Author Archives: brianhonan

IRS chief: assume your identity has been stolen

You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent.

That’s according to Internal Revenue Service (IRS) Commissioner John Koskinen at a recent briefing to reporters: If you are an American, you should assume that any number of cyber criminals have enough information about you to pose as you.

Koskinen was speaking Tuesday ahead of the agency’s annual Security Summit, about the IRS’s data security efforts heading into the 2018 tax season and, inevitably, was asked if the mammoth, catastrophic breach of big-three credit reporting agency Equifax would have an effect on tax fraud.

Not even enough to notice, was the response, reported in The Hill. “We actually think that it won’t make any significantly or noticeable difference,” he said.

Why? “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals,” he said.

Here are the numbers that matter:

There are about 250 million Americans 18 and older.

An estimated 145.5 million people were affected by the Equifax breach where hackers had access to names and addresses and other personally identifiable information (PII) – including information that’s difficult or impossible to change like Social Security numbers and dates of birth.

Meanwhile the official IRS estimate is that more than 100 million Americans have had their PII stolen by hackers.

There’s wiggle room in both figures, but the difference between them is as much as 45 million people – more than the individual populations of the large majority of European countries: almost as much as Spain; more than four times that of Greece, Portugal or Sweden; nearly 10 times that of Norway, Ireland and numerous others.

So, according to Koskinen, the reality could be much worse than the official estimate. He advised all Americans to “assume their data is already in the hands of criminals and ‘act accordingly.’”

He’s not the first one to say so, of course. Star security blogger Brian Krebs said essentially the same thing in more than one of the multiple posts he filed on the Equifax breach. But it came across, at least to some privacy experts, as not only a casual dismissal of one of the most damaging breaches of the year, but also uninformed, as if it were at the same level as a credit card breach.

Rebecca Herold, CEO of The Privacy Professor, called it, “simplistic and naïve.”

He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere – such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more.

To try and minimize a breach of this magnitude is disappointing, to say the least, from him.

Koskinen, in prepared remarks, said the agency does take tax fraud very seriously, and is having some very serious success in reducing it. The Security Summit – a joint project of the IRS, state tax agencies and the private sector launched in 2015 – is a major reason for that, he said. Those improvements show up in the fraud statistics, he said:

We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.

In the “identity theft” category, Koskinen said the number of reported victims in 2016 was 376,000 – 46% down from 2015. And this year, through August, the number is 189,000, a drop of about 40% from the same time last year.

Kay Bell, self-described “tax geek” and author of the blog Don’t Mess With Taxes, complimented the IRS on 37 relatively new data filters created in conjunction with the Security Summit that she said would easily stop a criminal even if he had a name, address and SSN. The filters, she said, make sure, “the meat of the return would be a guessing game.”

Koskinen, in his statement, said other methods of catching fraudulent returns and refunds include:

  • Stronger password protocols.
  • Working with financial institutions to flag questionable refunds.
  • A pilot program that adds a verification code to W-2 forms.

Of course, Koskinen didn’t go into much detail about what individual citizens can do to “act accordingly” in response to assuming that their PII is already in criminal hands. That may be because, other than putting a credit freeze in place with all the credit bureaus and monitoring their own finances, there isn’t a whole lot they can do.

As Herold put it:

All those people whose personal life data was breached at Equifax did not directly do business with Equifax, as is most often the case with those other breaches he references. There was no way the impacted individuals could have done anything to ensure Equifax had appropriate security controls in place for their associated data – they had no choice.

from Naked Security – Sophos http://bit.ly/2yVeA5W
via IFTTT

Kids’ smartwatches harbouring major security flaws

Has Santa Claus, the Tooth Fairy or the agnostic Birthday Gnome ever gifted your tot a smartwatch?

Toss it. All those wrist wraps are Internet-of-Things (IoT) security car wrecks, according to a new report (PDF) from the Norwegian Consumer Council (NCC).

The main point of smartwatches is to geolocate your offspring, but some models also allow parents to call or text their kids. After all, it’s cheaper than a full-fledged smartphone, and somewhat less likely to be buried in a sandbox.

Much like drone makers do to their aircraft, some parents also use the GPS-connected smartwatches to geofence their kids: some models send out an alert when a child leaves a designated area. Some smartwatches have an SOS feature that allows a kid to send an emergency message to a caregiver.

That’s great, except when it’s not. NCC researchers looked at four smartwatch models and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn’t work reliably.

And, most worrying of all, through simple steps, strangers can take control of the smartwatches. Given the lack of security in the devices, eavesdroppers can listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.

Researchers found that several of the watches also transmit personal data to servers located in North America and East Asia, in some cases without using encryption. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that eavesdropping is going on.

It not only challenges a child’s right to privacy, says Finn Myrstad, director of digital policy for the NCC – “It also threatens their safety,” he says.

Until these issues have been resolved, these watches should be in no stores, even less so on a child’s arm.

In one watch, knowing a user’s phone number “gives an attacker full access to the device,” the report found. In another watch, the researchers “inadvertently came across sensitive personal data belonging to other users, including location data, names and phone numbers.”

One of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch’s current location and location history and contact phone numbers in the account, all without notifying the watch user.

CBS News quotes Myrstad:

This data can be abused for so many different things – finding out where kids have been means getting extremely sensitive data around where they live, where they go to school. It’s far, far away from any basic standard of security.

According to The Telegraph, the UK retailer John Lewis has already responded to the NCC’s report by withdrawing one of the smartwatch models – the Gator 2 – that the researchers analyzed.

They also tested Viksfjord and Xplora smartwatches. A fourth model, the Tinitell, lacked major security flaws, but it also lacked clear privacy protections, according to the report. According to CBS News, all of the watch models except for Xplora are on sale in the US.

So, another crop of IoT things is insecure. Quelle surprise.

Santa, Tooth Fairy, Agnostic Birthday Gnome, et al., I’m beginning to suspect one of two things:

  1. You’re all NSA agents. That would explain Hello, Barbie, the joke-telling, story-swapping, interactive game-playing, eavesdropping doll that spawned the Hell No Barbie campaign from privacy groups. It would also explain her Hell-spawn sister, My Friend Cayla, which was fitted with a camera and an artificial intelligence (AI) chip for interpreting children’s emotions… and which Germany’s privacy watchdog declared was an “illegal espionage apparatus” that parents should destroy. Given all that, you’re either creeps, government spies, or then again…
  2. You really need help with securing the IoT.

I suspect it’s No. 2. But you’re not alone: we all need help with securing the IoT.

Here are some security tips on how to get that done – ideally before Christmas!


from Naked Security – Sophos http://bit.ly/2yud36c
via IFTTT

IoT Deployment Security Top Concern for Enterprises

A new survey shows that 63% of respondents are worried about the impact of the Internet of Things on corporate security technologies and processes.

A majority of enterprises cite cybersecurity as their main concern with corporate Internet of Things deployments, according to a survey released this week commissioned by BlackBerry.

In the survey, 63% of respondents cited security as their top concern about IoT technologies and processes in the enterprise, yet only 37% of participants said they had a formal digital strategy in place. A full 78% of respondents indicated interest in a solution that would allow them to manage all their endpoints in one place. Nearly two-thirds of respondents (61%) identified hackers and cyberwarfare as a major threat from the IoT.

“The proliferation of IoT is being led by enterprises, and they continue to require a unified endpoint management strategy that is capable of scaling to handle billions of connected devices,” Marty Beard, chief operating officer, said in a statement.

Read more about the survey here.

from Dark Reading – All Stories http://ubm.io/2yU16aG
via IFTTT

Mr. Robot eps3.1undo.gz – the security review

Welcome back to the Naked Security roundup of this week’s episode of Mr. Robot. Here’s last week’s episode recap if you missed it.

The vast majority of this week’s episode focused on psychological drama, but the major events of the episode were bookended by a bit of Elliot’s (or is it Mr. Robot?) hacking ingenuity. Let’s take a peek.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

Elliot takes down the chain of command

As Elliot attempts to repair ECorp from the inside, we see him playing a part that’s familiar to many – the dreaded presentation to uninterested middle managers – while also going after the managers who are in his way. All he needed was enough information about them to make a reasonable guess at their email passwords (since he works with them, their usernames are easily known), and he found a treasure trove of blackmail-worthy information.

The first boss he sets the FBI on innocuously mentions his love of the band the Goo Goo Dolls, and Elliot correctly guesses that this boss used a slightly modified version of a Goo Goo Dolls album name (“aboynamedg00”) as a password. Easy enough. The next target in the food chain was even simpler: the personal hint about his favorite hobby wasn’t even needed, because Elliot was able to see this manager typing in his spin-cycling-related password (“tapitback”) with a simple “shoulder surf” – hacker vernacular for peeking over somebody’s shoulder as they type a password.

This sequence was a nice reminder of two key points:

  1. “Hacking,” whether it is a technical or social hack, doesn’t always have to be complex, in fact often enough the simplest methods are quite effective. In Elliot’s case, all he had to do was pay attention and listen, or peek over someone’s shoulder, and he got enough information to infiltrate his managers’ email accounts. No fancy tools needed, just his eyes and ears.
  2. Both managers’ passwords are shamefully simple. Nobody likes typing complex passwords, but dictionary words? Personally identifiable information? Changing l3tters for numbers? Come on. They’re not even trying.

I’d like to summon the Game of Thrones “Shame” meme here, but it might be dangerous to cross the streams.
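The two passwords above fall to exactly the check a password policy should run before accepting a new password: undo the “l3tters for numbers” substitutions and compare against phrases a colleague could learn about the user. This is an added example, not code from the show or from Sophos; the band, album and hobby phrases are a constructed context list, and the 14-character minimum is an assumed policy value.

```python
"""Targeted-guess check for new passwords: de-leet the candidate and look for
phrases an attacker could learn about the user (band, album, hobby slogan).
Added example; not code from Mr. Robot or Naked Security."""
import itertools
import re

# Look-alike substitutions that cost a guesser nothing. "1" and "!" are
# ambiguous, so they expand to more than one letter.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
MAX_VARIANTS = 512   # bound the expansion for digit-heavy passwords

# Constructed context: what a coworker could pick up from desk chat.
CONTEXT = ["Goo Goo Dolls", "A Boy Named Goo", "tap it back", "spin cycling"]


def canon(phrase: str) -> str:
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", phrase.lower())


def variants(pw: str):
    """Yield every de-leeted spelling of pw (separators removed), capped.
    Each leet character may stay as typed or become any of its letters, so
    'g00' yields 'goo', 'go0', 'g0o' and 'g00'."""
    pw = pw.lower()
    choices = [LEET[c] + c if c in LEET else c for c in pw]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= MAX_VARIANTS:
            break
        yield re.sub(r"[^a-z0-9]", "", "".join(combo))


def guessable_reason(pw: str, context_phrases, min_len: int = 14):
    """Return why pw would fall to a targeted guess, or None if no rule fires.
    The phrase check runs first so 'aboynamedg00' is reported for the real
    weakness (a known phrase) rather than merely for being short."""
    phrases = [canon(p) for p in context_phrases if len(canon(p)) >= 4]
    for v in variants(pw):
        for p in phrases:
            if p in v:
                return f"contains known phrase {p!r} after undoing substitutions"
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    return None


if __name__ == "__main__":
    for candidate in ["aboynamedg00", "tapitback", "TapItBack!2017",
                      "velvet-otter-grammar-lantern"]:
        print(f"{candidate!r}: {guessable_reason(candidate, CONTEXT)}")
```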

Elliot trusts his instincts

The event on the tail end of the episode shows Elliot realizing what Mr. Robot meant by “we’ve been compromised” in regards to Darlene. Elliot suspects that his sister may be acting against him somehow, but we (the viewer) aren’t sure what exactly he knows, or if he realizes the extent to which Darlene is informing on him to the FBI.

In a moment of clarity, Elliot reboots his machine, plugs in a USB drive with a fresh image of Kali Linux on it, and boots up a clean instance of the hacker-friendly operating system. He runs rkhunter (Rootkit Hunter), an anti-rootkit scanner. This is our clue that Elliot is looking for something Darlene may have planted on his machine. rkhunter, however, shows that his machine is clean of any software-based backdoors or rootkits, and this is our first hint at what Darlene did.

The show switches a few times to the FBI’s view of what’s going on. There’s a Python script running that’s spitting out PNG screenshots of Elliot’s computer at frequent intervals, and they can see he’s running Kali and rkhunter. So this is our second hint: he had just rebooted his machine, booted into an entirely different operating system, and rkhunter showed the system as clear of any software that could be spying on him; yet the FBI still has a view into what he’s up to, so there has to be something hardware-based working against him.

The screenshots seem quite high-resolution and don’t look like they’re being generated via a camera pointed at his monitor, so we can surmise that something is pulling the images from his monitor directly. Indeed, if we think back to a bit earlier in the episode, when Darlene was staying over at Elliot’s place, we did see her fiddling with something (or perhaps installing) in the back of Elliot’s monitor while he was asleep.

The third hint follows immediately after rkhunter comes back clear. The FBI agent observing Elliot’s monitor says he pulled the URL from the email Elliot was sending to Tyrell, checked it and found that it didn’t contain anything interesting. Dom then makes her realization: “This email isn’t for Tyrell, it’s for us.” Indeed, it’s for the FBI and for us, the viewers. The URL Elliot sent was an obfuscated link to a repository on GitHub for a Dell monitor exploit proof-of-concept (PoC) that was presented at Defcon 24, called “A Monitor Darkly”.

It’s Elliot’s own way of saying to the FBI: “I’m way ahead of you.”

The actual monitor exploit says it can allow an attacker to read pixels on the monitor, but the proof of concept for this exploit is for actually displaying images on the target monitor. The researchers who worked on this exploit did acknowledge that there’s potential for this kind of attack to be made more effective with additional hardware like a Funtenna (basically a hacked antenna being used for attack purposes).

What the show portrays certainly seems in the realm of possibility, if you take this PoC to a logical extreme, especially if you were to put the brainpower of covert agencies behind furthering development. We’ve seen Mr. Robot stretch concepts like this before for the sake of good television — remember the Pringles cantenna? — and arguably that’s what happened here as well.

…Or, perhaps the link is purposely close-but-not-correct to throw all of us off Elliot/Mr. Robot’s trail, as perhaps there was malicious code in the linked file and Elliot actually managed to successfully phish the FBI? I’d just as well believe this as a hardware hack.

What did you think of this week’s episode? Was Elliot’s link to the monitor hardware hack PoC an affirmation of the FBI’s tactic, or is this meant to throw us, the viewers, off?


from Naked Security – Sophos http://bit.ly/2io4Jyd
via IFTTT

What’s Next after the SEC ‘Insider Trading’ Breach?

Last month’s hack of the Securities and Exchange Commission may prove to be the most high-profile corporate gatekeeper attack to date. But it definitely won’t be the last.

Traditionally, insider traders followed the Gordon Gekko roadmap to acquiring illicit information, gaining material non-public corporate information from in-person physical sources, such as company executives or company lawyers and accountants, or even from the printer a company used to print deal documents. As the business world has changed, however, insider traders have updated their techniques and taken advantage of the concentration of digital information to obtain a bounty of non-public information that their analog counterparts in the 1980s could never have imagined.

Today, hackers — many of whom are either traders themselves or sell stolen information — are focusing their data intrusion efforts on corporate gatekeepers such as law firms, newswire services, and other third parties that often possess confidential corporate information for numerous publicly traded companies. Predictably, this trend of “insider trading hacks” has continued, reaching its logical extension last month when the Securities and Exchange Commission (SEC) announced that it had been the victim of a significant breach and was investigating whether this intrusion “resulted in access to non-public information [that] may have provided the basis for illicit gain through trading.”

Though the SEC breach will likely prove to be the most high-profile insider trading hack to date, it certainly was not the first. Recent history shows that hackers have been increasingly targeting corporate gatekeepers — entities storing material non-public information for a number of publicly traded companies. For instance, from 2010 through 2014, a group of hackers systematically targeted three newswire services that helped numerous publicly traded companies distribute information about earnings and other corporate transactions.

These hackers collaborated to steal not-yet-published press releases containing material non-public information about hundreds of publicly traded companies. They then passed the information on to a group of more than 30 domestic and international traders who used the valuable intel to trade in the window of time between when the companies uploaded the information to the newswire service and the distribution service published the press releases. Over five years, the hackers stole more than 150,000 news releases prepared by publicly traded companies and used this information to make more than $100 million in illegal trading profits.

The SEC and Department of Justice eventually uncovered the scheme. On August 11, 2015, the SEC charged 32 defendants with securities fraud and froze numerous trading accounts in the United States and abroad. To date, the SEC has settled with 13 defendants and has obtained judgments totaling more than $52 million. Meanwhile, the US Attorney’s offices for the District of New Jersey and Eastern District of New York separately brought charges against nine individuals involved in the scheme. All but one criminal defendant has pleaded guilty.

Law firms are another type of corporate gatekeeper targeted for insider-trading hacks. In December 2016, the SEC and the US Attorney’s Office for the Southern District of New York announced charges against Iat Hong, Bo Zheng, and Chin Hung, all citizens of China. The government alleged that over a period of 11 months, the three men hacked into the servers of two elite New York City-based law firms — reportedly Cravath, Swaine & Moore and Weil, Gotshal & Manges — and stole substantial quantities of sensitive, non-public information involving potential mergers or acquisitions of the firms’ public company clients, which include some of the largest and most well-known companies in the world. The three allegedly then used this information to trade ahead of public merger announcements, generating nearly $3 million in trading profits.

With hackers and traders targeting these critical gatekeepers, the SEC itself, the biggest gatekeeper of all, was an obvious target. On September 20, 2017, the SEC announced that in 2016, hackers exploited a weakness to gain access to the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, which is used by securities industry actors to file more than 1.7 million documents annually with the agency. To date, the SEC either does not know or is not disclosing the amount of information stolen by the hackers, though it has admitted that it is investigating whether the hackers used this information to make illicit trades.

It is also unclear whether the hacked information from EDGAR could be used to make illicit trades because there may not be the same window of time between acquisition of the information and full market disclosure, as in the newswire and law firm hacks described above. But it is clear that the SEC cannot let its guard down. In recent years, securities fraudsters have exploited EDGAR by, for instance, filing fake merger documents for Avon, Rocky Mountain Chocolate, and Integrated Device Technology to create and trade on short-term stock price increases.

As we head into this new era of insider-trading hacks, there remain unanswered questions about who may be liable when data breaches occur. The SEC has already intimated that it will use enforcement actions against securities industry actors who fail to protect investors’ information, and public companies that fail to make timely and adequate disclosures about data breaches. It is possible that public companies could also face scrutiny from the SEC (and potentially shareholders) if they fail to take prudent steps to protect their data, even in the hands of third parties. Third-party gatekeepers may also be subject to liability where they acted negligently or recklessly.

Insider-trading hacks are also costly from a resource and public relations perspective; the SEC hack is another large, blinking warning sign for publicly traded companies. These companies must be aware that domestic and international hackers are targeting this valuable and confidential corporate information. As the cases discussed in this article make clear, public companies cannot simply build their own cyber defenses. They must ensure that the third parties they work with every day — law firms, accounting firms, consultant groups, newswire services, and others — are also up to the task of protecting this valuable information by taking proactive steps such as limiting the digital data trail, requiring third parties to use code words when communicating internally about corporate transactions, or requiring newswire services to issue press releases immediately after a company uploads a document to reduce the opportunity to engage in illicit trading.

The SEC hack was the latest gatekeeper insider-trading hack, but it will not be the last.

David L. Axelrod, Partner, Ballard Spahr. Ballard Spahr partner David L. Axelrod is a former supervisory trial counsel at the U.S. Securities and Exchange Commission’s (SEC) Philadelphia Regional Office. At the SEC, he directed all aspects of litigation, leading complex, …

from Dark Reading – All Stories http://ubm.io/2gxffCR
via IFTTT

Google Advanced Protection Trades Ease-of-Use for Security

Government officials and journalists who use Google services were the first to be invited to use the advanced Gmail account security services announced Tuesday. Experts say it’s no security panacea, but the tools provided under the Google banner called Advanced Protection give any private Google user top-notch security.

The Advanced Protection offering consists of three tiers of protection for those who might need it, such as campaign workers and journalists, Google said Tuesday. Google explains it’s these types of Google account users who are targeted most aggressively by adversaries interested in compromising communications or hacking into accounts to steal sensitive data.

Features include hardware-based two-factor authentication (requiring two physical security keys), limiting full access of a user’s Gmail and Drive to specific apps and requiring extra steps during the Google account recovery process.

“Third-party apps that want access to Gmail or Drive will no longer have permission. For secure access, you will need to use the Gmail app or Inbox by Gmail,” Google explains. “You will only be able to use the Chrome browser to access signed-in services like Gmail or Photos.” Google also explained a set of unspecified steps would be required of anyone who loses access to their account accidentally to prevent a hacker from hijacking the account. “These added verification requirements will take a few days to restore access to your account,” Google said.

“We call this Podesta-proofing your Google account,” said Joseph Hall, chief technologist at the Center for Democracy and Technology, referring to the attack against Hillary Clinton’s campaign manager John Podesta’s personal Gmail account during the last election.

“In addition to the John Podestas of the world, activists, victims of domestic abuse and billionaires are just a few of the people who will be able to benefit from this technology,” Hall said. “Anyone targeted by a nation state or a highly motivated attacker can really benefit from this technology.”

Currently the service is open to personal Google account holders, but requires two Bluetooth or USB hardware-based security keys to turn on the service.  The free Advanced Protection is not available for commercial G Suite account users.

Google calls the offering an “unusual step” to protect “an overlooked minority of our users that are at particularly high risk of targeted online attacks… Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts.”

Experts warn turning on the advanced protection won’t be for the faint of heart and will place strict limits on how a Google account interacts with other services online and within the context of mobile devices such as tablets and phones. “Lose your password and you may risk never regaining access to your account again,” Hall said.

“I’m encouraged to see Google bringing some of the advanced threat protections from their business products to the select consumer communities,” said Allen Falcon, CEO of solution provider Cumulus Global.

Falcon said what Google is offering are services available as part of its existing G Suite licenses or as paid add-on services running on the Google Cloud Platform. “As such, it is a comparable add-on to those available with other cloud services.  The Security Key enforcement replaces texted keys with a physical key that must be present,” he said.

On the downside, experts point out, Google’s Advanced Protection does not support encrypted email with this offering. However, G Suite Enterprise, at $25 monthly, does support the use of encryption keys.

For Google this solves a big problem, said Eric Hodge, director of consulting, CyberScout. He said that for the past six months Google has had confidence in its services slowly undermined by phishing attacks.

“We are seeing a record number of attacks where people are being tricked into authenticating to fake Google pages,” Hodge said.

Earlier this summer, Google said it has disabled offending accounts involved in a widespread spree of phishing emails impersonating Google Docs. The emails targeted journalists primarily and attempted to trick victims into granting the malicious application permission to access the user’s Google account.

“What Google is doing is going to be effective. It’s going to be expensive and hard to manage at scale,” Hodge said. “It’s also going to be a real pain for users who are going to have to carry around a little piece of hardware to access their Gmail account. But I guess if you’re John Podesta, or someone like him, you’re going to want to use one of these advanced tools.”

Google did not indicate when or if the service would be opened up to a larger portion of its user base.

from Threatpost – English – Global – thr… http://bit.ly/2yzI6wE
via IFTTT

New Locky Ransomware Strain Emerges

Latest version goes by the .asasin extension and is collecting information on users’ computer operating system and IP address.

Locky authors have again retooled the highly persistent ransomware campaign with a new strain that performs reconnaissance on victims’ computers and goes by a new file extension name, PhishMe reports today.

The latest Locky strain, which began appearing on Oct. 11 and goes by the .asasin extension, is collecting information on users’ computers such as the operating system used, IP address, and other such information, says Brendan Griffin, PhishMe threat intelligence manager.

“The information it’s collecting is nothing too personally identifiable, but it gives the actors a rough idea of information about the computer, and attackers never do things without a purpose,” Griffin observes.

Although the intent of Locky’s reconnaissance isn’t fully clear, its ability to collect information on infected Windows versions could help its authors determine which OS version is the most susceptible to its attacks, says Griffin.

Collected IP address information, which reveals the geographic location of a computer, is helping to set the stage for a new twist with Locky. Victims are hit with either a Locky ransomware attack or banking Trojan TrickBot, depending on their geographic location.

Locky’s Muted Threat

The latest Locky strain uses a .asasin extension, a move that could be designed to intimidate victims into paying the ransom, Griffin surmises. “It could be a muted threat, or a form of new branding to get their name out there again,” he notes.

Since Locky first emerged in February 2016, it has undergone nearly a dozen changes to its file extension name with each new strain, Griffin estimates. Some of its previous strains included extensions .ykcol, .lukitus, and .thor, Griffin says.

Despite this most recent name change, Griffin says it is still apparent that this ransomware strain is Locky. Tell-tale signs that Locky continues to lurk within this strain include the way it runs its encryption process to lock down victims’ data, the structure of its ransom note, and the payment method it demands of its victims.

“Combine those attributes and behaviors and we’re talking about the same animal,” says Griffin.
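The extension changes the article walks through (.ykcol, .lukitus, .thor and now .asasin) are the cheapest tell-tale sign a file server can watch for; what makes the signal useful is not a single rename but a burst of them from one host and user. The detector below is an added example, not PhishMe’s or CrowdStrike’s code; the audit-log line format, host names, 60-second window and threshold of five renames are all constructed assumptions.

```python
"""Burst detector for renames to Locky's known extensions, run over
constructed file-server audit lines. Added example; not vendor code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Extensions the article attributes to successive Locky strains
LOCKY_EXTS = {".asasin", ".ykcol", ".lukitus", ".thor"}
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed renames per (host, user) before alerting

# Assumed audit-line format: "<ISO ts> host=.. user=.. op=.. src=.. dst=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

# Constructed sample: one genuine burst, one lone .thor rename, one benign
# rename, one malformed line and one straggler outside the window.
SAMPLE_LINES = """\
2017-10-11T09:14:00 host=WS-042 user=jdoe op=rename src=Q3_report.xlsx dst=Q3_report.xlsx.asasin
2017-10-11T09:14:03 host=WS-042 user=jdoe op=rename src=budget.docx dst=budget.docx.asasin
2017-10-11T09:14:05 host=WS-007 user=asmith op=rename src=draft.txt dst=draft_final.txt
2017-10-11T09:14:06 host=WS-042 user=jdoe op=rename src=photo1.jpg dst=photo1.jpg.asasin
2017-10-11T09:14:09 host=WS-042 user=jdoe op=rename src=notes.txt dst=notes.txt.asasin
2017-10-11T09:14:12 host=WS-042 user=jdoe op=rename src=plan.pptx dst=plan.pptx.asasin
2017-10-11T09:14:15 host=WS-042 user=jdoe op=rename src=invoice.pdf dst=invoice.pdf.asasin
2017-10-11T09:14:20 host=WS-007 user=asmith op=rename src=old.bak dst=old.bak.thor
this line is malformed and must be ignored
2017-10-11T09:24:00 host=WS-042 user=jdoe op=rename src=late.xlsx dst=late.xlsx.asasin
""".splitlines()


def parse(line: str):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def locky_ext(name: str):
    """Return the Locky extension a file name ends with, else None."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext if ext in LOCKY_EXTS else None


def detect(lines):
    """Return one alert dict per (host, user) whose renames to a Locky
    extension reach THRESHOLD inside WINDOW. Later renames by the same pair
    do not re-alert, so a long encryption run produces a single ticket."""
    recent = defaultdict(deque)   # (host, user) -> timestamps in window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if not ev or ev["op"] != "rename":
            continue
        ext = locky_ext(ev["dst"])
        if not ext:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop events outside the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"], "ext": ext,
                           "count": len(q), "first_seen": q[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(a)
```

The lone .thor rename on WS-007 stays below the threshold, which is the point: a single hit on an extension list is a lead, a burst is an incident.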

Locky is considered one of the most persistent and destructive ransomware campaigns, due to the prolific ransomware samples its authors churn out. Locky’s operators, believed to be a group called Dungeon Spider, work with other actors to distribute the malicious payloads via botnets and cleverly crafted phishing campaigns, but over the course of the last year law enforcement agencies have disrupted these different distribution mechanisms, says Adam Meyers, vice president of intelligence at CrowdStrike.

While some agencies characterize Locky as launching a wave of periodic forceful attacks and then going dormant, Meyers suspects Locky’s authors are rolling out new ransomware variants and allowing Locky to fall into the background until the new experiments fail to pan out. Then they bring back the old standby, Locky.

In May, for example, the Jaff ransomware family emerged in force but it wasn’t until researchers released a decryption tool for Jaff in June that the ransomware went away.

“All of sudden, when that happened, Locky popped up. Jaff may have been a replacement for Locky but when that did not work, Locky returned,” Meyers says, noting similar timing patterns with other ransomware variants during Locky’s existence that lead him to believe Locky has been ever-present since it emerged in 2016.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

from Dark Reading – All Stories http://ubm.io/2x8nDMo
via IFTTT