Since 2015, the cybercriminals behind the SamSam ransomware have extorted nearly $6 million in payouts from individuals, companies and government organizations. No one is immune to the group's demands: it has adopted an extremely targeted approach that continues to net the criminal gang up to $300,000 per month.
Follow The Money…
IT security company Sophos has been able to follow payments to the crime network by tracking Bitcoin addresses that are declared on the digital ransom notes sent to victims. Researchers have found that to date nearly $6 million in ransom has been paid by around 233 targets. The largest payment to the group by an individual was $64,000, and governmental organizations targeted by the ransomware include hospitals, universities, municipal organizations and even entire cities. The city of Atlanta and the Colorado Department of Transportation have both suffered attacks by the group.
How Does It Work?
SamSam is not a random malware infection that one can ‘pick up’ via email or by clicking on the ‘wrong’ link on a website. SamSam victims are carefully preselected, and the targeted systems are infected manually: the attackers gain entry either with stolen credentials bought on the Dark Web, by exploiting vulnerabilities in remote desktop protocol (RDP) and file transfer protocol (FTP) servers, or by brute-force attacks against weak passwords. SamSam ransomware is deployed by a human attacker who systematically infects the entire network before sending out the ransom demand.
Once the attacker is in the system, it is effectively locked down and the data encrypted (kidnapped); the only way to regain access to the data is to pay the ransom in return for the decryption keys. Usually, ransomware is released ‘into the wild’, so it is not easily controllable or trackable; SamSam, though, is frighteningly specific. Targets are researched carefully, attacks are coordinated and, very often, the victim does not report the cybercrime for fear of losing the data forever. The loss of important data for a hospital, university or an entire city could be catastrophic, so victims are more inclined to pay the ransom than risk the collapse of their entire organization.
Why do people pay the ransom? Because the cost of the fix is almost always more expensive, and more time consuming, than the ransom. In cases where the ransom was not paid – the city of Atlanta, for example – the cost of the fix was reported to be around $2.6 million, against the $51,000 demanded in the ransom.
You Can’t Stop SamSam, But You Can Prevent An Attack
While there is nothing to be done once your data is encrypted, as always, prevention is infinitely better than cure, and having systems and protocols in place to prevent access is the best way to minimize the risk. Keep software and systems up to date, restrict access and implement multi-factor, multi-device authentication on systems and ALWAYS have an offline, preferably air-gapped, backup of everything.
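The RDP brute-force entry described above leaves a trail of failed remote logons before the attacker ever gets in. As an added example (not code from the article or from Sophos), the following Python flags a source address that fails many RDP logons in a short window; the log lines are constructed in a simplified format, not real Windows Security log output, and the threshold and window are assumed values.

```python
# Added example (not from the article): flag RDP brute-force attempts of the
# kind SamSam operators used for initial access, by counting failed logons
# per source address in a sliding window. Log lines are constructed here in a
# simplified "timestamp event_id logon_type src_ip user" format, not real
# Windows Security log output.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"        # Windows Security event: an account failed to log on
REMOTE_INTERACTIVE = "10"    # logon type 10 = RemoteInteractive (RDP)

# Constructed sample log: many failures from one address, one failure elsewhere.
SAMPLE_LOG = """\
2018-07-30T02:00:01 4625 10 203.0.113.7 administrator
2018-07-30T02:00:03 4625 10 203.0.113.7 admin
2018-07-30T02:00:05 4625 10 203.0.113.7 backup
2018-07-30T02:00:08 4625 10 203.0.113.7 sqlsvc
2018-07-30T02:00:09 4625 10 203.0.113.7 helpdesk
2018-07-30T02:00:12 4625 10 203.0.113.7 administrator
2018-07-30T02:10:00 4625 10 198.51.100.4 jsmith
2018-07-30T02:11:00 4624 10 198.51.100.4 jsmith
"""

def parse_line(line):
    ts, event_id, logon_type, src_ip, user = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src_ip, user

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: distinct_users_tried} for sources that produced at least
    `threshold` failed RDP logons within any `window`-long span (assumed values)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    users = defaultdict(set)      # src_ip -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, logon_type, src_ip, user = parse_line(line)
        if event_id != FAILED_LOGON or logon_type != REMOTE_INTERACTIVE:
            continue
        q = recent[src_ip]
        q.append(ts)
        users[src_ip].add(user)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src_ip] = len(users[src_ip])
    return alerts

if __name__ == "__main__":
    for ip, n in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {ip}: {n} distinct accounts tried")
```

A burst of failures across several account names from one address is the signal to act on before the brute force succeeds, and it is exactly what multi-factor authentication and restricted RDP exposure blunt.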
After the Cambridge Analytica data privacy scandal put Facebook in hot water for ‘selling’ the personal data of over 85 million Facebook users, the company is embroiled in another data privacy breach. In 2015, Facebook stated that it had restricted access to user data for third-party technology and app development companies. A document presented to the United States Congress in July revealed that this was not the case.
Data Sharing by Facebook – Software & App Developers
The documents delivered to the government investigation committee revealed that, despite stating it had cut off access to user data by outside companies, Facebook continued to share data, including users’ personal data, with hardware, software and app developers after 2015. The report was made available just hours before the deadline for the request for information, which came after CEO Mark Zuckerberg testified before Congress in April 2018.
Who Had Access to Facebook Data?
Part of the document received by Congress reads, “We engaged companies to build integrations for a variety of devices, operating systems and other products where we and our partners wanted to offer people a way to receive Facebook or Facebook experiences”.
The companies had access to Facebook user data to enable them to better create Facebook integrations for mobile devices and other websites. Seemingly innocuous and all in the quest for a better user experience, but at what cost to individual privacy, and who really knows what happens to your personal data or how it is used once it leaves Facebook? Facebook has reported that it has already ended as many as 38 of these joint partnerships and plans to discontinue the rest by the end of October 2018. However, it was also revealed that Facebook would continue to work with Apple, Amazon and Tobii past the October 2018 deadline.
Facebook has come under much criticism following the scandal around Cambridge Analytica and its misuse of user data to manipulate the 2016 U.S. elections. The affair has also raised a lot of questions about how robust the company’s data management process really is. Questions are being asked not only about the sale of personal data to third-party companies, but also about the overall data protection and cyber security policies in place to protect its 2 billion users against cyber-attacks and hackers. After the Cambridge Analytica revelations in March, the company lost around $60 billion in market value in just two days.
No chance of early release from prison for Konrad Voits, the hacker who broke into the Washtenaw County Jail system to secure the early release of at least one inmate. Voits pled guilty to the federal crime of hacking into a protected computer and is now set to serve a seven-year sentence in prison.
Fake Sites Used to Trick Officials
Voits set up a fake website, ewashtenavv.org, mimicking the official website at ewashtenaw.org, and successfully convinced county officials to visit the fake site. This allowed Voits to install malware on computers in the IT department, eventually gaining him access to the entire system. Voits was able to access over 1600 personal addresses and search warrants, and gained the capability to alter jail records to secure the early release of prisoners.
Vigilance and Cyber Security
It was not any sophisticated anti-hacking software that alerted officials to the breach of cyber security at the county offices, though. Cross-checking inmates’ release details against paper records alerted officials to the discrepancy, which led to the involvement of the FBI and the eventual arrest of Voits.
How To Protect a System Against Malware
Unfortunately, to gain access to a system, malware must be physically installed on a device, which usually signifies a level of human involvement; to a greater or lesser degree, our systems are only as secure as the people using them. A simple one-character change in a web address allowed Voits access to thousands of records. Many individuals are also at risk of hacking attacks and malware intrusions via links sent in emails, on social media and via messaging apps on cellphones. The best way to avoid security loopholes in systems is to remain vigilant, check that every link visited directs to the correct site, and not click on anything (link, image or video) that is unknown. For businesses, this means having a strict code of online conduct for all employees.
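Checking that a link really points at the intended site can be partly automated. As an added example (not code from the article or from Washtenaw County), the following Python classifies a visited URL against a constructed allow-list of trusted domains, folding look-alike character pairs such as "vv" for "w" so that ewashtenavv.org is flagged as impersonating ewashtenaw.org, and also catching single-character typosquats; the allow-list, the substitution table and the sample URLs are assumptions for the example.

```python
# Added example (not from the article): flag web addresses that impersonate a
# trusted domain by a small visual change, like ewashtenavv.org standing in
# for ewashtenaw.org. The trusted list and the visited URLs are constructed.
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"ewashtenaw.org"}   # constructed allow-list for this example

# Character sequences that look alike at a glance (assumed table); each is
# folded to one form so "vv" matches "w" and "rn" matches "m" before comparing.
LOOKALIKES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "cl": "d"}

def fold(domain):
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if host in trusted:
        return "trusted"
    folded = fold(host)
    for good in trusted:
        if folded == fold(good) or edit_distance(host, good) <= 1:
            return f"lookalike:{good}"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://ewashtenaw.org/jail", "http://ewashtenavv.org/login",
              "https://example.com/"):
        print(u, "->", classify_url(u))
```

A "lookalike" result is the cue to stop and compare the address character by character, which is the vigilance the paragraph above asks for.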
A former employee of the Israel-based cyber-arms dealer and software company NSO Group has been arrested for theft and for attempting to sell a phone hacking tool on the Dark Web for $50 million. NSO Group is a well-known software and cyber security company that specializes in the development of technology that can be utilized in the fight against terror. No stranger to controversy, the company has in the past been accused of selling software that has led to attacks on human rights activists and journalists in politically sensitive regions of the world. Notably, the software was used to target activist Ahmed Mansoor in the United Arab Emirates in 2016.
High-Tech Malware Used to Hack iPhones and Android Phones
The NSO Group provides software to governments around the world that can crack the sophisticated security provided by mobile phones. The software can be used to spy on individuals and organizations, as well as used by law enforcement to stop criminal activity. However, the spy software manufacturer recently fell prey to a breach of security itself when an ex-employee stole proprietary software for the company’s product, Pegasus.
Pegasus, which operates as malware, targets vulnerabilities in iPhones and Android devices. Though both Apple and Google have been quick to patch and fix the supposed vulnerabilities, Pegasus is still considered one of the most powerful spyware programs available for commercial use.
The employee stole the source code for Pegasus, NSO Group’s most powerful software and spyware. Allegedly, the 38-year-old was trying to sell the spy software on the dark web for around $50 million, payable in cryptocurrencies. The company noted that the asking price of $50 million was substantially higher than the regular licensing price of around $1 million per deployment. The indictment, handed down by Israel’s attorney general, detailed how the employee disabled the standard McAfee security software on his computer and brazenly copied the Pegasus source code onto an external hard drive.
Trying to broker a sale on the dark web proved futile, as the potential buyer reported the sale and hack details to NSO Group, which led to the arrest of the individual.
What Does This Mean for Cyber Security?
Despite selling its own form of hacking software, NSO Group has always maintained that its source code and software are only sold to and used by reputable and approved government agencies, specifically in the fight against terror. The fact that the software could so easily be copied by simply disabling an out-of-the-box security program and put up for sale means that even the most secure facilities and systems are vulnerable to attack. Often, security threats stem from within organizations, where, ironically, security is habitually the weakest. Vetting employees and others with access to company software, especially potentially dangerous cyber weapons, is a crucial step in the development of any program. The risk that cyber weapons end up in the hands of people who would use them to perpetrate crimes against humanity is too great to be trusted to an antivirus package.
Zip Slip is the name given to a critical vulnerability that, as the name suggests, is all about Zip files. The massive vulnerability was discovered and researched by cyber security firm Snyk, which disclosed that thousands of projects may be affected.
How Hackers Use Zip Slip
The most interesting (and alarming) thing about Zip Slip is its simplicity. Attackers can craft Zip files whose entry names use path traversal, so that extracting the archive overwrites vital system files, either destroying them or replacing the code with potentially malicious alternatives. The Zip Slip vulnerability also gives attackers the ability to execute code remotely in parts of the system that are used on a regular basis, such as system files and even popular applications used daily.
What Is Affected?
Snyk has posted a list of projects and libraries with diagnosed vulnerabilities on GitHub; users should check whether they are using vulnerable software and download the patch to get their systems fixed.
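The path traversal described above comes down to an archive entry whose name contains "../" components, which a naive extractor joins onto the target directory and writes wherever it lands. As an added example (not code from Snyk's advisory or from any affected project), the following Python builds such an archive in memory, with constructed entry names, and shows the check a hardened extractor needs: resolve each entry's destination and refuse it if it leaves the target directory.

```python
# Added example (not from Snyk's advisory or any affected project): build an
# archive in memory whose entry name uses "../" path traversal, then show a
# hardened extractor rejecting that entry while writing the benign one.
# The archive contents and target directory are constructed for the demo.
import io
import os
import tempfile
import zipfile

def build_zip_slip_archive():
    """Constructed sample: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless file\n")
        zf.writestr("../../evil.sh", "echo overwritten\n")  # traversal entry
    return buf.getvalue()

def resolve_entry(target_dir, name):
    """Resolve an entry name under target_dir; raise if it escapes."""
    base = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # commonpath collapses to base only when dest is base itself or below it
    if os.path.commonpath([base, dest]) != base:
        raise ValueError(f"zip slip: entry {name!r} escapes {base}")
    return dest

def safe_extract(zip_bytes, target_dir):
    """Extract only entries that stay inside target_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                dest = resolve_entry(target_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out:
                out.write(zf.read(info))
            written.append(info.filename)
    return written, rejected

def demo():
    """Run the hardened extractor against the constructed archive in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_zip_slip_archive(), os.path.join(tmp, "out"))

if __name__ == "__main__":
    print(demo())
```

Python's own ZipFile.extract already strips ".." components, so the check here stands in for the one the affected libraries lacked; the same resolve-then-compare step applies to any archive format that carries entry names.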