Intelligence Briefing, 07 January 2016
NOT PROTECTIVELY MARKED

Contents

Current Threats
- Teenage Cyber Crime Awareness
- Investigation Update
- Malware: Ransom32
Action Fraud Reports from the South West Region
- PBX/Dial Through Attack
Miscellaneous
- CiSP
- New non-protectively marked briefing

Teenage Cyber Crime Awareness

The SWRCCU are dealing with increased incidents in relation to teenage cyber crime. Help your children make the right choice and stay clear of cyber crime. [Video]

Investigation Updates: Ransomware

We are currently investigating a ransomware attack against an organisation in which a laptop holding sensitive information was infected. This attack may be linked to the new Ransom32 malware.

Malware: Ransom32

New easy-to-use ransomware code has been discovered. It has been named Ransom32 and is believed to be the first of its kind. It is known to affect Windows, Mac and Linux. The malicious code and its administration system are written in the web languages HTML, CSS and JavaScript, which are commonly used on mainstream websites; it manipulates the JavaScript framework to infiltrate the victim's computer. Ransom32 is available for download from a dark web site to anyone who pays with Bitcoin. It has been designed for users who lack the technical skills to create their own brand of ransomware.

Malware: Ransom32 (continued)

Infection: The main method of distribution is currently email, though it is also possible to unknowingly download the malware from a compromised website. The malware arrives embedded in a self-extracting RAR (compressed) file. Ransom32 connects to a command-and-control (C&C) server over the Tor anonymising network. Once the malware has infected a system, victims can be locked out of their computer and asked to pay a ransom in Bitcoin to regain access.
The malware looks for and scrambles a huge variety of files, including images, movies, documents and data archives. It is highly unlikely that any encrypted files will be recoverable, and paying the ransom is no guarantee of getting the files back.

Malware: Ransom32 (continued)

Prevention:
- Make sure anti-virus and malware scanners are running and up to date.
- Be very cautious of unexpected emails in your inbox and do not open attachments from unknown sources.
- Keep your web browsers and Java installations up to date.
- Do not open executable files that appear unexpectedly on your computer unless you are familiar with them.
- Make regular backups. Back up all sensitive data and personal files and store them offline on different media, such as an external hard drive.
- Avoid surfing "questionable" sites.

Hacking: PBX/Dial Through

We have received a report of a PBX/Dial Through attack on a dental lab based in Devon. The telephone system was compromised and calls were placed to premium rate numbers, resulting in a financial loss of £343. To avoid becoming the next victim:
- Use strong PINs/passwords for your voicemail system and change them regularly. If your voicemail is still on a default PIN/password, change it immediately.
- Disable access to your voicemail system from outside lines. If outside access is business critical, restrict it to essential users and ensure they update their PINs/passwords regularly.
- If you do not need to call international or premium rate numbers, ask your network provider to place a restriction on your line.
- Consider asking your network provider to block outbound calls at certain times, e.g. when your business is closed.
- Regularly review the call logging and call reporting options available to you.
- Regularly monitor for increased or suspect call traffic.
- Secure your exchange and communications system, use a strong PBX firewall and, if you don't need a function, close it down!
- Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.

CiSP - Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is run by Cert-UK, is an information sharing platform used to share and publish cyber crime threat information. The aim of the platform is to allow members to take remedial action and modify their organisations to prevent cyber attacks. If you would like to join the CiSP, please sign up at www.cert.gov.uk/cisp and contact us, as we can sponsor you. A regional South West CiSP is in place and will be formally launched in March 2016; more details will be shared in due course.

Additional Briefing Dissemination

This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction. If you know anyone else who would like to receive this, please send us their e-mail address and we will add them to the distribution list.

Any comments or queries, please email the South West Regional Cyber Crime Unit at swrccu@avonandsomerset.pnn.police.uk or call 0117 372 2446.
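The call-log review and monitoring advised in the PBX/Dial Through section above, as an added example that is not part of the briefing: a Python script that parses constructed call-detail records and flags outbound calls to premium rate or international numbers, placed out of hours, or originating from the voicemail port. The CDR layout, the opening hours, the "VM" extension label and the prefix lists are assumptions.

```python
"""Flag suspicious outbound PBX calls in a call log (added example, not from the briefing)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample call-detail records: timestamp,extension,dialled number,seconds
SAMPLE_CDR = """\
2016-01-05T10:12:31,201,01392123456,184
2016-01-05T14:03:10,207,08001234567,62
2016-01-06T02:41:07,VM,0907123456,1790
2016-01-06T03:15:22,VM,0023412345678,1200
2016-01-06T11:20:00,201,07700900123,45
"""
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed opening hours, Mon-Fri
PREMIUM_PREFIXES = ("09",)        # UK premium rate range (assumed policy)
INTERNATIONAL_PREFIXES = ("00",)  # UK international dialling prefix (assumed policy)

@dataclass
class Call:
    when: datetime
    extension: str   # originating extension; "VM" = placed through voicemail (assumed label)
    dialled: str
    seconds: int

def parse_cdr(text):
    # One record per line; blank lines are ignored
    calls = []
    for line in text.splitlines():
        if line.strip():
            ts, ext, num, secs = line.split(",")
            calls.append(Call(datetime.fromisoformat(ts), ext, num, int(secs)))
    return calls

def out_of_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.time() < end)

def classify(call):
    # Each check is one indicator of dial-through fraud from the briefing's advice
    checks = (
        ("premium-rate", call.dialled.startswith(PREMIUM_PREFIXES)),
        ("international", call.dialled.startswith(INTERNATIONAL_PREFIXES)),
        ("out-of-hours", out_of_hours(call.when)),
        ("voicemail-originated", call.extension == "VM"),
    )
    return [name for name, hit in checks if hit]

def review(text):
    # Report (call, reasons) for every call flagged on two or more counts
    flagged = [(c, classify(c)) for c in parse_cdr(text)]
    return [(c, r) for c, r in flagged if len(r) >= 2]
```

Feed the script your PBX's exported CDRs on a schedule and alert on any non-empty result; a single flagged call in the small hours is worth a phone call to the maintenance provider before the bill arrives.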