Category Archives: Ransomware

The Chronicle of Ransomware – 26th May 2021

Preface: The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the ‘father of ransomware’). It was called the AIDS Trojan, also known as the PC Cyborg.

Synopsis: Perhaps mankind cannot imagine that, in our modern world, we are still affected by viral infection. The situation looks like a replay of the scene of 1346 – 1353 (the plague). The digital world is no different. In the past few weeks we have heard of ransomware wreaking havoc. As far as we know, ransomware did not only appear today: the CryptoLocker attack was found in 2013, but the public only began to focus on the subject with the “WannaCry” ransomware in 2017. Unlike crypto-ransomware (WannaCry), locker ransomware does not encrypt files. Instead it goes one step further and locks the victim out of their device.

What are the countermeasures after a ransomware attack?
– Change passwords for all end-users and privileged users.
– Change access keys for all service accounts.
– Enhance malware/ransomware protection on endpoints and servers.
– Enhance monitoring and logging to identify malicious activities.

The objective of this topic is for information only. Perhaps when you read the article below, posted in 2017, it will resonate with you.

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/

Aforementioned – Insurance company infected by ransomware – 25th May 2021

News feed: AXA Group announced on Sunday (16-05-2021) that the company had become a victim of a ransomware attack. AXA Hong Kong said there was no evidence that data processed by Inter Partners Asia in markets other than Thailand had been affected by the targeted ransomware attack. There has been no official announcement to date updating this incident.

Technology exploration: Avaddon ransomware performs encryption in offline mode, using AES-256 + RSA-2048 to encrypt files. Even with a 128-bit AES key, the task of cracking AES by checking each of the 2^128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. The Microsoft .NET cryptography library is capable of encrypting and decrypting files on its own.
The Windows 10 operating system ships with .NET Framework 4 installed and enabled by default, so a cybercriminal can make use of this library as well. For more details, please refer to the attached document.

What is the consequence if AXA underestimates this matter? Or is it just a bluff?

A similar type of attack (files encrypted with RSA-2048 and AES-128 keys) allows cyber-criminals to gain access through remote control systems. After the machine is infected with the ransomware, data exfiltration occurs. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs and scanned bank account papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IoT) was already in use, but for consumer product applications, not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructure.

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal is to provide a directive to computer users to reduce the possibility of a ransomware attack. Apart from the best practices, is there another way to enhance your current system infrastructure so as to guard against computer user negligence?

Solution 1: The technology known as clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation has concluded that if you were infected with TrickBot, a ransomware attack would follow soon.
Please refer to the attached diagram for the solution.

Headline news – Insurer AXA hit by ransomware (17th May 2021)

Preface: Perhaps we think that ransomware only looks at hard drive C:. But the truth is that other mapped drives like D:, E:, F: will be compromised as well.

Headline News: PARIS (Reuters) – French insurer Axa said on Sunday that one of its businesses in Asia was hit by a ransomware attack, adding that it was investigating after some data processed in Thailand was accessed, said Reuters News (May 16, 2021).

Possible attack scenario: A weakness may arise when setting up an SSL VPN. Perhaps we overlook the routing option. For instance, the SSL VPN routes only the target subnet; for the rest, it allows traffic to go directly to the internet.
For example: if a phishing email is encountered by a remote SSL VPN client and they click the link while the option (refer to the attached diagram) is not enabled, it will allow ransomware to do its dirty work.

Headline News: https://www.reuters.com/article/us-axa-cyber/axa-division-in-asia-hit-by-ransomware-cyber-attack-idUSKCN2CX0B0

Just heard Whirlpool hit in Nefilim ransomware attack (28th Dec 2020)

Preface: Do you have doubts? For example: the Mimikatz tool and PsExec.exe will be detected by antivirus. So how does ransomware disable antivirus?

Technical Reference: Malware can no longer disable Microsoft Defender via the Registry, so it is more difficult to evade the defense mechanism. But ransomware still causes great damage; it has wreaked havoc on the digital world.

The most common ransomware attack vectors are:

  • Remote desktop protocol (RDP).
  • Email phishing.
  • Software vulnerabilities.
  • Malicious code hidden on a website.
  • Malicious email links.

How does ransomware disable antivirus?

It depends on vulnerabilities in the operating system, software applications, etc. For more details, please refer to the attached diagram. In addition, hackers exploiting a vulnerability in a legitimate (.SYS) driver to gain kernel access is another way. As a result, the ransomware installs a legitimate driver and uses it to kill antivirus services.
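As an added defensive example (not code from the original post), the following Python triages Sysmon Event ID 6 driver-load records, the log source where a ransomware operator loading a signed but vulnerable driver would show up; the trusted-directory baseline and the sample records are assumptions constructed for this example.

```python
# Added example (not from the original post): heuristic triage of Sysmon
# Event ID 6 ("Driver loaded") records. A legitimate-but-vulnerable driver
# carries a valid signature, so the load path, not the signature, is the
# heuristic that usually fires. Sample records below are constructed.
from __future__ import annotations
from pathlib import PureWindowsPath

# Directories from which drivers are normally loaded (assumption: adjust to
# the environment's own baseline).
TRUSTED_DRIVER_DIRS = (
    r"C:\Windows\System32\drivers",
    r"C:\Windows\System32\DriverStore\FileRepository",
)

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 6 records
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\abcd1234.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Hardware Vendor"},
    {"ImageLoaded": r"C:\ProgramData\driver.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
]

def _in_trusted_dir(path: str) -> bool:
    """True if the driver file sits under one of the trusted directories."""
    parent = PureWindowsPath(path).parent  # Windows paths compare case-insensitively
    return any(parent == PureWindowsPath(d) or PureWindowsPath(d) in parent.parents
               for d in TRUSTED_DRIVER_DIRS)

def triage_driver_load(event: dict) -> list[str]:
    """Return the reasons this driver load deserves analyst attention."""
    reasons = []
    if not _in_trusted_dir(event["ImageLoaded"]):
        reasons.append("loaded from outside the standard driver directories")
    if event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons

def suspicious_driver_loads(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep only the events that produced at least one reason."""
    return [(e["ImageLoaded"], r) for e in events if (r := triage_driver_load(e))]

if __name__ == "__main__":
    for path, reasons in suspicious_driver_loads(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```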

Headline News: Home appliance giant Whirlpool hit in Nefilim ransomware attack – https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/

Ransomware attacks are raging recently. The victim firms include a famous watch manufacturer, a bank, health services, etc. (30th Sep 2020)

Background: Cyber attacks are commonly based on vulnerabilities and user negligence. Ransomware uses the same concept.

An example of ransomware today: the Conti and Ryuk code is similar. Conti uses a ransomware note template similar to Ryuk's, and it appeared to be deploying the same TrickBot infrastructure. When the attack campaigns send unsolicited emails, they use social engineering techniques to lower the user's awareness, so that the user downloads malware from malicious websites or is tricked into opening malware through an attachment. Security experts noticed that the Conti ransomware has multiple anti-analysis features to slow detection and reverse engineering. Their method uses VBA code that executes a multi-stage, highly obfuscated PowerShell script in an attempt to evade AV and security solutions. Ransomware is one of the most troublesome items among cyber attacks. Perhaps the guideline below can enrich your related knowledge.

CISA and MS-ISAC Release the Prevention Best Practices – https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Hong Kong Broadband Network customer staying alert! 17th Feb 2020

Synopsis: Threat actors hide their email phishing packages anywhere. As we commonly know, the footprint of email phishing scams is wide. But the domain blacklists and content filtering functions set up by antivirus and anti-malware vendors have reduced the infection ratio of malware and ransomware. It looks like similar ideas for hunting cyber victims are still valid. In my observation, attackers sometimes reuse their techniques. This time they store the trap on a social media website. I found that the scam activities which mimic the Hong Kong Broadband lucky draw online program have awakened again; I found similar activities yesterday (16th Feb 2020). Even in the VirusTotal repository, only one cybersecurity vendor has detected a similar record type, meaning they can escape your defense solution.

For more details, please refer to the announcement by HKBN in the past. https://www.hkbn.net/personal/dist/img/src/pdf/Warning-Against-Phishing-Website_en.pdf

About Emotet malware (2019)

Preface: Emotet malware was found in 2015, but it is still aggressive nowadays. This shows that it is a long-lived cyber attack product.

Details: The Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware is spreading rapidly. The Emotet malware is distributed mostly by means of phishing emails that contain either links to malicious sites or malicious attachments.
Emotet is a polymorphic design: it has a polymorphic engine that mutates different values and operations. From observation, it is now linked with ransomware.
The change in shape of Emotet more or less proves that its design is equivalent to a cyber weapon. It provides the functions for infiltration. Meanwhile, after finishing its mission, it can hand over to ransomware. Such a design can hinder forensic investigators conducting their validations.

For more details, please refer to the ACSC announcement. https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign

Not a famous fashion brand: Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months. Ryuk ransomware is linked to the Emotet and Trickbot banking trojans.
– Emotet acts as a dropper in order to deliver other Trojans.
– Trickbot targets the browser, using manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber criminals distribute Hermes ransomware via dangerous malspam containing weaponized, password-protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Service & backup kill
  • Installed language check:
    SYSTEM\CurrentControlSet\Control\Nls\Language\
    InstallLanguage
    0419 (Russian)
    0422 (Ukrainian)
    0423 (Belarusian)
  • ARP blacklist check
  • GetComputerName check
  • Process kill
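As an added detection example serving both the Conti description above (VBA launching multi-stage obfuscated PowerShell) and this Ryuk pre-operation list (volume shadow and backup kill), the following Python decodes PowerShell -EncodedCommand arguments and flags shadow-copy/backup deletion commands in process command lines; it is not code from the original posts or the NCSC advisory, and the patterns and sample command lines are assumptions constructed for this example.

```python
# Added example (not from the original posts): detection logic over process
# creation command lines, as logged by Sysmon Event ID 1 or Windows 4688.
# It decodes PowerShell -EncodedCommand payloads and flags shadow-copy /
# backup deletion in both the raw and the decoded text. Samples are constructed.
from __future__ import annotations
import base64
import re
import shlex

# Assumption: tune to your environment; legitimate admin tooling may run these.
BACKUP_KILL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)

SAMPLE_CMDLINES = [  # constructed process command lines
    r'"C:\Windows\System32\svchost.exe" -k netsvcs',
    r"vssadmin.exe Delete Shadows /All /Quiet",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode("vssadmin delete shadows /all /quiet".encode("utf-16-le")).decode(),
]

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the script behind a PowerShell -EncodedCommand, or None."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:  # PowerShell encodes the script as base64 of UTF-16LE
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(cmdline: str) -> list[str]:
    """Return the findings for one process command line."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("powershell -EncodedCommand")
    for text in (cmdline, decoded or ""):  # check raw and decoded forms
        if any(p.search(text) for p in BACKUP_KILL_PATTERNS):
            findings.append("shadow copy / backup deletion")
            break
    return findings
```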

Advisory report for download – https://www.ncsc.gov.uk/news/ryuk-advisory

US-CERT Ransomware Guidance – 2018

An article issued by US-CERT with the subject “Protecting Your Networks from Ransomware”. Its aim is to provide guidance to fight against ransomware. Before you read the article, there are a few slogans that can enhance your data protection framework. For instance:

1. Ransomware and Phishing Work Together

2. Those who frequently visit online gaming zones and pornography websites are more likely to encounter ransomware attacks.

In order to avoid similar cyber attacks, enhancing your awareness is the first priority. For more details, please refer to the URL below.

Protecting Your Networks from Ransomware:

https://www.us-cert.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf