Sopra Steria… Ryuked. Services down

IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.

The French-headquartered company detected the cyberattack on 20 October and made it public the following day.

Reports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and payment demanded to unlock them.

Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.

Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.

It has been revealed that Ryuk operators exploited the Netlogon vulnerability CVE-2020-1472, which hits domain controllers and exfiltrates data. Microsoft released the patch for this vulnerability in August.
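Defenders who have deployed the August Netlogon patch can use the new event IDs it writes on domain controllers to find which machine accounts still negotiate vulnerable secure channels before turning on enforcement. The script below is an added example, not anything from Sopra Steria or the original report; the event IDs (5827/5828 denied, 5829/5830/5831 allowed) are the ones documented for the Netlogon update, while the flat record layout and the computer, account and address values are constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Netlogon event IDs written by domain controllers running the August 2020
# Netlogon update. "Allowed" IDs mean a vulnerable (unsigned/unsealed) secure
# channel connection was accepted and would be refused in enforcement mode.
DENIED_VULNERABLE = {5827, 5828}        # machine account / trust account refused
ALLOWED_VULNERABLE = {5829, 5830, 5831}  # still allowed: deployment phase or policy

# Constructed sample records (assumption: a flat export of System-log events;
# real exports carry more fields and use different field names).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 5829, "Computer": "DC01.corp.example", "Account": "LEGACY-NAS$", "Source": "10.0.5.20"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "Account": "alice", "Source": "10.0.1.7"},
    {"EventID": 5829, "Computer": "DC02.corp.example", "Account": "PRINTSRV01$", "Source": "10.0.5.31"},
    {"EventID": 5827, "Computer": "DC01.corp.example", "Account": "OLDWKS$", "Source": "10.0.9.9"},
    {"EventID": 5829, "Computer": "DC01.corp.example", "Account": "LEGACY-NAS$", "Source": "10.0.5.20"},
]


def summarize_netlogon(events: Iterable[Dict[str, object]]) -> Dict[str, Counter]:
    """Count allowed-vulnerable and denied-vulnerable Netlogon connections per account."""
    allowed: Counter = Counter()
    denied: Counter = Counter()
    for ev in events:
        eid = int(ev.get("EventID", 0))
        account = str(ev.get("Account", "?"))
        if eid in ALLOWED_VULNERABLE:
            allowed[account] += 1
        elif eid in DENIED_VULNERABLE:
            denied[account] += 1
    return {"allowed_vulnerable": allowed, "denied_vulnerable": denied}


def accounts_needing_attention(events: Iterable[Dict[str, object]]) -> List[str]:
    """Accounts still using vulnerable channels: patch or replace them before enforcing."""
    return sorted(summarize_netlogon(events)["allowed_vulnerable"])


if __name__ == "__main__":
    summary = summarize_netlogon(SAMPLE_EVENTS)
    for acct, n in summary["allowed_vulnerable"].most_common():
        print(f"ALLOWED vulnerable channel: {acct} ({n} events) - remediate before enforcement")
    for acct, n in summary["denied_vulnerable"].most_common():
        print(f"DENIED vulnerable channel: {acct} ({n} events)")
```

Each account listed under "allowed" is a device that would lose its domain connectivity once the domain controller is switched to enforcement, so the list doubles as the remediation backlog.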

The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.

It may take a few weeks for services to come back up across geographies.

Cybersecurity Hygiene tips

1. Block your camera

2. Mute your laptop mic

3. Limit your public data

4. Use a more private search engine

5. Enable 2-factor authentication or MFA

6. Move crypto assets to a secure location

7. Block quick money transfers

8. Use a VPN

9. Use a password manager

10. Enable firewall protection at home

11. Back up data regularly

12. Install next-gen AV

13. Use different passwords for public and private accounts

14. Say no to apps you do not need on smartphones

15. Keep an eye on apps that use your location and data

16. Don’t click on suspicious links in email

17. Change security device passwords regularly

18. Keep unwanted ports closed in the firewall

Lockbit strikes PTI

The computer server of India’s leading news organization, Press Trust of India (PTI), was attacked late Saturday night by ransomware, disrupting news service across the country for several hours.

A ransom was demanded from PTI after the cyber attack. However, the news organization’s work resumed after about 12 hours of struggle by IT engineers.

A PTI spokesperson said that its servers across the country were attacked by ransomware called Lockbit at 10.00 pm on Saturday. The virus encrypted all data and applications, disrupting its news service.

The origin of the virus is not known, nor was it a deliberate attack. However, a ransom was demanded to return encrypted data after the attack.

A PTI spokesperson said that the work of the news institute was back to normal from 9 am on Sunday after a 12-hour struggle by PTI’s IT engineers. The company did not provide ransom to the attackers.

According to a recent survey by cybersecurity company Sophos, ransomware attacks have increased over the years. Eighty-two percent of companies surveyed acknowledged ransomware attacks between January and June this year.

Only 8 percent of Indian companies could stop an attack before their data was encrypted, compared to the global average of 24 percent. Only one-third of Indian companies said they were able to recover encrypted data from backups, while 66 percent said they would have to pay a ransom to recover data.

Emotet (👹). Now asks you to update MS Word! Tricky

Emotet comes with a new phishing template that pretends to be a Microsoft Office message urging the recipient to update Microsoft Word to add a new feature.

Once installed, Emotet downloads additional payloads onto the machine, including ransomware, and uses the machine to send spam emails.

The botnet is operated by a threat actor tracked as TA542. Recent campaigns have used malicious Word documents with COVID-themed lures.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries to update its capabilities.

In a recent campaign, the attackers used multiple lures, including invoices, purchase orders, shipping information and COVID-19 information.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature,” researchers reported.

Below is the message displayed to the recipient to trick them into enabling the macros:

Upgrade your edition of Microsoft Word
Please click Enable Editing and then click
Enable Content.

Upon enabling the macros, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder.
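The two behaviours described above, a Word document that needs macros enabled and a payload dropped under %LocalAppData%, are exactly what endpoint process-creation telemetry exposes: Word itself spawning a scripting host, or spawning a binary from a user’s AppData\Local tree. The detection below is an added example and not part of the original report or any vendor’s product; the events are constructed in a shape loosely modelled on Sysmon process-creation records (parent image, image, user), and the user name and dropped-file path are made up.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Office applications that should almost never spawn interpreters or droppers.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script and living-off-the-land hosts commonly launched by macro payloads.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Anything executed from C:\Users\<name>\AppData\Local\... (i.e. %LocalAppData%).
LOCAL_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

# Constructed sample process-creation events (assumption: real Sysmon Event ID 1
# records carry many more fields; only the three used here are modelled).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\alice"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # print-driver helper: a normal Word child
     "User": "CORP\\alice"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Vqslp\vqslp.exe",  # constructed drop path
     "User": "CORP\\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "User": "CORP\\bob"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a detection label for one process-creation event, or None if benign."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child_path = event.get("Image", "")
    child = ntpath.basename(child_path).lower()
    if parent not in OFFICE_PARENTS:
        return None
    if child in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    if LOCAL_APPDATA.search(child_path):
        return "office-spawned-localappdata-binary"
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, label) for every hit."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{label}] user={ev['User']} parent={ev['ParentImage']} child={ev['Image']}")
```

The second sample event shows why the parent check alone is not enough: Word legitimately launches helpers such as the print spooler shim, so the rule only fires on a scripting host or on a binary executing from the per-user %LocalAppData% tree that the article names as Emotet’s install location.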

Users should be educated to tell legitimate mail from phishing mail. A proper defence-in-depth strategy is needed to escape these anomalies.