Human nature is amazing. I can tell you that there are a million stars in the sky and you will believe me. I can tell you that the paint on the wall is wet, and 8 out of 10 people will touch it to make sure. Social engineering and phishing email scams are part of the second part of this. It’s natural to be curious, to want to know what’s inside something.  That curiosity has led to the mother load in the malware world.

Welcome to the Pain

The malware jackpot has just been struck. Locky, Samas, and Cryptolocker are spreading like wildfire across the globe. Why? The answer is simple: they are cheap, easy, and effective. In the last few weeks, Ransomware has hit a number of medical organizations including the Hollywood Presbyterian Medical Center, the Chino Valley Medical Center, the Desert Valley Hospital, and Methodist Hospital in Henderson, Kentucky.

But how does such a sophisticated piece of malware get into enterprises such as these? Why is the MedStar network in DC, a collection of 10 hospitals and 250 outpatient facilities in the DMV using pen and paper today?  Why is a 5 billion dollar healthcare provider that servers hundreds of thousands of people infected with something so easy to defend against?

These collections of healthcare providers all have two things in common.

  1. They lack on site security specialists to help protect their environments for external threats.
  2. They severely lack awareness training against Phishing.

What exactly is phishing? It is quite literally the oldest trick in the book. Started back in 1995 when attackers used to masquerade as AOL Customer Service Reps, they would message users and give false error codes before tricking users into giving up their passwords.  The format of these have shifted in the last 21 years to more realistic emails that trick uneducated users into opening a malicious document, clicking a malicious link, or running a malicious macro.

According to Special Agent Chris Stangl, section chief at the FBI’s cyber division, most of these hackers are from Eastern Europe and have increasingly targeted businesses which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.

The attackers are slowly ramping up their ransomware to larger businesses with more significant ransoms. The payout across the last two years, according to news reports, was in the 45 – 50 million dollar ranges. Most companies that lack the technical human resources to deal with these issues pay up, especially if their industry requires real time reporting or lifesaving operations.

What do we do??!?

But Antifreke, how are we supposed to protect ourselves when these emails look so real?  Well, there are a few things you can do.

  1. The first is to look at the sender. If you don’t recognize them, don’t open the email. Period.
  2. If there is an XLS or PDF, save it to your desktop, right click and scan it. If it is flagged as malware, guess what. Don’t open it. Period. Delete it.
  3. If you do open it, and it asks you to run a Macro. Delete it.
  4. If you are lazy and didn’t do the first three, send it to your IT department, where someone there hopefully has a security hat they can throw on to tell you to Delete it.

 

Awareness and training are extremely important. So far in 2016, Ransomware has been reported in nearly every sector. Be on the lookout for more and more of these types of attacks. There is minimal sophistication in these emails. If it looks fake, delete it. If you don’t recognize anything in there, delete it. If you have a weird feeling, delete it.

Remember to be smart. There is no patch for human stupidity. Don’t be stupid and you won’t be the person responsible for your enterprise environment coming to a screeching halt.

Advertisements

Join the conversation! 2 Comments

  1. […] Now this isn’t the warhead on a missile, but it follows the same basic principle. The payload is delivered and detonated to grant access to a system. This can come in all different forms such as macro enabled documents, exes, pdfs, scripts, it can even be delivered from a website the list goes on and on. The payload can take the form of an exploit or it can inject shellcode to open up the backdoor. For more on how to avoid these head over to Antifreke’s post on Ransomware and Phishing. […]

    Like

    Reply
  2. […] Now this isn’t the warhead on a missile, but it follows the same basic principle. The payload is delivered and detonated to grant access to a system. This can come in all different forms such as macro enabled documents, exes, pdfs, scripts, it can even be delivered from a website the list goes on and on. The payload can take the form of an exploit or it can inject shellcode to open up the backdoor. For more on how to avoid these head over to Antifreke’s post on Ransomware and Phishing. […]

    Like

    Reply

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Antifreke

SOC Ninja, Security Researcher, threat intelligence and OSINT advocate. Tea Junkie. Follow me on Twitter @Antifreke

Latest Posts By Antifreke

Category

Information Security Profession, Security Research

Tags

, , , ,