case may be, it’s still fun to think about everything that’s coming next.

Robot Fish Can Blend in and Spy on Real Sea Creatures

As the world moves towards Robotics and Automation, here comes SoFi, a so-called Robofish developed by Computer Science stude...