
Critical Infrastructure News

How is Ransomware Really Spread?

When you are discussing something you can’t actually see, such as ransomware, it is hard to understand where it comes from. It’s easier to believe it simply appeared on your network or computer than to accept that something you did caused it to appear. We regularly hear about malware attacks, especially when they hit large corporations, but there is rarely any focus on what the end user did to let the attack happen in the first place.

There are several false pretexts under which ransomware files are pushed at you via the Internet, such as a fake antivirus pop-up ad or a dialog box prompting you to install a driver file. These tricks have been around for a while, but many, many users still fall for them. If you click on one of these malicious pop-ups, a ransomware program is installed that encrypts the data on your computer and displays a message demanding a ransom payment to the perpetrators to have your data decrypted. In most cases, payment is demanded in bitcoin, so that neither the money nor the person receiving it can be tracked.

The most common way ransomware is spread is through email-based attacks; an estimated almost 60 percent of ransomware spreads via email. These emails carry infected files, typically as attachments, and are worded to encourage the user to download and execute the file. Often they appear to come from someone you know, but on closer inspection something is slightly off in the sender address. They may also appear to come from a known company, pose as a software download, or use an image that draws your eye. The perpetrators routinely use social engineering tactics: the message, salutations, sender address, and tone are carefully contextualized to inspire trust in the recipient and lead to the desired action (typically double-clicking on that cursed .exe file).

Another way ransomware spreads is through malvertising, where the ransomware is hidden in an advertisement on a legitimate site. The perpetrator buys advertising space and entices users to click on the ad with a great deal or an interesting story, but once the user clicks, they have infected their machine and server. Clicking on a malvertisement also reveals information about the user’s operating system, software versions, browser plugin status, and other details vital to protecting one’s identity. In 2017, Google alone removed 1.7 billion suspicious ads. Scary, huh?
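The two email red flags described above, a sender address that is "slightly off" from a known contact and an executable attachment, can be checked mechanically at the mail gateway or in a triage script. The following is an added example written for this page, not code from the original article; the contact list, the risky-extension list, the similarity threshold and the two sample messages are all constructed assumptions for illustration.

```python
"""
Added example (not part of the original article): a small inbound-email
triage check that flags (1) a sender address resembling a known contact
and (2) attachments with executable extensions. The contact list,
extension list, threshold and sample messages are constructed for
illustration only.
"""
import difflib
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumption: the organisation keeps an allow-list of trusted correspondents.
KNOWN_CONTACTS = {"alice@example.com", "bob@example-corp.com"}

# Attachment types that commonly carry ransomware droppers (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta"}

# Similarity above which an unknown address is treated as a lookalike of a
# known contact (assumed threshold; tune for your own address book).
LOOKALIKE_THRESHOLD = 0.85


def lookalike_of(sender: str) -> Optional[str]:
    """Return the known contact that `sender` most closely imitates, or None."""
    sender = sender.lower()
    if sender in KNOWN_CONTACTS:
        return None  # exact match with a trusted address: nothing to flag
    best, best_ratio = None, 0.0
    for known in KNOWN_CONTACTS:
        ratio = difflib.SequenceMatcher(None, sender, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def risky_attachments(msg: Message) -> List[str]:
    """Collect attachment filenames whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(filename)
    return names


def triage(raw: str) -> Dict[str, object]:
    """Parse a raw RFC 822 message and report the red flags found."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    findings = []
    imitated = lookalike_of(sender)
    if imitated:
        findings.append(f"sender {sender} resembles known contact {imitated}")
    for name in risky_attachments(msg):
        findings.append(f"executable attachment {name}")
    return {"sender": sender, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: lookalike sender (digit 1 for letter l) plus a
# double-extension executable attachment.
CONSTRUCTED_PHISH = """\
From: Alice <alice@examp1e.com>
To: you@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

# Constructed sample: genuine contact, ordinary PDF attachment.
CONSTRUCTED_BENIGN = """\
From: Alice <alice@example.com>
To: you@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi, invoice attached as discussed.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", CONSTRUCTED_PHISH), ("benign", CONSTRUCTED_BENIGN)):
        print(label, triage(raw))
```

The similarity check deliberately compares the whole address rather than only the domain, so a registered lookalike domain and a swapped local part are both caught; in production the allow-list would come from the address book and the threshold would be tuned against real mail volume to keep false positives down.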


US Charges Three Members of Elite Chinese Cyber-Espionage Unit

US authorities have acted on one of the worst-kept secrets in cyber-security and have filed official charges against three Chinese hackers who are part of one of China's elite cyber-espionage units.

According to an indictment unsealed today by the Department of Justice (DOJ), officials have charged the three hackers with hacking three companies (Moody’s Analytics, Siemens, and Trimble) between 2011 and May 2017.

More precisely, the DOJ charged Wu Yingzhuo with hacking Trimble, Dong Hao with hacking Siemens, and Xia Lei with hacking Moody's Analytics.

The three suspects work for cyber-security firm Boyusec

The three suspects work for Chinese cyber-security firm "Guangzhou Bo Yu Information Technology Company Limited," also known under its short name of Boyusec. Both Wu and Dong are founding members and shareholders, while Xia is just an employee.

Several reports published in May 2017 fingered Boyusec as notorious cyber-espionage unit APT3, one of the Chinese government's most proficient hacking units.

APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010 and has been tied to the theft of intellectual property from private businesses, but also to cyber-espionage with substantial political implications. Past reports have tied the group to hacks all over the world, but most often in Hong Kong and the US.

Boyusec identified as APT3 six months ago

Blog posts published by Intrusion Truth linked Wu and Dong to domain names used in the server infrastructure from where many APT3 attacks originated.

Another report claimed Boyusec was a government contractor that reported to the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), which is a local branch of the China Information Technology Evaluation Center (CNITSEC), an organization run by the Chinese Ministry of State Security (MSS).

Fake Black Friday apps look to steal consumer details

As many as one in 25 Black Friday apps could be fakes looking to steal logins and credit card information, according to a new report.

Digital threat management company RiskIQ has used internet reconnaissance and analytics to identify digital threats against the top five eCommerce brands during the Black Friday shopping season.

It finds that more than 32,000 malicious mobile apps are using the branding of the top-five online retailers. These apps seek to trick shoppers into entering credit card information, giving up Facebook and Gmail credentials, or downloading malware that steals personal information or locks devices until ransoms are paid.

Malicious apps represent four percent (one in 25) of the 4,356 Black Friday-themed apps available in app stores. Each of the top five brands has at least 15 malicious apps that use its name and branding alongside the term 'Black Friday.'

The top-five retail brands leading in eCommerce also have a combined total of more than 1,451 blacklisted URLs that contain their branded terms as well as 'Black Friday' and are linked to spam, malware, or phishing.

With consumer spending over the Black Friday weekend expected to be up by 47 percent compared to last year, this is clearly an attractive target for cybercriminals. To protect yourself, RiskIQ recommends downloading only from official app stores and being wary of apps that ask for many permissions, such as access to contacts and text messages.

You can read more about the findings and find more tips for staying safe in the full report available from the RiskIQ site.


Tennessee city still not recovered from ransomware attack

The City of Spring Hill, Tenn. is still suffering from the effects of a ransomware attack that struck the municipality in early November; government officials refused to pay the $250,000 ransom demanded by the cybercriminals.

The attack has essentially stopped the city from conducting many of its usual functions while its IT department attempts to rebuild the database from backed-up files. The attack has locked city workers out of their email accounts, and residents are unable to make online payments, use payment cards to pay utility bills and court fines, or conduct any other business transaction. Instead, the city is asking that payments be made by check and then either dropped off or mailed.

One after-effect is that people are now forced to line up outside city hall to take care of their business. More seriously, the attack has also forced emergency dispatchers to log 911 calls by hand on a whiteboard, according to WKRN, and has shut down all mobile data terminals in the city's police cars. City officials told WKRN that all emergency services are still being provided.

The 911 and city email systems were first in line to be restored starting this week. No information is believed to have been removed from the city's server by the attackers.


Cybercrimes present unique challenges for investigators

The federal investigators looking into the breach that exposed personal information maintained by the Equifax credit report company are used to dealing with high-profile hacks and the challenges they present.

The U.S. attorney’s office and FBI in Atlanta have prosecuted developers and promoters of the SpyEye and Citadel malware toolkits, used to infect computers and steal banking information. They’ve helped prosecute a hack into Scottrade and ETrade that was part of an identity theft scheme, and aided the international effort that in July shut down AlphaBay, the world’s largest online criminal marketplace.

The U.S. Attorney’s office has confirmed that, along with the FBI, it is investigating the breach at Atlanta-based Equifax, which the company said lasted from mid-May to July and exposed the data of 145 million Americans. Neither agency would discuss Equifax, but the leaders of their cybercrime teams shared insights about the difficulties of cybercrime cases.

“They are challenging, and the success stories are rare,” said prosecutor Steven Grimberg, who leads the Atlanta U.S. attorney’s office cybercrime unit, created last year to fight the growing threat. For every conviction there may be 10 times as many that don’t end successfully, he said.

Atlanta has become a hub for cybercrime prosecution in large part because of a proactive and aggressive local FBI team, and because U.S. attorneys have committed the necessary resources in recent years, Grimberg said.

Who’s behind the keyboard?

Identifying who’s responsible is a key difficulty: Cybercriminals use aliases and operate on the dark web, in corners of the internet reached using special software, where access is invite-only.

Investigators have infiltrated some of these online forums and can sometimes engage cybercriminals there, said FBI Supervisory Special Agent Chad Hunt, who oversees one of FBI Atlanta’s cyber investigation squads. Once they obtain some information, they can use search warrants to get other data, such as business records or credit card transactions, to match the online alias to a real person.

Even extremely sophisticated cybercriminals sometimes slip up or collaborate with someone who’s less careful, Hunt said.

“If we’re looking at somebody for a while, eventually they’ll make a mistake,” he said. “So even if they are using high-quality encryption, eventually they’ll do something stupid.”

Uncooperative foreign governments

Even when a cybercriminal’s identity is pinpointed, arrests can take time. Many operate in countries that won’t extradite to the U.S. But the FBI continues monitoring these suspects and can catch them if they travel, said Assistant Special Agent in Charge Ricardo Grave de Peralta, who oversees the Atlanta office’s cyber investigation squads.

“A lot of these people are in places that aren’t so great and they like to go on vacation, and we’re happy to meet them in a third location and perhaps bring them to a second vacation here in the United States, all expenses paid,” he said with a smile.

Even with friendly foreign governments, extraditions can take time: Often, the merits of a case are essentially litigated in the process, so that authorities in the other country are satisfied the incriminating evidence is solid, Grimberg said.