Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Digital identity needs to be cyber security priority in 2018

Protecting digital identities and protecting employees are key cyber security challenges for 2018.

Protecting digital identities and protecting employees are key cyber security challenges for 2018

The issues of protecting digital identity, gaining data visibility and protecting employees are key cyber security challenges for 2018 according to the cyber security 2018 predictions report by security firm FireEye.

“The idea that you can get someone’s date of birth, and their Social Security number and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change,” FireEye said.

“This has to happen. Otherwise, every five months, we’re going to have another huge data breach,” they warned.

In addition to the imperative of finding a better way to manage identity, RedEye said it was also important to find a way of dealing with international privacy.

On the topic of nation state actors in the cyber realm, RedEye considers Iran the most interesting country to watch, rather than Russia, China or North Korea.

RedEye said while Iran started “acting at scale” in 2017, the extent of that activity was not really known. “We don’t know if we are seeing 5% of Iran’s activities, or 90% – although I’m guessing it’s closer to 5% – but they’re operating at a scale where, for the first time in my career, It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state sponsored,” they said.

On the topic of cloud security, RedEye claimed better visibility was of paramount importance. I know that a lot of people are depending on the cloud, and we need visibility.

“Many of these cloud providers are providing it, but we don’t always have security operations that can take advantage of that visibility and see what’s happening,” he said.

An area many companies are still overlooking, RedEye said, is protecting employees from cyber attack.

He said companies needed to consider whether hackers could access corporate accounts through hacking employees’ private accounts, or if they could make it appear as though they have hacked the enterprise.

“There are hackers out there who will hack an employee at a company, and they will post any document they can get, and they will say they hacked the company even if they haven’t. It’s a reputational thing – while it’s hard to gauge the public response to these types of incidents, right now many companies are being deemed irresponsible or negligent or compromised when they are none of those things,” he said.

RedEye said all security professionals should be thinking about what employees are doing when they go home, how they can be secured, how they can be helped, what policies are needed and how those policies could be enforced.

They advised that all organisations moving into the cloud should know everything that is going on.

While there are bound to be new, interesting attacks in 2018, organisations should be preparing for modified versions of current attacks

“For instance, do you have places where documents are getting uploaded and then going into your back office? That’s a good place to ensure there is some high-grade detection, beyond an antivirus scanner. Because you essentially have unauthenticated input going directly into the key parts of your organisation.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with the governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that in the light of the fact that there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Half of UK SMEs spend less than £1,000 on cyber security

Almost 50% of UK small to medium enterprises plan to spend £1,000 or less on cyber security in the next year and 22% do not know how much they will spend, insurance firm Zurich has found.

Almost 50% of UK small to medium enterprises plan to spend £1,000 or less on cyber security in the next yearAs many as 875,000 small and medium-sized enterprises (SMEs) in the UK – 16% of the total – have been hit by a cyber attack in the past 12 months, according to the latest Zurich SME Risk Index.

Businesses in London are the worst affected, with almost a quarter (23%) reporting suffering a breach within this period.

Of businesses that were affected, more than one fifth (21%) said it cost them more than £10,000 and one in 10 (11%) said it cost more than £50,000.

Yet despite the volume of attacks and potential losses, the survey of more than 1,000 UK SMEs showed that business leaders are not committing to investing significantly in cyber security in the year ahead.

The survey, by YouGov on behalf of Zurich, found that 49% of SMEs admitted they plan to spend £1,000 or less on their cyber defences in the next 12 months, and almost a quarter (22%) do not know how much they will spend.

The lack of planned investment in cyber defences is also surprising in the light of the fact that business leaders report that strong cyber security is giving them an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

This trend is confirmed by a separate survey of SMEs by security e-learning firm CybSafe, which showed that half of SMEs polled have had cyber security conditions included in contracts with enterprise customers in the past five years, and one-third of respondents said they have had their cyber security measures questioned as part of winning contracts in the past year.

Also, 44% said they have been required to hold a recognised cyber security standard, such as ISO 27001, by their enterprise customers in the past five years and 28% in the past year alone, demonstrating a clear trend in enterprise approach to supplier information security.

“While recent cyber attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it is important to remember that small and medium-sized businesses need to protect themselves too,” said Paul Tombs, head of SME proposition at Zurich.

“The survey results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses.”

However, Tombs said that although the rate of attacks on SMEs is troubling, it also shows there is an opportunity for businesses with the correct safeguards and procedures in place to use this as a strength and gain an advantage.

In September 2016, a report by Juniper Research revealed that 74% of UK SMEs believed they were safe from cyber attack, despite half of them admitting having suffered a data breach.

The report showed that 86% of the SMEs surveyed thought they were doing enough to counter the effects of cyber attacks, and 27% believed they were safe from attack because they were small and of no interest to cyber criminals.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Defence minister opens £3m cyber security centre in

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

 

UK firms still relying on perimeter defences for cyber security

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Some 96% of UK businesses feel as though their network perimeter security is effective at keeping unauthorised users out of their network, according to the fourth-annual Gemalto Data Security Confidence Index.

The global ransomware attack in May 2017 affected more than 200,000 computers in over 150 countries, including in the UK where the NHS was forced to restrict operations and turn away patients.

Across the 10 global regions surveyed, 94% of the more than 1,000 IT professionals said perimeter security is effective, but only 35% said they were extremely confident their data would be secure if perimeter defences were breached.

However, the survey also revealed that 46% of UK businesses are only protecting their customers’ data with passwords, and when considering their latest data breaches, 75% of the data stolen from businesses on average was not encrypted, with 11% of businesses not encrypting any of their data.

“As a security professional, it feels like I’ve been saying forever that basic perimeter security measures are no longer enough,” said Joe Pindar, director of data protection product strategy at Gemalto.

“So it’s worrying to see the UK is continuing to place ultimate faith in these systems, without thinking about what attackers actually want – their data,” he said.

Without a switch in mentality, and starting to protect the data at its source with robust encryption and two-factor authentication, the UK is like one of the three little pigs.

“Unfortunately, the one sitting in the straw house – not realising that when the time comes, passwords and perimeter security alone will not stand up to attackers,” he said.

The Gemalto report notes that many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyber attacks.

According to the research findings, 76% of global respondents said their organisation had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention, antivirus, content filtering, and anomaly detection to protect against external attackers.

Despite this investment, 68% believe unauthorised users could access their network, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations polled have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data.

According to the Gemalto report, this means that, should the data be stolen, a hacker would have full access to this information, and could use it for crimes including identify theft, financial fraud or ransomware.

“It is clear there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice-president and chief technology officer for data protection at Gemalto.

“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data, which is a company’s most valuable asset,” he said, adding that it is important to focus on protecting this resource. “Otherwise, reality will inevitably bite those that fail to do so.”

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Major cyber incidents accelerating, says NCSC

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency

In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.

However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.

“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.

Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.

The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.

The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.

1. There is still a need for organisations to get the basics right

“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.

2. Failure to get the balance right between usability and security

“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.

“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.

3. Legacy systems and equipment

The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.

4. Outsourcing

“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.

“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.

In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.

“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.

5. Mergers and acquisitions

In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

UK needs urgent response to online fraud, says NAO

Online fraud is the most common crime in England and Wales and needs an urgent response according to the Parliament’s public spending watchdog.

Online fraud is the most common crime in England and Wales and needs an urgent response according to the Parliament’s public spending watchdog.

While tackling online fraud is complex, the Home Office’s response is not proportionate to the threat, according to the National Audit Office (NAO).

Although the City of London Police is the national lead force for online fraud and runs the Action Fraud national centre for reporting fraud, police and crime commissioners and chief constables are responsible for policing in their local areas.

Despite the fact the face of crime is changing, the NAO’s report said police forces take different approaches to tackling online fraud and for some it is not a priority. Only 27 out of 41 police and crime commissioners refer to online fraud in their most recent annual police and crime plans.

“For too long, as a low value but high volume crime, online fraud has been overlooked by government, law enforcement and industry,” said Amyas Morse, head of the National Audit Office.

“It is now the most commonly experienced crime in England and Wales and demands an urgent response. While the Home Office is not solely responsible for reducing and preventing online fraud, it is the only body that can oversee the system and lead change.

“The launch of the Joint Fraud Taskforce in February 2016 was a positive step, but there is still much work to be done. At this stage, it is hard to judge that the response to online fraud is proportionate, efficient or effective,” he said.

In the year ending 30 September 2016, the Office for National Statistics (ONS) estimated that there were 1.9 million estimated incidents of cyber-related fraud in England and Wales, or 16% of all estimated crime incidents.

Online fraud includes criminals accessing citizens’ and businesses’ bank accounts, using their plastic card details, or tricking them into transferring money.

“Hidden” crimes require new and different responses yet, despite the level of economic crime, statistics suggest police forces remain more focused on traditional crimes, the report said, highlighting that in 2016, one in six police officers’ main function was neighbourhood policing, while only one in 150 police officers’ main function was economic crime.

According to the NAO, the Joint Fraud Taskforce set up by the Home Office to raise awareness of online fraud, reduce card not present fraud and to return money to fraud victims is a positive step. But the report said the Home Office faces a challenge in influencing other partners such as banks and law enforcement bodies to take on responsibility for preventing and reducing fraud. The report said £130mis held in banks that cannot accurately be traced back and returned to fraud victims.

In addition, without accurate data, the report said the Home Office does not know whether its response is sufficient or adequate.

Measuring the impact of campaigns and the contribution government makes to improving online behaviours is challenging, according to the NAO.

According to the NAO, the growing scale of online fraud suggests that many people are still not aware of the risks and that there is much to do to change behaviour. In addition, the report said that different organisations running campaigns, with slightly different messages, can confuse the public and reduce the campaigns’ impact.

While educating consumers is sensible, the NAO said government and industry still have a responsibility to protect citizens and businesses. The report said the protection banks provide varies, with some investing more than others in educating customers and improving their anti-fraud technology. The ways banks work together in responding to scams also needs to improve.

Although there are examples of good practice in protecting people against online fraud, such as Sussex Police’s initiative to help bodies such as banks and charities identify potential victims, the NAO said there is no clear mechanism for identifying, developing and sharing good practice to prevent people becoming victims.

The government wants the police and judiciary to make greater use of existing laws, but the NAO found that stakeholders had mixed views on the adequacy of current legislation. The international and hidden nature of online fraud makes it difficult to pursue and prosecute criminals because of the need for international co-operation and an ability to take action across borders, the report said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

 

Key lessons from Petya cyber security ransomware attack

The recent Petya cyber security attack does not follow other recent attacks.

The recent Petya cyber security attack does not follow other recent attacks.

Security researchers are struggling to reach consensus on whether the ransomware responsible for the latest global attacks is a new version of Petya or not, and even whether it was true ransomware, but what they have learned so far could help guide security strategies.

Those in support of retaining the Petya name point out that it essentially behaves in exactly the same way because it is designed to:

Encrypt files on disk without changing the file extension.
Forcibly reboot the machine upon infection.
Encrypt the Master Boot Record on affected machines.
Present a fake CHKDSK screen as a cover for the encryption process.
Present a near-identical ransom demand screen after completing its activities.

According to the latest update on the malware, Kaspersky Lab says code analysis has revealed it is technically impossible to decrypt victims’ disks.

To decrypt a victim’s disk threat actors need the installation ID, and in previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery, researchers at the security firm said.

However, they found the new malware – which they have dubbed ExPetr – does not have any such recovery mechanism, which means the threat actor could not extract the necessary information needed for decryption.

In short, victims could not recover their data even if they paid the ransom, the researchers said, which again calls into question the motive behind the malware.

This discovery not only further endorses the security community’s earlier advice not to pay the ransom, but also raises further questions about the true purpose of the malware and is likely to fuel further speculation that it may have been intended purely as a means to cause disruption on to mask some other malicious activity.

This view is supported by the latest statement from the UK National Cyber Security Centre (NCSC) that while managing the impact to the UK of the incident, the NCSC’s experts have found evidence that questions initial judgements that the intention was to collect a ransom. “We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain,” the NCSC said.

Whatever the true purpose, analysis of the malware has confirmed some of the lessons learned from WannaCry and added others which organisations should consider in order to improve their cyber defence capabilities against future threats.

The key lessons from the cyber security attack that have emerged so far are:

1. Having the latest versions of software and ensuring they are patched up to date will go a long way in reducing organisations’ vulnerability to cyber attack.

2. Malware is increasingly using legitimate tools for malicious activity to go undetected. In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec were used.

3. Malware is hijacking software updating mechanisms to spread malware, and is likely to use this technique increasingly in future.

4. An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way to mitigating the effects of ransomware and other malware attacks, regardless of its particular characteristics.

5. Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.

ExPetr uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users to spread itself on local networks. You can find more details at: https://github.com/gentilkiwi/mimikatz

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Victims of latest global ransomware attack urged not to pay

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine.

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine

The new ransomware, dubbed ExPetr by Kaspersky Lab, has been linked to Petya, because, like that family of ransomware, it also attempts to encrypt the hard drive’s master boot record (MBR), locking victims out of their computer – not just files.

Security researchers have also highlighted that for propagation the ExPetr is not relying only on the EternaBlue exploit that targets a known vulnerability in the server message block protocol in Microsoft Windows.

ExPetr is also being spread using the EternalRomance exploit targeting Windows XP to 2008 systems over TCP port 445 and through abuse of legitimate command line tools PsExec and Windows Management Instrumentation Command-line (WMIC).

The ransomware also uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users.

This means computers may still be vulnerable even if Microsoft patches issued by have been applied for the EternalBlue and EternalRomance expoits that are believed to have been developed by the NSA and subsequently stolen and leaked by the ShadowBrokers hacking group.

However, the immediate application of the Microsoft patches is still advised for any unpatched machines.

In light of the fact that the attackers’ email account for accepting ransom payments has been shut down, victims are also advised not to pay the $300 ransom as it is unlikely they will receive a key for decrypting affected files.

Security researchers monitoring the bitcoin wallet associated with the ransomware report that a few hours after the attack began, the wallet began receiving funds, indicating some victims were willing to pay almost immediately. However, only about 26 victims are believed to have paid on the first day.

To prevent the ransomware from spreading in the network, it is recommended to turn off computers that have not been infected, disconnecting the infected hosts from the network, and making images of compromised systems.

This approach could be useful for restoring data, the firm said, if researchers find a way to decrypt the files. In addition, these images can be used to analyse the ransomware.

Researchers at the firm also claim to have found a kill switch to disable the ransomware locally.

The researchers found that the ransomware checks if the perfc file is present in the C:\Windows\ folder before executing. They suggest creating a file with the correct name in this folder can prevent the substitution of the MBR and further encryption. Similarly, other researchers have suggested that blocking C:\Windows\perfc.dat from writing or executing could halt the ransomware.

Anti-ransomware recommendation for businesses

Use the Windows AppLocker feature to disable the execution of any files that carry the name “perfc.dat” as well as the PSExec utility from the Sysinternals Suite.
Isolate infected endpoints as soon as possible.
Use the indicators of compromise to update security systems.
Develop a system of regular training courses for employees to increase their awareness of information security issues by demonstrating practical examples of potential attacks on the company’s infrastructure.
Install antimalware software with self-protection that requires a special password for disabling or changing its settings.
Ensure regular updates of software and operating systems on all hosts of the corporate infrastructure, as well as an effective process of managing vulnerabilities and updates.
Conduct regular information security audits and penetration testing will allow timely detection of existing deficiencies in protection and vulnerabilities.
Monitor the corporate network perimeter to control network service interfaces accessible from the internet and correct the configuration of firewalls in a timely manner.
Monitor the internal network to detect and eliminate an attack that has already occurred.

To apply this local kill switch or vaccine, administrators need to locate the C:\Windows\ folder and create a file named perfc, with no extension name.

According to Kaspesky Lab, around 2,000 machines had been hit by the ransomware by the end of the first day of attacks, which appears to indicate ExPetr is spreading much more slowly than WannaCry.

Code analysis showed that the new ransomware does not attempt to spread itself beyond the network it is placed on, leading several experts to predict the attack will not spread significantly further than it did on the first day unless it is modified.

Known victims of the ransomware include Ukraine’s central bank, Ukraine’s Ukrenego electricity supplier, the Chernobyl nuclear power plant, airport and metro services throughout the Ukraine, UK advertising firm WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Danish shipping company A.P. Moller-Maersk, Russian oil company Rosneft, Pennsylvania hospital operator Heritage Valley Health System, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139