Cyber attacks: When your computer "o'zapft is"
It sounds perfidious, but cyber criminals and hackers are increasingly targeting Central European hospitals, retailers and other specific SME sectors, as a case study by proofpoint.com highlights. The attackers are not only crippling hospitals at particular times; they also appear to be tapping into targeted computers around particular social events.
Checklist
Regardless of their geographic location, companies and individuals can take various measures to prevent infection and financial loss:
1. Be vigilant when reading email messages that contain links or attachments.
Most of the campaigns described here relied on social engineering to trick users into infecting themselves with malware, even though their systems were likely to have displayed security warnings while or before they opened the malicious files.
2. Never activate macros in documents received by email.
Never run executables linked to an email message unless you are absolutely sure that the message is authentic. Perform regular, frequent backups that can be restored instead of paying a ransom to unlock encrypted data.
3. Companies should also invest in appropriate security technologies to protect their employees.
SMEs are particularly at risk because their bank details often sit in private email accounts, which makes them a higher-priority target for attackers. SMEs also have more to lose in a ransomware attack. At the same time, a larger number of employees increases the chances of a successful infection.
Ransomware has now grown into an illegal but multi-million dollar industry. Recently, Central Europe has become a target for one of the strongest ransomware variants as well as an unusual one. Earlier this year, for example, several hospitals in Germany were forced to postpone operations and shut down a variety of connected devices when they were hit by ransomware.
As with banking Trojans, the losses far exceed the direct cost of paying a ransom or cleaning up infected systems. An overview of the current situation follows.
Petya ransomware
Although not as well known as its famous ransomware cousins - be it Locky, Cerber, CryptXXX or Cryptowall - the Petya ransomware family has been attracting attention lately, targeting Central and Eastern Europe. In Germany, strangely enough, the Petya ransomware has only been observed in half-hearted copycat attacks.
Petya ransomware does not encrypt files individually like many other ransomware variants. Instead, it installs its own boot loader and a very small kernel (operating system) that encrypts the master file table on the hard drive; Petya's write routine overwrites the master boot record with this kernel.
Infected systems are then rebooted and users see screens like the one shown in the screenshot.
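Because Petya's hallmark is the replacement of the master boot record, one practical detection is to record a baseline of sector 0 and compare it later. The following is an added example, not code from the article or from any vendor: it hashes the boot-code area of a 512-byte MBR, parses the four partition entries and reports where a re-read sector departs from the recorded baseline. The sectors, the stand-in loader bytes and the partition layout are constructed for the example; no real disk is read.

```python
"""Boot-sector integrity check as a detection for MBR-overwriting ransomware.

Added example (not from the article). A defender records the SHA-256 of the
boot-code area of sector 0 while the system is known-good, then re-reads the
sector later and checks it with check_mbr(). The sample sectors below are
constructed; they are not real loader code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 446            # classic MBR: boot code occupies bytes 0..445
PARTITION_TABLE = 446      # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_AREA]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return a list of problems; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        problems.append("boot code differs from recorded baseline")
    active = [e for e in info["partitions"] if e["status"] == 0x80]
    if len(active) > 1:
        problems.append("more than one active partition")
    for i, e in enumerate(info["partitions"]):
        if e["status"] not in (0x00, 0x80):
            problems.append("partition %d has invalid status byte 0x%02x" % (i, e["status"]))
    return problems


def build_sector(code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot-code bytes and (status, type, lba, count) tuples."""
    body = code[:CODE_AREA].ljust(CODE_AREA, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return body + table + BOOT_SIGNATURE


# Constructed baseline: a stand-in boot loader and one active NTFS partition (type 0x07).
BASELINE_CODE = b"\xeb\x63\x90" + b"BASELINE-LOADER".ljust(CODE_AREA - 3, b"\x00")
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]
BASELINE_SECTOR = build_sector(BASELINE_CODE, PARTITIONS)
BASELINE_HASH = hashlib.sha256(BASELINE_SECTOR[:CODE_AREA]).hexdigest()

# Constructed "after" sector: same partition table, but the boot code has been replaced.
REPLACED_SECTOR = build_sector(b"REPLACED-LOADER", PARTITIONS)

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_SECTOR, BASELINE_HASH))
    print("replaced:", check_mbr(REPLACED_SECTOR, BASELINE_HASH))
```

On a live Linux system the sector to feed into check_mbr() can be captured as root with dd if=/dev/sda bs=512 count=1; the baseline hash should be stored off the machine, since a loader that can rewrite sector 0 can also tamper with a locally stored reference.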
Ransomware Locky
Locky has been circulating since February 2016, mostly through high-volume fake email campaigns that deliver the Locky ransomware, which is associated with the Dridex threat actors. In the third quarter of 2016, the email messages they distributed accounted for more than 95% of the global malicious email volume monitored by Proofpoint.
One such campaign, for example, sent an innocuous-looking email from Service@kids-party-world.de with the subject "Your order is on its way to you! - OrderID 654321" and the attachment "invoice_12345.zip" (both with random digits).
Likewise, messages from "John.doe123@[random domain]" (random name plus 1-3 digits) with the subject "Emailing: _12345_123456" (random numbers) and a matching attachment "_12345_123456.zip" keep turning up. The malicious attachments were .zip archives containing JavaScript (in WSF or HTA files) which, when executed, download the Locky ransomware.
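The lure shapes quoted above (random-digit subjects, matching .zip names, a script file inside the archive) are specific enough to triage at the mail gateway. The following is an added example, not code from the article or from Proofpoint: it parses a raw email, matches the subject and attachment-name patterns the text describes, opens any .zip attachment in memory and reports script files (.js, .wsf, .hta) inside it. The sample messages are constructed here; the sender domain example.invalid stands in for the "[random domain]" of the text and the archive content is an inert placeholder.

```python
"""Triage helper for the Locky lure pattern described in the article.

Added example (not Proofpoint's code). triage_message() takes a raw RFC 822
message and returns the findings a gateway rule might log; build_sample_message()
constructs a lure-shaped message and a benign one for testing.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types named in the article as the carrier of the Locky downloader.
SCRIPT_EXTENSIONS = (".js", ".wsf", ".hta")

# Subject and attachment-name shapes quoted in the article (the digits were random).
LURE_SUBJECTS = [
    re.compile(r"^Emailing: _\d+_\d+$"),
    re.compile(r"OrderID \d+"),
]
LURE_ATTACHMENT_NAMES = [
    re.compile(r"^_\d+_\d+\.zip$", re.IGNORECASE),
    re.compile(r"^invoice_\d+\.zip$", re.IGNORECASE),
]


def scripts_in_zip(data: bytes) -> list:
    """Names of script files inside a zip payload; [] if the data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Return the subject, a list of findings and a suspicious flag for one email."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    findings = []
    if any(p.search(subject) for p in LURE_SUBJECTS):
        findings.append("subject matches a known lure pattern: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(p.match(name) for p in LURE_ATTACHMENT_NAMES):
            findings.append("attachment name matches a lure pattern: %s" % name)
        scripts = scripts_in_zip(part.get_payload(decode=True) or b"")
        if scripts:
            findings.append("zip attachment %s carries script file(s): %s" % (name, scripts))
    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


def build_sample_message(lure: bool = True) -> bytes:
    """Construct a test email: one shaped like the article's lure, or a benign one."""
    msg = EmailMessage()
    msg["From"] = "John.doe123@example.invalid"   # placeholder for "[random domain]"
    msg["To"] = "recipient@example.invalid"
    if lure:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # Inert placeholder content; only the file name matters for the check.
            zf.writestr("_12345_123456.wsf", "<!-- constructed placeholder -->")
        msg["Subject"] = "Emailing: _12345_123456"
        msg.set_content("Please see the attached file.")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="_12345_123456.zip")
    else:
        msg["Subject"] = "Minutes from Tuesday"
        msg.set_content("Minutes attached.")
        msg.add_attachment(b"Attendees: ...", maintype="application",
                           subtype="octet-stream", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for is_lure in (True, False):
        print(triage_message(build_sample_message(is_lure)))
```

The archive inspection is the part worth keeping even after the subject patterns rotate: a .zip whose only content is a .js, .wsf or .hta file has no ordinary business purpose and can be quarantined on that basis alone.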
Summary
Although Europe is currently struggling with ongoing financial pressures, the relative prosperity and good business climate of the German-speaking regions explain the recent increases in malware volume and diversity, particularly in Germany and Switzerland. Here, proofpoint.com observed email attacks distributing German-language messages and decoy documents for several families of ransomware and banking Trojans, including variants such as Petya (as well as personalized campaigns for banking Trojans such as Ursnif and Dridex) that are rare elsewhere.