A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are some good reports regarding Locky ransomware already available over the Internet. This blog intends to focus on some technical areas that (we believe) have not been covered yet, namely, its domain generation algorithm, command and control communication, and file encryption.

For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space): Click Here To Read The Rest Of The Article

UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate UDP packets using scripts.

DNS uses UDP primarily and under some circumstances uses TCP. Because, the usage of UDP/DNS protocol is extremely popular as a DDoS tool.

Since DNS is a critically important protocol upon which the Internet is based, its availability is of utmost importance. To deny the availability, a malicious attacker sends spoofed requests to open DNS resolvers that allow recursion. There are millions of open DNS resolvers on the Internet including many home gateways. The open DNS resolver processes these requests as valid and then returns the DNS replies to the spoofed recipient (i.e., the victim). When the number of requests is large, the resolvers could potentially generate a large flood of DNS replies. This is known as an amplification attack because this method takes advantage of misconfigured DNS resolvers to turn a small DNS query into a much larger payload directed at the target. In yet another type of attacks, unsolicted or anomalous queries may be sent to the DNS servers. Click Here To Continue Reading

“Houston, we have a problem.” This is not news to healthcare organizations, whether they are in Houston, Boston, St. Louis or San Francisco. 2015 was a banner year in healthcare, for all the wrong reasons. The increasing number of attacks on healthcare systems exposed security shortcomings: many unsecured attack vectors, compromised sensitive data and the possibility of catastrophic consequences.

2016 will bring more of the same. Healthcare organizations must speed up their security efforts to avoid putting their patients, and themselves, at risk. There were multiple data breaches in 2015—Anthem and Premera among them—as well as a well-publicized ransomware attack on Hollywood Presbyterian Medical Center. 2016 will continue those trends. In fact, the Hollywood Presbyterian attack could have been the proving ground forthat ransomware, which may be put into larger, more costly attacks in 2016.

Fortunately, there is growing recognition among healthcare leaders that security needs to be at the top of their “must do” list. Firewalls are no longer enough to protect patient information. The expansion of the Internet of Medical Things has resulted in a borderless network perimeter. There are devices in use in multiple locations that must be secured, including: Continue Reading This Article

We have all embraced online searching and shopping. The days of driving around town to compare costs or referring to the most current newspaper advertisement for a bargain have long gone. Today’s consumer reaches out via the Internet on a variety of devices to check product reviews, find discount coupons, locate attractions, and read email sales notices from their favorite companies. Click Here To Continue Reading

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants.

However, the last few weeks saw a shift in Nemucod variants–it now has a code to drop ransomware from its body. The sample arrives via a typical Nemucod spam with encrypted JavaScript attachment.

Upon decrypting the JavaScript, we can see that it attempts to download a file on the user’s temporary directory from compromised websites. The downloaded file is an executable file that is later on used to encrypt the user’s files: Click Here To Read The Rest of The Article

Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family, on a third party marketplace.

Figure 1: Part of SherlockDroid report. Android/BadMirror sample found as suspicious

The malware is an application whose name translated to “Phone Mirror”. Because it is malicious, we have dubbed it ‘BadMirror‘.  Click here to continue reading article

It’s been over two weeks since we reported about Locky and predicted that it will be a major player in the ransomware scene. We decided to check our Intrusion Prevention System (IPS) telemetry statistics for CryptoWall, TeslaCrypt and Locky two weeks after (Feb 17^th to March 2^nd) to see how Locky is doing and where it sits compared to its more seasoned counterparts.

While the statistics cover a short timeframe, it does give some insights not only on Locky’s early operations but also on how these three major ransomware families are affecting users on a global scale, which we intend to share in this post.

In total, we collected over 18.6 million hits from CryptoWall, TeslaCrypt and Locky C&C communications. It is important to consider that when analysing IPS hits, malware may communicate to its C&C server multiple times. In this case, analysing the ratios of these numbers provide more meaningful results. Click here to continue reading article