Petya ransomware, worse than Cryptolocker: it tries to make the whole drive unreadable or, failing that, encrypts most of your files.


This Petya ransomware overwrites the Master Boot Record (MBR) and encrypts the disk's file table, leaving the hard disk unbootable and its contents unreachable. If that fails, it runs a file-encrypting program instead.

Petya is an unusual ransomware threat that first appeared on security researchers' radar in March. Instead of encrypting a user's files directly, it encrypts the master file table (MFT) that NTFS partitions use to record file names, sizes and locations on the physical disk; without the MFT the file contents are still on the disk, but the operating system can no longer find them.

Before encrypting the MFT, Petya replaces the computer's master boot record (MBR), the first sector of the disk, which holds the code that starts the operating system's bootloader. Petya substitutes its own code, which displays the ransom note and leaves the computer unable to boot Windows.

However, to overwrite the MBR the malware needs administrator privileges. It simply asks for them: the installer triggers a User Account Control (UAC) prompt, and the MBR attack proceeds only if the user clicks through it.

In earlier versions, if Petya failed to obtain administrator privileges it stopped the infection routine. The latest variant instead installs a second ransomware program, dubbed Mischa, which encrypts the user's files directly, an operation that needs no special privileges because the logged-in user can already write to those files.
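The MBR that Petya overwrites has a fixed, well-known layout: boot code in bytes 0-445, four 16-byte partition entries from offset 446, and the 0x55AA signature at bytes 510-511. The following is an added example, not code from the original post or from any analysis of Petya, that parses a 512-byte sector and compares its boot code against a SHA-256 baseline recorded while the machine was healthy; the function names (`check_mbr`, `demo` and so on) and the sample sectors built in `demo()` are my own constructions, not captured data.

```python
"""Parse a 512-byte master boot record and compare its boot code against a
known-good baseline.

Added example, not code from the original post or from any analysis of Petya.
Petya overwrites the MBR boot code, so a SHA-256 of bytes 0-445 recorded while
the machine is healthy will differ afterwards. The MBR layout used here (boot
code, four 16-byte partition entries at offset 446, 0x55AA signature at 510) is
the standard one; the sample sectors in demo() are constructed, not captured."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (what Petya replaces)
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY, sector, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a sector to a baseline; any entry in 'findings' warrants a look."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_hash(sector)
    if digest != baseline_hash:
        findings.append("boot code differs from baseline")
    partitions = parse_partition_table(sector)
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    return {"boot_code_sha256": digest, "partitions": partitions, "findings": findings}


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a disk. Needs administrator rights on Windows
    (the same privilege Petya asks for via UAC); use e.g. /dev/sda as root on
    Linux. Not called by demo(), which works on constructed sectors only."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Placeholder boot code for the samples; not the real Windows or Petya code.
GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
TAMPERED_BOOT_CODE = b"\xEB\x4E\x90" + b"\xCC" * 36


def demo() -> tuple:
    """Baseline a healthy sector, then check it and a tampered copy against that baseline."""
    healthy = build_sample_mbr(GOOD_BOOT_CODE)
    baseline = boot_code_hash(healthy)  # record this on a known-good system
    tampered = build_sample_mbr(TAMPERED_BOOT_CODE)
    return check_mbr(healthy, baseline), check_mbr(tampered, baseline)


if __name__ == "__main__":
    ok, bad = demo()
    print("healthy :", ok["findings"] or "no findings", ok["partitions"])
    print("tampered:", bad["findings"])
```

Record the baseline on a machine you trust and take it again after any legitimate bootloader change (an OS upgrade or a bootloader repair), otherwise the comparison produces false alarms. On UEFI systems with GPT disks the first sector is only a protective MBR and is not what boots the machine, so the check is most meaningful on BIOS/MBR-booted Windows, which is what Petya targets. It is also an after-the-fact indicator: the control that actually stops the MBR stage is declining the UAC prompt.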

The ransom Mischa currently asks is approximately 2 bitcoins, around US$900 at the time of writing.

Another thing that sets Mischa apart is that it encrypts executable (.EXE) files in addition to the documents, pictures, videos and other user-generated files typically targeted by ransomware programs. This can leave installed programs, and the OS itself, non-functional, which makes it harder to pay the ransom from the affected system.

The installer for the Petya-Mischa combination is distributed via spam emails that pose as job applications.
These emails contain a link to an online file-storage service hosting a picture of the supposed applicant and a malicious executable file that masquerades as a PDF document.

If the fake PDF is downloaded and run, it first tries to install Petya; if that fails (for instance because the UAC prompt is declined), it installs Mischa instead.
There is currently no known way to restore files encrypted by Mischa without paying the ransom.



Are you travelling, staying in a hotel or using public Wi-Fi? 'Darkhotel' downloads information-stealing malware.

There have been a number of articles and warnings about executives being hacked over shared Wi-Fi, including in luxury hotels, especially in the APAC region.

Dubbed 'Darkhotel' by Kaspersky, the attackers infiltrate luxury hotels' Wi-Fi networks to steal sensitive corporate data from travelling executives.

Targeted businesspeople connect to the hotel Wi-Fi and are prompted to download fake updates for programs such as Google Toolbar, Adobe Flash and Windows Messenger. Once run, the fake update installs a backdoor, which in turn drops an advanced keylogger, an information-stealing module and the Trojan 'Karba'.

Once installed, these components search the machine for private information, cached passwords and login credentials. When the attackers have what they want, they delete their tools from the system to avoid raising suspicion.

A representative from Kaspersky said the attackers have “operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision”.

The malware is also spread through peer-to-peer and file-sharing networks. It is estimated that Darkhotel has been downloaded over 30,000 times in the last six months.

To date, the majority of these infections were identified in Japan, Taiwan, Russia, China and Hong Kong.

Kaspersky principal security researcher, Kurt Baumgartner, said these attacks are becoming more common: “Targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

To avoid these attacks:

1. Never install or accept software you are not sure about. A software update offered to you as soon as you join a hotel network is exactly how this attack starts; if in doubt, call Sterling IT and we will quickly confirm whether the application or pop-up is legitimate.

2. Use a mobile-carrier connection, such as a Vodafone, Telstra or Optus 3G/4G USB modem or pocket Wi-Fi, instead of shared services.

3. Ensure your antivirus is up to date.

4. NEVER open unexpected emails that contain links or attachments.


Cryptolocker attack but removed and all data recovered with zero data loss

Attack of one of the worst Trojans around.

Last week, for the very first time, one of Sterling IT's customers was attacked with the Cryptolocker virus.

When we received the alert and then found that the client couldn't access files, we thought it was just a corruption. Upon inspection, most files had been renamed with .encrypted at the end, and an HTML file explained that a ransom had to be paid to recover all the emails.

Sterling IT went into Disaster Recovery Mode (SITDR) and we were able to save the client from any data loss, even though EVERY file on one user's PC plus most shares on the server were affected, because this user was in the management and accounts security groups and shares. Using Shadow Protect and our monitoring systems, we were able to lock down the network, recover all files from DR backups and get the client back up and running.

It was first noticed because of Dropbox. As this company uses Dropbox for some business applications, and the infected user also had Dropbox access, ALL FILES were deleted. The only savior was that one of the PCs was backed up locally, and the files were recovered from there. (We recommend using a private sharing app such as Synology synocloud rather than Dropbox, as you have full control and it is a PRIVATE CLOUD.)
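The two things that gave the infection away above, a folder full of files renamed with a .encrypted suffix and an HTML ransom note beside them, are simple to sweep a file share for. The following is an added example, not Sterling IT's monitoring tooling or anything from the original post: it walks a share and flags folders where renamed files pile up or a ransom note appears. The ".encrypted" suffix is the one the post reports; the keyword heuristic for the note, the per-folder threshold and the sample folder layout built in `demo()` are assumptions constructed for this illustration.

```python
"""Sweep a file share for the two indicators described above: many files renamed
with a ransomware suffix and an HTML ransom note dropped beside them.

Added example, not Sterling IT's monitoring tooling. The ".encrypted" suffix is the
one the post reports; the ransom-note heuristic, the per-folder threshold and the
sample folder layout in demo() are assumptions constructed for this illustration."""
import os
import tempfile
from collections import defaultdict

RANSOM_SUFFIXES = (".encrypted",)                 # suffix seen in the incident above
NOTE_KEYWORDS = ("ransom", "bitcoin", "decrypt")  # assumed wording of a ransom note
NOTE_EXTENSIONS = (".html", ".htm", ".txt")


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic: an HTML/text file mentioning at least two ransom keywords."""
    if not path.lower().endswith(NOTE_EXTENSIONS):
        return False
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as f:
            text = f.read(65536).lower()
    except OSError:
        return False
    return sum(1 for kw in NOTE_KEYWORDS if kw in text) >= 2


def scan_share(root: str, suffixes=RANSOM_SUFFIXES, threshold: int = 5) -> dict:
    """Walk a share; report folders with >= threshold renamed files and any notes.

    A single renamed file is noise; a folder full of them, or a note, is an alert.
    """
    per_dir = defaultdict(int)
    notes = []
    total = 0
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(suffixes):
                per_dir[dirpath] += 1
                total += 1
            elif looks_like_ransom_note(full):
                notes.append(full)
    hot = {d: n for d, n in per_dir.items() if n >= threshold}
    return {
        "encrypted_total": total,
        "hot_directories": hot,
        "ransom_notes": notes,
        "alert": bool(hot) or bool(notes),
    }


def build_sample_share(base: str) -> None:
    """Constructed fixture: an 'Accounts' share hit by the malware and a mostly clean 'Public' one."""
    accounts = os.path.join(base, "Accounts")
    public = os.path.join(base, "Public")
    os.makedirs(accounts)
    os.makedirs(public)
    for i in range(6):  # six documents renamed by the malware
        with open(os.path.join(accounts, f"invoice_{i}.xlsx.encrypted"), "wb") as f:
            f.write(os.urandom(64))
    with open(os.path.join(accounts, "HOW_TO_RECOVER.html"), "w") as f:
        f.write("<html><body>Your files are encrypted. Pay the ransom in bitcoin "
                "to receive the decrypt key.</body></html>")
    with open(os.path.join(public, "notes.txt"), "w") as f:
        f.write("Lunch menu for Friday")  # ordinary file, no ransom keywords
    with open(os.path.join(public, "old_backup.zip.encrypted"), "wb") as f:
        f.write(b"\x00")  # one stray file: below threshold, not an alert on its own


def demo() -> dict:
    """Build the constructed share in a temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="share_scan_")
    build_sample_share(base)
    return scan_share(base)


if __name__ == "__main__":
    result = demo()
    print("ALERT" if result["alert"] else "clean", result)
```

Run this on a schedule against the server shares (or hook the same logic into the file-server monitoring) and it catches the pattern described above early, while it is still one folder rather than every share the user can write to. The threshold keeps a lone mis-named file from paging anyone; the note check catches the case where the malware uses a suffix you did not list.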

How did this all happen?

Simple: by opening an email carrying the Trojan. You might also ask what protection mechanisms we had in place.

First and foremost, the client had recently moved to Microsoft Office 365. We would have thought that Microsoft's anti-spam and antivirus might have picked this up as the first line of defense, but obviously it didn't. The second line of defense was a Fortigate firewall with antivirus scanning, which has been a great defense in general. And thirdly, antivirus and a firewall on the desktop.

Even with ALL these defenses, the Trojan still got through.

We have many clients sending us emails daily asking IS THIS SAFE? This is what we are here for: to help and protect our clients. It's FREE and QUICK!

REMEMBER:
PLEASE DO NOT CLICK ON EMAILS YOU DON'T RECOGNISE OR WERE NOT EXPECTING.
IF UNSURE, CONTACT STERLING IT.