In a letter US senatorsdated December 12 that was released Tuesday, Facebook explained how it is able to estimate users’ locations used to target ads even when they’ve chosen to reject location tracking through their smartphone’s operating system The letter was widely shared on social media Tuesday
The Facebook social network, which was responding to a request for information by two senators, contended that knowing a user’s whereabouts has benefits ranging from showing ads for nearby shops to fighting hackers and battling misinformation.Facebook said that clues for figuring out a user’s location include being tagged in a photo at a specific place or a check-in at a location such as at a restaurant during a dinner with friends.People may share an address for purchases at a shopping section at Facebook, or simply include it in their profile information.

Along with location information shared in posts by users, devices connecting to the internet are given IP addresses and a user’s whereabouts can then be noted.Those addresses include locations, albeit a bit imprecise when it comes to mobile devices linking through telecom services that might only note a town or city.Facebook said knowing a user’s general location helps it and other internet firms to protect accounts by detecting when suspicious login behavior occurs, such as by someone in South America when a user lives in Europe. IP addresses also help companies such as Facebook battle misinformation by showing the general origin of potentially nefarious activity, such as a stream of politically oriented posts which might be aimed at a particular country.

The California Consumer Privacy Act (CCPA) will give internet users the right to see what data big tech companies collect and with whom it is shared.

At the end of October Australia’s consumer watchdog sued Google on Tuesday alleging the technology giant broke consumer law by misleading Android users about how their location data was collected and used. The Australian Competition and Consumer Commission accused Google of collecting information on users’ whereabouts even after they had switched off the location setting.

An Associated Press investigation last year revealed that several Google apps and websites stored user location even if the user had turned off the Location History setting. To stop Google from saving these location markers, users had to turn off another setting, Web and App Activity. That setting, enabled by default, does not specifically reference location information.Google later clarified in a help page how the Location History works, but it didn’t change the location-tracking practice.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules in Europe. Critics say Google’s insistence on tracking its users’ locations stems from its drive to boost advertising revenue. It can charge advertisers more if they want to narrow ad delivery to people who’ve visited certain locations. The Australian commission began proceedings in the Federal Court of Australia alleging Google breached the law through a series of on-screen representations made as users set up Google accounts on their Android phones and tablets.

The AP investigation found that even with Location History turned off, Google stores user location when, for instance, the Google Maps app is opened, or when users conduct Google searches that aren’t related to location. Automated searches of the local weather on some Android phones also store the phone’s whereabouts.

Earlier, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

The Ryuk Ransomware is a data encryption Trojan that was first identified on August 13th, 2018. The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK, Threat actors were reported of infecting organizations in the USA and Germany. Initial analysis suggests the threat was injected in systems through compromised RDP accounts, but it is possible that there is a parallel spam campaign that carries the threat payload as macro-enabled DOCX and PDF files.

Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom. The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. A recent flash update from the FBI revealed that over 100 organizations around the world have been beset by Ryuk

The origins of Ryuk ransomware can be attributed to two criminal entities: Wizard Spider and CryptoTech. The former is the well-known Russian cybercriminal group and operator of TrickBot; the latter is a Russian-speaking organization found selling Hermes 2.1 two months before the $58.5 million cyber heist that victimized the Far Eastern International Bank (FEIB) in Taiwan.

Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans.
Analysis. Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed in a 32-bit or 64-bit OS by using the “IsWow64Process” API a. It also checks the version of the operating system. Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism
Ryuk adds the following registry key so it will execute at every login. It uses the command below to create a registry key:
“”C:\Windows\System32\cmd.exe” /C REG ADD “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “svchos” /t REG_SZ /d “C:\Users\Public\{random-5 char}.exe” /f”

Process injection
Ryuk injects its main code into several remote processes. Ryuk enumerates the process by calling the CreateToolhelp32Snapshot API and injecting its code in all the processes except the ones named explorer.exe, lsaas.exe and csrss.exe, telling it that it should not be executed by the NT AUTHORITY.
Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk. Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions.

Encryption and similarity with Hermes ransomware
Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the files with an AES key. Further, the AES key is encrypted with an embedded public key and is appended at the end of the encrypted file. If all the samples contain the same RSA key pair, then after getting access to one private key, it’s easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the “.RYK” extension and some don’t append any extensions after encrypting the files.
Ryuk has a common feature with Hermes ransomware. During encryption, Ryuk adds a marker in the encrypted file using the keyword “HERMES”.
Ryuk checks for the HERMES marker before encrypting any file to know if it has been already encrypted.

Ryuk encrypts files in every drive and network shared from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab” so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. After completing the encryption, Ryuk creates two files. One is “Public” and contains an RSA public key while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.

Malwarebytes Labs director Adam Kujawa said that, while instances of consumer ransomware infections are down 25 per cent over the last year, attacks on businesses are skyrocketing, up a whopping 235 per cent over the same period.Overall, the numbers would show that ransomware numbers have fallen. After peaking at more than 5.7 million total detections in August of 2018, just over 3 million attacks by lockup malware were detected in June 2019.This is not, because criminals are losing interest in using ransomware. Rather, they are getting a much better return from fewer attempts on higher-value targets: namely, enterprises.

Prior to running any ransomware decryptor – whether it was supplied by a bad actor or by a security company – be sure to back up the encrypted data first. Should the tool not work as expected, you’ll be able to try again Ryuk is a particularly horrible software nasty. It works by finding and encrypting network drives as well as wiping Windows volume snapshots to prevent the use of Windows System Restore points as an easy recovery method.

Whatever the size of your company and whatever industry you’re in, we recommend you follow these best practices to minimize your risk of falling victim to a ransomware attack:
• Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can.
• Protect access rights. Give user accounts and administrators only the access rights they need and nothing more.
• Make regular backups – and keep them offsite where attackers can’t find them. They could be your last line of defense against a six-figure ransom demand.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down your RDP. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Ensure tamper protection is enabled. Ryuk and other ransomware attempt to disable your endpoint protection. Tamper protection is designed to prevent this from happening.
• Educate your team on phishing. Phishing is one of the main delivery mechanisms for ransomware.
• Use anti-ransomware protection
• Ensure tamper protection is enabled. Ryuk and other ransomware attempt to disable your endpoint protection. Tamper protection is designed to prevent this from happening.”

.

Over the last decade when malware exploded from a casual semi-amateur landscape into highly organised criminal operations, capable of generating hundreds of millions of US dollars per year.Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after they’ve infected millions of devices across the globe.

The next couple of years will bring a new range of threats that will take tech security far beyond its traditional boundaries and will require a whole new set of skills and alliances. One example: tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m.

There’s the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely. But there’s also the risk that deepfakes could be added to the toolkits used by phishing gangs. There have already been a few cases of crooks using AI tools to fake the voices of CEOs to trick workers into transferring money to their accounts. The next step would be to create a convincing video of an executive asking for an emergency funds transfer.

If employees are regularly tricked into handing money over to fraudsters on the strength of a bogus email (and they still are), imagine how easy it would be to be fooled by a deepfaked video chat with the CEO instead?

The Internet of Things will greatly increase the number of devices and applications that security teams will have to protect. That’s hard for teams that have used to protecting just PCs and servers to have to worry about everything from smart air-conditioning units or vending machines in the canteen, right through to power plants and industrial machinery.

A new threat has arisen with Snatch ransomware which uses a new trick to bypass antivirus software and encrypt victims’ files without being detected – it relies on rebooting an infected computer into Safe Mode, and to run the ransomware’s file encryption process within Safe mode.The reason is that most antivirus software does not start in Windows Safe Mode, a Windows state that is meant for debugging and recovering a corrupt operating system. Snatch uses a Windows registry key to schedule a Windows service to start in Safe Mode. This service ill run the ransomware in Safe Mode without the risk of being detected by antivirus software, and having its encryption process stopped. Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of most endpoint security tools. Devious! and evil.

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware..

Snatch never targeted home users and was not spread by use of mass-distribution methods like email spam campaigns or browser-based exploit kits — that get a lot of attention from cyber-security firms. Snatch targets a small list of carefully selected companies and public or government organizations.This type of targeting and methodology is known in the cyber-security field as “big-game hunting” and is a strategy that’s been widely adopted by multiple ransomware.
The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from where they can ask for ransom fees that are hundreds of thousands of times bigger.
Ransomware like Ryuk, SamSam, Matrix, BitPaymer, and LockerGoga are big-game hunters.

The group buys their way into a company’s network. Researchers tracked down ads the Snatch team has posted on hacking forums, to recruit partners for their scheme. According to a translation of the ad, the Snatch team was “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies.” the Snatch team will buy access to a hacked network, or work with another hacker to breach a desired company. Once in, they rarely install the ransomware and encrypt files right away. Instead, the Snatch team bide their time and slowly escalate access to internal domain controllers, from where the spread to as many computers on an internal network as possible. To do this, the Snatch crew use legitimate sysadmin tools and penetration testing toolkits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products failed to raise any alarms.

Once the Snatch gang has all the access they need, they add the registry key and Windows service that starts Snatch in Safe Mode on all infected hosts, and force a reboot of all workstations — reboot that begins the file encryption process.Unlike most ransomware gangs who are primarily focused on encrypting files and asking for ransoms, the Snatch crew also engaged in data theft. This makes Snatch cunique and highly dangerous, and companies also stand to lose from their data being sold or leaked online at a later date, even should they pay the ransom fee and decrypted their files. This type of behavior makes Snatch one of today’s most dangerous ransomware strains.

Combing a company’s internal network for files to steal takes time, and a reason why Snatch has not made the same amount of victims as other “big game hunting” strains/gangs. The number of Snatch victims is very small. The only known public case of a Snatch ransomware infection was SmarterASP.NET, a web hosting company that boasted to have around 440,000 customers.

Secure ports and services that are exposed on the internet with either strong passwords or with multi-factor authentication. Snatch may experiment with e.g. VNC, TeamViewer, or SQL injections, so securing a company’s network for these attack points is also a must.

Ask us about our security solutions.

0097143365589

U.S. senators grilled Apple Inc and Facebook Inc executives over their encryption practices on Tuesday and threatened to regulate the technology unless the companies make encrypted user data accessible to law enforcement.

Democrats and Republicans presented united front against encryption that can bloc access to key evidence and stymie investigations.

“You’re going to find a way to do this or we’re going to go do it for you,” said Senator Lindsey Graham. “We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.”

Facebook has been at odds with multiple governments since announcing its plan to extend end-to-end encryption across its messaging services earlier this year. The WhatsApp messaging app is already encrypted. In October, U.S. Attorney General William Barr, and law enforcement chiefs of the United Kingdom, and Australia all called on the world’s biggest social network not to proceed with its plan unless law enforcement officials are given backdoor access.

Facebook rejected that call in a letter signed by WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky which it released along with the company’s written testimony. “The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes,” they wrote. “That is not something we are prepared to do.”