    • Why Cerber Is The New King Of Ransomware


      During 2016, ransomware exploded. It clearly became the biggest menace on the net, using phishing as its No. 1 infection vector.

      Hundreds of ransomware strains competed for market dominance last year, but one was clearly dominant: Locky, costing victims over 1 billion dollars. However, a recent report from our friends at Malwarebytes showed that Locky has fallen off the face of the earth in Q1 2017, making way for the Cerber strain to become the new king of ransomware.

      Malwarebytes' new Cybercrime Tactics and Techniques Q1 2017 report shows Cerber has totally taken over "the market", accounting for 90 percent of Windows ransomware. Note that ransomware accounts for 60 percent of all malware attacks on Windows.

      So why has Cerber become the Apex Predator?

      The success of Cerber is down to its features (robust encryption, offline encryption etc) combined with the adoption of a RAAS (Ransomware-as-a-Service) business model, where the malicious code can be modified or leased through an affiliate scheme. "It's also very easy for non-technical criminals to get their hands on a customized version of the ransomware," Malwarebytes reports.

      Another factor contributing to the rise of Cerber is that those behind it are constantly upgrading it with new features and evasion techniques. Researchers at Trend Micro recently detailed how Cerber has gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

      The Cerber strain, like most ransomware, is mostly delivered by a phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload, a social engineering tactic which is hard to protect against.

      The Locky strain, which was last year's number one, has dropped off the map due to a switch in tactics by the cyber gang behind the Necurs spam botnet. The Necurs network used to distribute Locky, but suddenly surged back to life last month to distribute fake stock tips for 'pump and dump' scams.

      Cerber is more difficult to stop than Locky

      "We've already observed evolution in its distribution mechanisms and it's likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities," Adam Kujawa, lead malware intelligence analyst at Malwarebytes, said.

      "However it's hard to predict the exact modifications Cerber will make, the only definite is that it's not going away," he added.

      They ended off with: "We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model."

      At the moment, Cerber may be king of the hill, but if you look at the tumultuous history of ransomware, this won't last for too long. Either the Cerber mafia will withdraw on their own when the heat gets too much, or they will pivot to a new business model just like the Locky/Necurs gang just did. Third option: they'll get arrested like BitCryptor/CoinVault.

      In any case, there will be another ransomware strain waiting in the wings to grab the No.1 slot, and at the moment it looks like Spora is the contender for the crown.

      Better get ready and step your users through new-school security awareness training.

      Warm regards, Stu

      posted in IT Discussion
      stus
    • [ALERT] Looks Like A New Worldwide Ransomware Outbreak

      Motherboard reported: "A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries.

      On Tuesday, a wide range of private businesses reportedly suffered ransomware attacks. Although it is not clear if every case is connected, at least several of them appear to be related to the same strain of malware."

      Motherboard continued: "The attacks are similar to the recent WannaCry outbreak, and Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

      "We are seeing several thousands of infection attempts at the moment, comparable in size to WannaCry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

      Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

      "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

      Raiu believes the ransomware strain is known as Petya or Petrwrap, a well-known type of ransomware. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers (Motherboard could not independently confirm this at the time of writing).

      EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.

      Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.

      If You Have Not Done So Yet, Apply This Patch Immediately.

      From what we have been able to learn, this new worm spreads through SMB just like WannaCry, so when we're talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening to inbound connections. It'd only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.

      In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the "MS17-010" security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

      Note, the patch is included in the Monthly Quality rollups.

      posted in IT Discussion security malware ransomware knowbe4 knowbe4 blog windows patching zero day
      stus
    • SyncCrypt Uses Graphic File to Cloak Ransomware in ZIP Phishing Payload

      Emsisoft security researcher xXToffeeXx discovered another new phishing threat adept at bypassing antivirus using a variation of the game played by the PowerPoint PPSX attachment phishing email scam we posted about last week.

      “SyncCrypt” distinguishes itself by using a JPG file and a Trojan horse trick of hiding a ZIP file inside a JPG file with automated download of the graphic from one of the several sites controlled by the bad guys.

      The method uses Windows Scripting Language (WSF) which is an old friend of ransomware authors. But this is a clever way to offload and activate the malware on the user's computer while displaying a graphic designed to confuse or buy a minute of time.

      As Larry at BleepingComputer observed: "SyncCrypt uses the WSF scripting language to download images with embedded ZIP files making it invisible to many leading antivirus vendors on VirusTotal."

      The attachments then encrypt all the files with a .kk extension.

      The bad news is that there's no way yet to decrypt SyncCrypt encrypted files.

      The phishing emails look like Court Orders which are named (not very sophisticated) as CourtOrder_XXXXX.wsf (where X equals a number). Bleepingcomputer reports that the (WSF) Windows scripting files will execute JScript code when released from the JPG encapsulated Zip file.

      The scripting process calls one of three websites to manage the upload of the JPG.


      The screenshot demonstrates the WSF script calling one of the three sites to download the JPG trojan loaded with a Zip file.

      Once the image is rendered, the graphic displays Olafur Arnalds' album titled “They Have Escaped the Weight of Darkness”, which Arnalds released in 2010. Does this have significance to the location and origin of the ransomware author? We don't know.


      Meanwhile, hiding in the embedded zip file are sync.exe, readme.html, and readme.png. These files are the core components of the SyncCrypt ransomware.

      According to BleepingComputer.com, the sync.exe file is able to fool about 28 of 63 VirusTotal's indicators and able to sneak by many of the leading AV vendors.

      Here is the attack sequence:

      • User gets phished
      • Sync.exe is extracted from the attachment
      • WSF file is executed
      • Schedules a task one minute later to execute encryption process using AES encryption with a public encryption key saved in %Desktop%\READM
      • Encrypted files contain a .kk extension
      • A splash screen reads you the ransom note and gives you 48 hours to act by sending the exact amount of Bitcoin (which when discovered was about $USD 429) to an address and refers to payment details in a file called amount.txt located in the desktop folder Readme.
      • Victim sends “key” file to one of three email accounts. Instructions are emphasized you must follow all directions exactly or your files will stay encrypted.
      • Currently no way to decrypt files for free

      Way more technical detail:

      KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails with attached zip files so you can see which users answer the emails and/or click on links in them or open infected attachments.

      See it for yourself and get a live, one-on-one demo.

      Request A Demo

      https://info.knowbe4.com/kmsat-request-a-demo

      Warm regards, Stu

      posted in IT Discussion
      stus
    • 86% of security pros worry about a phishing future where criminals are using Artificial Intelligence


      A new survey by Webroot shows that 86% of security professionals worry that AI and ML (machine learning) technology could be used against them. And they are right, because it will and probably is already happening right now with fake celebrity sex videos.

      The survey shows the US is an early adopter of AI for cyber security, with 87 percent of US professionals reporting their organizations are currently using AI as part of their security strategy.

      Three quarters of cyber security professionals in the US believe that, within the next three years, their company will not be able to safeguard digital assets without AI. Overall, 99 percent believe AI could improve their organization's cyber security.

      Respondents identified key uses for AI including time-critical threat detection tasks, such as identifying threats that would have otherwise been missed and reducing false positive rates.

      "There is no doubt about AI being the future of security as the sheer volume of threats is becoming very difficult to track by humans alone," says Hal Lonas, chief technology officer at Webroot. More detail at Webroot's Quarterly Threat Trends report.

      AI is a game changer for better or for worse

      This is the first time in history that AI has come up to the level predicted in Sci-Fi for decades. And some of the smartest people in the world are working on ways to tap AI’s immense power to do just that.

      And some bad guys are using it to create fake celebrity sex videos. Yes, you read that right.

      This is going to be the next wave of phishing emails that use social engineering to manipulate your users into opening an infected attachment.

      With help from a face swap algorithm of his own creation using widely-available parts like TensorFlow and Keras, Reddit user “Deepfakes” tapped easily accessible materials and open-source code that anyone with a working knowledge of machine learning could use to create serviceable fakes.

      "Deepfakes" has produced videos or GIFs of Gal Gadot (now deleted ), Maisie Williams, Taylor Swift, Aubrey Plaza, Emma Watson, and Scarlett Johansson, each with varying levels of success. None are going to fool the discerning watcher, but all are close enough to hint at a terrifying future.

      After training the algorithm — mostly with YouTube clips and results from Google Images — the AI goes to work arranging the pieces on the fly to create a convincing video with the preferred likeness. That could be a celebrity, a co-worker, or an ex. AI researcher Alex Champandard told Motherboard that any decent consumer-grade graphics card could produce these effects in hours. (THIS LINK IS NSFW!)

      So, picture this. (Or rather, don't picture this!)

      Your user gets a spear-phishing email based on their social media "likes and shares", inviting them to see a celebrity sex video with... you guessed it, their favorite movie star! Take it one step further and your user will be able to order fake celeb sex videos with any two (or more) celebrities of their liking and get it delivered within 24 hours for 20 bucks.

      And a good chunk of these video downloads will come with additional malware like Trojans and Keyloggers that give the bad guys full pwnage. Yikes.

      All the more reason to educate your users within an inch of their lives with new-school security awareness training that sends them frequent simulated tests using phishing emails, the phone, and txt to their smartphone.

      We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone with our new, improved free Phishing Security Test

      Get Your Free PST Now

      https://www.knowbe4.com/phishing-security-test-offer

      Warm regards,
      Stu Sjouwerman
      Founder and CEO
      KnowBe4, Inc.


      posted in IT Discussion
      stus
    • The Top 5 Reasons Why You Need To Deploy New-school Security Awareness Training In 2018


      2017 was a dumpster fire of privacy and security screw-ups.

      To start 2018 with a simple, effective, IT security strategy is an excellent New Years resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent... hands-down.

      This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

      Here are the Top 5 reasons...

      • Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.

      • Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.

      • Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready for you in 24 languages.

      • Legally you are required to act "reasonably" and take "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today's social engineering risks and "scale security measures to reflect the threat". Don't trust me, read this, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don't even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.

      • Board members' No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target's CEO and CISO are just an example. Help your CEO to keep their job.

      So now that it's clear you just have to do this ASAP, why choose KnowBe4?

      OK, let's list the 5 reasons why KnowBe4 is the complete no-brainer option—after casually mentioning we are the fastest growing vendor in this field and have 15,000+ customers, more than all our competitors combined:

      • KnowBe4 was recognized by Gartner as a Leader in the Magic Quadrant

      • Goldman Sachs recently invested $30M of Series B funding in KnowBe4 because they believe in our mission

      • The KnowBe4 platform was built from the ground up for IT pros that have 16 other fires to put out

      • The KnowBe4 ModStore has the world's largest choice in fresh awareness training content

      • Pricing is surprisingly affordable, and gives you a 127% ROI with a one-month payback

      • BONUS: It's actually a lot of fun to phish your users and get the conversation started!

      I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP because your filters have an average 10.5% failure rate. Get a quote now and you will be pleasantly surprised.

      Get A Quote
      https://info.knowbe4.com/kmsat_get_a_quote_now

      Warm regards,
      Stu Sjouwerman
      Founder and CEO
      KnowBe4, Inc.

      posted in IT Discussion
      stus
    • Brand-New Tool: Domain Doppelgänger Identifies Evil Twin Domains

      I'm excited to announce the actual release of a new tool to help protect your organization from the bad guys.

      Phishing is still the most widely used cyber attack vector, and criminal attack campaigns often use spoofed websites to deceive your users so they simply allow the bad guys to take over your network.

      Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

      Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

      Better yet, with these results you can now generate an online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

      With Domain Doppelgänger, you can:

      • Search for existing and potential look-alike domains
      • Get a report with aggregated results that includes risk indicators, and
      • Generate an online “domain safety” quiz based on the results to administer to your end users

      This is a complimentary tool and will take only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.

      Find your look-alike domains here:

      Copy & paste this link into your browser:

      https://www.knowbe4.com/domain-doppelganger

      Warm regards, Stu

      posted in IT Discussion
      stus
    • Your Boss NEEDS To Read This WSJ Article About Our Power Grid And How The Russians Hacked It With Phishing


      In a Jan 10, 2019 article, the Wall Street Journal reconstructed the worst known hack into the USA's power grid revealing attacks on hundreds of small contractors.

      The title is very apt: "America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It".

      It's so relevant because it describes a very effective supply-chain attack that could happen to your own organization as well. The article focuses on the spear phishing and watering hole attacks that compromised small contractors and gave the attackers a footprint to hack further up the power grid chain. Remember the Target hack?

      The Wall Street Journal pieced together this account of how the attack unfolded through documents, computer records and interviews with people at the affected companies, current and former government officials and security-industry investigators. Some experts believe two dozen or more utilities ultimately were breached.

      It's a must-read because this is the No. 1 vulnerability that leads to the dreaded data breach. If I were you, I would sit down with your management team and do the following exercise:

      • Identify the top 5 suppliers that would cause downtime or serious disruption of your production if they would get hacked or were off the air

      • Find out if they only require once-a-year awareness training just to be compliant

      • To keep their business as your supplier, require them to sign up with KnowBe4, and deliver you the evidence that their users have stepped through the 45-minute module and get sent simulated phishing attacks once a month. As you see, I'm dead serious here.

      This excellent WSJ reporting demonstrates again that your own employees need to be the strongest human firewall possible, and that your suppliers also need to be part of that same defense-in-depth strategy.

      Here is the link to that article one more time, so you can cut & paste it. This may be the most important article related to InfoSec your C-levels read this year. Make sure they do:

      https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc


      posted in IT Discussion phishing hacking securityawarenesstraining
      stus
    • RE: Chromebook Shipments Up 67%

      SAM is right. They already are. They are a major force in new deployments. We have 9 people in our sales group, all running an HP chromebox, with Google apps. Totally Windows-free environment, with everything in the cloud.

      posted in News
      stus
    • Ransomware hits admin workstation and kills 7 servers

      I wanted to share a horror story with you, something that happened to somebody the day before yesterday. This is what happened in their own words:

      "We are a 250 employee non-profit and we heavily rely on our computer systems in almost everything we do. Yesterday, one of our admin workstations was hit with CryptoWall Version 2.0, and because this workstation had drives mapped to all our servers, and the administrator had permissions, all our seven servers were encrypted and we were dead in the water.

      CryptoWall took just 55 minutes to encrypt 75 Gigs of information, and it had penetrated most of our network before we found out what was happening, isolated the workstation and got it disconnected from the network. We had backups of the seven servers but it would take days to restore those, so we opted to find out if we could decrypt the files first.

      Luckily we had just signed up for KnowBe4’s Kevin Mitnick Security Awareness Training, which came with a crypto-ransom guarantee in case something like this would happen. We called them and got instant help with this very urgent problem.

      They had bitcoins ready in a wallet and were able to pay the $500 ransom within hours. The CryptoWall criminals were actually also pretty quick, and we were issued our decryption key soon after. We immediately started to decrypt all the files with the provided decryption tool and pulled an all-nighter. It was amazing how long it took to get through all of the data. It finally completed at around 8:30 am. So we estimate about 18 hours of running the decrypt tool on our 75 gigs of data.

      So far it only appears that one older database file was corrupted during the encryption, but we restored it from our backup and all is fine. I can’t say enough about KnowBe4’s quick response and support with this situation. We dodged a very big bullet here.

      While only a portion of our staff have completed the training, something tells me more will complete the training requirement after this event. Thank you very much!" - Q.M. IT Director

      As you can see, ransomware hitting a key employee like an admin or perhaps a CEO, controller, or CFO with a lot of access, can do immense damage.

      Having all employees step through security awareness training and sending them simulated phishing attacks, is an essential element of your defense-in-depth!

      Warm regards, Stu

      posted in IT Discussion ransomware cryptolocker cryptowall v2.0
      stus
    • RE: Effective and Realistic Security Training?

      Fascinating discussion. And yes, we provide an integrated platform for simulating phishing attacks and security awareness training. Cost: avg 10 bucks per user per year. www.KnowBe4.com

      Warm regards, Stu

      posted in IT Discussion
      stus
    • Scam Of The Week - Fake News: a Content-based Social Engineering Attack

      Facebook, Google, and Twitter have recently been facing scrutiny for promoting fake news stories. Depending on your sources and who you believe, fake news played and is still playing a role in the 2016 presidential election.

      However, fake news is misused in a number of ways, especially in an election season, and we have seen plenty of examples in the last few weeks:

      • Propaganda, trying to influence opinion like RT.COM
      • Direct attacks on a political opponent
      • Stock manipulation scams
      • Shock people into clicking and infect their machine with malware (celebrity deaths)
      • Sell advertising

      Fake news and its malicious cousin "malvertising" are some of the most hard-to-spot types of social engineering attacks facing employees of both non-profits and for-profits.

      “Fake news” can originate practically anywhere on the Internet through tweets, posts, digital images, video, and/or so-called "citizen journalist" sites where people can directly publish their content without fact-checking or any other kind of content-curation. And then there are the sites pretending to be legit news organizations but dedicated to only fake news. Here are a few examples:

      Bipartisan Report
      PoliticusUSA
      USUncut
      The Freethought Project
      Politicalo / Newslo
      DailyNewsBin
      American News X
      The Other 98%

      This type of site is the most damaging. Their content is not monitored, un-curated, not fact-checked and can create a raft of problems for both the people who fall for that type of social engineering and the enterprise that is being targeted. A recent example is FitBit that saw its stock jump and then crash because of a fake news stock manipulation scheme.

      In another variation of a fake news attack, scammers launch stories announcing the untimely death or injury of a key corporate executive or celebrity. A big one on the enterprise side was in 2009, when the CNN iReport site posted news that AT&T CEO Randall Stephenson was "found dead in his multimillion dollar beachfront mansion" under questionable circumstances. Recent fake news that Brad Pitt had committed suicide is fresh in memory.

      In cases like stock scams, trading of these shares stops quickly, but the damage to the attacked company, and key partners and suppliers is done and the bad guys have gotten their ill-gotten gains. Fake news about M&A activity, clinical trials, product announcements, plant closings, earnings, executive appointment, product delays, partnerships, or headcount reductions might take only minutes to debunk, but can impact revenues, operations and business reputations for weeks.

      Realistically, the only team in any organization who can deal with this type of attack is the security department but few organizations actively monitor for and defend against false news. It's a good idea to conduct an external threat audit across all threat sources, not just social networks, blog sites, wikis, discussion forums, and video sites, but also mobile app stores, online marketplaces, and domains. Organizations like BrandProtect and PhishLabs are a good place to start for a quote.

      What To Do About It

      How do you train your employees about this risk? It's one of the most pernicious social engineering attacks out there. Here is some suggested copy you can cut / paste / edit and send to your employees, friends, and family:

      Facebook, Google, and Twitter have recently been accused of promoting fake news stories. Depending on your sources and who you believe, fake news played a role in the 2016 presidential election. However, fake news is misused in a number of ways:

      • Propaganda trying to influence opinion
      • Direct attacks on a political opponent
      • Stock manipulation scams
      • Shock people into clicking and infect their machine with malware (celebrity deaths)
      • Sell advertising

      So, how do you protect yourself against this type of scam? The very first thing you need to do with any kind of internet message you see is this: CONSIDER THE SOURCE. Meaning you ask yourself the following questions: Where did this come from? Who wrote it? What is their agenda?

      There are a large number of false, misleading, clickbait, and/or satirical “news” sources you need to watch out for. Here are 8 Tips to analyze news sources and make sure you do not fall for their scams:

      • Avoid websites that end in “lo”, for example Newslo. These sites take pieces of accurate information and then package that information with other false or misleading “facts”.
      • Watch out for websites that end in “.com.co” as they are often fake versions of real news sources, and strange or unusual domain names are a big Red Flag.
      • If other known and reputable news sites are not also reporting on the story, that is a Red Flag.
      • If it is an anonymous story and there is no known / trusted author, it's suspect.
      • Some news organizations are letting bloggers post under their banner, but many of these posts are opinion and not facts, make sure you note the difference. (ex: BuzzFeed, Forbes blogs).
      • If you are in doubt because of bad design or grammar/spelling, check their “About Us” tab or look them up on Snopes for verification of that source.
      • If the story makes you upset or angry, it’s a good idea to keep reading about the topic using other sources to make sure the author wasn’t doing that on purpose (with potentially misleading or false information) to generate shares and ad revenue.
      • It’s always best to read multiple sources of information to get a variety of viewpoints and perspectives, which allows you to spot bias in reporting and confirm information with other sources before you decide to take action.

      To summarize, consider the source, double check if the data is correct using other reliable sources, and especially with "fake news"... Think Before You Click!

      Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman
      Founder and CEO,
      www.KnowBe4.com

      posted in IT Discussion (tags: securityawarenesstraining, socialengineering)
      stus
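The domain red flags in the tips above (site names ending in “lo”, the “.com.co” suffix, fake versions of real outlets) can be turned into a screening check that runs before anyone clicks. The Python below is an added example written for this page, not part of the post and not KnowBe4's code. The trusted-outlet list, the two-label suffix set and the sample URLs are constructed for illustration, and the impersonation check goes one step beyond the post: it flags any hostname that embeds a trusted outlet's name while the registrable domain is something else, which covers both the example-news.com.co style and a trusted name buried as a subdomain of an attacker's domain.

```python
"""Screen a news URL for the red flags listed in the post above.

Example code added to this page, not KnowBe4's or the forum author's. The
trusted-outlet list and the sample URLs are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Constructed allow-list of outlets the organization treats as reputable
# (assumption: you would maintain your own, far longer, list).
TRUSTED_OUTLETS = {"example-news.com", "dailyexample.org"}

# Two-label public suffixes a registrant can buy under, so the registrable
# domain has three labels. ".com.co" is the one named in the post; the rest
# are illustrative. A real deployment should use the Public Suffix List
# (for example via the tldextract package) instead of this small set.
TWO_LABEL_SUFFIXES = {"com.co", "co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname somebody actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def site_name(domain: str) -> str:
    """The brand label of a registrable domain: 'newslo' for 'newslo.com'."""
    return domain.split(".")[0]


def check_news_url(url: str) -> list[str]:
    """Return the list of red flags for a URL (empty for a trusted outlet)."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if not host:
        return ["URL has no hostname"]
    domain = registrable_domain(host)
    if domain in TRUSTED_OUTLETS:
        return []  # the real site; subdomains such as www. are fine

    labels = host.split(".")
    flags = []
    # Tip 2: ".com.co" is a favourite disguise for fake copies of .com outlets.
    if domain.endswith(".com.co"):
        flags.append('".com.co" suffix: often a fake version of a .com outlet')
    # Tip 1: site names ending in "lo" (Newslo and friends) blend real and fake facts.
    if site_name(domain).endswith("lo"):
        flags.append('site name ends in "lo": mixes accurate and fabricated information')
    # Beyond the post: a trusted outlet's name anywhere in the hostname while the
    # registrable domain is something else is impersonation, whether it looks like
    # example-news.com.co or example-news.com.attacker.example.
    for trusted in TRUSTED_OUTLETS:
        name = site_name(trusted)
        if any(name in label for label in labels):
            flags.append(f"impersonates {trusted}: registrable domain is actually {domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a shared "news" story.
    for sample in (
        "https://www.example-news.com/politics/story",
        "http://example-news.com.co/shocking-revelation",
        "https://newslo.com/story",
        "http://example-news.com.evil-host.example/login",
    ):
        print(sample, "->", check_news_url(sample) or ["no red flags"])
```

The check deliberately treats any subdomain of a trusted registrable domain as clean, so the same outlet's www. and mobile hosts pass, while a trusted name that is not the registrable domain is always flagged. The hard part in production is the suffix logic: without the real Public Suffix List, a host like dailyexample.org.co is split wrongly, so swap the small set above for that list before relying on the result.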
    • Disk-Killer Malware Adds Ransomware Feature And Charges $200,000+


      Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly.

      The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware which targeted and sabotaged Industrial Control Systems and Supervisory Control And Data Acquisition (SCADA) industrial devices in America during 2014.

      The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan, and the KillDisk disk-wiping malware.

      KillDisk was used in 2015 and 2016 when another gang, the Russian BlackEnergy cyber-espionage group, used the malware to attack and sabotage energy, mining and media companies in the Ukraine. Bad guys have very active forums and they talk all the time, so this is probably how state-sponsored Russian hackers got their hands on KillDisk.

      Until today, the KillDisk malware strain was only active in espionage and sabotage ops. Well, they are now moving into the ransomware racket with a bang: a 222 Bitcoin ransom, which with the skyrocketing Bitcoin exchange rate is well over 200 grand. If you get hit with this and your backups fail, that gets very expensive.

      The new KillDisk strain uses very robust encryption, giving each file its own AES key, and then encrypting the AES key with a public RSA-1028 key. These guys know what they are doing.

      KillDisk was recently used against Ukrainian banks

      Recent KillDisk attacks were against Ukrainian banks. These attacks infected bank workers with the TeleBots backdoor trojan via phishing attacks with malicious email attachments. TeleBots is an easy to recognize malware strain because it uses the Telegram protocol to communicate with its criminal owners.

      Catalin Cimpanu at Bleepingcomputer said: "After collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also hide the intruder's tracks.

      In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) and draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivism group, portrayed in the show.

      At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations."

      Why did they add a ransomware feature?

      It's easier to hide your tracks if KillDisk poses as ransomware. You are basically talking about a very profitable form of obfuscation.

      The victim would assume they suffered an expensive ransomware infection, and wouldn't scan for the TeleBots trojan or other data exfiltration code. Victims trying to avoid bad PR would restore from backup or pay the ransom and move on. Meanwhile, back at the ranch they would still be robbed blind.

      According to malware researchers at CyberX, the KillDisk ransomware component shows the following message on infected computers and asks for a huge ransom demand of 222 Bitcoin, well over 200 grand.

      [ransom note screenshot]

      To unlock your files, you have to contact their customer support via an email and pay the ransom, and then receive your private RSA key that decrypts all your files.

      The business model used here is not the spray-and-pray of the cheap ransomware. This gang goes for the high-end approach and demands a high price. Once you contact them through the email address, they will try to extort you threatening to dump sensitive files they stole via the TeleBots backdoor.

      If you are not a KnowBe4 customer yet, at times like this it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test and find out what the phish-prone percentage of your users is.

      https://info.knowbe4.com/phishing-security-test-16

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc.


      posted in IT Discussion
      stus
    • [Scam Of The Week] New Sextortion Attacks Take A Dark Turn And Infect People With GandCrab Ransomware


      Our friends at Proofpoint reported that last week employees in the United States were bombarded by a spam attack that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.

      Starting around May 2018, there have been a number of attack waves pushing different versions of sextortion threats.

      There have been sextortion scams where the criminals claimed they were from China, where the hackers claimed they intercepted a user's computer cache data, where the hackers claimed to have hacked all of a victim's online accounts, where crooks claimed they hacked the victim's phone, or where crooks claimed to have recorded the user via his webcam while visiting adult sites.

      These themes vary almost on a weekly basis, as scammers professionally test different themes and tactics to determine the best ROI. And they've been making money hand over fist.

      But this week, sextortion scams took another dangerous turn. Security researchers at Proofpoint blogged they've seen a variation of a sextortion scam campaign that included a download link at the bottom of the blackmail message.

      The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.

      Users who downloaded and ran these files would be infected by the AZORult malware, which would immediately download and install the GandCrab ransomware. Even if the user had no intention of paying the sextortion demand, curious users would still end up being held for ransom if they were careless enough to follow the link and run the files they received.

      You should warn your users to delete these emails, or better yet, click on the (free) Phish Alert Button and report them to your organization's IT Incident Response team.

      I suggest you send the following to your employees in high-risk jobs specifically. You're welcome to copy, paste, and/or edit:

      The bad guys are getting more and more dangerous with sextortion scams. They now send you an email that claims they have a video of you watching an inappropriate website, and that you can download that video and see it for yourself. But if you do, your computer gets infected with ransomware! If any emails of this type make it through the spam filters, please follow our organization's email security policy, and Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.

      Do your users know what to do when they receive a suspicious email?

      Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

      KnowBe4’s Phish Alert button now also works with Outlook Mobile for iOS and Android. This enables your users to report suspicious emails from not only their computer but from their mobile inbox as well.

      (If you’re running Office 365 and want to give your end-users the ability to report suspicious emails from their mobile inbox, you can enable the official Outlook Mobile app for iOS or Android directly from the KnowBe4 console.)

      The Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

      Best of all, there is no charge!

      • Reinforces your organization's security culture
      • Incident Response gets early phishing alerts from users, creating a network of “sensors”
      • Email is deleted from the user's inbox to prevent future exposure
      • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

      This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!

      Here is a link you can cut and paste into your browser to get the Phish Alert Button https://info.knowbe4.com/free-phish-alert

      Warm regards, Stu

      posted in IT Discussion
      stus
    • RE: spammed by KnowBe4

      Guys,

      We honor any and all "ask-off" requests. At the bottom of all our emails are unsub options and they work. If they don't - email me and I will fix that.

      Also, you can email me personally at [email protected] if you want to get out of salesforce and/or the newsletter and we WILL get you off the list.

      Warm regards,

      Stu

      posted in Water Closet
      stus
    • RE: Ransomware hits admin workstation and kills 7 servers

      @scottalanmiller thanks Scott !!!

      posted in IT Discussion
      stus
    • U.S. Court Sentences Russian Hacker to a Record-Setting 27 Years


      On Friday, a Seattle Federal District Court judge sentenced 32-year-old Roman Valerevich Seleznev to 27 years in prison for running a vast credit card and identity theft operation, selling millions of credit card numbers on the black market. This was the longest sentence handed down for hacking-related charges in the United States.

      Seleznev’s schemes led to losses of at least $170 million. Among Mr. Seleznev’s victims were 3,700 financial institutions and 500 businesses around the world, including several restaurants in the Seattle area.

      Seleznev is the son of Valery Seleznev, an outspoken member of the Duma, the lower house of the Russian Parliament, and a close political ally of Russian President Vladimir Putin.

      Up to now, US law enforcement has had very little cooperation capturing and convicting Russians accused of hacking crimes. Russian cybercriminals can operate with impunity as long as they do not hack inside Russia itself. In return for that relative freedom, cybercriminals are often tapped to work for Russia’s intelligence agencies.

      Next time, stay home

      It is only when Russian cyber criminals are dumb enough to travel outside of Russia that US law enforcement is able to detain them, most recently in Prague and in Barcelona. However, Secret Service officials say more than three dozen Eastern European hackers suspected in crimes remain out of reach.

      Seleznev never traveled to any country that had an extradition treaty with the U.S. For more than a decade, the Secret Service tracked his movements around the globe but couldn't do anything about him.

      Then, in the summer of 2014, Seleznev and his girlfriend took a vacation in the Maldives, which doesn't have an extradition treaty with the U.S. either, but the US State Department convinced local authorities to help capture Seleznev anyway. He was arrested by Maldivian police at the airport on his way home and handed over to U.S. officials, who whisked him by jet to Guam and then to a federal prison in Washington State.

      Seleznev wrote an 11-page letter (PDF) by hand to the court this year, admitting to and apologizing for his crimes.

      “Today is a bad day for hackers around the world,” said Annette L. Hayes, the United States attorney for the Western District of Washington. “The notion that the internet is a Wild West where anything goes is a thing of the past.”

      That's great PR of course, but the reality is that Vladimir Putin uses hackers for his own nefarious purposes, and will provide them air cover as long as they behave and go for a "staycation" instead of tropical islands.

      posted in IT Discussion
      stus
    • RE: This password bombshell will make you scratch your head...

      @dashrender We want to make sure our brand new password management training module reflects the requirements of the market. The survey tells us what you really need and want. Stu

      posted in IT Discussion
      stus
    • These 4 Maps Will Make You Understand Russia's Aggressive Cyber Attacks

      There are many kinds of maps: they can show roads or general geography, but sometimes they shed light on other dimensions, like economic, political and/or military perspectives.

      First of all, you need to realize that Planet Earth is an "anarchy of nations". There is no planetary overlord—which we probably should be glad about—and the United Nations is corrupt and ineffective. Countries are locked in a constant struggle for power.

      These maps explain why Russia is so incredibly aggressive on the Internet, and essentially is using the net as an integral part of their asymmetric cold warfare.

      Strategically speaking, Russia has been in a difficult spot since the 1991 collapse of the communist Soviet Union. Putin has repeatedly said this is his biggest regret, and he wants to resurrect the old Soviet power (where his job was stealing Western intellectual property for the KGB).

      Here is a map that shows the furthest reach of the old Soviet regime during the cold war:

      [map image]

      Have a look at the straight line drawn from Leningrad to Rostov-on-Don, and keep that line in mind. (Note that Leningrad became St. Petersburg in 1991 after the collapse).

      No Natural Barriers

      Now, there are no natural barriers that stop invaders from Western Europe from rolling straight into Russia, like the Germans did in the Second World War. Here is a map that illustrates this:

      [map image]

      Since the 1991 collapse, Russia has no buffers in place to protect against an invasion, and NATO has made significant inroads in Eastern Europe. The other problem is that Russia is almost landlocked and has no easy access to the sea.

      Landlocked

      Basically Europe controls Russia's access to the sea, and during the Cold War, air bases in Norway, Scotland, and Iceland, coupled with carrier battle groups, worked to deny Russia access to the sea. This demonstrates the vulnerability Russia faces due to its lack of access to oceans and waterways.

      [map image]

      Cannot Project Significant Force

      Russia cannot project significant force because its naval force is bottled up and because you cannot support major forces from the air alone. Russia's primary issue is the western frontier and Ukraine. Putin thinks that the Euro-American interest in creating a pro-Western regime there has a purpose beyond Ukraine. Putin's Ukraine viewpoint is that they lost a critical buffer zone, and guess what, from his perspective he is right.

      Russian Economy In Serious Trouble

      Russia's economy is very much like an intersection in the boondocks with a gas station, a gun shop, and a flag on top. Their economy is in serious trouble given the plummeting price of oil in the past years and no expectation of getting better. Their weapons exports only partially compensate for this.

      The Upshot

      Russia occupies the weaker strategic position, having lost its western buffers against an invader, with an economy in trouble, and struggling to maintain the physical integrity of "Mother Russia".

      Here is the picture of how things look now, and compare the straight line from St. Petersburg to Rostov-on-Don again with the first map:

      [map image]

      It is not hard to see why they are grabbing hold of any strategic advantage they can get their hands on, and the internet allows them to overcome traditional military limitations. Russian cyber attacks by the FSB, GRU and organized cyber crime (protected by the Kremlin) are not going away any time soon.

      The Gerasimov Doctrine

      The WSJ observed: "Russia’s military laid out what is now seen as a blueprint for cyberwarfare with a 2013 article in a professional journal by Gen. Valery Gerasimov, the chief of Russia’s General Staff. Cyberspace, wrote Gen. Gerasimov, 'opens wide asymmetrical possibilities for reducing the fighting potential of the enemy.'"

      In his 2013 article, Gerasimov talked about the Russian military’s desire to hone its hacking skills as an extension of conventional warfare and political conflict. In reality, they were already deeply engaged in this and expanding their reach. In Washington’s defense and national security circles, Russia’s attacks in cyberspace have become known as the “Gerasimov doctrine”.

      In addition to the above, Russian President Vladimir Putin said a few days ago: "The leader in Artificial Intelligence will rule the world." He predicted that future wars will be fought by drones, and "when one party's drones are destroyed by drones of another, it will have no other choice but to surrender." Terminator, here we come. Link to Associated Press.

      The vast majority of Russia's attacks start with social engineering and spear phishing attacks. KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments.

      See it for yourself and get a live, one-on-one demo.

      Request A Demo

      https://info.knowbe4.com/kmsat-request-a-demo

      posted in IT Discussion
      stus
    • RE: These 4 Maps Will Make You Understand Russia's Aggressive Cyber Attacks

      Interesting Scott! I crossed Checkpoint Charlie into East Germany at the Berlin Wall.

      posted in IT Discussion
      stus
    • RE: [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO

      @tim_g We do! Now 15,000 customers. 🙂

      posted in IT Discussion
      stus