No More Ransom adds law enforcement partners from 13 new countries


Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel Security, Kaspersky Labs, Dutch National Police, and Europol will be joined by members from Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland, and the United Kingdom.

Since its launch on July 25, 2016, No More Ransom has enabled ransomware victims to avoid paying an estimated $1.48 million or EUR 1.35 million in ransom payments to cybercriminals. The No More Ransom portal has received more than 24.5 million visitors since its launch, a consolidated average of 0.4 million visitors per day.

No More Ransom addresses one of the fastest growing and most lucrative and efficient types of cybercrime. Whereas other types of cybercrime require cybercriminals to infect and infiltrate systems, exfiltrate data, exploit and monetize that data, ransomware simply requires an infection cycle, followed by a payment process. There is no need to sell stolen data before banks and credit card companies can cancel stolen credit or debit numbers, or freeze logins to compromised accounts.

Because of this “ease of monetization” advantage, it should be no surprise that McAfee Labs has seen overall ransomware increase 128% over the past year. In the second quarter of 2016 alone, McAfee Labs detected 1.3 million new ransomware samples, the highest ever recorded since McAfee Labs began tracking this type of threat.

Furthermore, the ransomware threat has extended from individual users to systems belonging to businesses and life-saving organizations such as hospitals. Intel Security’s Advanced Threat Research team has also identified numerous ransomware attack scenarios targeting Internet of Things devices such as home automation systems, routers, and in-vehicle infotainment (IVI) systems within connected automobiles.

[Figure: Home router infected with ransomware]

[Figure: Automobile IVI system infected with ransomware]

At present, five decryption tools are listed on the www.nomoreransom.org website. Since the launch of the portal in July, the WildfireDecryptor has been added and two decryption tools updated: RannohDecryptor (updated with a decryptor for the ransomware MarsJoke aka Polyglot) and RakhniDecryptor (updated with Chimera). In order to broaden the audience and improve results even further, the portal is currently being adapted to support different language versions.

For more information on McAfee Labs’ analyses of various ransomware types and trends of ransomware evolution:


For more information on Intel Security’s participation in the No More Ransom project, please visit www.nomoreransom.org.


Botnet that enslaved 770,000 PCs worldwide comes crashing down

Law enforcement groups and private security companies around the world said they have taken down a botnet that enslaved more than 770,000 computers in 190 countries, stealing owners' banking credentials and establishing a backdoor to install still more malware.

Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight. The exploits were planted on websites compromised through SQL injection vulnerabilities and delivered through exploit kits such as Blackhole and Styx. Other methods included sending spam and other forms of social engineering. Countries most affected by Simda included the US, with 22 percent of the infections, followed by the UK, Turkey with five percent, and Canada and Russia with four percent.

The malware modified the HOSTS file Microsoft Windows machines use to map specific domain names to specific IP addresses. As a result, infected computers that attempted to visit addresses such as connect.facebook.net or google-analytics.com were surreptitiously diverted to servers under the control of the attackers. Often the booby-trapped HOSTS file remains even after the Simda backdoor has been removed. Security researchers advised anyone who may have been infected to inspect their HOSTS file, which is typically located at %SYSTEM32%\drivers\etc\hosts. People who want to discover if they have been infected by Simda can check this page provided by AV provider Kaspersky Lab. The page is effective as long as a person's IP address hasn't changed from when the infection was detected.
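The HOSTS-file inspection the researchers recommend can be scripted. The following is an added example, not code from the article or from Kaspersky Lab: it parses hosts-file text and flags any entry that maps one of the domains the article names (or a subdomain of it) to an address other than loopback, since loopback entries block a name while a foreign address diverts it. The watched-domain set and the sample file contents are constructed for illustration.

```python
"""Flag HOSTS-file entries that divert well-known domains, as Simda did."""
import ipaddress

# Domains the article names as redirected by Simda; a defender would extend
# this set with other services the environment depends on (assumption).
WATCHED_DOMAINS = {"connect.facebook.net", "google-analytics.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_local(ip):
    """True for loopback/unspecified addresses, which block rather than divert."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) entries that map a watched domain or one of its
    subdomains to a non-local address, i.e. a redirection rather than a block."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((ip, name))
    return hits

# Constructed sample hosts file: one benign blocklist line, two injected ones.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1   ads.example.net          # benign blocklist entry
203.0.113.7 connect.facebook.net
203.0.113.7 www.google-analytics.com
"""

if __name__ == "__main__":
    # On a real Windows host, read the file at the path given in the article instead.
    for ip, name in find_suspicious(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```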


Feds used Adobe Flash to identify Tor users visiting child porn sites

A little more than 16 months ago, word emerged that the FBI exploited a recently patched Firefox vulnerability to unmask Tor users visiting a notorious child pornography site. It turns out that the feds had waged an even broader uncloaking campaign a year earlier by using a long-abandoned part of the open source Metasploit exploit framework to identify Tor-using suspects.

According to Wired, "Operation Torpedo," as the FBI sting operation was dubbed, targeted users of three darknet child porn sites. It came to light only after Omaha defense attorney Joseph Gross challenged the accuracy of evidence it uncovered against a Rochester, New York-based IT worker who claims he was falsely implicated in the campaign. Operation Torpedo used the Metasploit Decloaking Engine to identify careless suspects who were hiding behind Tor, a free service used by good and bad guys alike to shield their point of entry to the Internet.

The Decloaking Engine went live in 2006 and used five separate methods to break anonymization systems. One method was an Adobe Flash application that initiated a direct connection with the end user, bypassing Tor protections and giving up the user's IP address. Tor Project officials have long been aware of the vulnerability and strenuously advise against installing Flash. According to Wired:
