A Leading Media Company, Media Prima, Attacked by Ransomware

Ransomware Hits Again

It seems the situation is not getting any better: more and more major companies and networks are reporting that they have been victims of ransomware attacks.

The most recent one is Malaysia’s leading media company, Media Prima, which runs TV and radio channels, newspapers and digital media. In the past four days, its computer systems have been breached and infected with ransomware. The attackers are demanding 1 000 bitcoins, which is around US$6.45 million.

How Does Ransomware Work?

When a ransomware attack occurs, it encrypts your system and your files until you pay the ransom. You get instructions on the screen on how to do it. The payment is made in Bitcoin. Many pay the ransom in the hope of retrieving their data.

However, there is usually a timer attached to the ransomware lock that counts down to the moment when the files become lost forever. Yes, this happens too. Ransomware can destroy all the keys required for decryption if you don’t pay the ransom by the given deadline.

Aside from restoring from offsite backups, there are no alternatives available today for recovering the files without paying the ransom – and once the keys are destroyed, the files are gone forever.

Latest News

The latest information shows that this attack was most probably designed specifically to target Media Prima. We don’t have exact information on whether Media Prima’s data has been breached, or whether the media group will suffer financial losses due to the ransomware attack.

Some sources claim that Media Prima’s office email has been affected but that the company has migrated the email to another system. For now, Media Prima is not considering paying the ransom.

Businesses: Ransomware’s New Target

Ransomware attacks are getting more agile, complex and widespread. Attackers have increasingly started targeting businesses of all sizes in all sectors, rather than consumers.

One of the attackers’ most common and favorite ways to spread ransomware is by sending malicious emails to employees of the company. Once they open the email, or sometimes simply click on the link in it, the ransomware starts downloading automatically in the background.

The ease with which it can be shared and spread is precisely one of the reasons why ransomware is becoming more and more popular among cyber criminals. Attacks have also spread to mobile devices with the help of different banking Trojans.

We cannot emphasize enough the importance of companies educating their own employees on how to identify a ransomware attack before becoming a victim.

Luck is not something you should rely on when it comes to ransomware, because it can happen to any company. The consequences can be catastrophic: such an attack could destroy a business if offline backups have not been kept.

Ransomware Turning Into a Business

Ransomware distribution is run like a business today. Developing, buying, selling, trading and distributing different ransomware variants has enabled hackers to create micro-economies that have turned into a global network. The main reason for this is that hackers have realized they can make huge sums of money this way.

This image was designed by Vectorpocket and can be found at https://www.freepik.com

Protect Yourself in Time

The most important thing to keep in mind is that you should not wait for ransomware to attack you or your business. Protect your corporate network as well as your home devices in time. Install an antivirus solution and enhance your protection with an anti-malware solution that serves as an additional layer of defense.

Together, they will detect suspicious behavior on your devices and block it immediately, keeping your data safe from anyone who wants to invade your privacy and keeping you from becoming another victim.

How to Survive in Today’s Cyber World

According to Routine Activities Theory, one of the four major victimology theories, a crime occurs when a motivated offender and a suitable target are present while capable guardians are absent. These three elements must converge at the same time and in the same environment. The theory suggests that a motivated offender will act upon a suitable target when there is nobody who can prevent the crime from happening. A burglar, for example, can sneak into a house where nobody is present to steal valuable goods.

The Suitable Targets

If we apply this theory to the cyber world, the environment and time limits are no longer an issue, due to the structure of the cyber world. So, regardless of size or sector, all businesses are targets for cyber-attacks. A cyber-attack occurs when a motivated hacker detects a target that has no capable guardian, which in this case means no appropriate cyber security system.

What Motivates Hackers to Infiltrate…

There are many reasons behind a cyber-attack. From the hackers’ point of view, there are many desires and motivations behind their actions. For better understanding, these can be categorized into three main groups.

Designed by Freepik can be found at https://www.freepik.com/free-vector/young-anonymous-hacker-with-flat-design_2753362.htm

Financial Gains

This is the most common reason for a cyber-attack. Hackers usually want to earn money as easily as possible, and they typically follow three main ways to achieve this.

  1. Hackers infiltrate your network or database to steal the information that you create and store to do business. This information could be related to your customers or products. This kind of data breach usually goes unnoticed because hackers aim to steal the information periodically. Once the information is taken, they can either use it for identity theft and fraud or sell it to third parties for the same purpose.
  2. Hackers can lock your computer or encrypt your files and demand a ransom to restore them. Once they are in your computer, they execute malicious software called ransomware that leaves you at a stalemate. This malware informs you that your computer is locked, or that your files are encrypted, and that you have only one way to recover them: paying the ransom they demand. At this point, even if you pay the ransom, there is a chance that your files will stay locked forever or that you will be targeted again with the same ransomware.
  3. Instead of selling the information, hackers can alter information within the company in order to perpetrate a direct fraud on the business. In this attack pattern, hackers usually aim to change the destination of a payment. They can send a fake email, which looks legitimate, on behalf of a supplier advising of changed bank details. Once the details are changed, the money goes to the hacker’s account rather than the supplier’s.

Hacktivism

Hacktivism means infiltrating a system or a network to make a political or social point. Hacktivists can interrupt or stop their target’s normal activity with Denial of Service (DoS) attacks; governments and political institutions are often targeted this way. They may also look for information that damages their targets’ reputation. After such a data breach, the information usually ends up on Wikileaks.

Challenge

Some hackers love to challenge themselves, to prove themselves in their community, to get an adrenaline rush, or both. They may not have criminal intentions. For example, white hat hackers hack into institutions’ networks with authorization in order to find weaknesses. However, inexperienced hackers may damage the system while challenging themselves, creating new weaknesses or back doors in the network for those who do have criminal intentions.

Hackers may have other motivations as well, such as getting revenge, gaining a commercial advantage or more complex ones…

Insider Attacks

While a motivated hacker can attack your business from the outside, insiders, such as employees and business partners, can also attack your business or assist attacks that target it. In fact, many security breaches occur due to misuse of corporate IT systems by an insider. An insider can be motivated, careless or negligent.

Even if your business has a sufficient cyber security system, insiders often open your business up to cyber risks. An insider can:

  • open spam e-mails,
  • click on suspicious links,
  • share confidential information on social media,
  • install unauthorized software,
  • keep confidential information on a portable device and leave it unattended,
  • use a personal e-mail account for business,
  • download pictures, videos and audio files,
  • use unsecured devices to access a company’s network…

Designed by Freepik can be found at https://www.freepik.com/free-vector/warning-pop-up-with-flat-design_2604665.htm

The Capable Guardian

A business must be protected from both outside attacks and inside negligence. Antivirus or anti-malware software can protect your business from outsiders, but it won’t control insiders. Even if the software offers very solid protection, without the policies required to control insiders there will always be back doors for hackers. That’s why traditional anti-virus solutions alone do not work for corporate network protection.

As advanced corporate network protection software, Zemana Endpoint Security offers antimalware, anti-ransomware, anti-phishing and anti-keylogging protection. In addition to its real-time multilayered defense and machine learning capabilities, Zemana Endpoint Security controls insiders and prevents negligence within the company. It restricts them via content control mechanisms such as URL and keyword filtering, application blocking and device management. Thus, Zemana Endpoint Security won’t let insiders open your business up to cyber risks.

All You Need to Know About Cerber Ransomware

What is Cerber ransomware?

Cerber is one of the most active kinds of ransomware. It encrypts the files of its victims and demands money in exchange for giving back access to their files. It works even if you are not connected to the Internet, so you can’t stop it by disconnecting your PC from the network.

Just like any other type of ransomware, the Cerber virus generally arrives via phishing emails and exploit kits. Once your PC is infected and your files encrypted, you are met with a message that gives instructions on how to decrypt them. The ransom is demanded in bitcoins with the promise that you will regain access to your files once you pay the fee.

In July 2016, active Cerber ransomware campaigns delivered via exploit kits successfully infected roughly 150,000 users worldwide.

How Does it Work?

Earlier versions of Cerber renamed encrypted files with a .cerber extension. Newer versions add a random file extension instead. Cerber finds its way into your system with the help of a Trojan horse virus. It is most commonly distributed via emails.

Usually, you receive an email in your inbox with either some form of attachment or a link to some website. The Trojan is typically inside the attached file – this could even be a Word file – and proceeds to download the ransomware as soon as you open that file. The same goes for the link: it redirects you to a website from which Cerber is downloaded.

What Is So Special About Cerber?

Cerber doesn’t target all countries. Computers in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan are safe from this ransomware: if the computer appears to be located in any of these countries, Cerber terminates itself without encrypting anything.

The Cerber virus works on a Ransomware-as-a-Service business model, which means that affiliates can join in order to distribute the ransomware, while the Cerber developers earn a commission from each ransom payment.

Will I Get My Data Back If I Pay The Ransom?

To make sure victims can make the payment, the attackers provide instructions on how to pay in Bitcoin.

Paying the ransom to the hackers is one possibility. But there’s no guarantee it will work, because cyber-criminals aren’t exactly the most trustworthy group of people.

Also, paying the ransom may encourage these bad guys to continue and even expand their operations. We strongly suggest that you do not send any money to these cyber criminals, and instead contact the law enforcement agency in your country to report the attack.

Designed by Vectorpouch and can be found at https://www.freepik.com

How To Prevent Cerber Ransomware From Infecting My PC?

To prevent Cerber or any other type of malware from infecting your PC, it is crucial to have antivirus software installed as basic protection, together with antimalware protection that serves as an additional layer. Also, you need to keep backups of your personal documents.

Cerber Removal

Unfortunately, once your PC has been infected and your data encrypted, you cannot recover it. The hackers behind the Cerber ransomware claim you will get your data back once you pay the ransom, but no one can guarantee this will happen.

Antivirus and antimalware software can only remove the infection from your PC, or block it and prevent it from infecting your PC if you were wise enough to have them installed in time. However, they cannot recover your encrypted files. Therefore, it is highly important to protect your files in time.

If you are using the Zemana AntiMalware Premium version (which comes with a 15-day free trial), it will protect you by blocking the Cerber ransomware in time, preventing it from infecting your PC.

However, if you decide to continue using the trial and do not wish to purchase the Premium subscription at the end of the trial, your Zemana AntiMalware program will disable the premium features. All other (basic) features will remain unchanged. This means that you will no longer be protected from Cerber, but you will still be able to scan your PC with Zemana AntiMalware, which will detect Cerber and block it.

Therefore, the best prevention against Cerber virus is installing the right protection solution even before you get infected.

Zemana AntiMalware As A Cerber Removal Tool

According to MRG Effitas, Zemana AntiMalware has proved to be the best anti-ransomware software on the market.

If you are looking for a solution that will help you in removing Cerber, it is important to note that Zemana AntiMalware is compatible with any antivirus software that you might have on your PC and will run alongside it without any conflicts.

Below you can find a guide on how to detect and remove this ransomware with Zemana AntiMalware.

STEP 1: Download Zemana AntiMalware here.

STEP 2: Once downloaded, install the software on your PC. You can do this by double-clicking the ZAM program icon on your desktop or in your downloads folder.

STEP 3: Press the “Scan” button.

STEP 4: When the scan is complete, click “Next”.

STEP 5: Restart your computer if you are prompted to do so.

Cyber Threats That are Lurking in Hospital Environment

Healthcare technologies are saving and enhancing patients’ lives with wearable devices that monitor patients’ health and administer medication according to the patient’s readings, such as insulin pumps, pacemakers and so on. They also provide storage for Electronic Health Records, which are used to review a patient’s history very quickly and evaluate the patient’s condition effectively.

When these devices connect to each other, this technology can also be used outside the clinical environment. Thus, doctors can monitor their patients remotely, without the patient coming to the hospital. Healthcare technologies offer increased efficiency, reduced errors, automation, remote monitoring and time savings.

But, Is It Safe?

It is known that hospitals are very attractive targets for stealing patient information. According to worldwide reports, millions of medical records have already been stolen. Recently, the health sector has become one of the most targeted sectors, and attacks on this sector are increasing and getting more severe.

Then

Before Electronic Health Records, every hospital, or even every department, had its own records. A case of missing or stolen papers that were exposed later would only affect hundreds or thousands of patients within that hospital or department. These records could only be accessed physically and were limited to the hospital staff who could get hold of the physical paperwork. Thus, it was very hard for an outsider to sneak a peek at medical records.

Now

With Electronic Health Records, medical data is now electronic. All the data from various hospitals is gathered in one pool and can be accessed remotely. Thus, in the case of a breach, millions of patients are affected. This has led financially or politically motivated hackers to go after celebrities or businessmen who don’t want their medical data revealed because of a condition that could humiliate them or damage their reputation.

This image was created by Rawpixel.com, can be found at https://www.freepik.com/free-photos-vectors/heart

More Than a Data Breach

Now that wearable devices are in the picture, more severe consequences should be expected from cyber-attacks that target the health sector. Devices that share real-time vital readings and administer doses of medicine will become new targets and create new vulnerabilities when integrated into a hospital’s network without the necessary cyber safety precautions. Thus, health security will become a patient safety issue.

Why Is The Health Sector Being Targeted?

People thought that nobody would be interested in attacking health care systems, so they avoided spending money on cyber security. Unfortunately, they were wrong. Health care systems attracted hackers and created new back doors for them to infiltrate. Due to this lack of awareness, some hospitals are still using operating systems that are no longer supported, such as Windows XP, and some are not keeping their software updated to prevent security breaches.

In fact, medical data is far more valuable than financial data. Aside from being sold for thousands of dollars, it can be used to obtain health services and medication – which can in turn be sold on the Internet – or even to open bank accounts and apply for loans.

It can also be used for more than making money. Imagine a politician who has an allergic reaction to bee stings; combining this information with bees could be life-threatening for the politician. Or a cyberwar that targets specific people through their medical devices…

How Health Care Technology Can Be Protected?

In the health care system, the focus is on patient care; millions of dollars are spent to keep patients alive and treat them well using health care technologies that create and store vast amounts of sensitive and valuable information. Biological viruses are being wiped out of hospitals, but what about cyber viruses: spyware, ransomware and other kinds of malware?

This image was designed by Tirachard can be found at https://www.freepik.com/free-photo/blurred-background-abstract-blur-beautiful-luxury-hospital-and-clinic-interior-for-background-vintage-effect-style-pictures_1375238.htm

Since new types of malware are created every minute, there is no 100% effective way to protect any kind of computer or device from cyber-attacks. However, the following steps offer strong protection because they close the vulnerabilities attackers rely on:

  • Backups should be created so that data can be quickly recovered in the event of an attack that erases or encrypts it.
  • All software must be kept updated so that security patches cover the software’s recent vulnerabilities.
  • All medical data should be encrypted so that, in the event of a breach, third parties can’t use it.
  • All employees should be trained to eliminate inside threats, such as attacks that occur due to mistakes or deliberate actions: phishing websites and social engineering attacks.
  • Instead of traditional antivirus solutions, advanced security software must be used because of its multilayered defense and machine learning capabilities – Zemana Endpoint Security is one such solution.
  • A network security device, such as a firewall, is a plus alongside advanced security software.

New Wave of Browser Hijackers

New Phishing Campaign

A new phishing campaign that redirects users to a browser hijacker has been discovered recently. The attackers used fake alert messages to trick users into thinking they were infected with malware. Scared users then called the number shown in the notifications, asking for technical support to help them remove the malware. Unfortunately, they ended up paying for unnecessary technical support.

Phishing Emails

It all starts with a user receiving an email asking them to click on a box to display a message. The message in the email is usually designed to convince you that you are infected with malware. Apart from the message, there is a technical support phone number as well.

If you click on it, you might be redirected to a website and tricked into providing your credentials. Meanwhile, the malware shifts the browser to a full-screen display and does not allow users to close the fake Outlook page.

Since both home and business users use email every day and rely on it, experts believe that this new phishing campaign targeted both groups.

Namecheap Domain Names

According to experts, the domains used by the attackers to send the phishing emails were all purchased from Namecheap. Namecheap provides domain name registration services and offers domain names registered to third parties for sale.

Why Do Browser Hijackers Pose Such a Threat?

Browser hijackers are one of the most common threats in today’s online world. Many users without a technical background often don’t even realize they have been infected. This is precisely why browser hijacking can be so dangerous.

How Can I Recognize It?

Whenever a piece of software modifies your browser settings, default search engine or homepage without your permission, you are infected with a browser hijacker. Browser hijackers also redirect you to websites you don’t want to visit, with the sole purpose of tricking you into giving out your credentials.

It often comes in the form of adware, displaying annoying ads on your screen and making it difficult to close them. There is a high chance that you will click on an ad, accidentally if not on purpose, and be redirected to a website you don’t want to visit. There you might be asked to share your email address or your financial credentials.

How Can I Protect Myself From Browser Hijackers?

Here are some necessary steps you need to take to ensure your protection:

  1. Update your OS and your browser software
  2. Install an antivirus and antimalware protection
  3. Use your antivirus software’s “Real-time protection” feature
  4. Don’t click on suspicious links in your emails
  5. Be suspicious of free programs (double check how secure and legitimate they really are)

How To Remove Browser Hijackers?

Removing a browser hijacker is often a rigorous process. It’s best to start with your browser and work your way down to your operating system to see how far-reaching the browser hijacker is.

We advise you to remove suspicious and unnecessary toolbars and extensions. After that, you can close your browser and restart your computer.

Once your computer has restarted, check that what you removed is still gone. If it is, change your browser settings back – default search engine, homepage, etc. – and everything will return to normal. If you’re still being redirected or an extension won’t uninstall, you’ll have to go deeper.

In That Case, Install Zemana AntiMalware

Zemana AntiMalware has long been known as the best tool on the market for detecting and removing browser hijackers. It has always been highly efficient at this, and the best thing is that you can download it for free (it comes with a 15-day free trial).

However, if you decide to continue using the trial and do not wish to purchase the Premium subscription at the end of the trial, your Zemana AntiMalware program will disable the premium features. All other (basic) features will remain unchanged.

Stay safe with Zemana! 🙂

TRITON: The Malware That Could Have Killed Hundreds

In December 2017, a Middle Eastern oil and gas petrochemical plant was attacked by malware named TRITON, also known as TRISIS or HatMan. It targeted the plant’s Safety Instrumented System, which is part of its Industrial Control Systems.

ICS vs SIS

Industrial Control Systems (ICS) are computer-based devices used by engineers to monitor and control different process variables. These autonomous devices are used in industries that create products by applying a continuous series of processes to raw materials, such as electricity generation, oil refining and chemical processing.

Safety Instrumented Systems (SIS) also monitor variables, but they are not intended to control the production process. They trigger alarms and overriding signals to protect people, the plant and the environment when a monitored process goes beyond the allowed operational limits.

Factory designed by Macrovector https://www.freepik.com/free-vector/industry-background-design_1048767.htm

These systems are used in oil and gas plants, nuclear energy facilities, water treatment facilities and more. Thus, incidents such as hardware failure, fire and explosions are prevented, and production continues without catastrophic results.

Seriousness Of This Attack

Unlike other cyber-attacks, this attack was critical. Its purpose was more than stealing information or causing disruption; it was meant to create a catastrophic incident by disabling the Safety Instrumented System. Due to the seriousness of the industrial attack, an in-depth analysis was performed.

The Attack Pattern

According to the analysis, the malware targeted Schneider Electric’s Triconex products, which are SIS. It was very well written. The malware’s intent was to install a Remote Access Trojan (RAT) designed to give the attackers read, write and execute capability over the Safety Instrumented System in RUN/Remote mode, access to all regions of memory, access to the control logic and access to the firmware.

It was written specifically for the model and firmware version of the targeted SIS – Tricon 3008 v10.3. The malware required access to the SIS network, locally or remotely, and a computer from which to load the malware onto the Tricon.

In this incident, the TriStation terminal, a software application for developing, testing and documenting safety-critical and process-control applications that run on Triconex controllers, was used to launch the attack. Furthermore, the key switch located on the front panel of the product must be set to Program mode. In that position the switch no longer protects the memory from being written, and the Tricon can be infected.

What Was Their Plan?

Apparently, the hackers wanted to manipulate layers of shutdown protocols to keep the system running while they reached deeper to gain more control. Despite being well written, the malware accidentally triggered the emergency protocol and the system was shut down. This gave away the attack. Since the hackers could not deliver the actual payload into the system, their true intentions are still unknown.

Russia?

However, analysts recently found a clue that traced the malware to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow, Russia. According to the analysts, it is very likely that malware development activity at CNIIHM, including the testing of multiple versions of malicious software, supported TEMP.Veles, the activity group behind the TRITON intrusion.

From the testing activity, the analysts found independent ties to CNIIHM and to a person whose online activity shows a significant connection to CNIIHM. TEMP.Veles used an IP address registered to CNIIHM to monitor open-source coverage of TRITON, to perform network reconnaissance and for malicious activity in support of the TRITON intrusion. The behavior patterns of TEMP.Veles activity were consistent with the Moscow time zone.

Lastly, the analysts believe that CNIIHM has the institutional knowledge and personnel required to develop TRITON and to support TEMP.Veles operations. Without specific evidence they could not prove the link between CNIIHM and TRITON, but they have associated this capability with Russia.

The Wake Up Call

This incident should serve as a vital wake-up call for the industrial control and cyber security community. Strong protection is more crucial today than ever. It is also highly important for businesses to educate their employees about the importance of cyber security and all the risks the cyber world brings. There are numerous examples of malware attacks that occurred due to employees’ negligence. Proper security systems together with employee awareness work best to maintain a safe online experience.

New Banking Malware Found on Google Play

New Target – Users From Brazil

Malware authors have always used different apps to disguise banking Trojans and place them on the Google Play Store. Security researchers have found a new strain of malware targeting banking apps on Android devices. This time a new banking malware family is targeting users from Brazil. It is distributed through Google Play as well as through Facebook in the form of promoted ads.

What Is The Threat All About?

This Android malware poses as the following apps: Clean Droid with over 500 installs, Quem viu teu perfil with over 10,000 installs and MaxCupons with over 1,000 installs. To stay under the radar, the app can only be downloaded and installed in Brazil.

When Was It Released?

The malicious app was most probably released in September 2018. The earliest recorded infiltration has been available for more than a month. The Clean Droid infiltration is also distributed on Facebook. Two Clean Droid pages were created on Facebook in October 2018 using the same profile picture as the app on Google Play. One of the pages gives Sao Paulo, Brazil as its address to attract more people from that region.

Targeted Apps

The sole purpose of the new Android malware is to fool users into entering their credentials so that it can steal them. This is its primary focus. This Trojan family does not target only one app: it targets shopping apps, financial and banking apps as well as entertainment apps. The estimated number is around 26 different apps. It hides inside these apps and has complex functionality.

Here Is How You Can Protect Yourself

1) Only download apps from Google Play – malicious apps are much more common on third-party app stores, where they are rarely removed even when detected, unlike on Google Play.

2) Before downloading an app from Google Play, make sure to check its ratings, reviews and number of downloads.

3) Pay attention to what permissions you grant to the apps you install

4) If you don’t use an app, uninstall it – simply get rid of it. The fewer apps you have on your phone, the fewer chances an attacker has to invade it.

5) Always keep your Android device updated and use a reliable mobile security solution. Our Zemana Mobile Antivirus is a lightweight but strong app that will keep your mobile device safe without overloading your system.

6) Turn off Wi-Fi and Bluetooth connections when you are not using them.

Let us know if this article was helpful or interesting to you!

Also, feel welcome to sign up to our Zemana forum! There you can join different discussions, ask all about Zemana products and meet other Zemana users.

Stay safe with Zemana! 🙂