Report Shows Small Percentage Of Employees Know About Ransomware

The statistics are alarming. Ransomware is fast becoming the favored tool of hackers worldwide. Barely a week goes by without a new strain being released into the wild, with expensive, and often tragic, consequences. Right now, the average amount paid by office workers impacted by a ransomware attack is $1400, a figure that continues to creep higher.

What’s perhaps even more alarming is that, although companies the world over have made a concerted effort to sound the alarm about the danger this type of software represents, no more than 30 percent of knowledge workers have any real understanding of the dangers ransomware poses, according to Intermedia’s 2017 Data Vulnerability Report.

One of the report’s more curious findings is that employees shoulder the cost of ransomware payments more often than employers do: fully 59 percent of impacted employees paid the ransom out of their own pockets.

Unfortunately, small and medium-sized businesses are particularly vulnerable to this large and growing threat. Jonathan Levine, Intermedia’s CTO, had this to say on the topic:

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat. This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must afford, and hackers realize this.”

Worst and most distressing of all, 19 percent of the time the files are never unlocked even when the ransom is paid, which makes payment a bad gamble. If you run a company of any size, make sure your employees, from top to bottom, fully appreciate the threat this attack vector poses.

Known WordPress Malware Is Back For Second Round

This past summer, an Italian security researcher named Manuel D’Orso discovered a nasty malware attack aimed at WordPress sites.

Dubbed “Wp-Ved,” after the name of the .php file carrying the malicious payload, the attack was relatively small in scope and scale, with a few scattered infections starting in the summer and continuing sporadically to this day.

Apparently, the hackers behind the code learned what they needed to, and an updated variant of the malware has recently been spotted in the wild.

The malware is not subtle. It doesn’t try to hide what it’s doing in the least. It simply injects malicious code into legitimate files, focusing on old WordPress default themes such as “Twentyfifteen” and “Twentysixteen.”

Once the code is in place, it quickly creates a new Admin user named “100010010,” which gives the hackers a backdoor they can use to launch other scripted attacks at their discretion.

Again, because the code makes no attempt at concealment, any user running any sort of web application firewall (WAF) would be completely immune to this type of attack, as the WAF would spot it immediately and shut it down before it could do any damage. Sadly, a significant percentage of webmasters running WordPress sites don’t take advantage of this sort of protection.

Although this isn’t a large-scale, coordinated attack, given the sheer number of WordPress sites on the web, it’s something to be mindful of. As to the damage the hackers could cause if you are infected, unfortunately, the sky’s the limit. Once they’ve got an Admin-level backdoor to work with, there’s not much they couldn’t do, so if you run a WordPress-based site, it’s worth your time to check whether you’ve been infected. If you have, you’re sitting on a ticking time bomb.

As to how you can protect yourself, the first step is, of course, to delete the files containing the malicious code.

Once that’s done, disable and delete the rogue Admin account, and, if one is available to you, put a web application firewall in place so that you can avoid any further problems with Wp-Ved.
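The two clean-up steps above (find the injected theme files, then remove the rogue Admin account) can be scripted as an audit before anything is deleted by hand. The following is an added example, not code from the article or from the WordPress project. It walks a theme directory for PHP files that either carry the assumed payload file name `wp-ved.php` (the article says the malware is named after its .php file but does not spell out the file name, so that name is an assumption) or contain a generic obfuscated-PHP marker, and it queries the WordPress `wp_users`/`wp_usermeta` tables for administrator accounts that are not on an allow-list. The theme tree, the user rows and the marker pattern are constructed for the demonstration, and sqlite3 stands in for MySQL so the script runs offline.

```python
import os
import re
import sqlite3
import tempfile

# Indicator from the article: the login of the Admin user the malware creates.
ROGUE_ADMIN_LOGIN = "100010010"
# Assumption: the payload file is named after the malware itself.
SUSPECT_FILENAMES = {"wp-ved.php"}
# Assumed generic marker of obfuscated PHP; extend the list for your own site.
INJECTION_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
]


def find_suspicious_theme_files(theme_root):
    """Step 1: theme-relative paths of PHP files that look injected."""
    hits = []
    for dirpath, _dirs, files in os.walk(theme_root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, theme_root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                body = fh.read()
            if name.lower() in SUSPECT_FILENAMES or any(p.search(body) for p in INJECTION_PATTERNS):
                hits.append(rel)
    return sorted(hits)


def find_unexpected_admins(conn, allowed_logins):
    """Step 2a: administrator logins that are not on the allow-list.

    WordPress keeps roles in wp_usermeta under meta_key 'wp_capabilities' as a
    serialized PHP array, e.g. a:1:{s:13:"administrator";b:1;}. The default
    'wp_' table prefix is hard-coded here; read it from wp-config.php on a real site.
    """
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE ?",
        ('%"administrator"%',),
    ).fetchall()
    return sorted(login for (login,) in rows if login not in allowed_logins)


def remove_user(conn, login):
    """Step 2b: delete one user and its metadata rows; returns the number of rows removed."""
    row = conn.execute("SELECT ID FROM wp_users WHERE user_login = ?", (login,)).fetchone()
    if row is None:
        return 0
    removed = conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", row).rowcount
    removed += conn.execute("DELETE FROM wp_users WHERE ID = ?", row).rowcount
    conn.commit()
    return removed


def build_demo():
    """Constructed fixture: a fake theme tree plus an in-memory users database."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    demo_files = {
        "twentysixteen/functions.php": b"<?php\nadd_action('init', 'theme_setup');\n",  # clean file
        "twentyfifteen/functions.php": b"<?php\n@eval(base64_decode('PLACEHOLDER'));\n",  # constructed marker
        "twentyfifteen/wp-ved.php": b"<?php // constructed stand-in for the payload file\n",
    }
    for rel, body in demo_files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);"
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, "
        "meta_key TEXT, meta_value TEXT);"
    )
    admin = 'a:1:{s:13:"administrator";b:1;}'
    editor = 'a:1:{s:6:"editor";b:1;}'
    for uid, login, caps in [(1, "siteowner", admin), (2, "editor", editor), (3, ROGUE_ADMIN_LOGIN, admin)]:
        conn.execute("INSERT INTO wp_users VALUES (?, ?)", (uid, login))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                     (uid, "wp_capabilities", caps))
    conn.commit()
    return root, conn


if __name__ == "__main__":
    root, conn = build_demo()
    print("suspicious theme files:", find_suspicious_theme_files(root))
    for login in find_unexpected_admins(conn, allowed_logins={"siteowner"}):
        print(f"removing rogue admin {login}: {remove_user(conn, login)} rows")
```

Run it against a copy of the database rather than the live one, and confirm any file flagged by the pattern list by hand before deleting it, since a legitimate plugin can also call the functions the marker looks for. On a real site, prefer removing the account through WordPress itself (the Users screen, or `wp user delete` in WP-CLI), which reassigns the account's posts; the raw `DELETE` here does not.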

The WordPress community is, on the whole, quite good at rooting out malware designed to work against the platform. However, this is certainly not the first such campaign to get past the active community’s defenses, nor will it be the last.

Just recently, for example, security researchers found vulnerabilities in two of the platform’s most popular plugins, Yoast SEO and Formidable Forms.

The Yoast flaw has been patched as of version 5.8 of the plugin, so if you use Yoast, be sure you’re running the most up-to-date version.

The bug in the Formidable Forms plugin was patched in version 2.05.02 and higher, so again, if you’re using this plugin on your website, be sure you’ve got the latest and greatest installed.

FBI Advises Users To Reboot Their Routers

Cisco’s Talos security team has identified a new threat, and it’s a nasty one, impacting more than half a million consumer-grade routers in the US. According to the Talos team’s report, the new malware affects a broad cross-section of routers made by TP-Link, QNAP, Netgear, Mikrotik, and Linksys.

Known as “VPNFilter,” the malware currently infecting routers appears to be the first stage of a multi-phase attack, with this first stage allowing the hackers to collect a wide range of communications data and conscript the device into launching attacks on others. The code also contains a kill command that allows the hackers to destroy the device at will.

The FBI has already taken swift action, seizing a domain the hackers used to deliver the later stages of the attack. The Bureau reports that the primary and secondary means of further infection have been dismantled. It also reports, however, that the hackers still have a fallback method of infection, which relies on sending “poisoned” data packets to each infected device.

Based on an evaluation of the code and the presence of redundant mechanisms for delivering the later stages of the infection, the malware has been traced to a Russian hacking group with deep ties to the Russian government. The group is known by a variety of names, including Fancy Bear, Sofacy, APT 28, and Pawn Storm.

On the heels of seizing the domain, the FBI released a statement that includes:

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”