Posts Tagged ‘Ransomware’

Many companies spend a fortune on Next Generation anti-virus and Machine Learning “AI” tools to halt the spread of ransomware, and although I strongly believe that user education and training play a key part in this, Windows itself can help in a massive way. File Server Resource Manager (FSRM), a resource already built into Windows Server, can halt the spread and quarantine the accounts that are affected.

This solution utilises PowerShell and Windows File Services Resource Manager to automatically lockout a user account when ransomware activities are detected.

Installing FSRM
First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!

Get Email Alerts
In order to be emailed about the action our killswitch takes, we will need to set up the SMTP server settings within FSRM. We don’t necessarily have to do this right now, but it saves us from seeing annoying prompts in the later steps.

Open up Server Manager > File and Storage Services > Right-click on your server > File Server Resource Manager (this can also be accessed through Administrative Tools). Once opened, right-click “File Server Resource Manager (Local)” in the left pane and select “Configure Options…” Go ahead and set up all your email settings, similar to below.

Set up Killswitch Directory
In your corporate file share(s), set up a directory that begins with an underscore. If the ransomware is encrypting alphabetically, this will ensure that it is tripped as soon as possible. Within that directory, we will place a text file called killswitch.txt.

Set Up the Killswitch
Many variants of ransomware look to find mapped drives and will begin encrypting data in alphabetical order. Because of this, our killswitch is going to be a directory placed in the file shares that begins with an underscore.

Create a new File Group under File Screening Management that will look at all files except our killswitch.txt.

Next, we will create a File Screen Template utilizing the File Group we created called “All File Types”.

We will want to configure email alerts, so on the E-Mail Message tab, fill out the pertinent information.

We also want to automate the removal of the offending user in order to stop the ransomware from encrypting our entire file server. We will do this with some PowerShell. Copy the following and save it to your preferred location. In this example, I’m just saving it to C:\kickuser.ps1.

param(
    [string]$username = ""
)

# Block the named account on every non-administrative SMB share on this server.
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName "$username" -Force
}

On the Command tab, check “Run this command or script:” and enter the following:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

For the command arguments, insert the following:

-Command "& {C:\kickuser.ps1 -username '[Source Io Owner]'}"

Set it to run as Local System.

Apply the File Screen
From within FSRM, Select File Screening Management > File Screens and create a new File Screen. Set the path to your underscore directory and use the “Detect Ransomware” File Screen template that we created earlier.
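The whole procedure above (SMTP settings, killswitch directory, file group, actions, template and file screen) can also be scripted with the FileServerResourceManager cmdlets that ship with the FSRM role. The block below is an added example, not the post’s own code; the share path, mail addresses and the value name are assumptions, and it expects the kickuser.ps1 script from the post to already be saved at C:\kickuser.ps1.

```powershell
# Added example (not the post's own code): build the FSRM killswitch from
# PowerShell. Paths and addresses are assumptions; adjust to your environment.
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

$KillswitchDir = 'D:\Shares\Corporate\_Killswitch'   # assumed share root on D:
$ScriptPath    = 'C:\kickuser.ps1'                    # lockout script from the post
$PowerShellExe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 1. SMTP settings so the e-mail action below can send (assumed values).
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'secops@example.internal'

# 2. Underscore directory plus the bait file. Anything written into this
#    directory other than killswitch.txt itself is treated as suspicious.
New-Item -ItemType Directory -Path $KillswitchDir -Force | Out-Null
Set-Content -Path (Join-Path $KillswitchDir 'killswitch.txt') -Value 'Do not modify.'

# 3. File group "All File Types": every file except the bait file.
if (-not (Get-FsrmFileGroup -Name 'All File Types' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'All File Types' `
                      -IncludePattern '*' `
                      -ExcludePattern 'killswitch.txt' | Out-Null
}

# 4. Two notifications: mail the admin, and run kickuser.ps1 as Local System.
#    [Source Io Owner], [Source File Path], [Server] and [Admin Email] are
#    FSRM substitution variables expanded at notification time.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
            -Subject 'Ransomware killswitch tripped on [Server]' `
            -Body 'Account [Source Io Owner] wrote [Source File Path] into the killswitch directory.'
$cmd  = New-FsrmAction -Type Command -Command $PowerShellExe `
            -CommandParameters "-Command `"& {$ScriptPath -username '[Source Io Owner]'}`"" `
            -SecurityLevel LocalSystem

# 5. Template "Detect Ransomware" and the screen on the killswitch directory.
#    -Active makes FSRM block the write as well as firing the notifications;
#    leave it off for monitor-only (passive) screening.
New-FsrmFileScreenTemplate -Name 'Detect Ransomware' `
                           -IncludeGroup 'All File Types' `
                           -Notification @($mail, $cmd) `
                           -Active | Out-Null
New-FsrmFileScreen -Path $KillswitchDir -Template 'Detect Ransomware' | Out-Null

# Show what was created so the result can be eyeballed.
Get-FsrmFileScreen -Path $KillswitchDir | Format-List Path, Template, Active
```

Run it once per file server; every cmdlet is idempotent apart from New-FsrmFileScreen, which errors if a screen already exists on the path. Note that kickuser.ps1 only removes share-level access, so a process that is writing through a local path on the file server itself is not stopped by it.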


Testing
To test, I created a test account (test guy) and modified the file. I was instantly locked out of the share. The output of our PowerShell script, as well as the share permissions, show this:

(Screenshot: output of the PowerShell script for the test account)

(Screenshot: share permissions showing the test account blocked)

Wrapping Up
This methodology should help mitigate some risk around ransomware attacks. In the future, it may also be beneficial to make the following changes:

  1. Create a secondary killswitch in a ZZZ_Killswitch directory in case a ransomware-variant starts in reverse-alphabetical order.

I believe in using the resources we already have available to us in helping secure our organisations, and hopefully, this helps. Feel free to comment with any questions or suggestions.


In capsule:

  • New ransomware named DoubleLocker infects Android devices
  • Discovered by security researchers at ESET
  • The ransomware not only encrypts data but also changes the PIN
  • Ransomware is spread through a fake Adobe Flash Player app
  • A ransom of 0.0130 BTC is demanded to retrieve the data

Security researchers have discovered a new ransomware called DoubleLocker which infects Android devices.

The specialty of DoubleLocker is that it changes the device’s PIN, which prevents users from accessing their device, and also encrypts the data found on the device.

According to researchers from ESET, the ransomware is spread via a fake Adobe Flash Player app hosted on compromised websites.

After installation, the app requests activation of a “Google Play Service” in order to obtain accessibility permissions. It uses them to grant itself device administrator rights and to set itself as the default home application.

ESET malware researcher Lukas Stefanko said that “Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”

The new PIN set by the attacker is a random value which is neither stored nor sent anywhere, making it impossible to recover. When the ransom is paid, the attacker resets the PIN remotely and unlocks the device.

The files are encrypted with the AES algorithm and given a “.cryeye” extension. The attacker has implemented the encryption properly, so without the decryption key it is impossible to recover the files, said Stefanko.

A ransom of 0.0130 BTC (approximately USD 74) is demanded to retrieve the data. The only way for the user to regain their device other than paying the ransom is a factory reset, but files will be lost if they were not backed up properly.

Researchers said it is possible to bypass the PIN on rooted devices if the device was in debugging mode before it was infected.

“The user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.”

To protect your device from infection, follow the instructions below:

  1. Always switch off “Allow installation from unknown sources” in the security settings, which prevents apps from being installed from third-party and anonymous sources.
  2. Always back up your data regularly.
  3. Don’t download attachments from unknown sources.
  4. Always use the Google Play Store to install apps; don’t use any third-party app stores.
  5. Download apps from verified developers and check their app rating and download counts before installing an app.
  6. Verify app permissions before installing an app.
  7. Install a reputable, up-to-date antivirus/antimalware product which can detect and block this type of malware.

WannaCryToolkit scanner and removal toolkit

Posted: 14/05/2017 in Uncategorized

Trustlook (a security and technology company) has released a scanner and removal toolkit to help system administrators protect Windows computers that are either vulnerable to, or have been infected with, the dangerous strain of ransomware known as WannaCry.

 1. WannaCry Ransomware Scanner Tool

The WannaCry Scanner helps system admins scan their network for vulnerable Windows systems; the tool is under the “scanner” directory.

Installation

git clone https://github.com/apkjet/TrustlookWannaCryToolkit.git
cd TrustlookWannaCryToolkit/scanner/
pip install -r requirements.txt

Usage

Usage: wannacry_tlscan.py host/network

Scan a single host:
wannacry_tlscan.py 192.168.0.100

Scan a network:
wannacry_tlscan.py 192.168.0.0/24

2. WannaCry Vaccine Tool

The WannaCry Vaccine Tool helps users prevent their system from being affected by the WannaCry ransomware.

1. Run

tl_wannacry_console.exe and tl_wannacry_no_console.exe prevent the WannaCry ransomware from encrypting the user’s files.

The two tools work pretty much the same, except that tl_wannacry_console.exe comes with a console that shows some progress information, while tl_wannacry_no_console.exe runs in the background.

Users may want to add tl_wannacry_no_console.exe to the Windows startup entries, so that every time the user starts the computer, the Trustlook WannaCry Vaccine Tool starts protecting the system.

2. Add to Windows startup script

Add a value pointing to tl_wannacry_no_console.exe under one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
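As an added example (not Trustlook’s own code), the entry under the per-machine Run key can be created and verified from an elevated PowerShell prompt. The executable path and the value name are assumptions; the other three keys from the list above work the same way with the matching PowerShell drive path.

```powershell
# Added example (not part of the toolkit): register the vaccine tool under
# HKLM\...\Run so it starts at every logon, then confirm the entry exists.
# $ExePath and $ValueName are assumptions; adjust to where the tool was unpacked.
#Requires -RunAsAdministrator
$ExePath   = 'C:\Tools\TrustlookWannaCryToolkit\vaccine\tl_wannacry_no_console.exe'
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'TrustlookWannaCryVaccine'

# Refuse to register a path that does not exist: a dangling Run entry is
# a common sign of something having been tampered with and should not be created.
if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
    throw "Vaccine tool not found at $ExePath"
}

# Quote the path so a space in it cannot be mis-parsed at startup.
$Command = "`"$ExePath`""
New-ItemProperty -Path $RunKey -Name $ValueName -Value $Command `
                 -PropertyType String -Force | Out-Null

# Verify that the value was written as intended.
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName
if ($entry.$ValueName -ne $Command) {
    throw "Run entry for $ValueName was not written correctly"
}
Write-Host "Registered $ValueName -> $Command"
```

Use HKCU:\ in place of HKLM:\ to register the tool for the current user only, which does not require elevation; the RunOnce keys run the value a single time and then delete it, so they are not suitable for a tool that must start at every logon.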

Source download: github


A ransomware threat has driven someone to a terrible suicide and once again marked its history with somebody’s blood. Sad, but true.

Joseph Edwards, a 17-year-old schoolboy from Windsor, Berkshire, hanged himself after receiving a bogus email that appeared to be from the police, claiming that he’d been spotted browsing illegal websites and that a fine of 100 pounds needed to be paid to stop the police from pursuing him.
The scam email pushed the well-known Police Ransomware onto the boy’s laptop, downloading malware that locked up his system once it was opened.
Edwards was an A-level student with autism, a developmental disability that likely made him more susceptible to believing the scam email, supposedly sent from Cheshire police, was genuine, a coroner heard on Thursday.
Edwards was so upset and depressed by the accusation and the extortionate demand that he hanged himself hours after falling victim to the threat. He was found hanged at his family home in Windsor by his mother, Jacqueline Edwards, who told the coroner that he probably didn’t understand the implications of his actions.

“He didn’t seem to have any worries known to me. I don’t think he really understood,” Jacqueline Edwards told the coroner. “Joseph was subjected to a scam on the internet, a threatening, fake police link that was asking for money,” his mother said in a statement. “He would have taken it literally because of his autism and he didn’t want to upset Georgia [his sister] or me.”

As far as we all know, Police ransomware of this type does not encrypt files and usually asks the victim to pay a small “fine” of around £200 or €200. It is normally much easier to remove the threat from infected systems by using dedicated tools specially designed to remove such infections.
According to Detective Sergeant Peter Wall, it will be almost impossible to trace the fraudsters behind the ‘crude’ email, but police believe it may have originated outside the UK.
This is not the first time ransomware has become the reason someone has taken their own life. Over a year ago, a Romanian family faced the same Police Ransomware threat, and the Romanian victim hanged himself and his four-year-old son, fearing that his young son would pay for his mistake and that his life would be spent in prison.
Ransomware is one of the most blatant and obvious criminal money-making schemes out there. The Cryptolocker threat marked its peak, and cyber criminals have since developed many Cryptolocker variants (PrisonLocker, Linkup, IcePole, CryptoBit) against which you have to safeguard your system.