Disaster Recovery

Protecting our customers: A look into how Cisco’s Meraki MX prevents Ransomware like WannaCry

The WannaCry Ransomware outbreak started hitting the headlines around the world on May 12th. This is just the latest in a particularly pernicious type of exploit, which typically involves locking or encrypting data to render a computer unusable, and then demanding a ransom to have that encryption removed. Sadly, many victims have felt compelled to pay up, even when there is no guarantee their system will recover, which only encourages criminals to repeat their behavior.

Exploits of this nature are entirely indiscriminate in the way they target their victims, seeking out any unpatched machine or unwary user. Unfortunately this means that even systems crucial to protecting lives can be affected, as was the case with WannaCry. The ransomware hit, among many others, the UK’s National Health Service, causing severe disruption to vital services. This was not the first attack of this kind, and we can be sure it won’t be the last.

This attack serves as a reminder of the importance of keeping our computer systems patched, but human nature being what it is, there will always be systems vulnerable to attack. So what else can we do to protect ourselves? Fortunately, Cisco invests heavily in security technology and boasts the industry’s foremost threat intelligence organization, Talos.

Among the tools maintained by Talos is Snort, the industry leading intrusion detection and prevention technology, which is integrated into every Meraki MX. Snort performs real-time traffic analysis and packet logging in order to identify traffic patterns that match known threats. The good news for Meraki MX customers is that if they have Intrusion Prevention enabled and set to the ‘security’ ruleset on the Threat Protection page, the signatures for WannaCry are already in place, having already been added to the Snort database. For this outbreak we’ve taken the additional measure of adding them to the ‘balanced’ ruleset as well, to protect a broader set of customers against this threat.

We’re proud of our integration of critical Cisco security technologies like Snort and Advanced Malware Protection into our MX platform, ensuring that customers who choose Meraki enjoy world-class protection for their valuable network assets.

Hackers who infected 200,000 machines have only made $50,000 worth of bitcoin, Bitcoin for ransomware definitely complicates the disaster recovery process!

As is indicated in the article below, titled "Hackers who infected 200,000 machines have only made $50,000 worth of bitcoin", Bitcoin for ransomware definitely complicates the disaster recovery process! It takes time to get educated on Bitcoin and to learn how and where to obtain it. It can sometimes take more than 2 days just to get verified to be able to purchase a few hundred dollars in Bitcoin, which quite often is not enough to meet the ransom required to decrypt the files. We, at Innovativ IT, have helped multiple local companies in Houston purchase Bitcoin through third parties in order to meet the ransom and get their data back. Contact Innovativ IT to purchase large quantities of Bitcoin quickly. We have over 2 years of Bitcoin experience for ransomware recovery.

Hackers who locked files on 200,000 computers globally and asked for a bitcoin ransom payment to unlock them have only made around $50,000, an industry source told CNBC, despite the large scale of the attack.

On Friday, a virus known as WannaCry infected machines across 150 countries. It’s known as ransomware which is a malicious piece of software that encrypts a user’s files then demands them pay money to unlock them. In this case, the hackers asked for $300 worth of bitcoin.

James Smith, CEO of Elliptic, a London-based start-up that helps law enforcement agencies track criminals using the cryptocurrency, said his company had uncovered that since Friday, around $50,000 worth of bitcoin payments have been made to the hackers by 7 a.m. ET on Monday. This was up from $45,000 at 4 a.m. ET.

“We have seen the number of payments start to go up today,” Smith told CNBC Monday.

After 72 hours from when the attack started on Friday, the hackers said the fine would double to $600, and after seven days, the files would be permanently locked.

“We think over the course of today as we approach the first deadline where fines double we will see a bigger increase (in bitcoin payments),” Smith added.

The amount paid so far is still a small amount despite the global nature and scale of the attack. Security experts and government agencies have been urging people not to pay the ransom.

Why payments have been slow

One of the major reasons for the slow payments is perhaps because many people wouldn’t know how to obtain and pay in bitcoin.

“If a business is told it needs to pay this amount of bitcoin, most companies will be asking what bitcoin is … it’s not straightforward,” Smith explained.

Obtaining large amounts of the cryptocurrency might take some time, and then setting up an account via a bitcoin wallet and exchange would also require a long onboarding process.

At the same time, researchers have seen no evidence that paying the cybercriminals necessarily unlocks your files.

“The decryption process itself is problematic, to say the least,” cybersecurity firm Check Point said in a blog post on Sunday.

“Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware … generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then … wait.”

Tracing bitcoin

Hackers who deploy ransomware often ask for payments in bitcoin as it is often believed to be completely anonymous. But law enforcement agencies, working with companies like Elliptic, have figured out ways to trace this.

It traces so-called bitcoin addresses back to people. These addresses are required to make payments to other people or organizations. At the moment, Elliptic is working on trying to trace the payments, but Smith said this would become clearer when the hackers try to withdraw their bitcoin in fiat currency.

“The attackers haven’t moved it. In previous cases we have been able to work with law enforcement to see where the funds move because ultimately the attacker wants to turn it back into a currency they want to spend,” Smith explained.

Ransomware cyber-attack threat escalating – Europol

Friday’s cyber-attack has affected more than 200,000 victims in 150 countries, Europol chief Rob Wainwright says.

He told the BBC the act was “unprecedented in its scale” and warned more people could find themselves affected on Monday morning.

The virus took control of users’ files, demanding payments; Russia and the UK were among the worst-hit countries.

Experts say another attack could be imminent and have warned people to ensure their security is up to date.

Mr Wainwright said that the ransomware – software that blocks access to data until a ransom is paid – was combined with a worm application – a program that replicates itself in order to spread to other computers.

This, he said, was allowing the “infection of one computer to quickly spread across the networks”.

He added: “That’s why we’re seeing these numbers increasing all the time.”

‘Patch before Monday’

Although a temporary fix earlier slowed the infection rate, the attackers had now released a new version of the ransomware, he said.

Companies need to make sure they have updated their systems and “patched where they should” before staff arrived for work on Monday morning, the EU law enforcement agency head said.

In England, 48 National Health Service (NHS) trusts reported problems at hospitals, GP surgeries or pharmacies, and 13 NHS organisations in Scotland were also affected.

[Video: Firms must patch their systems before Monday morning, Europol chief warns]

What occurred was an “indiscriminate attack across the world on multiple industries and services”, Mr Wainwright said, including Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia’s interior ministry.

However, he said that so far “remarkably” few payments had been made by victims of the attack.

BBC analysis of three accounts linked with the global attack suggests the hackers have been paid the equivalent of £22,080.

The Europol chief said his agency was working with the US Federal Bureau of Investigation to find those responsible, and that more than one person was likely to be involved.

The virus exploits a vulnerability in Microsoft Windows software, first identified by the US National Security Agency, experts have said.

After taking computers over, it displayed messages demanding a payment of $300 (£230) in virtual currency Bitcoin to unlock files and return them to the user.

Microsoft released security updates last month to address the vulnerability, with another patch released on Friday.

The UK security researcher known as “MalwareTech”, who helped to limit the ransomware attack, predicted “another one coming… quite likely on Monday”.

MalwareTech, who wants to remain anonymous, was hailed as an “accidental hero” after registering a domain name to track the spread of the virus, which actually ended up halting it.

The 22-year-old told the BBC it was very important for people to patch their systems as soon as possible.

Massive ransomware infection hits computers in 99 countries

[Image (copyright Webroot): The ransomware has been identified as WannaCry – here shown in a safe environment on a security researcher’s computer]

A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organisations around the world.

Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world.

There are reports of infections in 99 countries, including Russia and China.

Among the worst hit was the National Health Service (NHS) in England and Scotland.

The BBC understands about 40 NHS organisations and some medical practices were hit, with operations and appointments cancelled.

[Video: NHS cyber attack: “My heart surgery was cancelled”]

How did the cyber-attack unfold?

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.

NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.

Throughout the day other, mainly European, countries reported infections.

Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.

Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.

In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers.

People tweeted photos of affected computers including a local railway ticket machine in Germany and a university computer lab in Italy.

France’s car-maker Renault, Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected.

China has not officially commented on any attacks it may have suffered, but comments on social media said a university computer lab had been compromised.

Coincidentally, finance ministers from the Group of Seven wealthiest countries have been meeting in Italy to discuss the threat of cyber-attacks on the global financial system.

They are expected to release a statement later in which they pledge greater co-operation in the fight against cyber-crime, including spotting potential vulnerabilities and assessing security measures.

How does the malware work and who is behind it?

The infections seem to be deployed via a worm – a program that spreads by itself between computers.

Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.

By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.

Some experts say the attack may have been built to exploit a weakness in Microsoft systems that had been identified by the NSA and given the name EternalBlue.

The NSA tools were stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.

At the time, some cyber-security experts said some of the malware was real, but old.

A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.

Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such as Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.

The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.

He was quoted as saying he noticed the web address the virus was searching for had not been registered – and when he registered it, the virus appeared to stop spreading.

But he warned this was a temporary fix, and urged computer users to “patch your systems ASAP”.


Why do companies still use Windows XP? By Chris Foxx, technology reporter

Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs – so they build their own.

For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.

Developing niche but useful software like this can be very expensive – the programming, testing, maintenance and continued development all adds up.

Then along comes a new version of Windows, and the software isn’t compatible. Companies then face the cost of upgrading computers and operating system licenses, as well as the cost of rebuilding their software from scratch.

So, some choose to keep running the old version of Windows instead. For some companies, that is not a huge risk. In a hospital, the stakes are higher.

New Sinister Ransomware On The Loose

This new ransomware, known as Popcorn Time, will decrypt your files if you forward the link to the ransomware to your contacts and two or more of them pay the ransom of two bitcoins, which cost more than $700 each.

To prevent being a victim of ransomware, it is imperative that you have the essential layers in place to protect your computers and data. The essentials are a working backup solution of all of your critical data from all PCs (laptops, desktops and servers), top of the line Anti-virus software running on all PCs, a good and properly configured firewall, good SPAM and Email security software, and general awareness of users (don’t click on links that look suspicious).

For more information, read:

Author: Lily Hay Newman, www.wired.com

DEVIOUS RANSOMWARE FREES YOU IF YOU INFECT TWO OTHER PEOPLE

A PARTICULARLY NASTY malware that holds your data hostage until you pay up—just got more pernicious with a version that lets you sell out your friends instead of handing over your cash.

The diabolical software Popcorn Time, which is not at all affiliated with the Popcorn Time piracy app, shakes victims down like any other ransomware. If you can’t afford the one bitcoin payout or you’re feeling especially spiteful, you can share a link to download Popcorn Time in an attempt to infect others. If two of your victims pay up, the attackers give you the key to decrypt your data. It’s a bit like the movie It Follows, but for malware instead of killing.

MalwareHunter, a hacker with the MalwareHunterTeam research group, recently discovered Popcorn Time. It resembles any other malware in terms of infecting a computer, encrypting its drive, and locking you out. The social aspect is what makes it novel. It’s like sharing a referral code for cheap takeout or a free Uber ride. “The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” says Kevin Butler, a cybersecurity and malware propagation researcher at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”

Hackers regularly get creative with ransomware, offering things like support desks where victims can negotiate their ransom. Popcorn Time goes further by tapping into eat-or-be-eaten instincts. It’s fascinating in its psychological gamesmanship, and indicative of experimentation in an already disruptive field. “The bad guys are making a lot of money and they’re going to make a lot more money. A certain percentage of those funds are going to go into research and development for them to try new things,” says Jeremiah Grossman, chief of security strategy at cybersecurity defense firm SentinelOne. “The bad guys are innovating.”

There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. “It is still not perfect, but it’s getting better,” MalwareHunter says. “Infect more to get free key is already unique thing. This system is something you not see every day.”

It also remains to be seen how wide Popcorn Time spreads. “No one really knows if the mechanism is going to have any meaningful impact,” Grossman says. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”

Still, ransomware tends to cluster in families and strains that share similar attributes. Even if Popcorn Time isn’t a viral hit, hackers could study its successes and failures to make their own variations more effective. Your best bet? Avoid getting hit in the first place. Regardless of whether Popcorn Time spreads like a virus, there’s no reason to be patient zero.

One Billion Yahoo Accounts Hacked

If you’re using Yahoo for Email, you should stop ASAP, especially if you’re using Yahoo Email for business Email. Yahoo’s Email has proven to not be secure, and it’s also a lousy Email platform.

If you must maintain the Email address, we recommend that you set up forwarding of your Yahoo mail to a new Email address at your company’s domain (i.e. @sony.com, @amex.com, etc.). If you don’t have your company’s domain name set up, along with Email services for your company’s domain, we at Innovativ IT can get you going in no time. Using @yahoo or @gmail for your business Email is missing a branding opportunity, and makes your company look small and unprofessional.

If you choose to continue to keep your Yahoo Email account alive and functional, then we recommend you follow these guidelines to keep your account secure:

By Lucian Constantin
Romania Correspondent, IDG News Service | Dec 15, 2016 6:46 AM PT
via: www.pcworld.com

1. Don’t save emails you don’t need

Because space is no longer a problem with most email services, users tend to never delete emails. While that’s extremely convenient, it’s not a very good idea, because it allows hackers to easily discover what other online accounts are tied to that address by searching for sign-up or notification emails from various online service providers.

Aside from exposing the link between your email address and accounts on other websites, sign-up and notification emails can also expose specific account names that you’ve chosen and are different from the email address.

You might want to consider cleaning your mailbox of welcome emails, password reset notifications and other such communications. Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

2. Check your email forwarding and reply-to settings

Email forwarding is one of those “set it and forget it” features. The option is buried somewhere in the email account settings and if it’s turned on there’s little to no indication that it’s active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices or IP addresses.

Another technique that attackers might use to get a copy of your emails is to change the reply-to address in your email settings, although this is noisier and can be spotted more easily than a forwarding rule.

The reply-to field is included in every email message that you send and allows the recipient’s email client to automatically populate the To field with an address you chose when they hit reply. If a hacker changes the reply-to value to an address that he controls, he will receive all email replies intended for you, and these typically include the original emails that you sent.

In order to ensure that you also get those replies, the attacker can set up a forwarding rule in their own email account and automatically forward those replies to your address.
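The two persistence tricks described in points 2 above (a silent forwarding rule and a changed reply-to address) can be caught with a periodic audit of mailbox settings. The following script is an added example, not part of the original article or of any vendor's tooling: it takes a mailbox settings record in a constructed, hypothetical JSON-like shape (the `address`, `reply_to` and `forwarding_rules` keys are assumptions, not a real provider's API) and flags any forward or reply-to that leaves the organisation's trusted domains.

```python
import re
from dataclasses import dataclass

# Matches "Name <user@example.com>" or a bare "user@example.com".
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+?)>?\s*$")


def extract_address(value):
    """Return the lower-cased bare address from a display-name string, or None."""
    m = ADDR_RE.search(value.strip())
    return m.group(1).lower() if m else None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    rule: str       # rule name, or "reply-to"
    detail: str


def audit_mailbox(settings, trusted_domains):
    """Flag forwarding rules and reply-to addresses that point outside trusted domains.

    `settings` is a hypothetical mailbox record (constructed shape, see lead-in).
    """
    findings = []
    trusted = {d.lower() for d in trusted_domains}
    owner = extract_address(settings["address"])

    # A changed reply-to diverts every reply you receive; treat a mismatch with
    # the mailbox address as suspicious even when it stays inside a trusted domain.
    reply_to = settings.get("reply_to")
    if reply_to:
        target = extract_address(reply_to)
        if target != owner:
            findings.append(Finding("medium", "reply-to",
                                    f"reply-to set to {target}, mailbox is {owner}"))

    # Forwarding rules: any copy sent outside the organisation is a data leak,
    # and a rule that does not keep a copy also hides the mail from the owner.
    for rule in settings.get("forwarding_rules", []):
        name = rule.get("name", "<unnamed>")
        target = extract_address(rule.get("forward_to", ""))
        if target is None:
            findings.append(Finding("high", name, "forward target could not be parsed"))
            continue
        if domain_of(target) not in trusted:
            copy = "keeps a copy" if rule.get("keep_copy", True) else "deletes the original"
            findings.append(Finding("high", name,
                                    f"forwards to external address {target} ({copy})"))
    return findings


# Constructed sample record: one legitimate internal forward, one external copy
# rule, one external rule that hides the original, and a changed reply-to.
SAMPLE_SETTINGS = {
    "address": "alice@example.com",
    "reply_to": "Alice <alice.backup@mail-example.net>",
    "forwarding_rules": [
        {"name": "Keep copy at work", "forward_to": "alice@corp.example.com", "keep_copy": True},
        {"name": "Rule 1", "forward_to": "collector@example.org", "keep_copy": True},
        {"name": ".", "forward_to": "x@evil-example.net", "keep_copy": False},
    ],
}
TRUSTED_DOMAINS = ["example.com", "corp.example.com"]


if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_SETTINGS, TRUSTED_DOMAINS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample record the audit reports three findings (the reply-to change and the two external forwarding rules) and stays silent on the internal forward. Run it against an export of each mailbox's rules on a schedule, and treat a rule with a near-empty name such as "." as the kind of thing an intruder leaves behind.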

3. Two-factor authentication everywhere

Turn on two-factor authentication—this is sometimes called two-step verification—for any account that supports it, including Yahoo. This will prompt the online service to ask for a one-time-use code sent via text message, phone call, email or generated by a smartphone app when you try to access the account from a new device. This code is required in addition to your regular password, but Yahoo also has a feature called Account Key that does away with regular passwords completely and instead requires sign-in approval via phone notifications.

Two-factor authentication is an important security feature that could keep your account secure even if hackers steal your password.
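The "code generated by a smartphone app" mentioned above is almost always a time-based one-time password (TOTP, RFC 6238), built on HOTP (RFC 4226): the app and the service share a secret, and both derive a short code from an HMAC over the current 30-second time step. The verifier below is an added example written for this article, not Yahoo's implementation or any library's code; it shows the derivation, a one-step tolerance window for clock drift, and a guard against accepting the same code twice. The test values come from the RFC 4226/6238 appendices (ASCII secret `12345678901234567890`).

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text):
    """Decode the Base32 secret shown in an authenticator app's enrolment QR code."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with a drift window and replay protection."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = None  # highest time step already accepted

    def verify(self, code, at_time=None):
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            # Never accept a step at or before one already used: a stolen code
            # is worthless once the legitimate login has consumed its step.
            if self._last_counter is not None and candidate <= self._last_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self._last_counter = candidate
                return True
        return False


# RFC test secret, as an app would receive it in Base32 (constructed enrolment string).
TEST_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("current code:", totp(TEST_SECRET, time.time()))
```

The replay guard is the part that most home-grown verifiers omit: without it, anyone who shoulder-surfs or phishes a code has the full 30 seconds (plus the drift window) to reuse it. Per-user `_last_counter` state must of course live in the account record rather than in memory when this runs behind more than one server.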

4. Never reuse passwords

There are many secure password management solutions available today that work across different platforms. There’s really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

According to Yahoo, this breach happened in August 2013, at a time when the company hadn’t yet switched to the more secure bcrypt password hashing algorithm. As a result, most passwords that were stolen are in the form of MD5 hashes, which are highly vulnerable to cracking.

If you made the mistake of using your Yahoo password elsewhere and haven’t changed it yet, you should do so immediately and review the security settings of those accounts too. It’s very likely that hackers have already cracked your password and had three years to abuse it.
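The point about MD5 versus bcrypt above is worth seeing concretely: an unsalted MD5 hash is fast to compute and identical for every user who picked the same password, so one cracked hash unlocks every account sharing it. The code below is an added example, not Yahoo's code or any library's; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (an assumption made so the example runs without third-party packages) and shows the usual migration pattern: keep verifying legacy hashes, and re-hash a user's password with a salted, slow scheme the next time they log in successfully.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000          # tuned so a single check costs tens of milliseconds
SCHEME_PREFIX = "pbkdf2_sha256$"  # hypothetical storage tag for upgraded hashes


def legacy_md5(password: str) -> str:
    """The weak pre-2013 format: unsalted MD5, 32 hex characters."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A fresh random salt makes equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{SCHEME_PREFIX}{PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    return not stored.startswith(SCHEME_PREFIX)


def verify_password(stored: str, password: str) -> bool:
    """Verify against either format; constant-time comparison in both branches."""
    if not is_legacy(stored):
        _, rounds, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_md5(password), stored)


def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, silently replace a legacy hash with the salted one."""
    stored = users.get(username)
    if stored is None or not verify_password(stored, password):
        return False
    if is_legacy(stored):
        users[username] = hash_password(password)
    return True


# Constructed user table: two users who chose the same weak password before the
# migration. Their MD5 hashes are identical, which is exactly the problem.
USERS = {
    "alice": legacy_md5("password"),
    "bob": legacy_md5("password"),
}

if __name__ == "__main__":
    print("alice and bob share a hash:", USERS["alice"] == USERS["bob"])
    login_and_upgrade(USERS, "alice", "password")
    print("alice now stored as:", USERS["alice"][:40], "...")
    print("bob still legacy:", is_legacy(USERS["bob"]))
```

After the upgrade, alice's record no longer matches bob's even though the password is the same, and a second upgrade of the same password would produce yet another distinct string because of the fresh salt. Accounts that never log in again keep their legacy hash, which is why a breach notice like Yahoo's should be paired with a forced reset for every account still in the old format.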

5. Phishing follows breaches

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents. These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools or can direct users to websites that ask for additional information under the guise of “verifying” accounts.

Be on the lookout for such emails and make sure that any instructions you decide to follow in response to a security incident came from the affected service provider or a trusted source. Official Yahoo emails are easily recognizable in the Yahoo Mail interface because they are marked with a purple Y icon.

In the future, be selective in what personal information you choose to share and which websites you choose to share it with, even when those websites are legitimate. There’s no guarantee that they won’t be hacked in the future and you simply don’t know how securely they store your details.

In Yahoo’s case, the compromised account information includes names, email addresses, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. These details can be used to impersonate you or to authenticate you on other websites.

Don’t provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn’t even recommend using security questions anymore, so you can go into your account’s security settings and delete them.

Ransomware is Big Business and How You Can Prevent Being Attacked

Ransomware in Houston, as well as nationwide, is continuing to grow. The prevention of ransomware requires that best practices are strictly followed when it comes to IT security. IT security is proving to be an imperative for companies if they want to prevent costly ransomware attacks, which may cause some SMBs to go out of business.

The minimum best practices when it comes to Ransomware prevention include: reliable server backups, anti-virus for all computers, quality SPAM filtering, properly configured firewalls, proper patch management (regular server patching and workstation patching), training of staff to not open email attachments (phishing is the number 1 way that ransomware spreads), and utilizing OpenDNS to prevent infected computers from phoning home.

According to a recent study by the FBI, “ransomware is on pace to become a billion-dollar annual crime”. Two weeks ago, the third-largest electric and water utility in Michigan shut down all its corporate IT systems while it attempted to clean up after a ransomware attack. The Lansing Board of Water & Light (Lansing BWL) announced last Monday, 25 April, that it was hit by ransomware after a phishing attack.

Ransomware has hit small companies and big companies alike. The common thread for the outages is that the organizations affected did not have good IT security in place on all of their IT assets. Human error is always a factor in Ransomware cases, which is why the layered IT security stack must be in place to prevent these costly attacks.

Sources: http://www.breitbart.com/tech/2016/05/03/fbi-warns-ransomware-rise/ , https://nakedsecurity.sophos.com/2016/05/04/electric-utility-hit-by-ransomware-shuts-down-it-systems-for-a-week/

Ransomware is No Joke!

Ransomware is no joke, especially when it comes to Cryptolocker and Cryptowall. These menacing malware programs not only encrypt files on the infected PC, but will also encrypt on network drives mapped to servers. We’ve seen cases where more than 100,000 documents were encrypted.

It is imperative that all PCs on the network are protected with a quality anti-virus solution. It is equally important that there are frequent and reliable backups being made of the data, ideally real-time replication of the data to the cloud.

It really is vicious stuff, and mafia-like in its shrewdness. The truth of the matter, though, is that the decrypt process seems to work, as long as a list of provisions is met (reliable power for all infected systems, reliable LAN connectivity, reliable internet connectivity, etc.). Paying these heartless bastards is painful, but it often works when there’s no other option for getting the data back.

For more technical details on Cryptolocker, visit this Symantec URL:
https://www.symantec.com/security_response/writeup.jsp?docid=2015-030201-5710-99&tabid=2

Submitted by Tom Duke, CEO at Innovativ IT Services (Feb, 2015)

Houston! Protect your computers from a thunderstorm! Flood Fire Surge Oh My!

Still afraid of thunder and lightning? Your IT systems aren’t, but that’s because they have no feelings.

They are, however, dependent on their owners and managers to keep them protected and up 24×7. Sure, we’ve all had our PCs reboot due to a brief outage of power; we’ve also experienced internet outages during extreme weather. What do you have in place to keep your computers and critical systems protected from bad weather? Do you have a disaster recovery plan in place to deal with an outage should one occur? If you cannot answer yes to the following questions, let this inclement weather we’re experiencing here in Houston serve as a reminder.

Questions:

  • Do you have your critical systems (PCs, network infrastructure, applications) identified?
  • Do you have up-to-date documentation of your network and critical systems?
  • Do you have an up-to-date list of passwords to restore systems back to normal?
  • Do you have a list of support contacts for all critical systems in case of an outage?
  • Do you know for sure that all of your critical systems are being backed up?
  • Have you tested your back-up software and restore procedure (imperative)?
  • Do you have quality surge protectors (power strips don’t count) on all of your PCs?
  • Do you have a UPS (http://en.wikipedia.org/wiki/Uninterruptible_power_supply) for your critical systems?
  • If you are the person with the passwords, phone numbers, etc., have you written this information down and made it available to the next person in line if you are not available?
  • If you don’t have an internal IT person, do you know who to call in the event of an IT emergency?

If you answered no to any of the questions above, now is the perfect time to take steps to prepare your business for any sort of event that might take down your critical business systems.

Call us if you have any questions or if you would like to schedule a meeting to discuss Disaster Recovery or any other IT related topics. Our number is 832.429.5220. We’re here 24×7.

Submitted by Tom Duke, CEO at Innovativ IT Services (Jan., 2011)