XSP

Keyboard equipped with a red ransomware dollar button.

There have been reports of several companies being infected by the Crysis ransomware, so we have looked into what it does and how it can be prevented.

History

First detected in February 2016, this ransomware has several methods of infection. The most common is an email attachment that uses a double extension (for example a ".pdf.exe" file) so that it appears to be a non-executable document. It has also been seen arriving through spam emails and compromised websites, and there are reports of it being placed on online locations and shared network drives disguised as the installer for various legitimate programs.

Description

Crysis itself can encrypt over 185 file types across fixed, removable and network drives, using a combination of RSA and AES encryption. Once running it also attempts to delete the computer's Volume Shadow Copies, removing the easiest local recovery path, and creates copies of itself in the following locations:

  • %localappdata%\%originalmalwarefilename%.exe
  • %windir%\system32\%originalmalwarefilename%.exe

The malware then creates or edits the following registry values so that it runs at every system start:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"

Finally, after encryption a ransom note is placed in the user's Desktop folder as a .txt file, sometimes accompanied by an image set as the desktop wallpaper:

  • %userprofile%\Desktop\How to decrypt your files.txt

There are also reports of Crysis stealing data and credentials from infected machines and sending them to its command and control (C&C) server. If those credentials are not changed, the infected computers and the local network remain exposed to further attack even after the ransomware itself has been removed.

Crysis has also been seen monitoring and collecting data from instant-messaging applications, webcams, address books, clipboards and browsers before sending it to the C&C server; the Windows variant additionally steals account names and passwords.
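As an added example (not code from the original write-up or from Trend Micro), the following Python script turns the host indicators above into a triage check: it reads both Run keys, flags any value whose name matches the base name of the executable it launches when a same-named copy also exists in %localappdata% or %windir%\system32, checks for the ransom note on the desktop, and counts Volume Shadow Copies with vssadmin. The matching logic is kept separate from the Windows collection so it can be exercised with constructed data on any platform; the registry, file and vssadmin reads only run on Windows. Nothing here identifies Crysis by hash or signature; it only checks the behavioural pattern the write-up describes, so treat hits as leads to confirm, not verdicts.

```python
"""Added example: triage check for the Crysis host indicators described above.
Not code from the original write-up; run it on the suspect Windows host."""
import ntpath
import os
import subprocess
import sys

# Persistence keys and drop locations as listed in the write-up.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
DROP_DIRS = (r"%localappdata%", r"%windir%\system32")
RANSOM_NOTE = r"%userprofile%\Desktop\How to decrypt your files.txt"


def executable_from_command(command):
    """Return the executable path from a Run-key command line, handling quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def match_indicators(run_entries, drop_dirs, path_exists):
    """Pure matching step, usable on any platform.

    run_entries: {key_path: {value_name: command}} as read from the Run keys
    drop_dirs:   expanded drop directories to look for a same-named copy in
    path_exists: callable(path) -> bool (os.path.exists on a live host)

    Returns [(key_path, value_name, drop_copy_path), ...] for entries that fit
    the pattern above: the value name equals the launched executable's base
    name (with or without .exe) and a copy with that name exists in a drop dir.
    """
    hits = []
    for key_path, values in run_entries.items():
        for value_name, command in values.items():
            base = ntpath.basename(executable_from_command(command))
            stem = ntpath.splitext(base)[0]
            if value_name.lower() not in (base.lower(), stem.lower()):
                continue
            for drop_dir in drop_dirs:
                candidate = ntpath.join(drop_dir, base)
                if path_exists(candidate):
                    hits.append((key_path, value_name, candidate))
    return hits


def collect_windows():
    """Read the live registry, file system and shadow-copy state (Windows only)."""
    import winreg  # standard library, Windows only

    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    run_entries = {}
    for key_path in RUN_KEYS:
        hive_name, _, subkey = key_path.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            pass
        run_entries[key_path] = values

    drop_dirs = [os.path.expandvars(d) for d in DROP_DIRS]
    hits = match_indicators(run_entries, drop_dirs, os.path.exists)
    note_present = os.path.exists(os.path.expandvars(RANSOM_NOTE))
    # Crysis deletes shadow copies; zero on a host with System Protection on is suspicious.
    vss = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True)
    shadow_count = vss.stdout.count("Shadow Copy ID")
    return hits, note_present, shadow_count


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the suspect Windows host (elevated for vssadmin)")
    hits, note_present, shadow_count = collect_windows()
    for key_path, value_name, copy in hits:
        print(f"persistence: {key_path}\\{value_name} -> drop copy {copy}")
    print(f"ransom note present: {note_present}; shadow copies: {shadow_count}")
```

Run it from an elevated prompt so that vssadmin can list shadow copies; a legitimate autostart (an updater that registers its own name under Run, say) will not match unless a same-named copy also sits in one of the two drop directories, which is the combination the write-up describes.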

Prevention

To reduce the risk of infection we recommend the following:

  • Ensure you are using an up-to-date AV product
  • Ensure any ransomware-specific prevention features in the AV product are enabled
  • Keep regular, tested backups of your data
  • Educate users about the dangers of opening attachments from unknown sources


Originally published on the Trend Micro Blog

A recent Trend Micro report carried out by the Ponemon Institute uncovered an interesting new dynamic in the workplace. Increasing numbers of U.S. consumers are bringing wearable technology into the office.

This raises a difficult problem for enterprise IT managers keen on keeping IoT devices from swamping the workplace as the influx of BYOD devices did a few years ago. So what’s the best way to move forward?

Growth and risks

Let’s be clear, the use of IoT devices and wearables in the workplace is by no means soaring. According to our study – Privacy and Security in a Connected Life – just 25 percent of U.S. consumers said they even plan to use a fitness tracker. For Google Glass, this figure was an even lower 16 percent. Yet adoption is increasing, and as it does, these devices will inevitably find their way into the corporate world, just as the smartphone and tablet did before them. From smart watches to activity trackers and smart glasses, there’s a growing feeling that these devices can help our productivity and well-being. Given we spend the majority of our lives at work, it’s a no-brainer that employees will want to wear them in the office.

While they may support productivity, connected devices present risks for the IT department, especially those that could auto-sync corporate data, making them a potential target for hackers and thieves. Even data tracking the movements of mobile sales staff could tip off competitors about new leads. Many IT leaders will want to manage this risk by ensuring any workplace IoT devices are controlled with MDM, security tools and policies. However, according to our research, 50 percent of U.S. consumers do not believe their employer has the right to access personal data on their smart device, despite connecting to the corporate Wi-Fi.

Staff versus employer

This dilemma brings the usual arguments raised by BYOD, namely that sensitive corporate or customer data could be at risk if accessed or stored on an employee-owned device. Now if IT managers try to shackle devices with MDM or security tools, they could risk the wrath of users.

A recent court case shows that such problems are no longer theoretical. A U.S. District Court in Texas heard the case of a staff member who sued his employer for loss under the Computer Fraud and Abuse Act. The former employee had been required to use his own iPhone to access customer emails at work because the company did not provide one. When he resigned, the company's network administrator remotely wiped his phone, deleting not just work information but also his personal data. In the end the employer won, but it won't be the last case of this kind as staff and their employers increasingly clash over BYOD.

Best practice BYOD

So what can the under-fire IT manager do to walk this fine line, protecting both enterprise data and staff expectations of personal privacy, while enabling staff productivity? Here are a few tips to start with:

  • If you haven’t already, classify enterprise data and perform a risk assessment to better understand what is at stake if it ends up in a competitor’s hands.
  • Find out how many personal smart devices are already being used at work.
  • Familiarize yourself with the operating systems, devices and security shortcomings of these devices.
  • Consider enforcing remote lock/wipe and password protection for all devices allowed to connect to the corporate network.
  • Utilize a ‘containerized’ security approach which keeps corporate and personal data separate on devices.
  • Apply policies so that the most sensitive corporate data is encrypted.
  • Assess any new IoT devices before they are allowed to connect to the network.


This notification is released by Trend Micro to raise awareness of the Cryptolocker ransomware family. Its purpose is to describe the threat and communicate the recommended solutions and best practices so that customers can apply them to avoid infection or to contain an outbreak that is already under way. If similar infections are being experienced in your region, please contact your support engineer.

Threat brief

We are seeing a resurgence of the malware family named Cryptolocker (and related variants). This is crypto-ransomware: it encrypts the victim's files and uses several techniques (HTTPS, P2P, Tor) to mask its command-and-control (C&C) communications. The attack is usually delivered by spear phishing as an email attachment. When the attachment is executed it connects to several URLs to download the crypto-ransomware, which encrypts the files and displays a ransom message. Victims are told to pay before a deadline expires, otherwise the files remain encrypted. Be aware that paying the ransom is no guarantee that the original files will be restored.

Notable variant
•  One variant, TROJ_CRYPCTB.XX, offers the victim the option of decrypting 5 files for free as proof that decryption is possible.
•  Victims are given 96 hours, instead of 72 hours, to pay the ransom.
•  The ransom message is offered in four languages: English, Italian, German and Dutch.
•  In some cases infection occurs through a URL embedded in an email, or through a compromised website using drive-by download techniques, rather than through an attachment.

How to protect against a Cryptolocker attack?
•  Use reputation services for real-time protection through the cloud-based Smart Protection Network:

◦  Email Reputation to block malicious and suspicious email.
◦  Web Reputation to block compromised websites, newly identified C&C hosts and other infection vectors.
◦  File Reputation through Smart Scan technology for real-time security updates on your solutions.

• Leverage the sandbox, emulation and heuristic integration in current Trend Micro products with the Custom Defense approach:

◦ Automatic execution of suspicious content on dynamic analysis engines
◦ Native, straightforward deployment alongside existing Trend Micro solutions (OfficeScan, IMSva, IWSva, ScanMail…)
◦ Use Deep Discovery to detect on the network any Cryptolocker attack, other ransomware, 0-day, targeted attack or other unknown malware variant

• Apply best practices on your Trend Micro solutions:
  ◦ Block potentially dangerous file types over email (exe, scr, cab…)
    ◾ IMSva : http://esupport.trendmicro.com/solution/en-us/1099617.aspx
    ◾ WFBS & ScanMail : http://esupport.trendmicro.com/solution/en-us/1099619.aspx
  ◦ Tune endpoint security solutions with Trend Micro recommendations
    ◾ Malware : http://esupport.trendmicro.com/solution/en-us/1054115.aspx
    ◾ Ransomware : http://esupport.trendmicro.com/solution/en-us/1099423.aspx
    ◾ http://esupport.trendmicro.com/solution/en-us/1101715.aspx

• End-user education is key to proactive defense:
◦ Always check who the email sender is.
◦ Double-check the content of the message.
◦ Refrain from clicking links in email.
◦ Back up important data.

• Coming soon in OfficeScan 11 Service Pack 1: an anti-Cryptolocker feature to protect personal files against encryption and other malware actions. The beta starts in a few weeks; contact your support engineer for more information.
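Both the Crysis write-up earlier on this page (attachments that use a double extension to look like documents) and the "block potentially dangerous file types over email" practice above come down to the same gateway check. The following Python script is an added example, not code from the original advisory or from any Trend Micro product: it parses an RFC 822 message with the standard library, names each attachment that has a blocked extension, and separately reports the double-extension trick so that the two can be tuned independently. The blocked and decoy extension sets and the sample message are assumptions chosen for illustration; adjust them to your own policy.

```python
"""Added example: attachment policy check of the kind the gateway settings
above implement.  Not code from the original advisory.  Standard library only."""
import email
from email import policy
from email.message import EmailMessage

# Executable/script extensions to block outright: the advisory's exe, scr and
# cab, extended with other types commonly used as ransomware droppers (assumed).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "cab", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "ps1", "lnk",
}
# Document extensions attackers place before the real one ("invoice.pdf.exe").
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_filename(name):
    """Return a reason string if an attachment name should be blocked, else None."""
    # Normalise case and strip the whitespace padding used to push the real
    # extension out of view ("invoice.pdf          .exe").
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2:
        return None
    final = parts[-1]
    if final in BLOCKED_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension disguising .{final} as .{parts[-2]}"
        return f"blocked extension .{final}"
    return None


def scan_message(raw):
    """Parse a raw message; return [(filename, reason), ...] for attachments to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if not fname:  # body text, inline HTML etc.
            continue
        reason = classify_filename(fname)
        if reason:
            flagged.append((fname, reason))
    return flagged


def build_sample():
    """Constructed sample: one disguised executable, one real PDF, one .scr."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="update.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in scan_message(build_sample()):
        print(f"BLOCK {fname}: {reason}")
```

The check looks only at the declared filename, which is what a gateway extension filter does; a filter that also inspects the file's magic bytes (the "MZ" header of a Windows executable) and the contents of archive attachments catches the cases a renamed or zipped payload would slip past here.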

How to remediate a running Cryptolocker infection?
• Detection and removal tool for Cryptolocker:

Threat Cleaner for GOZ and CryptoLocker (32-bit and 64-bit)
• Most of the time, encrypted personal files are lost even if the user pays the ransom. Restoring from backup is the best way to retrieve original, unmodified files.
• For Windows users, if system backup and restore features were active, lost files may be recoverable from the last automatic backup (Previous Versions):

http://windows.microsoft.com/en-us/windows7/previous-versions-of-files-frequently-asked-questions

If you have any queries about Trend Micro Solutions and the Ransomware Cryptolocker family, call our support team on 0118 9898 245.

Trend Micro Worry Free

For a long time, Mac users have assumed that owning a Mac keeps them safe from viruses and malware. Many users believe the Mac's built-in security is enough, and with over 97% running no security software at all, this leaves them wide open to attack. Without adequate protection, Mac users are just as exposed to malware when downloading or installing new software and opening attachments.

What can Mac users do to improve their security? Watch this video, Mythbusting about Mac computers' security, to find out why Mac users need virus protection too.


Visit our website to request your Trend Micro Product Demo or call our product specialists on 0118 9898 222 for more information.


Trend Micro MSPs and resellers are looking for ways to improve their profit margins while maintaining excellent customer service.

Building your profit margins while providing customers with a high quality service is the focus for today’s MSPs. How do you find a way to increase profitability without affecting the service you deliver and keeping your customers happy?

Many MSPs and resellers are turning to licensing programs as a way to evolve their business model. The Trend Micro Xsp licensing program enables MSPs to become more profitable and increase the value of their business. Here are 5 reasons why you should join the Trend Micro licensing program:

  1. The pay-as-you-go model makes it easier to manage your clients' costs.
  2. A billing process tailored for MSPs and resellers. The Xsp program provides a usage portal for generating reports and monitoring client activity.
  3. It's easier for customers to manage changes in staff levels. If your clients have reduced their staff numbers or are growing rapidly, being able to offer them the number of licences that suits the size of their business will work to your advantage.
  4. A growth model. The Trend Xsp programme lets you increase recurring revenue and cash flow: the more you sell, the more money you make.
  5. Last but definitely not least, MSPs and resellers keep full control over their licences and their relationships with their customers.

Experience with the MSP business model, and a programme developed by a leading internet security provider, make Trend Micro the choice for building profitable IT businesses.

Download the factsheet and visit our website for more information. Our product specialists are also available on 0118 9898 222 to help with any queries.


Join Trend Micro, the leading internet content security and threat management company, at the Worry-Free 9 Launch event on Wednesday 11th June 2014. The event will be held at Trend Micro’s prestigious and state-of-the-art new headquarters in London (Paddington).

Why should I attend?

  • Find out how to grow your business selling additional Trend Micro services, based on the cloud-based central management and reporting tool (Remote Manager) across your customer base.
  • Discover how the free Worry-Free Remote Manager tool helps you to easily manage security for both hosted and on premises customers through one console.
  • Find out about the purpose built solution tailored for small VARs that minimises your time/resources to manage security for your customers.
  • We’ll be there to talk about our expertise in working with MSPs and the xSP licensing programme, the quarterly pay-as-you-go rental model.

Register here for the event

By attending you could be in with the chance to win a VIP Trip to a Le Mans Race. This prize includes full access to a Le Mans Pit Crew Team and Pit Lane. These tickets cannot be purchased and are exclusive to Trend Micro.

We look forward to seeing you at the event and showing you why Trend Micro Worry-Free 9, is the global market leading solution that helps to build businesses and relationships with your clients.


Are you moving into managed services? If your business provides IT support as a managed service, you can bundle security software from Trend Micro as part of your service offering. All Trend Micro products are available, including Worry-Free. By partnering with Trend Micro on their xSP programme you will have access to the following:

  • Quarterly pay-as-you-go billing
  • Industry-unique self-provisioning licence portal (LMP)
  • Industry-unique web-based management console (WFRM)
  • Integrate with leading RMM and PSA tools (such as Autotask and ConnectWise)
  • State-of-the-art solutions that use the cloud, eliminating costly installation and setup work

For more information visit http://www1.bluesolutions.co.uk/vendors/trend-micro/msp-solutions.aspx

Apply online at https://www.rissp.com/Register.aspx