IT services company | GIGE IT Solutions: IT Services Mississauga
https://gige.ca/tag/it-services-company
IT Services & IT Solutions Mississauga & Toronto

Ransomware Attack Temporarily Shuts Down The Heritage Company
https://gige.ca/ransomware-attack-temporarily-shuts-down-the-heritage-company
Fri, 10 Jan 2020 17:03:43 +0000

The Heritage Company has temporarily shut down its operations due to a ransomware attack. In December of last year, CEO Sandra Franecke announced to the company’s 300 employees that the company had not fully restored its systems following a ransomware attack that October. As a result of the attack, the company would be temporarily suspending all its functions. In a statement to the company’s employees, she stated that “we do not prevent you from searching for other employment”.

What is data encryption?

Ransomware attacks are a type of cyberattack that encrypts data on a victim’s computer, demanding ransom payment for its release. Encryption is the act of scrambling data into a format that cannot be read unless it is decrypted using a digital key.

Unfortunately, the Heritage Company has not been the only ransomware victim in recent times. Over the past year, ransomware has become increasingly common among small businesses. In August of 2019, Wood Ranch Medical, a medical clinic located in California, announced that it was a victim of a ransomware attack. The attack had a widespread impact on the company’s IT infrastructure, including its servers and backups, where personal client information was stored. On December 17th 2019, the clinic closed as a result of the damages, stating that the records that were encrypted were lost and could not be recovered.

Ransomware attacks are now targeting backup systems

Ransomware attacks rely on the leverage of releasing encrypted data to extort money from victims. Therefore, if the victims have up-to-date backups of all the sensitive information, it eliminates the pressure point that attackers use. Knowing this, ransomware attackers have started to target the backup systems of victims as well, as illustrated by Wood Ranch Medical. In particular, since mid-2019, data backup manufacturers began warning customers that ransomware attackers were now targeting Network Attached Storage (NAS) devices.

Does paying the ransom fee guarantee safe release?

There have been many instances where encrypted data has not been released even after the ransom has been paid. These strains of ransomware, called wipers, are designed to simply destroy the data. An example of wiper ransomware is “NotPetya”. However, because the victim has no way of knowing for certain that the data cannot be restored, ransom payment is still the only option in many attacks.

Learn more about NotPetya and other ransomware strains by calling us today at 888 366 4443 or emailing us at info@gige.ca

The post Ransomware Attack Temporarily Shuts Down The Heritage Company first appeared on GIGE IT Solutions: IT Services Mississauga.

How The Dexphot Malware Evolves To Avoid Detection
https://gige.ca/dexphot-malware
Fri, 06 Dec 2019 16:32:11 +0000

Dexphot is a malware that has raised concern over its complex strategy of avoiding detection.

First detected in October 2018, Dexphot is a strain of cryptojacking malware. Cryptojacking malware is defined by its main goal of secretly hijacking computer resources in order to generate digital currencies for the cyberattacker. The victim’s computer suffers slowdowns and is at risk of overheating due to overuse of computer resources. You can learn more about the impacts of cryptojacking infection in our article here.

How is Dexphot designed to avoid detection?

Microsoft states that Dexphot exploits a combination of back-end processes in order to avoid detection by antivirus software. These include PowerShell, DLL, and MSI. By exploiting these three processes, Dexphot is able to use polymorphism to exist in many different forms, making file-based detection difficult.

MSI

MSI is the file format used by Windows Installer packages. Dexphot avoids malware detection by using hundreds of unique URLs to install the malware onto victims’ computers. According to Microsoft, over 200 URLs that have been used to download Dexphot have been identified.

Furthermore, Dexphot is able to detect the presence of antivirus software during infection. If it discovers that antivirus is installed, it automatically stops the installation process.

DLL

DLLs, or Dynamic Link Libraries, are shared code libraries that help with code modularization and efficient use of computer resources. However, malware such as Dexphot can exploit DLLs to hide its malicious activity.

After installation, Dexphot exploits DLL in order to unpack 3 malicious files onto the victim’s computer. 2 of these files monitor and protect the 3rd file, which executes the cryptojacking.

These 3 malicious files use a technique called “hollowing” in order to avoid detection. This involves hijacking legitimate processes and hiding malicious code in otherwise legitimate code execution. Specifically, Dexphot hijacks the processes svchost.exe, nslookup.exe, and setup.exe in SysWoW64.

What is PowerShell?

PowerShell is a tool that is pre-installed in Windows operating systems. Its purpose is executing code, often directly from computer memory without using the disk. The danger of malware abusing PowerShell is that exploits can leave little to no evidence, making it both difficult to detect and to trace.

Dexphot exploits PowerShell in the event that it is ever compromised by antivirus software. If this occurs, Dexphot will initiate a self-termination and reinfection process that relies on PowerShell.

Microsoft states that its new Defender Advanced Threat Protection uses behaviour-based detection in order to detect malware such as Dexphot. As described above, Dexphot is difficult to detect using a file-based detection strategy, as it can appear in many forms.

Don’t fall victim to malware like Dexphot. Contact us at +1 888 366 4443 or info@gige.ca to learn more about how to protect yourself.

The post How The Dexphot Malware Evolves To Avoid Detection first appeared on GIGE IT Solutions: IT Services Mississauga.

Microsoft Urges Users To Patch Windows To Defend Against BlueKeep Exploits
https://gige.ca/bluekeep-exploits-patch
Thu, 14 Nov 2019 20:41:14 +0000

To protect yourself from ongoing BlueKeep exploit attacks, Microsoft urges users with systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2 to update their operating systems.

BlueKeep is a vulnerability with ‘worm’ capability. This means that malware exploiting it can spread itself to other vulnerable computers on the network without additional input from the victim, making this type of malware particularly dangerous.

An example of ‘worm’ malware is WannaCry, which was able to globally infect over 100 000 computers within a 24-hour period in 2017 due to its worm capability.

Ongoing BlueKeep Exploits

To detect malware on the internet, cybersecurity professionals often set up ‘honeypots’ – decoy computers that are designed to study cyberattack methods by baiting attackers into infecting them with malware.

On October 23rd, cybersecurity researcher Kevin Beaumont noticed that honeypots that he had set up around the world were crashing and rebooting themselves with increasing regularity. Hutchins, another cybersecurity researcher, confirmed that the reboots were caused by the BlueKeep exploit.

Upon further investigation, Hutchins also discovered that the BlueKeep exploit that was detected had the goal of installing cryptomining malware on infected PCs. You can learn more about cryptomining in our article here.

What are steps that you can take to protect yourself?

Keep your system updated

The most effective way of protecting yourself from BlueKeep exploits is by keeping your PC up-to-date. Security engineers are constantly detecting and repairing security vulnerabilities in their software. It is essential that you download security patches from your software manufacturers in order to protect yourself from publicly known dangers.

Disable RDP

Remote Desktop Protocol (RDP) is a Windows feature that allows a computer to remotely connect to and control another PC. It is useful for IT management and remote troubleshooting, but can also be a security liability. BlueKeep exploits RDP in order to infiltrate PCs, so it is important to keep this feature turned off to protect yourself.

Don’t fall victim to a cyberattack. We can help you protect your company from cyberattacks such as BlueKeep. Call us at +1 888 366 4443 or email us at info@gige.ca to get started immediately.

The post Microsoft Urges Users To Patch Windows To Defend Against BlueKeep Exploits first appeared on GIGE IT Solutions: IT Services Mississauga.

IT Services Company HCL Suffers Data-Leak, Quickly Recovers
https://gige.ca/hcl-data-leak
Tue, 18 Jun 2019 15:19:57 +0000

HCL, a multibillion-dollar company with over 100 000 employees, has suffered a data leak of sensitive customer and employee information. The leak was discovered on May 1st 2019 by a research team at UpGuard.

Information that was leaked included employee information, customer information, and company project details. For employees of the company, names, IDs, and contact information dating back to 2013 were leaked.

HCL has not been the only victim this year of data leaks. In April, UpGuard researchers also discovered that a configuration error by Facebook-partner Cultura Colectiva allowed 500 million user records to be publicly available for download. Leaked information included Facebook comments, account names and IDs.

In a 2019 report by Verizon, it was found that around 34% of data breaches were caused by individuals within the companies. A large part of this was caused by human error, such as CC’ing incorrect people in e-mails, accidentally publishing sensitive information online, or mistakes in network configurations.

The HCL data leak incident illustrates the importance of damage mitigation in the event of data leaks. The risk of data leaks will always be present, as there will always be the risk of human error. Therefore, it is equally important to ensure that the protocols to minimize exposure are well-defined. UpGuard reported that within 48 hours, HCL was able to recover from the data leak and make the information private again. This was largely due to the fact that the contact information of the data protection officer was easily located.

GIGE Solutions helps design and manage your data privacy and IT infrastructure. Contact us at +1 888 366 4443 to get started with us today.

The post IT Services Company HCL Suffers Data-Leak, Quickly Recovers first appeared on GIGE IT Solutions: IT Services Mississauga.

6 Critical Practices that improve your Company Cybersecurity
https://gige.ca/6-critical-but-overlooked-practices-that-keep-your-organization-cybersecure
Wed, 19 Sep 2018 18:51:58 +0000

Company cybersecurity should be of utmost importance to any organization. Protecting sensitive data and client information is essential to building customer trust. A recent report conducted by the Center for Internet Security (CIS) has found that many of today’s companies are neglecting simple cybersecurity practices. In the study, named “State of Cyber Hygiene Report”, over 300 professional IT technicians were surveyed to find out if organizations were adhering to 6 key cybersecurity avenues. Their results are as follows:

1 // Security management of company hardware

Inventory tracking of company hardware is essential to being able to detect suspicious devices that connect to your company’s network – an important part of company cybersecurity. If an attacker is able to connect a malicious device to the company’s server, they will have bypassed a critical aspect of the company’s cybersecurity wall.

The study discovered that a mere 29% of the studied companies keep inventories of 90%+ of their devices. Significantly, the survey discovered that more than half of the companies take between hours and months to discover unregistered devices on the company network.

2 // Security management of company software

Similarly to hardware management, software whitelisting lets an organization allow only authorized software to be installed on company-connected devices. The detection of any suspicious or unregistered software will result in an alert. Without this precaution, company computers could be running malicious software completely undetected.

With the proficiency of current-day malware, it only takes minutes of undetected connection for a malicious device to wreak havoc. However, CIS found that only 14% of organizations were able to detect new devices on their network in minutes, leaving the remaining 86% vulnerable to these devices.

3 // Ongoing assessment of vulnerable areas

Organizations should be continuously vigilant for new software vulnerabilities and react promptly in downloading relevant updates. Many historical cyberattack incidents were the result of companies neglecting to update their servers in time, making them vulnerable to threats that were in fact patched out months before. It is recommended that companies adopt cycles of update-checks on the timeline of days and weeks, rather than months, in order to maximize security.

The study discovered that a majority (56%) of the companies have been keeping up with updates within one week, while the remainder of the companies took over a month to discover and deploy new updates.

4 // Limited administrative access

Administrative accounts have more control over an organization’s computers. Because of this, they are often a major target for cyberattackers. To counteract this, it is recommended that administrative computers are kept disconnected from sectors of the company’s network, to both minimize their vulnerability as well as their control. However, it was found that only 47% of companies are using this method to protect their administrative computers.

5 // Managed configuration environments for company devices

A common avenue for data breaches is a mistake during the set-up of software on new company systems. This is because configuration of these machines is often done in unsecure, unmonitored environments. To counteract this, it is important for the company server to scan for changes in software configuration on a minute-by-minute timeline. However, the study found that a mere 18% of companies were actually adhering to this recommendation.

6 // Ongoing monitoring of company event logs

Finally, it was deemed important for companies to continuously monitor logs of changes and digital activity. This allows for more efficient detection of suspicious or unregistered activity, which may be caused by cyberattack attempts. It was found that an astonishing 54% of studied organizations were not doing any log analysis on their network’s systems.

Strengthen your company cybersecurity and do not fall victim to cyberattack. Become informed and regularly practice these 6 critical cybersecurity measures. Our tech experts at GigE have years of cumulative experience designing, deploying and maintaining cybersecurity strategies. You can learn more about our IT security services here.

With our new 10-for-10 policy, we now offer ten minutes of professional consultation for only CAD$10. Call us at +1 888 366 4443 to get started now!

The post 6 Critical Practices that improve your Company Cybersecurity first appeared on GIGE IT Solutions: IT Services Mississauga.
