HowTo: Stop the global spread of the WannaDecrypt0r ransomware
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to - just as if it was looking up any website - and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
However, there are reports that some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain .. if this malware blocking trigger is to be effective," said Lauren Weinstein.
The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003] The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Read the full story on SlashDot
FAKE FONT SCAM
If you have ever been on a web page and seen strange characters in the text, usually it means the author is using a different text encoding - An example is that Agrisea uses Western - Look in your web browser (Text Encoding is under View in Firefox).
However, NeoSmart Technologies (an Agrisea technology partner) shows examples of the latest scam affecting the Chrome web browser:
Random characters on a grayed out web page with a white box showing the Chrome Logo and a font missing warning - Except it is all a scam - Do not download anything & close that page. An example:
According to Microsoft Malware Protection Center, a new wave of spam emails carries .LNK files inside ZIP archives. Those files had malicious PowerShell scripts attached to them. "You may think that you are protected from fileless malware because your PowerShell execution policies are set to 'Restricted' so that scripts can't run," the Intel Security researchers said in a blog post. "However, attackers can easily bypass these policies."
Other aspects of Spora also set it apart from other ransomware operations. For example, its creators have implemented a system that allows them to ask different ransoms for different types of victims.
All this points to Spora being a professional and well-funded operation. The ransom values observed so far are lower than those asked by other gangs, which could indicate the group behind this threat wants to establish itself quickly.
IF YOU GET INFECTED: there is nothing anyone can do for you at this time.
Read the full story at Computerworld
MARCHER TROJAN MALWARE ON ANDROID
Super Mario Run, a mobile game by Nintendo, is currently only available to Apple iOS users - Android users must wait for their version yet third-party web sites already claim this app is available - Do Not Download It - This fake app is actually the "Marcher" Trojan Malware.
Only get your apps for Android from the Goggle Play Store, ignore web sites that claim anything else.
The Marcher app, when you install it, requires you to give administrative access, which means whomever is behind Marcher may monitor the device and steal login data of not just banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.
[Read more about it here.]
HACKING, SPIES, & CYBERCRIMINALS
1) First thing you must know, keeping your accounts safe must be your top priority so if you get an email asking you for your login or password, delete it - No one you already do business with is going to ask you for that information. And if it is someone in your company wanting to know, walk over and ask them why they want it - They might be infected and not even know it.
2) If an email sounds like it is from one of your friends but seems to be slightly off, call them on your phone to ask, and don't click on links in that email. The email might be a phishing attempt by a spy and not the James Bond type either.
3) Seriously, change your password often (that means more than once a year) and don't use the same password for every place.
4) H.R. departments are coming under attack by fake job applications that arrive in email, usually with a PDF file attachment (like a cover letter) and also have a Microsoft Office something. When whatever it is, Excel, Word, etc. is opened, it says Macros must be enabled and if you do, Ransomware encrypts your computer... See Article 2 below for more.
The "bad guys" out there in cyberspace want to steal whatever they can get from you and where you work. And if they can get a virtual foot in the door on something you use, like your phone, it opens up your whole world that they can then exploit. Which means it will cost you, maybe money or identity theft or maybe something even worse.
SO, Next time Agrisea tells you to change your damn password, don't make a face - We are trying to keep you safer in an increasingly hostile world.
Read more about what is happening in these articles on ZDnet: 1 & 2.
If you have been infected with the Bart ransomware, Bitdefender was able to create a decryption tool and credits collaboration with the Romanian Police and Europol for its success in creating the tool. Bart appeared in June 2016 and stood out because it locked victims' files inside ZIP archives encrypted with AES (Advanced Encryption Standard). Unlike other ransomware programs that used RSA public-key cryptography and relied on a command-and-control server to generate key pairs, Bart was able to encrypt files even in the absence of an internet connection.
[Trend Micro has some tools for recovering from a ransomware attack on Windows PCs. ESET can decrypt Crysis & Dharma ransomware. If you have been infected with the Globe or Globe2 ransomware, go to No More Ransom free decryption tool project. As usual, criminals developed a new version, Globe3, and here is that free decryptor. But wait, there are more software for helping you defeat, remove, decrypt, or otherwise test your systems/networks - Read the article at Computerworld.]
MBR-Protect For WIN PCs is a nifty piece of software that can be applied to a Win PC to protect it in advance from the Master Boot Record (MBR) ransomware. A ransomware that targets the MBR and appeared this year  is called Satana. It doesn't not encrypt the MFT, but encrypts the original MBR code itself and replaces it with its own code which displays a ransom note.
Only Windows XP, 7, 8.0/8.1, & 10 are supported - Download the version for your operating system, 32bit or 64bit. Download page.
"MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers," the Cisco Talos researchers said in a blog post. "It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification."
The problem is that Secure Boot does not work on all computers and for all Windows versions and does not support MBR-partitioned disks at all. This means that there are still a large number of computers out there that don't benefit from it and remain vulnerable to MBR attacks.
See an example of the screen of this latest ransomware "out in the wild":
If you need more details, feel free to view the full story on ComputerWorld
If you are an Agrisea contracted client, your PCs will be modified during January's service. For all others, make sure you backup your PCs often -- If you are infected, be aware that nothing can remove this type of ransomware (at this time) and the only alternative is to wipe your storage media (Hard Drive or Solid State Drive) clean and reinstall everything.
Microsoft has been nagging people to upgrade to Windows 10 [W10] since it came out on 29 July 2015.. Now those nags have been replaced with Windows 10 actually on your PC and in Windows Update as an "Optional update". If you do not change the way updates are installed, you may end up with W10 anyway. [Read more about this 'aggressive' deployment on ZDnet.]
If you have noticed that your internet speed has been a bit slower than usual in the past month, there is a good chance that your Windows 7 or 8.0/8.1 PC now has the W10 software in a hidden directory on your hard drive (or SSD) and it is waiting to be installed.
There is a small piece of software [download it] that removes the nag as well as prevents W10 being installed. However, if you have already said "yes" to install W10 you may be out of luck. Read about the GWX Control Panel software here
If you decided to install W10 as an upgrade from Windows 7 or 8.0/8.1 during the free year, be aware that you only had 30 days to "roll-back" to your previous version of Windows. After 30 days, W10 removed your previous version of Windows and you are stuck now. Whatever license you started with is migrated to w10 so if you wipe your hard drive and reinstall your original operating system, you will need to buy a new license. And Windows 7 Licenses have become hard to get.
Agrisea has many commercial clients who have decided to not upgrade to W10 at this time. Microsoft's sneaky way of downloading 6GB's of data (W10) to each PC even though that PC's owner doesn't want to upgrade, is not acceptable - Most OnSite Contract Clients have already had the W10 block installed.