Ransomworm: The Next Level of Cybersecurity Nastiness

Security experts expect 2017 to bring further, nastier innovations in ransomware.

By Ryan Francis
Managing Editor, CSO

As if holding your data hostage and seeking cash payment weren’t harsh enough, security experts foresee the next stage of ransomware to be even worse.

Scott Millis, CTO at mobile security company Cyber adAPT, expects ransomware to spin out of control in the year ahead. That is an astounding statement when you consider that there were already more than 4,000 ransomware attacks a day in 2016, according to Symantec’s Security Response group.

Corey Nachreiner, CTO at WatchGuard Technologies, predicts that 2017 will see the first ransomworm: ransomware that propagates itself across networks and so spreads even faster.

Crypto-ransomware encrypts the victim’s files and withholds the decryption key until the ransom is paid. Since CryptoLocker appeared in late 2013, crypto-ransomware has taken off. According to the FBI, cyber criminals used ransomware to extort more than $209 million from U.S. businesses in the first quarter of 2016 alone, and a recent Trend Micro report counted 172 percent more new ransomware families in the first half of 2016 than in all of 2015.

“In short, bad guys realize ransomware makes money, and you can expect them to double down in 2017,” Nachreiner says.

To make matters worse, Nachreiner expects cybercriminals to combine ransomware with a network worm. Worms such as Code Red (2001), SQL Slammer (2003) and, more recently, Conficker (2008) exploited remotely reachable vulnerabilities so that the malware copied itself from host to host with no user action at all.

“Now, imagine ransomware attached to a network worm. After infecting one victim, it would tirelessly copy itself to every computer on your local network it could reach,” he says. “Whether or not you want to imagine such a scenario, I guarantee that cyber criminals are already thinking about it.”

Nir Polak, Co-Founder & CEO of Exabeam, a provider of user and entity behavior analytics, agrees that ransomware will move from a one-time issue to a network infiltration problem like Nachreiner describes. “Ransomware is already big business for hackers, but ransomworms guarantee repeat business. They encrypt your files until you pay, and worse, they leave behind presents to make sure their troublesome ways live on,” says Polak.
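What a ransomworm would look like in telemetry is a host that suddenly opens SMB connections to many peers and, in the same short period, rewrites a burst of files. The following Python is an added example, not code from the article or from any vendor quoted in it; its log line format, thresholds and sample events are all constructed. It applies one sliding-window counter to both signals and reports the hosts where they coincide.

```python
"""Flag hosts that behave like a ransomworm in endpoint/network telemetry.

Added example for this page; not code from the article or from any vendor
quoted in it. The log line format, the thresholds and the sample events are
constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # lateral-movement ports a Windows-targeting worm would use


def parse(lines):
    """Split constructed telemetry into connection and file-write records.

    Constructed line formats:
      "<iso-timestamp> conn <src-ip> <dst-ip> <dst-port>"
      "<iso-timestamp> file <host-ip> <path written>"
    """
    conns, files = [], []
    for line in lines:
        ts, kind, host, rest = line.split(" ", 3)
        t = datetime.fromisoformat(ts)
        if kind == "conn":
            dst, port = rest.split(" ")
            conns.append((t, host, dst, int(port)))
        elif kind == "file":
            files.append((t, host, rest))
    return conns, files


def sliding_alerts(records, threshold, window):
    """Per-host sliding-window counter of distinct items.

    records: iterable of (timestamp, host, item). For each host, count the
    distinct items seen in the trailing `window` and report the first time
    that count reaches `threshold`. Returns {host: first_alert_time}.
    """
    per_host = defaultdict(deque)
    alerts = {}
    for t, host, item in sorted(records):
        q = per_host[host]
        q.append((t, item))
        while t - q[0][0] > window:
            q.popleft()
        if host not in alerts and len({i for _, i in q}) >= threshold:
            alerts[host] = t
    return alerts


def analyze(lines, fanout_threshold=8, fanout_window=timedelta(seconds=60),
            write_threshold=20, write_window=timedelta(seconds=30)):
    """Return SMB fan-out alerts, file-churn alerts and hosts showing both."""
    conns, files = parse(lines)
    smb = [(t, src, dst) for t, src, dst, port in conns if port in SMB_PORTS]
    fanout = sliding_alerts(smb, fanout_threshold, fanout_window)
    churn = sliding_alerts(files, write_threshold, write_window)
    # A host that both sprays SMB connections and rewrites many files in the
    # same short period is the ransomworm pattern the article describes.
    ransomworm = sorted(h for h in fanout if h in churn)
    return {"fanout": fanout, "file_churn": churn, "ransomworm": ransomworm}


def build_sample_log():
    """Constructed telemetry: 10.0.0.5 acts like a ransomworm, 10.0.0.7 is benign."""
    base = datetime(2017, 1, 5, 10, 0, 0)
    lines = []
    for i in range(16):  # SMB fan-out to 16 distinct peers within 30 s
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} conn 10.0.0.5 10.0.0.{10 + i} 445")
    for i in range(25):  # 25 files rewritten within 25 s
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} file 10.0.0.5 C:\\Users\\alice\\report {i}.docx.locked")
    lines.append(f"{base.isoformat()} conn 10.0.0.7 10.0.0.2 445")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} conn 10.0.0.7 10.0.0.3 445")
    lines.append(f"{base.isoformat()} file 10.0.0.7 C:\\Users\\bob\\notes.txt")
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for host in result["ransomworm"]:
        print(f"ransomworm candidate: {host} (SMB fan-out at "
              f"{result['fanout'][host]}, file churn at {result['file_churn'][host]})")
```

The thresholds are deliberately conservative placeholders: a file server or a backup agent will legitimately touch hundreds of files, and a vulnerability scanner will fan out over port 445, so in practice each signal is tuned per host role and only the conjunction is paged on.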


Earlier this year, Microsoft warned of ZCryptor, ransomware with worm behaviour that spreads by copying itself, together with an autorun.inf to launch it, onto every removable drive it finds. Plug an infected USB stick into a prospect’s laptop and you bring more than your presentation to the sales meeting; it is not the impression you want to make.

Alex Vaystikh, cybersecurity veteran and co-founder/CTO of advanced threat detection software provider SecBI, thinks along the same lines. He expects ransomware to get smarter and merge with information-stealing malware: the combined tool would first exfiltrate data and then encrypt selectively, either on demand or once its other goals have been achieved or found to be out of reach. Ransomware is already a fast way for a criminal to get paid, but stealing data before encrypting the device lets the attacker monetize the same victim twice.


“In this scenario, if the victim says, ‘You know what? I have backup files’ and refuses to pay for decryption, the hacker can threaten to leak it all. We hear of ransomware being used in sensitive environments like in hospitals, but so far there hasn’t been significant damage. However, if the malware had first exfiltrated patient information and then encrypted it, that could have been extremely damaging,” Vaystikh says.

Norman Guadagno, chief evangelist at Carbonite, says ransomware as a service (RaaS) will continue to gain a foothold. The RaaS business model is attractive because launching an attack takes minimal effort and money: no sophisticated tooling, no in-house expertise and no large bank account. All the customer needs is a mailing list of potential targets; the RaaS operator supplies everything else as a one-stop shop.

“Given the success these hackers have seen so far – a $1 billion business in 2016 alone – there’s no doubt RaaS will continue to gain traction. Fortunately, just as the cloud enables RaaS, it also enables safe cloud backup to protect against attacks,” he said.

Lucas Moody, CISO at Palo Alto Networks, says ransomware isn’t going away. Ever wonder what economic driver has led to the explosion of bitcoin ATMs in affluent U.S. neighborhoods? His hunch is that it is correlated with the number of ransomware infections hitting small businesses. Ransomware was a significant problem in 2016, and current trends suggest it will not slow down in 2017. Business resilience and recovery capabilities are the best defense against frequent trips to your local bitcoin ATM, he says.

Vaystikh also foresees the first ransomware aimed at cloud data centers. In 2017, ransomware will target databases, causing significant downtime. Few attackers currently hit corporate networks with ransomware; information-stealing malware is the preferred tool, he says.

“But what we might see in the coming year is ransomware targeting places where there is less chance of backup files being available. For example, I think we’ll see that SMBs who move their files to the cloud generally do not have backups and do not know how to recover. Specifically encrypting cloud-based data like this would have a significant impact on cloud providers and cloud infrastructures,” he says.

Harnessing Big Data is Life or Death for Your Business

By: Alan Gamzu

Successful companies in the 21st century revolve around superior customer service. But it’s not as human-oriented as it sounds. Consumer behavior is shifting to online shopping because of technological innovations. Entrepreneurial Insights estimates the expanse of the digital universe will be over 40 trillion gigabytes by 2020. Many companies gather personal and web data, but they do not know how to leverage the information in their disparate formats. Benchmark spreadsheets are business intelligence tools, and involve no underlying algorithm to process unstructured data or reveal insights into customer satisfaction.


10 FAQ About the Windows 10 Upgrade

Can I get an invitation?
Can I get an invitation to upgrade to Windows 10, when it’s ready? Where is the link? – Olga

If you are running Windows 7 or Windows 8, you should already have had an invitation to “reserve” a copy of Windows 10. If not, run Windows Update to see if any updates are available for your PC. The one you want is KB3035583. This puts a small white Windows logo – the GWX or Get Windows 10 app – in the system tray on the right hand side of the Taskbar. Alternatively, you should be able to find the invitation by going to Windows Update in the Control Panel (via System and Security).

If you are running Windows XP, Vista, or any other version of Windows then you will not get a free upgrade offer. However, you will be able to buy a copy for a maximum price of $119 (Windows 10 Home) or $199 (Windows 10 Pro).

It remains to be seen whether Microsoft will offer launch discounts to XP and Vista users. I wouldn’t bank on it. Such users have already ignored cheap upgrade deals for Windows 7 and 8, either of which would have got them Windows 10 free.

Can I cancel my reservation?
How do I cancel my acceptance to Windows 10 free? – mattyphyllis

To cancel your reservation, right-click on GWX, the white Windows icon on the Taskbar, select “Check your upgrade status” and then “Cancel reservation”.

Can I cancel and reapply?
Can I apply for a reservation and then cancel it? Then can I reapply for the reservation? – dragothunder wolf

Yes, but it’s better to leave it until you’re sure you want it, as long as you do that before July 29 next year. That’s when the free upgrade offer ends.

The point of “reserving” the upgrade is to allow Microsoft to download Windows 10 – probably 4GB or more – to your PC in the background over a period of time. It doesn’t want to download the code to 400m (or whatever) PCs on the same day. Indeed, even if you reserve Windows 10 now, you may not be invited to install it for days or weeks after the official launch on July 29.

Is my PC compatible?
Is there going to be a Windows 10 upgrade advisor? – Andrew S

There already is. Run the Get Windows 10 app, click the menu and select “Check your PC” or “Your PC is good to go”. This will warn of any compatibility problems that Microsoft has found, bearing in mind that there are millions of devices and tens of millions of Windows programs that Microsoft knows nothing about. (Anybody can write software for Windows without telling Microsoft.)

If you have any unusual hardware or software, hold off installing Windows 10 until the “early adopters” have found the major problems and Microsoft has had a chance to fix them.

How much memory do I need?
What is the recommended memory size for Windows 10? My Acer W7 laptop has 3GB fitted, and I use a further 4GB as ReadyBoost (which doesn’t seem to make much difference). – Robin

Microsoft reckons 32-bit Windows 10 will run in 1GB and the 64-bit version in 2GB. While this may be true, I’d recommend doubling each number, ie 2GB and 4GB. However, if you are running the 64-bit version of Windows 7 in 3GB, 64-bit Windows 10 should run slightly better. You need the 64-bit version to support more than 4GB.

ReadyBoost was an interesting idea but turned out to be not worth the effort.

Can I upgrade both my PCs?
I have a desktop PC and a laptop. Can I upgrade both for free? – Roy

Yes. It doesn’t matter if you have two or 20 PCs, or more. The free offer applies to every PC that is running a “genuine” copy of Windows 7 or 8, with a few exceptions. For example, the offer does not apply to corporate or education copies installed under some volume or site licensing deals. (Enterprises on Microsoft’s Software Assurance scheme get Windows 10 free anyway.)

Is it Windows 10 Home or Pro?
I have Windows 8.1 Pro. Will the free download be Home or Pro? – Tim

If you have a Home version, you will get Windows 10 Home, and if it’s a Pro version, you will get Windows 10 Pro. Microsoft always does like-for-like upgrades, where possible. However, there isn’t a Windows 10 Ultimate, so I believe people who bought Vista Ultimate (me!) or Windows 7 Ultimate (not me!) will be downgraded to Windows 10 Pro.

Can I go to 64-bit Windows 10?
Will I be able to go from 32-bit Windows 8.1 to 64-bit Windows 10? – John

Not directly. If you let Windows Update upgrade your system “in place”, it will always do it on a like-for-like basis: 32-bit to 32-bit; 64-bit to 64-bit. If you want to move from any 32-bit version of Windows to any 64-bit version, it always requires a “clean installation” from a DVD or USB drive or whatever. This will delete your old operating system, programs and data, so you will have to re-install everything from scratch.

From the preview versions, it looks as though Microsoft will at some point enable Windows 10 to import backups made using Windows 7’s backup program. But, frankly, I’d make a fresh start.

Can I downgrade later?
If I upgrade to Windows 10 and do not like it, will I be able to go back to Windows 7 or 8? millrambr82

Yes: Microsoft aims to enable you to “roll back” to your old operating system, if required, though the option is only offered for a limited period (30 days at launch) after the upgrade. However, I wouldn’t rely on this. In my view, it’s essential to back up your old system before installing a new one. You should also use the option to create “recovery media” with your old system, so that you’re not totally dependent on the “roll back” working.

You and you alone are responsible for preserving your own data.

How can I avoid Windows 10?
I most definitely DO NOT want to upgrade to Windows 10. How can I make sure this quasi-enforced upgrade does not happen? And how can I get rid of that nagging “reminder” on my Taskbar? – Dolores

Nobody is forcing you to get Windows 10. If you don’t want it, don’t reserve it or install it.

To remove the reminder, right-click on Start and select Properties. Next, go to the Taskbar tab, click the button that says “Customize …”, and find GWX, the Get Windows 10 app. The drop-down menu offers the option to “Hide icon and notifications”.

If you want to go further, run Windows Update and click “View update history” to see all the updates you have installed. Look for, or search for, KB3035583, select it, and then click to uninstall or change it. Windows will ask “Are you sure?” Just click “Yes”. Windows Update will offer KB3035583 again after you remove it, so when it reappears in the list of available updates, right-click it and choose “Hide update”. After that it will never bother you again … unless you re-install KB3035583.

Citrus Harvest Festival 2015


Come join us this year at the Citrus Harvest Festival!


Event Information
Date: Saturday, March 28, 2015
Event Time: 10 AM to 5 PM
Event Location: Highland Historic District
Booth Number: 64

Enter festival on Church Ave South.


Anthem: Non-customers may have been hit by hack


You don’t have to be a direct customer of Anthem to have been a victim of the company’s recent hack.

Anthem’s initial analysis indicates that about 78.8 million people may have been affected by the cyberattack, according to the company’s Anthem Facts page. That number refers to the volume of people whose data could have been viewed by the hackers but not necessarily stolen from the database.

Around 60 million to 70 million of those 78.8 million people are current or former Anthem members. The rest are non-members, specifically current and former members of other Blue Cross Blue Shield plans who used their insurance over the last 10 years in a state where Anthem operates. Doing the math, that means anywhere from 8.8 million to 18.8 million people who were not direct Anthem customers could have been affected by the attack.

“Because of the way Blue Cross and Blue Shield plans work, we process each other’s claims when they’re in states where we operate,” a spokesman for Anthem told CNET. “So if you work for Boeing and their plan is Blue Cross Blue Shield of Illinois, but they have employees in California, our California plan processes those claims, and those people were in the database also.”

On February 4, Anthem revealed that it had been the target of a massive cyberattack by hackers who broke into its servers and stole the personal information of as many as 80 million current and former members and employees. Anthem CEO Joseph Swedish said the attack compromised names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information. But he said he found no evidence that any credit card or medical records had been exposed.

Anthem has promised to individually contact every person whose information was stolen and to provide free credit monitoring services. But the company has been criticized by the attorneys general in several states for not acting fast enough to inform individual users. A letter sent to the insurance provider on behalf of ten attorneys general said “few follow-up details have been made available, and none at all about how individuals can sign up for the protections Anthem will provide them.” The letter expressed “alarm” at Anthem’s failure thus far to follow up with customers impacted by the hack.

Anthem said it will start sending letters next week to all those affected by the hack and will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection, Reuters noted. The company continues to work with federal and state law enforcement to investigate the hack and said it believes tens of millions of customers records were stolen and not simply accessed.

The data breach and the resulting financial consequences could reportedly surpass $100 million. Anthem’s own cyberinsurance policy covers losses of up to $100 million. However, the cost of informing more than 80 million people may extend beyond that amount.

CTB-Locker Ransomware Variant Being Distributed in Spam Campaign


A variant of Curve-Tor-Bitcoin (CTB) Locker ransomware – also known as Critroni – being distributed in a spam campaign gives victims more time to pay the ransom, but also demands a great deal more than earlier versions did, according to the latest research by Trend Micro. The name spells out the malware’s building blocks: elliptic-curve cryptography for the file keys, Tor for reaching its command-and-control servers, and Bitcoin for payment.

The variant observed by Trend Micro gives victims 96 hours to pay three Bitcoins – nearly $700, as of Friday – before, the attackers claim, the files can no longer be decrypted, according to a Wednesday post. In July 2014, versions of CTB-Locker were observed giving victims 72 hours to make a payment that was typically less than one Bitcoin.

Trend Micro has observed this CTB-Locker variant being distributed through spam, and some samples were sent by systems that are part of the Cutwail botnet, the post indicates. It goes on to state that the ransomware is predominantly affecting users in Europe, the Middle East and Africa (EMEA), China, Latin America and India.

In a Thursday email correspondence, Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com that while he could not confirm conclusively, a Wednesday post by ESET appears to address the same threat.

In that post, spam is also how CTB-Locker is being distributed, but victims are required to pay a ransom of 8 Bitcoins – or more than $1,800, as of Friday – within 96 hours. ESET listed Poland, Czech Republic and Mexico as the most impacted countries, with the U.S. making up five percent of total infections.

Kafeine first wrote about CTB-Locker in July, and the researcher updated his post in August to report that CTB-Locker has a test decryption feature, which gives victims the opportunity to decrypt up to five files of their choosing.

Trend Micro and ESET both indicated that the feature is still available.

“We can only speculate on the criminals’ thinking for this feature, but ultimately changes in tactics are meant to maximize their return,” Budd said. “We can only conclude that they view this sample decryption as increasing the likelihood someone affected will pay. It can best be thought of as a “proof of life” step in real life hostage situations.”

A new feature to this variant is a language option that allows victims to view the ransom messages in English, Italian, German and Dutch, according to a Wednesday post.

“I wouldn’t say [the attackers have] elevated their game as much as are continuing to refine their tactics in order to maximize their returns,” Budd said.

A Wednesday McAfee Labs post also appears to address CTB-Locker, but Budd said it is “hard to say” if it is the same threat.

“The best thing people can do regarding ransomware is prevent infections in the first place,” Budd said. “Running modern security packages and not opening unknown or unexpected attachments can best protect against ransomware infections.”

US government warns iOS users their devices may be in danger


Apple iOS "Masque Attack" Technique

Apple customers are being warned by computer security experts, including the United States government’s own cyber squad, to watch out for a newly described weakness affecting iOS devices such as the iPhone and iPad.

Systems Affected
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.
This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

An app installed on an iOS device using this technique may:
• Mimic the original app’s login interface to steal the victim’s login credentials.
• Access sensitive data from local data caches.
• Perform background monitoring of the user’s device.
• Gain root privileges to the iOS device.
• Be indistinguishable from a genuine app.

iOS users can protect themselves from Masque Attacks by following three steps:
1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
2. Don’t click “Install” from a third-party pop-up when viewing a web page.
3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.
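Because iOS at the affected versions keys on the bundle identifier rather than on the signing identity, the check an enterprise can run is the one iOS does not: compare each installed app’s signing Team ID against the publisher you expect for that bundle identifier. The Python below is an added example, not FireEye’s or US-CERT’s code. It scans an MDM-style inventory export for tracked bundle identifiers signed by the wrong team, and also shows that CFBundleIdentifier is just a string in the app’s Info.plist, which is why the identifier alone cannot establish who published an app. The CSV layout, bundle identifiers and Team IDs are all constructed.

```python
"""Check an iOS app inventory for Masque-style bundle-identifier collisions.

Added example for this page; not FireEye's or US-CERT's code. The MDM export
format, the publisher allowlist and the Team IDs are constructed.
"""
import csv
import io
import plistlib

# Constructed allowlist: bundle identifier -> Apple Team ID of the legitimate
# publisher (hypothetical values; populate from your real app catalogue).
KNOWN_PUBLISHERS = {
    "com.example.bank": "ABCDE12345",
    "com.example.mail": "FGHIJ67890",
}

# Constructed MDM export: one installed app per row. `source` is how the app
# reached the device (appstore or enterprise provisioning).
INVENTORY_CSV = """device,bundle_id,team_id,source
iphone-01,com.example.bank,ABCDE12345,appstore
iphone-02,com.example.bank,ZZZZZ99999,enterprise
iphone-03,com.example.mail,FGHIJ67890,appstore
iphone-04,com.example.mail,FGHIJ67890,enterprise
iphone-04,com.example.todo,KLMNO11111,enterprise
"""


def bundle_identifier(info_plist):
    """Return CFBundleIdentifier from an Info.plist (bytes, XML or binary).

    Anyone building an app chooses this value, so it identifies the app's
    name, not its publisher.
    """
    return plistlib.loads(info_plist).get("CFBundleIdentifier")


def find_masqueraded_apps(csv_text, known=KNOWN_PUBLISHERS):
    """Flag tracked bundle ids signed by a Team ID other than the publisher's
    ("replaced": the Masque pattern), and copies signed by the right team but
    installed outside the App Store ("review": possibly a legitimate beta)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        expected = known.get(row["bundle_id"])
        if expected is None:
            continue  # not an app we track; nothing to compare against
        if row["team_id"] != expected:
            findings.append((row["device"], row["bundle_id"], "replaced", row["team_id"]))
        elif row["source"] != "appstore":
            findings.append((row["device"], row["bundle_id"], "review", row["team_id"]))
    return findings


# Constructed Info.plist of an attacker's app that reuses the bank's bundle id.
ATTACKER_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.bank",
    "CFBundleDisplayName": "Bank",
})

if __name__ == "__main__":
    print("attacker app claims bundle id:", bundle_identifier(ATTACKER_INFO_PLIST))
    for device, bid, verdict, team in find_masqueraded_apps(INVENTORY_CSV):
        print(f"{device}: {bid} signed by {team} -> {verdict}")
```

A “replaced” hit is the device to pull and image first: the rogue app has inherited the genuine app’s local data directory, so whatever that app cached is already in the attacker’s hands.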

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.