Scam Of The Week: IRS Refund Ransomware
Many of us waited till the last moment before the April 15 tax deadline and are now holding our collective breath in expectation of that possibly rewarding refund. The problem is that cybercriminals are very aware of this anticipation and use social engineering tactics to trick taxpayers.
Knowing that many in America are waiting for word from the Internal Revenue Service concerning pending refunds, the cyber mafia is working hard to get in first with a massive phishing attack that has a ransomware attachment.
The attachment is an infected Word file, which holds a ransomware payload and encrypts the files of the unlucky end-user who opens the attachment, and all connected network drives if there are any.
I suggest you send this Scam Of The Week to all your friends, family and employees with something like the following message (Feel free to copy/paste/edit:)
“Cyber criminals are preying on American tax payers that have made the April 15th deadline and are now waiting to hear about their refund. There is a massive phishing scam going on right now which tries to trick you into opening a Microsoft Word attachment. But if you do, all your files will get hijacked and encrypted. If that happens, you only get your files back after paying around $500 ransom. Remember, think before you click, and do not open any attachments you did not ask for!”
Step employees through effective security awareness training, it is how to stay safe out there on the Wild, Wild, Web. Here is what the email looks like:
New TeslaCrypt Ransomware Uses More Exploit Kits As Infection Vector
The new Internet Security Threat report from Symantec shows that the growth of file-encrypting ransomware attacks expanded from 8,274 in 2013 to 373,342 in 2014. This is 45 times more crypto-ransomware in the threat landscape within a one-year span.
Combine that with the new Verizon Breach Investigations Report last week which showed that you’ve got one minute and 22 seconds to save your files from being encrypted and you see the problem. Verizon calculated 82 seconds as the median time it takes for an employee to open a phishing email that lands on a company’s network and in their inbox.
TeslaCrypt is one of the latest copycat ransomware strains which has ripped off the CryptoLocker brand, and is now infecting user’s workstations through multiple exploit kits.
Apart from a laundry list of file types that ransomware normally encrypts, TeslaCrypt also tries to cash in on the $81 billion game market and encrypts over 40 file types associated with popular computer video games, like Call of Duty, Minecraft, and World of Warcraft as well as files related to iTunes. In other words: “all your files are belong to us”.
Instead of phishing attacks with attachments, the TeslaCrypt strain uses multiple exploit kits. An exploit kit (EK) is crimeware that gets sold on the dark web, and allows cyber gangs to infect legit websites. The workstation of the employee who clicks through to or visits that infected website gets exploited when it is not updated with the latest patches.
TeslaCrypt started out with the Angler EK, but recently also the Sweet Orange and Nuclear EKs. The Nuclear kit is used in a campaign right now. Employees that click on a link in a phishing email are being redirected to compromised WordPress sites that have this EK installed.
Brad Duncan, security researcher at Rackspace observed April 16th that in one case the kit successfully exploited a vulnerability in an out-of-date version of Flash player (188.8.131.52).
Once the workstation is infected, the delivered ransomware still uses the Cryptolocker branding. However, when the victim visits the payment site that instructs them on how to pay the ransom, it becomes obvious you are dealing with TeslaCrypt, which is the screen shot you see in our blog which has the links to the reports mentioned above as well:
The payment process is run through a website located in the TOR domain. Each instance of the ransomware has its own Bitcoin BTC address. The files are encrypted by using the AES cipher, and encrypted files gain the .ecc extension.
What To Do About It
• The rule “Patch Early, Patch Often” still applies, but these days, better to “Patch Now” all workstations for both OS fixes and popular third party apps that are part of your standard image rolled out to end-users. A product like Secunia can scan for all unpatched third party apps.
• Make sure your Backup/Restore procedures are in place. Regularly TEST, TEST, TEST if your restore function actually works. The latter is often overlooked.
• The TeslaCrypt strain uses social engineering to make a user click on a link in a phishing email (It does not use email attachments). Also, this type of ransomware can use malicious ads on legit websites to infect workstations. End users need to be stepped through effective security awareness training so that they are on their toes with security top of mind when they go through their email or browse the web.
Find out how affordable this is for your organization today. You will be pleasantly surprised.
A Serious Legal Liability: Bad or No Security Awareness Training
If you have trouble getting budget for employee security education, please read this article and then forward it to the head of your legal department and/or or the person in your organization who is responsible for compliance.
The Department of Health and Human Services has stated that bad or no security awareness training is a main cause for compliance failures. This is true for not only health care, but all kinds of industries like banking, finance, manufacturing, and surprisingly, high-tech.
It does not stop with mere compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. The problem is that to be “letter of the law” compliant, you only need to herd your users once a year into the break room, keep them awake with coffee and donuts, and give them a “death by PowerPoint” awareness update. However, ineffective security awareness training could turn out to be a serious legal liability.
Why? Cybercrime goes after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user to click on a link? So your end-user did not get effective awareness training and falls for the hacker trick. Their workstation gets infected with a keylogger, the hacker now knows their login and password, and with that penetrates your network.
Simply put: if it’s the Eastern European cyber-mafia, their focus is to transfer out money from your operating account over a long weekend. If it’s the Chinese, they will steal your intellectual property. If it’s independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites.
In all three cases you run the risk of a lawsuit:
• You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found out the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs’ site and search for Patco Construction, a nightmare scenario. Here it is:
• If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
• If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, a class action lawsuit is not far away. (This is the legal profession’s biggest growth industry) cialis pills online. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
See the trend here? Not scaling your training to a level that effectively mitigates the risk you are exposed to is a severe legal liability. We have a whitepaper called “Legal Compliance Through Security Awareness Training” written by KnowBe4 and Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC. He explains the concept of acting “Reasonably” or taking “Appropriate” or “Necessary” measures.
Reading this whitepaper will help you to prevent violating compliance laws or regulations. In it, there are some examples of the Massachusetts Data Security Law and HIPAA to explain what is required. I strongly recommend you download this whitepaper if you have not already: