
Ransomware attack hits UCalgary as CryptXXX devs up their game

As the University of Calgary contends with a ransomware attack, the actors behind CryptXXX are rolling out patches and upgrades and attackers are shifting from Angler to Neutrino EK.

The latest institutional victim of a ransomware attack, the University of Calgary, paid $20,000 CDN (about $16,000 U.S.) to resolve an attack that affected the university's systems for 10 days. University IT staff needed eight days to restore email service, though a university official said the damage was limited.

"UCalgary IT teams have been working around the clock to address systems issues caused by the attack, and regular updates have been provided to the campus community," Linda Dalgetty, vice-president of finance and services at University of Calgary, wrote in a statement. "There is no indication that any personal or other university data was released to the public."

"The university is now in the process of assessing and evaluating the decryption keys," Dalgetty wrote. "The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time."

According to Dalgetty, the university is working with cybersecurity experts in the wake of the ransomware attack, and as it was a criminal act they have also called on the Calgary Police Service to help with the investigation. "As this is an active investigation, we are not able to provide further details on the nature of the attack, specific actions taken to address it, or how or if decryption keys will be used."

CryptXXX ransomware devs spiff up their malware

Meanwhile, developers of the popular CryptXXX ransomware have apparently stepped up their game. Researchers tracking CryptXXX and its frequent updates reported seeing version 3.100 used in ransomware attacks in the wild. The latest upgrade adds new features, including the ability to find shared resources on a network, list all files in shared directories and encrypt those shared files.

"This new round of updates means that even if users are able to decrypt their files, whether through an updated third-party tool or by paying the ransom, CryptXXX can still cause significant downtime by encrypting files on network shares," wrote researchers at Proofpoint Inc., the Sunnyvale, Calif. cybersecurity firm.

"CryptXXX has become quite widespread, especially with a number of TeslaCrypt actors shifting operations to CryptXXX recently," Proofpoint wrote, noting that "the actors behind CryptXXX have continued to rapidly refine the ransomware with updates to encryption, scanning for network shares, cosmetic updates, and updates to lock screen behavior. Because CryptXXX also includes robust information-stealing capabilities, multilayered network and endpoint protection are also critical to prevent data exfiltration in case of infection. CryptXXX updates have appeared very quickly over the last month and, without an available decryption tool, users and organizations must focus on detection and prevention."

Shortly after the latest beefed-up version of CryptXXX was detected, another researcher discovered ransomware attacks using CryptXXX have apparently moved away from using the Angler exploit kit (EK), replacing it with the Neutrino exploit kit.

Brad Duncan, handler at SANS Internet Storm Center, wrote that "this is not the first time we've seen campaigns associated with ransomware switch between Angler EK and Neutrino EK."

"How can people protect themselves against Neutrino EK? As always, properly administered Windows hosts that follow best security practices (up-to-date applications, latest OS patches, software restriction policies, et cetera) should be protected against this EK threat."

In other news:

  • Cisco and Arbor Networks report that DDoS attacks can comprise up to 10% of internet traffic in a country undergoing such an attack. DDoS attacks increased by 25% in 2015 alone, and went up by more than 2.5 times over the past three years, according to the report, with researchers projecting a further 2.6-fold increase by 2020. "DDoS attacks can represent up to 10% of a country's total internet traffic while they are occurring. The average size of DDoS attacks is increasing steadily and approaching 1 Gbps, enough to take most organizations completely offline. In 2015, the top motivation behind DDoS attacks was criminals demonstrating attack capabilities, with gaming and criminal extortion attempts in second and third place, respectively. DDoS attacks account for more than 5% of all monthly gaming-related traffic and more than 30% of gaming traffic while they are occurring."
  • A coalition of tech firms and rights groups has released an open letter to the Senate, calling out proposed legislation that would allow warrantless access to an expanded range of data related to internet use. The proposed changes to the National Security Letter (NSL) regulations expand the amount and type of data that can be accessed on the strength of an NSL without requiring a warrant. Tech firms signing the letter include Facebook, Google and Yahoo; they were joined by ACLU, Human Rights Watch, EFF and other groups. In their letter, the organizations charge that the proposed expansion of the NSL statute "has been characterized by some government officials as merely fixing a 'typo' in the law. In reality, however, it would dramatically expand the ability of the FBI to get sensitive information about users' online activities without court oversight." They stated further that the changed provision expands the categories of records, known as Electronic Communication Transactional Records (ECTRs), that are accessible to the FBI using NSLs. "Under these proposals, ECTRs would include a host of online information, such as IP addresses, routing and transmission information, session data, and more." According to the letter, the "information that could be collected using an NSL -- and thus without any oversight from a judge -- would paint an incredibly intimate picture of an individual's life. For example, ECTRs could include a person's browsing history, email metadata, location information and the exact date and time a person signs in or out of a particular online account. This information could reveal details about a person's political affiliation, medical conditions, religion, substance abuse history, sexual orientation, and, in spite of the exclusion of cell tower information in the Cornyn amendment, even his or her movements throughout the day."
  • Google is removing support for SSLv3 and RC4 for Gmail -- this time, more gradually, for the IMAP/POP client users. "After June 16, 2016, IMAP and POP clients using SSLv3 or RC4 will gradually no longer be able to connect with Google's mail servers. As a more general reminder, we plan to deprecate SSLv3 and RC4 across all of Google and any other systems relying on these less secure protocols over time. We suggest proactively updating to the recommended standards for TLS clients as a best practice," Google wrote: "Unlike Gmail SMTP, this change will be rolled out as a gradual change, where it may take longer than 30 days for users to be fully restricted from connecting to Gmail from SSLv3 or RC4 connections; however, we recommend updating your clients soon in order to avoid any potential disruption."
  • Cybersecurity firm Fortinet completed its acquisition of network security monitoring and analytics firm AccelOps. Ken Xie, Fortinet founder, chairman of the board and chief executive officer, said: "With the acquisition of AccelOps, Fortinet extends its Security Fabric to address these challenges by combining security and compliance monitoring with advanced analytics for multi-vendor security solutions, enabling automated and actionable security intelligence from IoT to the cloud." According to their supplemental Form 8-K, Fortinet "paid approximately $28 million in cash, subject to certain adjustments, and up to an additional $4 million in cash consideration, subject to future performance."
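For a mail client that talks to Google's IMAP servers, the "recommended standards for TLS clients" Google refers to amount to a TLS configuration that can no longer negotiate SSLv3 or an RC4 suite. The following is an added example, not code from the article or from Google: it builds such a client context in Python and exposes checks that confirm the context offers no RC4 suite and refuses SSLv3. The host name comes from the article; the port and the cipher string are assumptions.

```python
import ssl
import imaplib

# Host named in the article; 993 is the standard IMAPS port (assumption).
GMAIL_IMAP_HOST = "imap.gmail.com"
GMAIL_IMAP_PORT = 993


def make_client_context() -> ssl.SSLContext:
    """Client TLS context that can negotiate neither SSLv3 nor any RC4 suite."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    # Floor the protocol at TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are all refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Strong suites only; RC4 and other legacy ciphers are excluded by name
    # (cipher string is an assumption, not something the article prescribes).
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!DES:!3DES")
    return ctx


def rc4_suites(ctx: ssl.SSLContext) -> list:
    """Names of RC4 suites the context would still offer (empty when hardened)."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


def sslv3_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context's protocol floor still permits an SSLv3 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def connect_gmail_imap(ctx: ssl.SSLContext = None) -> tuple:
    """Open an IMAPS session with the hardened context and report what was
    negotiated as (protocol, cipher_name). Needs network access, so it is
    not exercised offline; the checks above are what a test can run."""
    ctx = ctx or make_client_context()
    conn = imaplib.IMAP4_SSL(GMAIL_IMAP_HOST, GMAIL_IMAP_PORT, ssl_context=ctx)
    try:
        return conn.sock.version(), conn.sock.cipher()[0]
    finally:
        conn.logout()
```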
