BreachExchange mailing list archives

Malware threatens small businesses’ data, livelihood

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Jan 2014 17:05:04 -0700

http://www.buffalonews.com/city-region/malware-threatens-small-businesses-data-livelhood-20140123

The first thing Mark Wilson noticed was a drag on the computer system that
he and five others used at his company.

“Everything was just crawling,” said Wilson, president and co-owner of Apex
Cary Insurance in Apex, N.C.

Wilson called Raleigh, N.C.-based Petronella Technology Group, which asked
if he noticed anything like a ransom note.

Sure enough, Wilson found a pop-up on one of the monitors asking for $300
in exchange for a key that would unscramble all of the business’s files
that it had encrypted.

Wilson’s company had been hit by ransomware, which is a form of malware –
or malicious software – that infects a computer and its connected systems,
and then demands a payment. The attackers are likely criminal organizations
based in Russia and Eastern Europe.

The company’s digital files had been scrambled by CryptoLocker, a version
of ransomware that first appeared in September. It has since infected about
25 million systems across the globe, about 70 percent of which are in the
U.S., according to Keith Jarvis, senior security researcher with the Dell
SecureWorks Counter Threat Unit.

CryptoLocker appears to be spreading through emails that lure victims into
opening them, according to a November alert issued by the U.S. Department
of Homeland Security’s Computer Emergency Readiness Team.

The CryptoLocker infections offer a glimpse into criminal organizations
that work together, using the Internet to gain personal information in
order to sell it or use it to steal from bank accounts.

Ransomware has been around for years, but untraceable and unregulated
virtual currencies have fueled increasing attacks, according to a McAfee
Labs report on 2014 threat predictions.

Defense options, the report and experts said, include not opening
suspicious emails and keeping antivirus software and patches current. An
effective computer file backup structure will also minimize risk.

Dell researchers, Jarvis said, have observed CryptoLocker being
distributed by cyber criminals working together to mine personal data
using different malware, such as botnets – networks of infected machines
that communicate with the cyber criminals controlling them.

Gameover Zeus, one of the most notorious and sophisticated botnets involved
in online banking fraud, is distributed by the Cutwail spam botnet, which
uses email attachments to lure users. After an attachment has been opened,
Upatre malware downloads and then executes Gameover Zeus, which brings in
other malware families, including CryptoLocker.

Dell SecureWorks has seen variants of Zeus go after small and medium
businesses because they are usually less secure, said Elizabeth Clarke, a
spokesperson for Dell SecureWorks.

CryptoLocker victims should take an inventory of their files and have
off-site backups available to recover infected data. It’s easy to remove
CryptoLocker, Jarvis said, but the machine could still be hosting Gameover
Zeus and other malware.

“Everything on the machine is suspect,” he said. Infected equipment should
be taken to a professional, who can reinstall the operating system from a
clean source.

Craig Petronella, president of Petronella Technology Group, has seen three
small businesses hit with CryptoLocker since October, and each company
has spent about $300 to save its data.

Petronella learned about CryptoLocker after Jerry Hall, who owns Total
Systems Heating & Cooling in Spring Lake with his wife, Brenda, shared his
concerns about a pop-up on his computer.

Petronella got into the Halls’ computer system and found instructions for
making a payment. The pop-up also gave a deadline after which CryptoLocker
would permanently encrypt all of the Halls’ files.

“It’s a ticking timer,” Petronella said. “And it’s counting down.”

FBI spokeswoman Jenny Shearer wrote in an email that they advise against
paying the ransom. Jarvis and Clarke agreed, pointing out that people are
funding criminal organizations.

“Sometimes people have their back against the wall, and it is the data for
their company for the last 10 years,” Jarvis said.

The Halls used USB hard drives as a backup system, Petronella said, which
were also infected by CryptoLocker because they were connected to the
company’s server.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 