Karmen ransomware makes it easy to launch attacks

A new malware do-it-yourself kit called Karmen is making it easy for wannabe cybercriminals to launch ransomware attacks.

Security researchers believe the recently discovered ransomware as a service (RaaS) offering was developed in part by a Russian-speaking ransomware author who goes by the alias DevBitox. For a price, Karmen can turn almost anyone into a cybercriminal in just a few clicks.

 

RaaS offerings like Karmen began popping up on the dark web in 2015 and ransomware developers have continued to make the kits more user-friendly over time.

Karmen is based on a well-known open source ransomware project called Hidden Tear. Using a web-based interface, aspiring cyber-extortionists can customize Karmen before distributing it to potential victims. The ransomware also comes with a dashboard that allows cybercriminals to track the number of machines infected and the total revenue accrued. The dashboard also notifies users when a new version of Karmen is available so they can continue distributing the latest ransomware.

Karmen automates many processes—including payment processing—so users can concentrate on distributing the ransomware. The creators of Karmen are currently charging $175 to would-be criminals who want to get into the ransomware game.

Some might assume that an inexpensive ransomware kit would be quickly picked up by antivirus software, but Karmen is a well-designed piece of malware. It’s packaged with a small loader and doesn’t take up much space. Karmen can detect if it is operating in a sandbox environment and can automatically delete portions of its code to prevent security researchers from analyzing it.  Karmen scrambles files with AES 256-bit encryption and operates with minimal connections to its command and control server.

The ease of use and low price point of Karmen lowers the barrier to entry to the ransomware market. This just the latest indication that ransomware attacks will continue to increase, requiring companies and consumers to be more vigilant than ever before.

To protect your data, it’s important to educate yourself and employees on healthy computing habits, such as how to detect phishing messages, how to properly handle data and what to do if anomalies in the computing environment are detected. Education combined with a host of technical controls such web traffic filtering, virus detection and firewall protection go a long way toward reducing the incidence of attacks.

But you need to be ready if a ransomware attack succeeds. That’s why business and individuals need an effective backup and recovery solution. Ransomware attacks your valuable data and demands payment, but you can reject such demands if your own backups are current, intact and easily accessible.

Once the backup system is installed, don’t wait for ransomware such as Karmen to put it to the test. Be sure to conduct data restore tests regularly. This will familiarize team members with the recovery process and ensure that your data will be restored as quickly as possible when disaster strikes.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach including the number of victims impacted, and personal records disclosed, likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have a much more robust incident response and investigative procedures as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Smart printers require smart security: Exploring Xerox ConnectKey

For decades, the printer has been the intermediary between the digital and physical worlds.  Through it, our creations become tangible and yet; this intermediary has become so pervasive and such a mainstay of our technological world that it was assumed somewhat unchallengeable.  However, while the basic functions of printing, scanning, copying and faxing have stayed the same, the modern printer is a far different creature from the monoliths of the past or even the printers of last year.

Today’s printers exchange data with users not only on the local network but also across the cloud and through apps.  They are accessible from the browser to the tablet, and they perform complex tasks to empower end users.  Scanned documents can be stored or archived to a variety of destinations including the cloud.  Workflows that originate with the printer, such as data entry or data manipulation, are automated and performed by the printer, eliminating the need for multiple data flows between devices and simplifying the overall process.  The printer truly embodies the concept of a smart device.

These smart printers have become high-value targets for attackers looking for an inside device to compromise.  They have many connections to services and applications and can function as a conduit for data exfiltration.  They are equipped with much more processing power, memory, and networking capabilities, which can be used by attackers to scan networks for weaknesses and to launch attacks.  As such, printer security is an essential part of cybersecurity.  It must not and cannot be ignored!

The challenge for consumers and companies, therefore, is to find a printer that can both perform modern functions and withstand modern attacks.  I had the pleasure of speaking with engineers and developers at Xerox to discuss how security is implemented in their ConnectKey ecosystem, a framework that is implemented across both their VersaLink and AltaLink platforms.

The VersaLink and AltaLink products offer app-centric interfaces, and the devices are accessible via smartphones and tablets. Customers and channel partners can download applications from the app gallery.  Core security controls are there including user authentication, role based access control, logging and audit trails.  ConnectKey encrypts data at rest using AES-256 and grants administrators considerable latitude in establishing policies for how to control access to data and how data can be stored and transmitted to the device and to the systems integrated with ConnectKey.

One aspect I had been particularly interested in was whether ConnectKey could protect against rooting the device.  Since many users will have physical access to the device, it is imperative for ConnectKey to prevent unwanted firmware and software from running on it.  ConnectKey only runs software and firmware that is digitally signed and encrypted, and it performs a verification of its firmware each time it starts up.  The AltaLink printer also utilizes McAfee’s whitelisting technology to protect against unauthorized code and malware.

Overall, the impression I got was that Xerox takes security seriously.  We live in a data-centric world.  Data is the lifeblood of our companies and must be secured.  The devices that interact with, store, and retrieve data must offer reliable security comparable with that of other enterprise computing systems.  Consider whether the print devices on your network are providing the security needed to protect against today’s threats.

This article was written thanks to the insight and support of Xerox, a technology leader that innovates the way the world communicates, connects and works. As always, the thoughts and opinions expressed here are my own and do not necessarily represent Xerox’s positions or strategies.

Ransomware extortionists not as trustworthy as they’d have you believe

There are a variety of different ransomware variants that encrypt your data with no intention of ever decrypting it. There are also ransomware distributors who are happy to collect ransom payments but have no interest in returning anyone’s data.

Innocent victims often fall prey to ransomware hoaxes or find problems with ransomware decryptors. They all end up in the same place they started, without their valuable data.

Some of the groups behind the most prevalent ransomware viruses are working to build up confidence that victims will receive their data if they simply pay the ransom, but victims have learned the hard way that paying the ransom comes with no guarantee.

Purely destructive ransomware
There have been a number of ransomware viruses that infect systems only to delete victims’ files and then demand a ransom payment. One version—dubbed Ranscam because it is a ransomware scam—does exactly this. Similarly, AnonPop also pretends to be ransomware, deleting victim files rather than encrypting them.

The good news is that both Ranscam and AnonPop do not wipe the data from the disk. Wiping writes over data multiple times so that it cannot be recovered. That means if your files are deleted by Ranscam and Anonpop, you may be able to get them back using a file recovery program. Victims of Anonpop can also use their “system restore” feature to restore files and settings.

Ransomware hoaxes
Citrix did a study of 200 UK companies who had received fake ransom demands and found that 63% of them still paid the ransom. Why? Because they were unsure whether the demand was real or fake. Victims sometimes received demands for ransom in email, through browser popups, or in messages on their mobile devices.

Sometimes victims are unable to obtain decryption keys because ransomware authors stop supporting a particular version of a ransomware virus. But this doesn’t stop them from spreading those versions around and demanding ransom, even though there is no way to recover the data.

In some cases, new versions of ransomware are released because anti-malware researchers have released decryptors for a previous version. However, in other cases, ransomware authors upgrade their software proactively before a flaw has been discovered. For example, the creators of JIGSAW made updates to their code that changed encryption packages, but versions in the wild still contained the old code and could not be decrypted.

Occasionally, there are bugs in ransomware code that prevent extortionists from generating decryption keys. CryptXXX came out with a new version, but bugs in the payment system prevented it from sending decryption keys to victims who paid. Those who were infected were able to pay the ransom, but the decryption capability no longer existed or was unavailable.

Cybercrime power struggles
Some victims of ransomware have started communicating with an extortionist or even paid a ransom demand and then found that the extortionist was apprehended by law enforcement. Law enforcement forensically preserves data and evidence for court and shuts down services, but victims are left without decryption keys, so their machines wipe data or remain encrypted. At some point it is possible that they will receive their money back, but not their data.

Other extortionists have been taken down by a rival cybercrime groups or hackers in the midst of their negotiations with victims, and in some cases, victims have already paid the ransom or some portion of it. Unfortunately for these victims, their transactions were lost in the limbo of cybercrime power struggles, and they may not end up getting their data back.

The big cybercrime groups behind some of the major ransomware variants out there try to establish some level of integrity with their victims so that they will pay the ransom. But there are plenty of others who show that trusting a criminal is a gamble at best.

Don’t gamble with your data. Paying ransoms is not an effective way to recover data. Ensure that you have a robust backup and recovery strategy in place and you’ll never have to pay the ransom.

 For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Cybersecurity career landscape and industry trends

I recently did an interview with Karen Marcus for Careers in Cybersecurity on education, career development, and career success.  The transcript is provided below and is divided into a section for those just starting out in cybersecurity, those mid-career and those late into their career.  Enjoy the read and please let me know your thoughts in your comments.

For someone just starting out in cybersecurity:

What degrees should they pursue? Any advice for landing that first job?

There are a variety of degrees from associates to Ph.D. that concentrate on security in some way such as Information Assurance, Cybersecurity, or Information Security.  Some may also decide to pursue a similar degree such as IT or Computer Forensics with an emphasis on information security.  However, if you do not have a degree in one of those fields, don’t despair.  Cybersecurity touches on many aspects of the organization, and your individual discipline and experience can give you insight into that part of cybersecurity.  For example, those in HR would relate to employee training, onboarding and termination procedures, employee screening and background checks, and employee compliance requirements while a person from an accounting background could understand the SOC/SSAE accreditation process, ROI, the financial impact of implementing new systems.  If you fall into this category, consider training to educate you on compliance, security controls, and risks so that you can adapt your own business understanding to cybersecurity.

What three things should they focus on in their first job to support advancement later on?

This is a hard one as each job will be different and there may be different methods used for advancement.  However, generally, a person in cybersecurity should demonstrate that they are a continual learner by striving to stay ahead of the technology curve and never stop reading.  Second, focus on your communication skills.  Communication skills are essential at any level, but they are increasingly valuable the farther up the ladder you move.  Lastly, be adaptable.  Cybersecurity is an ever-changing industry, and you will need to be able to change with it.

What pitfalls should they watch out for?

Don’t peg your life to some arbitrary set of career objectives.  Your career is as unique as you are and you should be the one to determine where you want to go.  Next, be successful from start to finish.   Success is not something that is achieved finally at the end of a career by seeing if you met some life goal or accomplishment.  Rather, it is being satisfied with the position you have, the value you bring to your company, and the impact you have on those around you.  Satisfaction is not complacency.  Goals are excellent, and you should set exciting stretch goals for yourself, but understand that each goal would not be accomplished if not for the successes of the moment.  Recognize those successes and take the time to cherish and celebrate them.

 

Middle Career (those who have been working in cybersecurity for a few years but haven’t progressed to a senior or executive level):

Do you recommend pursuing a Master’s degree?

A Master’s degree is an excellent choice for those who have established themselves in the industry and want to move forward.  I do not recommend it for those who have not yet entered the industry yet as it will price them out of entry-level jobs by being overqualified and yet they will be underqualified for other jobs.  A Master’s degree can be an excellent way to augment a degree that was not in cybersecurity such as those with a CIS, Computer Science, or Business degree.  Those are likely the people who will see the most value from a Master’s degree.  Some employers will want a Master’s degree in order to progress up the ladder and so this may be a requirement.

What skill gaps may a person in this position need to fill? How can they get appropriate training and/or mentoring to address them?

A mentoring relationship is an excellent suggestion, but I wouldn’t wait till you are in you middle career to do it.  I found a mentor shortly after starting in the industry and have mentored those who haven’t even entered the industry yet.  There is hardly ever a time when the experience of someone who has gone before you cannot be put to good use.

Your employer may have training options for you on specific skills.  The type of training should be based on your own learning style.  Some can learn easily from reading books, while others learn best from webinars or from online training.  Still, others require instructor-led training.  Each has its advantages and disadvantages regarding ease and cost.

Each person needs to take responsibility for his or her own training and keep learning each day.  This includes reading articles and other materials regularly to keep abreast of changes in the industry.  Consider following a cybersecurity expert on Twitter and read what he or she posts.  You can also subscribe to RSS feeds from cybersecurity sections of major publications or for cybersecurity blogs.  You would be surprised at how much you can learn just by reading a little bit each day.

Are there other obstacles that may have nothing to do with the person (e.g. company politics or being in a particular sector)? If so, how can they be overcome?

Company culture can be a catalyst or an inhibitor for success.  Ensure that you are well suited for the company culture.  Many have found themselves in a culture that is counter to their own, and their career progression was difficult like swimming against the current.  Let the culture current take you where you want to go rather than fighting it.  You will have a much more satisfying life if you do.

Late Career (those who have been working in cybersecurity for many years and have seen substantial success, perhaps progressing to executive and C-suite levels):

What is the next level for professionals in this position, and what can they do to get there?

Executives are the big fish in a company, and the way to move up is to find a larger pond or to grow their own pond.  That often means finding a larger company or one that is growing at a faster pace.  However, the real focus should be on what your goal is.  You may be perfectly satisfied with your current position.  If you make enough money and enjoy the position, there may not be a need to increase stress by changing jobs, learning a new routine, establishing new relationships, and proving yourself all over again.  Consider the cost of changing new jobs when evaluating the potential benefits.

What advice do you have for diversifying skills or fine-tuning specialties?

There comes a time in everyone’s life when they realize that change has finally made part of their skill set irrelevant.  In the cases, it is important to recognize this and not fight it.  Next, seek out complimentary skills that build on the knowledge and experience you have already and then seek those out.  Add breadth to your skill set by extending outward in your retraining rather than seeking out greatly differentiated skill sets.  Retraining with this method will make it much easier for you to adopt those skills and to thrive.

Is there a common post-retirement path or pattern?

I am a strong proponent of mentoring others.  I think the process should begin long before retirement and extend into retirement.  Mentoring gives the mentor a connection back to a previous generation and into the workforce after they have left it and it is a great benefit to those they mentor.  Seek out no more than three people to mentor and establish a real relationship with them, asking them questions about their goals and strategies and sharing your understanding and the things you have learned along the way.

Retirees can also participate in professional groups.  Those who spent a lifetime learning likely won’t want to stop, and this can be an excellent way to keep up with what is happening in the industry.

Spora ransomware could become a major player

Spora is a relatively new ransomware, but there are signs which indicate that it could become a major player in the underground ransomware market, according to various reports.

There are currently hundreds of ransomware variants being used by cybercriminals, but only a handful are backed by major criminal syndicates that have the funding to write robust malicious code and the infrastructure to support global extortion efforts. These groups are behind some of the biggest names in ransomware like Locky, CryptoLocker and TeslaCrypt. Spora is not there yet, but it’s certainly on its way.

A strong build
The first thing that sets Spora apart from a large number of homegrown ransomware variants is its encryption capabilities. Spora utilizes offline encryption to avoid detection and is capable of performing the encryption using a unique key set without communicating with a command and control server. This is not a brand new technique. It’s been used successfully in the past by both Cerber and Locky. Spora differs in that it encrypts each file with a distinct key, then file keys are encrypted with an AES key unique to the victim.

Second, Spora has a very well designed website with a professional look and feel. It has an easy to use interface consisting of a clean dashboard with colorful icons, tool tips and a live support chat that delivers quick responses to inquiries, according to security researchers.

One very interesting feature of Spora is that it offers victims a menu of options for retrieving some or all of their files as well as protection services. They allow users to decrypt two files free as an act of good faith and to demonstrate their ability to decrypt the data. Other options include decrypting several files for $30, removing the ransomware for $20, protecting against further infections of Spora for $50, and a full restore for $120. However, it should be noted that these prices may change. Spora uses identifying information provided by victims when they connect to the payment website to dynamically generate prices. The cybercriminal behind Spore likely charge more for businesses or for those in different regions. Even with its dynamic prices, Spora is priced much lower than other ransomware, a strategy that was likely designed to build up their reputation.

Spora’s weaknesses
Despite these strengths, Spora has some significant weaknesses. The ransomware does not yet have a way to bypass the UAC, a feature in Microsoft Windows that prevents programs from running with escalated privileges. A UAC warning message appears when Spora executes and victims must allow the program to run. Spora also launches a command prompt to delete volume shadow copies and the command prompt is displayed on the screen for the victim to see.

At the moment, Spora is limited to Russian-speaking countries. The attackers behind this ransomware appear to be organized and professional so it is likely that the next version of Spora will address its current deficiencies and target a much larger audience. Prepare yourself by backing up your data and by validating that your backups can be restored.

Continue reading

How to create a BYOD policy that keeps your business data secure

Bring your own device (BYOD) policies are commonplace in many organizations today. Employees bring in their personal cell phones, laptops, tablets and other mobile devices and use them to content to corporate networks. Additionally, employees regularly use personal computers and other devices not owned by the organization to work at home or on the road.

Unfortunately, BYOD can be risky for organizations that do not implement adequate security controls.  Personal devices that aren’t properly managed by the company often have inconsistent security controls implemented on them. For example, one device may lock out after three minutes of idle activity and require a complex password, while another may not even require a password to log on. However, both devices may be used to access sensitive or critical business data. For organizations that lack strong and consistent security controls, BYOD can easily turn into a security nightmare. Here’s a quick list of steps you can take to create a BYOD policy that will protect your business data:

  1. Establishing a policy that governs how BYOD devices can connect to and use organizational systems, how they should be backed up, and which security settings should be in place.
  2. Configure devices to connect to network resources over a transparent virtual private network.
  3. Gain greater control over mobile devices with a Mobile Device Management (MDM) solution. MDM solutions allow for more consistent security settings to be applied to devices. For example, applications can be whitelisted or blacklisted, BYOD devices can be geofenced, and jailbroken phones can be banned from connecting to networks or data stores.

BYOD and the ransomware threat
A large percentage of BYOD devices are mobile phones or tablets that are susceptible to some forms of ransomware. Mobile ransomware viruses often masquerade as enticing applications such as POGO Tear, which pretends to be a Pokemon Go application; Android defender, a bogus antivirus app; Charger, a fake battery management app; Lockdroid, a counterfeit Google Android update package; and Lockscreen, a deceptive Android lock screen app. Some mobile devices have been found to have malware pre-installed on them. The owners of those devices did not need to download a fake app. They were infected the moment they powered up the new device.

The good news is that mobile data is often easy to restore if appropriate backups have been taken of the phone or tablet. The bad news is that an infection may not be limited to your device. Worms may propagate through mobile email clients to your contacts. Additionally, some malware may infect a mobile device and then be transmitted to a computer when the device is connected for charging or data exchange.

Protect yourself by keeping your mobile operating systems and apps up to date. Consider a mobile firewall, mobile antivirus solution, and make sure you back up your device. Other BYOD devices such as laptops should be equipped with endpoint protection software, secure and up-to-date operating systems, and they should be backed up regularly.

Continue reading