Trend Micro


There have been reports of several companies becoming infected by the Crysis ransomware, so we have taken a look at what it does and how it can be prevented.

History

First detected in February 2016, this malware has several methods of infection, most commonly an email whose attachments use double extensions to make them appear non-executable. It has also been seen to arrive through spam emails and compromised websites, and there have been reports of it being distributed to online locations and shared networks disguised as an installer for various legitimate programs.

Description

Crysis ransomware is capable of encrypting over 185 file types across fixed, removable and network drives, using RSA and AES encryption. Once running it also deletes the computer's shadow copies and creates copies of itself in the following locations:

  • %localappdata%\%originalmalwarefilename%.exe
  • %windir%\system32\%originalmalwarefilename%.exe

The malware then creates or edits the following registry keys to ensure it is run at each system start:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"

Finally, after encryption a .txt file is placed in the computer's Desktop folder, sometimes accompanied by an image set as the desktop wallpaper:

  • %userprofile%\Desktop\How to decrypt your files.txt
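The file, registry and shadow-copy artefacts listed above are what an administrator would check for on a suspect host. The following PowerShell script is an added example and not part of the original post or any Trend Micro tool: it looks for Run values whose target executable shares its name with the value and exists in both drop directories, looks for the ransom note on user desktops, and counts the remaining shadow copies. The decoding of the Run value data (quoted path, then first token) is this example's own heuristic. It is read-only and reports only; it does not remove anything.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Crysis persistence artefacts described above. Read-only. Run elevated so
# that HKLM and the shadow-copy query are readable.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# The two drop locations named in the write-up; the malware copies itself to both
$DropDirs = @($env:LOCALAPPDATA, (Join-Path $env:windir 'system32'))

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $raw = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            # Heuristic: a quoted path wins; otherwise take the first token (assumption)
            if     ($raw -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($raw -match '^\s*(\S+)')     { $exe = $Matches[1] }
            else                                  { continue }
            $leaf = Split-Path -Leaf $exe
            # Crysis names the Run value after its own executable ...
            $nameMatches = ($prop.Name -ieq [IO.Path]::GetFileNameWithoutExtension($leaf))
            # ... and plants that executable in both drop directories
            $copies = @($DropDirs | Where-Object { Test-Path (Join-Path $_ $leaf) })
            if ($nameMatches -and $copies.Count -eq $DropDirs.Count) {
                [pscustomobject]@{
                    Key    = $key
                    Value  = $prop.Name
                    Target = $exe
                    Copies = ($copies | ForEach-Object { Join-Path $_ $leaf }) -join '; '
                }
            }
        }
    }
}

function Get-RansomNote {
    # The note is dropped on the infected user's desktop; check every profile on the box
    $pattern = Join-Path $env:SystemDrive 'Users\*\Desktop\How to decrypt your files.txt'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue
}

function Get-ShadowCopyCount {
    # Crysis deletes shadow copies, so zero on a host that normally keeps them is a flag
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$hits = @(Get-SuspiciousRunEntry)
if ($hits.Count -gt 0) {
    Write-Output 'Run entries matching the Crysis pattern:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Run entries matching the Crysis pattern.'
}

$notes = @(Get-RansomNote)
if ($notes.Count -gt 0) {
    Write-Output 'Ransom note found:'
    $notes | Select-Object -ExpandProperty FullName
}

Write-Output ("Shadow copies present: {0}" -f (Get-ShadowCopyCount))
```

A hit from the first function on its own is not proof of infection, since any program may register itself under Run; it is the combination of a Run value named after its target, a copy in both %localappdata% and system32, the ransom note and a missing shadow-copy set that matches the behaviour described above. Treat a positive result as a trigger to isolate the host and restore from backup rather than as a cleanup step.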

There have also been reports of Crysis stealing data and credentials from affected machines and passing these back to its command-and-control server. This leaves the infected computers and their local networks open to further attack if the credentials are not changed.

Crysis has also been seen to monitor and gather data from IM applications, webcams, address books, clipboards and browsers before sending it to the C&C server, with the Windows variant stealing account and password credentials.

Prevention

To reduce the risk of infection we recommend the following:

  • Ensure you are using an up-to-date AV product
  • Ensure any specific ransomware prevention tools in the AV are enabled
  • Ensure you have a regular, tested backup of the data
  • Educate users in the dangers of opening attachments from an unknown source


Ransomware is on the rise, but the authorities struggle to deal with it, so businesses often end up paying the ransom! What are security vendors doing to combat it?

You don’t need to look very far to see the hoo-ha that ransomware has recently caused.

This is not only because the sheer volume of ransomware attacks has swollen as never before (global cases increased by almost 170% in 2015, with the UK “disproportionately hit,” according to this FT.com article), but because the number of cases reported has actually gone down.

This can only lead to one conclusion: businesses are paying the ransom, in an attempt to get their businesses back up and running, because the authorities are failing to help them do so!

It’s one hell of a gamble. Cybercriminals aren’t exactly known for their integrity or willingness to be bound by contract, so where’s the guarantee that they’ll give businesses back the access to their files once they’ve coughed up?

Indeed, as FBI Cyber Division Assistant Director James Trainor has commented, “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom.”

Ransomware: what it is, what it does

Before we go any further, though, let’s clarify terms. All ransomware (CryptoLocker, CryptoWall, and CTBLocker are names that crop up often, but there are many others, some of which are listed here) is about blocking a business’s access to a system and/or its files until a sum of money is paid to the malefactor.

In practice, this happens in many different ways, varying from scareware, to browser or screen-locking software, to encrypting ransomware. (This Malwarebytes infographic, which our partners can now request to co-brand and use for their own marketing campaigns, explains it very neatly.)

In a further malevolent twist, cyberattackers may choose to “leak” the files that they have sequestered if the ransom is not paid, exposing a business’s potentially confidential and legally privileged information to public view online.

Reputationally, this can be shattering, but the financial impact of ransomware is breathtaking too. The Verizon Data Breach Investigations report puts the business cost of losing access to just 1000 records at more than £46,000!

In short, businesses are vulnerable, the authorities are swamped, and there’s no honour among cyber thieves. So it’s down to security vendors to step up to the plate and prevent ransom situations from arising in the first place. Here’s a taste of how three of them are turning the tables on the file felons!

Bitdefender: cross-product protection at startup

Bitdefender’s answer to the ransomware challenge has been to develop a Ransomware Protection module that is included in all Bitdefender 2016 products (including business versions sold through the IT channel).

Clearly, this makes ransomware protection accessible to the end-user, regardless of the product they or their organisation have purchased.

But Bitdefender products also activate the Ransomware Protection module at startup, and scan all critical system areas before files are loaded, with zero impact on the system’s performance.

At the same time, protection is provided from certain attacks that rely on malware code execution, code injections, or hooks inside dynamic libraries, so defence against the ransomware is instant, broad, doesn’t slow end-users’ core computing tasks down, and – most importantly of all – doesn’t let the ransomware get a foothold.

Malwarebytes: ransomware protection throughout the infection timeline

Malwarebytes has built a solid reputation on its ability to detect, monitor and block malware of all kinds, right from the earliest attempts by the malware’s author to probe the most effective delivery methods.

This means it can spot indications of threatening behaviours way before the threat actually deploys – and it has applied this philosophy to its Anti-Ransomware product, too.

In the words of their security blog, it “uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files.” The ransomware therefore “has no shot at encrypting.”

Although the product is still in beta, it is based on an already successful application – CryptoMonitor – that Malwarebytes acquired from EasySync Solutions, so its provenance certainly inspires trust.

We don’t yet know how Malwarebytes will market the general release version for business users through the IT channel. Will businesses be able to buy it standalone? Or as part of the existing Malwarebytes Endpoint Security suite?

The latter is already a truly potent bundle. It includes the powerful Anti-Malware solution that (uniquely!) also comes with an inbuilt remediation tool – that is to say, it can clean up already infected systems, making for some very grateful customers!

It also includes the Anti-Exploit solution, that detects the zero-day exploits that other solutions simply miss. Factoring Anti-Ransomware into this already compelling combination would be something of a coup!

Watch this space…

Trend Micro: fight ransomware at every layer

Ever the source of insightful and sobering security stats, Trend Micro has publicly announced that ransomware infections among UK firms in February 2016 alone far exceeded the figures for the first six months of 2015!

Its approach to fighting ransomware is highly layered, with Ransomware Protection features included in its endpoint products (OfficeScan, Worry-Free Business Security), email and gateway products (ScanMail, Cloud App Security, Hosted Email Security, amongst others) and network products (Deep Discovery).

Trend Micro was named a Leader in the 2016 Endpoint Protection Platforms Magic Quadrant, published by industry analyst Gartner. This covers, amongst other technologies, anti-ransomware, so Trend’s solutions are definitely “up there” when it comes to stopping businesses being held at gunpoint!

Anti-ransomware: a pattern emerges

In all the three vendor cases mentioned above, there is a strong underlying truth: everything turns on being able to stop the ransomware infection happening in the first place. Once files are infected, it’s way too late.

This knowledge has certainly been an incentive for security vendors to act. If it’s not an incentive for businesses and the IT channel partners who supply them to act, too, I don’t know what is.


Our top security updates in the news and on the web this week

1. 10 tips to avoid Cyber Monday scams

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place. First posted on Malwarebytes.

For the original post and further information click here

2. More POS malware, just in time for Christmas

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break. First posted on The Register.

For the original post and further information click here

3. Some simple security advice for computer and smartphone users

Having demonstrated how easy it can be to compromise users' computers and 'steal' very personal video and photos, here's some really simple advice to help prevent this happening. First posted on Pen Test Partners.

For the original post and further information click here

4. CryptoWall Updates, New Families of Ransomware Found

The ransomware threat isn't just growing—it's expanding as well. There has been a recent surge of reports on updates for existing crypto-ransomware variants. First posted on Trend Micro.

For the original post and further information click here


5. Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks

The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites. First posted on Malwarebytes.

For the original post and further information click here

6. Another Day, Another HMRC Tax Phish…

We could all do with a bit of a tax refund right before the festive season, and wouldn’t you know it. First posted on Malwarebytes.

For the original post and further information click here

7. Diving into Linux.Encoder’s predecessor: a tale of blind reverse engineering

Linux.Encoder.1 has earned a reputation as the world's first ransomware family tailored for Linux platforms. First posted on Bitdefender Labs.

For the original post and further information click here

If you have any security news that you would like to see on our blog, please send it to us at bluesolutions and include the link to the original article in the email.


Originally published on the Trend Micro Blog

A recent Trend Micro report carried out by the Ponemon Institute uncovered an interesting new dynamic in the workplace. Increasing numbers of U.S. consumers are bringing wearable technology into the office.

This raises a difficult problem for enterprise IT managers keen on keeping IoT devices from swamping the workplace as the influx of BYOD devices did a few years ago. So what’s the best way to move forward?

Growth and risks

Let’s be clear, the use of IoT devices and wearables in the workplace is by no means soaring. According to our study – Privacy and Security in a Connected Life – just 25 percent of U.S. consumers said they even plan to use a fitness tracker. For Google Glass, this figure was an even lower 16 percent. Yet adoption is increasing, and as it does, these devices will inevitably find their way into the corporate world, just as the smartphone and tablet did before them. From smart watches to activity trackers and smart glasses, there’s a growing feeling that these devices can help our productivity and well-being. Given we spend the majority of our lives at work, it’s a no-brainer that employees will want to wear them in the office.

While they may support productivity, connected devices present risks for the IT department, especially those that could auto-sync corporate data, making them a potential target for hackers and thieves. Even data tracking the movements of mobile sales staff could tip off competitors about new leads. Many IT leaders will want to manage this risk by ensuring any workplace IoT devices are controlled with MDM, security tools and policies. However, according to our research, 50 percent of U.S. consumers do not believe their employer has the right to access personal data on their smart device, despite connecting to the corporate Wi-Fi.

Staff versus employer

This dilemma brings the usual arguments raised by BYOD, namely that sensitive corporate or customer data could be at risk if accessed or stored on an employee-owned device. Now if IT managers try to shackle devices with MDM or security tools, they could risk the wrath of users.

A recent court case highlights that such problems are no longer theoretical. A U.S. District Court in Texas heard the case of a staff member who sued his employer for loss under the Computer Fraud and Abuse Act. The former employee was forced to use his own iPhone for accessing customer emails at work since one was not provided. When he resigned, the company’s network administrator remotely wiped his phone, deleting not just work information, but also his personal data. In the end, the employer won, but it won’t be the last case of this kind as staff and their employers increasingly clash over BYOD.

Best practice BYOD

So what can the under-fire IT manager do to walk this fine line, protecting both enterprise data and staff expectations of personal privacy, while enabling staff productivity? Here are a few tips for starters:

  • If you haven’t already, classify enterprise data and perform a risk assessment to better understand what is at stake if it ends up in a competitor’s hands.
  • Find out how many personal smart devices are already being used at work.
  • Familiarize yourself with the operating systems, devices and security shortcomings of these devices.
  • Consider enforcing remote lock/wipe and password protection for all devices allowed to connect to the corporate network.
  • Utilize a ‘containerized’ security approach which keeps corporate and personal data separate on devices.
  • Apply policies so that the most sensitive corporate data is encrypted.
  • Assess any new IoT devices before they are allowed to connect to the network.


How to Win the Cloud Security Game by Balancing Risk with Agility

The cloud is changing the way organisations around the world do I.T. Attracted by lower costs, improved efficiency and faster development and deployment times for apps, users everywhere are migrating to this new computing model in droves, with or without the blessing of I.T. Yet security is a top concern due to the loss of control of a physical infrastructure.

The challenge of balancing that greater business agility with security risk while keeping costs down is not an easy job. But it’s one that cloud managers will have to confront to be successful. And just like in a game of football, a winning strategy must be built on solid defence.

Shared responsibility

To articulate the challenges of cloud security, Trend Micro recently commissioned Forrester Consulting to survey I.T. professionals tasked with public cloud security projects. 70 percent said the public cloud was an integral part of the product or service they offered to customers.

It’s no surprise that security was a concern to three-quarters (76 percent) of them. In the public cloud, security is a shared responsibility. The cloud service provider will secure up to the hypervisor (including data centre and infrastructure), while the customer must take care of securing the OS, apps, users and data.

Kicking off

When determining how to best augment the secure infrastructure of their cloud provider, cloud managers should start by considering three aspects:

  1. Time to value – This is all-important to developers. It’s why two of the top three barriers to adopting best practice cloud security were given as “too time intensive” (43 percent) and “would slow down cloud usage” (36 percent). Forrester believes cloud resources must be made available in under 15 minutes, automated and out of sight, or developers may look to circumvent IT controls.
  2. Security risks – Cutting down on security in order to speed time to value will expose organisations to the risk of a data breach, including the financial penalties, damage to brand, legal costs, and consumer trust issues this could bring. Adding protection like data encryption, monitoring and logging, intrusion detection/prevention and patch management and other controls to cloud workloads provides multi-layered protection that reduces security risks.
  3. Cost – Applying maximum levels of security to every workload will drive up cost unnecessarily, undermining one of the main reasons for migrating to the cloud. It could also push developers to bypass security. But if you don’t add enough security, you become an easy target for attackers, leading to expensive data breaches. It’s a delicate balance.

Deep Security for the win!

Forrester believes the answer lies with security solutions offering pre-made templates with different levels of security to match the needs of individual workloads:

Optimal cloud security controls would be:

  • Automated: so when a developer launches a workload, it is automatically protected.
  • Personalized: with policies that fit the workload type, sensitivity and regulatory context.
  • Pre-built in a template: so the developer doesn’t have to know what the right security is for their workloads.

With Trend Micro Deep Security, we believe we have the best solution: enabling automated, comprehensive security that won’t get in your way. What’s more, Deep Security can protect your entire organisation – across physical, virtual and cloud environments – with comprehensive protection in a single product and agent, making management easier and lowering costs.

Contact our sales team today on 0118 9898 222 to find out more about Trend Micro Security Solutions.


Trend Micro Silverstone

Some of our team joined Trend Micro for a day at Silverstone.

The day was a great opportunity for our team and Trend Micro to enjoy the races and also get to sit behind the wheel of a few of the cars.

Here's some of the images from the day:

Our Sales Manager, Emma Wale, enjoyed the day, although it was a bit noisy!

Sandra from Trend Micro enjoys her time behind the wheel of the car...

Aaron from Trend Micro is looking concerned that his favourite car might not win the race...

Other pictures from the day:


This important notification is being released by Trend Micro for awareness of the Cryptolocker ransomware family. The main purpose of this threat awareness is to provide complete information about the threat and to communicate the recommended solutions and best practices, so that customers can apply them to avoid being affected or to contain the threat from spreading further. If similar infections are being experienced in your respective regions, please contact your support engineer.

Threat brief

We are experiencing a resurgence of the malware family named Cryptolocker (and other variants). This is a crypto-ransomware variant that has the capability to encrypt files. It uses many techniques (HTTPS, P2P, TOR…) to mask its command-and-control (C&C) communications. Usually the attack is delivered by spear-phishing as an email attachment. Upon execution, it connects to several URLs to download the crypto-ransomware, which then displays a ransom message. Users must pay the ransom before the set deadline expires; otherwise all the files will remain permanently encrypted. But beware: ransom payment is no guarantee that the original files will be restored!

Notable variant

  • A particular variant, TROJ_CRYPCTB.XX, offers users the option of decrypting 5 files for free, as proof that decryption is possible.
  • Users are also given 96 hours, instead of 72 hours, to pay the ransom fee.
  • The displayed ransom message has options for four languages, namely English, Italian, German and Dutch.
  • In some cases, infection could occur through an embedded URL in an email, or through a compromised website using drive-by download techniques.

How to protect against a Cryptolocker attack?

  • Use reputation services for real-time protection through the cloud-based automatic sharing system (Smart Protection Network)
    • Email Reputation to block malicious and suspicious email.
    • Web Reputation to block compromised websites, newly seen C&C remote hosts and other infection vectors.
    • File Reputation through SmartScan technology for real-time security updates on your solutions.
  • Leverage the sandbox, emulation and heuristic integration in current Trend Micro products with the Custom Defense approach
    • Automatic execution of suspicious content on dynamic analysis engines
    • Native and easy deployment to existing Trend Micro solutions (OfficeScan, IMSVA, IWSVA, ScanMail…)
    • Use the Deep Discovery approach to detect over the network any Cryptolocker attack, ransomware, 0-day, targeted attack and any other unknown malware or variant
  • Apply best practices on your Trend Micro solutions
    • Block potentially dangerous file types over email (exe, scr, cab…)
      • IMSVA: http://esupport.trendmicro.com/solution/en-us/1099617.aspx
      • WFBS & ScanMail: http://esupport.trendmicro.com/solution/en-us/1099619.aspx
    • Tune endpoint security solutions with Trend Micro recommendations
      • Malware: http://esupport.trendmicro.com/solution/en-us/1054115.aspx
      • Ransomware: http://esupport.trendmicro.com/solution/en-us/1099423.aspx and http://esupport.trendmicro.com/solution/en-us/1101715.aspx
  • Educating end users is key to proactive defence:
    • Always check who the email sender is.
    • Double-check the content of the message.
    • Refrain from clicking links in email.
    • Back up important data.
  • Coming soon in OfficeScan 11 Service Pack 1: an anti-Cryptolocker feature to protect your personal files against encryption or other malware action. The beta will start in a few weeks. Contact your support engineer for more information.
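Both this notice (block exe, scr and cab attachments over email) and the Crysis write-up earlier on this page (attachments with double extensions that make an executable look like a document) come down to the same gate at the mail boundary: inspect the attachment name before delivery. The PowerShell function below is an added example and not part of either post or of any Trend Micro product; it shows the two checks side by side on constructed sample names. The blocked set starts from the three types the notice names, and the extra entries and the decoy-extension list are this example's own assumptions, to be tuned to your environment.

```powershell
# Added example (not from the notice): attachment-name gate of the kind a mail
# filter applies before delivery. Returns one object per file name with the
# decision and the reason, so it can be piped into a log or a quarantine step.

# Starts from the types the notice names (exe, scr, cab); the rest are assumptions
$BlockedExtensions = @('exe', 'scr', 'cab', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs')
# Benign-looking inner extensions used to make "report.pdf.exe" read as a document (assumption)
$DecoyExtensions   = @('pdf', 'doc', 'docx', 'xls', 'xlsx', 'jpg', 'png', 'txt')

function Test-RiskyAttachment {
    param([Parameter(Mandatory)][string]$FileName)

    # Split on dots and trim each piece: "Report.PDF   .Exe" hides the real
    # extension behind padding, so whitespace inside a part must not defeat the check
    $parts = @($FileName -split '\.' | ForEach-Object { $_.Trim() })

    if ($parts.Count -lt 2 -or -not $parts[-1]) {
        return [pscustomobject]@{ FileName = $FileName; Blocked = $false; Reason = 'no extension' }
    }

    $ext   = $parts[-1].ToLowerInvariant()
    $inner = if ($parts.Count -ge 3) { $parts[-2].ToLowerInvariant() } else { $null }

    if ($BlockedExtensions -contains $ext) {
        # The last extension is what Windows executes; the inner one is only a lure
        $reason = if ($inner -and ($DecoyExtensions -contains $inner)) {
            "double extension .$inner.$ext"
        } else {
            "blocked type .$ext"
        }
        return [pscustomobject]@{ FileName = $FileName; Blocked = $true; Reason = $reason }
    }

    return [pscustomobject]@{ FileName = $FileName; Blocked = $false; Reason = 'allowed' }
}

# Constructed sample attachment names, not taken from any real mail flow
$Samples = @(
    'invoice.pdf',          # allowed
    'invoice.pdf.exe',      # double extension
    'photo.jpg.scr',        # double extension
    'update.cab',           # blocked type
    'notes.txt',            # allowed
    'Report.PDF   .Exe',    # padding and mixed case, still a double extension
    'README'                # no extension
)

$Samples | ForEach-Object { Test-RiskyAttachment -FileName $_ } | Format-Table -AutoSize
```

Blocking on the final extension is the same rule the linked IMSVA and ScanMail articles apply; the double-extension reason is there so that the log distinguishes a plain policy hit from a name crafted to deceive the recipient, which is the case worth raising with the user concerned.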

How to remediate if a Cryptolocker infection is running?

  • Detection and removal tool for Cryptolocker: Threat Cleaner for GOZ and CryptoLocker (32-bit and 64-bit)
  • Most of the time, encrypted personal files are lost even if the user pays the ransom. Restoring from backup is the best way to retrieve original, unmodified personal files.
  • For Windows users, if the system backup and restore features were active, lost files could be restored from the last automatic backup: http://windows.microsoft.com/en-us/windows7/previous-versions-of-files-frequently-asked-questions

If you have any queries about Trend Micro Solutions and the Ransomware Cryptolocker family, call our support team on 0118 9898 245.

Communication continues to evolve through technology over the years. Unfortunately, cybercriminals are keeping pace and attacking the most popular means of communication.

This Trend Micro infographic below is a good look at how threats evolve.

If you're looking for a solution to protect your clients' businesses from malware and cybercrime, contact our sales team on 0118 9898 222.
INFOGRAPHIC: How Attacks Adapt


How soon must IT groups patch vulnerable servers? The following windows-of-exposure timelines show the varying levels of risk enterprises face once a vulnerability is found or an exploit is in the wild.

Any delay in patching after a vendor releases a patch is therefore an additional window of exposure.

INFOGRAPHIC: Dodging a compromise

Contact our product and sales specialists today on 0118 9898 222 to find out how Trend Micro Solutions can help your business.


We have been informed by Trend Micro that the issue with the AOL.com domain has been resolved.

The issue with the BT.com domain is still being investigated and we will update you again when we have received another update.

If you are experiencing issues, please contact our support desk on 0118 9898 245 or email us at support@bluesolutions.co.uk during these times:

  • Monday – Thursday: 8.30 – 5.30pm
  • Friday: 8.30 – 5.00pm