Ransomware crooks are targeting vulnerable VPN devices in their attacks
Cyber criminals are exploiting security vulnerabilities in VPN servers to encrypt networks with a new form of ransomware, and may have disrupted industrial facilities in the process.
This is detailed in , following an investigation into a ransomware attack against an unspecified victim in Europe.
At least one of the attacks targeting these facilities managed to encrypt industrial control servers with ransomware, resulting in the temporary shutdown of operations. Kaspersky did not identify the victim of the successful ransomware attack, or say how the incident was resolved, but has detailed the ransomware which encrypted the network and how cyber criminals were able to gain access.
Known as Cring, the ransomware first appeared in January and exploits a vulnerability in Fortigate VPN servers (). Fortinet issued a , but cyber criminals can still deploy the exploit against networks which have yet to apply the security update.
By exploiting unpatched VPN applications, attackers are able to remotely access the username and password, allowing them to manually log in to the network.
From here, the attackers download , an open-source application to view and save authentication credentials, and use this to steal additional usernames and passwords to move laterally around the network. They also deploy tools including , a legitimate penetration-testing tool abused by attackers, to gain additional control over infected systems.
Then, with the aid of malicious PowerShell scripts, the attackers are able to encrypt all of the systems which have been compromised across the network with Cring ransomware. At this point, a note left by the attackers tells the victim their network has been encrypted with ransomware and that a ransom needs to be paid to restore the network.
While there's no information on how the incident at the European industrial facility was resolved, researchers note that the failure to apply the patch protecting against a known vulnerability was the "primary cause" of the incident.
Other factors which allowed the attackers to deploy ransomware on the network include the lack of timely security updates applied to the antivirus software that's supposed to protect the network – and how some components of the antivirus were even turned off, reducing the ability to detect intrusions or malicious activity.
The way this particular network was configured also helped the attackers: it allowed them to move freely between systems that had no operational need to be reachable from one another.
"There were no restrictions on access to different systems. In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems," said Vyacheslav Kopeytsev, senior security researcher at Kaspersky.
To help protect networks from Cring ransomware attacks, it's recommended that Fortigate VPN servers are patched with the relevant security updates to prevent the known vulnerability from being exploited.
It's also recommended that VPN access is restricted to those who need it for operational reasons and that ports which don't need to be exposed to the open web are closed.
Researchers also suggest that backups are made, so if the worst happens and the network falls victim to a ransomware attack, it can be restored without the need to pay criminals.