Insights For Success

Strategy, Innovation, Leadership and Security

Malware

GrandCrab Ransomware As A Service (RaaS)

GeneralEdward KiledjianComment
Capture.PNG

What is GrandCrab?

GrandCrab is a successful ransomware that encrypts files on the infected machine and demands payment to decrypt them.

Easy Money

What is you are a horrible human being willing to make gains from the suffering of others but you are lazy. You want to screw other people but don’t want to spend the time setup your own Command and control server? You don’t want to customize the malware to talk to your C2 server?

This is where Ransomware as a Service comes in.

Enter GrandCrab as a Service http://gandcr4cponzb2it.onion/

The offering

The GrandCrab RaaS has two tiers:

  • Standard at $230

  • Premium at $600

Standard Service

  • You can change and customize your ransomware

  • Name of the project

  • Change the demand of ransom

  • A description to help the victim in format .HTML, .PHP

  • You can change the logo, Remove GandCrab logo

  • You can choose the extension for example photo.png.gdb

  • Priority support

  • Automatically updated since the category (Ransom Builder)

  • The victim can pay you in Bitcoin or Dash

  • Withdrawal in Bitcoin or Dash

  • We will touch 10% fees ransom

  • You can add 3 users different free

  • You can create 3 ransomware

  • Victims can you contact by chat directly, you can also ban

  • You will have news about the dashboard

  • Geolocation victims infected

  • Show the IP of the victim

  • Manage the keys of decryption

  • You will be able to manage all the victims since the dashboard

  • With several possibilities

  • You can infected in unlimited

  • You can see the blockchain explorer

  • Spreading automatically without providing any effort or you can also spread manually

  • You will have full access to our forum with the rank Platinum (forum under construction soon available)

  • Victim URL automatically generated in .onion customize your own URL

  • View antivirus report in real time

  • Lifetime license !

  • Theme only white

Premium Service

  • The same features different even more fun

  • You receive 100% of the ransom paid by the victims no commission fees

  • Ransomware automatically updated by our support

  • Victims can you contact by chat directly, you can also ban

  • Spreading automatically without providing any effort or you can also spread manually

  • The victim can pay you in Bitcoin or Dash and Monero !

  • Withdrawal in Bitcoin, Dash, Monero

  • Automatically increases the ransom if no payment of the victim

  • Choose your own delete time

  • Create up to 10 different ransomware

  • You can add 8 users different free

  • Make the ransomware in format .pdf

  • bulletproof hosting, server VPN

  • Priority support by ticket since dashboard

  • Change all the logo, An icon in format .ICO, Remove the gandcrab logo, Add an animated logo in .GIF

  • Manage all the victims since the dashboard

  • You will have a fully functional 2019 tutorial to teach you, In format .pdf .mp4

  • Assignment on multiple computers in seconds from the same WIFI network

  • Undetectable by antivirus update regularly

  • Victim URL automatically generated in .onion customize your own URL

  • You can infected in unlimited

  • Manage the keys of decryption

  • Change the theme ransomware

  • You can see the blockchain explorer

  • Geolocation victims infected

  • You can also see the operating system

  • Show the IP of the victim

  • You will have full access to our forum with the rank Gold (forum under construction soon available)

  • You will have the ransomware source code, contact us from the dashboard with your login only for premium members

  • View antivirus report in real time

  • Crypter fud

  • Lifetime license !

  • Theme dashboard white, black

Conclusion

The conclusion is that security is hard and hackers are learning about the benefits of offering “things as a service” and using cloud to reduce costs. Attacking is become cheaper while protecting our organizations is becoming more costly

Improve your internet security right now, easily and for free

GeneralEdward KiledjianComment
matrix-2953869_1920.jpg

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

Is the Quad9 service fast?


I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

DNS1.png

Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?


They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.

OPSEC - Introduction to Malware

GeneralEdward KiledjianComment
hacked-1734197_1920.jpg

What is malware

Malware is shorthand for Malicious Software and has been around almost from the start of computing. Its main purpose is to harm the computer or the user. Malware has been known to steal login credentials, monitor the user, tamper with information (breaking integrity), steal information or just making the system unusable. 

Malware can be designed by a nefarious teenager in his mother's basement looking to make a name for himself or by a state-sponsored threat actor against activists or journalists.

How can I tell if my computer is infected

The first rule of thumb is to use the Antivirus product that came with your operating system. As an example, all modern Windows systems are shipped with a self-updating antivirus supported by Microsoft. Third party products have been known to cause issues (here, here, etc).

To be transparent, antivirus will detect standard run of the mill type of malware but anything more sophisticated will easily get through. Larger companies with well-funded security teams typically eschew antivirus for more advanced malware detection tools based on a series of technologies like application behaviour monitoring, machine learning, artificial intelligence and system baselining. Unfortunately, these are not yet available for small operations but expect them to eventually make their way there.

So the question of detecting malware on your computer is a difficult one and often requires a highly skilled technician with precise tools that knows what he/she is looking for.  At the very least, use the tools available to you now:

warning I received when someone in Sao Paulo tried to log into my Lastpass account.

warning I received when someone in Sao Paulo tried to log into my Lastpass account.

  • Sign up for services that offer 2-factor authentication (so malware can't log into your account by simply stealing a password) and that will notify you of unusual behaviour (Google, LastPass, etc). 
  • Notice subtle indicators. Pay attention to your computer and look for subtle inconsistencies. Does your webcam light turn on when you are not using it? Does it look like you sent an email you don't remember sending? Does an online service show a login time you know you weren't working?  Pay attention to subtle cues.

How did I get infected?

The most common technique used by threat actors is to trick the user into installing malware pretending to be something else. It can pretend to be a system update. It can pretend to be a holiday card from a family member. It can pretend to be a work file from your boss. It can be a drive-by download where your system is exploited simply by being vulnerable and you visiting a carefully crafted webpage. 

  • Link to a malware site can be disguised as a link to a popular internet site (Apple, Amazon, Microsoft), shared content (a document, holiday card, music file, etc) or a fake system update (flash update, etc).
  • You may be targetted via email. It is common for highly skilled threat actors to compromise the systems of people you trust and use that trust to trick you into running malware, visiting a malware site or performing an action you otherwise would not. Remeber that these are often highly skilled practitioners that understand human psychology and will exploit it as needed. This includes chat apps, email, messages on forums, web pages, etc.
  • You can get infected by connecting purpose-built attack hardware to your computer. We have devices that look normal (like the USB Rubber Ducky from Hak5) but that can run attack code without your knowledge as soon as they are connected to your computer. 
  • Someone can gain physical access to your computer and plant malware without your knowledge. In security we consider it game over if anyone has access to your equipment, This is why companies spend large sums of money physically protecting their servers in isolated access controlled cages inside heavily guarded and secured datacenters. 

The more valuable you are as a target the less likely you are to notice the attack. 

How can I protect myself from malware?

  • Make sure you are running legally registered versions of all the products you use daily. Using legal versions entitles you to the latest updates and every security person will recommend keeping all of your software and operating systems updates regularly. Threat actors will often exploit vulnerabilities that have been patched (aka if you update you are protected). 
  • Only install the software you absolutely need. Remember that every software is a potential attack vector. Install only what you need and only download it from the manufacturer never from a download site like CNET, Download.com, etc (to prevent supply chain attacks like CCleaner.) Many of these download sites make money by bundling garbage apps that get silently installed and these can also be used to attack you.
  • Remember that anything you open or click on can compromise your security. Call a sender before opening a file. Download and scan it first with something like VirusTotal before opening it. Never click on links in email or instant messaging. Always go to the URL yourself (obfuscating a malicious link to look 'good' is easy). If you use Gmail, open questionable attachments in Google docs or sheets as this will often strip the malicious content.
  • Remember that one second of forgetfulness is all it takes. Be extra vigilant when browsing the web. Never run anything on the web. Always know that the web can be faked. Even known sites can be compromised and used to inject malware.
  • When travelling to high-risk areas, I usually travel with a Google Chromebook. It auto updates itself. There are very few known attacks against it. Chromebooks have a feature called Powerwash that factory resets the device image to "like new" within 2 minutes. Often times I will powerwash my device before performing sensitive tasks. Also, data is stored in the Google cloud. Regardless of how you feel about their privacy policies, they have proven to be excellent at protecting their users from targeted attacks. Make sure you turn on 2-factor authentication.
  • Turn off your computer and unplug it from a physical network when not in use.

What can I do if I am infected?

  • The first rule is that if you are infected or even suspect that you are infected, forget about cleaning your device and have it completely reinstalled from scratch using known clean installation media. 
  • If you are infected, immediately unplug your computer from the internet (ethernet or WIFI) and shut down your computer.
  • Use a known clean computer to log into your web services and change all your passwords immediately.  
  • If one of your devices is compromised, and you are a high target, assume all your other devices could be compromised and reinstall everything from scratch including your smartphone.
  • If you have support from a government agency, reach out to them and ask them for support. If you are a journalist or activist, reach out to one of the public security support organizations like the Toronto Citizen Lab
  • If you know when you were infected, make sure you restore files from a date prior to the infection. It is critically important to use a backup service that provides version control (e.g. blackblaze version control). 

How to protect your PC from infection

GeneralEdward KiledjianComment

Think of all the valuable data your PC contains (pictures, files, invoices, contacts, etc). Now imagine losing all of that data Virus' are still a thing but you should be more worried about ransomware, worms and all of the other digital creepy crawlies roaming the net looking to make you their next victim.

Go read my article entitled "How to secure Windows 10".

Backup everything, then back it up again

In 2012, I wrote an article entitled "The best way to protect your data - images, music, documents". The main point is that you should always remember the 3-2-1 rule of backups:

  1. Have 3 copies of all of your important data (1 primary and 2 backups)
  2. Make sure your 2 backups are on separate media technologies (e.g.1 on a hard drive and the other in the cloud or 1 on a hard drive and the other on a tape backup)
  3. 1 of your backups should be offsite in a remote location that would not be impacted by a major disaster that hits your area (e.g. in the cloud).

The advantage of most cloud backups is that they support version control which means if you infect your files with ransomware, you can always go back to  a known good version. My backup strategy involves:

  1. 1 primary version of my data and a local hard drive backup
  2. 1 complete synchronization of my files on a fully encrypted trust no one online storage service
  3. 1 complete backup using a remote backup service (like backblaze or carbonite)

Update everything

WannaCry created an incredibly outcry in the tech world with thousands of companies getting infected in hundreds of countries. The truth is that an update published 2 months prior patched that vulnerability. Updating computers in large companies is complicated but your home PC shouldn't be.

You must must must update your operating system and applications regularly to stay protected.

The latest version of the operating systems from Microsoft, Apple and Ubuntu are all configured to auto-update themselves. In addition to the OS, make sure you periodically check for application updates.

If you use an Apple Macintosh computer, you may even want to use something like MacUpdate Desktop to constantly check if any of your installed apps have updates available.

Leave the built-in firewall on

Some "Security" apps turn off the built in firewall but it is critically important to ensure it is always on. On Windows, you can turn if on/off with these instructions. You can find information about the Apple Mac application firewall here

Use an antivirus

The question I get asked the most often is should I buy a third party antivirus for my home computer and my answer is no. Anytime you add a third party tool, you increase the attack vector therefore rely on what Microsoft bundles with Windows 10. You can follow these instructions to change the Windows Defender Antivirus cloud-protection level to 10.

In February I wrote an article entitled "Companies buying bitcoin to prepare for cyber extortion" and in there included this paragraph:

Companies have started to jump on the Ransomware protection bandwagon. An EDR &”next-generation AV” company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven’t used their product and thus can’t recommend it but it does seem to be useful and could really help the average consumer ensure they don’t end up getting victimized.

You can run something like RansomFree on your home PC in addition to the Windows antivirus. 

Upgrade the fleshware

The truth is that even the best most advanced technology can't prevent an infection if the user does something stupid. Often users are the weakest link the the corporate security chain and you are no different. 

Using good security hygiene will go a long way to protecting you. Basic tips:

  • never open an attachment from a user you do not know well or that you are not expecting
  • never click on a link embedded in an email
  • never install applications from untrusted sources (including torrents or anything pirated)
  • Remember that you can also get infected from a website so use Google Chrome with the the Ublock Origin plug-in

What to do if you get infected?

If a user's PC or Mac does get infected, their first thought is to find someone that can clean it. The truth is that once your PC is infected, it can' really be cleaned properly or trusted. At that point, you must do  a clean re-installation from a known clean source and then recover your files from a known good backup.

Some technical support companies will offer cleanup services but don't do it. Once your PC is infected, you don't know what else could be lurking in the background waiting to strike again. The best course of action is to start fresh.

Hopefully you have backups and everything will work out just fine. If you don't have backups and your files are encrypted by ransomware, you can always check out a free online site called No More Ransom Project and see if they offer a free decryptor for your ransomware. There are no guarantees your infection strain has a decryptor but it doesn't hurt to check.

 

Companies buying bitcoin to prepare for cyber extortion

GeneralEdward KiledjianComment

In an uncertain world where kidnapping for ransom is an all too common occurrence, many hostage negotiators use the no-concession policy. They justify this position by explaining that paying a ransom makes it more likely that the perpetrators will try it again and often times the ransom is used to fund illegal or terrorist organizations.

Although I have seen very little empirical evidence to prove that this no-concesion approach is more desirable than paying the ransom, this mentality was brought into the digital age when cyber-ransoms, cyber-extortions and crypto-malware became prevalent. 

More and more companies though have started to take a different approach and are now prepared to pay ransom in exchange for saving their networks, devices and information. To meet these demands quickly, some companies have started to store bitcoin as a risk mitigation strategy.

Why this change of heart? Many of the most popular well written malware was actually designed to ensure victims could recover their data when the ransom was paid. This attention to detail and solid customer service by the bad guys, means victims are now relatively certain that they will be saved if they pay the ransom. 

Sure paying the ransom means funding organized crime and will likely fuel the next wave of crypto-malware but companies have a duty to protect their organization (rather than take the moral high ground).

This change in mindset is so pronounced that traditional physical K&R (kidnap & ransom) negotiation experts have started to test the cyber-extortion and cyber-ransomware negotiation space. 

True verifiable numbers are hard to find but firms like Recorded Future ( a cyber intelligence company) has stated that it believes the cyber-ransom market has now reached the 1B$ mark. Kaspersky says a company is cyber-attacked every 40 seconds.

Obviously crypto-malware can be counter-acted by proper, regular offline backups but many companies don't start a robust recovery program until it's too late. They either pay the ransom or lose their data. Its that plain and simple.

Right now the advantage is with the attacker. Corporate information security groups have to bat 100% to keep the company safe. This is expensive, time consuming and not always achievable. The attacker just need to infect 1 machine on the network and then can propagate and move laterally from there. 

Companies have started to jump on the Ransomware protection bandwagon. An EDR &"next-generation AV" company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven't used their product and thus can't recommend it but it does seem to be useful and could really help the average consumer ensure they don't end up getting victimized.

It is clear that this malware is written by extremely skilled and determined threat actors. This isn't code written in somebody's basement but rather a professional extortion company with developers, quality assurance and even customer support to ensure a paying customer is taken care of. 

So the question is will your company prepare by buying and storing bitcoin? If you will, how much should you store? that is the new question.