Trend Micro Ransomware File Decryptor Covers a Decent Number of Strains

While not perfect, this is a nice little tool to have in the toolbox just in case. I haven’t tried it personally, but it is said to decrypt files infected from the list below. Keep in mind there are some issues with certain strains, such as CryptXXX V3 and CERBER, so be sure to read the instructions and notes before proceeding. Hopefully you will never need this, but if you do, good luck.

The tool will attempt to decrypt files encrypted by:

  1. CryptXXX V1, V2, V3
  2. CryptXXX V4, V5
  3. Crysis
  4. DemoTool
  5. DXXD
  6. TeslaCrypt V1
  7. TeslaCrypt V2
  8. TeslaCrypt V3
  9. TeslaCrypt V4
  10. SNSLocker
  11. AutoLocky
  12. BadBlock
  13. 777
  14. XORIST
  15. Teamxrat/Xpan
  16. XORBAT
  17. CERBER V1
  18. Stampado
  19. Nemucod
  20. Chimera
  22. MirCop
  23. Jigsaw
  24. Globe/Purge
  25. V2:
  26. V3:

Erich’s “What in the (cyber security) world is going on?” 02-16-17 edition

So, I will unabashedly admit to failing miserably at making my weekly post the last couple of weeks. I’ve been traveling and webinaring and otherwise buried in stuff. Oh, and I was abducted by aliens. yeah, that’s it… aliens. Either way, my bad.

Careless Licking Gets a Nasty Ransomware Phishing Infection

Yeah, I totally took this headline from my employer. It was just too good to pass up. What happened is Licking County Ohio got hit by ransomware that took down about 1,000 machines and completely shut down the town government. The best quote I’ve seen for a while came from that when County Auditor Mike Smith commented: “Apparently, our clock still works”. Ouch!


Polish banks hit by malware sent through hacked financial regulator

Well, some smooth slick soul managed to upload malware to the Polish financial regular’s website which resulted in infections in some Polish banks. Not a good thing, not at all. Just goes to show, be cautious even when dealing with “trusted” sources.


There is a fake Netflix app that is ransomware

Trying to steal Netflix? It may cost you. Just pay the $8mo for crying out loud.


New campaign spreading ransomware and another trojan simultaneously

Because Locky doesn’t suck enough as it is, this campaign is also downloading a click-fraud trojan so they can make a few bucks on the side. Shameless.


Mirai is spreading via Windows malware

They have started spreading this via windows trojans as they work to build the largest, most terrifying IoT botnet ever known to man. When fridges revolt, nobody is safe!


Arby’s got breached

More than 350,000 credit and debit cards could be at risk after Arby’s POS systems were found to be malware laden. I’d say more, but I have no beef with them. (<- you see what I did there, right?)


Soda machines take down a university

A gaggle of  infected IoT devices, including vending machines, caused a lot of havoc at an unnamed university by flooding the DNS server with seafood-related lookups. Obviously something was fishy, so they took action and tracked it down.


That’s all I have this week. I’m going to work on doing more mini posts based on things I see during the week, so subscribe and you will get those notifications. Thanks

FUD or Fact? Is ransomware and social engineering really that big of a threat?

We hear the stories almost daily, we see the headlines in the news, but how worried should we be?

The answer really is, it depends. Today I have seen a few headlines including this whopper: “New ransomware could poison your town’s water supply if you don’t pay up“. Sounds very scary, and the idea is, however it is important to understand that this is based on a Proof of Concept (PoC) attack demonstrated at RSA. Is it possible that this can occur, I suppose it is, but the real question is if it is likely. The answer is, not right now. This makes it FUD, or “Fear, Uncertainty and Doubt”. There is a big difference between showing a PoC and doing it in the wild, so you can sleep well tonight.


This is where it get’s a bit spooky. It is possible, and if the researchers that did this are thinking about it, you can bet our enemies and the bad guys just out for a big payout, are too. So research like this is important, but let’s not start stocking up on bottled water just yet.

What is the real threat RIGHT NOW?

The current threats deal more with making fast money and wreaking havoc on organizations by locking them out of records and data that is required to do business. Even that threat is expanding though as hackers are working to innovate. Before we see water supplies threatened, expect to see more and more attacks where the bad guys are threatening to, or actually publicly releasing, sensitive information. Imagine if your organizations “secret sauce” or proprietary information was made public. How much did it cost you to develop that, and how much of a competitive advantage would be lost if that happened? Take KFC’s “Secret Recipe” for example. Rumor is, it is guarded by eunuch Ninja cyborgs… or something like that.

The other real threat is CEO Fraud (aka BEC) and W2 scams that are happening right now. Just yesterday I spoke with an individual that signed up for our training because they sent all of their employees W2’s to some scammers. They were surprised to learn that they are not alone. Manatee County, FL (in my own back yard) was a victim, as was Argyle School District in Texas. Even Snapchat got caught in the crosshairs last year. This is real, this is in the wild, and it is happening to organizations of every size in every industry.

So, what do you about it?

The number 1 way to counter these attacks is through user training because the number 1 attack vector is via email phishing. You train your folks and phish them with non-malicious payloads and links. This way they get used to spotting these phishing emails before something real hits. Technical controls are just not reliable enough to catch and stop these targeted attacks, but making your users a “Human Firewall” is.

The number 2 thing is to have good backups. This really only matters for ransomware because once you send money or W2 info, backups won’t help. For those cases, number 2 is to have a plan to deal with it. Developing this plan will help you react quickly and help you develop policies to avoid these attacks (e.g. ALWAYS talk to the requestor on the phone BEFORE sending money or sensitive info). All should agree on this policy, and they will if you have trained them on the threats. Also, know who your local law enforcement contacts are, and how to contact them. Having a PR firm and/or lawyer in mind is also a good idea.

So, keep an eye on the new developments, but don’t get dragged in to the FUD. Focus on the real, current threats and you will do more to protect yourself than by chasing the possible (but not likely) ghosts of things to come.

So, You Are a Tech Manager Now…

** I want to start by saying that this is nowhere near a comprehensive list of things that can help you better manage, but simply a sharing of my personal experience and meant to help people step back and think about things a bit. **


So, now you’re a manager. You got that promotion that you probably either dreaded or worked very hard for. The question is, what now? Your whole career you’ve been a tech guy and now all of a sudden you’re a manager. First thing to remember is, don’t panic! (and perhaps carry a towel just in case)

While this can be a very spooky time, it’s also a great step in your career. You are going to have to look at things a little differently though. For one, instead of waiting for somebody to tell you what to do, you’re going to have to do the telling. That means now, all of a sudden, you are responsible for figuring out what needs to be done and assigning someone to the task. This may be new to you, but if you keep a cool head, it’s not that bad.  Remember that when you’re in management, the responsibility falls to you. You can delegate the work, but you are still responsible for the results.



Being in management means looking at the big picture. You need to understand what it really cost per unit of XYZ, and you are going to need to start thinking about how much available labor you have versus how much you need to spend. It’s like budgeting with money, only with time instead.

Something to remember here is that unlike money, where a dollar is worth a dollar, labor varies in its value. Some folks are 85% efficient, others hover around 12%, some can even cause an efficiency/oxygen deficit by dragging others down (<- we all know that person, right?). Labor is generally referred to in a unit of measure called an FTE (Full Time Equivalent) which we consider to be a body working 40 hours per week. Don’t ever try to calculate projects based on straight FTEs though as this can result in much wailing and gnashing of teeth. You have to remember that just because a person is burning oxygen for 40 hours a week, they are not producing 40 hours worth of work. On the flip side, sometimes a person can be working on 2 things at once that overlap, so you have to consider that. For example, if it takes 2 hours to image a workstation, you can figure that much of that time can be spent doing something else while data copies, so it may only take .5 FTEs (30 minutes of actual labor) to do the job.


When it comes to financial planning, if you are going to have a budget or be a part of budget planning, learn about the difference between CAPEX and OPEX. Understand that in the technical word, a lot of CAPEX also requires significant OPEX. Likewise, you can move some CAPEX expenses to OPEX, for example by moving to that cloud thingie that is so popular with you youngsters.



Another hurdle you may face is a different language used by leadership. They tend to speaking dollarese where we speak in techenese. In a truly cruel irony of the universe, these two languages have very little in common, and those words that are similar in pronunciation, mean polar opposite things. This can lead to anything from minor misunderstandings to World Wars.  To get a handle on this I recommend you spend a little time with some online management courses, maybe somewhere like, that can help you understand management basics and semantics.



This can be truly difficult if you were promoted from within the ranks. You may be dealing with folks that are jealous that they did not get the promotion, folks that were peers that you did not get along with, or even the feeling that you “sold out” to management. Regardless, you have to change the relationship. This doesn’t mean you can’t be friends, but what that means will probably need to change how the friendship operates or is perceived. The days of partying after work with the team, sleeping in the parking garage and coming to work to hear stories that start with, “I can’t believe you did that!” are over. If that’s what you want, resign your leadership role now.


The best advice I can give when it comes to becoming a manager is to be humble, but firm. You are there to help the people you manage succeed and grow, and make the business a success. This is not about power, it’s not about bossing people around, it’s not about you, it’s about leading. That means getting your hands dirty as well and not just giving all the garbage jobs to the team. On the flip side, that does not mean you should do everything yourself. You have to allow others to do new things so they can grow, but don’t try to use them as your personal slaves. This may take some practice, but if you are honest with your team and humble about your role, people tend to respond well. You may have some folks push boundaries, this is normal as they figure out where your limits are. Don’t take this personally, listen to their suggestions, consider the argument, but remain firm in your decisions unless there is a compelling reason to change.


There are other things you may not have had to do, such as performance reviews for your old team members. This gets a little weird when you are managing people that you used to be peers with. It may not be easy, but this is one place where you really earn the title of manager. You may find yourself reviewing a person that you don’t like personally. Set the personal issues aside and judge them on the job requirements. It’s not always easy to do, but just because they shared that embarrassing picture from the Christmas party after a few too many eggnogs, it doesn’t mean they aren’t great at the job. You need to be honest about it and fair to everyone. Don’t be afraid to say, “Tom, we haven’t always got along, but you are a great here.”


Check Your Pride at the Door

Embrace feedback from your leadership and your team as well. Be open to criticism and be willing to learn from it. You are doing something new and uncomfortable and you will make some mistakes along the way. Mistakes are OK if you own the goof up, learn from it and don’t repeat it. Apply this to your team members as well.


Dress Code

I decided to add this after just having lunch with a friend. You might need to dress differently. Embrace it, love it, live it and SUIT UP!  😀





You are responsible for people now, and you will need to act like it. Embrace the personal and professional growth, get serious about things and enjoy seeing your team grow. It will grow on you, and one of the most rewarding things I have ever experienced is watching a person I led excel in their career and personal life.




Ransomware Infection Causes Loss of 8 Years Of Police Department Evidence

This is what we in the business call, “Not good”.

This was the  “OSIRIS” variant of Locky and looked for about $4k in ransom. According to one article, the chief said. “Our automatic backup started after the infection, so it just backed up infected files” which sounds more like replication than backups. It could also be a gross misconfiguration of the backups, either way, the data is gone.

The press release states that this is the result of a phishing email, which is very typical of this sort of thing.

There is more info at the above links or here:

Erich’s “What in the (cyber security) world is going on?” 01-26-17 edition

Lots of new stuff happening this week in the ransomware side of the house. In addition, you still need to be watching for W2 scams as they are starting to get reported. Having said that, here is my wrap up from the last week.


Facebook users hit with “You are in this video?” malware scam

Scammers are always looking for ways to get you to click on things. This one can prey on your fear of stupid things you may or may not have done on camera. Not saying this would get to me, but there might still be a video of me singing, “Any man of mine” during a tequila-fuel karaoke session a number of years ago. We all have that moment, right? Even if you don’t care to admit it, we are curious about what we may be in, and the scammers are using this to get to you click on malicious links, in this case phishing for credentials. Be careful folks.


Android Ransomware Locks Phone and Asks for Credit Card Number

Fortinet researcher Kai Lu, discovered this new threat. It appears to be targeting only Russian-speaking users, but it demands a HUGE ransom of about $9100 (545,000 Russian rubles) via credit card. I’m going to take a quick look in my crystal ball and say that I don’t expect this to actually work. You can buy a LOT of phones for $9100, and would you trust them with your credit card number? Yeah, no. Who knows though, perhaps it’s demonstrating a proof of concept.


Xiongmai messed up again, exposing installer passwords for a bunch of DVRs

Xionmai’s 2017 list of superuser passwords for certain DVRs was found on a LinkedIn page. This list is designed only for CCTV installers to access customer installations and is essentially a one-time pad or per-day superuser password for their DVR service. It appears to only impact versions sold in China, but it’s representative of the security practices of the org.


The St. Louis Public Library got hit by ransomware

They didn’t pay, but it messed things up for a couple of days. I can’t imagine the tension in the libraries over the couple of days this was going on. Hell hath no fury like a librarian slightly annoyed!



Delaware Blue Cross Blue Shield customer records got hit with ransomware

19,000 records were impacted. Because it’s healthcare, it’s considered a breach by the HHS. Not a fun thing. Reading between the lines, I would have to guess that the data was not encrypted when the ransomware hit, otherwise they could argue the breach classification down.


Houston, we have a problem… Data breach reported at Houston area Popeye’s

Popeye’s got, well… popped. Malware was found on computer systems at seven Houston area locations. It looks like it was there between May 5, 2016 and August 18, 2016.


New Satan Ransomware available through RaaS.

 A security researcher, Xylitol, discovered a new Ransomware as a Service, or RaaS, called Satan. This is a profit-sharing type of ransomware, kind of like a bad lawyer in the fact that if you don’t win, you don’t pay. RaaS developers take a 30% cut, and the scales slides down from there based on number of infections. RaaS means that scammers don’t have to have many skills to spread this sort of ransomware. We will start seeing a lot more of this moving forward.


Everyone’s least favorite ransomware is back and testing new infection tactics

One new Locky campaign is being called ‘Double Zipped Locky’ where the idea is to hide their malicious payload in a Zip file within a Zip file, hoping that the victim will think they’re opening a document. It also drops the Kovter Trojan which remains on the infected system and is used to run click-fraud and malvertising campaigns.

The second one is an email posing as a failed bank transaction with a .rar file containing a malicious Javascript file that downloads Locky and installs it.


USB Sticks Could Infect Your Network With New Spora Ransomware Worm

There is some interesting new info out about Spora. This ransomware offers an option of future immunity (for a fee), does not need a C&C server so blocking outbound communication doesn’t help, but the new stuff is, it adds the ‘hidden’ attribute to files and folders on the desktop, the root of USB drives and the system drive. These files and folders are now hidden by the standard folder options. It then makes Windows shortcuts with the same name and icon as the hidden files and folders. The .LNK files open the original file while also executing the malware and the worm. Pretty tricky.

It looks like Spora is the variant that hit a nursing school recently.  An instructors files were unreadable on home PC, so he brought them in on a USB drive to try it on a work machine. It did not end well.


Argyle School District Employees Hit with W2 Scam Data Breach

A school district in Argyle, TX got hit with a W2 scam that looked like it came from the District Superintendent. The email requested the 2016 W-2 information for all employees of the district and the employee sent it. This really happens folks, and now all of these people are at risk for fraudulently filed tax returns and identity theft. We need to spread the word about this, especially this time of year.

There is a new spam campaign spreading Sage 2.0 ransomware 

Sage 2.0 is demanding a $2000.00 ransom and is being spread by the RIG and Sundown exploit kits. This is also exfiltrating the data hidden inside a .png image by  steganography. I have been saying that I expect to see more strains doing data exfiltration, and this is an example of that.

Stay safe out there folks!

W2 Scams are Happening Folks!

If you have been to any of my talks and/or read many of my posts, you know that I have been preaching heavily about W2 scams this time of year. Scammers are hitting up folks with spear phishing attacks asking for W2’s. these look legit and appear to be coming from a person high up in the food chain. I have seen this personally and only the training my people had, and my open door policy, saved our bacon.

This is what just happened in Argyle, Texas:

“District leaders said Wednesday an employee got a “phishing” email that appeared to be from the district superintendent.

That email asked for the 2016 W-2 information for all employees of the district. The employee complied with the email, attaching and emailing all W-2 information.”

I have spoken with FBI Special Agents that tell me that they have seen tax returns filed within 2-3 days from an event like this. Don’t be that guy/gal that let’s all of your employees lose their PII like this. Teach your people about the threat ASAP!

Erich’s “What in the (cyber security) world is going on?” 01-19-17 edition

Before we get started on this weeks wrap up of important things in the infosec world, in light of the inauguration tomorrow, I just wanted to remind people to treat each other kindly regardless of political opinions. Politics is no reason to treat others without respect. Let’s be good to one another and see how that makes you feel.

That being said, let’s see what the bad guys are up to:


Antivirus Detection Rates Are Tanking

While this doesn’t mean it’s time to yank all the AV off your machines, it is a reminder that endpoint protection should not be your only bacon-saving countermeasures. Many tears have fallen, and much bacon has not been saved due to the “all the eggs in one basket” mentality. Think of the bacon, think of the eggs, and incorporate a defense-in-depth approach that reduces the most risk with the least effort and cost. *cough* *cough* User security awareness training is a huge part of this and is known for it’s bacon-saving properties *cough* *cough*.  I must be hungry.


The Brit’s National Healthcare System (NHS) Has Been Walloped in 2016

about 1-in-3 NHS trusts have been hit with ransomware in 2016. 80 per cent if these were targeted by a phishing scheme and Imperial College Healthcare in London was smacked 19 times in just 12 months. This is not new, I have previously talked about this, but it’s a powerful reminder of just how prolific ransomware is, and the fact that most of it is being spread by email. This may be one of the biggest threats to hit the UK since Jeremy Clarkson. Stay safe out there.


IRS Issues Warning On New Tax Phishing Attack

Scammers are hitting up tax professionals in an effort to compromise their systems and then use the info to scam others in to sending their financial info, resulting in false returns being filed. This is a pretty interesting 2-part scam. There is a nice email blurb here that you can use to warn folks you know. Be safe and pick up the phone if your info is requested.


There is a Very Good Gmail Scam Going Around

Watch for this one. They use a traditional account credential phish to get started, then look through past emails to create new messages to your contacts. They are using email attachment names and subjects similar to ones that have been previously sent by the original victim, so the new victims trust where it came from. Simply teaching people to look at the address bar before they enter any credentials will keep you safe in this attack, sadly not everyone gets good quality awareness training.


Here is an Example of a Phishing Email Targeting Navy Federal Users

This shows an example of a .pdf with a malicious link. Keep in mind, the file is not infected so it will pass any AV tests, but following the link will make a person have a rather bad day. In this case a simple link hover shows it’s not legit. This is a simple skill that users really need to know about.


Fraud Attempts Around Christmas of 2016 up 31% 

Not a shocker mind you, but attempts at fraudulent digital retail sales was up 31% on an increase of 16% in e-commerce transactions over 2015.


The CIA dropped over 930k documents on it’s FOIA Reading Room

That’s over 12 million pages of data. I will not be reading them all, instead I will rely on the interwebs to let me know about the interesting bits, and will pass them along to you. So far, the most interesting thing I saw was a Dilbert cartoon that may have previously contained steganography. Stego fascinates me. It wasn’t even a particularly funny cartoon though.


Bad Guys Threaten to Contact Families of Cancer Patients When Ransomware Fails to Make Them $

There is a special place in the circles of Hell for people that mess with orgs like this. This is a cancer treatment org that provides free treatment for those unable to afford it. This was a $43,000 ransom, which can go a long way to providing treatments for folks. One thing to consider here though, I have mentioned before that I expect to see Doxxing and other behaviors like this increase. Since the software takes control of the files when it encrypts it and the bad guys have the keys, there is no reason the data cannot be exfiltrated and decrypted by the bad guys. This is why the HHS says it’s a breach by default. Sadly, I expect to see more of this behavior.


Elasticsearch is the Latest Target for Database Ransom Attacks

Like the recent MongoDb attacks, the bad guys are going after unsecured Elasticsearch databases, encrypting them and demanding .2 BTC (about $175) to get you back your data. If you run an Elasticsearch database, it’s time to lock it down. Here is some help to get you started.


Sometimes We Need to Rethink our Approach to Things

I have to admit, I LOL’ed at this video. It’s a bit mind boggling to watch, but entertaining. I even got to where I was rooting for the guy a bit.


My Brethren are not to be trifled with!

The Cyber Squirrel 1 project released the results of a study at Shmoocon, showing that squirrels top the list of power grid attackers, followed by birds then snakes. I personally have felt the effects of a rodent-related power outage at a previous job. It is rumored that only a smoking tail and pile of ash remained when a squirrel chewed through some wires as a substation, causing a pretty decent outage in Tucson. Furthermore, my brethren have been blamed for the deaths of six people, allegedly (they have not been convicted in a court of law) caused by squirrels downing power lines that then struck people on the ground. “Rodent-related airborne electrocution” would be a pretty crappy cause of death if you ask me. Fear the fur people, fear the fur!


I was honored to speak at BSides San Diego last weekend

I was able to present 2 sessions, one was on social engineering and the other specifically on ransomware. The crew did a great job putting the event together, even though the waffle truck broke down several blocks away. Waffles on Wheels, sounds right up my alley! 😀 This picture was taken a little before the social engineering session started. By the time we started, it was standing room only. Thanks everyone for attending.

Chelsea Manning’s sentence was commuted.

I’m not even getting in to the politics of this here. Just know, after a bit over 7 years, Manning is being set free.

I hope you enjoyed this weekly update. See you next week!

Erich’s “What in the (cyber security) world is going on?” 01-12-17 edition

I am running for a spot on the (ISC)2 Board of Directors. Please check out this post and sign my petition if you are a member.  Thanks!


Spora ransomware offers future immunity (for a price of course)

This is an interesting strain of ransomware. It offers an option of future “immunity” for a fee. The ransom is calculated and can vary as well. Finally, it uses Windows CryptoAPI for encryption and doesn’t require an outside C&C server infrastructure. This all makes Spora a very unique strain. They even have a really nice victim landing page and offer tech support via chat.


Why you shouldn’t trust Geek Squad ever again

There has been quite a stir about this issue and I can see why. These techs are being incentivized to search the computers without a warrant. While I support reporting things if they stumble across something, the way BestBuy is doing this is ripe for abuse and if the techs are actively seeking out things like this, bypasses the rights of the individual with respect to search and seizure. Also, how can you feel confident that the tech wouldn’t plant things to make an extra few bucks for themselves. It’s all a bit too slimy for me.

Heads-Up! Massive New Locky Ransomware Attack Is Coming 

If you have felt like there has been a short break in some ransomware attacks, you aren’t alone. Locky has been pretty quiet for the last few weeks, but it’s not expected to stay that way. Take this slack time to check your backups and get yourself prepared. It’s not going away in 2017, we know that.

Email Slip-Up Exposes 60,000 Bank Customers’ Account Details

In a monumental “Oh crap” moment, an Australian bank let loose of 60,000 of its customers’ account details. The National Australia Bank (NAB) sent confirmation emails to 60k of its customers. They cc:ed themselves on these for record, but sort of messed up their domain name. You see, they cc:ed instead of appears to be a… well… sort of… “dating” site? Whoops. They aren’t really sure if the emails were bounced or what happened to them at this point.

Ransomware extorts Los Angeles school to the tune of $28,000

Los Angeles Community College District (LACDD) ended up paying a ransom of $28k, a choice indicative of not having good backups in place. Weapons-grade backups folks! Test them and monitor them.

ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt

The E-Sports Entertainment Association (ESEA) did not fold to an extortion attempt and the bad guys released about 1.5 million player profiles. There were over 90 fields in each record including registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

DeriaLock ransomware decryptors available

If you were hit with this, there are a couple of decryptors available right now. Check it out if you have been impacted.