
Friday, May 12, 2017

Krebs: U.K. Hospitals Hit in Widespread Ransomware Attack

A timely reminder to make sure your computer is updated. The worm described below spreads through a Windows SMB vulnerability (MS17-010) that Microsoft patched in March; a Windows machine with that update installed cannot be infected through that hole, and a current backup of your files is the only reliable way to recover if a machine is infected some other way.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

U.K. Hospitals Hit in Widespread Ransomware Attack

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.


In a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”
According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.
NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wanna Decryptor (a.k.a. “WannaCry”), a ransomware strain that surfaced roughly two weeks ago.
Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wanna Decryptor wasn’t a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.
“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today, it just went nuts. This is by far the biggest outbreak we have seen to date.”
For example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.”
An alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wanna Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.
According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
That SMB flaw has enabled Wanna Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.
“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is huge.”
Abrams said Wanna Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one’s files to their original, unencrypted state.
“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”
Experts may yet find a weakness in Wanna Decryptor that allows victims’ files to be decoded without paying the ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.
Wanna Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

Tuesday, May 9, 2017

Advisory: FTC Promotes Privacy Awareness Week

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

05/08/2017 10:39 PM EDT

Original release date: May 08, 2017
The Federal Trade Commission (FTC) has released an announcement on Privacy Awareness Week, celebrated this week in the U.S. The theme of this year’s initiative is “Share with Care,” and the FTC is offering privacy tips, including how to safeguard your information online, improve your computer security, and limit unwanted emails.
US-CERT encourages users and administrators to review FTC’s post on Privacy Awareness Week and these related resources from US-CERT:

https://www.us-cert.gov/ncas/current-activity/2017/05/08/FTC-Promotes-Privacy-Awareness-Week

Monday, May 8, 2017

Example 198: Email Update!

Scam email update sent from a compromised UMN account

Message text
Subject:    Email Update!
Date:   Mon, 8 May 2017 20:03:37 +0100
From:   compromised UMN account <xxx @umn.edu>
Reply-To:   gmail account



We are using this opportunity to notify the Students, Staffs and Alumni
of University of Minnesota that an update is being done on all accounts.
We strongly advise that you update <hxxp:// tinyurl.com/ xxxxx > your
account promptly to avoid closure/inconvenience on your account, kindly
do this immediately.
Sincerely,
IT Admin
Login form

Minnesota bogus branded simple login form


Things to note

  • Form link uses tinyurl to mask a non-UMN login address
  • Form is modestly branded
  • Form shows the password in the clear

Example 197: Your Edu Webmail Expired on 05.08.2017,Update

Non-branded email and form claiming to warn about an email account problem.

Message text

Subject:    Your Edu Webmail Expired on 05.08.2017,Update
Date:   Mon, 8 May 2017 12:40:19 +0000
From:
Your Webmail Edu account certificate expired on 05.08.2017, it may
interrupt your email delivery configuration, and POP account settings
page error when messaging. To re-new your webmail certificate, please
take a moment to update your records per link below or copy and paste link.
hxxp://helpdesk1.xxx.xx/
Account will function as normal after the verification process, webmail
and your certificate will be re-newed.
Web form

non-branded, simplistic phishing form

Thursday, May 4, 2017

Advisory: NO, no one has shared a document on Google Docs with you

Email Attack Hits Google: What to Do if You Clicked


A screen shot of an email received by a New York Times reporter on Wednesday that included a link that appeared to be for a Google document. (Identifying information has been redacted.)



Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam.
The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document.                    ........
If you receive suspicious email, here are some tips:
1. Do not click, even when the email is from your mother.
2. Turn on multifactor authentication.
       (this is coming for all UMN users soon, stay tuned)
3. Shut it down.
Go to https://myaccount.google.com/permissions
Revoke access to “Google Docs” (the app will have access to contacts and drive).
4. Change your passwords ... again.
5. Report it.
Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.
...
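Step 3 above works because the bogus “Google Docs” was an OAuth app, and the access it obtained was exactly what its consent screen asked for. An OAuth consent link states that up front in its query string, so it can be read before anyone clicks Allow. The Python below is an added example, not code from this blog, the NYT article or Google: it decodes a consent URL and flags contacts, Drive and Gmail scopes. The Google authorization endpoint and the scope URIs are Google’s published ones; the client_id, the redirect host and the sample link itself are constructed placeholders, not the real attack’s.

```python
"""Added example (not from the original page): decode an OAuth 2.0 consent link to see
what an app is really asking for. The authorization endpoint and scope URIs are Google's
published ones; the client_id, redirect host and sample link are constructed placeholders."""
from urllib.parse import parse_qs, urlparse

# Scopes that hand a third-party app your address book, files or mail: the kind of
# access the advisory above says the bogus "Google Docs" app received.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts": "read and write your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
    "https://www.googleapis.com/auth/drive": "full access to your Drive files",
    "https://mail.google.com/": "full access to your Gmail",
}


def inspect_consent_url(url: str) -> dict:
    """Summarise who is asking, where the grant is sent, and which scopes are dangerous."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    # scope is one space-separated parameter; parse_qs already turns '+' into spaces.
    scopes = q.get("scope", [""])[0].split()
    redirect = q.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect).hostname or "").lower()
    client_id = q.get("client_id", [""])[0]

    sensitive = {s: SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES}

    # The consent page itself really is hosted by Google; that is what makes this lure
    # convincing. The tell is a third-party app asking for contacts, Drive or Gmail,
    # with the grant delivered to a host that is not the document you expected to open.
    return {
        "consent_host": parts.hostname,
        "client_id": client_id,
        "grant_delivered_to": redirect_host,
        "scopes": scopes,
        "sensitive": sensitive,
        "suspicious": bool(sensitive),
    }


# Constructed consent link modelled on the lure described above; nothing here is the real one.
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

if __name__ == "__main__":
    for key, value in inspect_consent_url(SAMPLE_CONSENT_URL).items():
        print(f"{key}: {value}")
```

Paste the address bar of any consent screen into inspect_consent_url before clicking Allow. A real shared document never needs your contacts or Drive access to open, so a consent screen that asks for them is the point to close the tab; and if you already clicked, the permissions page in step 3 is where that grant is revoked.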

See also:
http://money.cnn.com/2017/05/03/technology/google-docs-phishing-attack/
https://www.washingtonpost.com/news/the-switch/wp/2017/05/03/why-this-google-docs-phishing-attack-is-particularly-sneaky/


Thursday, April 20, 2017

Advisory: Unexpected Emails

An example of a spam email that may be trolling for personal information.

Message Text

Subject: New resources for education

Hello!

Apple-Edu would like to share a special opportunity to you - a sweepstakes offering resources and equipment you can use! Please share anyone with who may wish to consider this - thanks!

    Learn More <<-link

Sincerely,

   

Web Form
Web form used to troll for user email addresses

Things to Note


  • Is this message plausible? Is there any reason that you would receive this message?
  • If the message is delivered to your email - why does their form request your email address?
  • If this message was sent from a specific organization/company - where is the URL hosted?
  • Is the person sending it from the company represented?
Actions
  • Use "mark as spam" - this will help filter such messages in the future
  • Report suspicious email to University Information Security - phishing@umn.edu
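The questions in the “Things to Note” lists above, here and under Example 198 (a shortened link hiding a non-UMN form, a Reply-To that does not match the From, a link hosted somewhere other than the claimed sender, pressure to act immediately), can be run as a first pass automatically. The Python below is an added example, not code from this blog or from University Information Security. The two sample messages are constructed stand-ins for the redacted originals of Examples 198 and 197; the placeholder addresses and links in them are assumptions, and the second keeps the page’s hxxp defanging to show that the parser handles it.

```python
"""Added example: first-pass triage of phishing samples like Examples 197 and 198 and the
Apple-Edu sweepstakes message. Not from the original page; the sample messages are
constructed stand-ins for the redacted originals."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Public URL shorteners: a login link routed through one hides where the form really lives.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Pressure phrases common to account-expiry lures.
URGENCY_PHRASES = ("immediately", "promptly", "avoid closure", "expired", "re-new")

# Matches live links and defanged ones (hxxp://) as they appear in write-ups like this page.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude organisation-level domain: last two labels (umn.edu, gmail.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value) -> str:
    """Registered domain of the first address in a From/Reply-To header, '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def triage(raw_message: str, org_domain: str = "umn.edu") -> list:
    """Return [(finding, detail), ...] for one message in RFC 5322 text form."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))

    # Example 198: sent from a compromised umn.edu account, but replies go to free webmail.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch",
                         f"From {from_domain or '(none)'} but Reply-To {reply_domain}"))

    # Example 197: no sender at all, which genuine helpdesk mail never lacks.
    if not from_domain:
        findings.append(("missing_sender", "From header empty or unparseable"))

    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""

    for raw_url in URL_RE.findall(text):
        url = re.sub(r"^hxxp", "http", raw_url, flags=re.IGNORECASE)
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(("shortened_link", raw_url))
        elif registered_domain(host) != org_domain:
            # The form is hosted somewhere other than the organisation the mail claims to be.
            findings.append(("offsite_link", raw_url))

    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    return findings


# Constructed stand-in for Example 198 (addresses and link are placeholders, not the real ones).
SAMPLE_198 = """\
Subject: Email Update!
Date: Mon, 8 May 2017 20:03:37 +0100
From: IT Admin <compromised.user@umn.edu>
Reply-To: itadmin.update@gmail.com

We are using this opportunity to notify the Students, Staffs and Alumni
of University of Minnesota that an update is being done on all accounts.
We strongly advise that you update <http://tinyurl.com/xxxxx> your
account promptly to avoid closure/inconvenience on your account, kindly
do this immediately.
"""

# Constructed stand-in for Example 197; the link is defanged (hxxp) as on the page.
SAMPLE_197 = """\
Subject: Your Edu Webmail Expired on 05.08.2017,Update
Date: Mon, 8 May 2017 12:40:19 +0000
From:

Your Webmail Edu account certificate expired on 05.08.2017, it may
interrupt your email delivery configuration. To re-new your webmail
certificate, please update your records per link below.
hxxp://helpdesk1.example.net/
"""

if __name__ == "__main__":
    for name, sample in (("Example 198", SAMPLE_198), ("Example 197", SAMPLE_197)):
        print(name)
        for finding, detail in triage(sample):
            print(f"  {finding}: {detail}")
```

Run it against a message saved as .eml with triage(open(path).read()). The registered-domain check is deliberately crude (last two labels), so senders under suffixes like co.uk need a public-suffix list, and a message that raises no findings can still be a phish; that is why the last step stays “report it to phishing@umn.edu”.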

Tuesday, April 18, 2017

Advisory: BBB Scam Tracker

The Better Business Bureau maintains an information and reporting tool for scams at https://www.bbb.org/scamtracker



Spot a business or offer that sounds like an illegal scheme or fraud? Tell the BBB about it. Help investigate and warn others by reporting what you know.