Karmen ransomware makes it easy to launch attacks

A new malware do-it-yourself kit called Karmen is making it easy for wannabe cybercriminals to launch ransomware attacks.

Security researchers believe the recently discovered ransomware as a service (RaaS) offering was developed in part by a Russian-speaking ransomware author who goes by the alias DevBitox. For a price, Karmen can turn almost anyone into a cybercriminal in just a few clicks.

 

RaaS offerings like Karmen began popping up on the dark web in 2015 and ransomware developers have continued to make the kits more user-friendly over time.

Karmen is based on a well-known open source ransomware project called Hidden Tear. Using a web-based interface, aspiring cyber-extortionists can customize Karmen before distributing it to potential victims. The ransomware also comes with a dashboard that allows cybercriminals to track the number of machines infected and the total revenue accrued. The dashboard also notifies users when a new version of Karmen is available so they can continue distributing the latest ransomware.

Karmen automates many processes—including payment processing—so users can concentrate on distributing the ransomware. The creators of Karmen are currently charging $175 to would-be criminals who want to get into the ransomware game.

Some might assume that an inexpensive ransomware kit would be quickly picked up by antivirus software, but Karmen is a well-designed piece of malware. It’s packaged with a small loader and doesn’t take up much space. Karmen can detect if it is operating in a sandbox environment and can automatically delete portions of its code to prevent security researchers from analyzing it.  Karmen scrambles files with AES 256-bit encryption and operates with minimal connections to its command and control server.

The ease of use and low price point of Karmen lowers the barrier to entry to the ransomware market. This just the latest indication that ransomware attacks will continue to increase, requiring companies and consumers to be more vigilant than ever before.

To protect your data, it’s important to educate yourself and employees on healthy computing habits, such as how to detect phishing messages, how to properly handle data and what to do if anomalies in the computing environment are detected. Education combined with a host of technical controls such web traffic filtering, virus detection and firewall protection go a long way toward reducing the incidence of attacks.

But you need to be ready if a ransomware attack succeeds. That’s why business and individuals need an effective backup and recovery solution. Ransomware attacks your valuable data and demands payment, but you can reject such demands if your own backups are current, intact and easily accessible.

Once the backup system is installed, don’t wait for ransomware such as Karmen to put it to the test. Be sure to conduct data restore tests regularly. This will familiarize team members with the recovery process and ensure that your data will be restored as quickly as possible when disaster strikes.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

GDPR Compliance in the Cloud

With the upcoming onset of the GDPR, many companies are seeking to leverage their cloud services for GDPR compliance. The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’ includes outlines to make this process painless.  Companies want to ensure that those cloud services in use are compliant.  The GDPR places a higher burden on companies storing data on Europeans, and for many businesses, this data resides in the cloud.  Some important GDPR compliance considerations include building support for the consent requirement, rights to erasure and data portability, and 72-hour breach notification, among other GDPR requirements.

The good news is that cloud providers have not been standing still and they can be a valuable partner for a company’s compliance effort.  The decision to utilize the services of cloud providers was likely made not only for the features they provide but because cloud providers can often implement security controls and procedures that would be cost prohibitive for a company to do on its own.  Many cloud providers are actively considering how to comply with GDPR, and some have already adopted GDPR compliant practices.

Today, cloud services are not only present in organizations, they are often ubiquitous.  One study found that European companies are using over 600 cloud services on average and it is likely that U.S. companies use a similar number of cloud services.  So how do companies with such a large cloud presence comply with GDPR?

Assign compliance responsibility

The first step in the GDPR compliance effort is to identify which person or group will be responsible for ensuring compliance with GDPR.  This may be different groups depending on the organizational culture or the business use of personal information.

According to Karen Lawrence Öqvist, CEO at Privasee, the group responsible may include legal, compliance, or even IT.  IT is often the driver in companies where collecting data is not core to the business while legal often has responsibility when there is an emphasis on the collection of personal information.   No matter which person or group is chosen, someone must be accountable for bringing the company into compliance.

Identify cloud providers

The individual or group responsible for compliance must then determine which cloud providers are in use and what data is stored or processed on these cloud services.  It can be tempting to reduce the scope of the process only to those that house data on Europeans, but this might be a short-term perspective.  Companies must be careful not to limit their scalability and agility by staying on non-compliant systems because those systems may need to house such data in the future as the company evolves.

GDPR compliance can also be an opportunity to build a better relationship with customers.  According to Brendon Lynch, Chief Privacy Officer at Microsoft, the increased control and transparency mandated by the GDPR can be a way to build and maintain more trust with customers.  This is a benefit not only for European customers, but also those around the globe.

Once cloud providers have been identified, consider ways to consolidate services to reduce ease management and compliance with GDPR.  Take the time to identify redundancies and standardize those services across the enterprise with a single provider.  Tiered pricing models and bundling of services can reduce cost, but the primary driver for these changes is reduced complexity of data flows to and from cloud providers.  Do not limit this analysis to cloud providers only.  Consider also which activities are performed in-house and whether moving those operations to a GDPR compliant cloud provider would increase efficiencies or lower costs.

Gap analysis

Next, conduct a gap analysis of each cloud vendor.  Vendor management or compliance groups may send out questionnaires to assess whether cloud providers have the capability to meet GDPR requirements and, if not, whether they have a reasonable plan on how to implement these capabilities before the May 25, 2018, deadline.

Mainstream cloud vendors have been some of the most proactive in implementing methods to secure data in their cloud service offerings and to do so in a way that is compliant with the GDPR.  For example, in the recent Microsoft Office Modern Workplace episode, GDPR: What You Need to Know, the Office 365 prebuilt filters were demonstrated.  These filters are already in place for personal data types such as those used by European countries.  Administrators can use filters to define a policy that will automatically identify data in email, SharePoint, and other Office cloud services, and then take specific compliance actions.

Conduct privacy impact assessments

Privacy impact assessments should be performed on high-risk assets such as HR or financial data to ensure that this information is adequately protected with whichever cloud providers are storing or processing the data.  Privacy impact assessments analyze what personal information the company is collecting, why it is collected, and how it is stored, used, and protected.

Document and train on procedures

It is not enough for the cloud provider to have the capability to comply.  The company must be able to use these capabilities in their compliance strategy.  For example, the option to remove or transfer personal data may be possible on a cloud system, but the company must document how to utilize these features if needed.

Persons or departments in the company must then be trained on how to perform these actions so that they will be ready and able when customers make data requests.  Training alone is not sufficient to ensure that staff will meet the GDPR’s stringent 72 hour notification period.  Here, simulation can provide more reliable assurance that incident response activities can be performed in compliance with the GDPR.  Simulations should have incident response teams and cloud service providers work together to effectively investigating a data breach and gather information for notification.

Wrapping it up

Companies who wish to comply with the GDPR by the May 25, 2018 deadline are trying to understand where their data is, particularly that of Europeans, and how that data is handled.  Cloud providers can be a great partner in this effort and companies should embrace their cloud providers in the effort to become compliant.  Consider your cloud provider a core partner in your compliance rather than a liability and utilize what they have to offer in order to meet the GDPR requirements.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach including the number of victims impacted, and personal records disclosed, likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have a much more robust incident response and investigative procedures as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Mac Users Face Increased Ransomware Threats

Apple Inc. has a reputation for building secure devices, but don’t become too complacent because ransomware threats to Mac users are on the rise.

While ransomware attacks against Microsoft Windows-based computers and servers remain far more prevalent, security researchers have detected new Mac threats in recent years and expect to see new threats in the future. Here’s a quick look at three forms of ransomware that are known to target Mac users:

KeRanger disguises itself as a popular application
Imagine this: You go to download a copy of Transmission, the popular torrent download application, only to find that it infects your computer with ransomware. That’s what happened to more than 7,000 Mac users in 2016 after cybercriminals hacked into the Transmission website and implanted KeRanger—ransomware that targets Mac OS X—into the downloads. The downloads were stamped with the official Transmission developer certificate so Gatekeeper, the Mac function that validates applications, was easily fooled.

The ransomware was hidden inside a file called general.rtf and was designed to wait three days before encrypting user data. After encrypting files, the malicious software displayed a ransom note demanding one bitcoin. The ransomware installer has since been removed from Transmission’s website.

Think you’re fixing apps with Patcher? Think again
Patcher disguises itself as a patching tool for well-known apps like Adobe Premiere Pro and Microsoft Office. The ransomware, which has been downloaded via BitTorrent, is so poorly designed that even the malware’s creators are unable to supply decryption keys to victims who pay the ransom.

Patcher stores important files, documents, pictures and other media in an encrypted .zip file and deletes the original data. It then attempts to wipe the free space on the drive so that disk recovery tools will be ineffective. Patcher concludes by scattering copies of “README!.txt” in the victim’s document and picture folders. The README! file contains ransom payment instructions.

FindZip makes you hunt for decryption keys
Much like Patcher, FindZip ransomware attacks Mac users by copying important files into an encrypted .zip file and deleting the original data. FindZip, which is also known as Filecoder, has no decryption capabilities so victims who pay the ransom will not be able to recover their data. The good news is that you can discover the decryption keys by comparing an unencrypted file to an encrypted one. Avast has created a tool that automates the process of discovering the tools and decrypting files.

Protect your Mac from ransomware
Mac users are clearly not free from the threat of ransomware. While not at epidemic proportions, ransomware attacks against Macs have seen widespread success by breaking into systems that were assumed secure. Fortunately, users today have access to a variety of backup options. You can add an extra layer of protection to your Mac computer by stepping beyond the Apple ecosystem of TimeMachine nearline backups and iCloud synchronization and embracing a third-party cloud backup solution.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Smart printers require smart security: Exploring Xerox ConnectKey

For decades, the printer has been the intermediary between the digital and physical worlds.  Through it, our creations become tangible and yet; this intermediary has become so pervasive and such a mainstay of our technological world that it was assumed somewhat unchallengeable.  However, while the basic functions of printing, scanning, copying and faxing have stayed the same, the modern printer is a far different creature from the monoliths of the past or even the printers of last year.

Today’s printers exchange data with users not only on the local network but also across the cloud and through apps.  They are accessible from the browser to the tablet, and they perform complex tasks to empower end users.  Scanned documents can be stored or archived to a variety of destinations including the cloud.  Workflows that originate with the printer, such as data entry or data manipulation, are automated and performed by the printer, eliminating the need for multiple data flows between devices and simplifying the overall process.  The printer truly embodies the concept of a smart device.

These smart printers have become high-value targets for attackers looking for an inside device to compromise.  They have many connections to services and applications and can function as a conduit for data exfiltration.  They are equipped with much more processing power, memory, and networking capabilities, which can be used by attackers to scan networks for weaknesses and to launch attacks.  As such, printer security is an essential part of cybersecurity.  It must not and cannot be ignored!

The challenge for consumers and companies, therefore, is to find a printer that can both perform modern functions and withstand modern attacks.  I had the pleasure of speaking with engineers and developers at Xerox to discuss how security is implemented in their ConnectKey ecosystem, a framework that is implemented across both their VersaLink and AltaLink platforms.

The VersaLink and AltaLink products offer app-centric interfaces, and the devices are accessible via smartphones and tablets. Customers and channel partners can download applications from the app gallery.  Core security controls are there including user authentication, role based access control, logging and audit trails.  ConnectKey encrypts data at rest using AES-256 and grants administrators considerable latitude in establishing policies for how to control access to data and how data can be stored and transmitted to the device and to the systems integrated with ConnectKey.

One aspect I had been particularly interested in was whether ConnectKey could protect against rooting the device.  Since many users will have physical access to the device, it is imperative for ConnectKey to prevent unwanted firmware and software from running on it.  ConnectKey only runs software and firmware that is digitally signed and encrypted, and it performs a verification of its firmware each time it starts up.  The AltaLink printer also utilizes McAfee’s whitelisting technology to protect against unauthorized code and malware.

Overall, the impression I got was that Xerox takes security seriously.  We live in a data-centric world.  Data is the lifeblood of our companies and must be secured.  The devices that interact with, store, and retrieve data must offer reliable security comparable with that of other enterprise computing systems.  Consider whether the print devices on your network are providing the security needed to protect against today’s threats.

This article was written thanks to the insight and support of Xerox, a technology leader that innovates the way the world communicates, connects and works. As always, the thoughts and opinions expressed here are my own and do not necessarily represent Xerox’s positions or strategies.

Ransomware extortionists not as trustworthy as they’d have you believe

There are a variety of different ransomware variants that encrypt your data with no intention of ever decrypting it. There are also ransomware distributors who are happy to collect ransom payments but have no interest in returning anyone’s data.

Innocent victims often fall prey to ransomware hoaxes or find problems with ransomware decryptors. They all end up in the same place they started, without their valuable data.

Some of the groups behind the most prevalent ransomware viruses are working to build up confidence that victims will receive their data if they simply pay the ransom, but victims have learned the hard way that paying the ransom comes with no guarantee.

Purely destructive ransomware
There have been a number of ransomware viruses that infect systems only to delete victims’ files and then demand a ransom payment. One version—dubbed Ranscam because it is a ransomware scam—does exactly this. Similarly, AnonPop also pretends to be ransomware, deleting victim files rather than encrypting them.

The good news is that both Ranscam and AnonPop do not wipe the data from the disk. Wiping writes over data multiple times so that it cannot be recovered. That means if your files are deleted by Ranscam and Anonpop, you may be able to get them back using a file recovery program. Victims of Anonpop can also use their “system restore” feature to restore files and settings.

Ransomware hoaxes
Citrix did a study of 200 UK companies who had received fake ransom demands and found that 63% of them still paid the ransom. Why? Because they were unsure whether the demand was real or fake. Victims sometimes received demands for ransom in email, through browser popups, or in messages on their mobile devices.

Sometimes victims are unable to obtain decryption keys because ransomware authors stop supporting a particular version of a ransomware virus. But this doesn’t stop them from spreading those versions around and demanding ransom, even though there is no way to recover the data.

In some cases, new versions of ransomware are released because anti-malware researchers have released decryptors for a previous version. However, in other cases, ransomware authors upgrade their software proactively before a flaw has been discovered. For example, the creators of JIGSAW made updates to their code that changed encryption packages, but versions in the wild still contained the old code and could not be decrypted.

Occasionally, there are bugs in ransomware code that prevent extortionists from generating decryption keys. CryptXXX came out with a new version, but bugs in the payment system prevented it from sending decryption keys to victims who paid. Those who were infected were able to pay the ransom, but the decryption capability no longer existed or was unavailable.

Cybercrime power struggles
Some victims of ransomware have started communicating with an extortionist or even paid a ransom demand and then found that the extortionist was apprehended by law enforcement. Law enforcement forensically preserves data and evidence for court and shuts down services, but victims are left without decryption keys, so their machines wipe data or remain encrypted. At some point it is possible that they will receive their money back, but not their data.

Other extortionists have been taken down by a rival cybercrime groups or hackers in the midst of their negotiations with victims, and in some cases, victims have already paid the ransom or some portion of it. Unfortunately for these victims, their transactions were lost in the limbo of cybercrime power struggles, and they may not end up getting their data back.

The big cybercrime groups behind some of the major ransomware variants out there try to establish some level of integrity with their victims so that they will pay the ransom. But there are plenty of others who show that trusting a criminal is a gamble at best.

Don’t gamble with your data. Paying ransoms is not an effective way to recover data. Ensure that you have a robust backup and recovery strategy in place and you’ll never have to pay the ransom.

 For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware Recovery: How to meet realistic Recovery Time Objectives (RTOs)

When it comes to ransomware attacks, those who lose valuable data and have no viable backup tend to pay the ransom, while those with backups simply restore their data. However, neither group walks away unscathed because they both suffer downtime.

Downtime is the period when systems are unavailable for use, and it can cost small and midsize businesses thousands of dollars or worse—it could put them out of business. An Imperva survey of RSA 2017 attendees found that downtime costs companies more than $5,000 in 56% of cases and more than $20,000 in 27% of cases. Depending on the size of your company, this could be the cost of doing business, or it could be a catastrophe.

Establishing  Recovery Time Objectives (RTOs)
Companies should take the time to identify the maximum amount of downtime that is acceptable under various disaster scenarios. It’s a good idea to get started on this right away because this information will help determine what type of backup systems you need to have in place.

For example, business leaders may decide, after analyzing the data, that email should be restored within 10 minutes, domain services within 30 minutes, customer facing websites within 30 minutes and the Enterprise Resource Planning (ERP) system within 45 minutes. These values constitute applications’ Recovery Time Objectives (RTOs). Business leaders may also decide that email can be down for a maximum of one hour, domain services for two hours, customer facing websites for four hours and the ERP system eight hours before losses due to the downtime are intolerable. Each of these values constitutes a Maximum Tolerable Period of Disruption (MTPOD).

In most circumstances, systems would need to be restored in accordance with the RTOs and, in extraordinary circumstances, systems would be restored within the MTPOD.

Based on the RTO and MTPOD, IT and other groups put redundancy, business continuity, and backup and recovery strategies in place to meet these objectives. This may involve a hybrid recovery strategy with cloud and on-site backups. Companies might also decide to use cloud replication with virtualization to resume services at another site if the primary site fails. Backup and recovery systems are crucial in bringing systems online after disasters like ransomware strike.

Actual vs. estimates
I have found that initial estimates for recovery objectives are often in need of revision following the first incident. Trend Micro estimates that the average ransomware recovery takes 33 hours. This is far higher than most organizational estimates prior to a ransomware infection. That’s likely because organizations don’t always factor in the initial steps of incident response when determining their RTOs. In the example above, recovery controls alone might be able to meet the domain services MTPOD of two hours, but it takes first responders 30 minutes to validate the incident and identify the extent of the incident scope, which results in the organization exceeding the MTPOD by 30 minutes.

In other cases, organizations have been surprised by the scope of ransomware infections. Trend Micro found that 47% of ransomware spreads to 20 or more people. Furthermore, ransomware is efficient at targeting sources of information in organizations. Without this critical information, large groups of employees are unable to do their jobs.

It’s also important to remember that recovery plans need to be kept up to date. Organizations relying on outdated plans may have unclear expectations as to when steps in the plan will be complete and as a result, they will be unable to meet recovery objectives.

Action items
Establish RTO and MTPOD for systems based on their availability need. Next, put controls in place to meet these recovery metrics. If you have not experienced ransomware before, consult with those who have to determine if controls are adequate. Backup and recovery controls are the most crucial elements and must be designed appropriately. That means ensuring that recovery is available to the required locations at appropriate speeds to meet objectives.

Recovery metrics should be reevaluated annually to ensure that changes in business availability needs are reflected in the established metrics. Controls should go through a similar process of evaluation against recovery metrics to ensure that controls can adequately meet recovery metrics for potential threats.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.