ransomware attack

Is Your Organization Ready to Defend Against Ransomware Attacks?

Without question, cybercrime is escalating and ransomware attacks and threats abound. Learn how to defend against ransomware, how infection can occur and how you can fight back.

Cybercrime is reaching unprecedented heights. And with the recent “WannaCry” ransomware attack, cyberthreats are back at the top of every IT department’s list of priorities and concerns. Unfortunately, it’s a trend that is unlikely to be curbed anytime soon. Cybersecurity communities have estimated that the total cost of cybercrime damage worldwide is estimated at $6 Trillion annually by the end of 2021, forcing more and more businesses to invest in cybersecurity spending on products and services to protect their business critical data from potential ransomware attacks.

Here I’ll talk more about what ransomware is, how infections can occur and how your business can be more prepared to defend against potential attacks.

What is ransomware?

Ransomware is typically defined as a subset of malware where the data on a victim’s computer becomes inaccessible and payment is demanded (usually in the form of bitcoin or other cryptocurrencies), before the data is decrypted and the victim can re-access their files.

Ransomware attacks can present themselves in a variety of forms but Microsoft Malware Protection Center explains that the two most widespread ransomware families to be reported in 2016/17 were:

  • Lock-screen ransomware
  • Encryption ransomware

Typically, lock-screen ransomware will present victims with a full-screen message which then prohibits the user from accessing their PC or files, until a payment is made. Whereas encryption ransomware will modify the data files via encryption methods so that the victim cannot open them again. In both cases, the attackers are in total control and demand large sums of money to access or unlock the files.

How does a ransomware infection occur?

On average, most ransomware infections occur through email messages carrying Trojans that attempt to install ransomware when opened by victims, or alternatively, websites that attempt to exploit vulnerabilities in the victim’s browser before infecting the system with ransomware.

Multiple high-profile incidents in 2016/17 alone, have demonstrated the destruction ransomware attacks can have on enterprise networks just as easily as on individual PCs.  For example, EternalBlue (a Windows exploit) released by the mysterious hacking group Shadow Brokers in April 2017 breached spy tools at the National Security Agency (NSA) and offered stolen data for auction, and the WannaCry strain targeted thousands of targets including the National Health Service in the UK (in total netting ~52 bitcoins or around $130,000 worth of ransom).

Not to mention many other widespread strains of ransomware including Petya, Nyetya, Goldeneye, Vault 7, Macron which have had devastating effects on countries, enterprises, election debates and individuals around the world. Attacking enterprise networks in this manner, is even becoming even more attractive because of the value of the files and data that large enterprises own means attackers can demand higher monetary values for ransom.

How to fight back

The increasing threats of ransomware attack should come as no surprise, because in reality organizations have always been under threat from malicious cyberattacks, viruses and ransomware, just more so now than ever before, and IT managers should continually be looking for ways to better protect their valuable data. Therefore, it is essential that your organization has a plan in place to defend against such attacks, minimize financial impact, reduce IT impact and maintain brand reputation.

The industry recognized recommendations suggest organizations follow the simple 3-2-1 rule and the implementation of a strong security plan. The goal of the 3-2-1 rule is to provide customers with a data protection solution that maximizes application uptime, and data availability in the event of a disaster striking.

With the proper execution of the 3-2-1 backup principles, IT managers can protect their data by:

  • Maintaining 3 copies of data (primary data and two copies)
  • Store backup copies on 2 different media types (such as tape, disk, secondary storage or cloud)
  • Keep 1 copy off-site (either on tape or in the cloud, since disasters can strike without notice, if all other forms of protection fail, you still have access to offline data!)
Windows 7

Windows 7 EOL timebomb identified

Latest figures reveal Microsoft is still struggling to shift people off Windows 7. Will it be the XP End of Life drama all over again?

The number of people still using Windows 7 could lead to a problem when it eventually goes out of support, with even the well-received Windows 10 failing to convince a majority of users to upgrade.

Hospitals, and the police in particular have been slow to give up Windows XP, despite it being out of support and hence vulnerable to new forms of attack.

The latest Netmarketshare figures from Net Applications reveal the picture two years on from the launch of Microsoft Windows 10.

here are the latest month on month figures:

Windows 7: 48.43 (-0.48), Windows 10: 27.99 (+0.36), Windows XP, 6.07 (-0.03), Windows 8.x: 7.42 (-0.35), Mac OS 13 Beta: 0.02 (no change), Mac OS 12 (stable): 3.59 (+0.07), Mac OS 11: 1.09 (-0.08), Mac OS (older): 1.24.

Bottom line: Windows 90.37 percent of the market. Mac has 5.94 and Linux has taken a jump to 3.37 (0.84).

The only event of note – it has been quiet, as relatively few devices are released over the summer – is that there are now the same percentage of people using Windows 8.1 as there are Windows XP – 6.07.

So how is Windows 10 is actually doing? At launch, Microsoft stated it was aiming for 2 billion machines in its first two years. The fact it hasn’t achieved that even allowing for IoT and XBox devices, as well as a host of other new form factors, is obvious, but it was a big goal in the first place.

When the first figures came out, a few days after launch, Windows 10 was already sitting at 0.39 percent, thanks to the early adopters program. A year later, it sat at 22.99, as the free upgrade offer finished.

Microsoft would have had egg on their faces, had they extended the offer, but nevertheless, progress since has been slow. Today’s 27.99 means that just a five percent shift has moved to Windows 10 since the end of the freebie.

When you consider all the devices that Windows 10 is on besides desktops, that’s a pretty unhealthy figure. The last public figure that Terry Myerson gave was 500,000 devices. That’s just not good enough, and whatever Microsoft’s notoriously oily marketing people tell you, it remains a long way from where the company would hope to be.

Microsoft has actually increased its market share overall – It was 90.37 percent for August, up from 88.74 two years ago. But it’s actually down a tiny fragment on this time last year, where it was at 90.39.

So where is all this coming from? Well we can’t look to Windows 8.x which now has less than half the users of two years ago (from 15.86 to 7.42). And XP has dropped by a similar figure (from 13.09 to 6.07).

The issue is Windows 7. People and more especially businesses are still refusing to give it up. It has lost its market share – down from 60.75 in August 2015 to 48.43 percent in August 2017. But again – it’s actually UP on this time last year, where it was at 47.25.

So Microsoft’s increase market share seems to be down to the continuing success of an eight-year old operating system that has been superseded twice. In other words, come 2020, we’re going to have the XP debacle all over again.

And it’s not just Windows. Mac OS has actually fragmented in the past two years. The number of people of Mac OS has dropped from 7.66 to 5.85. Linux on the other hand continues to bloom in its own tiny way, going from 1.68 to 3.37.

There’s no question that the last two years have seen a tremendous change in the market – not least of all, the variety of form factors and new players such as Chrome OS, which isn’t included here for logistical reasons.

But the key problem remains, if Microsoft can’t shift people off Windows 7, without annoying them in the process, then we’re setting ourselves up for another End of Life timebomb.

Good Bye, VMware vSphere Web Client

VMware has announced to deprecate the Flash-based vSphere Web Client with the next numbered release (not update release) of vSphere. The next version of vSphere will be the terminal release for which vSphere Web Client will be available.

Since vSphere web client is based on Adobe flash technology, It results in less than ideal performance as compared to HTML5 based vSphere client and also has constant update requirements. Additionally, Adobe also has recently announced plans to deprecate Flash.

vsphere web client

Currently we have two variants of the vSphere GUIs which includes the vSphere Web Client and HTML5-based vSphere Client in vSphere 6.5 to manage the operation of virtual datacenter.

With the decommissioning of windows based vSphere client, VMware also introduced the HTML5 based vSphere client with vSphere 6.5. Which provides the solid performance as compared to the vSphere web client. The vSphere Client was introduced first in the Fling, then supported with vSphere 6.5. Since its introduction, the vSphere Client has received positive responses from the vSphere community and customer base.

With the recently released vSphere 6.5 Update 1, the vSphere Client got even better and is now able to support most of the frequently performed operations. With each iteration of the vSphere Client additional improvements and functionality are being added.

By the time the vSphere Web Client is deprecated, the vSphere Client will be full featured but with significantly better responsiveness and usability.

The HTML based vSphere Client will be the primary GUI administration tool for vSphere environments starting in the next release. It is recommended that customers should start transitioning over to the HTML5 based vSphere Client as the vSphere Web Client will no longer be available after the next vSphere release. This announcement from VMware gives ample time to customers to prepare for the eventual vSphere Web Client deprecation.

The Evolving Role of the Managed Service Provider

Nearly every enterprise has at least one relationship with a managed service provider today and it’s very likely that relationship has evolved over the years. Get ready, it’s changing again and very much to the advantage of the enterprise.

Managed services has its origins in the beginning of the tech market when companies would turn to a reseller to not only integrate but manage the finished solution. Reselling begot hosting in the late 1990s as the Internet began to crossover from government system to the foundation of our lives, as it exists today. Hosters played two key roles: granting individuals and companies access to the Internet and renting server rack space so corporate applications (mostly web sites) could have a point of presence (POP) on the Internet.

This business evolved from rack hoster to rentable IT admins, who took on the tasks of managing the hardware, OS and increasingly the middleware and applications that ran on those servers. The hosting market was a lucrative and relatively well protected space until cloud computing came along. With the introduction of Software as a Service, applications could now be delivered and managed directly by the software provider themselves. Salesforce led this new market disruption in typical innovator fashion by targeting smaller firms, with lower enterprise-grade expectations and line of business budgets. By the time SaaS started penetrating the enterprise market, its multi-tenant, highly scalable deployment model and new pay-per-user business model was hard for hosters to match and the fight was on.

Public cloud platforms added to the competitive threat by extending the SaaS basics to hosted applications. Now both application outsourcing and the core business of hosting were under threat. A surface examination of these developments might lead you to conclude that the days of the managed service provider were looking pretty gloomy but that’s actually far from the case. It’s simply another evolutionary point in the business life-cycle. While the volume of traditional hosting and application outsourcing opportunities diminish as more applications shift to SaaS or cloud platforms, we aren’t making a binary shift and nor are we getting a free ride from a management and monitoring perspective. Look a little deeper and you’ll find that a large percent of corporate workloads don’t easily fit onto cloud platforms, can’t be cleanly replaced by SaaS and won’t go through such a binary change. In fact the definition of an application is shifting and, for most businesses, already have.

Take, for example, the common business process of eCommerce. Is that a single application? For most companies, absolutely not. It’s a workflow that blends together multiple applications including ERP, CRM, commerce, machine learning, mobile and web, content management and many other elements. And if your company has been around more than 10 years it’s highly likely you have some pretty customized elements in that mix. And it’s a workflow we are constantly refining to stay competitive, improve customer satisfaction with and adapt as end users shift from web-centric to device-centric. So given the changes we are seeing in applications and the shift to cloud that is taking place, what is the end result – a highly blended mix where certain elements are shifted to SaaS, others moved to cloud platforms and others that can’t make the move but must continue as part of the mix.

According to Gartner, Inc., by 2018, more than 40% of enterprises will have implemented hybrid data centers, up from 10% in 2015. Given that we need to accelerate the evolution of this blended model to keep pace both competitively and with our ever-changing customers, what’s the best use of your limited development and IT staff resources? You will pick up some bandwidth as the management of SaaS apps shifts to the SaaS provider and of the infrastructure below the elements you can shift to cloud platforms. But the integration, evolution, security and need for more agile UX improvements all remain. And whether you put your applications on hyper-scale public clouds like Azure or on more localized offerings such as those provided by most MSPs, you still have to manage the Cloud Handshake.

Looking at your task list and cross-correlating this with your IT staff bandwidth, you’ll likely draw the conclusion that managing the Cloud Handshake falls low on the priority list. And this is exactly where the managed service provider can add the most value. And exactly where their business models are evolving. As pointed out in this white paper from Hosting.com, the future of the managed service provider is in managing the blended IT environment. The reality is that your deployment portfolio is evolving to a mix of in-house, hosted, SaaS and multiple cloud platforms. And managing this mix isn’t your core competency and shouldn’t be your priority. MSPs are evolving their business models towards managing this mix so you can focus on the things that are unique to your business.

Links in phishing-like emails lead to tech support scam

Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.

Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.

However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.

The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:

  • Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.
  • Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.
  • Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.

The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.

An alternative infection path for tech support scams

The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.

Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.

Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.

Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.

The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:

  • hxxp://love.5[redacted]t.com/wordpress/wp-content/themes/acoustician.php
  • hxxp://s[redacted]t.com/wp-content/themes/paten.php
  • hxxp://k[redacted]g.org/wp-content/categorize.php

Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.

Fig 5. Redirects to support scam site

Landing on typical support scam websites

Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.

Fig 6. Tech support scam site with fake warning and support number

The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.

Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.

More advanced tech support scam sites use web elements to fake pop-up messages. Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars.


This article was first published at microsoft.com