Magniber (Possible Cerber Replacement?) Targeting South Korea

Well, it looks like Cerber may have had a makeover. According to this article at BleepingComputer.com, there is a new strain of ransomware targeting South Korea called Magniber. This clever name is a mashup of the Magnitude exploit kit and Cerber. Two known extensions it appends to files in the event of infection are .ihsdj and .kgpvwnr.

Kudos to security researcher Michael Gillespie for discovering this.

It appears that this strain may be decryptable, so don’t go shelling out those Bitcoins just yet if you get hit with it. Instead, follow this link to the Magniber Ransom Support & Help Topic on BleepingComputer.com.

Keep those backups in shape and don’t forget to train people not to click in the first place!

The Median Price To Get In To The Ransomware Game? Just $10.50

I’ve long been saying that the ransomware problem is going to get worse before it gets better. The Ransomware Economy report published by Carbon Black does a great job backing my theory.

Becker’s Health IT & CIO Review does a good job of boiling things down to 4 key points:

  • Dark web ransomware market for 2016 – $249k. So far in 2017 – $6.2 million
  • Ransomware retailers are making about $31k more per year than a typical software developer
  • DIY ransomware kits range from $0.50 to $3k with a median of $10.50
  • 6,300 marketplaces have about 45k product listings

Ouch.

As long as the money keeps flowing in by the truckload, the bad guys will continue to innovate and unleash more on the masses. Get prepared for it to be worse before it gets better.

Protecting Your Organization From Ransomware Part 1 – Train Your Users


This is part 1 of a mini-series that I’m going to do on the things that can protect your organization from ransomware. This is not an exhaustive list; however, if done properly, these measures can seriously reduce the risk of ransomware taking your organization down. At the very least, following these suggestions will reduce the impact that a ransomware infection will have on your organization.

Part 1 – Train Your Users

If there’s one thing I’ve learned working here at KnowBe4, it’s what a difference training your users can make. I talk to folks all the time and hear story after story about how trained users made the difference. In my younger years, I probably wouldn’t have believed it; however, having experienced it first-hand, let me tell you, it really does work.

This is not a sales pitch for my company. I want to try to help you understand how to make the time you spend training your users provide the best ROI. If you already have to do annual training for compliance, just putting a little more effort into things and taking it seriously can pay off big for you.


Messaging – Start Right From the Beginning

Messaging plays a huge role in how well your training is accepted, and it is a step that is often neglected completely or barely considered. Start by understanding that people in general don’t like just being told to do something “because we say so”. I don’t know whether that’s any more prevalent in IT/security professional and user interactions than elsewhere, but it frequently rears its head here. When it comes to training your users, you want to avoid an “Us” versus “Them” mentality. We have to change it into an “Us” helping “Them” feeling. While it is easy to get frustrated when users click on things that you know they shouldn’t, you need to have patience. Try to remember that most users don’t live in the tech world we do. They aren’t aware of the threats the way we are, and it’s our job to help them understand this. Users aren’t usually dumb; they often just have skills in domains that we may not, and vice versa.

Consider how a user feels about the training in the following two messaging scenarios:

“Folks, it’s that time of year again when we do the mandatory security awareness training. This is required to be done annually by some of our regulations and contracts. We will meet in the break room at 10am for 1 hour. Anyone not able to make it will need to schedule a follow-up appointment. We will start testing everyone by sending simulated phishing emails at least once a month after that. Again, this is mandatory. Thanks, IT Staff”

or

“Folks, did you know that 91% of successful data breaches start with a spear-phishing attack? Did you know ransomware and phishing can also hit you at home and potentially cost you all of your important photos and documents? The bad guys don’t care, but we do, so we have some great training that will help protect not only the organization, but you and your family at home as well. This training is online and on-demand and should take about an hour, so you can watch it at your leisure when you have some spare time. Training does need to be completed in the next 30 days; after that we will be sending some simulated phishing emails at least once a month to help you exercise what the training teaches you. Let us know if you have any questions, and happy learning! Thanks, IT Staff”

Do you see how the messaging in one scenario is positive and helpful, while the other sounds like it’s just something you have to get through until next year? Also, the phishing sounds like a test in the first scenario (lots of people are scared of tests), whereas the second scenario presents it as an opportunity to exercise these skills (much less intimidating). Keep this in mind when doing your messaging, even when it comes to initially getting approval from management and HR.


Leadership Buy-In – Facts Without FUD

From the beginning, when you are going to run a training program like this, you need to have some people on board. Your executives and any other leaders need to understand the value and importance of what you’re doing, and the HR department needs to be on board with it.

FUD stands for Fear, Uncertainty and Doubt. While it can force people to make decisions, it can backfire in big ways, tarnishing your reputation and making future proposals more difficult. It is better to present the facts and the risk without wrapping things in emotional phrases or positioning designed to scare. Let your leadership know that they are targets for things like CEO fraud, W-2 fraud, and ransomware. Show real examples of how these things have impacted an organization, but don’t embellish. Sometimes you have to start by simply educating them with articles about recent breaches or other examples that may resonate with them. This may take a little while, but changing this culture from the top will reap huge rewards further down the line.

As I said above, when you communicate with the HR department your focus needs to always be on how you are teaching people to be safe. This isn’t about “getting” people or being tricky; it’s about preparing them for the attacks that are happening in the real world and protecting the organization. Invite them to screen the simulated phishing emails and make them feel like they are part of the program, not just standing by. Sometimes they will want to stay involved, and sometimes they will bow out once they feel comfortable with what is going on. Either way, it will put them at ease.


Training Needs To Be Relevant – Ditch the Tech-ese

When you train people, it needs to be engaging. Users need to come away feeling that they understand the topic, and they need key points to help them retain the information. Sadly, we as technical people tend to get overly technical in our explanations. Remember, the marketing staff doesn’t care about C2 communication channels or the specifics of malware delivery. If you want their eyes to glaze over, that’s a quick way to do it.

My first suggestion is to subscribe to a third-party service to supply the training. Frankly, it is difficult to get the same kind of return on the training investment doing it yourself. Third-party providers collect feedback about the training and improve it, and they stay on top of current threats. In addition, the final product looks professional and saves a lot of your time preparing and tracking the training. After working here at KnowBe4 and seeing the results and the low price, I can’t imagine ever doing it myself again. Seriously.

If you like pain, you can do it yourself. 😀 If you are going to go this route, I strongly urge you to involve HR and Marketing in the design of the course. They can help keep you on track if you are getting too techie. You will also want a way to track who has completed the training, and be ready to send follow-up emails as needed. I can’t stress this enough… if you can do it online and on-demand, you will get much better results. You do need to make sure it is interactive so they can’t just let it run in the background while they go to lunch.


Comments are welcome below


Next up: Part 2 – Have Weapons-Grade Backups

This will cover things you can do to help ensure that you can recover from a ransomware attack and common pitfalls to avoid. Subscribe at the top-right corner of the page to get alerts when new posts are made.