Weekly Intelligence Briefing
January 07th 2016
NOT PROTECTIVELY MARKED
Current Threats
- Teenage Cyber Crime Awareness
- Investigation Update
Malware
- Ransom32
Action Fraud Reports from the South West Region
- PBX/Dial Through Attack
Miscellaneous
- CiSP
- New non-protectively marked briefing
Teenage Cyber Crime Awareness
- The SWRCCU are dealing with increased incidents in relation to teenage cyber crime. Help your children make the right choice and stay clear of cyber crime.
Investigation Updates:
Ransomware
- We are currently investigating a ransomware attack against an organisation in which a laptop holding sensitive information was infected.
- This attack may be linked to the new Ransom32 malware.
Malware: Ransom32
- New easy-to-use ransomware code has been discovered. It has been named Ransom32 and is believed to be the first of its kind. It is known to affect Windows, Mac and Linux.
- The malicious code and its administration system are written in the web languages HTML, CSS and JavaScript, which are commonly used on mainstream websites. It uses a JavaScript framework to run on, and infect, the victim's computer.
- The Ransom32 code is available for download from a single dark web site to anyone who pays with Bitcoin.
- Ransom32 has been designed for users who lack the technical skills to create their own brand of ransomware.
Malware: Ransom32 (continued…)
Infection:
- The main method of distribution is currently via email, though it is also possible to unknowingly download the malware from a compromised website.
- The malware arrives embedded in a self-extracting RAR (compressed) file.
- Ransom32 will connect to a command-and-control (C&C) server over the Tor anonymising network.
- Once the malware has infected a system, victims can be locked out of their computer and asked to pay a ransom in Bitcoin to regain access.
- The malware looks for and scrambles a huge variety of files including images, movies, documents and data archives.
- It is highly unlikely that any encrypted files will be recoverable. Paying the ransom is no guarantee of getting the files back.
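As an added illustration (not part of this briefing, and not a tool of the SWRCCU), the Python script below shows how a mail gateway or incident triage script can pick out the self-extracting RAR attachment described above. A self-extracting archive is a Windows executable (an "MZ" header) with a RAR archive appended, so an attachment that is both a PE file and carries a RAR signature is worth blocking before it reaches an inbox. The RAR and PE signatures are the published ones; the filenames, the block/quarantine policy and the sample attachments are constructed for the example.

```python
"""Triage of e-mail attachments for self-extracting RAR archives.

Added example, not part of the briefing: a self-extracting RAR is a Windows
executable (PE, 'MZ' header) with a RAR archive appended, so a gateway can
flag any attachment that is a PE and also carries a RAR signature. All
sample attachments below are constructed and contain no real malware.
"""

PE_MAGIC = b"MZ"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive signature

# Extensions under which a Windows executable is expected; anything else that
# starts with 'MZ' is an executable hiding behind a harmless-looking name.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com"}


def find_rar_signature(data: bytes) -> int:
    """Return the lowest offset of a RAR archive signature in data, or -1."""
    hits = [data.find(magic) for magic in (RAR4_MAGIC, RAR5_MAGIC)]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by header:
    'sfx-rar' - PE executable with an embedded RAR archive (self-extracting)
    'rar'     - plain RAR archive
    'pe'      - plain Windows executable
    'other'   - anything else
    """
    is_pe = data.startswith(PE_MAGIC)
    rar_at = find_rar_signature(data)
    if is_pe and rar_at > 0:
        return "sfx-rar"
    if rar_at == 0:
        return "rar"
    if is_pe:
        return "pe"
    return "other"


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes).
    Returns a list of (filename, action, reason) for everything worth acting
    on; attachments that look clean produce no entry."""
    findings = []
    for name, data in attachments:
        kind = classify_attachment(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "sfx-rar":
            findings.append((name, "block",
                             "self-extracting RAR archive (PE with embedded RAR signature)"))
        elif kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
            findings.append((name, "block",
                             "Windows executable disguised as ." + (ext or "(none)")))
        elif kind in ("pe", "rar"):
            findings.append((name, "quarantine", kind + " attachment: hold for review"))
    return findings


# Constructed sample attachments: a minimal fake PE with a RAR archive appended,
# a bare RAR 5 archive, a PE renamed to .pdf, and a genuine-looking PDF.
SAMPLE_SFX = (PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
              + RAR4_MAGIC + b"\x00" * 16)
SAMPLE_ATTACHMENTS = [
    ("invoice_scan.exe", SAMPLE_SFX),
    ("photos.rar", RAR5_MAGIC + b"\x00" * 8),
    ("statement.pdf", PE_MAGIC + b"\x00" * 30),
    ("minutes.pdf", b"%PDF-1.4\n%...\n"),
]

if __name__ == "__main__":
    for name, action, reason in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{action:10} {name:20} {reason}")
```

Run on the constructed samples, the script blocks the self-extracting archive and the executable renamed to .pdf, quarantines the plain RAR for review, and lets the PDF through. The header check is deliberately independent of the filename, which is the point: the attachment's extension is chosen by the sender, the bytes are not.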
Malware: Ransom32 (continued…)
Prevention:
- Make sure anti-virus and malware scanners are running and up-to-date.
- Be very cautious of unexpected emails in your inbox and do not open any attachments from unknown sources.
- Keep your web browsers and Java installations up-to-date.
- Do not open executable files that appear unexpectedly on your computer unless you know what they are.
- Make regular backups. Back up all sensitive data and personal files and store them offline on different media such as an external hard drive.
- Avoid surfing "questionable" sites.
Hacking: PBX/Dial Through
We have received a report of a PBX/Dial Through attack on a dental lab based in Devon. The telephone system was compromised and calls were placed to premium rate numbers, resulting in a financial loss of £343.
In order to prevent yourselves becoming the next victim:
- Use strong PINs/passwords for your voicemail system, ensuring they are changed regularly.
- If your voicemail is still on a default PIN/password, change it immediately.
- Disable access to your voicemail system from outside lines. If this is business critical, ensure the access is restricted to essential users and that they regularly update their PINs/passwords.
- If you do not need to call international/premium rate numbers, ask your network provider to place a restriction on your line.
- Consider asking your network provider to block outbound calls at certain times, e.g. when your business is closed.
- Ensure you regularly review available call logging and call reporting options.
- Regularly monitor for increased or suspect call traffic.
- Secure your exchange and communications system, use a strong PBX firewall and, if you don't need a function, close it down!
- Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.
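Two of the points above, reviewing call logs and monitoring for suspect call traffic, are easy to automate, and the Python script below is an added example of how (it is not part of the briefing and not a tool of the SWRCCU or any network provider). It reads call detail records (CDRs) exported from a PBX, flags calls to premium rate or international numbers, and raises an alert for any extension that makes a burst of calls outside business hours, which is the pattern in the Devon incident. The CSV layout, the business hours, the burst threshold and the sample records are all assumptions constructed for the example; the "09" premium rate and "00" international prefixes are the UK dialling conventions.

```python
"""Spotting dial-through abuse in PBX call logs.

Added example, not part of the briefing. Reads call detail records (CDRs),
flags premium rate and international calls, and alerts on extensions that
call repeatedly outside business hours. CDR layout, business hours and the
burst threshold are assumptions; the sample records are constructed.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

BUSINESS_HOURS = (8, 18)       # assumed: 08:00-18:00, Monday to Friday
PREMIUM_PREFIXES = ("09", "0871", "0872", "0873", "118")  # UK premium rate / directory ranges
INTERNATIONAL_PREFIX = "00"    # UK international dialling prefix
OUT_OF_HOURS_LIMIT = 2         # assumed: more than this per extension raises an alert

# Constructed CDRs: timestamp, originating extension, dialled number, duration (s).
# Extension 210 starts dialling a premium rate number repeatedly in the early hours.
SAMPLE_CDR = """\
timestamp,extension,dialled,duration
2016-01-04 09:12:31,201,01392555123,95
2016-01-04 11:40:02,203,07700900123,300
2016-01-04 13:05:17,201,01392555987,40
2016-01-05 02:14:07,210,0909879612,540
2016-01-05 02:24:50,210,0909879612,600
2016-01-05 02:36:11,210,00252612345678,720
2016-01-05 02:49:59,210,0909879612,610
2016-01-05 03:01:22,210,0909879612,580
2016-01-05 10:15:00,203,01179876543,120
"""


def parse_cdr(text):
    """Parse CSV CDR text into a list of dicts with a datetime and int duration."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "when": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialled": row["dialled"].strip(),
            "duration": int(row["duration"]),
        })
    return records


def number_class(dialled):
    """'international', 'premium' or 'standard', judged from the dialled prefix."""
    if dialled.startswith(INTERNATIONAL_PREFIX):
        return "international"
    if dialled.startswith(PREMIUM_PREFIXES):
        return "premium"
    return "standard"


def out_of_hours(when):
    """True at weekends or outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not start <= when.hour < end


def analyse(records):
    """Return a summary dict:
    suspect_calls   - records to premium rate or international numbers
    suspect_seconds - total talk time of those calls (what the bill will show)
    bursts          - {extension: out-of-hours call count} above OUT_OF_HOURS_LIMIT
    """
    suspect = [r for r in records if number_class(r["dialled"]) != "standard"]
    ooh = Counter(r["extension"] for r in records if out_of_hours(r["when"]))
    return {
        "suspect_calls": suspect,
        "suspect_seconds": sum(r["duration"] for r in suspect),
        "bursts": {ext: n for ext, n in ooh.items() if n > OUT_OF_HOURS_LIMIT},
    }


if __name__ == "__main__":
    summary = analyse(parse_cdr(SAMPLE_CDR))
    for r in summary["suspect_calls"]:
        print(f"{r['when']} ext {r['extension']} -> {r['dialled']} "
              f"({number_class(r['dialled'])}, {r['duration']}s)")
    for ext, n in summary["bursts"].items():
        print(f"ALERT: extension {ext} made {n} calls outside business hours")
    print(f"suspect talk time: {summary['suspect_seconds']} s")
```

On the constructed records the script lists five suspect calls from extension 210, all in the early hours, and raises a burst alert for that extension; run nightly against the previous day's CDR export it would have surfaced the Devon pattern before the bill arrived. Pair it with the provider-side bar on premium rate and international calls, which stops the cost rather than just reporting it.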
CiSP - Cyber Crime Threats Shared
The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT-UK, is an information sharing platform used to share and publish cyber crime threat information.
The aim of the platform is to allow members to take remedial action and adapt their organisations to prevent cyber attacks.
If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp and contact us, as we can sponsor you.
A regional South West CiSP is in place and will be formally launched in March 2016; more details will be shared in due course.
Additional Briefing Dissemination
This document has been given the protective marking of NOT
PROTECTIVELY MARKED and may be disseminated outside law
enforcement with no restriction.
If you know anyone else who would like to receive this, please send us
their e-mail address and we will add them to the distribution list.
For any comments or queries, please email the South West Regional Cyber Crime Unit at:
swrccu@avonandsomerset.pnn.police.uk
0117 372 2446