Ransomware criminals extort $1 Million From South Korean Company

 

If ever there was a flagship incident to demonstrate the leverage ransomware gives an attacker, this is it. Ransomware, the form of cybercrime in which business-critical data is encrypted and held until a payment is made, has been in the headlines for all the wrong reasons.

This story is a little different. Ransomware hits businesses large and small, but many criminals using the off-the-shelf families available target the low-hanging fruit: small business. It is a simple numbers game; many small companies have little or no security in place, which makes a volume approach attractive.

A million-dollar ransom is a different proposition. High-profile attacks are not exactly uncommon either: the recent WannaCry outbreak that hit the UK's National Health Service drew international attention.

The details

Nayana, an established web hosting provider based in South Korea, was the victim. The attack is believed to have begun on June 10, 2017; weaknesses in the company's overall security arrangements made it a prime target.

As is usually the case, the ransomware was an existing family rather than something bespoke: Erebus. Able to target over four hundred file types, it encrypted data across 153 Linux servers run by the hosting company, leaving owner Chil-Hong facing a complete outage of service for the customers hosted on them.

As is often the case, negotiations followed. The criminals initially demanded a staggering 550 bitcoin; Chil-Hong bargained them down to roughly $1 million, well below the opening demand. With the CEO having liquidated assets to raise the money, two instalments of the total are reported to have been paid.

Hoping to conclude the 'deal' as quickly as possible and restore his customers' data, Chil-Hong was quoted on Twitter as saying that the 'probability of recovering all the data will be higher' once the last instalment is made.

This reasoning, while understandable, sets a dangerous precedent. Criminals do not obey the law, and they will not reliably honour a private agreement either. Many ransomware victims who have paid find themselves subject to further demands. Modern ransomware usually incorporates a payment and decryption workflow, but there is no guarantee that any response will be received once a payment is made, let alone a working decryption key.

Protecting your assets

Fortunately, protecting business assets from this kind of extortion need not be exhausting or costly. Ransomware works by restricting access to data that exists nowhere else; remove that condition and the attacker's leverage goes with it.

Backups of all business-critical assets are the simple first step. Should you be targeted, you can then restore your data on systems separate from the attack. The copy must live somewhere the production systems cannot write to, and it must be restore-tested regularly; a backup share mounted on the infected server is encrypted along with everything else. With the need for payment removed, recovery can proceed on your own terms.
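A concrete form of the "separate, restore-tested copy" advice, as an added example rather than Custodian360 or AVR code: a hash manifest is recorded when the backup is taken and checked before anyone relies on the copy. The backup tree, the manifest file name and the 7.5 bits-per-byte entropy threshold are assumptions for the demo; demo() builds a small backup in a temporary directory, verifies it clean, then simulates ransomware reaching the copy.

```python
"""Hash manifest for an offline backup copy, plus a verify step that spots a
copy which ransomware has reached.

Added example, not Custodian360/AVR code. Backup tree, manifest name and
the entropy threshold are assumptions made for this demo.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_SUSPECT = 7.5   # bits/byte; plaintext documents sit well below this


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest):
    """Compare the copy on disk with the manifest taken at backup time."""
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(set(current) - set(manifest))
    # An encrypted copy shows up as new or altered files whose first 64 KiB
    # look random; files the manifest already knows about are not re-judged.
    suspicious = sorted(k for k in unexpected + changed
                        if entropy((root / k).read_bytes()[:65536]) >= ENTROPY_SUSPECT)
    ok = not (missing or changed or suspicious)
    return {"ok": ok, "missing": missing, "changed": changed,
            "unexpected": unexpected, "suspicious": suspicious}


def demo():
    """Build a tiny constructed backup, verify it, then simulate ransomware
    reaching the copy. Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "accounts").mkdir(parents=True)
        (root / "accounts" / "ledger.csv").write_text("date,amount\n2017-06-10,100\n" * 50)
        (root / "notes.txt").write_text("customer contact list, plain text\n" * 20)
        manifest_path = Path(d) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        clean = verify_backup(root, load_manifest(manifest_path))
        # Constructed attack: an encrypted twin replaces the original.
        orig = root / "accounts" / "ledger.csv"
        orig.with_name(orig.name + ".encrypted").write_bytes(os.urandom(4096))
        orig.unlink()
        tampered = verify_backup(root, load_manifest(manifest_path))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy ok:", clean["ok"])
    print("tampered copy:", tampered)
```

The manifest has to be stored where the production hosts cannot rewrite it (the same offline medium as the copy, or a separate system); an attacker who can reach the backup and the manifest together can simply regenerate it. Legitimately compressed or encrypted archives in the backup set are recorded in the manifest at backup time, so they are not flagged; only files that appear or change after the fact are judged by entropy.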

Employee awareness is also a practical measure. Many data leaks and security incidents, including ransomware infections, can be avoided by circulating information on security processes and on current attacks. With many incidents originating inside the organisation, whether through error or an opened attachment, mandating a greater awareness of the threats posed by ransomware and other attacks can produce remarkable results.

Investment in professional support and software remains a powerful measure against ransomware and cybercrime. The measures above provide an acceptable baseline, but many businesses cannot afford to be even remotely susceptible to an attack.

Just as modern ransomware has evolved and become more sophisticated, so has the software that protects against it. Investment in such software, combined with professional consultancy such as a data and security audit, can provide a level of protection that removes your business as a viable target.

Custodian360 -The UK’s only SentinelOne Managed Service Provider


The UK’s only SentinelOne Managed Service Provider is showcasing at InfoSecurity Europe 2017

6th June 2017 – Twyford, UK – Independent Information Security and Mobility Solutions Provider AVR International will be exhibiting its new Managed Endpoint Security Platform Custodian360 at InfoSecurity Europe 2017, the region’s leading information security event which takes place at Olympia, London from 6th to 8th June 2017.

Launched in January 2017, Custodian360 (custodian360.com) is a Complete Managed Endpoint Protection Service and is proud to still be the UK’s only Managed Service Provider for SentinelOne.

Custodian360 was built with SME businesses in mind. Cost has traditionally been a barrier, denying many access to the enterprise-grade security products needed to face the current threat landscape. Custodian360 packages a fully managed service around the SentinelOne product, backed by industry veterans, and makes it available to businesses of all sizes.

The service is led by Andy James (Director), who brings a wealth of cyber security knowledge and experience backed by a history of providing global managed service solutions. With partner management and operations support provided by Kevin Baker (Partner Manager) and Chris Knight (Support Manager) respectively, coupled with forensic analysis and remediation performed by a team of analysts, you can rest assured that your endpoints are in safe hands.

Andy is “hugely excited to be bringing Custodian360 to InfoSecurity Europe this year” and “is proud to be able to offer this ground breaking service to protect small businesses at a crucial time ensuring that everybody can now be protected from the myriad of threats we face daily”.

With many businesses unable to maintain the resources necessary to constantly monitor and track threat intelligence, Custodian360 takes away this problem and our analysts become part of your team. Our swift response and reporting feeds threat information back into your organisation, allowing you to track incidents and responses without having to employ expensive full-time resources.

A service of this type is only made possible by the near-100% detection rates SentinelOne provides. With advanced Deep File Inspection to detect threats before execution and a behavioural analysis engine covering file-based and fileless threats, browser exploits and conventional exploits alike, Custodian360 provides a full endpoint protection and remediation platform that lets businesses concentrate on running their business while Custodian360 deals with the threats.

With 2016 recording a record number of over 400,000 ransomware attacks, the demands on businesses to protect themselves from cyber-attacks and data breaches have increased exponentially. Custodian360 detects, protects and repairs instantly, and with full ransomware detection, prevention and roll-back capability, encrypted files no longer mean having to pay a ransom or restore from backup.

Custodian360 will be exhibiting at Stand No. L09 at InfoSec, presenting the managed service and demonstrating its features and capabilities live, with real malware. Stop by and say hello to the team; visitors will be invited to enter a prize draw to win an iPad Pro tablet.

 

About AVR International Ltd

AVR International Ltd is an independent provider of IT security and enterprise mobility solutions. Founded in 2002 by Helen Hall to provide an agnostic approach to anti-virus products and their sale, the business has gone from strength to strength and has applied that founding approach across all solutions offered. Helen has recently taken a new role within AVR International: having been a hugely successful Managing Director, she is now AVR's Chairman, perfectly positioned to hold a strategic view and support the management team as they develop the business further. With Nick Kellaway taking the reins as Managing Director, it is an exciting time as we work hard to build and provide solutions and services to our rapidly growing customer base.

AVR’s team of solution and technical specialists and strong vendor partner relationships enable it to provide individually tailored solutions for businesses and organisations. With more and more solutions being added to the portfolio, AVR is well placed to advise businesses of all sizes where they should focus their attentions to achieve effective security and mobility strategies.

AVR offers expert Threat Protection services coupled with a broad range of protection against cyber-attack and data breach in addition to Data Compliance solutions.  In January 2017, AVR introduced Custodian360, a complete managed endpoint security platform specifically targeted to small and medium sized businesses.

Whilst AVR covers some 48 security and mobility areas, the core services that drive the business are:

 

    • Threat Protection – Anti Virus, Firewalls, Endpoint solutions
    • Mobility Solutions – Enterprise Mobility Management and New Tech solutions
    • Managed Services – Bespoke fully managed services for major High Street Brands across the UK
    • Professional Services – Tailored Consultancy, Security Posture Audits, Managed Service Contracts, Proof of Concept, Configuration and Deployment, Training, Technical Telephone Support, In-house Mobility Device Helpdesk

 

www.avr.co.uk | LinkedIn | Twitter

Ransomware Blog Post

What do you know about Ransomware?

Ransomware is blazing its way across the front pages of news sites and into primetime TV bulletins, and for good reason: WannaCry has stunned the world with its reach and disruptiveness. Perversely, the WannaCry attack has been welcomed by some in the security industry. The damage is entirely lamentable, but the attack has exposed how unprepared much of the digital world is. With modern ransomware able to devastate national infrastructure such as the NHS in the United Kingdom, more is clearly required to reach a secure level of operation. That said, there are aspects of ransomware that many are entirely unaware of. It is a nuanced and technical subject, so we have brought together a list of points to bear in mind.

The amount of money made by ransomware is staggering.

Ransomware would not be as prevalent as it is if there were not a huge amount of money to be made. While plenty of malware and hacks exist purely as toys, the most telling indicator of how widespread an attack will be is its potential for profit, and ransomware is no exception.

This is partly because a ransomware campaign can blanket both large and small organisations with equal ease. Large corporations are just as vulnerable, but small businesses are being hammered every day with demands to pay up for access to their suddenly encrypted data. CryptoWall 3.0, a salient example of this earning potential, was estimated to have made $325 million in 2015 alone.

Payment doesn’t guarantee the release of your files

To quote author Terry Pratchett, "Criminals don't obey the law. It's more or less a requirement for the job." The same disregard extends to the 'agreement' their ransom note offers. Many victims suddenly find their business-critical files unusable and are told to pay for access. The problem? Payment often brings nothing. Accounts abound online of people who paid up as demanded, only to find their files still encrypted. Giving in is dangerous for another reason too: many perpetrators make their best money by repeatedly targeting and squeezing those who have already paid once in the hope of restoring access.

Ransomware is easily accessed

The two pillars of ransomware's success in recent years are the ease of access to it and the simplicity of its use. We have explained how ransomware hits both small and large businesses en masse; with many small businesses woefully underprepared, often with no defence at all, getting in is easy. The second pillar is how easily an individual can 'get involved' in ransomware themselves.

Ransomware can be downloaded online relatively anonymously, particularly if the buyer hides behind a VPN or similar software, giving any interested individual access to some of the most damaging families in circulation. More sinister still is the 'as a service' distribution model. It is important to remember that cybercriminals are in it for the profit, not for fun.

The ransomware-as-a-service (RaaS) model lets affiliates acquire the most effective families at no upfront cost, instead passing a cut of their ill-gotten gains back to the producer each time an extortion succeeds. This low barrier to entry, in both cost and the skill needed to operate the products, is a large factor in the sheer rate of attacks seen in recent years and in the continued growth of the phenomenon as a whole.

Custodian360 is one of the only truly managed ransomware protection solutions available in the UK, using state of the art real-time detection and prevention software backed by a team of security analysts dedicated to the protection and remediation of your network.

Get in touch with us today to find out more about us.

WannaCry Interface

WannaCry – See It In Action

This week we are running webinars at 3pm GMT every day where we will talk about the current threat landscape and show Wannacrypt in action before taking a deep dive into the forensics of the attack. To register for one of these, send an email to info@custodian360.com or leave your details at https://custodian360.com/contact-us/

Friday the 12th of May 2017 saw the first ransomware worm we have seen in the wild wreak havoc across the globe. It exploited the SMBv1 vulnerability addressed by Microsoft's MS17-010 bulletin (patched for supported systems in March 2017), which let it spread through a network at alarming speed with no user interaction. Unpatched Windows 7 machines made up the bulk of the victims; Windows XP and Windows Server 2003, both out of support, had no patch at all until Microsoft issued an emergency one.

The first that many of us heard about this was the announcement that a number of NHS Trusts were experiencing some kind of cyber-attack. As it transpired, Telefonica had already suffered the same fate in Spain, and reports then started to come in from many different sources, alerting us that this was far more widespread than a few NHS Trusts or larger companies.

Over the next few hours I personally watched the spread of the worm around the globe. More and more infections were reported, and social media was alight with comments and pictures for many hours as more and more people fell victim to Wannacrypt, which was soon dubbed Wannacry.

Very soon we were looking at numbers as high as 200,000 infections worldwide. Had this been a traditional ransomware campaign this would not have been too bad for many organisations, as they would have been facing a single ransom of a few hundred dollars.

Many would see that as an acceptable price to recover files quickly, and many would pay promptly. Instead, because the worm demanded its $300 (rising to $600) on every machine it reached, organisations faced ransom payments totalling many thousands of dollars. For most, the only option was a massive clean-up: rebuilding affected computers and restoring files, where possible, from backup.

This left many IT staff working day and night over the weekend to get their business operational again for Monday morning. As this has been such a high-profile incident, we can clearly see that for many this simply has not been possible: many organisations are still in disaster recovery mode or limping along, some reverting to paper as a means of communication.

It does not get much worse than this. For the person responsible for providing IT services within an organisation, this is the nightmare scenario.

We should sympathise with some of these larger organisations, though. Many run bespoke applications developed for Windows XP or Windows Server 2003 that are not compatible with later, more secure operating systems, and the cost of both redeveloping the applications and migrating to new operating systems is prohibitive.

This, unfortunately, makes them sitting ducks. As exploits are discovered they depend on their security measures and on vendors living up to their claims about protection. Microsoft did release an emergency patch to stop the worm spreading on these systems, but we cannot rely on that happening again, as they are well beyond end of support. Even where Microsoft does release patches for future exploits, we have just seen that it takes a couple of days for them to become available; what option do you have then, shut down all of your systems until you can apply patches?

That is not an acceptable approach. Security vendors and suppliers must step up and work with these organisations to provide the level of protection that is now needed. Many new vendors are doing this and are finding new ways to detect malicious behaviour and stop it in its tracks.

The old approach of detecting threats by matching signatures of known behaviour is woefully outdated and leaves many exposed to the huge cost of remediation and the engineering hours it consumes. Recently, NSS Labs performed a Total Cost of Ownership and Effectiveness test across a number of endpoint protection vendors, which showed that a 500-user company can potentially spend $1,250,000 cleaning up a security incident. That is a big enough number for any organisation to "lose", and it is sure to rise after this latest incident.

At AVR International we have championed a move towards analysing behaviour in real time and stopping threats as they occur, rather than trying to recognise them in advance. This may sound like a risky approach, but when you look at what is actually happening these days it is absolutely the right one. Having run versions of Wannacrypt myself and looked at the forensics following execution, it is frightening to see how quickly this particular threat works. The ransomware itself seems to have one failing, though: it creates new files and encrypts them but does not delete anything until it has finished encrypting. Every piece of ransomware I have analysed up until now follows a simple pattern: create, write and delete.

For Wannacrypt, then, stopping the ransomware while it is still executing means you lose no files at all; for the families that create, write and delete as they go, everything they have not yet reached survives. The system does not look pretty, but you can carry on working. Many "next generation" vendors can do that, which lets us not only avoid paying ransoms but remediate at a more leisurely pace.
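The create, write and delete pattern described above is something a sensor can key on, as this added example (not SentinelOne's engine or Custodian360 code) shows. It runs two rules over a constructed stream of file events, the shape an endpoint sensor might emit: one for an original being deleted shortly after an encrypted twin appears beside it, and one for the Wannacrypt-style burst of new high-entropy files sharing one extension while deletion is deferred. The pids, paths, entropy values and thresholds are all made up for the demo.

```python
"""Behavioural detection of the create / write / delete file pattern.

Added example, not SentinelOne or Custodian360 code. The event stream,
pids, paths, entropy figures and thresholds are constructed for the demo.
"""
import os
from collections import defaultdict, deque

WINDOW = 5.0          # seconds of history kept per process
PAIR_THRESHOLD = 10   # "original deleted + encrypted twin created" pairs
BULK_THRESHOLD = 20   # high-entropy new files sharing one extension
HIGH_ENTROPY = 7.0    # bits/byte; compressed or encrypted data sits near 8


def ext_of(path):
    return os.path.splitext(path)[1]


class RansomwareDetector:
    def __init__(self):
        self.recent = defaultdict(deque)   # pid -> events inside WINDOW
        self.alerts = []                   # (pid, rule, count, ts)
        self._fired = set()                # one alert per (pid, rule)

    def feed(self, ev):
        """ev: {"ts": float, "pid": int, "op": create|write|delete,
        "path": str, "entropy": float (writes only)}"""
        q = self.recent[ev["pid"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        self._evaluate(ev["pid"], ev["ts"])

    def _evaluate(self, pid, now):
        q = self.recent[pid]
        created = {e["path"] for e in q if e["op"] == "create"}
        deleted = [e["path"] for e in q if e["op"] == "delete"]
        hot = [e["path"] for e in q if e["op"] == "write"
               and e.get("entropy", 0.0) >= HIGH_ENTROPY and e["path"] in created]
        # Rule 1: a deleted original with a freshly created file whose name is
        # the original plus a new suffix (report.doc -> report.doc.WNCRY).
        pairs = sum(1 for d in deleted
                    if any(c != d and c.startswith(d) for c in created))
        # Rule 2: many new high-entropy files that share one extension.
        by_ext = defaultdict(set)
        for p in hot:
            by_ext[ext_of(p)].add(p)
        bulk = max((len(s) for s in by_ext.values()), default=0)
        for rule, count, threshold in (("rename-pairs", pairs, PAIR_THRESHOLD),
                                       ("bulk-encrypt", bulk, BULK_THRESHOLD)):
            if count >= threshold and (pid, rule) not in self._fired:
                self._fired.add((pid, rule))
                self.alerts.append((pid, rule, count, now))


def scan(events):
    det = RansomwareDetector()
    for ev in sorted(events, key=lambda e: e["ts"]):
        det.feed(ev)
    return det.alerts


def sample_events():
    """Constructed sensor output: two benign processes and two ransomware runs."""
    evs, t = [], 0.0
    # pid 100: an editor saving a document (low entropy, nothing deleted)
    evs.append(dict(ts=t, pid=100, op="write", path="/home/a/report.txt", entropy=4.2))
    # pid 200: a build writing 30 object files (moderate entropy, nothing deleted)
    for i in range(30):
        t += 0.01
        evs.append(dict(ts=t, pid=200, op="create", path=f"/src/build/m{i}.o"))
        evs.append(dict(ts=t, pid=200, op="write", path=f"/src/build/m{i}.o", entropy=5.8))
    # pid 300: Wannacrypt-style, encrypted twins first, originals deleted at the end
    originals = [f"/srv/www/site/page{i}.php" for i in range(25)]
    for o in originals:
        t += 0.01
        evs.append(dict(ts=t, pid=300, op="create", path=o + ".WNCRY"))
        evs.append(dict(ts=t, pid=300, op="write", path=o + ".WNCRY", entropy=7.9))
    for o in originals:
        t += 0.01
        evs.append(dict(ts=t, pid=300, op="delete", path=o))
    # pid 400: the common create, write, delete sequence per file
    for i in range(15):
        t += 0.01
        o = f"/data/db/backup{i}.sql"
        evs.append(dict(ts=t, pid=400, op="create", path=o + ".ecrypt"))
        evs.append(dict(ts=t, pid=400, op="write", path=o + ".ecrypt", entropy=7.8))
        evs.append(dict(ts=t, pid=400, op="delete", path=o))
    return evs


if __name__ == "__main__":
    for pid, rule, count, ts in scan(sample_events()):
        print(f"t={ts:.2f}s pid={pid} {rule} count={count}")
```

Entropy alone is a weak signal, since archivers and legitimate encryption produce the same numbers; the pairing with a deleted original, and the burst rate inside the window, are what separate the two ransomware processes (pids 300 and 400) from the compiler (pid 200) in the sample. A real response would suspend the process at the first alert and roll back the files it had already touched.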

One vendor goes further, though. SentinelOne is currently the only "next generation" vendor to offer protection and full remediation in a single lightweight, autonomous agent. Moreover, they are the only vendor I am aware of that can say none of their customers were affected by Wannacrypt. That is some claim to be able to make, but as SentinelOne's only UK Managed Security Service Provider, Custodian360 can make it too.

SentinelOne's Deep File Inspection identifies Wannacrypt in all of its forms before it has a chance to execute, meaning you are never at risk.

With support for Windows XP and Windows Server 2003, it would seem to be the obvious choice for endpoint protection given the current threat landscape.

So obvious, in fact, that I am running a series of webinars to demonstrate how Wannacrypt works and what it does when executed; this is above all an educational webinar. We will demonstrate how SentinelOne remediates and recovers from the threat after execution. We run these webinars every day: 3pm GMT covers the managed service offering and 4pm GMT covers SentinelOne as an owned solution. To register, just drop us an email at info@custodian360.com

All are welcome and we will discuss the current threat landscape, how we see it changing and where it could go before looking into the forensics of this specific attack and what we can do to not only detect these threats but stop them in their tracks.

Cyber security is changing at a rate never seen before; don't let yourself be the one left behind as that sitting duck.

Ransomware Blog Post

Ransomware is coming for small business. Is yours ready?

In the thriving landscape of global cybercrime, ransomware is extending its reach ever further. Swiftly taking an increasing portion of the global cost of cybercrime, this highly disruptive and extortionate practice is aimed at a target ripe for the taking: small business.

What is it?

As the name implies, ransomware holds the asset or business owner to ransom. Once it infects a host, it restricts access to business-critical data and software unless a fee is paid. As with more traditional crime, payment is far from a guarantee of safety, with victims who cough up falling prey to repeated extortion.

It is far from new: ransomware has been around since the "AIDS" Trojan of 1989. What has changed is the sophistication of modern strains, which are insidious and well able to penetrate the poor standard of security common to small businesses.

The damage it causes

The scale of the problem is far from small. The U.S. Department of Justice recently estimated that ransomware will be the most damaging form of cybercrime experienced in 2017. The problem is fast exceeding mere millions: Robert Herjavec, founder of Herjavec Group, estimated worldwide damage and extortion from ransomware alone at $1 billion in 2016.

This alarming figure is all the more concerning for its meteoric rise in such a short time; not long ago the FBI and industry giant McAfee were talking in tens and hundreds of millions for the major ransomware families of the day.

Why small business?

The numbers are simple. Why target one large company per month for £10,000 when ten smaller businesses can be attacked and extorted for £2,000 each instead? Lacking dedicated risk and security staff, small businesses are also inherently more vulnerable. Proper precaution against cybercrime is no small undertaking, and the money and time required to safeguard effectively against ransomware is something many SMEs simply cannot afford.

Criminals know this. The statistics on the spread of ransomware across the small business landscape are nothing short of incredible, with the frequency of attacks in 2017 predicted to be three or four times that of 2015. With new ransomware specifically designed to exploit common gaps such as the absence of anti-malware software, perpetrators are well prepared to take advantage of the security habits of smaller businesses worldwide.

How to prepare

With the extent of damage to start-ups and SMEs across the world, now more than ever is the time to identify your exposure and close it before you fall victim yourself.

The good news is you have options. With software, hardware and professional consultancy becoming a bigger business every year, many services and solutions have arisen that can help ensure your business does not fall victim to the insidious threat of ransomware and wider cybercrime.

For those with the budget, professional consultation can be a swift solution tailored to your business-specific needs. Security professionals possess comprehensive, specialised skills that can prove critical to protecting business assets and infrastructure.

If the independent approach suits you better, standard practices such as mandating strong passwords, keeping systems patched, and running an effective firewall and intrusion detection can make your business more trouble than it is worth to target. Small business is a ripe target because of the tendency towards little or no security; a solid application of the tried and tested basics provides robust protection against most attacks.

Act now

Large or small, no business can afford to be complacent. With even fake ransomware attacks (scareware that merely claims to have encrypted data) costing UK businesses an average of over £13,000 per incident, the writing is on the wall: invest in security or risk the consequences of an attack.

Custodian360 is a complete endpoint protection solution offering prevention, detection and remediation with full-spectrum analytics. Powered by AVR International Ltd, Custodian360 lets us centrally manage your endpoints, using our behavioural analysis agent to alert our experienced analysts, who assess the threat quickly and effectively.

When threats are detected we are able to stop them in their tracks regardless of their nature, be it conventional malware or fileless, browser-based or network-based threats, ensuring the safety of your users and uninterrupted continuity of business. Even with the most virulent ransomware strains, if any files are encrypted we can offer full remediation in a matter of seconds, returning your files to their pre-execution state and removing all traces of the threat.