in the first three months of 2016 , putting ransomware on track to rake in nearly $ 1 billion this year . But as a result of increased ransom-avoidance , cybercriminals have created an even more insidious threat . Imagine malware that combines ransomware with a personal data leakAttack.Databreach: this is what the latest threat , doxware , looks like . With doxware , hackers hold computers hostageAttack.Ransomuntil the victim pays the ransomAttack.Ransom, similar to ransomware . But doxware takes the attack further by compromisingAttack.Databreachthe privacy of conversations , photos , and sensitive files , and threatening to release them publicly unless the ransom is paidAttack.Ransom. Because of the threatened release , it 's harder to avoid paying the ransomAttack.Ransom, making the attackAttack.Ransommore profitable for hackers . In 2014 , Sony Pictures suffered an email phishing malware attackAttack.Phishingthat releasedAttack.Databreachprivate conversations between top producers and executives discussing employees , actors , industry competitors , and future film plans , among other sensitive topics . And ransomware attacksAttack.Ransomhave claimed a number of recent victims , especially healthcare systems , including MedStar Health , which suffered a major attackAttack.Ransomaffecting 10 hospitals and more than 250 outpatient centers in March 2016 . Combine the data leakAttack.Databreachof Sony and the ransomware attackAttack.Ransomon MedStar and you can see the potential fallout from a doxware attack . Doxware requires strategic , end-to-end planning , which means hackers will target their victims more deliberately . Looking at the data leakedAttack.Databreachfrom Sony , it 's easy to imagine the catastrophic effect doxware would have on an executive of any major corporation . Company leaders hold countless conversations over email each day on sensitive topics ranging from product development to competition to internal politics , and if there 's a doxware attack , the fallout could be extensive . Expect Things to Get WorseThe technology behind doxware is still new , but expect the problem to become worse . Recent attacks have been contained to Windows desktop computers and laptops , but this will certainly change . Once the malware can infiltrate mobile devices , the threat will become even more pervasive , with text messages , photos , and data from apps at risk for being leakedAttack.Databreach. It 's also highly likely that doxware will target more types of files . Workplace emails are currently a big target for hackers . However , a company 's internal communications/instant messaging network is also appealing to hackers using doxware , as the messaging network often serves as a platform where both sensitive business discussion and casual conversations take place , potentially exposing both company secrets and personally embarrassing exchanges . One of these variants hold files ransomAttack.Ransomwith the threat of release and then stealsAttack.Databreacha victim 's passwords . Another mutation , Popcorn Time , takes doxware even further giving victims the option to infect two of their friends with the malware instead of paying the ransomAttack.Ransom.
Last week we first tweeted that the GuardiCore Global Sensor Network ( GGSN ) has detected a wide ransomware attackAttack.Ransomtargeting MySQL databases . The attacksAttack.Ransomlook like an evolution of the MongoDB ransomware attacksAttack.Ransomfirst reported earlier this year by Victor Gevers . Similarly to the MongoDB attacksAttack.Ransom, owners are instructed to payAttack.Ransoma 0.2 Bitcoin ransomAttack.Ransom( approx. $ 200 ) to regain access to their content . We saw two very similar variations of the attackAttack.Ransomusing two bitcoin wallets . In this post we will describe in detail the attack flow and provide some recommendations on how to protect your databases from similar attacks along with attack IoCs . The attacks started at midnight at 00:15 on February 12 and lasted about 30 hours in which hundreds of attacks were reported by GGSN . We were able to trace all the attacks to 109.236.88.20 , an IP address hosted by worldstream.nl , a Netherlands-based web hosting company . The attacker is ( probably ) running from a compromised mail server which also serves as HTTP ( s ) and FTP server . Worldstream was notified a few days after we reported the attack . The attack starts with ‘ root ’ password brute-forcing . Once logged-in , it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘ WARNING ’ that includes a contact email address , a bitcoin address and a payment demandAttack.Ransom. In one variant of the attack the table is added to an existing database ; in other cases the table is added to a newly created database called ‘ PLEASE_READ ’ . The attacker will then delete the databases stored on the server and disconnect , sometimes without even dumping them first . The attack as reported by GuardiCore Centra We logged two versions of the ransom message : INSERT INTO PLEASE_READ. ` WARNING ` ( id , warning , Bitcoin_Address , Email ) VALUES ( ‘ 1′ , ’ Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database ! Your DB is Backed up to our servers ! ’ , ‘ 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY ’ , ‘ backupservice @ mail2tor.com ’ ) INSERT INTO ` WARNING ` ( id , warning ) VALUES ( 1 , ‘ SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http : //sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE ! The second version offers the owner to visit the following darknet web site ‘ http : //sognd75g4isasu2v.onion/ ’ to recover the lost data . The darknet web site referenced in the ransom note . Each version uses a different bitcoin wallet , 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 vs 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY and based on Blockchain public information people have been paying up .
A maker of Internet-connected stuffed animal toys has exposedAttack.Databreachmore than 2 million voice recordings of children and parents , as well as e-mail addresses and password data for more than 800,000 accounts . He said searches using the Shodan computer search engine and other evidence indicated that , since December 25 and January 8 , the customer data was accessedAttack.Databreachmultiple times by multiple parties , including criminals who ultimately held the data for ransomAttack.Ransom. The recordings were available on an Amazon-hosted service that required no authorization to access . The data was exposedAttack.Databreachby Spiral Toys , maker of the CloudPets line of stuffed animals . The toys record and play voice messages that can be sent over the Internet by parents and children . The MongoDB database of 821,296 account records was stored by a Romanian company called mReady , which Spiral Toys appears to have contracted with . Hunt said that , on at least four occasions , people attempted to notify the toy maker of the breachAttack.Databreach. In any event , evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusionsAttack.Ransom. Hunt wrote : It 's impossible to believe that CloudPets ( or mReady ) did not know that firstly , the databases had been left publicly exposedAttack.Databreachand secondly , that malicious parties had accessedAttack.Databreachthem . Obviously , they 've changed the security profile of the system , and you simply could not have overlooked the fact that a ransom had been leftAttack.Ransom. So both the exposed databaseAttack.Databreachand intrusionAttack.Ransomby those demanding the ransomAttack.Ransommust have been identified yet this story never made the headlines . Further ReadingInternet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bugThe breach is the latest to stoke concerns about the privacy and security of Internet-connected toys . In November 2015 , tech news site Motherboard disclosed the hackAttack.Databreachof toy maker VTech in a breachAttack.Databreachthat exposedAttack.Databreachthe names , e-mail addresses , passwords , and home addresses of almost 5 million adults , as well as the first names , genders and birthdays of more than 200,000 kids . A month later , a researcher foundVulnerability-related.DiscoverVulnerabilitythat an Internet-connected Barbie doll made by Mattel contained vulnerabilities that might allow hackers to intercept real-time conversations . In addition to storing the customer databases in a publicly accessible location , Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings , customer profile pictures , children 's names , and their relationships to parents , relatives , and friends . In Monday 's post , Hunt acknowledged the help of Motherboard reporter Lorenzo Franceschi-Bicchierai , who published this report . Oddly enough , for a product with such lax security , the service used the ultra-secure bcrypt hashing function to protect passwords . Unfortunately , CloudPets had one of the most permissive password policies ever . It allowed , for instance , a passcode of the single character `` a '' or the short keyboard sequence `` qwe . '' `` What this meant is that when I passed the bcrypt hashes into [ password cracking app ] hashcat and checked them against some of the world 's most common passwords ( 'qwerty , ' 'password , ' '123456 , ' etc . ) along with the passwords 'qwe ' and 'cloudlets , ' I cracked a large number in a very short time , '' Hunt wrote . Further ReadingHow to search the Internet of Things for photos of sleeping babiesThe lesson that emerged long ago is that the security of so-called Internet of things products is so poor that it often outweighs any benefit afforded by an Internet-connected appliance . As the CloudPets debacle underscores , the creep factor involved in Internet-connected toys makes the proposition even worse
The toys -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The breachAttack.Databreach, which grabbed headlines on Monday , is drawing concerns from security researchers because it may have given hackers accessAttack.Databreachto voice recordings from the toy 's customers . But the company behind the products , Spiral Toys , is denying that any customers were hackedAttack.Databreach. Absolutely not , '' said Mark Meyers , CEO of the company . Security researcher Troy Hunt , who tracks data breachesAttack.Databreach, brought the incidentAttack.Databreachto light on Monday . Hackers appear to have accessedAttack.Databreachan exposed CloudPets ' database , which contained email addresses and hashed passwords , and they even sought to ransomAttack.Ransomthe information back in January , he said in a blog post . The incidentAttack.Databreachunderscores the danger with connected devices , including toys , and how data passing through them can be exposedAttack.Databreach, he added . In the case of CloudPets , the brand allegedly made the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication to access . That allowed anyone , including hackers , to view and stealAttack.Databreachthe data . On the plus side , the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed with the bcrypt algorithm , making them difficult to crack . Unfortunately , CloudPets placed no requirement on password strength , meaning that even a single character such as letter `` a '' was acceptable , according to Hunt , who was given a copy of the stolen data last week . As a result , Hunt was able to decipher a large number of the passwords , by simply checking them against common terms such as qwerty , 123456 , and cloudpets . `` Anyone with the data could crack a large number of passwords , log on to accounts and pull down the voice recordings , '' Hunt said in his blog post . Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December . However , both Gevers and Hunt said the company never responded to their repeated warnings . On Monday , California-based Spiral Toys , which operates the CloudPets brand , claimed the company never received the warnings . `` The headlines that say 2 million messages were leakedAttack.Databreachon the internet are completely false , '' Meyers said . His company only became aware of the issue after a reporter from Vice Media contacted them last week . `` We looked at it and thought it was a very minimal issue , '' he said . A malicious actor would only be able to accessAttack.Databreacha customer 's voice recording if they managed to guess the password , he said . `` We have to find a balance , '' Meyers said , when he addressed the toy maker 's lack of password strength requirements . He also said that Spiral Toys had outsourced its server management to a third-party vendor . In January , the company implemented changes MongoDB requested to increase the server 's security . Spiral Toys hasn ’ t been the only company targeted . In recent months , several hacking groups have been attackingAttack.Databreachthousands of publicly exposed MongoDB databases . They ’ ve done so by erasing the data , and then saying they can restore it , but only if victims pay a ransom feeAttack.Ransom. In the CloudPets incident , different hackers appear to have deleted the original databases , but leftAttack.Ransomransom notes on the exposed systems , Hunt said . Although the CloudPets ’ databases are no longer publicly accessible , it appears that the toy maker hasn ’ t notified customers about the breachAttack.Databreach, Hunt said . The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys . But Meyers said the company found no evidence that any hackers broke into customer accounts . To protect its users , the company is planning on a password reset for all users . `` Maybe our solution is to put more complex passwords , '' he said .
It 's been quiet since 2015 , but TorrentLocker has suddenly returned . And this time it wants to stealAttack.Databreachyour passwords too . Cybercriminals are always adding new malicious tricks to ransomware . A ransomware variant which has been relatively inactive for almost two years is back , and this time it 's stealingAttack.Databreachuser credentials from victims in addition to demanding a ransomAttack.Ransomto unencrypt locked files . TorrentLocker -- also known as Cryptolocker -- started targeting Windows users in 2014 before dropping off by the summer of 2015 . Like the majority of ransomware schemes , TorrentLocker spreads via spam email messages containing malicious attachments . Rising Bitcoin prices force Cryptolocker ransomware scammers to drop asking priceAttack.RansomBitcoin 's wild fluctuations have forced a price update to the Cryptolocker ransomware . If the victim enables the macros by choosing to 'Enable Editing ' , a PowerShell code is executed and the ransomware is downloaded , encrypting the victims ' files until they pay a ransomAttack.Ransom. But that is n't where the malicious activity ends , because as noted by cybersecurity researchers at Heimdal Security , this incarnation of TorrentLocker has new features , including the ability to spread itself to other computers via shared files ; something which could see the ransomware taking over a whole network in a very short space of time . In addition to holding networks to ransomAttack.Ransom, the new version of TorrentLocker also harvestsAttack.Databreachusernames and passwords from infected computers , putting businesses at risk of cyberespionage and data breachesAttack.Databreach, while users could see their personal or financial information leakedAttack.Databreachand sold to cybercriminals on the dark web . The researchers warn that the revived TorrentLocker campaign is `` very aggressive '' and that many well known antivirus software products have n't been updated to protect against it , even days after the campaign began . Heimdal Security warns users in its native Denmark that they 're being highly targeted by TorrentLocker . Indeed , it appears that European internet users are the main target for those behind the campaign , as Microsoft told BleepingComputer that Italy is by far the most targeted by the perpetrators .
Democrats in Pennsylvania ’ s state Senate were locked out of their computer network early Friday morning due to a ransomware attackAttack.Ransom, NBC News reports . According to an unidentified state official who spoke with NBC , the Democratic senators in Harrisburg use their own computer network and “ there is no indication that other state agencies of the Republicans have been affected ” . As of about 5 p.m. Friday , both law enforcement agencies and Microsoft were working with the state Democrats to free their network . In a statement sent to reporters via text message and obtained by The Hill , state party officials said , “ there is currently no indication that the caucus system was targeted or that any data has been compromisedAttack.Databreach” . Recently , ransomware attacksAttack.Ransomhave struck everywhere from hospitals and universities to San Francisco ’ s transit system . Last summer , the congressional IT desk warned representatives in Washington DC to be careful of potential ransomware and phishing threatsAttack.Phishing, but the hacks on the DNC were unrelated . In many cases , the payment demandedAttack.Ransomis only in the tens of thousands of dollars , and occasionally ransomware can be spammed without a specific target , but the affected computer systems are encrypted and inaccessible until the hackers release a key . If a network ’ s data is backed up offsite , the target can occasionally circumvent the ransomAttack.Ransomaltogether — albeit with some increased security . A spokesperson for the Pennsylvania Democrats declined to say to NBC News whether that was possible in this case , or whether the attackers had revealed any motives
Ransomware is perhaps the most ingenious cybercrime in the history of the Internet in terms of its simplicity and effectiveness . It has caused absolute terror in nearly every industry , affecting almost 50 % of organizations in 2016 , and is considered one of the top cyberthreats to the enterprise for 2017 . According to the FBI , ransomware — malware that holds systems and data for ransomAttack.Ransom— cost victims $ 209 million in the first three months of 2016 , yet totaled only $ 24 million in all of 2015 . This astronomical rise in ransomware is motivated , in large part , by a lack of preparedness . And the problem will get worse before it gets better . But in order to understand the rise of ransomware , you need to understand its economics . The Business of RansomwareTraditional data from major breachesAttack.Databreachis starting to be worth less and less as the black market gets flooded with stolen records . Just call a toll-free number and the problem is fixed in minutes . Even the cost of prized electronic healthcare records is down 50 % to 60 % from last year . But at the same time , the price per ransomAttack.Ransomhas continued to climb , and much of the data being ransomedAttack.Ransomis completely worthless on the black market . Innovations in online payments have also helped pave the way for the current ransomware epidemic . Similar to how some sites are the middlemen for sellers , Web-based `` businesses '' started to appear in early 2016 to act as proxies for data extortionists to postAttack.Databreachsensitive stolen data to add urgency to payment demandsAttack.Ransom, sell the stolen data to a third-party , or utilize it in other ways . These Web vendors use a `` Business 101 '' approach by providing an easy Bitcoin-based payment interface — currently worth $ 768 each ( at the time of writing this ) — and take a cut of every payment . Popularity Breeds PandemicBecause of ransomware 's massive success , its creators are pushing new technologies to their limits , with the potential to infiltrate every data storage device between the Internet and any given company . And with the massive success of Mirai — the Internet of Things botnet that took down a portion of the Internet last fall — connected devices are poised to become the next big target , translating into even more ransomware .
Ransomware is perhaps the most ingenious cybercrime in the history of the Internet in terms of its simplicity and effectiveness . It has caused absolute terror in nearly every industry , affecting almost 50 % of organizations in 2016 , and is considered one of the top cyberthreats to the enterprise for 2017 . According to the FBI , ransomware — malware that holds systems and data for ransomAttack.Ransom— cost victims $ 209 million in the first three months of 2016 , yet totaled only $ 24 million in all of 2015 . This astronomical rise in ransomware is motivated , in large part , by a lack of preparedness . And the problem will get worse before it gets better . But in order to understand the rise of ransomware , you need to understand its economics . The Business of RansomwareTraditional data from major breachesAttack.Databreachis starting to be worth less and less as the black market gets flooded with stolen records . Just call a toll-free number and the problem is fixed in minutes . Even the cost of prized electronic healthcare records is down 50 % to 60 % from last year . But at the same time , the price per ransomAttack.Ransomhas continued to climb , and much of the data being ransomedAttack.Ransomis completely worthless on the black market . Innovations in online payments have also helped pave the way for the current ransomware epidemic . Similar to how some sites are the middlemen for sellers , Web-based `` businesses '' started to appear in early 2016 to act as proxies for data extortionists to postAttack.Databreachsensitive stolen data to add urgency to payment demandsAttack.Ransom, sell the stolen data to a third-party , or utilize it in other ways . These Web vendors use a `` Business 101 '' approach by providing an easy Bitcoin-based payment interface — currently worth $ 768 each ( at the time of writing this ) — and take a cut of every payment . Popularity Breeds PandemicBecause of ransomware 's massive success , its creators are pushing new technologies to their limits , with the potential to infiltrate every data storage device between the Internet and any given company . And with the massive success of Mirai — the Internet of Things botnet that took down a portion of the Internet last fall — connected devices are poised to become the next big target , translating into even more ransomware .