A new and very dangerous ransomware threat called Spora has been discovered.
Locky and Samas ransomware have certainly been major headaches for IT departments. Both forms of ransomware have a host of smart features designed to prevent detection, spread infections, and inflict the most damage possible, leaving companies with little option but to pay the ransom demand.
However, there is now a new ransomware threat to address, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only seem to be targeting Russian users so far, but that is likely to change. While a Russian version has been used in attacks to date, an English-language version has now been created. Spora ransomware attacks will soon be a global issue.
A great deal of time and effort has gone into producing this very dangerous new ransomware variant, and a decryptor is unlikely to be created because of the way the ransomware encrypts data.
Unlike many new ransomware families that rely on a Command and Control (C&C) server to receive instructions, Spora ransomware can encrypt files even if the user is offline. Cutting off Internet access will not stop an infection, and blocking access to a C&C server will not prevent infection either.
Earlier ransomware variants have been created that can encrypt without C&C communication, but those variants did not use unique decryption keys, meaning one key would unlock all infections. Spora ransomware, by contrast, requires every victim to use a unique key. Using a hard-coded RSA public key, the ransomware creates a unique AES key for every victim, and that process happens locally. The AES key is then used to encrypt the private key of a public/private RSA key pair generated for each victim, again without C&C communication, and the hard-coded RSA key also encrypts each victim's separate AES key. Without the key held by the attackers, the encryption cannot be unlocked.
This complex encryption process is only part of what makes Spora ransomware unique. Unlike many other ransomware variants, there is no fixed ransom amount. This gives the attackers a degree of flexibility, and importantly the pricing process is automated. Security experts believe this degree of automation indicates that the ransomware will be offered on an affiliate model.
This flexibility allows a company to be charged a different amount from an individual. The ransom is calculated based on the extent of the infection and the types of files that have been encrypted. Since Spora ransomware gathers data on the victim, the amount could easily be changed when contact is made to pay the ransom.
When victims visit the attackers' payment portal to pay the ransom, they must supply the key file created by the ransomware. The key file contains a range of data on the victim, including details of the campaign used. The attackers can therefore carefully monitor infections and campaigns: successful campaigns that result in more payments can be repeated, and less effective campaigns can be brought to an end.
At present there are several payment options, including one that is quite unusual. Victims can pay to unlock the encryption, or pay extra to avoid future attacks, essentially purchasing immunity.
Emsisoft researchers who have analyzed Spora ransomware say it is far from a run-of-the-mill variant that has been quickly thrown together; it is the work of a highly knowledgeable group. The encryption process contains no weaknesses, which is uncommon for a new ransomware variant; the design of the HTML ransom note and the payment portal is highly sophisticated; and the payment portal even includes a chat option for communicating with the attackers. This degree of professionalism only comes from substantial investment and effort. The threat is unlikely to disappear soon. In fact, it could prove to be one of the most serious threats of 2017 and beyond.
DNS-based web filtering takes advantage of cloud-based technology to provide an Internet content filtering service as powerful as hardware or software solutions, but without their capital investment and high maintenance costs. As with most cloud-based technologies, DNS-based web filtering is convenient, reliable, and extremely scalable.
Any Internet filtering solution needs SSL inspection so that it can examine the content of encrypted web pages. Whereas SSL inspection can drain CPU resources and memory when performed by on-premises hardware or software, with DNS-based web filtering the inspection is done in the cloud, keeping that load off the local network.
How DNS Based Web Filtering Operates
To filter Internet content using the Domain Name System (DNS), you register for a web filtering service. The service provider gives you a browser-based account; you log in, submit your external IP address, and set your web filtering policy. Then you simply point your DNS settings at the service provider's web filtering service.
If you need different web filtering policies for different roles within your company, the service can be integrated with directory tools such as LDAP and Active Directory. It is also possible to deploy a DNS proxy for per-user reporting and to choose from a variety of predefined reports, or to set up your own bespoke reports.
Because of the way DNS-based web filtering works, it can be used with every type of network and operating system. Multiple locations and domains can be managed from one management portal, and, because the SSL inspection is conducted in the cloud, end users do not suffer the latency usually associated with hardware and software solutions.
Highly Granular Controls Maximize Your Security Strength
The most commonly given reasons for adding an Internet content filter are to safeguard the company from web-borne threats and to enforce acceptable use policies. DNS-based web filtering achieves both aims with a three-tier filtering mechanism. The three tiers work in tandem to maximize the company's defenses and prevent users from accessing material that could obstruct productivity or cause offense.
The first tier consists of SURBL and URIBL filters. These are commonly referred to as blacklists: they compare each request to view a website against IP addresses from which malware downloads, phishing attacks and spam emails are known to have originated. When a match is found, the request to visit the website is denied. Blacklists are supplied and updated by your service provider.
Behind the blacklists, category filters and keyword filters form the second and third lines of defense. System administrators can use them to stop users visiting websites in certain categories (social networking, for example), or sites likely to contain material inappropriate for an office environment. Keyword filters can also be used to prevent users from accessing specific content or web applications, or from downloading files with extensions most commonly associated with malware.
Exemptions to general policies can be set up by user or user group if a certain department needs access to a website or web application. For example, you may not want employees to engage in personal Internet banking during working hours, but it is likely crucial that your finance department has access to online banking services. Similar exemptions could be established if, say, your marketing department needed access to the company's Facebook or Twitter accounts.
DNS Based Web Filtering Provided by SpamTitan
SpamTitan offers businesses a range of DNS based web filtering solutions – WebTitan Cloud for companies with fixed networks, and WebTitan Cloud for WiFi for companies providing a wireless service to end users. Both DNS based web filtering solutions have been created with maximum ease of use, maximum granularity and maximum security from web-borne threats.
Along with being versatile and effective DNS-based web filtering solutions, both WebTitan Cloud and WebTitan Cloud for WiFi include many features to safeguard your company. Both have best-in-class malicious URL detection, phishing protection and antivirus software, all of which is updated automatically. Both also update their filtering mechanisms in real time, including the categorization of new websites as they appear.
The service grows with your company, so you never have to worry about registering new users or even multiple networks. WebTitan Cloud and WebTitan Cloud for WiFi are infinitely scalable, with no bandwidth limits and no latency problems. Unless you tell them, your users will never know they are being safeguarded from web-borne threats until they try to visit an unsafe or inappropriate web page.
An enterprise web filtering solution must provide a robust defense against web-borne threats along with being flexible in order to meet the requirements of the enterprise. However, flexibility without ease-of-use can result in the solution being useless. If enterprise web filtering software is difficult to configure, filtering parameters may either be set too high – obstructing workflows – or set too low, allowing a gateway for hackers.
At SpamTitan, we are conscious of the possible issues related to enterprise web filtering, and we have developed a range of flexible and easy-to-use enterprise Internet filtering solutions that can be set up in minutes, have no upfront costs, and have low maintenance overheads, freeing IT resources to focus on other important problems. We also provide guidance on how to optimize filtering parameters.
To maximize the flexibility of our enterprise web filtering software, we deploy a three-tier filtering mechanism together with whitelists, which allow access to websites that might otherwise be restricted and reduce the strain on CPU resources when the solution is inspecting encrypted websites. The three tiers consist of URIBL/SURBL filters, category filters and keyword filters:
- URIBL/SURBL filters check requests to visit websites against blacklists of websites known to be harboring malware or that mask their true identities behind proxy servers. They also check for any IP addresses associated with phishing attacks and block access if a match is found.
- Our category filters sort more than six billion web pages into fifty-three different categories (abortion, adult entertainment, alternative beliefs, alcohol, etc.). Network Administrators can block access to any of the categories with the click of a mouse via the centralized management portal.
- Keyword filters restrict access to websites containing specific words, using specific apps, or prompting the installation of files with specific extensions. This third tier of our enterprise web filtering software provides a high level of granularity to prevent workflow obstruction or open doors for hackers.
All the filtering parameters are subject to user policies, which can be established and managed by individual user, user group or enterprise-wide. For ease of use, our enterprise Internet filtering solution can be integrated with Active Directory and LDAP, and allows for many different administrative roles to be created for network managers, policy managers, and reporting managers.
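The three-tier mechanism described above and in the earlier section on DNS-based filtering, with per-group exemptions, modelled as an added example (this is illustrative code, not WebTitan's; the blacklist, category index, keyword rules and policy are constructed sample data):

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data standing in for the provider-supplied feeds.
BLACKLIST = {"malware-drop.example", "phish-login.example"}   # tier 1 (URIBL/SURBL)
CATEGORIES = {                                                 # tier 2 (category index)
    "social.example": "social_networking",
    "bank.example": "online_banking",
    "news.example": "news",
}
BLOCKED_KEYWORDS = ("casino",)                                 # tier 3 (keywords)
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js")                   # tier 3 (file extensions)


@dataclass
class Policy:
    """Enterprise-wide policy plus per-group exemptions (hypothetical structure)."""
    blocked_categories: set[str] = field(default_factory=set)
    # user group -> categories that group may reach despite the block
    exemptions: dict[str, set[str]] = field(default_factory=dict)


# Constructed policy: block social media and online banking for everyone,
# but let finance reach banking sites and marketing reach social networks.
POLICY = Policy(
    blocked_categories={"social_networking", "online_banking"},
    exemptions={"finance": {"online_banking"}, "marketing": {"social_networking"}},
)


def decide(url: str, group: str, policy: Policy = POLICY) -> tuple[str, str]:
    """Run one request through the three tiers; return (verdict, reason)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    # Tier 1: a blacklist hit denies the request outright; no exemption applies.
    if host in BLACKLIST:
        return "block", "blacklist"

    # Tier 2: category filter, subject to the requesting group's exemptions.
    category = CATEGORIES.get(host)
    if category in policy.blocked_categories:
        if category in policy.exemptions.get(group, set()):
            return "allow", f"exempt:{category}"
        return "block", f"category:{category}"

    # Tier 3: keyword and file-extension rules applied to the full URL.
    lowered = url.lower()
    if any(word in lowered for word in BLOCKED_KEYWORDS):
        return "block", "keyword"
    if parts.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", "extension"

    return "allow", "default"
```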
SpamTitan’s variety of flexible and simple-to-use enterprise Internet filtering solutions consist of WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for WiFi. Each can be deployed within minutes and each has automatic network configuration.
- WebTitan Gateway is a virtual appliance installed behind the firewall that can be run as an ISO directly on existing hardware or on a virtual infrastructure. It runs on most operating systems, scales to thousands of users, and supports both HTTP and HTTPS web filtering.
- WebTitan Cloud takes advantage of cloud-based technology to deliver an unmatched combination of coverage, accuracy and flexibility with imperceptible latency. Deployment only requires a quick redirection of the enterprise's DNS to our servers.
- WebTitan Cloud for WiFi has been specifically created to support both static and dynamic IP addresses. It keeps wireless networks, single WiFi access points and nationwide networks of WiFi hotspots safe from web-borne threats with the same flexibility and ease of use.
All of our enterprise Internet filtering solutions provide real-time oversight of network web activity and a suite of reporting options that can be configured to provide deep insight into activity by user, user group, URL or IP address and to identify trends or policy violations. Network administrators can also set up email alerts to be notified of any attempts to circumvent the enterprise web filtering software.
If your interest in enterprise Internet filtering solutions stems from being a Managed Service Provider (MSP) or reseller, you will appreciate that flexibility and ease of use are of paramount importance when supplying an enterprise Internet filtering service to clients. The option of managing the solution yourself, or delegating responsibility to each of your clients, may also be of interest to you.
However, some of the biggest benefits of providing our WebTitan service to your clients are that all three WebTitan solutions are multi-tenanted enterprise Internet filtering solutions, they can be provided in white label format for re-branding, and we offer a range of hosting options – in our infrastructure, in your infrastructure, or in a private cloud for each client via AWS. Please speak with us for more information about our services for MSPs.
If you would like to learn more about our flexible enterprise web filtering software, do not hesitate to contact us and discuss your requirements with one of our Sales Technicians. The discussion will help determine the most appropriate enterprise Internet filtering solution for your circumstances, after which you will be invited to take advantage of a thirty-day free trial.
During the trial period, you will be supported by our industry-leading Customer and Technical Support experts. They will provide advice on optimizing the filtering parameters and take you through fine-tuning the enterprise web filtering software to achieve optimum effectiveness. Then, at the end of the free trial, if you choose to continue with our service, no further configuration will be necessary.
We are confident that you will find our enterprise web filtering software a strong defense against web-borne threats, as well as flexible and easy to use. Contact us today to begin your free trial, and you could quickly be evaluating the merits of our enterprise Internet filtering solutions in your own environment.
A Southern Oregon University phishing attack has demonstrated exactly why so many hackers have opted for phishing as their main source of profits.
The Southern Oregon University phishing attack involved just one phishing email. The attackers pretended to be a construction company – Andersen Construction – that was erecting a pavilion and student recreation center at the University.
The attackers spoofed the email address of the construction firm and asked that all future payments be directed to a different bank account. The university then transferred the next payment of €1.9m to the new account in April.
Three days later, the university discovered that the construction firm had not received the funds. The FBI was notified as soon as the fraud was discovered, and efforts to recover the funds are continuing. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable portion cannot be located. Joe Mosley, a representative for SOU, said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
For a scam like this to succeed, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find, and universities often have construction projects underway.
These attacks are referred to as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not known whether the vendor's email account had been hacked, but that step may not be necessary to pull off a phishing attack such as this.
Increase in BEC Attacks Prompts FBI Alert for Universities
In this instance, the payment was massive but it is far from an isolated incident. Last month, the FBI published a public service announcement warning universities of attacks such as this.
The FBI warned that access to a construction firm's email account is not required. All the scammer needs to do is register a domain similar to the one used by the firm. Accounts department employees may check the email address and still not notice that a letter has been changed.
By the time a university notices that a payment has not arrived, the funds have typically already been moved out of the scammer's account and cannot be recovered. Payments are often of the order of several hundred thousand dollars.
The FBI advised SOU that there have been 78 such attacks in the past 12 months, some of which have been carried out on universities. However, all groups are in danger from these BEC scams.
The Southern Oregon University phishing attack shows just how simple it can be for cybercriminals to pull off a BEC attack. Securing against this type of scam requires employees to be vigilant and to use extreme caution when requests are made to change bank account details. Such a request should always be verified by some means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was completed.
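An accounts-payable triage check that applies the two points above, as an added example not taken from the article or the FBI alert: it flags a sender domain that is a one-letter variant of a vendor domain on file, and holds any request to change bank details for out-of-band verification. The vendor domain, phrase list and sample messages are constructed.

```python
from email.utils import parseaddr

# Constructed vendor list: the domain the accounts department has on file.
KNOWN_VENDOR_DOMAINS = {"Andersen Construction": "andersen-construction.example"}

# Phrases that signal a request to redirect payments (constructed list).
BANK_CHANGE_PHRASES = ("new bank account", "updated banking details",
                       "change of account", "remit to")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Compare the sender's domain with every vendor domain on file.

    Returns ('trusted', domain) on an exact match, ('lookalike', domain) when
    the sender domain is within two edits of a vendor domain (a changed or
    dropped letter, as in the FBI alert), otherwise ('unknown', '').
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for vendor_domain in KNOWN_VENDOR_DOMAINS.values():
        if domain == vendor_domain:
            return "trusted", vendor_domain
        if domain and edit_distance(domain, vendor_domain) <= 2:
            return "lookalike", vendor_domain
    return "unknown", ""


def triage(from_header: str, subject: str, body: str) -> dict:
    """Decide what accounts payable should do with an incoming vendor email."""
    verdict, vendor_domain = classify_sender(from_header)
    text = f"{subject} {body}".lower()
    payment_change = any(phrase in text for phrase in BANK_CHANGE_PHRASES)
    if verdict == "lookalike":
        action = "quarantine"          # spoofed vendor domain: never act on it
    elif payment_change:
        action = "hold_for_callback"   # verify by phone, even from a trusted domain
    else:
        action = "deliver"
    return {"sender": verdict, "vendor_domain": vendor_domain,
            "payment_change": payment_change, "action": action}
```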
Social media can be a key part of an organization's marketing operations, but it can also be the gateway for many online threats. Internet users who do not use unique passwords for their online activities, who share their passwords, or who willingly provide confidential information without considering the security implications can put the online security of an entire organization at risk.
Rather than let an employee threaten the integrity of your organization's online security, it is in your best interests to implement an Internet filtering solution from TitanHQ. An Internet filtering solution, together with proper training about the risks of communicating confidential data online, can address the risk of your organization's online defenses being compromised by a staff member's carelessness or naivety.
The main focus of our spam advice section is to keep you informed with the latest news on new email spam campaigns, email-based threats and anti-spam solutions that can be deployed to prevent those threats.
Email spam is more than an annoyance. Even if the amount of spam received by employees is relatively small, it can be a major drain on productivity, especially for organizations with hundreds or thousands of employees. This section includes articles offering advice on how to reclaim those lost hours by cutting the number of messages that reach your employees’ inboxes.
However, much worse than the lost hours are the malware and ransomware threats that arrive through spam email. Email is now the number one attack vector used by hackers to deliver malware and ransomware. Hackers are now using increasingly sophisticated methods to get around security solutions. Today’s spam emails use advanced social engineering tactics to trick end users into revealing login details and other sensitive information, and installing malicious software on their computers.
Major advances have also been made in malware and ransomware. Self-replicating worms are being used to infiltrate entire networks before ransomware attacks take place, maximizing the damage caused and the ransom payments that can be generated. The cost to industry is significant. In 2018 ransomware attacks resulted in $1 billion in losses by companies, with 2017 expected to see those losses increase to a staggering $4 billion. Blocking spam email is therefore an essential element of any cybersecurity policy.
Good spam advice can help organizations act promptly to reduce the danger of email-based attacks.