The Connection, Inc Blog

The Connection, Inc has been serving the New Jersey area since 1992, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

The SamSam Ransomware Is Absolutely No Joke


The funny thing about ransomware is the strange names its strains are given: Bad Rabbit sounds like the name of a villainous bunny who gets his comeuppance in some type of modern nursery rhyme, not malware that would ravage hundreds of European businesses. Locky seems like the son of Candado de seguridad, a character Medeco would come up with to educate kids on proper physical security. The latest in a long line of funny-named ransomware, SamSam, isn’t a pet name for the ferret you perplexingly named Sam; it is one of the worst ransomware strains ever, and it has caught the attention of U.S. federal law enforcement.


Both the Federal Bureau of Investigation and the Department of Homeland Security have issued alerts for the ransomware, also known as MSIL/Samas.A. The alert was issued on December 3, 2018, and outlines an attack on multiple industries, some with crucial infrastructure. The ransomware has been in the news as of late, as two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were indicted by a U.S. grand jury in New Jersey for ransomware attacks on the Colorado Department of Transportation.

The pair is alleged to have victimized over 200 hospitals, businesses, government agencies, and schools in the U.S. and Canada beginning in 2015, extorting over $6 million over that time. In addition to these charges, the two hackers have now been indicted by the state of Georgia on charges that they were behind the ransomware attack that crippled Atlanta’s government in March of 2018. By taking almost 3,800 of the City of Atlanta’s computers hostage, prosecutors state, Mansouri and Savandi have cost the city millions of dollars in consultant fees, downtime, and other costs.

What is SamSam?
SamSam is a privately developed ransomware that is being used to target specific companies selected by the developers. This means that it isn’t just a commodity ransomware, it can’t be found on some type of criminal forum on the dark web, and it isn’t sold as a service like many other forms of ransomware. This is a major problem for any organization that is targeted, as none of the typical endpoint defensive strategies work to stop it.

What’s worse is that once a SamSam strain is used and security vendors publish a report, another SamSam strain is developed. It is thought that this development team includes the two hackers implicated in the Colorado DoT crimes, the Atlanta crimes, and hundreds of other attacks over the past three years.

What Can You Do?
Thus far the SamSam ransomware has entered victims’ networks using exploits in web-facing servers. Like millions of other pieces of malware, it has been deployed as an executable file that is mistakenly unleashed, or through brute-force attacks against the Remote Desktop Protocol. So, while you can lock down your RDP, your best bet is to have a dedicated strategy that:

  • Doesn’t allow unauthorized users to have administrative privileges
  • Limits use of Domain Access accounts to administration tasks
  • Doesn’t provide service accounts for important services
  • Restricts access to critical systems

If you are diligent in your organizational cybersecurity practices, you should be able to conduct business as usual without having to worry about ransomware, SamSam or otherwise. If you are interested in knowing more about SamSam and how to stop it, contact the IT professionals at The Connection, Inc for more information at (732) 291-5938.


ALERT: Over a Million Asus Laptops Could Have Been Hacked


If you own an Asus laptop, there is a chance that a recent update could have installed malware, and we are urging anyone who has an Asus device reach out to us to have it looked at.


65 Bitcoin Ransom Paid by Florida City


65 of any currency doesn’t seem like a lot of money, but when you are dealing in the cryptocurrency Bitcoin, it adds up quickly. One city on Florida’s Atlantic coast is finding that out the hard way after getting hit with ransomware that stymied the ability of the government of the city of 35,000 to function. Let’s take a look at the situation that made the city’s leaders agree to pay hundreds of thousands of dollars to scammers.


Smartphone Malware Is a Serious Threat


We all know how important it is to protect your desktop and laptop computers from malicious threats. Installing antivirus and security software is one of the first steps you take when you get a new computer, and for good reason. An unprotected device is at great risk. With that said, a lot of users don’t think about the threats that target their most-used devices, their smartphones.


Malware and other cybersecurity threats are not a new thing to smartphones and mobile devices, but they don’t tend to get the same attention as threats that target Windows. This might be because, for the most part, mobile device malware is a little less common, or at least a little less intrusive. That doesn’t make it any less of a problem though.

You might also feel a little less at risk simply because of your relationship with your device. Our smartphone is often with us day and night, at work and at home. Combine that with the fact that most users use their smartphones in a sort of echo chamber, and they might not be directly exposed to threats as often as they are on a PC. We’ll get to more on this shortly, but first it’s important to break down the risks based on whether you have an iOS or Android device.

iPhone Malware

Apple may tout iOS as being the safest mobile operating system on the market, but it has never been completely safe. The biggest risks are only a problem for users who have jailbroken iPhones, meaning they ‘hacked’ their own device to allow themselves to bypass Apple’s built-in security restrictions. If you haven’t done that, you are avoiding a lot of risk. The other risk, which is less common, is a more serious one called a zero-day hack. Zero-day hacks target devices that haven’t received a security update after the security update has been released to the public.

The problem with iOS security is that there aren’t a lot of ways to prevent the issue, and you are really at the mercy of Apple to keep your device safe. They certainly want to keep their reputation, so trusting them to do so isn’t unreasonable.

Android Malware

Android is in a different situation. There are a lot more risks for Android devices, simply because there are many different manufacturers making and supporting the operating system. For example, Samsung uses a slightly customized version of Android, and if you have a Galaxy Note 10, you’ll get the latest updates to Android on a different schedule than Google’s Pixel. 

Android is also more open and flexible than iOS, which is why a lot of users prefer Android over iOS. If you want to install an application that hasn’t been vetted by Google, you can. You can also jailbreak an Android device, which, similar to jailbreaking an iPhone, can override some of the built-in security restrictions.

Even installing apps off of the Google Play Store can sometimes lead to malware being installed. Google has had to play cat-and-mouse with app developers to keep threats off the marketplace, but it has become clear that it really comes down to the user being careful with what they install.

That isn’t to say you should abandon Android or restrict your employees from using Android devices to access company email or other apps. Many long-time Android users never experience malware - it depends on how you use your device.

How to Protect Your Smartphone from Malware

Rely on that Echochamber - We mentioned this earlier, but both Android and iOS feature their own app stores. Although Android devices can install applications that aren’t on the Google Play store, most modern devices make it a little harder to do so, or at least add an extra step warning users that it might put their device at risk.

If you don’t jailbreak your phone, and you only install applications that are thoroughly vetted, positively reviewed, and come directly from the Apple App Store or Google Play, you will greatly reduce the risk of infecting your device.

Don’t Get Phished - Many threats these days don’t even rely on infecting a certain device to get things going. Instead, they rely on the end user to slip up and make a mistake. Phishing attacks are a prime example of this. A user will get a legitimate-looking email from a bank, online store, or other common online account and be asked to submit their login credentials. This email is actually spoofed and made to look real, and upon logging in, the password will be sent to a cybercriminal instead.

Install Anti-malware - Most antivirus and anti-malware software providers have Android apps. It’s not a bad idea to have something running on your phone to help protect you.

Establish Device Security Policies - If you are a business owner and your employees use their personal devices to check email, review documents, and communicate for work, it’s a good idea to establish a mobile device policy. You can require users to enable device locking, encryption, and other security features. This gets set up on your network, and when they sign in to their email on their device, their device has to comply with your company’s requirements before they can get access to anything.

We can help you protect your company data, including helping you establish centralized mobile device security policies. If you want to learn more, don’t hesitate to give us a call at (732) 291-5938.


Hit Back Hard Against Malware


The threat landscape is filled with more types of malware than ever. To keep your business’ network running effectively, it’s important to have a strategy to keep malware out. Today, we’ll talk about a few basics you should know to keep your cybersecurity strategy working properly.


Data Security Issues of 2018


Each year there are changes that need to be made in the way that organizations manage their IT security. In 2017, ransomware burst on the scene in full force, and cybersecurity strategies reacted, coming up with fully managed security platforms that remediate issues better and cost organizations far more than they would have spent on IT security just a short time ago. In 2018, the same problems persist, while other developing technologies threaten the natural order of things. Today, we will look at how cybersecurity is being approached in 2018.


Security Threats and Defensive Measures You Can Take


Network security for small businesses is far from simple. There are countless threats out there that want to see your business fall, and it only takes one to see this come to fruition. Unless you take action now to protect your organization, you risk the future of your business. But what is it that businesses need to protect from, and what measures are out there that can accomplish this feat?


A New Perspective on Ransomware


We are going to switch things up a bit and walk you through a retelling of a ransomware attack through the eyes of a business owner. Usually when we talk about these types of threats, we approach it from our perspective and talk about what you should do to prepare and what the threats are, but we wanted to try to show you what an event like this could feel like, for you, in your position, and in your own eyes. We hope that this will raise awareness of how crippling an event like this can be on your company, and we hope you let us know if this perspective helps you, your colleagues, and your staff get a more personal sense of what ransomware can do. Enjoy!


What a day it has been!

Typically, when I have a day like I just had, I wouldn’t sit here and write about it, but since our story is sure to help people, I thought that I should. Besides, my adrenaline is still pumping, and I don’t think I can sleep yet anyway.

The day I had was terrifying but started just like any other. I got through my morning routine and made my way to the office. I even stopped at the shoppe to get coffee. Once I entered the building I knew something was wrong. I had two employees beat me to the office. They were milling around almost aimlessly in the hallway. Before I even reached my desk, I was inundated with bad news.

“We are locked out!”
“What are we supposed to do?”

After getting past my employees into my office, I tried to ascertain what the problem was. It was evident very quickly that we had a major problem on our hands.

@!#?! It’s ransomware! I can’t believe it!

It could only be ransomware.

I wasn’t sure what allowed this to happen. Did one of my staff click on a bad link? Was our network vulnerable from the get go? Since the ransomware had spread onto the network, I could tell that the affected computer had to be used to manage other endpoints, pushing ransomware to all the endpoints the terminal had managed. This is why the computers that were on the network had the same message. This means that it ended up stealing usernames and passwords to open each endpoint and lock down the data on them.

It is during this period that the entity that unleashed this beast on us would look to take as much data as they could. It turned out that my company was using a global password configuration and the ransomware spread throughout our network like wildfire. So, when I was met with the message, I knew exactly what I was dealing with.

I never for a second thought that it would happen to us. Our business doesn’t deal with major financial institutions or medical records, so it would seem to keep us safe from these kinds of security breaches. I guess I’m just the latest person to ask, “why us?”

For those who don’t know, ransomware is any type of malicious application that “kidnaps” the data and holds it for ransom. It can shut down the files of a single computer, or in our experience, it can spread over the network to several endpoints; effectively shutting down operations for long stretches of time. I wanted to share my experience to help you know what to expect if you are one of the unfortunate business owners that have to have all the answers.

Don’t Panic
No matter how prepared you are for something like this, at first, you feel panic. Typically, you are immediately overwhelmed and are left kind of dumbfounded, glancing around the room, looking for answers that aren’t there. Regrettably, if you are doing that, the damage is done and there is nothing you can do about that. Scenarios race by in your head and the more they turn negative, the more the fear builds up in the base of your neck, in your throat, or in the pit of your stomach. You need to stay as calm as you can and begin troubleshooting immediately. The thing about ransomware is you can’t just wait it out. Once that wave of fear subsides, you have to make a measured response, because you likely have people that are on the clock, and an IT infrastructure that is locked down.

After the initial shock, I went to work.


Fighting Ransomware
I learned quickly that there are two main types of ransomware:

  • Locker - Malware that locks the computer or device.
  • Crypto - Malware that encrypts data and files.

The type we were unfortunate enough to encounter was WannaCry, a crypto ransomware that has infected millions of people worldwide by taking advantage of an unpatched Windows vulnerability. As a small business, our technology management was pieced together, but after this event, and all we’ve learned from it, we will definitely be sure to make our staff cognizant of how to avoid situations like this.

For us, we had three machines infected with a variant of WannaCry. The ransomware stated that if we pay $300 in Bitcoin for every machine that was locked, we could get our data back... and the clock was ticking, literally.

At that point, we had three options. We could abandon the machines and buy new ones, we could pay the hackers that had encrypted our data, or, we could attempt to restore our systems.

Part of me wanted nothing more than to just abandon the machines, bust our IT budget for the year and be done with it. We instead decided to try to restore the machines to a prior version, because paying the hackers was never a real option. First of all, any person that could inflict this kind of fresh hell on a small business was not to be trusted; and, I felt if I were to pay the ransom, there was no guarantee that we would a) get our files back; or, b) not get harassed again by the same people.

Since cost was a factor, we reached out to the IT professionals at The Connection, Inc, and they walked us through the process of restoring our terminal and the two machines connected to it. Luckily for us, they had the knowledge and expertise to help us get through this horrible time. We will lose quite a bit of work, but, as of right now, it looks like we are going to come out of this whole thing much better than the majority of companies that have dealt with it.

I know we were lucky. I know we have to try harder. I know we aren’t out of the woods just yet, but I have to thank the people at The Connection, Inc. They really came through for us!

Ransomware attacks are rampant. If your small business isn’t proactive about its network security and if you don’t train your people on what to look for, you could be dealing with a problem that could potentially sink your business. For more information about ransomware, WannaCry, or other threats your organization faces today, call us today at (732) 291-5938.


What the Future Holds for Ransomware


Ransomware is a growing problem for businesses, being one of the most difficult threats to remove from an infrastructure. Not only is it easy to spread, but it is also difficult to avoid. How can your organization prepare for this threat? It starts by being mindful of how ransomware is spread and how your employees react to it, both now and in the future.


Ransomware locks down files on your business’ infrastructure. Through ransomware, it’s easy to cripple a business by limiting access to important information or files located on an infrastructure. If the user fails to pay the ransom, they risk losing their data for good. Even if they do pay the ransom, there’s no guarantee that the hacker will give up the encryption key. The user is presented with a conundrum; pay up for a potential to get your data back or ignore the request and hope for the best.

Ransomware was primarily spread through the use of spam when it was first introduced to the online environment. Hackers would create ransomware campaigns to spread it to as many users as possible, hoping that any number of them would choose to pay up rather than lose access to their precious files. As time went on, however, ransomware came to be used in a more targeted fashion. Rather than claim as many targets as possible, hackers instead chose to go after only those who were most likely to pay up, with spear phishing tactics designed to fool even the most stalwart and mindful user. In many cases, these targeted attempts were made against businesses, which value data more than the average end user might.

These spear phishing attempts are incredibly difficult to identify for the untrained eye, and the amount of damage they could inflict on your company is untold. Your employees need to be able to identify potential ransomware threats. Even the cautious approach might not be enough, however, as the future of ransomware could potentially hold even more dangerous threats. Already, hackers are taking advantage of threats that can be purchased on the online black market, including ransomware threats, vulnerabilities, and even lists of targets. How can a small business protect themselves from such a prominent threat?

It all starts by remaining mindful of security best practices as often as possible. By this, we mean trusting no suspicious message in your inbox without first double-checking any information found in it. If you receive an unsolicited message with an attachment claiming to be a resume, bank statement, shipping information, or anything else that seems out of place, think twice before downloading it. The same can be said for any links that cannot be verified as secured.

Is your business prepared to handle the next generation of ransomware? While we don’t know what the future holds, we know that you can confidently face it with security services from The Connection, Inc. To learn more, reach out to us at (732) 291-5938.


Tip of the Week: Understanding Spyware is the First Step to Preventing It


The term ‘spyware’ has some clearly negative connotations to it, and rightly so. This variety of malicious software can cause no small amount of trouble if left unchecked. What follows is a brief overview of spyware, and what measures you can take to protect yourself and your business from it.


The Most Popular Domains Make the Biggest Targets for Email Spoofing


Let’s say that you receive an email from a software vendor, say, Microsoft. When you are contacted by a major company like this, do you automatically assume that it’s secure, or are you skeptical that it’s a scam? Ordinarily, it might not seem like a big issue, but all it takes is one click on an infected attachment or malicious link to infect your business’s infrastructure.


According to a Swedish cybersecurity firm called Detectify, there are major online domains that are at risk of email spoofing due to misconfigured server settings. Email spoofing is the act of sending a message, while masking the true email address that it comes from. This allows hackers to forge the sender address to suit their needs. Generally speaking, email messages don’t have automatic authentication built into them. This is something that must be configured on the server side of things.

Thankfully, there are ways to properly configure your email server, but unless you’re a hardcore techie, you run the risk of either configuring the system incorrectly, or changing settings that may compromise your security. Yet, it’s still important to keep in mind how the solutions that prevent email spoofing work. Here’s a breakdown of the details:

  • Sender Policy Framework (SPF): This is a record that’s checked alongside the DNS (Domain Name System) record, in order to decide whether or not the server is allowed to send email using the specific domain. SPF uses three identifiers for its messages: softfail (accept the message, but mark it as spam), hardfail (reject the message entirely), and neutral (do nothing and let the message through unhindered).
  • DomainKeys Identified Mail (DKIM): DKIM hashes the body and the header of the email separately, and creates a private key that gets sent with the message. Once the message is received, the key will perform a DNS request to see where the email originated. If everything adds up properly, the message is received.
  • Domain-based Message Authentication Reporting and Conformance (DMARC): DMARC is considered the ideal solution, as it makes use of both SPF and DKIM to identify an email. DMARC’s functions split into three: reject (a full rejection, and the end-user never sees the message), quarantine (the message is stored for your review), and none (allow the message through). The idea is to either identify messages as fraudulent, or provide the system administrators with the ability to review them and make the decision themselves.

You might be wondering why we’re even bringing this up, and it’s because Detectify discovered that, out of the top 500 sites on the Internet, 276 of them can be spoofed. Detectify considers servers that don’t have SPF or DMARC configured correctly to be vulnerable to email spoofing - this includes using no SPF at all, using SPF with softfail only, and using DMARC with action none. Therefore, you need to take measures to ensure that your team knows how best to identify spoofed email domains, and phishing messages in general. If you don’t, you could be placing your business in harm’s way. On top of that, you’ll want to make sure your email server is configured to not allow your email domain to get spoofed.
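The three weak configurations listed above can be checked mechanically from a domain's published TXT records. The following is an added example, not code from Detectify or from this blog: the function names and the sample records are constructed for illustration, no DNS lookup is performed, and reading "softfail only" as softfail without an enforcing DMARC policy is an assumption.

```python
"""Added example: grade SPF and DMARC TXT records against the weak
configurations described above. All records below are constructed samples."""


def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF 'all' mechanism.

    None        -> the domain publishes no SPF record
    'permerror' -> more than one SPF record (receivers treat this as an error)
    'redirect'  -> policy lives in another domain's record (not followed here)
    '-', '~', '?', '+' -> hardfail, softfail, neutral, pass
    """
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return None
    if len(spf) > 1:
        return "permerror"
    terms = [t.lower() for t in spf[0].split()[1:]]
    for term in terms:
        qualifier, mechanism = "+", term      # a bare mechanism means '+'
        if term[0] in "+-~?":
            qualifier, mechanism = term[0], term[1:]
        if mechanism == "all":
            return qualifier
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"
    return "?"  # no 'all' and no redirect: unmatched senders get neutral


def dmarc_policy(txt_records):
    """Return the p= value of the DMARC record found at _dmarc.<domain>, or None."""
    for record in txt_records:
        pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
        tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
        if tags and tags[0] == ("v", "DMARC1"):   # the version tag must come first
            return dict(tags).get("p", "").lower() or None
    return None


def assess(spf_txt, dmarc_txt):
    """List which of the article's three weak configurations apply."""
    spf = spf_all_qualifier(spf_txt)
    dmarc = dmarc_policy(dmarc_txt)
    # Assumption: a softfail SPF record is acceptable when DMARC enforces.
    enforcing = dmarc in ("quarantine", "reject")
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf == "~" and not enforcing:
        findings.append("SPF softfail only")
    if dmarc == "none":
        findings.append("DMARC policy none")
    return findings


# Constructed sample data: (TXT at the domain, TXT at _dmarc.<domain>).
SAMPLES = {
    "no-spf.example": (["site-verification=abc123"], ["v=DMARC1; p=reject"]),
    "softfail.example": (["v=spf1 include:_spf.mail.example ~all"], []),
    "monitor.example": (
        ["v=spf1 mx -all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    ),
    "soft-enforced.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=quarantine"]),
    "strict.example": (["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject;"]),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        findings = assess(spf_txt, dmarc_txt)
        print(f"{domain:24} {', '.join(findings) or 'no weak setting found'}")
```

To grade a real domain, pass in the TXT records returned for the domain itself and for its `_dmarc` subdomain.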

The best way to keep your employees from falling into this trap is by ensuring that you’ve educated them on security best practices, and to limit their exposure to such threats in the first place. This includes taking the time to explain to them how phishing threats and other security discrepancies behave, as well as implementing solutions to keep suspicious messages out of your inbox in the first place.

Your business needs to consider security a top priority, and only The Connection, Inc can help. Reach out to us at (732) 291-5938.


5 Best Practices to Protect Your Business From Ransomware


Ransomware is an online threat that continues to develop and evolve to accommodate the motives of cyber criminals around the world. Ransomware locks down your business’s files and demands a decryption key for their safe return, which makes it difficult (or impossible) to move forward with operations. How can you prevent ransomware from destroying your business’s chances of survival?


Alert: Fake Email Invoices Contain Ransomware

Ransomware is still on the rise, and the Federal Bureau of Investigation has labeled it as one of the biggest dangers to businesses of all kinds. Compared to other methods of spreading malware, ransomware has a unique return on investment that keeps hackers wanting more. One new variant of ransomware uses a phishing attack that’s tailored to your real-world address, which is exceptionally concerning for victims.


Ransomware: A Look at Today’s Worst Cyberthreat

There are many types of malware out there, but few are as scary as ransomware. Imagine being struck by a threat that instantaneously locks down your files and keeps you from accessing them until you pay a certain amount of money. If your business is targeted by ransomware, would you be able to protect it from dragging your operations into a bitter pit of despair?


New Mac-Targeting Ransomware is a Real Bad Apple

Ransomware has been spreading like wildfire over the past few years, but up until very recently, Mac users were spared from this troubling development. Now, security researchers at Palo Alto Networks have discovered what they believe to be the first instance of completed ransomware on an Apple device. As this threat is “in the wild,” Mac users should be wary of it and see it as a potential threat.


Can Your Firewall Protect You From 304 Million Different Kinds of Malware?

Small and medium-sized businesses continue to have problems shoring up their cyber security. Even with the latest solutions, like antivirus and firewalls, they still need to be wary of impending attacks. New threats are created on a daily basis, all of which want to infiltrate your network and cause harm to your business. In fact, 27.3 percent of all malware in the world was created in 2015 alone. Will we ever escape from the clutches of malware?


Alert: Malware Locks Up Your PC and Offers Fake Tech Support Phone Number

There’s an intrusive malware on the Internet that locks a user out of their PC and directs them to a fake IT support phone number. In addition to being inconvenient, it can lead to the theft of sensitive information. If this happens to you, whatever you do, don’t call the fake phone number.


Warning: Malicious Adware Finds New Way to Spread on Android Devices

With many organizations heavily relying on mobile computing, malicious operators have begun targeting the “low-lying fruit” of a business’ IT infrastructure, which is often a company’s mobile devices. Kemoge, a malicious adware strain designed to corrupt Android mobile operating systems, is the latest mobile threat that your business needs to protect itself against.


Criminals Don’t Even Need Malware to Hack You Anymore

One of the primary threats that business networks are trying to protect themselves from is malware. We’re all aware of how much damage a stray piece of malware can inflict on a business, as they can perform functions like lock down files, steal sensitive data, and distribute crippling viruses. In recent developments, studies are showing that malware is now involved in less than half of all reported hacking attacks, and that more sophisticated measures are now being taken to exploit unwary users.


The Coding For Your ATM Shouldn’t Be as Dirty as Its Cash

Malware that targets ATMs isn’t a new concept. After all, ATMs use internal computers that can be hacked just the same as any old workstation. The prime difference is that hacking into an ATM allows for a direct dispensing of cash, rather than some crafty behind-the-scenes action. A new type of ATM malware, titled GreenDispenser, is a cause for concern in Mexico, and could spread to other countries if left unchecked.


The Connection, Inc
51 Village CT
Hazlet, New Jersey 07730