The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works.Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired). Also: ExpressVPN review: A fine VPN service, but is it worth the price? What a VPN actually does is take data that you’re sending out over the internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. ExpressVPN, which is the service we’re talking about in this guide, has more than 3,000 servers in 160 locations. On the flip side, a VPN takes data from a server on the internet, encrypts it on one of ExpressVPN’s servers, sends that encrypted data to your computer, which decrypts it when it arrives. This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. By virtue of your data leaving the VPN provider’s server (which, for ExpressVPN, can be in your choice of 94 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server. Also: ExpressVPN vs. Surfshark vs. NordVPN: Which is best?

That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security. OK, so with that introduction into how VPNs, and specifically ExpressVPN works, let’s look at how to set up and install ExpressVPN. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

Locations: 160Countries: 94Simultaneous connections: 5Kill switch: yesLogging: noPrice: $12.95 per month, or 12 months for $99.95Trial: 30-day refund guaranteeSupported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, routers

Installing ExpressVPN The first thing you’re going to want to do is point your browser at ExpressVPN’s website and click the Get ExpressVPN button. You’ll want to pick a plan that suits your budget, buy it, and set up an account. Once you have an ExpressVPN account, we’ll move on. Log into your account dashboard. Generally, you’ll want to hit the Download button. If your platform isn’t correct, click Setup Other Devices. Here, you’ll want to do two things. First, make a note of your activation code and click the Open file link. Next, give Windows permission to do its thing. I went ahead and closed my browser window. ExpressVPN will take a minute to install. Starting ExpressVPN Now that you’ve installed ExpressVPN, it’s time to log in. This is the same account you used to create your account, get your activation code, and download ExpressVPN. Once again, you’ll need to let Windows know you approve of this install. Next, enter the activation code you saved off from before. If you misplaced it, just open a browser tab, go to ExpressVPN.com, click the Account button, and copy it again. Go ahead and set things up to launch ExpressVPN on login. You don’t have to initiate a VPN connection when you log in, but it will be nice to have the software ready when you are. And, if you are traveling, you’ll want the VPN to come on immediately on login to protect your data. The next option is entirely your choice. I tend to hover between “Hell, no!” and “Why not?” depending on my mood. And there you are. Checking ExpressVPN’s settings Here’s the main screen for ExpressVPN. Before hitting connect, click the hamburger menu on the upper left. Next, choose Options. This is one of the most important tweaks you’ll make. We’re not going to dig into a lot of settings options, but it’s very important you make sure “Stop all internet traffic if the VPN disconnects unexpectedly” is checked. This is what VPNs call a kill switch. It means that, if the VPN disconnects, you won’t be sending traffic unprotected. You should also check “Allow access to devices on the local network (such as printers or file servers)” so you can connect to local devices. Hit OK and you’re all set up. Using ExpressVPN If you hit the big power now, you’ll connect to the nearest server. I live in the US Pacific Northwest, so that’s why Seattle is displayed. But, if you want to connect to another country, click the three little dots. I went ahead and chose the UK Once I hit the big power button, I was connected. In fact, to servers on the internet, I no longer appear to be in the US Pacific Northwest, I appear to be in Blackwall in East London. To disconnect, hit the big power button again. If you can’t find that window because you minimized it or it’s obscured behind your browser, go down to your system tray. There, you’ll find a small menu that launches and operates ExpressVPN. ExpressVPN’s cool speed test ExpressVPN has a very cool speed test feature. It will, in one shot, allow you to test all of the company’s servers and see how they all perform. Launch it from the hamburger menu. Just hit the Run Test button. Give it a few minutes and you’ll get the results of the entire ExpressVPN network. So, there you go. That’s how to use ExpressVPN. Let us know what you think in the comments below. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

ZDNet Recommends More

Image: Group-IB

Since the start of the year, a new ransomware gang named ProLock has made a name for itself by hacking into large companies and government networks, encrypting files, and demanding huge ransom payments.
ProLock is the latest ransomware gang that has adopted the “big-game hunting” approach to its operations. Big-game hunting refers to going after larger targets in order to extract big payments from victims who can afford it.
System administrators who manage these larger networks are most likely to see attacks from this particular group.
Below is a short summary of all ProLock activities that system administrators need to be aware of, based on reports published by Group-IB, Sophos, and two FBI alerts [1, 2].
ProLock’s start
The ProLock gang began its activity (attacks) in late 2019. They initially operated under the name of PwndLocker but rolled out a major code upgrade and changed their name to ProLock in March 2020, after security researchers identified a bug in the original PwndLocker strain and released a free decrypter.
Distribution
In most of the incidents analyzed by security researchers, the ProLock ransomware was deployed on networks that have been previously infected with the Qakbot trojan.
The Qakbot trojan is distributed via email spam campaigns or is dropped as a second-stage payload on computers previously infected with the Emotet trojan. System administrators who find computers infected with either of these two malware strains should isolate systems and audit their networks, as the ProLock gang could be already wandering around their systems.
Lateral movement
But since the ProLock gang usually buys access to one Qakbot-infected computer and not entire networks, they also have to expand their access from this initial entry point to other nearby computers, for maximum damage.
This operation is called “lateral movement,” and there are various ways the ProLock gang does this.
Group-IB says ProLock uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access on infected hosts and then deploys the MimiKats tool to dump credentials from the infected system.
Depending on what they find, the ProLock gang can use these credentials to move laterally across a network via RDP, SMB, or via the local domain controller.
WMIC is used at the last moment to push the actual ransomware to all compromised hosts, where it encrypts files, and according to Sophos, plays the OS alert tone at the end to signal the end of the encryption routine.
Impact
All the operations needed to move laterally across a network are executed by a human operator in front of a terminal — and are not automated.
As a result, ProLock incidents usually manage to infect a large number of computers, as the ProLock human operator bides their time in order to maximize damage.
Group-IB says this tactic allows the group to demand very high decryption fees from victims, most of which face prolonged downtimes, in case they decide to rebuild internal networks.
“The fact that their average ransom demands range anywhere from 35 to 90 Bitcoin (approx. $400,000 to $1,000,000) only confirms their ‘think big’ strategy,” Group-IB said in a private report shared with ZDNet today.
These sums are below the average ($1.8 million) of some other big-game hunting ransomware gangs, but ProLock extortions have been gradually increasing in recent months. For example, Group-IB told ZDNet that the recent ProLock case they traced involved a ransom of 225 Bitcoin, which is around $2.3 million.
Some of the group’s past victims include big names like ATM maker Diebold Nixdorf, the city of Novi Sad in Serbia, and Lasalle County in Illinois.
Paying the ransom
But despite the damage this ransomware group can do, in one of its two alerts, the FBI warned organizations against paying the ransom, as the ProLock decrypter that victims receive doesn’t always work as intended, and usually fails when decrypting larger files.
Victim shaming
Furthermore, ProLock has also been seen in some incidents leaking data from the networks of victims they infected, and which refused to pay.
While some other ransomware groups have created special sites where they leak this data, ProLock prefers to dump it on hacking forums or pass it to journalists via email.
All in all, ProLock appears to be the first ransomware gang that uses Qakbot as an initial entry point, but most of its other tactics are shared with most other big-game hunting and human-operated ransomware gangs — so, defending networks against ProLock should be straightforward for companies that have already taken precautions against the other ransomware groups. More

Qbot, otherwise known as Qakbot or QuakBot, is an old software threat to Windows users that pre-dates the first iPhone, but it’s still being improved for nefarious efficiency.  The malware emerged in 2007, making it almost an antique in the new service-led ransomware world, but the malware is still nimble and efficient, according to cybersecurity outfit DFIR’s analysis of a sample its researchers found in October. 

ZDNet Recommends

Qbot is known for reaching Windows PCs via phishing emails and exploiting bugs in key apps like Microsoft’s email client, Outlook. The malware recently gained a module that reads email threads to improve the message’s apparent legitimacy to victims. SEE: Cybersecurity: Let’s get tactical (ZDNet special report)The malware’s operators rely on clickable phishing messages, including tax payment reminders, job offers, and COVID-19 alerts. It can steal data from Chrome, Edge, email, and online bank passwords. DFIR researchers looked at a case where initial access wasn’t known but was likely delivered via a tainted Microsoft Excel document that was configured to download malware from a web page and then used a Windows schedule task to get higher level access to the system. Qbot’s authors have learned to live off the land by utilizing legitimate Microsoft tools. In this case, it used these tools to raid an entire network within 30 minutes of the victim clicking on a link in the Excel sheet. 

“Thirty minutes after initial access, Qbot was observed collecting data from the beachhead host including browser data and emails from Outlook. At around 50 minutes into the infection, the beachhead host copied a Qbot dll to an adjacent workstation, which was then executed by remotely creating a service. Minutes later, the beachhead host did the same thing to another adjacent workstation and then another, and before we knew it, all workstations in the environment were compromised.” The attack affected PCs on the network but not servers, according to DFIR.Qbot’s operators have branched out to ransomware. Security firm Kaspersky reported that Qbot malware had infected 65% more PCs in the six months to July 2021 compared to last year. Microsoft spotlighted the malware for its modular design that makes it difficult to detect. The malware hides malicious processes and creates scheduled tasks to persist on a machine. Once running on an infected device, it uses multiple techniques for lateral movement.The FBI has warned that Qbot trojans are used to distribute ProLock, a “human-operated ransomware”.  More

NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday. The microchip company said it first became aware of the incident on February 23 and added that it impacted its IT resources.

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

“Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement. We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online,” an NVIDIA spokesperson told ZDNet. “Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident. Security is a continuous process that we take very seriously at NVIDIA — and we invest in the protection and quality of our code and products daily.”British newspaper The Telegraph reported that the company had been facing two days of outages last week related to email systems and tools used by developers. Reports later emerged online that South American hacking group LAPSU$ claimed it was behind the attack on NVIDIA. The group claimed to have 1 TB of data that included employee information. 

In screenshots from their Telegram channel, a LAPSU$ member claims NVIDIA put ransomware on their system after the hack.”Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the group claimed in a subsequent message. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”Emsisoft threat analyst Brett Callow noted that the Telegram channel where these messages were posted is now “temporarily inaccessible.””While hacking back is not common, it has certainly happened before,” Callow said. “Deploying ransomware on the attackers network may prevent them from leaking whatever data they exfiltrated.”Earlier this year, LAPSU$ hacked and extorted Portugal’s largest TV channel and weekly newspaper. Blue Hexagon CTO Saumitra Das said ransomware gangs can now cause brand damage and steal IP without actually deploying the final ransomware payloads.”There is always a tradeoff for the attackers between encrypting data and stealing data because encryption and deletion can trigger alarms at organizations with mature security programs and take away the leverage from the attackers,” Das said.  More

For the second time in three months, Toll Group has become the victim of a ransomware attack that has led to the suspension of IT systems.  Melbourne, Australia-based Toll Group is a global logistics company that offers freight, warehouse, and distribution services. Toll has roughly 40,000 employees and operates a distribution network across over 50 […] More