November 24, 2017

Protect Yourself From Malware, A Decryptor Key For Ransomware Released on July 27

All the links and info you need to protect your computer

WannaCry Ransomware

Decryptor For Ransomware Released July 25th 2017

Ransomware, which charges money (bitcoin) to decrypt data on infected computers, has caused more than a billion dollars worth of damage and affected hundreds of thousands of users worldwide.  Among those crippled by having their computer data encrypted are hospitals who provide life saving care.

Message ransomware displays when your computer info has been encrypted (image courtesy of Malwarebytes)

The great news is that Malwarebytes Labs declared they have a FREE fix (decryptor) for old and some current versions of ransomware (malware that encrypts your data), including GOLDENEYE/PETYA (Petya/NotPetya). To unlock your computer if you have Goldeneye, Red Petya or Green Petya, click the link to Malwarebytes Labs. If you have been infected, click here for info about how to identify the particular version of the Petya malware that you have picked up. Even for the uninitiated there are step-by-step instructions on how to use the decryptor. I cannot overemphasize the importance of this step to those victimized by cybercrime. Before using this decryptor, BACK UP YOUR FILES. As Malwarebytes' disclaimer states, they are not responsible for lost or damaged files.

Malwarebytes Decryptor step 1


An Ounce of Prevention Is Worth A Pound Of Cure

To avoid being a victim in the first place:

  1. Run all Microsoft Updates (especially MS17-010) and back up your computer regularly. You can set updates to run while you are asleep. In Windows 10, go to Settings > Update & Security; you'll see your update status there. In Windows 8.1, go to Settings > Change PC Settings > Update and recovery. In Windows 7, go to Control Panel > Windows Update. (Image: Setting Windows to update when you are asleep.)
  2. To read Sophos's free, complete rundown on what ransomware is and the best ways to protect yourself, click here.
  3. If you receive a suspicious email promising money or free stuff: DON'T OPEN IT! DON'T CLICK A LINK. Protect yourself from phishing emails. Phishing emails are the likely source of the Sony hack; lack of proper care by employees was the root cause. The security experts at some companies send out fake phishing emails to get employees up to speed on internet security.
  4. Make sure you have a security suite and that Real Time Protection (on access scanning) is turned on in your antivirus.
  5. Click on the following links to read about securing your computer and phone when you use Facebook, Twitter(most recently targeted by Russia), Skype or any social media.
  6. Take care when using public WIFI. One of the most serious new threats (Inexsmar, 7/23/17) involves hackers targeting hotel WIFI. It is a multi-stage trojan that covers its own tracks, another step in the evolution of malware. Never divulge any financial info or log in to work on public WIFI. Use a VPN, enable two-factor authentication and disconnect immediately after using WIFI. Watch this video or read this article on how to protect yourself while using WIFI. There is nothing someone can't do to a computer compromised on WIFI.
  7. DON’T pay!  You’ll encourage more attacks and the chances are lottery slim you’ll get your computer unlocked.  Even if they do, it does not rule out the chance you are still infected and being used (botnet).
  8. Use a password manager and login to your computer using an account that DOES NOT have administrative privileges.  If your account has limited privileges so will malware.  Only login as admin when you need to.
  9. Kaspersky Lab has a free ransomware tool for business.
  10. If you are not sure about the safety of a site, insert its URL into Google's Safe Browsing search window and check out their Malware dashboard (this doesn't always work, but it's worth a shot). Run an ad blocker on your browser.
  11. Keep all plugins up to date (Java, Flash, Adobe), disable autorun (at work) and disable macros in Word. DO NOT enable macros when an email asks you to, especially for attachments like case number.doc, e-ticket_79010838.doc, fax_msg896-599-5459.doc etc. Click here for the complete list.
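One way to audit a few of the items above (tips 1, 4 and 8) on a Windows 8.1/10 machine, as an added example that is not part of the original post. It uses only built-in PowerShell cmdlets, changes nothing, and assumes Windows Defender is the installed antivirus and that the script is run in an elevated PowerShell window.

```powershell
# Added example (not from the original post): read-only audit of checklist
# tips 1, 4 and 8. Run in an elevated PowerShell on Windows 8.1/10.

# Tip 1: are patches current? List the five most recently installed updates.
# MS17-010 (March 2017) closes the SMBv1 flaw that WannaCry and Petya spread
# through, so a machine whose newest update predates it has not received it.
Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn

# Beyond the patch, the SMBv1 protocol itself can be switched off.
# (Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.)
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Write-Warning "SMBv1 is still enabled; disable it unless old devices need it."
} else {
    Write-Output "SMBv1 is disabled."
}

# Tip 4: is real-time (on-access) scanning on? Assumes Windows Defender.
if ((Get-MpComputerStatus).RealTimeProtectionEnabled) {
    Write-Output "Defender real-time protection: ON"
} else {
    Write-Warning "Defender real-time protection is OFF"
}

# Tip 8: is the everyday account a member of the local Administrators group?
# S-1-5-32-544 is the well-known SID of Administrators, so this works in any
# Windows language. Get-LocalGroupMember ships with Windows 10.
$me     = "$env:USERDOMAIN\$env:USERNAME"
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
if ($admins -contains $me) {
    Write-Warning "$me is an administrator; use a standard account for daily work."
} else {
    Write-Output "$me is a standard (non-admin) user."
}
```

Accounts signed in with a Microsoft or Azure AD account appear under a different name in the group listing, so check that entry by eye if the last test does not match.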

Despite taking all the above precautions, I encourage you to back up, back up, back up. This is the safest thing you can do. Regardless of the security solution, we are the weakest link. We use overly simplistic passwords (use a password manager), i.e., no special characters, or duplicate passwords (work and personal email). And who hasn't clicked on something they should not have? Backing up may be as simple as turning on File History backup in Windows Update & Security or choosing from PC Mag's Best Backup Software of 2017. The options for a safe restore are much easier with the Creators Update.

The current cyber threat, the GOLDENEYE/PETYA wiper virus (Petya/NotPetya), no longer contains the kill switch that WannaCry (also known as WannaCrypt) contained, but it uses the same exploit (Windows vulnerability) that may be stopped by running this patch. Many claim it was made to destroy, not to make money, leading some to think it was an attack by one nation state on another. The target seems to be once again Ukraine, which has suffered 60% of the attacks (let's see who attacked Ukraine before... hmm). The casualties now include (U.S.) FedEx, who will recover but expects their losses to be significant. Other collateral damage was San Francisco's radio and TV station KQED, which has been paralyzed for over a month by a ransomware attack that encrypted thousands of files. A bit like getting hit by fallout from a nuclear test?

AlphaBay Dark web marketplace for all things evil is shut down

Malware is just part of a pattern of criminal activity which includes major illegal drug and chemical distribution. The two largest dark web marketplaces, AlphaBay (200,00 users) and Hansa Market, have been shut down. As stated in the FBI.gov release, AlphaBay had more than 100,000 listings for fraudulent documents, IDs, malware and other hacking tools. A major source for vendors advertising Fentanyl and Heroin, AlphaBay had 250,000 listings for illegal drugs and toxic chemicals.

AlphaBay founder Alexandre Cazes, whose handle was alpha02, used his personal email to welcome members to AlphaBay. This careless hubris got him doxed and arrested, in the same manner as Ross Ulbricht, who originated Silk Road, AlphaBay's predecessor. Cazes was found dead in his cell in a Thai prison several days later of an apparent suicide. The bust, announced on July 20th 2017, used the combined efforts of U.S., Dutch, Thai and Canadian law enforcement teams. After AlphaBay was shut down, criminals unwittingly moved to Hansa Market to do their "business," not realizing it was a trap set by Dutch authorities, who had controlled the site for 27 days. Four major drug dealers were taken down as a result of the bust. Hansa was also a site for stolen data and malware.

So why did big companies and hospitals get hacked? Some didn't know they needed the patch, like movie editors who work on Avid ISIS or Nexis shares (info on the patch for Avid here). Big organizations schedule updates so as not to interfere with day-to-day operations, once a week or sometimes less. Some don't even have a networked option. In addition, these updates usually come in scheduled releases, not all at once, except for emergencies. Also, the bad guys target organizations that can't afford not to pay, like hospitals that are running computer-based diagnostic and treatment options 24/7.

If you are a cybersecurity wiz, hospitals are desperate for talented IT pros. They can't fill the positions fast enough because they pay on average 25% less than financial institutions and their security experts are always on call. And if there is a breach, instead of losing a couple of bucks, lives are at stake.

Why haven't more offenders been caught? There is now very sophisticated software that hides the bad guys. The good guys catch up and the bad guys find a way around it. Malware can be downloaded to a computer and remain dormant for months until a host's action triggers it. It can even affect the physical architecture of a computer. But let me be clear that Microsoft put out the patch in mid-March, almost a month before the WannaCry ransomware attack. So we must shoulder some of the blame for the current epidemic.

Graph of Ransomware attacks courtesy of Microsoft

The new Windows Creators Update, when and if you decide to get it, provides much improved built-in Windows Defender security and a more secure and feature-filled Microsoft Edge browser. In addition, instead of cumulative updates that took a while to download and run, Microsoft will be sending more frequent and smaller updates that are easier for your PC to digest. One of the biggest features is called container-based isolation, which literally isolates malware within the browser and prevents it from taking control of anything else on your computer. This is a newer version of "sandboxing" technology, because some malware was found to wait out the sandbox isolation and then do its mischief. This fall, things will improve even more with the new "Redstone" update (the 2nd Creators Update) from Microsoft, which features Windows Defender Application Guard.

How to use all the newest features in The Creators Update to protect your computer

Let me be clear: The Creators Update is not perfect yet, but what update is?

In the United States, the money to move to a newer OS like Windows 7 or Windows 10 (a free upgrade for most) is not at issue. In some countries, though, the money to own a legitimate copy of the software is often not available, as a Ukrainian student at my work pointed out. Without a newer version or a legitimate copy of the software, getting timely updates may not be possible. This explains why WannaCry and Goldeneye/Petya hit some countries harder than others. Pirated versions of Windows may be cheap, but WannaCry made many pay dearly. With the right software you can build a Windows operating system, but upgrading and applying patches is another issue altogether.

Observe these rules for safety when using your phone. For those who think their Android phones are always secure: they are, until you download apps (pirated, phony apps) from unproven developers (Chinese free versions of Angry Birds or a cheating tool for the game King of Glory). The result is about 2 million handsets getting a virus from the Google Play Store (SLocker and now FLocker). Most likely you're on your phone more than your computer. Why not secure it with its own anti-malware app and run a web security app like Disconnect, which stops mobile trackers from collecting your info while protecting you from malvertising threats?

(Image courtesy of Trend Micro)

If you don't, you could be visited by the Android version of ransomware, which encrypts texts, pictures and videos. If the ransom is not paid within a few days, the price increases. The name on the Android ransomware demand is Lycorisradiata. Lycoris radiata (the Chinese red spider or magic red lily) is a flower with extremely poisonous bulbs, used in Japan to surround rice paddies and houses to keep pests away. Wouldn't it be nice if we could surround our phones and computers with something poisonous to keep out pests? The poisonous Lycorisradiata has now been joined by a new threat, GhostCtrl, which can record audio and video while gaining access to phone data in real time. Restricting permissions on devices seems to be part of the solution, but who wants to do that to their phone?

Finally, don't let all this make you crazy: back up, follow the rules for safe browsing, run all Microsoft Updates, and enjoy your computer and your life.

How the WannaCry ransomware spread (compiled from data gathered by MalwareTech)

About Bob Hershon

Multimedia lab specialist at a College.
Photographer and journalist mainly for Jazz Magazines in the 90’s. Wrote about soundtracks and did press releases for Verve Gitanes after that.
Worked at the Menlo Park VA (1969-1970 same one Ken Kesey was at earlier. He’s (older). Palo Alto VA (under the best scientist I’ve ever met, Leo Hollister)1971-1974. Part of the group were two other geniuses Hamp Gillespie and Jerod Tinkleberg. I was just a research assistant on my way to screwing up a doctorate.
Burt Center Residential Treatment Center for Autistic and traumatized children and young adults 71-74 and Family Service Agency of SF before recovering my sanity at Canada College Music School. John Kreiger and Phillip Ienni guided me to the light and poly tonality.
To stay sane I played guitar for 40 years. The picture was taken years ago. I have gone gray and old.

2 Comments

  1. It is very important to know the steps for how to deal with these hacker attacks, especially having the steps for what to do next after it has happened to you. Thanks to Bob, I will send this article to all my friends to let them know about the procedure.

    • I have updated the article to include a decryptor key for anyone you know who has been victimized by four current strains of ransomware. I have also updated the steps to prevent being hacked. Thanks so much for responding.
