
US, Canada Issue Ransomware Advisory



Folks, this is a current and ongoing threat that locks up your computer until you pay a "ransom" to get the unlock code. The infections still require, in most cases, that you open a file or attachment, or enable Word macros on request. Don't enable macros for anything today.

 

There is no way to overstate the vulnerability average users have to social engineering. By reading the below closely and becoming educated in how the infections are done, you can avoid these for now, until they evolve again.

 

I recommend keeping complete images as backup and separate, up-to-date data backups, as well as hard copies of downloaded programs like MS Office. Just copy the files to a DVD or CD, if small enough, so you will be able to reload your programs. If you are like some folks I have cleaned out infections for, who, rather than pay for several hours of my work, preferred the minimum $60 for a factory reset, then you have nothing to lose, and none of this is required. You still need to make a hard copy of your recovery partition, which will require a 16GB USB flash drive to be sure it is large enough. You have to make a copy of your recovery partition because it will be locked up too.

 

CERT means Cyber Emergency Response Team, which each nation has today. Their warnings are like State Department travel warnings: some folks ignore them and come back, others may not.

 

 

Excerpt:

 

"Ransomware clearly has people on many fronts worried, so much so that the United States and Canada took an unprecedented step last week to issue a joint advisory on the threat posed by crypto-ransomware.

 

The U.S. Cyber Emergency Response Team together with the Canadian Cyber Incident Response Centre penned a comprehensive warning on the heels of high-profile infections at hospitals nationwide that have made headlines the past few weeks.

 

The advisory describes the threat, potential impact and offers solutions which companies and consumers can take advantage of.

 

“The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users' systems can become infected with additional malware,” the advisory reads.

 

Contrary to advice given by the FBI last fall, the respective CERTs say that paying the ransom may not be the best solution.

 

“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” the advisory says. “In addition, decrypting files does not mean the malware infection itself has been removed.”

 

Ransomware has shut down major health care providers, including MedStar Health in the D.C. area and Los Angeles-based Hollywood Presbyterian Medical Center, affecting not only access to data stored on computers network-wide, but also patient care: in the case of Hollywood Presbyterian Medical Center, the sick and injured had to be shuttled to other facilities in the area.

 

The respective CERTs warn against financial loss and reputational harm, in addition to possibly permanently corrupted files. The advisory urges organizations to employ common sense computer hygiene, starting with regular, available, secure backups of critical information. Application whitelisting and vigilant patching are also recommended; the CERTs also caution that organizations should educate users to avoid enabling macros. Many ransomware strains, including Locky, arrive in spam and phishing emails with Word documents posing as a business invoice. The victim is directed to enable macros in order to properly view the document, but instead the macro downloads the ransomware in the background.

 

The speed by which ransomware is evolving is striking, perhaps more so than any other type of malware or exploit.

 

In the past two weeks, we’ve seen PowerWare co-opt Windows PowerShell via a malicious macro to pull down the ransomware and avoid writing files to the disk.

 

More recently, Petya ransomware was exposed in attacks targeting HR operations at German companies. The twist with Petya is that it spreads via a Dropbox link—which has since been disabled—spammed out to organizations. The malware replaces the boot drive’s Master Boot Record with a malicious loader. The malware forces Windows to reboot and displays a phony check disk (CHKDSK) operation to the victim while the malware executes in the background and encrypts the master file table.

 

Researcher Hasherezade said in a detailed analysis posted to the Malwarebytes blog that despite claims in the ransom note, Petya does not encrypt the full disk; by encrypting the master file table, it makes it so that the file system is not readable. The ransomware executes in stages and Hasherezade said that if detection happens in the first stage, data can be recovered."

 

The full article has links to each type of ransomware for detailed information, and related articles here:

https://threatpost.com/us-canada-issue-ransomware-advisory/117157/

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
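The macro lure described in the advisory above (a Word "invoice" that asks the reader to enable macros) can be screened for before the attachment ever reaches a user. What follows is an added example, not code from the original post, from Threatpost or from the US-CERT/CCIRC advisory: it inspects an Office Open XML attachment for a VBA project part or a macro-enabled content type, flags legacy OLE2 binary files for manual review, and builds its own constructed sample documents so it runs offline. The quarantine policy, the file names and the sample contents are assumptions made for the example.

```python
import io
import zipfile

# Content types that declare an Office Open XML package as macro-enabled.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.docm/.xlsx/... are zip packages
MACRO_FREE_EXTENSIONS = ("docx", "dotx", "xlsx", "pptx")


def inspect_office_file(data: bytes) -> dict:
    """Judge the container contents, never the file name, for macro indicators."""
    verdict = {"container": "unknown", "has_vba": False, "reasons": []}
    if data.startswith(OLE2_MAGIC):
        verdict["container"] = "ole2"
        verdict["reasons"].append("legacy binary Office container; macros cannot be ruled out without an OLE parser")
        return verdict
    if not data.startswith(ZIP_MAGIC):
        return verdict
    verdict["container"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                             if "[Content_Types].xml" in names else "")
    except zipfile.BadZipFile:
        verdict["reasons"].append("corrupt zip container")
        return verdict
    # A VBA project is stored as its own part inside the package.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        verdict["has_vba"] = True
        verdict["reasons"].append("vbaProject.bin part present")
    # The package also declares a distinct main content type when it is macro-enabled.
    if any(ct in content_types for ct in MACRO_CONTENT_TYPES):
        verdict["has_vba"] = True
        verdict["reasons"].append("macro-enabled content type declared")
    return verdict


def should_quarantine(filename: str, data: bytes) -> tuple:
    """Hypothetical mail-gateway policy: hold anything that carries, or may carry, VBA."""
    verdict = inspect_office_file(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if verdict["has_vba"]:
        if ext in MACRO_FREE_EXTENSIONS:
            return True, "VBA project inside a file using a macro-free extension"
        return True, "macro-enabled document: " + "; ".join(verdict["reasons"])
    if verdict["container"] == "ole2":
        return True, "legacy binary Office file; hold for manual review"
    return False, "no macro indicators"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Word package, optionally carrying a VBA part."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE2 streams; a stub is enough for the presence check.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"stub-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in (("invoice.docm", build_sample_docx(True)),
                       ("invoice.docx", build_sample_docx(True)),   # macro file renamed
                       ("report.docx", build_sample_docx(False)),
                       ("old-invoice.doc", OLE2_MAGIC + b"\x00" * 504)):
        print(name, should_quarantine(name, body))
```

The check keys off the package contents rather than the extension, so a macro-enabled file renamed to .docx is reported as its own reason. Macro source inside vbaProject.bin is stored in a compressed OLE2 stream, so this tells you a macro is present, not what it does; it complements, and does not replace, the advisory's point that users should not enable macros.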


FYI the Malwarebytes folks have a Beta "Anti-Ransomware" program available for free. I'm using it and it is unobtrusive. I've seen a couple of false positives but there have been no problems from the program. Malwarebytes doesn't guarantee the program, but I figured it was worth a try.

Sandie & Joel

2000 40' Beaver Patriot Thunder Princeton--425 HP/1550 ft-lbs CAT C-12
2014 Honda CR-V AWD EX-L with ReadyBrute tow bar/brake system
WiFiRanger Ambassador
Follow our adventures on Facebook at Weiss Travels


Do you have a link Joel?

RV/Derek

Sandie & Joel

Thanks Joel!

I will load it on our systems ASAP. I hadn't heard of this before. I knew about Anti-Exploit, but when I searched on malwarebytes.org it showed no results. Now I see why. It is in the forum for the more experienced users. Man, am I ever glad I got six licenses for our systems with the old lifetime premium with no annual payments.

How long have you been using it Joel? Any system hangs or other issues?

RV/Derek


I've had it on both laptops for ~2 weeks. As far as I know there haven't been any adverse issues. Both computers have at least once displayed a popup that a threat had been found and quarantined but both times the quarantine folder was empty. The Beta version I started with has just been updated on both machines. I'm currently using version 09.15.416

Sandie & Joel

Joel, those are false positives, and they have a way to report them as a beta tester on the forum you linked to for the download, but in a different thread. I may just go ahead and give it a try.

Thanks.

RV/Derek

Doc J/RV

 

When the Beta anti-ransomware is running is the symbol shown down on the taskbar? Is this always running in the background when the symbol is shown down on the task bar?

 

Dennis

USA Master Sergeant Ret.


The small icon is present in the background area when the program is active. The taskbar icon pops up during boot and can be closed.

Sandie & Joel

Dennis,

I reduced it to my taskbar, right-clicked it, and pinned it to the taskbar. Then when I single-click it, it opens to the dashboard telling me the system is protected by Malwarebytes Anti-Ransomware. When it is reporting, or I open it by clicking on the taskbar icon, it shows it is protected, and on the taskbar it shows as active by widening and with a line at the bottom of the icon.

 

 

I keep my taskbar always on top. It has things like the Snipping Tool and Task Manager so I can instantly shut down my browser if anything starts that I didn't start. These, along with my TV tuner icon, Word, Outlook, calculator (remember it is a touchscreen, so it works the same as a handheld), WifiInfoView, Control Panel, Defender, Windows File Explorer, Notepad, Windows Media Player, Opera, Internet Explorer, and Edge browser icons, are on the taskbar too.

 

I detested the Start button and Start menu, and since the taskbar became usable in Windows 98 or XP (I forget when it became "pinnable"), I used/use double-click icons on the desktop, quick-start single-click taskbar icons, and the notifications area of the taskbar, which is double-click to open. I always had Windows Search, now called File Explorer, on the desktop and later the taskbar, as I use the file system extensively. I never really used search and always turn off indexing to increase performance. I pretty much know where everything personal and the utilities are anyway. So it is quicker for me to just have the ones I use daily on the taskbar with one click.

 

I always have my antimalware, Control Panel, Task Manager and utility programs available in one click on the taskbar so they can be accessed fast no matter what I am doing or have open.

 

Thus my pinning this one to the taskbar too.

 

However, I love the right click options on the start button in Windows 10 giving me quick access to Command Prompt with admin rights, Disk Manager, Administrative tools etc.

 

So far no issues with the two main AIO desktops here, both touch screens. Doing the Surface tablet this morning.

RV/Derek

Duke,

I have Malwarebytes Premium on all my systems and have already installed the Malwarebytes Beta with 0 issues on four systems so far. Tomorrow is Windows updates day and I will install it on the other five systems then. Two are laptops (Intel and 256GB SSDs/4 GB each) to sell, a third is my hybrid Atom Z3795 64GB/4GB Asus T200, then my wife's desktop tower/24" monitor/8 GB RAM quad-core A6 SSD we just replaced with an all-in-one touch, and a Mini PC with another Atom 3735. So with a good spread of systems we'll see if there are any issues. They have cracked the code for the Petya ransomware; see my new post here:

RV/Derek
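Since the Petya write-up quoted at the top of this thread describes the malware replacing the boot drive's Master Boot Record with its own loader before faking a CHKDSK run, a cheap check is to keep a known-good copy of sector 0 and compare the bootstrap code and partition table against it. The following is an added example, not code from the original post, from Malwarebytes or from the advisory; it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports which parts changed. The two sample MBRs are constructed here; reading the live sector from `\\.\PhysicalDrive0` or `/dev/sda` needs administrator rights and is left as a helper you call yourself.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a boot-code hash, the used partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which parts of the current MBR differ from the stored known-good copy."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": base["boot_code_sha256"] != cur["boot_code_sha256"],
        "partition_table_changed": base["partitions"] != cur["partitions"],
        "signature_ok": cur["signature_ok"],
    }


def verdict(report: dict) -> str:
    """Turn the comparison into the one line an operator wants to see."""
    if not report["signature_ok"]:
        return "ALERT: boot signature missing, sector 0 is damaged or overwritten"
    if report["boot_code_changed"] and not report["partition_table_changed"]:
        return "ALERT: boot code replaced while the partition table is intact (loader swap pattern)"
    if report["boot_code_changed"] or report["partition_table_changed"]:
        return "WARN: MBR differs from baseline; confirm a legitimate repartition or OS reinstall"
    return "OK: MBR matches baseline"


def read_mbr(device_path: str) -> bytes:
    """Read the live sector 0; needs administrator/root (e.g. r'\\\\.\\PhysicalDrive0' or '/dev/sda')."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIGNATURE


# Baseline mimics an ordinary loader prologue; the tampered copy keeps the partition
# table but carries different boot code, which is what a loader replacement looks like.
BASELINE = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)
TAMPERED = make_sample_mbr(b"\xfa\xeb\x10" + b"\x00" * 60)

if __name__ == "__main__":
    print(verdict(compare_mbr(BASELINE, BASELINE)))
    print(verdict(compare_mbr(BASELINE, TAMPERED)))
```

Store the baseline off the machine (the malware will have write access to anything local once it runs) and re-check from a scheduled task. Changed boot code with an unchanged partition table is the pattern a loader swap produces; a changed partition table usually means someone repartitioned on purpose. This only covers legacy BIOS/MBR disks; a UEFI/GPT system has a protective MBR whose boot code is normally unused, so the hash there tells you little.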
